[Snort-users] Snort and SourceFire "Backdoored"

joeypork at ...1284... joeypork at ...1284...
Sun Sep 21 08:42:59 EDT 2003


I guess now that we have this incident validated as positively true from
the main Snort/SourceFire IT person, it lends a lot of credibility to
the Snort/SourceFire "backdoor" rumor. 

There have been lots of rumors on IRC that a few months ago, some of
the PHC guys were able to compromise the snort CVS tree. Instead of creating
a traditional backdoor in Snort/SourceFire (simply opening a rootshell
on a specific port) they changed a lot of the code to introduce buffer
overflows that didn't exist previously, and could be exploited at a later
point in time. They changed a lot of the code to include strcpys where
there were strncpys and such. This is a lot less noticeable than PHC's
other open source security project trojan code inserts, such as the libpcap,
dsniff, and sendmail compromises. 

Brian Caswell has said that Sourcefire did a major code audit after discovering
this compromise, which I think is very cool of them. 
Code audits can be very expensive, and I'm sure SourceFire footed the
bill. But, the question remains, how long were all of us exposed? And,
why did we learn of all this from blackhats releasing a fake phrack,
rather than from Snort/SourceFire? 

I find it highly disturbing that this is how the whole incident unfolded,
as many Snort team members have ragged on the industry practice of hiding
major security incidents in the past. Don't we Snort users have the right
to know if our code has been trojaned and Snort/Sourcefire compromised?
Maybe not, but the paying customers of SourceFire for sure do. 

Joey 



On Sun, 21 Sep 2003 02:08:15 -0700 Brian <bmc at ...950...> wrote:
>On Sat, Sep 20, 2003 at 10:46:14PM -0700, joeypork at ...1284... wrote:
>> Hey, has anyone else seen this:
>> 
>> http://www.phrack.nl/phrack62/p62-0x0d.txt
>> 
>> It looks like the PHC folks are at it again, the above is an article
>> on "sneeze", a new script that will generate traffic to trigger on every
>> snort rule. 
>> 
>> Also, appended to the end of the article is the home dirs of everyone
>> at Sourcefire/Snort. You can see what is in Marty's directory, etc. Go
>> check it out. 
>
>Yes, this was a LONG time ago.  Note that ALL of the date timestamps are
>dashed out.  Gee, I wonder why.  As well as normal incident response,
>the entire snort team did a major audit of snort at that time for anything
>injected.
>
>BTW, for those of you wanting the original sneeze, it's still available
>online at http://snort.sourceforge.net/sneeze-1.0.tar 
>
>-brian
>

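The strncpy-to-strcpy swap Joey describes, shown as an added example that is not Snort or Sourcefire code: the struct, the set_name_* functions, the audit helpers and the two sample source revisions are all constructed here. It demonstrates why the change is easy to miss (both versions behave identically on every input that fits the buffer, so ordinary tests keep passing) and a crude audit pass of the kind a post-compromise review would run over each commit, counting unbounded copy calls added between two revisions of a file.

```c
/*
 * Added example, not Snort/Sourcefire code. All names below are constructed.
 * (1) set_name_bounded vs set_name_unbounded: identical results for names that
 *     fit, overflow only for long ones, which is what makes the swap quiet.
 * (2) count_unbounded_calls / unbounded_delta: a crude per-commit audit that
 *     flags newly introduced strcpy/strcat/sprintf/gets calls.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

struct sess {
    char name[NAME_LEN];
    int  flags;      /* sits right after name: the first thing an overflow clobbers */
};

/* Bounded copy: always NUL-terminates and reports truncation instead of overflowing. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;                    /* truncated: caller should log or reject */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* "Before": the safe version a project would ship. */
int set_name_bounded(struct sess *s, const char *n)
{
    return copy_bounded(s->name, sizeof s->name, n);
}

/* "After": the one-token change an attacker commits. Same results while
 * strlen(n) < NAME_LEN; for longer n it writes past s->name (undefined
 * behaviour), so nothing here ever calls it with a long name. */
int set_name_unbounded(struct sess *s, const char *n)
{
    strcpy(s->name, n);
    return 0;
}

/* 1 if both versions produce the same name for an in-bounds input, -1 if the
 * input is too long to test the unbounded version safely. */
int short_inputs_match(const char *n)
{
    struct sess a = {{0}, 0}, b = {{0}, 0};
    if (strlen(n) >= NAME_LEN)
        return -1;
    set_name_bounded(&a, n);
    set_name_unbounded(&b, n);
    return strcmp(a.name, b.name) == 0;
}

/* Length stored by the bounded version, or -1 if the neighbouring field was touched. */
int bounded_result_len(const char *n)
{
    struct sess s = {{0}, 0x5a5a};
    set_name_bounded(&s, n);
    return s.flags == 0x5a5a ? (int)strlen(s.name) : -1;
}

static int is_ident(int c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Count calls to unbounded string functions in a chunk of C source. Matches that
 * are the tail of a longer identifier (fgets(, vsprintf() are skipped. */
int count_unbounded_calls(const char *src)
{
    static const char *const risky[] = { "strcpy(", "strcat(", "sprintf(", "gets(" };
    int hits = 0;
    for (size_t i = 0; i < sizeof risky / sizeof risky[0]; i++) {
        size_t len = strlen(risky[i]);
        const char *p = src;
        while ((p = strstr(p, risky[i])) != NULL) {
            if (p == src || !is_ident((unsigned char)p[-1]))
                hits++;
            p += len;
        }
    }
    return hits;
}

/* Audit rule for one commit: how many unbounded calls did it add? Anything
 * above zero deserves a human look, whatever the commit message says. */
int unbounded_delta(const char *before, const char *after)
{
    return count_unbounded_calls(after) - count_unbounded_calls(before);
}

/* Constructed before/after sources standing in for two CVS revisions of one file. */
const char before_src[] =
    "void set_name(struct sess *s, const char *n)\n"
    "{\n"
    "    strncpy(s->name, n, sizeof(s->name) - 1);\n"
    "    s->name[sizeof(s->name) - 1] = '\\0';\n"
    "}\n";

const char after_src[] =
    "void set_name(struct sess *s, const char *n)\n"
    "{\n"
    "    strcpy(s->name, n);\n"
    "}\n";

int main(void)
{
    printf("short input, both versions identical: %d\n", short_inputs_match("alice"));
    printf("long input, bounded version keeps %d chars and the neighbour intact\n",
           bounded_result_len("this-name-is-far-too-long-for-16"));
    printf("unbounded calls added by the change: %d\n",
           unbounded_delta(before_src, after_src));
    return 0;
}
```

The token scan is deliberately dumb: it is the kind of first pass that turns a whole-tree audit into a short list of commits to read by hand, not a replacement for reading them. Note also that the original strncpy idiom in before_src needs the explicit terminator on the next line; strncpy alone does not NUL-terminate when the source fills the buffer, which is why copy_bounded uses memcpy with an explicit length check instead.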





