[Snort-users] Snort not backdoored, Sourcefire not compromised

Martin Roesch roesch at ...1935...
Sun Sep 21 17:45:21 EDT 2003

It's come to my attention that some group is claiming to have broken 
into a Sourcefire server and backdoored the Snort source code.   First 
things first, there is no backdoor in Snort nor has there ever been, 
everyone can relax.

A shell server got compromised well over a year ago, but what these 
guys aren't telling you is that the network that it was on was not only 
logically separate from the rest of the sourcefire.com domain, it was 
also physically removed from it too (by about 23 miles, approximately 
the distance from the Sourcefire office to my basement).  Yes, that's 
right, they busted into a shell server that was maintained on a 
physically separate network in my basement.  That particular machine 
was maintained as a shell server for various people to log into so that 
we can have a sacrificial box to use to chat on IRC without having to 
worry about our real network getting compromised, and it has served its 
purpose well.

While we do try to keep that system from suffering break-ins, we also 
realize that many IRC clients aren't exactly the most secure pieces of 
code in the world and sometimes there are problems in server code as 
well (like apache and sshd), so we put together servers like that one 
so that we can interact with people while minimizing the risks to the 
company's networks and servers.  I thought this was fairly standard 
practice for many security companies, maybe I'm wrong.

If you're wondering "how do you know the code isn't backdoored?", since 
we know that that server is an "at risk" server we're not in the habit 
of checking code into CVS from there.  If that's not good enough for 
you, Snort has been through three code audits since March (one 
Sourcefire internal, two third-party external) and there are most 
definitively no backdoors in the code, nor were there any.

Hope that clears things up.

BTW, the sample code that they put into their little screed was nothing 
more than an update of the 'stick' program from 2001, not really 
anything to get worked up about.


Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list