February 20, 2007
New Snort overflow exploit
Snort can be buffer overflowed.
About once a year, Snort gets a buffer overflow vulnerability.
Any additional piece of software in a defense strategy (e.g. Snort, Wireshark, an antivirus program, an anti-spam device) has to be carefully considered before it is put in place, because it is itself attack surface.
In order to pull off this particular exploit, the attacker would have to know you are running Snort, know its placement, create the buffer overflow attack, and somehow get it to your Snort sensor.
A dedicated attacker, who really wants to exploit you, could learn that you are running Snort, and then just sit back until the next Snort exploit is released. All they have to do is beat you to the patch.
In the best of environments, it normally takes the admin at least half a day to a day to patch something like Snort...and I'm being gracious (many users I run across using Snort haven't updated it since they first installed it...very sad).
It's because of things like this that I am personally cautious when using Snort and Wireshark (both of which I love) for real-time alerting and analysis. A student of mine recommended a great strategy for my many honeypots (I run 8).
In the past, I had used both Snort and Ethereal (now called Wireshark) to capture packets and to alert me. Because both Snort and Wireshark get the occasional buffer overflow exploit announcement (Wireshark much more so than Snort), the student suggested that I never run either in real time, and instead capture traffic on the front end with some other tool and use Snort and Wireshark on the back end for analysis. Perfect strategy for me.
By definition, any traffic to my honeypots is malicious by nature. I don't run Snort as a detection and alert tool. Instead, I use it to identify common exploits in traffic I've captured. I used Wireshark to capture packets. Well, in the past I used Wireshark to capture packets in real time. Not anymore.
Now, I use WinPcap and/or tcpdump to capture and analyze packets in real time. Then, when I'm alerted to an attack, I take the captured packets (captured using port-mirroring Ethernet switches) and analyze the traffic on my management machine, where I have Snort and Wireshark. I get the benefits of less risk and the benefits of Snort and Wireshark (and tcpdump) during the analysis.
Of course, I always have to worry about WinPcap and tcpdump buffer overflows, but both of those products seem more stable and less attacked (than Snort and Wireshark).
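As an added example (not code from the original post), here is a small shell sketch of that capture-then-analyze split: tcpdump on the sensor, writing rotated pcap files with privileges dropped, and Snort run offline on the management host only against files that pass a pcap magic-number check, so a corrupt or non-capture file never reaches the parser. The interface name, directories, user and config path are placeholder assumptions; the tcpdump flags are from tcpdump 4.x and the Snort flags from Snort 2.

```shell
#!/bin/sh
# Added example, not the post's own code. Placeholders: eth1, /var/cap, nobody,
# /etc/snort/snort.conf. Front end captures, back end parses.

# Sensor side: tcpdump writes raw packets (-w), drops root after opening the
# interface (-Z nobody), keeps full packets (-s 0), flushes per packet (-U)
# and rotates the file every hour (-G 3600, strftime names). It does not run
# any protocol decoder, which is the point of keeping Snort off the sensor.
capture_cmd() {
  printf 'tcpdump -n -i %s -Z nobody -s 0 -U -G 3600 -w %s/hp-%%Y%%m%%d-%%H%%M%%S.pcap\n' "$1" "$2"
}

# Management side: classify a file by its first four bytes. Prints the kind and
# returns 0 for a known capture format, 1 otherwise.
pcap_kind() {
  magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4) echo pcap;    return 0 ;;  # classic libpcap, LE/BE
    4d3cb2a1|a1b23c4d) echo pcap-ns; return 0 ;;  # nanosecond libpcap, LE/BE
    0a0d0d0a)          echo pcapng;  return 0 ;;  # pcapng section header block
    *)                 echo unknown; return 1 ;;
  esac
}

# Offline Snort run over one rotated file: -r reads a pcap instead of sniffing,
# -l is where alerts and logs go, -q suppresses the banner.
analyze_cmd() {
  printf 'snort -q -c /etc/snort/snort.conf -r %s -l %s\n' "$1" "$2"
}

# List the rotated files that are safe to hand to Snort/Wireshark; anything
# that fails the magic check is reported on stderr and skipped.
select_captures() {
  for f in "$1"/hp-*.pcap; do
    [ -f "$f" ] || continue
    kind=$(pcap_kind "$f") || { echo "skip $f: not a capture file" >&2; continue; }
    echo "$f"
  done
}
```

On the management host, `select_captures /var/cap | while read -r f; do $(analyze_cmd "$f" /var/log/snort); done` would drive the offline analysis, and the same files open directly in Wireshark.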
Remember, even your security defenses are potential exploit vectors. Always keep your security tools up to date.
And the last time Snort had an exploit (it was with the Back Orifice detector, I believe) several other commercial products had the exact same exploit they had to patch.
Posted by Roger Grimes on February 20, 2007 06:22 AM