linux, säkerhet

10726497 2003-09-21 20:44 -0400 /55 rader/ Martin Roesch <roesch@sourcefire.com>
Importerad: 2003-09-22 17:28 av Brevbäraren
Extern mottagare: full-disclosure@lists.netsys.com
Extern kopiemottagare: snort-users@lists.sourceforge.net
Extern kopiemottagare: snort-devel@lists.sourceforge.net
Extern kopiemottagare: bugtraq@securityfocus.com
Extern kopiemottagare: incidents@securityfocus.com
Mottagare: Bugtraq (import) <29122>
Ärende: Snort not backdoored, Sourcefire not compromised
------------------------------------------------------------
From: Martin Roesch <roesch@sourcefire.com>
To: full-disclosure@lists.netsys.com
Cc: snort-users@lists.sourceforge.net,
 snort-devel@lists.sourceforge.net, bugtraq@securityfocus.com,
 incidents@securityfocus.com
Message-ID: <E2226338-EC95-11D7-B534-000393A45F6C@sourcefire.com>

It's come to my attention that some group is claiming to have broken 
into a Sourcefire server and backdoored the Snort source code.   First 
things first, there is no backdoor in Snort nor has there ever been, 
everyone can relax.

A shell server got compromised well over a year ago, but what these
guys aren't telling you is that the network that it was on was not
only  logically separate from the rest of the sourcefire.com domain,
it was  also physically removed from it too (by about 23 miles,
approximately  the distance from the Sourcefire office to my
basement).  Yes, that's  right, they busted into a shell server that
was maintained on a  physically separate network in my basement.
That particular machine  was maintained as a shell server for various
people to log into so that  we can have a sacrificial box to use to
chat on IRC without having to  worry about our real network getting
compromised, and it has served its  purpose well.

While we do try to keep that system from suffering break-ins, we also 
realize that many IRC clients aren't exactly the most secure pieces of 
code in the world and sometimes there are problems in server code as 
well (like apache and sshd), so we put together servers like that one 
so that we can interact with people while minimizing the risks to the 
company's networks and servers.  I thought this was fairly standard 
practice for many security companies, maybe I'm wrong.

If you're wondering "how do you know the code isn't backdoored?",
since  we know that that server is an "at risk" server we're not in
the habit  of checking code into CVS from there.  If that's not good
enough for  you, Snort has been through three code audits since March
(one  Sourcefire internal, two third-party external) and there are
most  definitively no backdoors in the code, nor were there any.

Hope that clears things up.

BTW, the sample code that they put into their little screed was
nothing  more than an update of the 'stick' program from 2001, not
really  anything to get worked up about.

      -Marty


-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
(10726497) /Martin Roesch <roesch@sourcefire.com>/(Ombruten)