Snort not backdoored, Sourcefire not compromised

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Snort not backdoored, Sourcefire not compromised
From: Martin Roesch <roesch@xxxxxxxxxxxxxx>
Date: Sun, 21 Sep 2003 20:44:11 -0400
Cc: snort-users@xxxxxxxxxxxxxxxxxxxxx, snort-devel@xxxxxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, incidents@xxxxxxxxxxxxxxxxx
In-reply-to: <200309211556.h8LFuS5m076005@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

It's come to my attention that some group is claiming to have brokeninto a Sourcefire server and backdoored the Snort source code. Firstthings first, there is no backdoor in Snort nor has there ever been,everyone can relax.

A shell server got compromised well over a year ago, but what theseguys aren't telling you is that the network that it was on was not onlylogically separate from the rest of the sourcefire.com domain, it wasalso physically removed from it too (by about 23 miles, approximatelythe distance from the Sourcefire office to my basement). Yes, that'sright, they busted into a shell server that was maintained on aphysically separate network in my basement. That particular machinewas maintained as a shell server for various people to log into so thatwe can have a sacrificial box to use to chat on IRC without having toworry about our real network getting compromised, and it has served itspurpose well.

While we do try to keep that system from suffering break-ins, we alsorealize that many IRC clients aren't exactly the most secure pieces ofcode in the world and sometimes there are problems in server code aswell (like apache and sshd), so we put together servers like that oneso that we can interact with people while minimizing the risks to thecompany's networks and servers. I thought this was fairly standardpractice for many security companies, maybe I'm wrong.

If you're wondering "how do you know the code isn't backdoored?", sincewe know that that server is an "at risk" server we're not in the habitof checking code into CVS from there. If that's not good enough foryou, Snort has been through three code audits since March (oneSourcefire internal, two third-party external) and there are mostdefinitively no backdoors in the code, nor were there any.


Hope that clears things up.

BTW, the sample code that they put into their little screed was nothingmore than an update of the 'stick' program from 2001, not reallyanything to get worked up about.


     -Marty


--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch@xxxxxxxxxxxxxx - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

Prev by Date: [SECURITY] [DSA-383-2] OpenSSH buffer management fix
Next by Date: Fw: 0x333hztty => hztty 2.0 local root exploit
Previous by thread: [SECURITY] [DSA-383-2] OpenSSH buffer management fix
Next by thread: Fw: 0x333hztty => hztty 2.0 local root exploit
Index(es):
- Date
- Thread