Snort vulnerability security advisory
elaine
elaine at fwsystems.com
Thu Apr 17 14:05:23 GMT 2003
Versions of Snort from 1.8.x to 1.9.1 (moonbase/crater-current) and
2.0 beta have been found to have a remote vulnerability.
Because lunar runs snort as root, this is a critical remote-root
compromise risk for lunar systems running snort.
http://www.snort.org/advisories/snort-2003-04-16-1.txt
Workaround (from the advisory):
Disabling the stream4 preprocessor will make the snort invulnerable to the
attack.
To disable the stream4 preprocessor, edit snort.conf and replace any lines
that begin with "preprocessor stream4" with "# preprocessor stream4"
NOTE: Disabling the stream4 preprocessor disables stateful inspection and
stream reassembly and could allow someone to evade snort using tcp stream
segmentation attacks.
Patches:
Snort 2.0 has been released and corrects this vulnerability.
Some comments.
I do not have time / resources to address this immediately for the
module in moonbase, so I can't address this at least right now.
It is possible to run snort as a non-root user, it drops privilege
and I think (do not know) that this would mitigate root-compromise.
I believe this is a good thing (tm) anyway as otherwise only root
can read Snort's alert and logfiles. I can share my notes on
non-root snort operation with anyone interested.
Updating snort rulesets between even minor versions is usually
a task needing hand adjustment. Snort in general is not useful
without being configured for the local environment to establish
a workable mix of false-positive/false-negative detects.
When I get time I can probably run/config snort on my selinux/lunar
box without fear of breaking anything else and will do so asap.
elaine
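As an added example (not part of elaine's post or of the Lunar snort module), here is a shell snippet that applies the advisory's stream4 workaround to a snort.conf: it keeps a backup, comments out every line beginning with "preprocessor stream4", and reports how many active stream4 lines remain. The sample config it edits is constructed for illustration.

```shell
# Added example, not part of the original advisory: apply the stream4
# workaround by commenting out every line that begins with
# "preprocessor stream4" (this also covers stream4_reassemble, which
# shares the prefix), keep a backup, then count what is still active.

disable_stream4() {
    conf="$1"
    cp "$conf" "$conf.bak"                       # keep the original
    sed 's/^preprocessor stream4/# preprocessor stream4/' "$conf.bak" > "$conf"
}

# Number of still-active (uncommented) stream4 lines; 0 means the
# workaround is in effect.
active_stream4_lines() {
    awk '/^preprocessor stream4/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample config for demonstration only.
snort_conf=$(mktemp)
cat > "$snort_conf" <<'EOF'
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode
EOF

echo "before: $(active_stream4_lines "$snort_conf") active stream4 line(s)"
disable_stream4 "$snort_conf"
echo "after:  $(active_stream4_lines "$snort_conf") active stream4 line(s)"
```

Remember the advisory's caveat: with stream4 off, snort loses stateful inspection and stream reassembly until it is upgraded to 2.0.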