Full Disclosure mailing list archives
RE: Snort not backdoored, Sourcefire not compromised
From: "Exibar" <exibar () thelair com>
Date: Sun, 21 Sep 2003 22:17:17 -0400
I knew it wasn't true :-) Although I did think the phrack 62 was real until I actually took the time to read some of it after getting some sleep. I even sent the sneeze article to my IDS guru, talk about having egg on my face for a bit, he'll rag on me for a few days due to this!

Thanks for the official statement Marty and keep up the great work with Snort!

Exibar

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Martin Roesch
Sent: Sunday, September 21, 2003 8:44 PM
To: full-disclosure () lists netsys com
Cc: snort-users () lists sourceforge net; snort-devel () lists sourceforge net; bugtraq () securityfocus com; incidents () securityfocus com
Subject: [Full-disclosure] Snort not backdoored, Sourcefire not compromised

It's come to my attention that some group is claiming to have broken into a Sourcefire server and backdoored the Snort source code. First things first, there is no backdoor in Snort nor has there ever been, everyone can relax.

A shell server got compromised well over a year ago, but what these guys aren't telling you is that the network that it was on was not only logically separate from the rest of the sourcefire.com domain, it was also physically removed from it too (by about 23 miles, approximately the distance from the Sourcefire office to my basement). Yes, that's right, they busted into a shell server that was maintained on a physically separate network in my basement.

That particular machine was maintained as a shell server for various people to log into so that we can have a sacrificial box to use to chat on IRC without having to worry about our real network getting compromised, and it has served its purpose well. While we do try to keep that system from suffering break-ins, we also realize that many IRC clients aren't exactly the most secure pieces of code in the world and sometimes there are problems in server code as well (like apache and sshd), so we put together servers like that one so that we can interact with people while minimizing the risks to the company's networks and servers. I thought this was fairly standard practice for many security companies, maybe I'm wrong.

If you're wondering "how do you know the code isn't backdoored?", since we know that that server is an "at risk" server we're not in the habit of checking code into CVS from there. If that's not good enough for you, Snort has been through three code audits since March (one Sourcefire internal, two third-party external) and there are most definitively no backdoors in the code, nor were there any.

Hope that clears things up. BTW, the sample code that they put into their little screed was nothing more than an update of the 'stick' program from 2001, not really anything to get worked up about.

-Marty

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html