RE: [Full-Disclosure] Snort not backdoored, Sourcefire not compromised

From: Exibar (exibar_at_thelair.com)
Date: 09/22/03

  • Next message: Michal Zalewski: "[Full-Disclosure] OpenSSH - is X-Force really behind this?" 
    To: "Martin Roesch" <roesch@sourcefire.com>, <full-disclosure@lists.netsys.com>
Date: Sun, 21 Sep 2003 22:17:17 -0400

    I knew it wasn't true :-)

      Although I did think the phrack 62 was real until I actually took the time
    to read some of it after getting some sleep. I even sent the sneeze article
    to my IDS guru, talk about having egg on my face for a bit, he'll rag on me
    for a few days due to this!

      Thanks for the official statement Marty and keep up the great work with
    Snort!

       Exibar

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Martin
    Roesch
    Sent: Sunday, September 21, 2003 8:44 PM
    To: full-disclosure@lists.netsys.com
    Cc: snort-users@lists.sourceforge.net;
    snort-devel@lists.sourceforge.net; bugtraq@securityfocus.com;
    incidents@securityfocus.com
    Subject: [Full-Disclosure] Snort not backdoored, Sourcefire not
    compromised

    It's come to my attention that some group is claiming to have broken
    into a Sourcefire server and backdoored the Snort source code. First
    things first, there is no backdoor in Snort nor has there ever been,
    everyone can relax.

    A shell server got compromised well over a year ago, but what these
    guys aren't telling you is that the network that it was on was not only
    logically separate from the rest of the sourcefire.com domain, it was
    also physically removed from it too (by about 23 miles, approximately
    the distance from the Sourcefire office to my basement). Yes, that's
    right, they busted into a shell server that was maintained on a
    physically separate network in my basement. That particular machine
    was maintained as a shell server for various people to log into so that
    we can have a sacrificial box to use to chat on IRC without having to
    worry about our real network getting compromised, and it has served its
    purpose well.

    While we do try to keep that system from suffering break-ins, we also
    realize that many IRC clients aren't exactly the most secure pieces of
    code in the world and sometimes there are problems in server code as
    well (like apache and sshd), so we put together servers like that one
    so that we can interact with people while minimizing the risks to the
    company's networks and servers. I thought this was fairly standard
    practice for many security companies, maybe I'm wrong.

    If you're wondering "how do you know the code isn't backdoored?", since
    we know that that server is an "at risk" server we're not in the habit
    of checking code into CVS from there. If that's not good enough for
    you, Snort has been through three code audits since March (one
    Sourcefire internal, two third-party external) and there are most
    definitively no backdoors in the code, nor were there any.

    Hope that clears things up.

    BTW, the sample code that they put into their little screed was nothing
    more than an update of the 'stick' program from 2001, not really
    anything to get worked up about.

          -Marty 

    --
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
  • Next message: Michal Zalewski: "[Full-Disclosure] OpenSSH - is X-Force really behind this?"