Full Disclosure mailing list archives

Re: Is Marty Lying?

From: security snot <booger () unixclan net>
Date: Mon, 22 Sep 2003 10:43:47 -0700 (PDT)

Marty,

You failed to address the other points.

If your shell server was compromised, and people were logging into
sourcefire boxes from it (as the log shows, my friend!) then what
prevented them from abusing the access to your shellbox to gain access to
your corporate machines?

The "code audit" that you guys did to make sure nothing was backdoored was
quite thorough too, considering since then remote bugs in Snort have been
published.  If you can't even spot the vulnerable code you introduce into
your source tree by accident, how can you definitively argue that no one
else snuck in subtle bugs that you also didn't catch?

You are a security expert, right?

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

On Mon, 22 Sep 2003, Martin Roesch wrote:

I'm not going to engage in tit-for-tat on this stuff, so let me get
right to it.

stupid to think independantly to arrive to a conclusion to what most
likely did happen with the Snort.org compromise.


Snort.org wasn't compromised, a shell server was.

Some good questions are:
1) If the intrusion were limited to a single "shellbox" then why did
they
need to audit the code in CVS to see if it was backdoored?


The audits were performed after the rpc buffer overflow in Snort this
past spring, no audit was performed as a result of the compromise
because it didn't effect anything.  I don't see why this is a tough
problem for you, grep the code for whatever you're interested in or
something, it's open source.  In fact, I invite everyone to go through
the code and check it themselves, it's all up there on snort.org all
the way back to the initial release back in 1998.

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Is Marty Lying? security snot (Sep 22)
- Re: Is Marty Lying? Martin Roesch (Sep 22)
  - Re: Is Marty Lying? security snot (Sep 22)
    - Re: Is Marty Lying? james (Sep 22)
    - Re: Is Marty Lying? Blue Boar (Sep 22)
    - Re: Is Marty Lying? security snot (Sep 23)
    - Please don't feed the troll (was: Re: Is Marty Lying?) Cael Abal (Sep 23)
- Re: Is Marty Lying? Valdis . Kletnieks (Sep 22)
- Re: Is Marty Lying? daniel uriah clemens (Sep 22)
  - Re: Is Marty Lying? Peter Busser (Sep 22)
    - Re: Is Marty Lying? Gregory A. Gilliss (Sep 22)
    - Re: Is Marty Lying? security snot (Sep 22)
    - Re: Is Marty Lying? pdt (Sep 22)

(Thread continues...)