When will SNORT-Update (rpm) be available?

HoneyNet Germany

7 Mar 2003 7 Mar '03

13:47

Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerablity. But until now no one mentioned this on the list, nor is an update availble. When can we expect an updated Snort 1.9.1 RPM? Ciao Uwe HoneyNet Germany

Show replies by date

Thomas Biege

7 Mar 7 Mar

13:53

New subject: [suse-security] When will SNORT-Update (rpm) be available?

On Fri, 7 Mar 2003, HoneyNet Germany wrote:

...

Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerablity. But until now no one mentioned this on the list, nor is an update availble.

When can we expect an updated Snort 1.9.1 RPM?

This version will be shipped with the upcoming SuSE Linux distribution. Bye, Thomas -- Thomas Biege SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | gpg --import" Key fingerprint = 7254 B15D B3C4 943F 485E 0BBD 8ECC D7CB C200 A213

HoneyNet Germany

14:02

New subject: [suse-security] When will SNORT-Update (rpm) be available?

Will there be no Update for existing distributions as it is not a minor fix, but an important update for everyone using snort on a box. With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround). I just wonder a little bit about your answert that the next release will contain the fixed snort-rpm. Hmmm ... thinking about priorities .... In security! Uwe

...

-----Original Message----- From: Thomas Biege [mailto:thomas@suse.de] Posted At: Friday, March 07, 2003 2:53 PM Posted To: Newsletter Conversation: [suse-security] When will SNORT-Update (rpm) be available? Subject: Re: [suse-security] When will SNORT-Update (rpm) be available?

On Fri, 7 Mar 2003, HoneyNet Germany wrote:

...
Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerablity. But until now no one

mentioned this on

...
the list, nor is an update availble.

When can we expect an updated Snort 1.9.1 RPM?

This version will be shipped with the upcoming SuSE Linux distribution.

Bye, Thomas -- Thomas Biege SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | gpg --import" Key fingerprint = 7254 B15D B3C4 943F 485E 0BBD 8ECC D7CB C200 A213

Mathias Homann

14:14

New subject: [suse-security] When will SNORT-Update (rpm) be available?

...

...
...
When can we expect an updated Snort 1.9.1 RPM?

This version will be shipped with the upcoming SuSE Linux distribution.

Bye, Thomas

...

Will there be no Update for existing distributions as it is not a minor fix, but an important update for everyone using snort on a box. With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround). I just wonder a little bit about your answert that the next release will contain the fixed snort-rpm.

Hmmm ... thinking about priorities .... In security!

Uwe

So basically SuSE says 'If you want snort with that security fix, go and _BUY_ the next SuSE which hasnt even been announced? 'emerge -u snort' bye, [MH]

Thomas Biege

10 Mar 10 Mar

08:58

New subject: [suse-security] When will SNORT-Update (rpm) be available?

On Fri, 7 Mar 2003, Mathias Homann wrote:

...

...
...
...
When can we expect an updated Snort 1.9.1 RPM?

This version will be shipped with the upcoming SuSE Linux distribution.

Bye, Thomas

...
Will there be no Update for existing distributions as it is not a minor fix, but an important update for everyone using snort on a box. With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround). I just wonder a little bit about your answert that the next release will contain the fixed snort-rpm.

Hmmm ... thinking about priorities .... In security!

Uwe

So basically SuSE says 'If you want snort with that security fix, go and _BUY_ the next SuSE which hasnt even been announced?

Snort is open source. You do not need to buy SuSE for just using snort. If you do not want to compile it on your own look at http://www.snort.org/dl/binaries/ . Someone may publish an RPM there very soon I think. Bye, Thomas -- Thomas Biege SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | gpg --import" Key fingerprint = 7254 B15D B3C4 943F 485E 0BBD 8ECC D7CB C200 A213

HoneyNet Germany

10:22

New subject: [suse-security] When will SNORT-Update (rpm) be available?

----- Original Message ----- From: "Thomas Biege" To: "Mathias Homann" Cc: Sent: Monday, March 10, 2003 9:58 AM Subject: Re: [suse-security] When will SNORT-Update (rpm) be available?

...

On Fri, 7 Mar 2003, Mathias Homann wrote:

...
...
...
...
When can we expect an updated Snort 1.9.1 RPM?

This version will be shipped with the upcoming SuSE Linux distribution.

Bye, Thomas

...
Will there be no Update for existing distributions as it is not a minor fix, but an important update for everyone using snort on a box. With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround). I just wonder a little bit about your answert that the next release will contain the fixed snort-rpm.

Hmmm ... thinking about priorities .... In security!

Uwe

So basically SuSE says 'If you want snort with that security fix, go and _BUY_ the next SuSE which hasnt even been announced?

Snort is open source. You do not need to buy SuSE for just using snort.

If you do not want to compile it on your own look at http://www.snort.org/dl/binaries/ . Someone may publish an RPM there very soon I think.

Maybe, but the same is valid for Sendmail! I think every kind of specially remote exploitable Software included with your distributions should be fixed, as you even use security for marketing (just taking a look at the box:-) I know that with thousands of packages included with the 7 CD's you can't do any bugfix, but remote exploitable security-vulnerabilities are different from just bugs. So what I wonder about is the different way you handeled the sendmail-vulnerability, but didn't even mention the snort-vulnerablity. I know the workaround and I should have postet it myself to the list, but I jsut subscribed the day I sent my message in. Another thing is, that there are not soooo many remote exploitable bugs every day or week on important rpm's, so there should be the time to offer fixed or updated packages when such a bug happens. I can't imagine that for you as the professionals it's hard to build a new rpm for the actual and even some outdated distributions. And what you mention about snort in your next posting ... - I an only aks what is different with sendmail that you did a fix for that so fast? And the feedback here in this group shows, that others re thinking the same ... just to tell the next distribution which isn't even announced will include the bug-fixed version of snort - is not really a good thing. sounds a little bit like they way M$ handles security. But it's good that you came back with some feedback into the group :-) Have a nice week! Uwe Betz

Joerg Mayer

11 Mar 11 Mar

08:35

New subject: [suse-security] When will SNORT-Update (rpm) be available?

IMNSHO, Suse *really* should provide an update rpm: You don't have to provide an rpm with fixed source, but you really should (automatically) disable the rpc stuff via postinstall and probably send an email to root. Why? Because I'm convinced that quite a lot of people rely on you (or fou4s or apt-get) to "fix" security problems for them. Microsoft received some well deserved bashing for not providing an update for the SQL (or whatever) fix that enabled slammer via the simple click on the "Windows update" button. Please don't repeat the M$ mistake! I know you are on a tight schedule right now, but a remote root compromise is the highest sort of threat and should be fixed asap. Ciao Jörg -- Joerg Mayer We are stuck with technology when what we really want ist just stuff that works. Some say that should read Microsoft instead of technology.

Robert Davies

10:06

New subject: [suse-security] When will SNORT-Update (rpm) be available?

On Tuesday 11 March 2003 08:35, Joerg Mayer wrote:

...

IMNSHO, Suse *really* should provide an update rpm:

<snip>

...

I know you are on a tight schedule right now, but a remote root compromise is the highest sort of threat and should be fixed asap.

Agreed, and Thomas answered this when I asked. He already said they are working on it. There will be information in the next Security Notice in section 2. Perhaps they should get more help from inside SuSE? It doesn't take a security expert to copy the info that Thomas has given in this thread and make an official response. Anyway lets let Thomas have the time to get his updates done, they're busy and pestering him here won't be helping. I just hope he gets done, before there's an circulation with script kiddies. Rob

Robert Davies

11:02

New subject: [suse-security] When will SNORT-Update (rpm) be available?

On Tuesday 11 March 2003 10:06, Robert Davies wrote:

...

Anyway lets let Thomas have the time to get his updates done, they're busy and pestering him here won't be helping. I just hope he gets done, before there's an circulation with script kiddies.

That was meant to say, 'an exploit in circulation for script kiddies'! Sorry, and regards Rob

Roman Drahtmueller

14:04

New subject: [suse-security] When will SNORT-Update (rpm) be available?

...

<snip>

...
I know you are on a tight schedule right now, but a remote root compromise is the highest sort of threat and should be fixed asap.

Agreed, and Thomas answered this when I asked. He already said they are working on it. There will be information in the next Security Notice in section 2.

Perhaps they should get more help from inside SuSE? It doesn't take a security expert to copy the info that Thomas has given in this thread and make an official response.

Anyway lets let Thomas have the time to get his updates done, they're busy and pestering him here won't be helping. I just hope he gets done, before there's an circulation with script kiddies.

Just to prevent misunderstandings: Of course we will publish a fix. That's what we are here for (and what people have confidence in). It's just about the version upgrades that we fear. That will probably not happen. Stay tuned.

...

Rob

Thanks, Roman. -- - - | Roman Drahtmüller // "You don't need eyes to see, | SuSE Linux AG - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -

Fabio De Francesco

10 Mar 10 Mar

15:02

New subject: log of ssh attack

Can someone explain how I can block these attempts to negotiate ssh session from the outside of my LAN? That is, I read "connection refused" in the following log (/var/log/messages), but only from the second attempt. What can we say about the first one from 62.211.51.30? It seems to have been accepted because I don't read any "connection refused". In any case my firewall ACCEPT these connection that I want to block. Is "connection refused" the answer from TCPWrapper? And why just on the second attempt? I would like to append a rule is SuSE-Firewall2 to block this attempts. I would appreciate any help, thank you. Fabio De Francesco Feb 22 20:33:00 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.211.51.30 DST=xx.xx.xx.xx LEN=40 TOS=0x10 PREC=0x00 TTL=119 ID=47416 PROTO=TCP SPT=63147 DPT=22 WINDOW=53672 RES=0x00 SYN URGP=0 Feb 22 20:33:01 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55846 DF PROTO=TCP SPT=3372 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) Feb 22 20:33:02 myhost sshd[4686]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114) Feb 22 20:33:06 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55854 DF PROTO=TCP SPT=3373 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) Feb 22 20:33:07 myhost sshd[4687]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114) Feb 22 20:33:12 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55872 DF PROTO=TCP SPT=3374 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) Feb 22 20:33:12 myhost sshd[4688]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)

GertJan Spoelman

17:43

New subject: [suse-security] log of ssh attack

On Monday 10 March 2003 16:02, Fabio De Francesco wrote:

...

Can someone explain how I can block these attempts to negotiate ssh session from the outside of my LAN? That is, I read "connection refused" in the following log (/var/log/messages), but only from the second attempt. What can we say about the first one from 62.211.51.30? It seems to have been accepted because I don't read any "connection refused".

Probably because there wasn't a login attempt, if there was a successfull login there would be a message that said so.

...

In any case my firewall ACCEPT these connection that I want to block. Is "connection refused" the answer from TCPWrapper? And why just on the second attempt?

No it says sshd refused the connection.

...

I would like to append a rule is SuSE-Firewall2 to block this attempts.

What do you mean add a rule, you just have to delete ssh or 22 from the FW_SERVICES_EXT_TCP line in your SuSEfirewall2 config file, if you didn't want SSH access from the outside why did you add that at all? -- GertJan Email address is invalid, so don't reply directly, I'm on the list.

GertJan Spoelman

7 Mar 7 Mar

18:04

New subject: [suse-security] When will SNORT-Update (rpm) be available?

On Friday 07 March 2003 15:02, HoneyNet Germany wrote:

...

Will there be no Update for existing distributions as it is not a minor fix, but an important update for everyone using snort on a box. With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround). I just wonder a little bit about your answert that the next release will contain the fixed snort-rpm.

Hmmm ... thinking about priorities .... In security!

Probably they don't like snort, the 'updated' version for SuSE 7.2 had some sort of problem (can't remember what, but is was mentioned on this list back then) and was put in the update/7.2/.needs_review directory over a year ago. I find that a very very long time for a review. -- GertJan Email address is invalid, so don't reply directly, I'm on the list.

Thomas Biege

10 Mar 10 Mar

09:08

New subject: [suse-security] When will SNORT-Update (rpm) be available?

Good Morning. On Fri, 7 Mar 2003, HoneyNet Germany wrote:

...

Will there be no Update for existing distributions as it is not a minor fix, but an important update for everyone using snort on a box. With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround).

As a workaround just put a # infront of the line activating the preprocessor for rcp_decode in snort.conf. IMHO this won't be the last remote exploitable bug in snort. It's a program running in a dangerous environment, maybe it uses root privilege to fulfil his work and it reads endless amount of data from untrusted and undefined sources. No doubt, snort is very useful, but it's dangerous too and far away from detecting a skillful attacker. Bye, Thomas -- Thomas Biege SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | gpg --import" Key fingerprint = 7254 B15D B3C4 943F 485E 0BBD 8ECC D7CB C200 A213

Francisco Acosta

7 Mar 7 Mar

14:16

New subject: [suse-security] When will SNORT-Update (rpm) be available?

....hum, ok, so snort-1.8.4-3 in version 8.0 snort 1.8.7b128 in version 8.1 must be used with the following workaround, from snort.org ?. If you are in an environment that can not upgrade snort immediately, comment out the line in your snort.conf that begins: preprocessor rpc_decode and replace it with: # preprocessor rpc_decode Thomas Biege wrote:

...

On Fri, 7 Mar 2003, HoneyNet Germany wrote:

...
Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerablity. But until now no one mentioned this on the list, nor is an update availble.

When can we expect an updated Snort 1.9.1 RPM?

This version will be shipped with the upcoming SuSE Linux distribution.

Bye, Thomas

-- -.Francisco Acosta.- -.chesco@idea.com.py.-

Robert Davies

10 Mar 10 Mar

10:28

New subject: [suse-security] When will SNORT-Update (rpm) be available?

On Friday 07 March 2003 13:47, HoneyNet Germany wrote:

...

Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerablity. But until now no one mentioned this on the list, nor is an update availble.

When can we expect an updated Snort 1.9.1 RPM?

Usually SuSE publish minimum patches to address vulnerabilities, rather than new versions of a package. Maybe that was the wrong question to ask? Having watched the thread slightly bemused, I am wondering : 1) Will there be an advisory on snort, in response to the vulnerability? 2) If so will there be update patch rpms in future 3) Will the work round be published officially, to tide 'snorters' over in meantim As it is, I have impression snort, though present on my CD disks and the SuSE ftp site, is creeping under the radar. If I had not been paying attention here, then I might open up one of my systems unkowingly by installing this package with a remote root exploit. Thomas, thank you for the info, and I agree with you that it is simple to update the snort package by downloading source and rebuilding the rpm. There is however a problem if a known remote-root vulerable package can remain on the install list for long, simply because it that package is 'low priority', maybe because it's infrequently installed, or it's software the Security Team do not trust and like. One of the reasons I buy and use SuSE, is because of the Security Team, and I really like the fact that you are accessible on this list. But you and your managers, need to appreciate, that I am then relying on you then to make sure the SuSE packages are sound against known vulnerabilities, or at least produce an advisiory, with a workround or 'pull the package entirely'. If there's not time to deal with snort patches and update rpm's, and you don't seem to have confidence in the implementation, then maybe the axe should fall? For those who do want to risk snort, a simple spec file and a support note on how to build the snort update package for those who *must* have it, with appropriate disclaimers? Rob

Thomas Biege

12:17

New subject: [suse-security] When will SNORT-Update (rpm) be available?

On Mon, 10 Mar 2003, Robert Davies wrote:

...

On Friday 07 March 2003 13:47, HoneyNet Germany wrote:

...
Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerablity. But until now no one mentioned this on the list, nor is an update availble.

When can we expect an updated Snort 1.9.1 RPM?

Usually SuSE publish minimum patches to address vulnerabilities, rather than new versions of a package. Maybe that was the wrong question to ask?

Having watched the thread slightly bemused, I am wondering :

1) Will there be an advisory on snort, in response to the vulnerability? 2) If so will there be update patch rpms in future 3) Will the work round be published officially, to tide 'snorters' over in meantim

Yes.

...

As it is, I have impression snort, though present on my CD disks and the SuSE ftp site, is creeping under the radar. If I had not been paying attention here, then I might open up one of my systems unkowingly by installing this package with a remote root exploit.

Thomas, thank you for the info, and I agree with you that it is simple to update the snort package by downloading source and rebuilding the rpm.

I know it isn't the most conveniently way, but we are working under high preassure currently. I used snort for myself a very long time and as a snort-user I recognized that it's very important to keep track of the releases made by the snort-team. Their release frequency is much higher then every vendor is able to publish new and tested packages. And their installation routines are clean enough to make compiling, installing and running a new snort release very easy.

...

There is however a problem if a known remote-root vulerable package can remain on the install list for long, simply because it that package is 'low priority', maybe because it's infrequently installed, or it's software the Security Team do not trust and like.

We think snort is useful that's the reason we ship it. SuSE always tries to ship the most recent versions with their upcoming SuSE Linux release. Bugs like this will be communicated in section two of our security announcements. I know snort wasn't part of the last announcement but it'll be part of the next one.

...

One of the reasons I buy and use SuSE, is because of the Security Team, and I really like the fact that you are accessible on this list. But you and your

Thank you.

...

managers, need to appreciate, that I am then relying on you then to make sure the SuSE packages are sound against known vulnerabilities, or at least produce an advisiory, with a workround or 'pull the package entirely'.

We will...

...

If there's not time to deal with snort patches and update rpm's, and you don't seem to have confidence in the implementation, then maybe the axe should fall?

For those who do want to risk snort, a simple spec file and a support note on how to build the snort update package for those who *must* have it, with appropriate disclaimers?

It should be easy. Just install the source rpm from your CD, generate the patch for your version by using their CVSWeb (http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/preprocessors...) and add it to the spec file. I didn't try ot my own, but it may work. Copy the tar balls containing the sources to /usr/src/packages/SOURCES and the spec file to /usr/src/packages/SPECS . Run rpm -bb /usr/src/packages/SPECS/snort.spec to build the rpm file. Make sure all dependecies are solved. A list of dependencies is (should be) included in the header of the spec file. Now install/update the new snort rpm by running the following command as root: rpm -Uvh /usr/src/packages/RPMS/<your arch>/snort-<your version>.<your arch>.rpm But compiling and installing the new snort version my be alot easier. Bye, Thomas -- Thomas Biege SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | gpg --import" Key fingerprint = 7254 B15D B3C4 943F 485E 0BBD 8ECC D7CB C200 A213

7718

Age (days ago)

7722

Last active (days ago)

List overview

Download

16 comments

9 participants

participants (9)

Fabio De Francesco
Francisco Acosta
GertJan Spoelman
HoneyNet Germany
Joerg Mayer
Mathias Homann
Robert Davies
Roman Drahtmueller
Thomas Biege