When will SNORT-Update (rpm) be available?
Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerability. But until now no one mentioned this on the list, nor is an update available. When can we expect an updated Snort 1.9.1 RPM? Ciao Uwe HoneyNet Germany
On Fri, 7 Mar 2003, HoneyNet Germany wrote:
Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerability. But until now no one mentioned this on the list, nor is an update available.
When can we expect an updated Snort 1.9.1 RPM?
This version will be shipped with the upcoming SuSE Linux distribution.
Bye,
Thomas
--
Thomas Biege
Will there be no Update for existing distributions, as it is not a minor fix but an important update for everyone using snort on a box? With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround). I just wonder a little bit about your answer that the next release will contain the fixed snort-rpm. Hmmm ... thinking about priorities .... In security! Uwe
-----Original Message----- From: Thomas Biege [mailto:thomas@suse.de] Posted At: Friday, March 07, 2003 2:53 PM Posted To: Newsletter Conversation: [suse-security] When will SNORT-Update (rpm) be available? Subject: Re: [suse-security] When will SNORT-Update (rpm) be available?
SuSE Linux AG,Deutschherrnstr. 15-19,90429 Nuernberg Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/contact/thomas.asc | gpg --import" Key fingerprint = 7254 B15D B3C4 943F 485E 0BBD 8ECC D7CB C200 A213
So basically SuSE says 'If you want snort with that security fix, go and _BUY_ the next SuSE which hasn't even been announced?' 'emerge -u snort' bye, [MH]
On Fri, 7 Mar 2003, Mathias Homann wrote:
So basically SuSE says 'If you want snort with that security fix, go and _BUY_ the next SuSE which hasn't even been announced?'
Snort is open source. You do not need to buy SuSE for just using snort.
If you do not want to compile it on your own look at
http://www.snort.org/dl/binaries/ . Someone may publish an RPM there
very soon I think.
Bye,
Thomas
--
Thomas Biege
----- Original Message -----
From: "Thomas Biege"
On Fri, 7 Mar 2003, Mathias Homann wrote:
So basically SuSE says 'If you want snort with that security fix, go and _BUY_ the next SuSE which hasn't even been announced?'
Snort is open source. You do not need to buy SuSE for just using snort.
If you do not want to compile it on your own look at http://www.snort.org/dl/binaries/ . Someone may publish an RPM there very soon I think.
Maybe, but the same is valid for Sendmail! I think every kind of software included with your distributions, especially remotely exploitable software, should be fixed, as you even use security for marketing (just taking a look at the box :-). I know that with thousands of packages included on the 7 CDs you can't do every bugfix, but remotely exploitable security vulnerabilities are different from just bugs. So what I wonder about is the different way you handled the sendmail vulnerability, but didn't even mention the snort vulnerability. I know the workaround and I should have posted it myself to the list, but I just subscribed the day I sent my message in.

Another thing is that there are not soooo many remotely exploitable bugs every day or week in important rpms, so there should be the time to offer fixed or updated packages when such a bug happens. I can't imagine that for you as the professionals it's hard to build a new rpm for the current and even some outdated distributions. And what you mention about snort in your next posting ... I can only ask what is different with sendmail that you did a fix for that so fast? And the feedback here in this group shows that others are thinking the same ... just to tell us that the next distribution, which isn't even announced, will include the bug-fixed version of snort is not really a good thing. Sounds a little bit like the way M$ handles security. But it's good that you came back with some feedback into the group :-)

Have a nice week!

Uwe Betz
IMNSHO, Suse *really* should provide an update rpm:
You don't have to provide an rpm with fixed source, but you
really should (automatically) disable the rpc stuff via
postinstall and probably send an email to root.
Why? Because I'm convinced that quite a lot of people rely on
you (or fou4s or apt-get) to "fix" security problems for them.
Microsoft received some well deserved bashing for not providing
an update for the SQL (or whatever) fix that enabled slammer via
the simple click on the "Windows update" button.
Please don't repeat the M$ mistake!
I know you are on a tight schedule right now, but a remote root
compromise is the highest sort of threat and should be fixed asap.
Ciao
Jörg
--
Joerg Mayer
On Tuesday 11 March 2003 08:35, Joerg Mayer wrote:
IMNSHO, Suse *really* should provide an update rpm:
<snip>
I know you are on a tight schedule right now, but a remote root compromise is the highest sort of threat and should be fixed asap.
Agreed, and Thomas answered this when I asked. He already said they are working on it. There will be information in the next Security Notice in section 2. Perhaps they should get more help from inside SuSE? It doesn't take a security expert to copy the info that Thomas has given in this thread and make an official response. Anyway lets let Thomas have the time to get his updates done, they're busy and pestering him here won't be helping. I just hope he gets done, before there's an circulation with script kiddies. Rob
On Tuesday 11 March 2003 10:06, Robert Davies wrote:
Anyway lets let Thomas have the time to get his updates done, they're busy and pestering him here won't be helping. I just hope he gets done, before there's an circulation with script kiddies.
That was meant to say, 'an exploit in circulation for script kiddies'! Sorry, and regards Rob
Just to prevent misunderstandings: Of course we will publish a fix. That's what we are here for (and what people have confidence in). It's just about the version upgrades that we fear. That will probably not happen. Stay tuned.
Thanks,
Roman.
--
| Roman Drahtmüller
Can someone explain how I can block these attempts to negotiate an ssh session from outside my LAN? That is, I read "connection refused" in the following log (/var/log/messages), but only from the second attempt. What can we say about the first one from 62.211.51.30? It seems to have been accepted because I don't read any "connection refused". In any case my firewall ACCEPTs these connections that I want to block. Is "connection refused" the answer from TCPWrapper? And why just on the second attempt? I would like to append a rule to SuSE-Firewall2 to block these attempts. I would appreciate any help, thank you.

Fabio De Francesco

Feb 22 20:33:00 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.211.51.30 DST=xx.xx.xx.xx LEN=40 TOS=0x10 PREC=0x00 TTL=119 ID=47416 PROTO=TCP SPT=63147 DPT=22 WINDOW=53672 RES=0x00 SYN URGP=0
Feb 22 20:33:01 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55846 DF PROTO=TCP SPT=3372 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:02 myhost sshd[4686]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
Feb 22 20:33:06 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55854 DF PROTO=TCP SPT=3373 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:07 myhost sshd[4687]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
Feb 22 20:33:12 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55872 DF PROTO=TCP SPT=3374 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:12 myhost sshd[4688]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
On Monday 10 March 2003 16:02, Fabio De Francesco wrote:
Can someone explain how I can block these attempts to negotiate ssh session from the outside of my LAN? That is, I read "connection refused" in the following log (/var/log/messages), but only from the second attempt. What can we say about the first one from 62.211.51.30? It seems to have been accepted because I don't read any "connection refused".
Probably because there wasn't a login attempt; if there was a successful login there would be a message that said so.
In any case my firewall ACCEPT these connection that I want to block. Is "connection refused" the answer from TCPWrapper? And why just on the second attempt?
No it says sshd refused the connection.
I would like to append a rule is SuSE-Firewall2 to block this attempts.
What do you mean, add a rule? You just have to delete ssh or 22 from the FW_SERVICES_EXT_TCP line in your SuSEfirewall2 config file. If you didn't want SSH access from the outside, why did you add that at all?
--
GertJan
Email address is invalid, so don't reply directly, I'm on the list.
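Fabio's log and GertJan's two answers, worked as an added shell example that is not from the thread. The "refused connect from" line is what sshd built with TCP-wrappers (libwrap) support logs when /etc/hosts.deny turns a client away, so the script correlates SuSE-FW-ACCEPT kernel lines for port 22 with those sshd lines: a source that the firewall accepted but sshd never refused (62.211.51.30 in Fabio's excerpt) is the one to look at. The second function applies GertJan's fix to the config text, stripping ssh/22 from FW_SERVICES_EXT_TCP. The log excerpt is constructed from the lines quoted in the post; the config path /etc/sysconfig/SuSEfirewall2 is an assumption for SuSE 8.x.

```shell
#!/bin/sh
# Added example, not from the original thread. Correlates SuSEfirewall2
# kernel log lines (SuSE-FW-ACCEPT ... DPT=22) with sshd "refused connect"
# lines, so that sources the firewall let through and sshd never refused
# stand out. The log excerpt is constructed from the lines quoted in the
# post (destination masked as xx.xx.xx.xx, as there).

SAMPLE_LOG=$(cat <<'EOF'
Feb 22 20:33:00 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=62.211.51.30 DST=xx.xx.xx.xx LEN=40 TOS=0x10 PREC=0x00 TTL=119 ID=47416 PROTO=TCP SPT=63147 DPT=22 WINDOW=53672 RES=0x00 SYN URGP=0
Feb 22 20:33:01 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55846 DF PROTO=TCP SPT=3372 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:02 myhost sshd[4686]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
Feb 22 20:33:06 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55854 DF PROTO=TCP SPT=3373 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:07 myhost sshd[4687]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
Feb 22 20:33:12 myhost kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=212.50.172.114 DST=xx.xx.xx.xx LEN=48 TOS=0x10 PREC=0x00 TTL=107 ID=55872 DF PROTO=TCP SPT=3374 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 22 20:33:12 myhost sshd[4688]: refused connect from adsl.212-50-172-114.karoo.KCOM.COM (212.50.172.114)
EOF
)

# Report, one line per source address that got a SuSE-FW-ACCEPT for a TCP
# SYN to port 22:
#   <src> accepted=<n> refused=<m> [UNREFUSED]
# UNREFUSED marks a source that reached sshd and was not turned away by its
# TCP-wrappers check (no "refused connect from" line for it). Reads the log
# from the files given as arguments, or from stdin.
ssh_accept_report() {
    awk '
        /SuSE-FW-ACCEPT/ && / PROTO=TCP / && / SYN / && / DPT=22 / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) acc[substr($i, 5)]++
        }
        /sshd\[[0-9]+\]: refused connect from / {
            ip = $NF                  # "(212.50.172.114)" is the last field
            gsub(/[()]/, "", ip)
            ref[ip]++
        }
        END {
            for (s in acc) {
                flag = (s in ref) ? "" : " UNREFUSED"
                printf "%s accepted=%d refused=%d%s\n", s, acc[s], ref[s] + 0, flag
            }
        }' "$@" | sort
}

# GertJan's fix: take "ssh" (or a bare "22") out of FW_SERVICES_EXT_TCP in
# the SuSEfirewall2 config (/etc/sysconfig/SuSEfirewall2 on SuSE 8.x; the
# path is an assumption) so the SYN is dropped by the firewall instead of
# reaching sshd. Filters the config from stdin to stdout; other lines pass
# through unchanged.
drop_ssh_from_ext_tcp() {
    awk '
        /^FW_SERVICES_EXT_TCP=/ {
            val = substr($0, index($0, "=") + 1)
            gsub(/"/, "", val)
            n = split(val, svc, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (svc[i] != "ssh" && svc[i] != "22")
                    out = out (out == "" ? "" : " ") svc[i]
            print "FW_SERVICES_EXT_TCP=\"" out "\""
            next
        }
        { print }'
}

# Run the report over the constructed excerpt when executed directly.
printf '%s\n' "$SAMPLE_LOG" | ssh_accept_report
```

On a real box the report would be run as `ssh_accept_report /var/log/messages`, and the config filter as `drop_ssh_from_ext_tcp < /etc/sysconfig/SuSEfirewall2 > SuSEfirewall2.new` before reviewing the diff and restarting the firewall; the report only tells you who got as far as sshd, it says nothing about whether a login was attempted, which is GertJan's point about the missing login message.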
On Friday 07 March 2003 15:02, HoneyNet Germany wrote:
Will there be no Update for existing distributions as it is not a minor fix, but an important update for everyone using snort on a box. With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround). I just wonder a little bit about your answert that the next release will contain the fixed snort-rpm.
Hmmm ... thinking about priorities .... In security!
Probably they don't like snort; the 'updated' version for SuSE 7.2 had some sort of problem (can't remember what, but it was mentioned on this list back then) and was put in the update/7.2/.needs_review directory over a year ago. I find that a very very long time for a review.
--
GertJan
Email address is invalid, so don't reply directly, I'm on the list.
Good Morning. On Fri, 7 Mar 2003, HoneyNet Germany wrote:
Will there be no Update for existing distributions as it is not a minor fix, but an important update for everyone using snort on a box. With sendmail the reaction was quite fast, with snort the problem wasn't even mentioned here (with the workaround).
As a workaround just put a # in front of the line activating
the preprocessor for rpc_decode in snort.conf.
IMHO this won't be the last remotely exploitable bug in snort.
It's a program running in a dangerous environment, maybe it uses
root privilege to fulfil its work and it reads an endless amount of
data from untrusted and undefined sources.
No doubt, snort is very useful, but it's dangerous too and far away from
detecting a skillful attacker.
Bye,
Thomas
--
Thomas Biege
...hum, ok, so snort-1.8.4-3 in version 8.0 and snort 1.8.7b128 in version 8.1 must be used with the following workaround from snort.org?

If you are in an environment that can not upgrade snort immediately, comment out the line in your snort.conf that begins:

preprocessor rpc_decode

and replace it with:

# preprocessor rpc_decode
-- -.Francisco Acosta.- -.chesco@idea.com.py.-
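The rpc_decode workaround from Thomas's and Francisco's messages, as an added shell example that is not from the thread or from snort.org. It comments out every active `preprocessor rpc_decode` line in a snort.conf in place, keeps a backup, does nothing on a second run, and has a check you can use to confirm no active line is left. The snort.conf fragment it is tried on is constructed; the path /etc/snort/snort.conf in the usage note is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread: apply the rpc_decode
# workaround to a snort.conf in place, idempotently, and check that no
# active rpc_decode line is left. The config fragment is constructed.

# Write a small constructed snort.conf fragment to the path given.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed snort.conf fragment (not a full config)
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80 -unicode -cginull
EOF
}

# Return 0 if the config still has an active (uncommented) rpc_decode
# preprocessor line, 1 otherwise. Leading whitespace is tolerated.
rpc_decode_active() {
    grep -q '^[[:space:]]*preprocessor[[:space:]][[:space:]]*rpc_decode' "$1"
}

# Comment out every active "preprocessor rpc_decode" line. Lines that are
# already commented do not match the pattern, so a second run changes
# nothing (no "# # preprocessor ..."). A copy of the original is kept next
# to it for diffing or restoring.
disable_rpc_decode() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    cp "$conf" "$conf.bak" || return 2
    sed 's/^[[:space:]]*preprocessor[[:space:]][[:space:]]*rpc_decode/# &/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf" || return 2
}

# Usage: disable-rpc-decode.sh /etc/snort/snort.conf
if [ "$#" -eq 1 ]; then
    disable_rpc_decode "$1" || exit 2
    if rpc_decode_active "$1"; then
        echo "rpc_decode still active in $1" >&2; exit 1
    fi
    echo "rpc_decode disabled in $1 (backup in $1.bak)"
fi
```

After editing, `snort -T -c /etc/snort/snort.conf` (snort's configuration test mode) confirms the file still parses before snort is restarted. Keep in mind what is lost: rpc_decode normalises fragmented RPC records before the rules see them, so with it off an attacker who fragments RPC traffic can slip past the RPC rules until the patched version is in place.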
On Friday 07 March 2003 13:47, HoneyNet Germany wrote:
Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerablity. But until now no one mentioned this on the list, nor is an update availble.
When can we expect an updated Snort 1.9.1 RPM?
Usually SuSE publish minimum patches to address vulnerabilities, rather than new versions of a package. Maybe that was the wrong question to ask?

Having watched the thread slightly bemused, I am wondering:

1) Will there be an advisory on snort, in response to the vulnerability?
2) If so, will there be update patch rpms in future?
3) Will the workaround be published officially, to tide 'snorters' over in the meantime?

As it is, I have the impression snort, though present on my CD disks and the SuSE ftp site, is creeping under the radar. If I had not been paying attention here, then I might open up one of my systems unknowingly by installing this package with a remote root exploit.

Thomas, thank you for the info, and I agree with you that it is simple to update the snort package by downloading source and rebuilding the rpm. There is however a problem if a known remote-root vulnerable package can remain on the install list for long, simply because that package is 'low priority', maybe because it's infrequently installed, or it's software the Security Team do not trust and like.

One of the reasons I buy and use SuSE is because of the Security Team, and I really like the fact that you are accessible on this list. But you and your managers need to appreciate that I am then relying on you to make sure the SuSE packages are sound against known vulnerabilities, or at least produce an advisory, with a workaround or 'pull the package entirely'.

If there's not time to deal with snort patches and update rpms, and you don't seem to have confidence in the implementation, then maybe the axe should fall? For those who do want to risk snort, a simple spec file and a support note on how to build the snort update package for those who *must* have it, with appropriate disclaimers?

Rob
On Mon, 10 Mar 2003, Robert Davies wrote:
On Friday 07 March 2003 13:47, HoneyNet Germany wrote:
Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerablity. But until now no one mentioned this on the list, nor is an update availble.
When can we expect an updated Snort 1.9.1 RPM?
Usually SuSE publish minimum patches to address vulnerabilities, rather than new versions of a package. Maybe that was the wrong question to ask?
Having watched the thread slightly bemused, I am wondering :
1) Will there be an advisory on snort, in response to the vulnerability? 2) If so, will there be update patch rpms in future? 3) Will the workaround be published officially, to tide 'snorters' over in the meantime?
Yes.
As it is, I have the impression snort, though present on my CD disks and the SuSE ftp site, is creeping under the radar. If I had not been paying attention here, then I might open up one of my systems unknowingly by installing this package with a remote root exploit.
Thomas, thank you for the info, and I agree with you that it is simple to update the snort package by downloading source and rebuilding the rpm.
I know it isn't the most convenient way, but we are working under high pressure currently. I used snort myself for a very long time and as a snort user I recognized that it's very important to keep track of the releases made by the snort team. Their release frequency is much higher than any vendor is able to publish new and tested packages. And their installation routines are clean enough to make compiling, installing and running a new snort release very easy.
There is however a problem if a known remote-root vulnerable package can remain on the install list for long, simply because that package is 'low priority', maybe because it's infrequently installed, or it's software the Security Team do not trust and like.
We think snort is useful that's the reason we ship it. SuSE always tries to ship the most recent versions with their upcoming SuSE Linux release. Bugs like this will be communicated in section two of our security announcements. I know snort wasn't part of the last announcement but it'll be part of the next one.
One of the reasons I buy and use SuSE, is because of the Security Team, and I really like the fact that you are accessible on this list. But you and your
Thank you.
managers need to appreciate that I am then relying on you to make sure the SuSE packages are sound against known vulnerabilities, or at least produce an advisory, with a workaround or 'pull the package entirely'.
We will...
If there's not time to deal with snort patches and update rpm's, and you don't seem to have confidence in the implementation, then maybe the axe should fall?
For those who do want to risk snort, a simple spec file and a support note on how to build the snort update package for those who *must* have it, with appropriate disclaimers?
It should be easy. Just install the source rpm from your CD, generate the
patch for your version by using their CVSWeb
(http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/preprocessors...)
and add it to the spec file. I didn't try it on my own, but it may work.
Copy the tar balls containing the sources to /usr/src/packages/SOURCES and
the spec file to /usr/src/packages/SPECS .
Run rpm -bb /usr/src/packages/SPECS/snort.spec to build the rpm file.
Make sure all dependencies are solved. A list of dependencies is (should
be) included in the header of the spec file.
Now install/update the new snort rpm by running the following command as
root: rpm -Uvh /usr/src/packages/RPMS/<your arch>/snort-<your version>.<your arch>.rpm
But compiling and installing the new snort version may be a lot easier.
Bye,
Thomas
--
Thomas Biege
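Thomas's rebuild recipe above leaves the "add it to the spec file" step to the reader; this added shell example, which is not from the thread or from SuSE, does that step and then runs the rest of the recipe under rpm. A patch is registered in the preamble as the next free `PatchN:` tag and applied in `%prep` with a matching `%patchN -p1` line after the last `%setup`/`%patch` line, so it keeps the order of any patches already there. The snort.spec it is tried on is constructed (it is not SuSE's spec); `-p1` assumes the patch was taken relative to the unpacked `snort-<version>/` directory, which is the usual case for a diff from the snort CVS tree; `/usr/src/packages` is the path Thomas names.

```shell
#!/bin/sh
# Added example, not from the original thread: the spec-file step of
# Thomas's rebuild recipe, plus the rpm commands around it. The spec in
# make_sample_spec is constructed, not SuSE's. "-p1" assumes a patch
# made from the snort-<version>/ top directory.

# Write a constructed, minimal snort.spec to the path given.
make_sample_spec() {
    cat > "$1" <<'EOF'
Name: snort
Version: 1.8.7
Release: 1
Source0: snort-1.8.7.tar.gz
Patch0: snort-1.8.7-config.dif

%prep
%setup -q
%patch0 -p1

%build
./configure && make
EOF
}

# add_patch_to_spec SPEC PATCHFILE
# N = highest existing PatchN + 1 (0 if there is none). Inserts
# "PatchN: PATCHFILE" after the last Source/Patch tag and "%patchN -p1"
# after the last %setup or %patch line, so patches apply in numbered
# order. Edits the spec in place; fails if either anchor is missing.
add_patch_to_spec() {
    spec="$1"; patch="$2"
    n=$(sed -n 's/^Patch\([0-9][0-9]*\):.*/\1/p' "$spec" | sort -n | tail -n 1)
    if [ -z "$n" ]; then n=0; else n=$((n + 1)); fi
    awk -v n="$n" -v p="$patch" '
        { line[NR] = $0 }
        /^(Source[0-9]*|Patch[0-9]*):/ { tag = NR }
        /^%setup/ || /^%patch/          { prep = NR }
        END {
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == tag)  print "Patch" n ": " p
                if (i == prep) print "%patch" n " -p1"
            }
        }' "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec" || return 2
    grep -q "^Patch$n: " "$spec" || { echo "no Source/Patch tag in $spec" >&2; return 1; }
    grep -q "^%patch$n -p1\$" "$spec" || { echo "no %setup/%patch line in $spec" >&2; return 1; }
}

# rebuild_snort SRPM PATCHFILE
# The rest of Thomas's recipe: install the source rpm from the CD (which
# unpacks into /usr/src/packages/SOURCES and SPECS), drop the patch in,
# register it, build. Needs rpm and root; not exercised by the test.
rebuild_snort() {
    rpm -ivh "$1" || return 1
    cp "$2" /usr/src/packages/SOURCES/ || return 1
    add_patch_to_spec /usr/src/packages/SPECS/snort.spec "$(basename "$2")" || return 1
    rpm -bb /usr/src/packages/SPECS/snort.spec   # result lands in RPMS/<arch>/
}
```

The binary package then goes in with `rpm -Uvh /usr/src/packages/RPMS/<arch>/snort-<version>.<arch>.rpm`, as Thomas says; if `rpm -bb` stops at `%patch1`, the patch was taken from a different directory depth and the `-p` level in the inserted line has to be adjusted to match.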
participants (9): Fabio De Francesco, Francisco Acosta, GertJan Spoelman, HoneyNet Germany, Joerg Mayer, Mathias Homann, Robert Davies, Roman Drahtmueller, Thomas Biege