Snort Vulnerability Exposed
Researchers at the University of Wisconsin in Madison have discovered a vulnerability in Snort, the open-source intrusion prevention technology, that could be used to launch a DoS attack.
The problem lies in Snort's rule-matching algorithm: a specifically crafted packet can force it to carry out several time-consuming operations, leading to zero or decreased detection rates.
Snort, the open-source intrusion detection system, contains a flaw that hackers can exploit remotely to carry out DoS attacks and render malicious traffic detection futile.
The vulnerability is reported in version 2.4.3, but other versions can be affected as well. Users are advised to update to the latest version.
Successful exploitation can cause the CPU of the IDS system to operate at 100 percent capacity and eliminate intrusion detection by Snort, making Snort filters ineffective against malicious traffic entering the network.
While the exploit is not all that difficult to manage, attackers would require an understanding of how Snort's signature matching operation works and thorough knowledge of the code, according to Smith. The exploit requires minimal bandwidth and could be launched with the help of a dialup modem.
In a press release by cgidir.com on January 11, 2007, Matt Watchinski, director of the Sourcefire Vulnerability Research team, stated that with advancing technology came threats seeking vulnerabilities to exploit. It is necessary for customers to be aware that their security solutions have the backing of a research team committed to proactively providing the highest possible protection. The Sourcefire VRT is dedicated to being an industry leader for protection against the latest threats. Very often the Snort community and Sourcefire users have protection well in advance of an exploit being released.
Symantec DeepSight rated the severity of the flaw at 7.8 on a 10-point scale. Secunia perceived less severity, rating it "less critical", 2 on a 5-point scale.
Sourcefire is the producer of Snort, and in October 2006 it revealed its intention of going public following the failure of a plan to be acquired by Check Point. Snort users include the Department of Defense and other government agencies, as well as many large US companies.
» SPAMfighter News - 18-01-2007