Flaw Discovered In Snort Intrusion Prevention Software

Researchers from Demarc, a security vendor, discovered the flaw May 17 and released a patch earlier this week.

A recently discovered security issue in Snort, the open source intrusion prevention and detection technology used in government agencies and many large corporations, could allow attackers to bypass security on compromised machines.

Researchers from Demarc, a Carpinteria, Calif.-based security vendor, discovered the flaw May 17 and released a patch earlier this week. Researchers found that while connecting to Web ports via telnet, adding a carriage return after the URL before the HTTP protocol declaration would enable Snort detection to be evaded, said Joel Ebrahimi, director of application development at Demarc.

Although there are no blatant flaws in the Snort code, this discovery is significant because it enables the URL to bypass up to 2000 Uniform Resource Identifier (URI) content rules in the Snort rule language and attack infected machines, Ebrahimi added.

Although the flaw makes it possible to evade Snort detection, it doesn't enable other types of attacks to be launched, and only applies to a particular subset of Snort rules and protected Apache web servers, said Michele Perry, chief marketing officer at SourceFire, the Columbia, Md., security software vendor that manages the open source Snort.
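
A check for the request shape described above, added here as an illustration and not code from Demarc, SourceFire or Snort: it parses the first line of a raw HTTP request and flags a carriage return that sits between the URL and the HTTP protocol declaration. The function names and the sample requests are constructed for this example.

```python
import re

# HTTP-version token at the end of a request line, e.g. "HTTP/1.0".
VERSION_AT_END = re.compile(rb"HTTP/\d\.\d[ \t]*$")
# Request-target: everything up to the first space, tab or carriage return.
TARGET = re.compile(rb"[^ \t\r]*")


def inspect_request_line(raw: bytes) -> dict:
    """Parse the first line of a raw HTTP request and flag a bare carriage
    return (a CR that is not part of the terminating CRLF) that sits between
    the request-target and the HTTP-version token."""
    line = raw.split(b"\n", 1)[0]        # the line really ends at the first LF
    if line.endswith(b"\r"):
        line = line[:-1]                 # drop the CR of the terminating CRLF
    method, _, rest = line.partition(b" ")
    target = TARGET.match(rest).group(0)
    tail = rest[len(target):]            # whatever separates target and version
    version = VERSION_AT_END.search(tail)
    gap = tail[:version.start()] if version else tail
    return {
        "method": method.decode("latin-1"),
        "target": target.decode("latin-1"),
        "version": version.group(0).strip().decode("latin-1") if version else None,
        "cr_before_version": bool(version) and b"\r" in gap,
    }


def flag_requests(requests):
    """Return the targets of requests whose first line carries the bare CR."""
    hits = []
    for raw in requests:
        info = inspect_request_line(raw)
        if info["cr_before_version"]:
            hits.append(info["target"])
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.0\r\n\r\n",            # well-formed
    b"GET /cgi-bin/test.cgi\r HTTP/1.0\r\n\r\n",    # CR after the URL
    b"GET /plain\r\n",                              # no version token at all
]

if __name__ == "__main__":
    print(flag_requests(SAMPLES))
```
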

"We think it's a manageable issue," said Perry, who said SourceFire is working on patches for versions 2.4 and 2.6 of Snort and plans to release them Monday.

There is some disagreement between the two sides as to whether proper protocol was followed in the announcement of the issue. According to Ebrahimi, Demarc notified SourceFire and provided full disclosure about the flaw May 18. Five days later, SourceFire responded and said it was working on a patch. But when SourceFire declined to share a copy of the patch, Demarc decided to code one of its own, which it released May 31.

"We were concerned about [the vulnerability] being in the wild -- you never know with open source if someone already knows about [a vulnerability]," Ebrahimi said. Demarc released the patch initially only to Snort-specific user lists to keep a low profile, he added.

However, SourceFire's position is that Demarc didn't follow standard industry protocol for releasing information on vulnerabilities. "This could have been patched, but [Demarc] chose to go for the publicity," said Perry.