
Re: Snort exploit in wild.



On Fri, Apr 25, 2003 at 10:44:49PM +0100, Nick Boyce wrote:
> The general consensus of opinion (including the Debian packager) was
> that *nobody* should even consider using the V1.8.4 Snort package in
> Woody - it's much too old, and has a number of security issues.

It's not really that it has a number of security issues; it's more that
no new rulesets are being developed for it, and thus it can't detect any
attempts to exploit vulnerabilities more recent than its last ruleset.
Obviously that defeats the purpose of using a rule-based traffic
analyzer like snort.

> Most people's advice was to stop using the Debian package, and instead
> download & compile the latest source from www.snort.org, and keep
> tracking new releases from there - and get signature updates from
> there as well.  This is what I do now.

Yes, that's generally the least disruptive to your Debian system.  I've
seen people run a hybrid woody/sid system just to get the new snort.  If
you build it yourself, you don't need to worry about upgrading to
unstable and unsupported (by the sec team) software.

> Some people think Snort should actually be removed from the Debian
> package collection, because it will always drift seriously out of date
> over time, and because there's no easy way to incorporate up-to-date
> signatures (rules) into Debian.

It would be less of an issue if you could actually *get* new rules for
the version of snort that's in woody.  There wouldn't be anything to
stop you from downloading the new rules (which are distributed
independently of snort itself and updated regularly) and untarring them
into the right place and having the right thing happen.

Yes, snort should probably not be shipping with Debian.  Sticking with
an outdated version of snort is counterproductive and, at the very
least, likely to give you a false sense of security regarding the
traffic hitting your machines.

I wish people were more open to the idea of letting a wholly new version
(say, an up to date 1.9) enter woody with its next revision, but that's
not going to happen.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
