Patch Counters Vulnerability In Snort Open-Source Intrusion Protection

Researchers from Demarc, a Carpinteria, Calif.-based security vendor, discovered the vulnerability May 17 and released a patch May 31. Researchers found that while connecting to Web ports via telnet, adding a carriage return after the URL before the HTTP protocol declaration would enable Snort detection to be evaded, said Joel Ebrahimi, director of application development at Demarc.

Although there are no blatant flaws in the Snort code, discovery of the vulnerability is significant because it affects up to 2,000 Uniform Resource Identifier (URI) content rules in the Snort rule language, Ebrahimi said.
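The defensive point behind the two paragraphs above is a parsing disagreement: a sensor that delimits the request line strictly and a server that tolerates a stray carriage return can extract different URIs, and a URI content rule then matches only on one side. The Python below is an added example written for this page, not Demarc's patch or Snort code; the strict and lenient parsers, the single stand-in rule and the sample requests are all assumptions constructed to illustrate the normalise-then-match check and the separate "bare CR" flag a sensor can raise.

```python
import re

# Constructed sample requests for this example (not from the article).
# The path is a placeholder, not a real probe or exploit.
NORMAL = b"GET /cgi-bin/probe.cgi HTTP/1.0\r\nHost: example.test\r\n\r\n"
CR_SPLIT = b"GET /cgi-bin/probe.cgi\rHTTP/1.0\r\nHost: example.test\r\n\r\n"

# Stand-in for one URI content rule; assumed, not a real Snort rule.
URI_RULES = {"probe-cgi": b"/cgi-bin/probe.cgi"}

# Strict request line: method, URI and version separated by space/tab only.
REQUEST_LINE = re.compile(rb"^([A-Z]+)[ \t]+(\S+)[ \t]+(HTTP/\d\.\d)$")

def request_line(request: bytes) -> bytes:
    """The request line as a CRLF-terminated parser delimits it."""
    return request.split(b"\r\n", 1)[0]

def strict_uri(request: bytes):
    """Strict parse. Returns None when the line does not match, e.g. when a
    bare CR sits between the URI and the HTTP version."""
    m = REQUEST_LINE.match(request_line(request))
    return m.group(2) if m else None

def lenient_uri(request: bytes):
    """Tolerant parse that also accepts a bare CR as a separator. Assumed to
    mirror a lenient server; the article does not describe Apache's exact
    behaviour."""
    parts = re.split(rb"[ \t\r]+", request_line(request))
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return parts[1]
    return None

def has_bare_cr(request: bytes) -> bool:
    """True when the request line contains a CR that is not followed by LF."""
    return re.search(rb"\r(?!\n)", request_line(request)) is not None

def inspect_request(request: bytes) -> dict:
    """Defensive check: match URI rules against the normalised URI and raise a
    separate flag for a bare CR, so a parser disagreement between the sensor
    and the server cannot silently skip the URI rules."""
    uri = lenient_uri(request)
    hits = [name for name, pat in URI_RULES.items() if uri and pat in uri]
    return {"uri": uri, "rule_hits": hits, "bare_cr": has_bare_cr(request)}

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("bare CR", CR_SPLIT)):
        print(label, "strict:", strict_uri(req), "inspect:", inspect_request(req))
```

Run as-is: the strict parser rejects the bare-CR line outright while the lenient one still recovers the URI, which is exactly the gap a URI rule falls through unless the sensor normalises first or alerts on the malformed line.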

Michele Perry, chief marketing officer at Sourcefire, the Columbia, Md., vendor that manages open-source Snort, said even though the vulnerability makes it possible to evade Snort detection, it doesn't enable other types of attacks to be launched, and only applies to a particular subset of Snort rules and protected Apache Web servers.

One solution provider said Snort has been relatively bug-free over the years and recent security issues aren't likely to prompt customers to switch from a technology they trust to alternative solutions. "In particular, we haven't seen any open-source vulnerability cause any great pressure in any corporation," said Greg Hanchin, principal of DirSec, Centennial, Colo.

Demarc and Sourcefire disagree as to whether proper protocol was followed in releasing the patch. Ebrahimi said Demarc provided full disclosure of the vulnerability to Sourcefire on May 18. Five days later, Sourcefire responded and said it was working on a patch, he said. But when Sourcefire declined to share a copy of the patch, Demarc decided to code one of its own. Sourcefire, meanwhile, said Demarc should have allowed Sourcefire to patch the vulnerability rather than coding its own patch.