By Mike Mullins
Snort is a common open source network packet monitoring and intrusion detection tool. Released in December 1996, it was originally developed for UNIX-based systems. Since then, Snort has been ported to all the major UNIX-based operating systems, Windows operating systems, and MacOS X. Snort has three common uses: packet sniffing, packet logging, and intrusion detection.
You can use Snort strictly as a packet sniffer, which is a wiretap device that watches network traffic. In order to translate the binary data on the wire, packet sniffers also include a protocol analyzer. The protocol analyzer decodes the network traffic and converts the ones and zeros into a format you can read.
Snort's sniffing and decoding mechanism is similar to the output you receive when running tcpdump.
As a packet logger, Snort can send a packet sniffer's continual output to a flat file that you designate when you initiate the sniffer. Although you can direct the log output to the console, it's usually saved. This information is particularly useful when analyzing your network for traffic flow problems caused by various protocols.
Don't get wrapped around the axle by terms. Through common usage, "packet sniffing" and "packet logging" have become interchangeable. The difference between the two is that sniffers become loggers when you start recording the data.
Finally, Snort is most typically used as a freeware intrusion detection system (IDS). As network traffic is sniffed and decoded, it's logged to a file and anomalous or specified traffic triggers an alert. Alerts are delivered through a variety of mechanisms including:
Snort is useful and extremely flexible in what it can do and on what platforms it can operate. The problem is that it's vulnerable to integer/heap and buffer overflows.
Integer/heap overflows are extremely complex. An integer overflow is a condition that's triggered when the preprocessor reassembles malformed fragmented packets.
The preprocessor assembles packets before passing them to Snort for traffic analysis. Corrupting the preprocessor's value causes distortion of the memory processor's values, which corrupts the heap memory and triggers an integer overflow condition.
Buffer overflows are fairly common. This overflow takes advantage of the remote procedure call (RPC) decode preprocessor that interprets packet encoding. The encoding default is a 4-byte packet; however, packets of other sizes also can be sent through the network. If a packet is too long, it can't be decoded properly and will result in a buffer overflow.
Heap/integer and buffer overflow vulnerabilities are significant when you realize that the malicious packets that trigger these vulnerabilities don't have to be directed at the machine running Snort. They just have to be seen and decoded by the IDS. Add this to the fact that Snort usually runs as root and alarm bells should be ringing! Once exploited, an attacker could assume full control of your IDS, leaving your network security administrators blind to all attacks on your network.
So what can you do to ensure that malicious traffic doesn't derail your network defense? Don't stop using Snort. Check your machines and verify which version you're running. During mid-April this year, the Snort Web site released version 2.0 RC4. Versions 1.8 to version 2.0 are vulnerable to integer and/or buffer overflows. Visit Snort's site to download the latest version of this free tool and regain control of your network security.
While most administrators are very thorough when it comes to software versioning and updating user applications, we sometimes forget to police ourselves and verify that our tools are up to date. So take a minute to step back and make sure your tool set is current.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.