Snort sniffs at security scare

A spat has broken out in the security community after Internet Security Systems (ISS) revealed a security flaw in the Snort open source intrusion detection system.

ISS released an advisory warning on Monday of a remote denial of service (DoS) vulnerability in Snort, but the system's developer has since poured cold water on this "molehill turning into a mountain".

ISS warned that "it may be possible for remote attackers to send specially crafted ICMP [internet control message protocol] packets to the program, resulting in a segmentation fault that would crash the Snort engine", and thus leave a network without intrusion detection security.

But Snort author Marty Roesch retaliated today, saying that ISS' discovery was "no big deal".

He claimed that the problem only manifests itself on ICMP packets with payloads smaller than four bytes, "which is non-standard", and the crash condition only occurs "if you're running the -d switch at the command line and logging in ASCII mode".

Again, this is not a default mode that has to be explicitly activated "and it's recommended specifically that you don't in production environments due to performance impact", said Roesch.

ISS advised Snort users to install the vendor-supplied patch immediately or upgrade to the latest version of Snort.

But Roesch added: "This is a non-event. A bug that should have been handled as a bug has now been elevated to some sort of DoS attack against Snort due to ISS getting in on the act."

He also wrote on the Snort website: "I won't speak to ISS' motivations (although it is interesting that the news media weren't alerted when we posted up the screenshot of their policy manager failing due to a lack of paper in the printer) but it does seem like something their sales and marketing arm could use for fear, uncertainty and doubt.

In recent tests, Snort blew away commercial vendor IDS offerings and paved the way for open source security products to make a dent in the market.