Jennifer,
I might be missing something, but when I click the
http://www.snort.org/dl/ link all I see is the
2.4.2 version, not the 2.4.3.
Thanks,
Sam
On 10/18/05, Jennifer Steffens <jennifer...@sourcefire.com> wrote:
>
> Subject: Fix and Mitigation Available for Snort Vulnerability
>
> The Sourcefire Vulnerability Research Team (VRT) has learned of a
> vulnerability in Snort v2.4.0 and higher. Users are only vulnerable if
> the Back Orifice preprocessor is enabled. Snort v2.4.3 has been released
> to correct the issue and detailed instructions for mitigating the issue
> by disabling the Back Orifice preprocessor are below.
>
>
> Snort v2.4.3
>
> In addition to fixing the vulnerability, this version includes a
> mechanism to detect exploits against vulnerable sensors and, optionally
> for inline sensors, drop the offending traffic. These features enable a
> phased approach to upgrading while protecting unpatched sensors.
> Detection capabilities are part of the new preprocessor and therefore
> are available to all users regardless of subscription status.
>
> In addition to the source tarball, postgres, mysql and plain RPMs and a
> win32 installer are available at http://www.snort.org/dl. Please
> remember that updated rules are only included in major releases. For
> updated rules, visit http://www.snort.org/rules/.
>
>
> Mitigation Instructions:
>
> The Back Orifice preprocessor can be disabled by commenting out the line
> "preprocessor bo" in snort.conf. This can be done in any text editor
> using the following procedure:
>
> 1. Locate the line "preprocessor bo"
> 2. Comment out this line by preceding it with a hash (#). The new line
> will look like "#preprocessor bo"
> 3. Save the file
> 4. Restart snort
>
>
> Background:
>
> On Thursday, October 13th Sourcefire was contacted by USCERT with news
> of a vulnerability in Snort. We used the subsequent days to verify the
> vulnerability and to prepare mitigation strategies and the software
> updates necessary to fix the vulnerability for both Sourcefire customers
> and Snort users. While it cannot be said that no other problems will
> ever be found in the Snort code base, we can state that we will redouble
> our efforts to ensure the security of the system so many people have
> come to rely on for the detection of network-based threats. Sourcefire
> will also continue to work with the most sophisticated testing
> facilities in the industry to assure that every reasonable step is being
> taken to provide the most secure code base possible.
>
>
> Technical Details:
> The Back Orifice preprocessor contains a stack-based buffer overflow.
> This vulnerability could be leveraged by an attacker to execute code
> remotely on a Snort sensor where the Back Orifice preprocessor is
> enabled. However, there are a number of factors that make remote code
> execution difficult to achieve across different builds of Snort on
> different platforms, even on the same platform with different compiler
> versions, and it is more likely that an attacker could use the
> vulnerability as a denial of service attack.
>
>
> If you have any questions, please let us know at snort...@sourcefire.com
>
> Thanks,
> Jennifer
>
>
> --
> Jennifer S. Steffens
> Director, Snort Product Management | Sourcefire, Inc.
> W: 410.423.1930 | C: 202.409.7707
> www.sourcefire.com <http://www.sourcefire.com> | www.snort.org <http://www.snort.org>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort...@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
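The four-step mitigation from the advisory quoted above, as an added shell example that is not part of the original thread or Sourcefire's own tooling: it counts active "preprocessor bo" lines in a snort.conf, comments them out after taking a backup, and flags the versions the advisory names as affected. The function names, the backup suffix and the sample file are assumptions; restarting Snort (step 4) is left to the operator.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and apply the
# "preprocessor bo" mitigation. All names below are constructed.

# Active directive: optional indent, "preprocessor", blanks, "bo", then end of
# line or ":" plus options. Trailing whitespace (including a CR from a
# Windows-edited file) is tolerated. "#preprocessor bo" does not match, and
# neither does a longer name that merely starts with "bo".
BO_RE='^([[:space:]]*)preprocessor[[:space:]]+bo[[:space:]]*(:.*)?$'

# Exit 0 when the version is in the range the advisory states:
# v2.4.0 and higher, corrected in v2.4.3.
version_affected() {
    case $1 in
        2.4.0|2.4.1|2.4.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: print how many active "preprocessor bo" lines the file contains.
bo_active_count() {
    grep -cE "$BO_RE" "$1" || true    # grep -c exits 1 when the count is 0
}

# Steps 2-3: comment out every active line and save the file.
# A backup is kept next to the original; the file is only replaced
# after the rewritten copy has been checked to contain no active line.
disable_bo() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    if [ "$(bo_active_count "$conf")" -eq 0 ]; then
        return 0                      # already mitigated, file left untouched
    fi
    cp -p "$conf" "$conf.pre-bo-mitigation" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if sed -E "s/$BO_RE/#&/" "$conf" > "$tmp" &&
       [ "$(bo_active_count "$tmp")" -eq 0 ]; then
        # cat into the original keeps its owner and permissions
        cat "$tmp" > "$conf" && rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on a constructed snort.conf (not a real sensor configuration).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'preprocessor stream4_reassemble' \
        '  preprocessor bo' \
        '#preprocessor bo' \
        'preprocessor bogus_example' > "$d/snort.conf"
    echo "active before: $(bo_active_count "$d/snort.conf")"
    disable_bo "$d/snort.conf"
    echo "active after:  $(bo_active_count "$d/snort.conf")"
    rm -rf "$d"
}
demo
```
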
-----Original Message-----
From: snort-us...@lists.sourceforge.net
[mailto:snort-us...@lists.sourceforge.net] On Behalf Of Jennifer
Steffens
Sent: Tuesday, October 18, 2005 5:31 PM
To: Sam Evans
Cc: snort-users @ lists. sourceforge. net
Subject: Re: [Snort-users] Fixes and Mitigation Instructions Available
for Snort Back Orifice Vulnerability
Sam,
Can you try refreshing the page? The 2.4.3 version is there for me. The
actual link is http://www.snort.org/dl/current/snort-2.4.3.tar.gz.
Thanks,
Jennifer
Sam Evans wrote:
> Jennifer,
>
> I might be missing something, but when I click the
> http://www.snort.org/dl/ link all I see is the 2.4.2 version, not the 2.4.3.
>
> Thanks,
> Sam
Thanks, like I said, I think the problem was on my end (and it was).
On 10/18/05, Ron Jenkins <rjen...@dibr.net> wrote:
>
> I see it too.