Security

News and Editorials

Free Intrusion Detection Software. Snort developer Martin Roesch sent us a note on the snort 1.7 release, bringing it to our attention because, with the new release, he felt snort now had a feature set competitive with commercial Intrusion Detection Systems (IDS). His note inspired us to go out and take a look at snort, its commercial IDS competitors, and other free software IDS systems. The commercial IDS systems we examined included products from Symantec, Cisco and ISS, just to get an overview of the common features included in these systems. Then we went back to snort, checking out its features, both old and new. With the addition of dynamic rules, a Statistical Anomaly Detection preprocessor, Oracle database support (MySQL and PostgreSQL have been supported for some time) and more, we had to agree that snort is now comparable to its commercial competitors.

What about free software competitors? We took a long walk through various software databases (Freshmeat, Appwatch, etc.) looking for free software intrusion detection systems other than snort. We found that the term "intrusion detection system" has many meanings. One common interpretation is monitoring data integrity: the detection of modifications to files on a system, an approach pioneered by Tripwire. There are a lot of projects in that arena; samhain, AIDE, claymore and Toby IDS, to name a few. Then there was a scattering of others, such as LIDS, the Linux Intrusion Detection System. LIDS is actually a patch to the Linux kernel which brings Mandatory Access Control to Linux, allowing fine-grained control of file permissions (e.g., even root can't modify or delete files without the proper permissions), process permissions and more. LIDS 1.0.4 was announced this week, providing support for the just-released Linux 2.4.0 kernel. Various other projects termed "intrusion detection systems" provide monitoring of login behaviors, syslog replacements and other functionalities.
So what definition of intrusion detection fits snort? From our reading of its web page (and those of the similar commercial products we mentioned), snort is intended to detect network-based security attacks. Given this definition, it does not have many free software competitors. Worthy of note, however, is FreeVeracity. FreeVeracity claims to provide both data integrity (like Tripwire) and network intrusion detection. It is actually a version of the commercial product Veracity, from Rocksoft, released under the Free World License, a controversial topic in and of itself. Its intent is to provide a method whereby commercial companies can provide source code for their software freely to Linux and BSD users, yet restrict its use (and their licensing revenue) on commercial operating systems. Since it restricts the systems on which the covered software can be used, the FWL is not a free software license. So, take a look at your personal ideology. For the purists, snort is available and now more full-featured than ever. If you agree with the intent of the Free World License (to promote free operating systems over commercial ones) and can live with its use of a point-and-click contract, you may also want to check out FreeVeracity. If neither yet meets your needs, then you'll need to continue using a commercial product, at least for now.

Security Reports

ReiserFS long-file-name vulnerability. Extremely long directory names under ReiserFS have been reported to cause the Linux kernel to crash. This bug is also potentially exploitable to gain local root access, though that has not yet been confirmed. In fact, the vulnerability itself has proven very difficult to reproduce. Nonetheless, both ReiserFS and VFS are getting an audit for this and possibly other buffer overrun problems. Patches to temporarily disable long directory names (just in case) have been made available.
Check our coverage of this problem in this week's kernel page for more details and expect an update on the problem next week.

Immunix reports tmp file race problems in twelve packages. Immunix sent out an advisory covering potential temporary file race conditions in twelve different packages, which they uncovered as a result of a new warning message from glibc whenever mktemp(), tempname(), etc., is used. Affected packages include:
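The pattern that glibc's new warning flags, next to the mkstemp() replacement, as an added example that is not code from the LWN page or from the Immunix advisory; linking it reproduces the glibc "mktemp is dangerous" link-time warning, and the /tmp template path is a constructed value.

```c
/* Added example, not code from the LWN page or the Immunix advisory: the
   mktemp() pattern that the glibc link-time warning flags, next to the
   mkstemp() replacement, plus the check an auditor applies to the result. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Race-prone pattern: mktemp() only picks a name. Between choosing the name
   and fopen() creating the file, the path does not yet exist, so the file
   fopen() ends up opening is not guaranteed to be one this process created,
   and "w" creates it with the process umask rather than a private mode. */
int create_temp_unsafe(char *template_buf) {
    if (mktemp(template_buf) == NULL || template_buf[0] == '\0')
        return -1;
    FILE *fp = fopen(template_buf, "w");
    if (fp == NULL) return -1;
    fclose(fp);
    return 0;
}

/* Fixed pattern: mkstemp() creates the file itself with O_CREAT|O_EXCL and
   mode 0600 and returns an open descriptor, so there is no window between
   name selection and creation, and later I/O goes through the descriptor. */
int create_temp_safe(char *template_buf) {
    return mkstemp(template_buf);   /* -1 on failure, errno set */
}

/* Audit check for any descriptor a program treats as its private temp file:
   regular file, mode 0600, exactly one hard link. */
int is_private_regular_file(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600 && st.st_nlink == 1;
}

/* Creates a temp file the safe way, verifies it, cleans up; returns 1 on
   success. The template path below is a constructed example value. */
int demo_safe_tempfile(void) {
    char path[] = "/tmp/lwn-tmpfile-XXXXXX";
    int fd = create_temp_safe(path);
    if (fd < 0) return 0;
    int ok = is_private_regular_file(fd);
    close(fd);
    unlink(path);
    return ok;
}
```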
This week's updates:

IBM HTTP Server denial-of-service vulnerability. A denial-of-service vulnerability has been reported in the IBM HTTP Server, which is based on Apache. In turn, IBM's WebSphere product is based on the IBM HTTP Server and is reported to also be vulnerable. The problem lies in the AFPA cache used in the IBM HTTP Server. Disabling the AFPA cache is one work-around for the problem. Since Apache does not use the AFPA cache, it should not be affected. Check BugTraq ID 2175 for more details.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

Secure Locate buffer overflow. Check the November 30th, 2000 LWN Security Summary for the original report of this problem. This week's updates: Previous updates:
xchat URL handler bug. Originally reported in the August 24th, 2000 LWN Security Summary. Versions of xchat from 1.3.9 through and including 1.4.2 can allow commands to be passed from IRC to a shell. Check BugTraq ID 1601 for more details. This week's updates: Older updates:
perl/mailx. Check the August 10th, 2000 LWN Security Summary for details. This week's updates: Previous updates:
Red Hat umb-scheme permissions problem. Red Hat reported a file permissions problem with umb-scheme, believed to be Red Hat specific, in the August 10th, 2000 LWN Security Summary. This week's updates: Previous updates:
man/makewhatis vulnerability. A /tmp file vulnerability was reported in makewhatis versions 1.5e and higher. Check the July 6th LWN Security Summary for the original report. This week's updates: Previous updates:
GNU emacs inadequate PTY permissions vulnerability. Check the June 22nd, 2000 LWN Security Summary for the initial report of this problem, affecting GNU emacs 20.6 and earlier. GNU emacs 20.7 contains a fix for the problem. xemacs was not affected. This week's updates: Previous updates:
wu-ftp vulnerability. Check the June 15th, 2000 LWN Security Summary for the original report of this problem. An upgrade to wu-ftpd 2.6.1 should fix the problem. This week's updates: Previous updates:
openldap tmplink vulnerability. A tmplink vulnerability was reported in openldap the week of April 27th, 2000. Check Red Hat Bugzilla ID 10714 for more details. This week's updates: Previous updates:
piranha. Issues with the piranha packages were covered in the main editorial of the April 27th LWN Security Summary. This week's updates: Previous updates:
ircii buffer overflow. On March 10th, a remotely exploitable buffer overflow was reported in ircii, an IRC client, affecting all versions prior to 4.4M. Check the April 6th LWN Security Summary for our first report of this problem, or BugTraq ID 1046 for more details. This week's updates: Previous updates:
gpm improper permissions handling. Improper permissions handling in gpm, the virtual console cut-and-paste utility and mouse server, was discussed in the March 30th LWN Security Summary. This week's updates: Previous updates:
Resources

Analysis of Auditable Port Scanning Techniques. Guido Bakker posted his whitepaper examining port scan methods, in particular an analysis of auditable techniques.

Events

Summercon 2001. The announcement for this year's Summercon 2001 event has been released. Summercon 2001 will be held June 1-3, 2001, in Amsterdam, the Netherlands. This is the first year that Summercon will be held outside of the United States. In addition, a small fee for entrance will be charged and the press will be allowed to attend. Summercon is one of the oldest living security/hacker conferences, with origins tied to the early years of Phrack Magazine.

Upcoming security events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
January 11, 2001