While doing my daily security reading, I came across news of a Snort 2.20 DoS exploit posted at SANS ISC. According to the daily handler, K-OTik notified them of an exploit for Snort 2.2 and earlier. According to the handler, “It will core dump a running Snort process with a specially crafted packet. The recommended fix is to upgrade to Snort 2.3 RC1 or better which various handlers have reported is stable. This particular exploit works with Linux-based distributions, but not BSD-based. (We tried RHEL3, Debian, and OpenBSD).” When I chatted with Marty Roesch over IRC, he stated that the exploit only works when Snort is run in sniffer mode. Specifically, it’s a bug in log.c and will only happen when “you touch the p->tcp_options array directly and nothing in snort outside the protocol printers does”.
Reading a recent thread on the pen-test mailing list about password auditing led me to Lepton’s Crack, or LCrack for short, which is a free GPL password cracking engine and development workbench. Of course, the old standbys of JtR, rainbow tables (which I wrote about before) and the Windows-based Cain & Abel and L0phtCrack ($$$) were mentioned. But I had never heard of LCrack. Browsing the LCrack website, I came across a link to An experiment with Lepton’s Crack. After reading that article, I’d say the advantage or unique feature of LCrack over software like Cain & Abel or JtR is its advanced regex support, which would be useful for auditing passwords with known conventions or when a partial password is known.
Tim Hunkin writes a good article called Illegal Engineering about cracking safes. It’s an interesting read and easy to see the parallels between safebreaking and computer security. He mentions Richard Feynman in the article, whose book “Surely You’re Joking, Mr. Feynman!: Adventures of a Curious Character” I recently purchased and am reading.
Sguil 0.5.3 was released today. The major additions include the ability to import and query Nessus reports, text search within Transcripts, and of course bugfixes.
Pigris is a Snort alert analyzer, written by Andreas Östling (of Oinkmaster fame), that is not quite ready for release yet but has screenshots up. I particularly like a few of the features he’s added, such as the Sensor Status page showing the first and last alerts from each sensor and the Attack Web. There are some useful dirty hacks in Pigris, such as using Ethereal’s text2pcap to generate pseudo-packets from the payloads in the database for display with Ethereal (Ethereal has the best protocol decoders in my opinion) and having the ability to scan the payload of one or several alerts with Clam antivirus. Andreas told me he is not going to release Pigris anytime soon as there is still lots to do.
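The pseudo-packet trick is worth seeing in code. The block below is an added example, not Pigris or Ethereal code: instead of shelling out to text2pcap it wraps a hex-encoded payload (a constructed sample, not a real alert record) in fabricated Ethernet/IPv4/TCP headers with valid checksums and serialises a libpcap file that Ethereal can open. The addresses, ports and MAC values are placeholders, since the database payload carries none of that context.

```python
import socket
import struct

# Constructed sample: a hex-encoded TCP payload as an alert database might
# store it (a plain HTTP request line). Not taken from any real Snort alert.
SAMPLE_HEX = "474554202f20485454502f312e300d0a0d0a"

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd tail is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, socket.IPPROTO_TCP, tcp_len)

def build_pseudo_packet(payload: bytes, src="10.0.0.1", dst="10.0.0.2",
                        sport=40000, dport=80) -> bytes:
    """Wrap a bare payload in fabricated Ethernet/IPv4/TCP headers (PSH|ACK)
    with correct checksums, so a decoder treats it as an ordinary segment."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0,
                               0x4000, 64, socket.IPPROTO_TCP, 0,
                               socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", _checksum(bytes(ip)))  # IPv4 header checksum
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4,
                                0x18, 65535, 0, 0))
    tcp[16:18] = struct.pack("!H", _checksum(
        _pseudo_header(src, dst, 20 + len(payload)) + bytes(tcp) + payload))
    eth = bytes.fromhex("020000000000" "020000000001" "0800")  # placeholder MACs
    return eth + bytes(ip) + bytes(tcp) + payload

def checksums_valid(pkt: bytes) -> bool:
    """Recompute both checksums of a packet from build_pseudo_packet()."""
    ip, tcp_and_data = pkt[14:34], pkt[34:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp_ok = _checksum(_pseudo_header(src, dst, len(tcp_and_data)) + tcp_and_data) == 0
    return _checksum(ip) == 0 and tcp_ok

def pcap_bytes(packets) -> bytes:
    """Serialise packets as a classic libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)
```

Writing `pcap_bytes([build_pseudo_packet(bytes.fromhex(SAMPLE_HEX))])` to a file gives a one-packet capture whose payload the protocol decoders will dissect as HTTP; the `checksums_valid` helper is there so a tampered or truncated payload is caught before it is handed to a viewer.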