Intrusion detection team denies Trojan claim

The Snort intrusion detection system does not have a back door for intruders, says the program's author
Written by Patrick Gray, Contributor

The author of Snort, an open-source Intrusion Detection System (IDS), Martin Roesch, has dismissed as untrue claims the software was 'trojaned' by attackers.

Roesch, who is also the chief technology officer of US-based IDS company Sourcefire, moved quickly to quell rumours in the security community that a hacking group had managed to insert back-door code into the Snort source-code repository.

"There is no back door in Snort nor has there ever been, everyone can relax," Roesch wrote in a posting to the full disclosure security mailing list.

Attackers had breached one of Roesch's systems, he admits, but that was a low-security shell server -- used by members of the Snort team and their associates to access services such as IRC without exposing their own machines to risk -- located in his basement, 37km away from the Snort code repository.

"If you're wondering 'how do you know the code isn't backdoored?', since we know that that server is an 'at risk' server, we're not in the habit of checking code into [the Snort code repository] from there. If that's not good enough for you, Snort has been through three code audits since March -- one Sourcefire internal, two third-party external -- and there are most definitively no back doors in the code, nor were there any," Roesch added.

Trojans have been found in several open-source projects over the last year, including those found in Sendmail and OpenSSH. Malicious code was also found in the libpcap and tcpdump libraries -- software which is required by the Snort IDS to operate.

Australian security consultant Daniel Lewkovitz says that the mere fact that a rumour like this could turn out to be true, even though it looks unlikely in this case, means the issue at least warrants discussion. "A lot of threats haven't changed that much, but what has changed is normal people's awareness and attitudes to it. I think anything that makes people more aware of relevant issues and relevant threats a good thing," he told ZDNet Australia. 

There's nothing necessarily wrong with listening to a rumour so you can check it out for yourself, Lewkovitz says, as long as the source of the rumour is at least somewhat credible. "If there was a threat I'd want to know about it," he said. "If it came from a reliable source I'd be much more likely to give it credence than the paranoid rants of tin-foil-hat-wearing conspiracy theorists."

Editorial standards