Full Disclosure mailing list archives
Re: blocking SkyPE?
From: Alain Fauconnet <alain () ait ac th>
Date: Tue, 25 Jan 2005 19:04:29 +0700
Bryan,

Thanks for your input.

On Tue, Jan 25, 2005 at 12:04:45AM -0800, lists-security () nettracers com wrote:
> Full-Disclosure aspect: knowing the capabilities and limitations of the various firewalls employed. How policies can be violated without detection. Vendors and open-source community need to push to solve these real world problems... but the real question is: can they detect SkyPE specifically?
>
> This is from a Fortigate with factory release NIDS, AV and IPS databases - nothing custom - (someone with a Checkpoint and others may pipe in here with their capabilities):
>
> On Status page: Recent Intrusion Detections
>
> Time                 Src/Dst                   Service  Attack Name
> 2005-01-24 22:35:16  10.0.0.12  206.14.209.40  http     skype Skype
>
> In Alert Log:
>
> 2005-01-24 22:35:16 log_id=1421051110 type=ips subtype=signature pri=alert vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743 dst_port=80 src_int=port1 dst_int=port2 status=detected proto=6 service=http msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
I think that this may trigger on the regular HTTP request that SkyPE does at startup (and only then). This checks the SkyPE web site for updates. This is also what the available Snort signatures trigger on, simply because it's the only kind of traffic that has a recognizable signature. How many hits do you have for a given client IP on this rule? If it's really triggering on VoIP traffic, you should get many per second.
> I am not blocking skype traffic or the kazaa traffic that is detected, but use this info to quantify the use of the network and to throttle bandwidth if needed to maintain QOS for business-critical functions.
If that's just the version check traffic (and my gut feeling is that it is, considering the data you've shown), this is *not* the kind of SkyPE traffic you'd want to classify, and your QoS probably doesn't do what you think it does (unless it shapes all traffic to/from that client's IP)... What do you think?

[rest deleted - amen to all of this... including the pathetic "security advice" of the SkyPE folks]

Greets,
_Alain_

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
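The check Alain suggests above (count hits per client IP on the skype signature; one hit per client points at the startup version check, many per second would point at call traffic) can be scripted over the Fortigate alert format quoted in the thread. This is an added example written for this archive page, not code from either poster; the sample alert lines are constructed, the kazaa attack_id is a placeholder, and the 2-hits-per-second threshold is an assumed cut-off, not a Fortinet value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in the Fortigate key=value format quoted in the thread.
# Hosts, times, ports and the number of hits are made up; the kazaa attack_id is a
# placeholder, not a real Fortinet id.
SAMPLE_ALERTS = """\
2005-01-24 22:35:16 type=ips attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743 dst_port=80 service=http msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
2005-01-24 22:35:16 type=ips attack_id=109051909 src=10.0.0.77 dst=206.14.209.40 src_port=4011 dst_port=80 service=http msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
2005-01-24 22:35:16 type=ips attack_id=109051909 src=10.0.0.77 dst=206.14.209.40 src_port=4012 dst_port=80 service=http msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
2005-01-24 22:35:17 type=ips attack_id=109051909 src=10.0.0.77 dst=206.14.209.40 src_port=4013 dst_port=80 service=http msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
2005-01-24 22:35:17 type=ips attack_id=109051909 src=10.0.0.77 dst=206.14.209.40 src_port=4014 dst_port=80 service=http msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
2005-01-24 22:35:17 type=ips attack_id=PLACEHOLDER src=10.0.0.12 dst=198.51.100.5 src_port=3900 dst_port=1214 service=kazaa msg="p2p: kazaa"
"""

# key=value pairs; the value is either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_alert(line):
    """Split one alert line into its timestamp and key=value fields (quotes stripped)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[19:])}
    fields["ts"] = ts
    return fields

def hits_per_source(log_text, attack_id="109051909"):
    """Collect alert timestamps per client IP for one signature id only."""
    hits = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        alert = parse_alert(line)
        if alert.get("attack_id") == attack_id:
            hits[alert["src"]].append(alert["ts"])
    return dict(hits)

def classify(timestamps, sustained_per_sec=2.0):
    """Heuristic from the thread: the startup version check fires once per client;
    call traffic, if the signature matched it, would fire many times per second."""
    if len(timestamps) < 2:
        return "version-check"
    span = (max(timestamps) - min(timestamps)).total_seconds()
    rate = len(timestamps) / max(span, 1.0)   # avoid dividing by a zero-second span
    return "sustained" if rate >= sustained_per_sec else "version-check"

def summarize(log_text, attack_id="109051909"):
    """Map each client IP to (hit count, classification) for the given signature."""
    return {src: (len(ts), classify(ts))
            for src, ts in hits_per_source(log_text, attack_id).items()}

if __name__ == "__main__":
    for src, (n, label) in sorted(summarize(SAMPLE_ALERTS).items()):
        print(f"{src}: {n} hit(s) -> {label}")
```

A client that shows up with a single hit is consistent with the update check; shaping on that alert alone, as the reply points out, would leave the actual call traffic untouched.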