Snort mailing list archives
Re: Detecting Skype traffic (reliably)
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 26 Oct 2006 12:24:14 +1300
Andrew Hay wrote:
> Has anyone, in practice...not in theory, been able to create and validate a snort signature that is able to classify Skype traffic? I've been researching for days and am having a hard time. I know that TippingPoint has a way of classifying (and blocking) Skype traffic but from what I hear they don't appear to be sharing the 'secret sauce'. Any input would be greatly appreciated.
If you want to reliably block it, and run on a proxy-based network, then it's relatively easy.

Skype relies on its users to be available for P2P to work - which means it can't rely on there being DNS entries for every Skype user IP. If it finds it can't connect directly to anything, it does Registry lookups/etc to detect proxy servers, and uses them to gateway to other Skype users via the proxy CONNECT method. And there's the noose - they are of the form "CONNECT IP.ADD.RESS:443". Since when do "real" HTTPS Web servers use raw IP addresses? :-)

So in the Squid proxy, you can configure it to deny access to any CONNECT-based session if IP addresses are used instead of DNS names. It will break Skype, and shouldn't break very much else (covering a** with that comment ;-)

Game over for Skype.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
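An added example, not part of the original post: before enabling a deny rule like the one described above, an audit of the proxy log shows which clients already issue CONNECT requests to raw IP addresses on port 443, and so what the rule would break. It assumes Squid's native access.log field order, goes slightly beyond the post by also recognising bracketed IPv6 literals, and runs on constructed sample lines.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log layout (not real traffic).
SAMPLE_LOG = """\
1161818654.101   5021 10.1.2.3 TCP_MISS/200 4532 CONNECT 203.0.113.45:443 - DIRECT/203.0.113.45 -
1161818655.332    812 10.1.2.3 TCP_MISS/200 9120 CONNECT www.example.com:443 - DIRECT/198.51.100.7 -
1161818656.870    143 10.1.2.9 TCP_MISS/200 2210 GET http://192.0.2.10/index.html - DIRECT/192.0.2.10 text/html
1161818657.015   6002 10.1.2.9 TCP_MISS/200 1875 CONNECT [2001:db8::15]:443 - DIRECT/2001:db8::15 -
1161818658.440     90 10.1.2.3 TCP_MISS/200  731 CONNECT 198.51.100.23:443 - DIRECT/198.51.100.23 -
truncated line
"""

def connect_target(line):
    """Return (client, host, port) for a CONNECT request, else None."""
    fields = line.split()
    # Assumed field order: time elapsed client action/code bytes method URL ...
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    host, sep, port = fields[6].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return fields[2], host, int(port)

def is_ip_literal(host):
    """True for IPv4 dotted quads and bracketed IPv6 literals, False for DNS names."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def audit(log_text, port=443):
    """Count CONNECT requests to raw IP addresses on `port`, per (client, host)."""
    hits = Counter()
    for line in log_text.splitlines():
        target = connect_target(line)
        if target and target[2] == port and is_ip_literal(target[1]):
            hits[(target[0], target[1])] += 1
    return hits

if __name__ == "__main__":
    for (client, host), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{client} -> {host}:443  x{n}")
```

Destinations that turn up here and are not Skype peers are the "very much else" the post hedges about, and would need an allow entry ahead of the deny.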
Current thread:
- Detecting Skype traffic (reliably) Andrew Hay (Oct 24)
- Re: Detecting Skype traffic (reliably) Paul Halliday (Oct 24)
- Re: Detecting Skype traffic (reliably) Jason Haar (Oct 25)
- Re: Detecting Skype traffic (reliably) Nigel Houghton (Oct 25)
- <Possible follow-ups>
- Re: Detecting Skype traffic (reliably) Michael Scheidell (Oct 24)
- Re: Detecting Skype traffic (reliably) Humes, David G. (Oct 25)
- Re: Detecting Skype traffic (reliably) baginski (Oct 25)
- Re: Detecting Skype traffic (reliably) Nicolas Saurbier (Oct 26)