Snort mailing list archives
FW: snort 2.9.8.3 not detecting skype
From: Al Al <alcol () hotmail com>
Date: Wed, 11 Jul 2012 17:35:26 +0000
Hu Jason, I well know as me too is a security manager and a security Incident manager of one of first 3 main international companies spread in all the world I simply ask why a previous version of snort is able to do something and not the new version see that old linux box is still well able to detect all skype session but not new snort! so where is the problem? ... skype? rule? or ...... inside snort ? or its new conf in such new flag where it could have a change respect previous release? see that in the while I done other linux boxes and all working fine against skype and p2p but not last snort. so, I really thing that skype is described and labeled with too much rewards to be able to hide itself when it is not treu old snort is so good to detect it ... ;) I need the trivial conf for new release ! .............. I would avoid to perform some CISCO ASA Inspect rules when snort 2.8 was so nice :D thank for your comment Date: Wed, 11 Jul 2012 14:14:17 +1200 From: Jason Haar <Jason_Haar () trimble com> Subject: Re: [Snort-users] RE : Re: RE : snort 2.9.2.3 not detecting skype To: snort-users () lists sourceforge net Message-ID: <4FFCE179.1090507 () trimble com> Content-Type: text/plain; charset=ISO-8859-1 On 11/07/12 11:36, Paul Halliday wrote:
So, taking into consideration the general gist of that research, are those rules a good start or are they potentially misleading? When it comes to declarations like 'skype agent detected' can we make that declaration if there are other conditions that an analyst might not be aware of or do we just assume the rule to be that literal?
You should assume no rule is 100% reliable. some are 50%, some are 99.99% - but not 100% Yes, tonnes of rules "misfire" - or don't fire at all. That is the cold reality of Intrusion Detection ...and you chose the worst-case. Skype is *designed* to work its way around all forms of network protection there are - it doesn't want you (representing a corporation who may not want their employees to be running such things) to know it's there. Eventually all malware will have the same characteristics <shudder>.
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- hi, to understand Al Al (Jul 09)
- snort 2.9.8.3 not detecting skype Al Al (Jul 10)
- FW: snort 2.9.8.3 not detecting skype Al Al (Jul 11)
- Re: FW: snort 2.9.8.3 not detecting skype kay (Jul 11)
- FW: snort 2.9.8.3 not detecting skype Al Al (Jul 11)
- snort 2.9.8.3 not detecting skype Al Al (Jul 10)