Snort mailing list archives
Re: RE : Re: RE : snort 2.9.2.3 not detecting skype
From: Paul Halliday <paul.halliday () gmail com>
Date: Tue, 10 Jul 2012 20:36:13 -0300
On Tue, Jul 10, 2012 at 7:47 PM, rmkml () yahoo fr <rmkml () yahoo fr> wrote:
Hi Paul, It's very good start but maybe Skype switch to https/proxy_connect ... http://www.secdev.org/conf/skype_BHEU06.handout.pdf Regards Rmkml
Wow, that document could use some training wheels :) So, taking into consideration the general gist of that research, are those rules a good start or are they potentially misleading? When it comes to declarations like 'skype agent detected' can we make that declaration if there are other conditions that an analyst might not be aware of or do we just assume the rule to be that literal? Should the conditions be worded in the rule? say like 'skype agent detected (but note: someone could be using skype w/o this firing)'? I am actually curious what peoples thoughts are here because there are a few rules that I do use to quantify particular activities (observation only) and it looks like I may need to change my strategy a bit. Thanks.
-------- Original message -------- Subject: Re: [Snort-users] RE : snort 2.9.2.3 not detecting skype From: Paul Halliday To: rmkml () yahoo fr CC: snort-users () lists sourceforge net On Tue, Jul 10, 2012 at 7:04 PM, rmkml () yahoo fr <rmkml () yahoo fr> wrote:Hi, Skype are protocol not easy detected.Are these rules defunct: ET POLICY Skype User-Agent detected 2002157 ET POLICY Skype VOIP Checking Version (Startup) 2001595 I use them with Snort to detect skype. Is there a usage scenario that I am not detecting? Thanks. -- Paul Halliday http://www.pintumbler.org/
-- Paul Halliday http://www.pintumbler.org/ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- RE : Re: RE : snort 2.9.2.3 not detecting skype rmkml () yahoo fr (Jul 10)
- Re: RE : Re: RE : snort 2.9.2.3 not detecting skype Paul Halliday (Jul 10)
- Re: RE : Re: RE : snort 2.9.2.3 not detecting skype Jason Haar (Jul 10)
- Re: RE : Re: RE : snort 2.9.2.3 not detecting skype Paul Halliday (Jul 10)