Re: RE : Re: RE : snort 2.9.2.3 not detecting skype

[Jason Haar <Jason_Haar () trimble com>]

On 11/07/12 11:36, Paul Halliday wrote:
> So, taking into consideration the general gist of that research, are
> those rules a good start or are they potentially misleading? When it
> comes to declarations like 'skype agent detected' can we make that
> declaration if there are other conditions that an analyst might not be
> aware of or do we just assume the rule to be that literal?

You should assume no rule is 100% reliable. some are 50%, some are
99.99%  - but not 100%

Yes, tonnes of rules "misfire" - or don't fire at all. That is the cold
reality of Intrusion Detection


...and you chose the worst-case. Skype is *designed* to work its way
around all forms of network protection there are - it doesn't want you
(representing a corporation who may not want their employees to be
running such things) to know it's there. Eventually all malware will
have the same characteristics <shudder>.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!