Re: FW: snort 2.9.8.3 not detecting skype

[kay <kay.diam () gmail com>]

Did you try to run snort in different packet capture modes? afpacket, nfq, etc?

2012/7/11 Al Al <alcol () hotmail com>:
> Hu Jason, I well know as me too is a security manager and a security
> Incident manager
> of one of first 3 main international companies spread in all the world
>
> I simply ask why a previous version of snort is able to do something and not
> the new version
>
> see that old linux box is still well able to detect all skype session but
> not new snort!
>
> so where is the problem? ... skype? rule? or ...... inside snort ? or its
> new conf in such new flag where it could have a change
> respect previous release?
>
> see that in the while I done other linux boxes and all working fine against
> skype and p2p but not last snort.
>
> so, I really thing that skype is described and labeled with too much rewards
> to be able to hide itself when it is not treu
>
> old snort is so good to detect it ... ;)
>
> I need the trivial conf for new release !
>
> .............. I would avoid to perform some CISCO ASA Inspect rules when
> snort 2.8 was so nice :D
>
> thank for your comment
>
>
>
>
> Date: Wed, 11 Jul 2012 14:14:17 +1200
> From: Jason Haar <Jason_Haar () trimble com>
> Subject: Re: [Snort-users] RE : Re:  RE : snort 2.9.2.3 not detecting
>       skype
> To: snort-users () lists sourceforge net
> Message-ID: <4FFCE179.1090507 () trimble com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 11/07/12 11:36, Paul Halliday wrote:
> > So, taking into consideration the general gist of that research, are
> > those rules a good start or are they potentially misleading? When it
> > comes to declarations like 'skype agent detected' can we make that
> > declaration if there are other conditions that an analyst might not be
> > aware of or do we just assume the rule to be that literal?
>
> You should assume no rule is 100% reliable. some are 50%, some are
> 99.99%  - but not 100%
>
> Yes, tonnes of rules "misfire" - or don't fire at all. That is the cold
> reality of Intrusion Detection
>
>
> ...and you chose the worst-case. Skype is *designed* to work its way
> around all forms of network protection there are - it doesn't want you
> (representing a corporation who may not want their employees to be
> running such things) to know it's there. Eventually all malware will
> have the same characteristics <shudder>.
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!