Re: Skype & IPS vendor claims

[Matt Jonkman <mjonkman () infotex com>]

I would agree, the protocol is very difficult to detect. I haven't done
any work on it, but I don't expect it would be very effective.

We DO have some sigs at bleeding snort. I have not tested recent
versions of the client. If anyone could and let us know I'd appreciate
it. We are just watching for the Skype User-Agent in http requests, and
the install and version check http requests. I would assume these have
changed in the latest release.

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Skype?view=markup

If you happen to be installing skype, send us a pcap of what it does and
we can update these sigs.

But no, we do not have sigs to detect skype in use, other than the
above. I'm not aware of any others.

What these vendors may be doing it trying to block access to centralized
login or directory servers by known IP ranges... I don't know if that'll
be completely effective.

Matt


Vladimir Parkhaev wrote:
> Greetings,
>
> Many IPS vendors are claiming that their devices can block Skype. 
> Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol" 
> (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf),
> paper I fail to see how those claims can be true. 
>
>
> Has anyone looked into blocking Skype?
>
>
> Thanks.

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------