IDS mailing list archives
RE: Skype & IPS vendor claims
From: "William Bell" <williamb () cwie net>
Date: Wed, 17 May 2006 17:04:36 -0700
These sigs were triggered, from installation all the way through the test call that Skype provides. The user-agent detections are triggered when opening the client and closing the client, it calls back to a home server. As far as I can tell this server is semi-random, probably goes to some round-robin DNS. Bleeding-snort will take a look at the capture from this session and see if we can improve the signatures at all.

May 17 13:48:58 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY Skype User-Agent detected [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2450 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2001595:6] BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup) [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY Skype User-Agent detected [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80

William B.
CWIE Security
williamb () cwie net
CWIE LLC
------------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
Vladimir Parkhaev <vladimir () arobas net> >>>
Quoting Matt Jonkman (mjonkman () infotex com):
What these vendors may be doing is trying to block access to centralized login or directory servers by known IP ranges... I don't know if that'll be completely effective.
If I understand the protocol correctly, central servers are contacted only on a first run (after install). I(D|P)S systems can have sigs with IP addresses of those servers, but if user X installs Skype client on his corp. laptop at home... it doesn't help much.

--
.signature: No such file or directory

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
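The three alert lines quoted in the message above can be parsed and grouped per connection, which shows how many distinct flows sit behind the alerts and which signatures fired together on one flow. This is an added example, not part of the original post or of the Bleeding Snort rules; the function names are hypothetical and the regular expression assumes the syslog layout seen in those three lines.

```python
import re
from collections import defaultdict

# Layout assumed from the alerts in the post:
# ... snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: n]: {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

_CLS = "[Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} "
# Alert lines copied from the post (source addresses masked as posted).
SAMPLE = [
    "May 17 13:48:58 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY "
    "Skype User-Agent detected " + _CLS + "10.20.XX.XX:2450 -> 212.72.49.131:80",
    "May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2001595:6] BLEEDING-EDGE Policy "
    "Skype VOIP Checking Version (Startup) " + _CLS + "10.20.XX.XX:2466 -> 212.72.49.131:80",
    "May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY "
    "Skype User-Agent detected " + _CLS + "10.20.XX.XX:2466 -> 212.72.49.131:80",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    # Ports are optional (e.g. ICMP alerts carry none), so they may stay None.
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def alerts_by_flow(lines):
    """Map each (src, sport, dst, dport) flow to the set of SIDs that fired on it."""
    flows = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            key = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
            flows[key].add(alert["sid"])
    return dict(flows)


if __name__ == "__main__":
    for flow, sids in alerts_by_flow(SAMPLE).items():
        print(flow, sorted(sids))
```

Grouping by flow separates repeated client start-ups from one connection that matched several rules, which matters when counting policy violations per host.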