IDS mailing list archives

RE: Skype & IPS vendor claims


From: "William Bell" <williamb () cwie net>
Date: Wed, 17 May 2006 17:04:36 -0700

These sigs were triggered, from installation all the way through the test
call that Skype provides. The user-agent detections are triggered when
opening the client and closing the client; it calls back to a home server.
As far as I can tell this server is semi-random and probably goes to some
round-robin DNS. Bleeding-snort will take a look at the capture from this
session and see if we can improve the signatures at all.


May 17 13:48:58 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY
Skype User-Agent detected [Classification: Potential Corporate Privacy
Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2450 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2001595:6] BLEEDING-EDGE Policy
Skype VOIP Checking Version (Startup) [Classification: Potential Corporate
Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY
Skype User-Agent detected [Classification: Potential Corporate Privacy
Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80

William B.
CWIE Security
williamb () cwie net
CWIE LLC

------------------------------------------
If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked. 
-- former White House cybersecurity czar Richard Clarke
Vladimir Parkhaev <vladimir () arobas net> wrote:
Quoting Matt Jonkman (mjonkman () infotex com):
What these vendors may be doing is trying to block access to centralized
login or directory servers by known IP ranges... I don't know if that'll
be completely effective.


If I understand the protocol correctly, central servers are contacted only
on a first run (after install). I(D|P)S systems can have sigs with IP
addresses of those servers, but if user X installs Skype client on his corp.
laptop at home... it doesn't help much.

--
.signature: No such file or directory

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
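An added example (mine, not code from the post or from Bleeding Snort): a parser for the Snort syslog alert lines quoted above, summarising hits per SID and checking which destination hosts an IP-range block list of the kind Matt describes would miss. The sample alerts are constructed, reusing the post's two SIDs and the 212.72.49.131 server plus a made-up second server; field names are my own.

```python
import ipaddress
import re

# Snort syslog alert line as quoted in the post (one alert per line; the mail
# client wrapped the originals). Group names are my own.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts: the two SIDs and the 212.72.49.131 server from the
# post, plus 198.51.100.23 (a documentation address) standing in for the
# "semi-random" home server. Source hosts are made up.
SAMPLE_ALERTS = [
    "May 17 13:48:58 10.20.1.5 snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY "
    "Skype User-Agent detected [Classification: Potential Corporate Privacy "
    "Violation] [Priority: 1]: {TCP} 10.20.1.5:2450 -> 212.72.49.131:80",
    "May 17 13:49:37 10.20.1.5 snort[20246]: [1:2001595:6] BLEEDING-EDGE Policy "
    "Skype VOIP Checking Version (Startup) [Classification: Potential Corporate "
    "Privacy Violation] [Priority: 1]: {TCP} 10.20.1.5:2466 -> 212.72.49.131:80",
    "May 17 14:02:10 10.20.1.9 snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY "
    "Skype User-Agent detected [Classification: Potential Corporate Privacy "
    "Violation] [Priority: 1]: {TCP} 10.20.1.9:3011 -> 198.51.100.23:80",
]

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Per SID: rule message, hit count and the set of destination hosts seen."""
    out = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        e = out.setdefault(a["sid"], {"msg": a["msg"], "count": 0, "dsts": set()})
        e["count"] += 1
        e["dsts"].add(a["dst"])
    return out

def uncovered_destinations(lines, blocked_cidrs):
    """Alert destinations outside the given CIDR block list, i.e. the servers an
    IP-range block (the approach discussed in the thread) would not cover."""
    nets = [ipaddress.ip_network(c) for c in blocked_cidrs]
    seen = {a["dst"] for a in map(parse_alert, lines) if a}
    return {d for d in seen if not any(ipaddress.ip_address(d) in n for n in nets)}
```

Run `summarize(SAMPLE_ALERTS)` over a real syslog capture to see how many distinct home servers the Skype sigs hit, and `uncovered_destinations` against your block list to see how much a round-robin pool leaves uncovered.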