Snort mailing list archives

Re: Detecting Skype traffic (reliably)


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 26 Oct 2006 12:24:14 +1300

Andrew Hay wrote:
> Has anyone, in practice...not in theory, been able to create and
> validate a snort signature that is able to classify Skype traffic?
> I've been researching for days and am having a hard time.  I know that
> TippingPoint has a way of classifying (and blocking) Skype traffic but
> from what I hear they don't appear to be sharing the 'secret sauce'.
> Any input would be greatly appreciated.

If you want to reliably block it, and run on a proxy-based network, then
it's relatively easy.

Skype relies on its users to be available for P2P to work - which means
it can't rely on there being DNS entries for every Skype user IP. If it
finds it can't connect directly to anything, it does Registry
lookups/etc to detect proxy servers, and uses them to gateway to other
Skype users via the proxy CONNECT method.

And there's the noose - they are of the form "CONNECT IP.ADD.RESS:443".

Since when do "real" HTTPS Web servers use raw IP addresses? :-)

So in the Squid proxy, you can configure it to deny access to any
CONNECT-based session if IP addresses are used instead of DNS names. It
will break Skype, and shouldn't break very much else (covering a** with
that comment ;-)

Game over for Skype.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
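
A detection-side counterpart to the Squid rule described in the message above, as an added example that is not part of the original post: it scans proxy log lines for CONNECT requests whose target is an IP literal on port 443 and groups them by client. It assumes Squid's native access.log field order; the sample lines and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (not real traffic).
SAMPLE_LOG = """\
1161818654.101   5023 10.1.2.3 TCP_MISS/200 3421 CONNECT 203.0.113.45:443 - DIRECT/203.0.113.45 -
1161818655.220    812 10.1.2.9 TCP_MISS/200 9120 CONNECT mail.example.com:443 - DIRECT/198.51.100.7 -
1161818656.004   4410 10.1.2.3 TCP_MISS/200 2877 CONNECT 198.51.100.200:443 - DIRECT/198.51.100.200 -
1161818657.310     95 10.1.2.9 TCP_MISS/200 5512 GET http://192.0.2.10/index.html - DIRECT/192.0.2.10 text/html
1161818658.777   3900 10.1.2.4 TCP_MISS/200 1999 CONNECT [2001:db8::15]:443 - DIRECT/2001:db8::15 -
1161818659.050     12 10.1.2.4 TCP_DENIED/403 1450 CONNECT 999.1.1.1:443 - NONE/- text/html
"""

def split_target(target):
    """Split a CONNECT target 'host:port' or '[v6addr]:port' into (host, port)."""
    if target.startswith("["):
        host, _, rest = target[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = target.rpartition(":")
    return host, port

def is_ip_literal(host):
    """True only for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def raw_ip_connects(log_text, port="443"):
    """Return {client_ip: [destination, ...]} for CONNECTs to an IP literal on `port`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        # Assumed field order: time elapsed client code/status bytes method URL ...
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, dport = split_target(fields[6])
        if dport == port and is_ip_literal(host):
            hits[fields[2]].append(host)
    return dict(hits)

if __name__ == "__main__":
    for client, dests in sorted(raw_ip_connects(SAMPLE_LOG).items()):
        print(f"{client}: {len(dests)} CONNECT(s) to raw IPs: {', '.join(dests)}")
```

Running this over existing logs before enabling a deny rule shows which clients and destinations the rule would affect.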

