Snort mailing list archives

Previous By Date Next
Previous By Thread Next

FW: snort 2.9.8.3 not detecting skype

From: Al Al <alcol () hotmail com>
Date: Wed, 11 Jul 2012 17:35:26 +0000

Hu Jason, I well know as me too is a security manager and a security Incident manager
of one of first 3 main international companies spread in all the world

I simply ask why a previous version of snort is able to do something and not the new version

see that old linux box is still well able to detect all skype session but not new snort!

so where is the problem? ... skype? rule? or ...... inside snort ? or its new conf in such new flag where it could have 
a change
respect previous release?

see that in the while I done other linux boxes and all working fine against skype and p2p but not last snort.

so, I really thing that skype is described and labeled with too much rewards to be able to hide itself when it is not 
treu

old snort is so good to detect it ... ;)

I need the trivial conf for new release !

.............. I would avoid to perform some CISCO ASA Inspect rules when snort 2.8 was so nice :D

thank for your comment




Date: Wed, 11 Jul 2012 14:14:17 +1200
From: Jason Haar <Jason_Haar () trimble com>
Subject: Re: [Snort-users] RE : Re:  RE : snort 2.9.2.3 not detecting
        skype
To: snort-users () lists sourceforge net
Message-ID: <4FFCE179.1090507 () trimble com>
Content-Type: text/plain; charset=ISO-8859-1
 
On 11/07/12 11:36, Paul Halliday wrote:

So, taking into consideration the general gist of that research, are
those rules a good start or are they potentially misleading? When it
comes to declarations like 'skype agent detected' can we make that
declaration if there are other conditions that an analyst might not be
aware of or do we just assume the rule to be that literal?

 
You should assume no rule is 100% reliable. some are 50%, some are
99.99%  - but not 100%
 
Yes, tonnes of rules "misfire" - or don't fire at all. That is the cold
reality of Intrusion Detection
 
 
...and you chose the worst-case. Skype is *designed* to work its way
around all forms of network protection there are - it doesn't want you
(representing a corporation who may not want their employees to be
running such things) to know it's there. Eventually all malware will
have the same characteristics <shudder>.
                                                                                                                        
                                                                                  
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: