Snort mailing list archives

Skype login rules - can these be used?


From: Jim McKibben <jmckibben () riskanalytics com>
Date: Wed, 15 Feb 2017 08:29:03 -0600

There are two Skype rules that I am considering using to prevent FPs on
Edonkey/Emule rules.

What I am considering is modifying another rule written for Edonkey/Emule
and checking that the flowbit "skype.login" is not set, to know that Edonkey
IS Edonkey and not Skype.

Has anyone used these rules and what success have you had?

pua-p2p.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET any
(msg:"PUA-POLICY Skype client login"; flow:to_client,established;
flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4;
classtype:policy-violation; sid:5999; rev:7;)

pua-p2p.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET any
(msg:"PUA-POLICY Skype client login startup"; flow:to_server,established;
dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login;
classtype:policy-violation; sid:5998; rev:7;)


Sorry to re-open a comment thread that was last discussed about 10 years
ago, but this hit my radar again and I figured it was time to reach out to
the community.

-- 




Jim McKibben, Security Analyst GSEC GWAPT
Office / 913-685-6588
Mobile / 573-424-4848
jmckibben () riskanalytics com


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
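The question above turns on how Snort flowbits behave, so here is an added example (my own code, not from the original post or from the Snort project) that models the two quoted rules plus a hypothetical eDonkey rule guarded by flowbits:isnotset,skype.login. Two things it makes visible: flowbits are per-flow state, so a skype.login bit set on one TCP session never suppresses an eDonkey match on a different session; and because sid 5998 ships commented out, flowbits:isnotset,skype.login is always true unless that setter rule is enabled, so the guard does nothing on its own. The eDonkey content byte, the local sid 1000001, the IP addresses and the payloads are all constructed placeholders; the engine is a deliberately simplified model of Snort, not its real detection logic.

```python
# Added example: a minimal model of Snort flowbit semantics (not Snort code).
# Flowbits live in the flow's state, modelled here as a dict keyed by the
# 5-tuple (order-independent, so both directions share one entry).
from dataclasses import dataclass
from typing import Optional

EDONKEY_SID = 1000001   # placeholder local sid (local rules use sid >= 1000000)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool     # True for the client -> server direction of the flow
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    to_server: bool
    dsize: Optional[int] = None
    content: bytes = b""
    depth: Optional[int] = None
    flowbit_set: Optional[str] = None
    flowbit_isset: Optional[str] = None
    flowbit_isnotset: Optional[str] = None


def flow_key(p: Packet):
    # Both directions of one TCP session map to the same key.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.flowbits = {}   # flow_key -> set of flowbit names

    def process(self, p: Packet):
        bits = self.flowbits.setdefault(flow_key(p), set())
        alerts = []
        for r in self.rules:
            if r.to_server != p.to_server:
                continue
            if r.dsize is not None and len(p.payload) != r.dsize:
                continue
            if r.content:
                window = p.payload if r.depth is None else p.payload[:r.depth]
                if r.content not in window:
                    continue
            if r.flowbit_isset and r.flowbit_isset not in bits:
                continue
            if r.flowbit_isnotset and r.flowbit_isnotset in bits:
                continue
            if r.flowbit_set:
                bits.add(r.flowbit_set)
            alerts.append(r.sid)
        return alerts


# The two rules quoted in the post, reduced to the options the model supports.
SKYPE_STARTUP = Rule(5998, "PUA-POLICY Skype client login startup", True,
                     dsize=5, content=b"\x16\x03\x01\x00", depth=4,
                     flowbit_set="skype.login")
SKYPE_LOGIN = Rule(5999, "PUA-POLICY Skype client login", False,
                   dsize=5, content=b"\x17\x03\x01\x00", depth=4,
                   flowbit_isset="skype.login")
# Hypothetical eDonkey rule: placeholder content, guarded by isnotset.
EDONKEY = Rule(EDONKEY_SID, "LOCAL eDonkey-like hello (placeholder)", True,
               content=b"\xe3", depth=1, flowbit_isnotset="skype.login")


def run_scenario(startup_rule_enabled: bool):
    """Replay constructed traffic; returns the sids alerted per flow."""
    rules = [SKYPE_LOGIN, EDONKEY] + ([SKYPE_STARTUP] if startup_rule_enabled else [])
    eng = Engine(rules)
    # Constructed Skype-like session: 5-byte TLS record headers each way,
    # then a client packet that happens to match the placeholder eDonkey byte.
    skype_c2s = Packet("10.0.0.5", 40000, "203.0.113.10", 443, True, b"\x16\x03\x01\x00\x01")
    skype_s2c = Packet("203.0.113.10", 443, "10.0.0.5", 40000, False, b"\x17\x03\x01\x00\x01")
    skype_fp = Packet("10.0.0.5", 40000, "203.0.113.10", 443, True, b"\xe3PLACEHOLDER")
    # Constructed separate session carrying the placeholder eDonkey pattern.
    ed_c2s = Packet("10.0.0.7", 40001, "198.51.100.9", 4662, True, b"\xe3PLACEHOLDER")
    return {
        "skype_flow": eng.process(skype_c2s) + eng.process(skype_s2c) + eng.process(skype_fp),
        "edonkey_flow": eng.process(ed_c2s),
    }


if __name__ == "__main__":
    print("sid 5998 enabled :", run_scenario(True))
    print("sid 5998 disabled:", run_scenario(False))
```

With sid 5998 enabled, the guard suppresses the eDonkey match on the Skype session while the unrelated session still alerts; with 5998 left commented out, the Skype session alerts on the eDonkey rule as if the guard were not there. If the setter's own alert is unwanted, Snort's flowbits:noalert option on sid 5998 keeps the bit being set without generating an event.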