Snort mailing list archives
Skype login rules - can these be used?
From: Jim McKibben <jmckibben () riskanalytics com>
Date: Wed, 15 Feb 2017 08:29:03 -0600
There are two Skype rules that I am considering using to prevent FPs on Edonkey/Emule rules. What I am considering is modifying another rule written for Edonkey/Emule and checking that the flowbit "skype.login" is not set, to know that Edonkey IS Edonkey and not Skype. Has anyone used these rules, and what success have you had?

    pua-p2p.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-POLICY Skype client login"; flow:to_client,established; flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4; classtype:policy-violation; sid:5999; rev:7;)
    pua-p2p.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-POLICY Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; classtype:policy-violation; sid:5998; rev:7;)

Sorry to re-open a comment thread that was last discussed about 10 years ago, but this hit my radar again and I figured it was time to reach out to the community.

-- 
Jim McKibben
Security Analyst, GSEC GWAPT
RiskAnalytics <https://riskanalytics.com/>
Office / 913-685-6588
Mobile / 573-424-4848
jmckibben () riskanalytics com
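Added example, not from the post above and not the Snort ruleset's own text: how the flowbit gate the poster describes would look once written out, together with the two conditions that have to hold for it to do anything. Note that in the grep output quoted in the post both Skype rules carry a leading "#", i.e. they are disabled as shipped, and a flowbit that no enabled rule ever sets leaves flowbits:isnotset permanently true, so the gate is a no-op until sid 5998 is enabled. The bytes 16 03 01 and 17 03 01 are the TLS 1.0 handshake and application-data record headers; what the Skype rules actually key on is such a header arriving alone in a 5-byte segment. The eDonkey rule below is a hypothetical stand-in (0xE3 eDonkey protocol marker, local-range sid) for whichever pua-p2p.rules entry would be modified; only the added flowbits:isnotset option is the point.

```snort
# Added example: re-enabled Skype state rules plus a flowbit-gated eDonkey rule.

# 1. Set the bit on the first 5-byte client TLS record. flowbits:noalert makes
#    this rule track state only, so enabling it does not by itself produce a
#    Skype alert (rev bumped because the rule body changed).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-POLICY Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; flowbits:noalert; classtype:policy-violation; sid:5998; rev:8;)

# 2. Server-side confirmation, unchanged apart from being enabled; fires only
#    on flows where rule 1 already set skype.login.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-POLICY Skype client login"; flow:to_client,established; flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4; classtype:policy-violation; sid:5999; rev:7;)

# 3. Hypothetical stand-in for the eDonkey rule to be modified. The only
#    change relevant to the question is flowbits:isnotset,skype.login, which
#    suppresses the alert on any flow already identified as a Skype login.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL eDonkey client traffic on a non-Skype flow"; flow:to_server,established; content:"|E3|"; depth:1; flowbits:isnotset,skype.login; classtype:policy-violation; sid:1000001; rev:1;)
```

Two caveats follow directly from flowbit semantics. First, flowbits are per-flow and are only set once the matching packet has been seen, so isnotset is also true on a genuine Skype flow for every packet before the first 5-byte client record; an eDonkey rule that would already fire on those earlier packets is not protected. Second, the gate only removes FPs on flows that really do send the Skype startup record; if current Skype traffic no longer produces a bare 5-byte 16 03 01 00 segment, rule 1 never sets the bit and the gate does nothing. Checking that sid 5998 actually fires on a known Skype login (with noalert temporarily removed) is the quickest way to find out whether the bit is ever set on the network in question.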
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- Skype login rules - can these be used? Jim McKibben (Feb 15)