Re: Skype & IPS vendor claims

Calls and conversations, or just the client startup and checkins to the
server?

If you're using the user agent sigs and the like that are out there, and
you block that client from anything, then you could stop skype easily.
Which many folks do, and then go remove it.

It would be as useful to be able to identify the call streams in case
skype decides to no longer make identifiable http requests, or someone
controls the outbound traffic from their workstation and prevents these....

Matt

Greg owens wrote:
> cisco's IDS can detect and stop skype
>
> Greg Owens, CCNP CCSP CISSP
> Email:gowens@covad.net
> --------------------------
> Sent from my Samsung I730 Wireless Handheld
>
>
>
> -----Original Message-----
>    >From: "Matt Jonkman"<mjonkman@infotex.com>
>    >Sent: 5/16/06 1:04:52 PM
>    >To: "Vladimir Parkhaev"<vladimir@arobas.net>
>    >Cc: "focus-ids@lists.securityfocus.com"<focus-ids@lists.securityfocus.com>
>    >Subject: Re: Skype & IPS vendor claims
>    >
>    >I would agree, the protocol is very difficult to detect. I haven't done
>    >any work on it, but I don't expect it would be very effective.
>    >
>    >We DO have some sigs at bleeding snort. I have not tested recent
>    >versions of the client. If anyone could and let us know I'd appreciate
>    >it. We are just watching for the Skype User-Agent in http requests, and
>    >the install and version check http requests. I would assume these have
>    >changed in the latest release.
>    >
>    
> > http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Skype?view=markup
>    >
>    >If you happen to be installing skype, send us a pcap of what it does and
>    >we can update these sigs.
>    >
>    >But no, we do not have sigs to detect skype in use, other than the
>    >above. I'm not aware of any others.
>    >
>    >What these vendors may be doing it trying to block access to centralized
>    >login or directory servers by known IP ranges... I don't know if that'll
>    >be completely effective.
>    >
>    >Matt
>    >
>    >
>    >Vladimir Parkhaev wrote:
>    >> Greetings,
>    >> 
>    >> Many IPS vendors are claiming that their devices can block Skype. 
>    >> Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony 
> Protocol" 
>    >> 
> (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf),
>    >> paper I fail to see how those claims can be true. 
>    >> 
>    >> 
>    >> Has anyone looked into blocking Skype?
>    >> 
>    >> 
>    >> Thanks.
>    >> 
>    >
>    >-- 
>    >--------------------------------------------
>    >Matthew Jonkman, CISSP
>    >Senior Security Engineer
>    >Infotex
>    >765-429-0398 Direct Anytime
>    >765-448-6847 Office
>    >866-679-5177 24x7 NOC
>    >http://my.infotex.com
>    >http://www.infotex.com
>    >http://www.bleedingsnort.com
>    >--------------------------------------------
>    >
>    >
>    >
>    >------------------------------------------------------------------------
>    >Test Your IDS
>    >
>    >Is your IDS deployed correctly?
>    >Find out quickly and easily by testing it 
>    >with real-world attacks from CORE IMPACT.
>    >Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
>    >to learn more.
>    >------------------------------------------------------------------------
>    >

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------