Network Security Focus-IDS

RE: Skype & IPS vendor claims

Subject: RE: Skype & IPS vendor claims
Date: Wed, 17 May 2006 17:04:36 -0700
These sigs were triggered, from installation all the way through the test
call that Skype provides. The user-agent detections are triggered when
opening the client and closing the client; it calls back to a home server.
As far as I can tell this server is semi-random, probably goes to some
round-robin DNS. Bleeding-snort will take a look at the capture from this
session and see if we can improve the signatures at all.


May 17 13:48:58 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY Skype User-Agent detected [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2450 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2001595:6] BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup) [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY Skype User-Agent detected [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80

William B.
CWIE Security
williamb@cwie.net
CWIE LLC

------------------------------------------
If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked. 
-- former White House cybersecurity czar Richard Clarke
Vladimir Parkhaev <vladimir@arobas.net>  >>>
Quoting Matt Jonkman (mjonkman@infotex.com):
What these vendors may be doing is trying to block access to centralized
login or directory servers by known IP ranges... I don't know if that'll
be completely effective.


If I understand the protocol correctly, central servers are contacted only
on a first run (after install). I(D|P)S systems can have sigs with IP
addresses of those servers, but if user X installs Skype client on his corp.
laptop at home... it doesn't help much.

--
.signature: No such file or directory
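
Added example, not part of the original thread and not Bleeding Snort code: a small Python parser for the Snort syslog alert lines quoted in the post above. It groups signature IDs by connection and counts destination servers, which shows which flows fired both Skype signatures and how many servers were contacted. The function names are illustrative, and the regular expression assumes the syslog layout shown in the post.

```python
import re
from collections import Counter, defaultdict

# Alert lines copied from the post above, each rejoined onto one line.
ALERTS = """\
May 17 13:48:58 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY Skype User-Agent detected [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2450 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2001595:6] BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup) [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY Skype User-Agent detected [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80
"""

# Assumed layout: syslog prefix, [gid:sid:rev], message, classification,
# priority, {proto}, src:port -> dst:port. Hosts may be redacted (XX).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?):(?P<sport>\d+) -> "
    r"(?P<dst>\S+?):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Return one dict per alert line; raise on a line that does not match."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed alert line: {line!r}")
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts

def sids_by_flow(alerts):
    """Map (src, sport, dst, dport) to the sorted SIDs that fired on it."""
    flows = defaultdict(set)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"])].add(a["sid"])
    return {flow: sorted(sids) for flow, sids in flows.items()}

def destinations(alerts):
    """Count alerts per (dst, dport) to see how many servers were contacted."""
    return Counter((a["dst"], a["dport"]) for a in alerts)

if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    for flow, sids in sids_by_flow(parsed).items():
        print(flow, sids)
    print(dict(destinations(parsed)))
```

On the three quoted alerts, the connection from source port 2466 carries both SID 2001595 and SID 2002157, while the earlier connection from port 2450 carries only the User-Agent signature, and all three alerts point at a single destination.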
