Matt Jonkman wrote:
Interesting, I believe I have seen real hits on this, and haven't
personally had falses.
This session appears to be to paypal.
Strange, that sig is quite specific. Jason Haar wrote it, maybe he can
comment:
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE P2P CHAT Skype
VoIP Initialization";flow:to_server,established;
content:"|8046010301002d0000001000000500000400000a0000090000640000620000080000030000060100800700c0030080060040020080040080|";
depth:112; classtype:policy-violation; sid:2001333; rev:1;)
This rule was written by me some 6 months ago now? Since then there have
been several new releases, and I can say that I think the latest Skype
doesn't trigger this rule.
Skype traffic is AES encrypted according to their Web site - so it was a
bit surprising to me that I found a pattern back then anyway. It appears
they have "fixed" that glitch in the latter releases - I can't see any
pattern in Skype traffic these days... (random IP addresses, random
ports, encrypted packets with no public key exchange - nasty! ;-)
I'd say remove it, and instead rely on the "Skype VOIP Checking Version"
rules to catch at least some installs of it.
I expect to see more and more software moving to this "hidden" mode - it
will make signature-based IDS fairly ineffective. :-(
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------------------------------------------------
This SF.Net email is sponsored by: New Crystal Reports XI.
Version 11 adds new functionality designed to reduce time involved in
creating, integrating, and deploying reporting solutions. Free runtime info,
new features, or free trial, at: http://www.businessobjects.com/devxi/728
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
