lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050125120429.GE23798@ait.ac.th>
From: alain at ait.ac.th (Alain Fauconnet)
Subject: blocking SkyPE?

Bryan,

Thanks for your input.

On Tue, Jan 25, 2005 at 12:04:45AM -0800, lists-security@...tracers.com wrote:
> Full-Disclosure aspect: knowing the capabilities and limitations of the
> various firewalls employed.  How policies can be violated without detection.
> Vendors and open-source community need to push to solve these real world
> problems.
> 
> >...but the real question is: can they detect SkyPE specifically? 
> 
> This is from a Fortigate with factory release NIDS, AV and IPS databases -
> nothing custom - (someone with a checkpoint and others may pipe in here with
> their capabilities):
> 
> On Status page:
> Recent Intrusion Detections
> Time 	Src/Dst 	Service 	Attack Name
> 2005-01-24 22:35:16	10.0.0.12 206.14.209.40  http	skype
> 
> Skype In Alert Log:
> 2005-01-24 22:35:16 log_id=1421051110 type=ips subtype=signature pri=alert
> vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743
> dst_port=80 src_int=port1 dst_int=port2 status=detected proto=6 service=http
> msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
> 

I think that this may trigger on the regular HTTP request that SkyPE
does at start up (and only then). This checks the SkyPE web site for
updates. This is also what the available Snort signature trigger on,
simply because it's the only kind of traffic that has a recognizable
signature.
How many hits do you have for a given client IP on this rule? If it's
really triggering on VoIP traffic, you should get many per second.

> I am not blocking skype traffic or the kazaa traffic that is detected, but
> use this info to quantify the use of the network and to throttle bandwidth
> if needed to maintain QOS for business-critical functions.

If that's just the version check traffic (and my gut feeling is that
it is, considering the data you've shown), this is *not* the kind of
SkyPE traffic you'd want to classify, and your QoS probably doesn't do
what you think it does (unless it shapes all traffic to/from that
client's IP)... What do you think?

[rest deleted - amen to all of this... including the pathetic "security
advice" of the SkyPE folks]

Greets,
_Alain_

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ