[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050125120429.GE23798@ait.ac.th>
From: alain at ait.ac.th (Alain Fauconnet)
Subject: blocking SkyPE?
Bryan,
Thanks for your input.
On Tue, Jan 25, 2005 at 12:04:45AM -0800, lists-security@...tracers.com wrote:
> Full-Disclosure aspect: knowing the capabilities and limitations of the
> various firewalls employed. How policies can be violated without detection.
> Vendors and open-source community need to push to solve these real world
> problems.
>
> >...but the real question is: can they detect SkyPE specifically?
>
> This is from a Fortigate with factory release NIDS, AV and IPS databases -
> nothing custom - (someone with a checkpoint and others may pipe in here with
> their capabilities):
>
> On Status page:
> Recent Intrusion Detections
> Time Src/Dst Service Attack Name
> 2005-01-24 22:35:16 10.0.0.12 206.14.209.40 http skype
>
> Skype In Alert Log:
> 2005-01-24 22:35:16 log_id=1421051110 type=ips subtype=signature pri=alert
> vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743
> dst_port=80 src_int=port1 dst_int=port2 status=detected proto=6 service=http
> msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]"
>
I think that this may trigger on the regular HTTP request that SkyPE
does at start up (and only then). This checks the SkyPE web site for
updates. This is also what the available Snort signature trigger on,
simply because it's the only kind of traffic that has a recognizable
signature.
How many hits do you have for a given client IP on this rule? If it's
really triggering on VoIP traffic, you should get many per second.
> I am not blocking skype traffic or the kazaa traffic that is detected, but
> use this info to quantify the use of the network and to throttle bandwidth
> if needed to maintain QOS for business-critical functions.
If that's just the version check traffic (and my gut feeling is that
it is, considering the data you've shown), this is *not* the kind of
SkyPE traffic you'd want to classify, and your QoS probably doesn't do
what you think it does (unless it shapes all traffic to/from that
client's IP)... What do you think?
[rest deleted - amen to all of this... including the pathetic "security
advice" of the SkyPE folks]
Greets,
_Alain_
Powered by blists - more mailing lists