lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: alain at ait.ac.th (Alain Fauconnet) Subject: blocking SkyPE? Bryan, Thanks for your input. On Tue, Jan 25, 2005 at 12:04:45AM -0800, lists-security@...tracers.com wrote: > Full-Disclosure aspect: knowing the capabilities and limitations of the > various firewalls employed. How policies can be violated without detection. > Vendors and open-source community need to push to solve these real world > problems. > > >...but the real question is: can they detect SkyPE specifically? > > This is from a Fortigate with factory release NIDS, AV and IPS databases - > nothing custom - (someone with a checkpoint and others may pipe in here with > their capabilities): > > On Status page: > Recent Intrusion Detections > Time Src/Dst Service Attack Name > 2005-01-24 22:35:16 10.0.0.12 206.14.209.40 http skype > > Skype In Alert Log: > 2005-01-24 22:35:16 log_id=1421051110 type=ips subtype=signature pri=alert > vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743 > dst_port=80 src_int=port1 dst_int=port2 status=detected proto=6 service=http > msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]" > I think that this may trigger on the regular HTTP request that SkyPE does at start up (and only then). This checks the SkyPE web site for updates. This is also what the available Snort signature trigger on, simply because it's the only kind of traffic that has a recognizable signature. How many hits do you have for a given client IP on this rule? If it's really triggering on VoIP traffic, you should get many per second. > I am not blocking skype traffic or the kazaa traffic that is detected, but > use this info to quantify the use of the network and to throttle bandwidth > if needed to maintain QOS for business-critical functions. If that's just the version check traffic (and my gut feeling is that it is, considering the data you've shown), this is *not* the kind of SkyPE traffic you'd want to classify, and your QoS probably doesn't do what you think it does (unless it shapes all traffic to/from that client's IP)... What do you think? [rest deleted - amen to all of this... including the pathetic "security advice" of the SkyPE folks] Greets, _Alain_
Powered by blists - more mailing lists