lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050125180602.ACF0025C00B@mail.nettracers.com> From: lists-security at nettracers.com (lists-security@...tracers.com) Subject: blocking SkyPE? >I think that this may trigger on the regular HTTP request that SkyPE does at >start up (and only then). This checks the SkyPE web site for updates. This is >also what the available Snort signature trigger on, simply because it's the only >kind of traffic that has a recognizable signature. >How many hits do you have for a given client IP on this rule? If it's really >triggering on VoIP traffic, you should get many per second. I am getting 3-10 hits per second for any active system running this, example: 91 detected 09:06:35 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6 92 detected 09:06:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6 93 detected 09:06:13 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6 94 detected 09:06:06 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6 95 detected 09:04:11 p2p: skype,aggregated 3 times,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6 96 detected 09:04:05 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6 97 detected 09:03:36 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6 98 detected 09:03:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6 99 detected 09:02:08 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6 >If that's just the version check traffic (and my gut feeling is that it is, >considering the data you've shown), this is *not* the kind of SkyPE traffic >you'd want to classify, and your QoS probably doesn't do what you think it >does (unless it shapes all traffic to/from that client's IP)... What do you >think? The plan is to shape the entire users system to throttle to a lower priority or a and/or limited bandwidth or full block when any p2p policy abuse is detected. Since you can't tell which traffic is which, just relegate that user to 9600 bps (BOFH solution). The skype encryption and traffic should be able to be mathematically characterized and classified without having to decrypt...a fun project to work on perhaps...with results fed back to the IPS system to lock down or flow control. - Bryan K. Watson - bwatson@...tracers.com
Powered by blists - more mailing lists