[Snort-sigs] false +ves for BLEEDING-EDGE P2P CHAT Skype VoIP Initialization

Jason Haar Jason.Haar at ...651...
Tue Apr 19 20:35:38 EDT 2005

Matt Jonkman wrote:

> Interesting, I believe I have seen real hits on this, and haven't
> personally had falses.
> This session appears to be to paypal.
> Strange, that sig is quite specific. Jason Haar wrote it, maybe he can
> comment:
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE P2P CHAT Skype
> VoIP Initialization";flow:to_server,established;
> content:"|8046010301002d0000001000000500000400000a0000090000640000620000080000030000060100800700c0030080060040020080040080|";
> depth:112; classtype:policy-violation; sid:2001333; rev:1;)
This rule was written by me some 6 months ago now? Since then there have
been several new releases, and I can say that I think the latest Skype
doesn't trigger this rule.

Skype traffic is AES encrypted according to their Web site - so it was a
bit surprising to me that I found a pattern back then anyway. It appears
they have "fixed" that glitch in the latter releases - I can't see any
pattern in Skype traffic these days... (random IP addresses, random
ports, encrypted packets with no public key exchange - nasty! ;-)

I'd say remove it, and instead rely on the "Skype VOIP Checking Version"
rules to catch at least some installs of it.

I expect to see more and more software moving to this "hidden" mode - it
will make signature-based IDS fairly ineffective. :-(


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list