[Snort-sigs] false +ves for BLEEDING-EDGE P2P CHAT Skype VoIP Initialization
Jason.Haar at ...651...
Tue Apr 19 20:35:38 EDT 2005
Matt Jonkman wrote:
> Interesting, I believe I have seen real hits on this, and haven't
> personally had falses.
> This session appears to be to paypal.
> Strange, that sig is quite specific. Jason Haar wrote it, maybe he can
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE P2P CHAT Skype
> VoIP Initialization";flow:to_server,established;
> depth:112; classtype:policy-violation; sid:2001333; rev:1;)
This rule was written by me some 6 months ago now? Since then there have
been several new releases, and I can say that I think the latest Skype
doesn't trigger this rule.
Skype traffic is AES encrypted according to their Web site - so it was a
bit surprising to me that I found a pattern back then anyway. It appears
they have "fixed" that glitch in the later releases - I can't see any
pattern in Skype traffic these days... (random IP addresses, random
ports, encrypted packets with no public key exchange - nasty! ;-)
I'd say remove it, and instead rely on the "Skype VOIP Checking Version"
rules to catch at least some installs of it.
I expect to see more and more software moving to this "hidden" mode - it
will make signature-based IDS fairly ineffective. :-(
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1