[Snort-sigs] false +ves for BLEEDING-EDGE P2P CHAT Skype VoIP Initialization

stephane nasdrovisky stephane.nasdrovisky at ...2835...
Wed Apr 20 00:32:28 EDT 2005


Jason Haar wrote:

> random IP addresses, random ports,
>
> I'd say remove it, and instead rely on the "Skype VOIP Checking Version"
> rules to catch at least some installs of it.

An alternative could be to alarm upon access to skype's login server.
The file C:\Documents and Settings\All Users\Application Data\Skype\shared.xml (skype 1.0) contains this information:
      <EventServers>
        <DirectlyConnected>1</DirectlyConnected>
        <LastTCPServer>80.160.91.28:12350</LastTCPServer>
        <LastUDPServer>212.72.49.142:12350</LastUDPServer>
      </EventServers>

      <LoginServers>
        <DirectlyConnected>1</DirectlyConnected>
        <LastTCPServer>195.215.8.141:33033</LastTCPServer>
      </LoginServers>

I don't know how skype uses this information, but I guess it sometimes uses it.
This file also contains the p2p hosts cache (random ip addresses & ports).

alert ip $HOME_NET any -> 195.215.8.141 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999988; rev:1;)
alert tcp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999989; rev:1;)
alert udp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999990; rev:1;)
alert ip $HOME_NET any -> 80.160.91.28 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999991; rev:1;)
alert ip $HOME_NET any -> 212.72.49.142 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999992; rev:1;)
alert tcp $HOME_NET any -> any 12350 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999993; rev:1;)
alert udp $HOME_NET any -> any 12350 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999994; rev:1;)
alert ip $HOME_NET any -> 198.63.210.250 any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP web site"; classtype:policy-violation; sid:9999995; rev:1;)
alert udp $HOME_NET any -> 64.141.3.65 53 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP dns"; classtype:policy-violation; sid:9999996; rev:1;)
alert udp $HOME_NET any -> 195.50.213.37 53 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP dns"; classtype:policy-violation; sid:9999997; rev:1;)
alert udp $HOME_NET any -> 80.160.91.4 53 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP dns"; classtype:policy-violation; sid:9999998; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP dns"; content:"|05|skype"; depth:50; classtype:policy-violation; sid:9999999; rev:1;)

whois reports these netblocks:
inetnum: 212.72.49.128 - 212.72.49.159
netname: SKYPE-NL

inetnum: 195.215.8.0 - 195.215.8.255
netname: TDC-HOSTING-OEBRO

inetnum: 80.160.88.0 - 80.160.91.255
netname: TDC-INTERNET-SERVERCAMP-OPA

Nom :    skype.com
Address:  198.63.210.250

nslookup -type=ns skype.com
skype.com       nameserver = ns4.joltid.net
skype.com       nameserver = ns5.joltid.net
skype.com       nameserver = ns.joltid.net

ns5.joltid.net  internet address = 64.141.3.65
ns.joltid.net   internet address = 195.50.213.37
ns4.joltid.net  internet address = 80.160.91.4
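Added example (editor's code, not from Stephane's post or from the Bleeding Edge ruleset): it automates the two ideas in the post above, pulling the Last*Server entries out of shared.xml and emitting Snort rules in the same layout as the hand-written ones, and it builds an RFC 1035 query packet to show why the last rule's content:"|05|skype"; depth:50 fires on a lookup of skype.com. The XML fragment is the one quoted in the post wrapped in a made-up root element, the starting sid and message prefix are the post's own placeholders, and none of the server addresses are verified current.

```python
"""Generate Snort rules from Skype's shared.xml and check the DNS content match.

Editor's example. Assumes the shared.xml layout quoted in the post (root
element name is a guess), the post's placeholder sid range starting at
9999988, and standard RFC 1035 DNS query encoding.
"""
import struct
import xml.etree.ElementTree as ET

# Constructed sample: the fragment quoted in the post, under an assumed root tag.
SHARED_XML = """<Config>
  <EventServers>
    <DirectlyConnected>1</DirectlyConnected>
    <LastTCPServer>80.160.91.28:12350</LastTCPServer>
    <LastUDPServer>212.72.49.142:12350</LastUDPServer>
  </EventServers>
  <LoginServers>
    <DirectlyConnected>1</DirectlyConnected>
    <LastTCPServer>195.215.8.141:33033</LastTCPServer>
  </LoginServers>
</Config>"""


def extract_servers(xml_text):
    """Return (section, proto, ip, port) for every Last*Server element."""
    root = ET.fromstring(xml_text)
    found = []
    for section in root:
        for elem in section:
            if elem.tag in ("LastTCPServer", "LastUDPServer"):
                proto = "tcp" if elem.tag == "LastTCPServer" else "udp"
                ip, port = elem.text.strip().rsplit(":", 1)
                found.append((section.tag, proto, ip, int(port)))
    return found


def make_rules(servers, first_sid=9999988):
    """Emit one 'alert ip' rule per distinct server address and one
    'alert <proto>' rule per distinct (proto, port), mirroring the post."""
    ip_rules, port_rules = {}, {}
    for section, proto, ip, port in servers:
        label = "Login" if section == "LoginServers" else "Event"
        msg = f"BLEEDING-EDGE P2P VOIP Skype VoIP {label}"
        ip_rules.setdefault(ip, msg)            # keep first label seen per IP
        port_rules.setdefault((proto, port), msg)
    rules, sid = [], first_sid
    for ip, msg in ip_rules.items():
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"{msg}"; '
                     f'classtype:policy-violation; sid:{sid}; rev:1;)')
        sid += 1
    for (proto, port), msg in port_rules.items():
        rules.append(f'alert {proto} $HOME_NET any -> any {port} (msg:"{msg}"; '
                     f'classtype:policy-violation; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def dns_qname(name):
    """Encode a domain name as length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name, txid=0x1234):
    """Minimal standard query for an A record: 12-byte header, QNAME, QTYPE=1, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, 1 question
    return header + dns_qname(name) + struct.pack(">HH", 1, 1)


def matches_skype_dns_rule(payload, depth=50):
    """Same test as the post's last rule: content:"|05|skype" within the first 50 bytes."""
    return b"\x05skype" in payload[:depth]


if __name__ == "__main__":
    for rule in make_rules(extract_servers(SHARED_XML)):
        print(rule)
    for qname in ("skype.com", "www.example.com", "myskype.net"):
        print(qname, matches_skype_dns_rule(build_dns_query(qname)))
```

Running it prints six rules (three address-based, three port-based) and shows that the DNS match fires on skype.com but not on myskype.net, because the label length byte must be exactly 5; note that any name carrying a label "skype" in its first 50 bytes (skype.example.org, say) also matches, which is the trade-off of a label match versus the three resolver-address rules.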
