[Snort-sigs] false +ves for BLEEDING-EDGE P2P CHAT Skype VoIP Initialization

stephane nasdrovisky stephane.nasdrovisky at ...2835...
Wed Apr 20 08:29:01 EDT 2005


Matt Jonkman wrote:

> I don't think we can count on the IPs remaining static, nor the ports. 
> So I think we'll have to for now rely on the version check sig.

This may also change. The easiest thing to do is probably not letting 
users install Skype if you don't want it to be used (it's easier than 
maintaining 5 or 10 Snort signatures).
I guess too the address and ports will change sometime; my original post 
suggested replacing the IP addresses with their associated netblocks 
(unfortunately, my del key seems too close to my send button).
Skype (version 0.9?) was analyzed by 
http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf
One of the login or bootstrap servers was at 80.160.91.11 (this netblock 
is still in use by Skype, but not for login; port 33033 was already used).
It uses STUN for NAT & firewall traversal. Could be a way to sniff its 
presence?

10 sigs for Skype detection seems overkill, so relying only on "Skype 
VOIP Checking Version" is probably fine in most cases, especially since 
there are competitors on this new market (a new .com economy story 
candidate?).

alert ip $HOME_NET any -> [195.215.8.128/24,80.160.88.0/22,212.72.49.128/27] any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP ip"; classtype:policy-violation; sid:9999995; rev:1;)
alert tcp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999996; rev:1;)
alert udp $HOME_NET any -> any 33033 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Login"; classtype:policy-violation; sid:9999997; rev:1;)
alert tcp $HOME_NET any -> any 12350 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999998; rev:1;)
alert tcp $HOME_NET any -> any 12350 (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP Event"; classtype:policy-violation; sid:9999999; rev:1;)

>>> I'd say remove it, and instead rely on the "Skype VOIP Checking 
>>> Version"
>>

It looks like the false+ was some SSL/TLS messages. As Skype knows most 
parameters (enc. scheme, certs, ...) I guess they removed the negotiation 
from their protocol (why use a dynamic protocol in a static 
environment?). They probably only exchange random params (such as the DH 
keys).

It looks like the messages now begin with "|xx030100|", xx being 
"|1x|". A sig candidate could be:
alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P VOIP Skype VoIP 030100"; content:"|030100|"; offset:1; depth:4; classtype:policy-violation; sid:9999999; rev:1;)
I guess it will false+ a lot.
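Added example (not part of the original post or of the Snort project): a Python emulation of the candidate rule's content/offset/depth match, run over constructed payloads, to show why a TLS 1.0 handshake record shorter than 256 bytes (content type 0x16, version 03 01, length 00 xx) trips the same "|030100|" match the rule keys on.

```python
"""Emulate the candidate rule  content:"|030100|"; offset:1; depth:4;  and
check it against constructed sample payloads (no captured traffic)."""

CONTENT = bytes.fromhex("030100")  # the content bytes from the candidate rule


def content_match(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort 2 semantics: search for `content` only inside the `depth` bytes
    that begin `offset` bytes into the payload."""
    return content in payload[offset:offset + depth]


def candidate_rule_fires(payload: bytes) -> bool:
    """The rule from the post: offset 1, depth 4, content |03 01 00|."""
    return content_match(payload, CONTENT, offset=1, depth=4)


def is_short_tls10_handshake_record(payload: bytes) -> bool:
    """A TLS record header is: 1-byte content type (0x16 = handshake),
    2-byte version (0x0301 = TLS 1.0), 2-byte length. Any such record with a
    length below 256 therefore has bytes 1..3 == 03 01 00, which is exactly
    what the candidate rule matches on."""
    if len(payload) < 5:
        return False
    ctype, major, minor, len_hi, _len_lo = payload[:5]
    return ctype == 0x16 and (major, minor) == (3, 1) and len_hi == 0


# Constructed samples (labelled as such; assumed shapes, not real captures).
TLS_CLIENT_HELLO = bytes.fromhex("160301002f") + bytes.fromhex("0100002b") + bytes(0x2B)
SKYPE_LIKE = bytes.fromhex("10030100") + bytes.fromhex("deadbeef")  # "|1x 03 01 00|" shape from the post
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLES = {"tls_client_hello": TLS_CLIENT_HELLO, "skype_like": SKYPE_LIKE, "http_get": HTTP_GET}


def classify(samples: dict) -> dict:
    """Per sample: does the rule fire, and is the payload really a TLS record?"""
    return {name: {"fires": candidate_rule_fires(p), "tls": is_short_tls10_handshake_record(p)}
            for name, p in samples.items()}


def false_positive_names(samples: dict) -> list:
    """Samples the rule fires on that are TLS, i.e. the false+ the post mentions."""
    return [name for name, r in classify(samples).items() if r["fires"] and r["tls"]]


if __name__ == "__main__":
    for name, r in classify(SAMPLES).items():
        print(f"{name:17} fires={r['fires']} tls_record={r['tls']}")
    print("false positives:", false_positive_names(SAMPLES))
```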