[Snort-sigs] Skype login rules - can these be used?

Jim McKibben jmckibben at ...4232...
Wed Feb 15 09:29:03 EST 2017

There are two Skype rules that I am considering using to prevent FPs on
Edonkey/Emule rules.

What I am considering is modifying another rule written for Edonkey/Emule
and checking that the flowbit "skype.login" is not set, to know that Edonkey
IS Edonkey and not Skype.

Has anyone used these rules and what success have you had?

pua-p2p.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET any
(msg:"PUA-POLICY Skype client login"; flow:to_client,established;
flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4;
classtype:policy-violation; sid:5999; rev:7;)

pua-p2p.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET any
(msg:"PUA-POLICY Skype client login startup"; flow:to_server,established;
dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login;
classtype:policy-violation; sid:5998; rev:7;)

Sorry to re-open a comment thread that was last discussed about 10 years
ago, but this hit my radar again and I figured it was time to reach out to
the community.


Jim McKibben, Security Analyst GSEC GWAPT
Office / 913-685-6588
Mobile / 573-424-4848
jmckibben at ...4232...


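As an added illustration (not part of the post above and not Snort code), the following toy model shows how the per-flow flowbit set by sid 5998 gates the later rules: sid 5999 requires it set, and the modified Edonkey rule the post proposes would require it not set. The Edonkey detection logic is a constructed stand-in, since the real Edonkey/Emule rule is not shown; flow keys and sample payloads are also constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    flow: str          # key for the TCP session (Snort tracks flowbits per flow)
    to_server: bool    # direction, as in flow:to_server / flow:to_client
    payload: bytes

def skype_login_startup(pkt, bits):
    """sid 5998: to_server, dsize:5, content:"|16 03 01 00|" depth:4, flowbits:set,skype.login"""
    if pkt.to_server and len(pkt.payload) == 5 and pkt.payload[:4] == b"\x16\x03\x01\x00":
        bits.add("skype.login")
        return True
    return False

def skype_login(pkt, bits):
    """sid 5999: to_client, flowbits:isset,skype.login, dsize:5, content:"|17 03 01 00|" depth:4"""
    return (not pkt.to_server and "skype.login" in bits
            and len(pkt.payload) == 5 and pkt.payload[:4] == b"\x17\x03\x01\x00")

def edonkey_stand_in(pkt):
    # Constructed placeholder for whatever the real Edonkey/Emule rule matches on.
    return pkt.payload[:1] == b"\xe3"

def edonkey_gated(pkt, bits):
    """Hypothetical modified Edonkey rule: original logic plus flowbits:isnotset,skype.login."""
    return edonkey_stand_in(pkt) and "skype.login" not in bits

def run(packets):
    state = {}          # flow key -> set of flowbits; a bit set on flow A never affects flow B
    alerts = []
    for pkt in packets:
        bits = state.setdefault(pkt.flow, set())
        if skype_login_startup(pkt, bits):
            alerts.append((5998, pkt.flow))
        if skype_login(pkt, bits):
            alerts.append((5999, pkt.flow))
        if edonkey_gated(pkt, bits):
            alerts.append(("edonkey", pkt.flow))
    return alerts

# Constructed sample traffic: flow A is a Skype login, flow B is not.
SAMPLE = [
    Packet("A", True,  b"\x16\x03\x01\x00\x00"),   # sets skype.login on flow A (sid 5998)
    Packet("A", False, b"\x17\x03\x01\x00\x00"),   # fires sid 5999 because the bit is set
    Packet("A", True,  b"\xe3\x01\x02\x03"),       # Edonkey-looking bytes on the Skype flow: suppressed
    Packet("B", True,  b"\xe3\x01\x02\x03"),       # same bytes on a flow with no skype.login bit: alerts
]
```

The gating only works if sid 5998 is actually enabled (both rules are commented out with a leading `#` in the quoted pua-p2p.rules) and if Snort saw the flow's startup packet, since the bit lives only for the life of that flow.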