[Snort-users] Detecting Skype traffic (reliably)
Jason.Haar at ...294...
Wed Oct 25 19:24:14 EDT 2006
Andrew Hay wrote:
> Has anyone, in practice...not in theory, been able to create and
> validate a snort signature that is able to classify Skype traffic?
> I've been researching for days and am having a hard time. I know that
> TippingPoint has a way of classifying (and blocking) Skype traffic but
> from what I hear they don't appear to be sharing the 'secret sauce'.
> Any input would be greatly appreciated.
If you want to reliably block it, and run on a proxy-based network, then
it's relatively easy.
Skype relies on it's users to be available for P2P to work - which means
it can't rely on there being DNS entries for every Skype user IP. If it
finds it can't connect directly to anything, it does Registry
lookups/etc to detect proxy servers, and uses them to gateway to other
Skype users via the proxy CONNECT method.
And there's the noose - they are of the form "CONNECT IP.ADD.RESS:443".
Since when do "real" HTTPS Web servers use raw IP addresses? :-)
So in the Squid proxy, you can configure it to deny access to any
CONNECT-based session if ip addresses are used instead of DNS names. It
will break Skype, and shouldn't break very much else (covering a** with
that comment ;-)
Game over for Skype.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the Snort-users