I would agree, the protocol is very difficult to detect. I haven't done any work on it, but I don't expect it would be very effective.
We DO have some sigs at bleeding snort. I have not tested recent versions of the client. If anyone could and let us know I'd appreciate it. We are just watching for the Skype User-Agent in http requests, and the install and version check http requests. I would assume these have changed in the latest release. http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Skype?view=markup If you happen to be installing skype, send us a pcap of what it does and we can update these sigs. But no, we do not have sigs to detect skype in use, other than the above. I'm not aware of any others. What these vendors may be doing it trying to block access to centralized login or directory servers by known IP ranges... I don't know if that'll be completely effective. Matt Vladimir Parkhaev wrote: > Greetings, > > Many IPS vendors are claiming that their devices can block Skype. > Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol" > (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf), > paper I fail to see how those claims can be true. > > > Has anyone looked into blocking Skype? > > > Thanks. > -- -------------------------------------------- Matthew Jonkman, CISSP Senior Security Engineer Infotex 765-429-0398 Direct Anytime 765-448-6847 Office 866-679-5177 24x7 NOC http://my.infotex.com http://www.infotex.com http://www.bleedingsnort.com -------------------------------------------- ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
