Calls and conversations, or just the client startup and checkins to the server?

If you're using the user agent sigs and the like that are out there, and you block that client from anything, then you could stop skype easily. Which many folks do, and then go remove it.

It would be as useful to be able to identify the call streams in case skype decides to no longer make identifiable http requests, or someone controls the outbound traffic from their workstation and prevents these....

Matt

Greg owens wrote:
> cisco's IDS can detect and stop skype
>
> Greg Owens, CCNP CCSP CISSP
> Email:[EMAIL PROTECTED]
> --------------------------
> Sent from my Samsung I730 Wireless Handheld
>
> -----Original Message-----
> >From: "Matt Jonkman"<[EMAIL PROTECTED]>
> >Sent: 5/16/06 1:04:52 PM
> >To: "Vladimir Parkhaev"<[EMAIL PROTECTED]>
> >Cc: "[EMAIL PROTECTED]"<[EMAIL PROTECTED]>
> >Subject: Re: Skype & IPS vendor claims
> >
> >I would agree, the protocol is very difficult to detect. I haven't done
> >any work on it, but I don't expect it would be very effective.
> >
> >We DO have some sigs at bleeding snort. I have not tested recent
> >versions of the client. If anyone could and let us know I'd appreciate
> >it. We are just watching for the Skype User-Agent in http requests, and
> >the install and version check http requests. I would assume these have
> >changed in the latest release.
> >
> >http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/POLICY/POLICY_Skype?view=markup
> >
> >If you happen to be installing skype, send us a pcap of what it does and
> >we can update these sigs.
> >
> >But no, we do not have sigs to detect skype in use, other than the
> >above. I'm not aware of any others.
> >
> >What these vendors may be doing is trying to block access to centralized
> >login or directory servers by known IP ranges... I don't know if that'll
> >be completely effective.
> >
> >Matt
> >
> >
> >Vladimir Parkhaev wrote:
> >> Greetings,
> >>
> >> Many IPS vendors are claiming that their devices can block Skype.
> >> Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol"
> >> (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf),
> >> paper I fail to see how those claims can be true.
> >>
> >>
> >> Has anyone looked into blocking Skype?
> >>
> >>
> >> Thanks.
> >>
> >
> >--
> >--------------------------------------------
> >Matthew Jonkman, CISSP
> >Senior Security Engineer
> >Infotex
> >765-429-0398 Direct Anytime
> >765-448-6847 Office
> >866-679-5177 24x7 NOC
> >http://my.infotex.com
> >http://www.infotex.com
> >http://www.bleedingsnort.com
> >--------------------------------------------
> >
> >------------------------------------------------------------------------
> >Test Your IDS
> >
> >Is your IDS deployed correctly?
> >Find out quickly and easily by testing it
> >with real-world attacks from CORE IMPACT.
> >Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> >to learn more.
> >------------------------------------------------------------------------
