# sid 2002157 rev 10 (msg prefix "ET CHAT"): flags outbound HTTP requests whose
# header buffer contains "Skype" on a User-Agent line; classtype policy-violation.
# - Action is `alert`: the rule records the event and does not block traffic.
# - content:"Skype" carries no `nocase`, and both it and the pcre must match, so
#   the pcre's /i flag does not widen the rule to other capitalisations of "Skype".
# - http_header and the pcre H flag both confine matching to the HTTP header
#   buffer; \x3a is ":" and [^\n\r]+ keeps the match on a single header line.
# - Only cleartext HTTP to $HTTP_PORTS is inspected; encrypted Skype sessions are
#   outside what this signature can see.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;)

Added 2013-08-13 17:17:59 UTC

Hi, can we block only Skype calls using Suricata rules, without blocking other features of Skype? If so, what rule do I have to add?

-- ShreekalaKN - 2015-01-13

As far as I know, I don't think that is possible as Skype traffic is encrypted.

-- DarienH - 2015-01-13

Okay, thank you. I am trying to set up a GUI for Suricata. I found that Snorby provides a GUI for Suricata, but I don't know how to use my Suricata setup with Snorby. Can you please guide me with that?

-- ShreekalaKN - 2015-01-22


# sid 2002157 rev 10 as recorded 2013-08-13 16:50:10 UTC; the rule text is the
# same as the other 2013-08-13 entries on this page.
# Alert-only detection: a case-sensitive "Skype" in the HTTP header buffer,
# confirmed by a pcre (flags H = header buffer, i = case-insensitive) that
# requires "User-Agent:" and "Skype" on the same header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;)

Added 2013-08-13 16:50:10 UTC


# sid 2002157 rev 10 as recorded 2013-08-13 01:59:04 UTC, the earliest entry on
# this page with the "ET CHAT" msg prefix. The rev number is unchanged from the
# 2012-05-01 "ET POLICY" entry, so only the msg text differs between the two.
# flow:to_server,established restricts matching to client-to-server data on
# established TCP sessions.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;)

Added 2013-08-13 01:59:04 UTC


# sid 2002157 rev 10 under the earlier "ET POLICY" msg prefix.
# Compared with rev 9 on this page, the pcre character class is [^\n\r] instead
# of [^(\n|\r)]. The older class also excluded the literal characters "(", "|"
# and ")", so a User-Agent with parentheses before "Skype" would not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;)

Added 2012-05-01 20:42:41 UTC


# sid 2002157 rev 9: only content:"Skype" remains as the http_header content
# match; the separate "User-Agent|3a| " content present in rev 8 is gone.
# NOTE(review): inside a character class "(", "|" and ")" are literals, so
# [^(\n|\r)]+ stops at parentheses and pipes as well as CR/LF. A User-Agent with
# "(" between the header name and "Skype" is not detected by this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:9;)

Added 2011-12-07 21:59:22 UTC


# sid 2002157 rev 8 as recorded 2011-10-12: two http_header content matches
# ("User-Agent|3a| ", where |3a| is the hex byte for ":", and "Skype") followed
# by the confirming pcre. No distance/within ties the two contents together; the
# pcre is what requires them to sit on the same header line.
# In this entry the reference option is placed before classtype.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:8;)

Added 2011-10-12 19:11:22 UTC


# sid 2002157 rev 8 as recorded 2011-09-14: same detection options as the other
# rev 8 entries on this page. Only the doc.emergingthreats.net reference is
# listed here; the cvsweb reference from the 2011-05-31 entry is absent.
# The rev number did not change although the metadata did.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; sid:2002157; rev:8;)

Added 2011-09-14 21:27:19 UTC


# sid 2002157 rev 8 as recorded 2011-05-31: compared with rev 7 on this page the
# pcre gains the H flag and uses \x3a for ":", so the regex is evaluated against
# the HTTP header buffer like the two http_header content matches.
# Carries two reference URLs (doc page and cvsweb history).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2002157; rev:8;)

Added 2011-05-31 15:33:07 UTC


# sid 2002157 rev 7: first revision on this page to use the http_header buffer
# for its content matches, replacing the raw-payload "|0d 0a|User-Agent\: " and
# distance/within form of rev 5.
# NOTE(review): the pcre here has only the /i flag (no H), so unlike the content
# matches it is not tied to the HTTP header buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2002157; rev:7;)

Added 2011-02-04 17:21:45 UTC


# sid 2002157 rev 5: raw-payload matching. "|0d 0a|User-Agent\: " is CRLF
# followed by the header name, matched case-sensitively. "Skype" must then start
# at or after the end of that match (distance:0) and fall within the next 100
# bytes (within:100), so a "Skype" token further into a long User-Agent is missed.
# Compared with rev 4 on this page, this revision adds the two reference URLs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0; within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2002157; rev:5;)

Added 2009-02-11 19:15:23 UTC


# Duplicate listing of sid 2002157 rev 5 (same text and timestamp as the
# preceding entry). Raw-payload content anchors plus a case-insensitive pcre;
# no HTTP buffer keywords are used in this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0; within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2002157; rev:5;)

Added 2009-02-11 19:15:23 UTC


# sid 2002157 rev 4: same detection logic as rev 3 on this page, but distance and
# within are now separate options (`distance:0; within:100;`) instead of being
# joined by a comma. No reference options yet.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0; within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; sid:2002157; rev:4;)

Added 2008-03-03 11:36:54 UTC


# Duplicate listing of sid 2002157 rev 4 (same text and timestamp as the
# preceding entry): CRLF + "User-Agent: " anchor, "Skype" within 100 bytes after
# it, then the confirming case-insensitive pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0; within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; sid:2002157; rev:4;)

Added 2008-03-03 11:36:54 UTC


# sid 2002157 rev 3: first revision on this page with content matches ahead of
# the pcre; rev 2 relied on the pcre alone.
# NOTE(review): `distance:0, within:100;` joins two options with a comma rather
# than the ";" separator used everywhere else in the rule. Rev 4 on this page
# writes them as `distance:0; within:100;`.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0, within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; sid:2002157; rev:3;)

Added 2008-02-18 12:27:29 UTC

Adding some anchoring content matches for performance. Thanks Victor

-- MattJonkman - 18 Feb 2008


# Duplicate listing of sid 2002157 rev 3 (same text and timestamp as the entry
# above the MattJonkman note). The comma in `distance:0, within:100;` is present
# here too; see rev 4 on this page for the ";"-separated form.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0, within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; sid:2002157; rev:3;)

Added 2008-02-18 12:27:29 UTC


# sid 2002157 rev 2: pcre-only signature under the "ET POLICY" msg prefix.
# With no content option there is nothing to pre-filter on, so the regex is the
# only test applied to client-to-server data on established sessions to
# $HTTP_PORTS. Rev 3 on this page adds content anchors for that reason.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:2;)

Added 2008-01-31 18:48:10 UTC


# Duplicate listing of sid 2002157 rev 2 (same text and timestamp as the
# preceding entry): a single case-insensitive pcre requiring "User-Agent:" and
# "Skype" with no CR, LF, "(", "|" or ")" between them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:2;)

Added 2008-01-31 18:48:10 UTC


# sid 2002157 rev 1: original signature under the "BLEEDING-EDGE POLICY" msg
# prefix. Its detection logic is the same pcre-only test as rev 2 on this page.
# The action is `alert`, so the rule reports a match rather than blocking it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:1;)


Can the rule block Skype 3.51 or not?

-- SonicLee? - 29 Aug 2007

Skype 3.51 does make an HTTP request on startup, so yes, the rule will detect it at startup.

-- MattJonkman - 29 Aug 2007

We tested signatures #2001595, 2001596, 2002157 and 2003022, and still cannot block Skype 3.51. Does anyone have signatures to block Skype 3.51?

-- SonicLee? - 07 Sep 2007

We tested signatures #2001595, 2001596, 2002157 and 2003022, and still cannot block Skype 3.51. Does anyone have signatures to block Skype 3.51?

-- SonicLee? - 07 Sep 2007


Topic revision: r8 - 2015-01-22 - ShreekalaKN
 