
Thread: FP in 2003022 (Skype Bootstrap)




2006-07-10 16:46:09

In bleeding-policy.rules

 

Thank you Reg Quinton for your initial submission of this signature

 

This signature looks for any traffic destined for any host with a destination port of 33033 UDP.

 

We are seeing FPs from this on several machines running DNS servers (UNIX, i.e. no Skype installed).

 

This traffic will always contact these 7 bootstrap supernodes on port 33033 on Skype first login:

66.235.180.9

66.235.181.9

80.161.91.25

80.161.91.12

64.246.49.60

64.246.49.61

64.246.48.23

 

Reference (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf) page 4

 

Current sig:

alert udp any any -> any 33033 (msg: "BLEEDING-EDGE POLICY Skype Bootstrap Node (udp)"; …..

 

Suggested replacement:

alert udp $HOME_NET any -> [66.235.180.9, 66.235.181.9,80.161.91.25,80.161.91.12,64.246.49.60,64.246.49.61,64.246.48.23] 33033 (msg: "BLEEDING-EDGE POLICY Skype Bootstrap Node (udp)"; ….

 

Here is a diff of the changes if you choose to use them.

--- bleeding-policy.rules.org   Mon Jul 10 12:38:48 2006

+++ bleeding-policy.rules     ;  Mon Jul 10 12:39:48 2006

-1016,7 +1016,7

 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"|54 4f 52|"; content:"|3C 69 64 65 6E 74 69 74 79 3E|"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,tor.eff.org; sid:2002953; rev:2;)

 

 #by Reg Quinton

-alert udp any any -> any 33033 (msg: "BLEEDING-EDGE POLICY Skype Bootstrap Node (udp)";; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:2003022; rev:1;)

+alert udp $HOME_NET any -> [66.235.180.9,66.235.181.9,80.161.91.25,80.161.91.12,64.246.49.60,64.246.49.61,64.246.48.23] 33033 (msg: "BLEEDING-EDGE POLICY Skype Bootstrap Node (udp)";; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:2003022; rev:1;)

 

 #Submitted by Erik Vincent

 #alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "BLEEDING-EDGE Policy Proxy Connection detected"; flow: established; content:"Proxy-Connection"; classtype: attempted-user; sid: 2001449; rev:2; )

 
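Review bot: the replacement rule on the `+` line keeps `rev:1` even though its header changed from `any any -> any 33033` to `$HOME_NET any -> [...] 33033`; bump it to `rev:2` so rule-management tools and downstream users see that sid 2003022 changed. Two things are carried over unchanged from the `-` line: the doubled `;;` after the msg option, and the bootstrap address list, which the rule's own reference URL dates to a 2004 report; consider moving the seven addresses into a dedicated `ipvar` so they can be reviewed and updated without touching the rule body.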

--

Jon Scheidell

Security Engineer

Secnap Network Security

(561) 999-5000 x:4110

www.secnap.com
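To illustrate why the header change removes the false positive, here is an added example (not part of the original post or the Bleeding Edge ruleset) with a minimal Snort rule-header matcher: it evaluates the old and suggested headers against two constructed packets, a DNS reply from a name server to a resolver that happened to use source port 33033, and a first-login probe to one of the listed supernodes. The `$HOME_NET` value, the packet addresses and the matcher itself are assumptions; rule options after the header are ignored.

```python
import ipaddress

# Assumption: $HOME_NET is the RFC 5737 documentation range (constructed value).
VARS = {"$HOME_NET": ["192.0.2.0/24"]}

# Headers of the current and suggested rule, as quoted in the post.
OLD_RULE = "alert udp any any -> any 33033"
NEW_RULE = ("alert udp $HOME_NET any -> [66.235.180.9,66.235.181.9,80.161.91.25,"
            "80.161.91.12,64.246.49.60,64.246.49.61,64.246.48.23] 33033")


def expand_ips(token):
    """Turn 'any', '$VAR' or '[a,b,c]' into ip_network objects; None means any."""
    if token == "any":
        return None
    items = VARS[token] if token.startswith("$") else token.strip("[]").split(",")
    return [ipaddress.ip_network(i.strip()) for i in items]


def parse_header(rule):
    """Split a Snort rule header into (proto, src_nets, src_port, dst_nets, dst_port)."""
    action, proto, src, sport, arrow, dst, dport = rule.split()[:7]
    assert arrow == "->", "only unidirectional headers are handled here"
    return proto, expand_ips(src), sport, expand_ips(dst), dport


def ip_matches(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, proto, src, sport, dst, dport):
    """True if the 5-tuple satisfies the rule header (options are not evaluated)."""
    r_proto, r_src, r_sport, r_dst, r_dport = parse_header(rule)
    return (r_proto == proto and ip_matches(r_src, src) and port_matches(r_sport, sport)
            and ip_matches(r_dst, dst) and port_matches(r_dport, dport))


# Constructed packets (proto, src_ip, src_port, dst_ip, dst_port):
# 1) a DNS reply from a HOME_NET name server to a remote resolver whose
#    ephemeral query port was 33033 -- the false positive described in the post
DNS_REPLY = ("udp", "192.0.2.53", 53, "198.51.100.7", 33033)
# 2) a first-login bootstrap probe from a HOME_NET host to a listed supernode
SKYPE_BOOT = ("udp", "192.0.2.10", 51234, "66.235.180.9", 33033)

if __name__ == "__main__":
    for name, pkt in (("DNS reply", DNS_REPLY), ("Skype bootstrap", SKYPE_BOOT)):
        print(f"{name}: old={rule_matches(OLD_RULE, *pkt)} new={rule_matches(NEW_RULE, *pkt)}")
```

The old header fires on both packets; the suggested header fires only on the bootstrap probe.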

 
