Ahh, I didn't think about Skype moving the supernodes around.
Maybe just a change from:
any any -> any 30333 to:
$HOME_NET any -> $EXTERNAL_NET 33033
That way at least we will only see FP from external traffic and you
won't miss any actual Skype traffic (assuming you're not running a
supernode in your LAN environment).
--
Jon Scheidell
Security Engineer
Secnap Network Security
(561) 999-5000 x:4110
www.secnap.com
-----Original Message-----
From: Reg Quinton [mailto:reggers ist.uwaterloo.ca]
Sent: Tuesday, July 11, 2006 11:09 AM
To: Jonathan Scheidell; bleeding-sigs bleedingsnort.com
Cc: SECNAP Network Security
Subject: Re: [Bleeding-sigs] FP in 2003022 (Skype Bootstrap)
> This traffic will always contact these 7 bootstrap supernodes on port
> 33033 on Skype first login:
I'm seeing 33033 to other systems. I think Skype may have some new bootstrap
nodes -- in the sample below those with counts over 100 are *probably*
accurate, those below are likely FP's. The ones at 212.72.49.143 and
195.215.8.145 seem to be new ...
[10:52am dominic] grep :33033 /var/log/snort/alert | grep -v ':53 ' | sed 's/.*> //' | sort | uniq -c | sort -n
      1 203.219.243.215:33033
      1 87.3.32.82:33033
      2 212.115.176.66:33033
      2 219.146.95.130:33033
      2 61.229.234.225:33033
      2 81.251.204.142:33033
      8 82.172.29.27:33033
    104 66.235.180.9:33033
    131 64.246.48.23:33033
    144 64.246.49.60:33033
    156 64.246.49.61:33033
    278 212.72.49.143:33033
    348 195.215.8.145:33033
    953 66.235.181.9:33033
From whois at least one of the new numbers is suspicious:
inetnum: 212.72.49.128 - 212.72.49.159
netname: SKYPE-NL
descr: SKYPE-NL
Skype doesn't register its bootstrap nodes so it's awfully hard to confirm.
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
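The triage in this thread, done as a small script rather than the grep/sed/uniq pipeline: count sid 2003022 alerts per destination, drop the DNS-reply case (source port 53) the pipeline filters with `grep -v ':53 '`, optionally drop destinations inside HOME_NET (the effect of the `$HOME_NET any -> $EXTERNAL_NET 33033` header change), and split the remainder by the "counts over 100 are probably accurate" heuristic. This is an added example, not code from either poster or from the Bleeding Snort project; the alert lines, addresses, timestamps, the `10.0.0.0/8` HOME_NET and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Snort "fast" alert lines (not real log data).  The sid
# 2003022 and the message text are the signature the thread discusses; every
# address and timestamp below is made up.
SAMPLE_ALERTS = """\
07/11-10:40:01.000001  [**] [1:2003022:1] Skype Bootstrap [**] [Priority: 3] {UDP} 10.0.0.5:41234 -> 66.235.181.9:33033
07/11-10:40:02.000002  [**] [1:2003022:1] Skype Bootstrap [**] [Priority: 3] {UDP} 10.0.0.5:41235 -> 66.235.181.9:33033
07/11-10:40:03.000003  [**] [1:2003022:1] Skype Bootstrap [**] [Priority: 3] {UDP} 10.0.0.7:41236 -> 66.235.181.9:33033
07/11-10:40:04.000004  [**] [1:2003022:1] Skype Bootstrap [**] [Priority: 3] {UDP} 10.0.0.9:33033 -> 10.0.0.1:53
07/11-10:40:05.000005  [**] [1:2003022:1] Skype Bootstrap [**] [Priority: 3] {UDP} 10.0.0.2:53 -> 203.0.113.10:33033
07/11-10:40:06.000006  [**] [1:2003022:1] Skype Bootstrap [**] [Priority: 3] {UDP} 10.0.0.8:52000 -> 198.51.100.4:33033
07/11-10:40:07.000007  [**] [1:2003022:1] Skype Bootstrap [**] [Priority: 3] {UDP} 10.0.0.5:52001 -> 10.0.0.20:33033
"""

# Matches the "{PROTO} src:sport -> dst:dport" tail of a fast-alert line.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

BOOTSTRAP_PORT = 33033  # destination port the sid 2003022 rule watches


def count_bootstrap_targets(lines, home_net=None):
    """Count alerts per destination host.

    Mirrors: grep :33033 | grep -v ':53 ' | sed 's/.*> //' | sort | uniq -c
    Only destination port 33033 counts, and source port 53 is dropped (a DNS
    reply to a client whose ephemeral port happened to be 33033).  When
    home_net is given, destinations inside it are dropped as well, which is
    what the $HOME_NET -> $EXTERNAL_NET header change suggested in the reply
    would do at the sensor.
    """
    net = ipaddress.ip_network(home_net) if home_net else None
    counts = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line in the expected format
        if int(m["dport"]) != BOOTSTRAP_PORT or int(m["sport"]) == 53:
            continue
        if net is not None and ipaddress.ip_address(m["dst"]) in net:
            continue
        counts[m["dst"]] += 1
    return dict(counts)


def classify(counts, min_count=100):
    """Split destinations using the thread's heuristic: a host that shows up
    more than min_count times is probably a real bootstrap node, the rest are
    candidate false positives worth a second look (whois, sample pcap)."""
    likely = sorted(d for d, n in counts.items() if n > min_count)
    suspect = sorted(d for d, n in counts.items() if n <= min_count)
    return likely, suspect


if __name__ == "__main__":
    counts = count_bootstrap_targets(SAMPLE_ALERTS.splitlines(), home_net="10.0.0.0/8")
    for dst, n in sorted(counts.items(), key=lambda kv: kv[1]):
        print(f"{n:7d} {dst}:{BOOTSTRAP_PORT}")
    # The sample is tiny, so a threshold of 2 stands in for the thread's 100.
    likely, suspect = classify(counts, min_count=2)
    print("probably real:", likely)
    print("likely FP    :", suspect)
```

Against a real `/var/log/snort/alert` you would feed `open(path)` to `count_bootstrap_targets` and keep the default threshold; the count heuristic only tells you where to look, and the whois step from the original message is still what separates a new Skype-owned node from an unrelated host that happens to use the port.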