2002157 (2015-01-22, ShreekalaKN)
<h2> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_user_agent; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_22;) </h2>
Added 2020-04-22 19:05:09 UTC
<hr>
<h2> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_user_agent; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) </h2>
Added 2018-09-13 19:37:49 UTC
<hr>
<h2> </h2>
Added 2018-09-13 17:52:43 UTC
<hr>
<h2> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_user_agent; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) </h2>
Added 2017-08-07 20:55:51 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;) </h2>
Added 2013-08-13 17:17:59 UTC

Hi, can we block only Skype calls using Suricata rules, without blocking other features of Skype? If so, what rule do I have to add?
-- Main.ShreekalaKN - 2015-01-13

As far as I know, I don't think that is possible as Skype traffic is encrypted.
-- Main.DarienH - 2015-01-13

Okay. Thank you. I am trying to set up a GUI interface for Suricata. I found that Snorby brings up a GUI for Suricata, but I don't know how I can use my Suricata setup with Snorby. Can you please guide me with that?
-- Main.ShreekalaKN - 2015-01-22
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;) </h2>
Added 2013-08-13 16:50:10 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;) </h2>
Added 2013-08-13 01:59:04 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;) </h2>
Added 2012-05-01 20:42:41 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:9;) </h2>
Added 2011-12-07 21:59:22 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:8;) </h2>
Added 2011-10-12 19:11:22 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; sid:2002157; rev:8;) </h2>
Added 2011-09-14 21:27:19 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2002157; rev:8;) </h2>
Added 2011-05-31 15:33:07 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2002157; rev:7;) </h2>
Added 2011-02-04 17:21:45 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0; within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2002157; rev:5;) </h2>
Added 2009-02-11 19:15:23 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0; within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; sid:2002157; rev:4;) </h2>
Added 2008-03-03 11:36:54 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0, within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; sid:2002157; rev:3;) </h2>
Added 2008-02-18 12:27:29 UTC

Adding some anchoring content matches for performance. Thanks, Victor.
-- Main.MattJonkman - 18 Feb 2008
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:2;) </h2>
Added 2008-01-31 18:48:10 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:1;) </h2>
<hr>
Can the rule block Skype 3.51 or not?
-- Main.SonicLee - 29 Aug 2007

3.51 does make an HTTP request on startup, so yes it will detect at startup.
-- Main.MattJonkman - 29 Aug 2007

We tested signatures #2001595, 2001596, 2002157 and 2003022, and still cannot block Skype 3.51. Does anyone have signatures to block Skype 3.51?
-- Main.SonicLee - 07 Sep 2007
<hr>
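Revisions 9 and 10 above differ only in the pcre character class, `[^(\n|\r)]` versus `[^\n\r]`; inside a class the characters `(`, `|` and `)` are literals, so the older form also stops at them. The following is an added example, not Emerging Threats code, comparing the match logic of revisions 9, 10 and 11 on constructed header blocks. It assumes Python's `re` as a stand-in for PCRE and plain string checks as an approximation of the `http_header` and `http_user_agent` buffers; all function names are hypothetical.

```python
import re

# Python's re stands in for PCRE; class semantics are the same for these patterns.
# Rev 9: inside [...] the characters ( | ) are literals, so they are excluded too.
PCRE_REV9 = re.compile(r"User-Agent\x3a[^(\n|\r)]+Skype", re.I)
# Rev 10: only CR and LF are excluded.
PCRE_REV10 = re.compile(r"User-Agent\x3a[^\n\r]+Skype", re.I)


def user_agent(headers: str) -> str:
    """Approximate the http_user_agent buffer: the User-Agent value, or ''."""
    for line in headers.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""


def compare(headers: str) -> dict:
    """Evaluate the match logic of revisions 9, 10 and 11 on a raw header block."""
    has_content = "Skype" in headers  # content:"Skype"; http_header; (case-sensitive)
    return {
        "rev9": has_content and bool(PCRE_REV9.search(headers)),
        "rev10": has_content and bool(PCRE_REV10.search(headers)),
        "rev11": "Skype" in user_agent(headers),  # content:"Skype"; http_user_agent;
    }


# Constructed sample header blocks (not captured traffic).
SAMPLES = {
    "plain": "Host: example.test\r\nUser-Agent: Skype/3.5\r\n",
    "parenthesised": "Host: example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) Skype/6.0\r\n",
    "other_header": "User-Agent: Mozilla/5.0\r\nX-Client: Skype\r\n",
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:14} {compare(headers)}")
```

The `parenthesised` sample is the case the revision 10 class change covers, and `other_header` shows that none of the three revisions fire when "Skype" appears only outside the User-Agent header.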
Topic revision: r8 - 2015-01-22 - ShreekalaKN
Copyright © Emerging Threats