2002157 (revision 5)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0, within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; sid:2002157; rev:3;)

Added 2008-02-18 12:27:29 UTC

Adding some anchoring content matches for performance. Thanks Victor

-- MattJonkman - 18 Feb 2008
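
The effect of the anchoring content matches, shown as an added Python sketch that emulates rev 2 and rev 3 over constructed requests (this is not Emerging Threats code). It assumes `distance:0, within:100` is meant as distance 0 and within 100 bytes; `content_prefilter`, `evaluate`, `request` and the sample payloads are hypothetical names and data.

```python
import re

# pcre from the rule, unchanged. Note the class [^(\n|\r)] excludes the
# literal characters ( | ) as well as CR and LF.
RULE_PCRE = re.compile(rb"User-Agent\:[^(\n|\r)]+Skype", re.I)
ANCHOR = b"\r\nUser-Agent: "   # content:"|0d 0a|User-Agent\: "
WORD = b"Skype"                # content:"Skype" (case-sensitive, no nocase)
WITHIN = 100                   # assumed reading of "distance:0, within:100"

def content_prefilter(payload: bytes) -> bool:
    """True if WORD lies wholly within WITHIN bytes after some ANCHOR."""
    pos = payload.find(ANCHOR)
    while pos != -1:
        start = pos + len(ANCHOR)          # distance:0 -> search from here
        if WORD in payload[start:start + WITHIN]:
            return True
        pos = payload.find(ANCHOR, pos + 1)
    return False

def evaluate(payload: bytes, anchored: bool):
    """Return (alert, pcre_was_run) for rev 2 (anchored=False) or rev 3."""
    if anchored and not content_prefilter(payload):
        return (False, False)              # pcre never evaluated
    return (RULE_PCRE.search(payload) is not None, True)

def request(user_agent: bytes) -> bytes:
    """Build a minimal HTTP request carrying the given User-Agent value."""
    return (b"GET / HTTP/1.1\r\nHost: a.example\r\nUser-Agent: "
            + user_agent + b"\r\n\r\n")

# Constructed sample requests, not captured traffic.
SAMPLES = {
    "skype": request(b"Skype 3.5"),
    "browser": request(b"Mozilla/4.0 (compatible; MSIE 7.0)"),
    "paren_then_skype": request(b"Mozilla/4.0 (compatible) Skype 3.5"),
    "lowercase": request(b"skype 3.5"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, "rev2:", evaluate(payload, False),
              "rev3:", evaluate(payload, True))
```

In this emulation the `browser` request never reaches the pcre under rev 3, while the `lowercase` and `paren_then_skype` samples are the cases worth keeping as regression tests when changing the content matches or the character class.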



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:2;)

Added 2008-01-31 18:48:10 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:1;)


Can the rule block Skype 3.51 or not?

-- SonicLee - 29 Aug 2007

3.51 does make an http request on startup, so yes it will detect at startup.

-- MattJonkman - 29 Aug 2007

We tested signatures #2001595, 2001596, 2002157 and 2003022, and still cannot block Skype 3.51. Does anyone have signatures to block Skype 3.51?

-- SonicLee - 07 Sep 2007

Topic revision: r5 - 2008-02-18 - MattJonkman
 