Block Skype with Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Snort is used as the native IDS/IPS in several Unified Threat Management (UTM) security platforms, including Astaro and Untangle. The following Snort rule signatures can be used to block Skype traffic at your network perimeter.

Note: When defining rules in the UTM interface, the SID (Signature ID, the sid: value inside the rule) must be copied into the Snort SID field and the full rule must be placed in the Signature field. The signature lines may wrap on this page but must be entered as a single string in the Signature field. The signatures below carry no leading action keyword (alert, drop) because the UTM supplies it from the Block and Log settings; if you load them into a standalone Snort installation instead, prefix each rule with the action you want, e.g. drop for inline mode or alert for detection only. Snort also accepts only plain ASCII double quotes inside a rule, so replace any typographic quotes that a browser or word processor inserts when you copy and paste.

Example Snort IPS Rule:

Category: p2p
Signature: tcp $HOME_NET 1024: -> $EXTERNAL_NET 33033 (msg:"Skype client manual login - TCP/33033"; flow:to_server,established; flags:AP,SUFR12; content:"|17 03 01|"; depth:3; sid:1000400; rev:2; )
Name: Skype client manual login - TCP/33033
SID: 1000400
Block: Yes
Log: Yes
Description: Skype client manual login - TCP/33033

Current Skype filtering signatures (March 8th 2010)

These signatures key on Skype's TLS look-alike login exchange: |16 03 01| is the first three bytes of a TLS 1.0 handshake record header and |17 03 01| the first three bytes of a TLS 1.0 application-data record header, and dsize:5 restricts the match to packets that carry nothing but a 5-byte record header, which a genuine TLS session seldom sends. The paired rules use flowbits so that the server-reply rule only fires after the matching client-login rule has seen the same flow; load both rules of a pair, or the reply rule can never fire. Even so, a zero-length TLS record from an ordinary HTTPS session can match, so deploy with Block: No first and review the logs before enforcing.

Signature 1 - Skype VoIP Initialization

tcp $HOME_NET any -> any any (msg:"P2P CHAT Skype VoIP Initialization"; flow:to_server,established; content:"|80 46 01 03 01 00 2d 00 00 00 10 00 00 05 00 00 04 00 00 0a 00 00 09 00 00 64 00 00 62 00 00 08 00 00 03 00 00 06 01 00 80 07 00 c0 03 00 80 06 00 40 02 00 80 04 00 80|"; depth:112; classtype:policy-violation; sid:1000013; rev:1;)

Signature 2 - Skype client login - reply from server

tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"Skype client login - reply from server"; flags:AP,SUFR12; flow:to_client,established; flowbits:isset,skype_client_login; dsize:5; content:"|17 03 01|"; depth:3; sid:1000012; rev:2; )

Signature 3 - P2P Skype client setup get newest version attempt

tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"P2P Skype client setup get newest version attempt"; flow:to_server,established; uricontent:"/ui/"; uricontent:"/getnewestversion"; content:"Host|3A| ui.skype.com"; classtype:policy-violation; sid:5694; rev:4;)

Signature 4 - Skype client login - from client

tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"Skype client login - from client"; flags:AP,SUFR12; flow:to_server,established; dsize:5; content:"|16 03 01|"; depth:3; flowbits:set,skype.login; sid:1000009; rev:2;)

Signature 5 - P2P Skype client login startup

tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; metadata:policy security-ips drop; classtype:policy-violation; sid:5998; rev:4;)

Signature 6 - Skype client login - reply from server

tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"Skype client login - reply from server"; flags:AP,SUFR12; flow:to_client,established; dsize:5; content:"|17 03 01 00|"; depth:4; sid:1000010; rev:2; )

Signature 7 - Skype client manual login - TCP/33033

tcp $HOME_NET 1024: -> $EXTERNAL_NET 33033 (msg:"Skype client manual login - TCP/33033"; flow:to_server,established; flags:AP,SUFR12; content:"|17 03 01|"; depth:3; sid:1000400; rev:2; )

Signature 8 - P2P Skype client login

tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Skype client login"; flow:to_client,established; flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4; metadata:policy security-ips drop; classtype:policy-violation; sid:5999; rev:4;)

Signature 9 - Skype client login - from client

tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"Skype client login - from client"; flags:AP,SUFR12; flow:to_server,established; flowbits:set,skype_client_login,noalert; dsize:5; content:"|16 03 01|"; depth:3; sid:1000011; rev:2;)
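Two things go wrong in practice when these headerless signatures are copied into a UTM or into a local.rules file: typographic quotes from the web page break the rule parser, and a flowbits pair gets split so the isset rule can never fire (note that the page uses two different bit names, skype.login and skype_client_login). The script below is an added example, not code from the original page, from Snort or from any UTM vendor. It normalises web-pasted text, parses the option list, checks that every flowbits test has a setter, and prefixes an explicit action so the rules load in a plain Snort install. The embedded rule texts are copied from the signatures above; the choice of drop as the default action is an assumption for an inline deployment.

```python
"""Lint and convert headerless (UTM-style) Snort signatures: normalise web-pasted
quoting, parse the option list, check that every flowbits test has a setter, and
emit standalone rules with an explicit action for a plain Snort install."""
from typing import Dict, List, Optional, Tuple

# Constructed input: four of the page's signatures as they are pasted into a UTM
# "Signature" field (no action keyword; the Block/Log settings supply it).
UTM_RULES = [
    'tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"Skype client login - from client"; '
    'flags:AP,SUFR12; flow:to_server,established; flowbits:set,skype_client_login,noalert; '
    'dsize:5; content:"|16 03 01|"; depth:3; sid:1000011; rev:2;)',
    'tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"Skype client login - reply from server"; '
    'flags:AP,SUFR12; flow:to_client,established; flowbits:isset,skype_client_login; dsize:5; '
    'content:"|17 03 01|"; depth:3; sid:1000012; rev:2; )',
    'tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Skype client login startup"; '
    'flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; '
    'flowbits:set,skype.login; metadata:policy security-ips drop; '
    'classtype:policy-violation; sid:5998; rev:4;)',
    'tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Skype client login"; '
    'flow:to_client,established; flowbits:isset,skype.login; dsize:5; '
    'content:"|17 03 01 00|"; depth:4; metadata:policy security-ips drop; '
    'classtype:policy-violation; sid:5999; rev:4;)',
]

# Characters that browsers and word processors substitute for ASCII quotes/dashes.
TYPOGRAPHIC = {'\u201c': '"', '\u201d': '"', '\u2033': '"', '\u2014': '-', '\u2013': '-'}


def normalize(text: str) -> str:
    """Undo typographic quotes/dashes and join wrapped lines into one string.
    Runs of whitespace collapse to one space, so do not use this on rules whose
    content strings deliberately contain multiple consecutive spaces."""
    for bad, good in TYPOGRAPHIC.items():
        text = text.replace(bad, good)
    return ' '.join(text.split())


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the rule option body on ';' outside double quotes into (keyword, value)
    pairs; value is '' for a bare keyword. Escaped quotes inside content are not handled."""
    opts: List[Tuple[str, str]] = []
    cur: List[str] = []
    in_quote = False
    for ch in body + ';':  # trailing ';' flushes the last option
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            tok = ''.join(cur).strip()
            if tok:
                key, _, val = tok.partition(':')
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    return opts


def parse_rule(text: str) -> Dict:
    """Split 'proto src sport -> dst dport (options)' into header and option list."""
    header, _, rest = text.partition('(')
    body = rest.rstrip().rstrip(')')
    return {'header': header.strip(), 'options': split_options(body)}


def option(rule: Dict, key: str) -> List[str]:
    return [v for k, v in rule['options'] if k == key]


def sid(rule: Dict) -> int:
    return int(option(rule, 'sid')[0])


def flowbits(rule: Dict) -> List[Tuple[str, Optional[str]]]:
    """Return (operation, bit name) for each flowbits option; 'noalert' is a modifier."""
    out = []
    for v in option(rule, 'flowbits'):
        parts = [p.strip() for p in v.split(',')]
        name = parts[1] if len(parts) > 1 and parts[1] != 'noalert' else None
        out.append((parts[0], name))
    return out


def check_flowbits(rules: List[Dict]) -> List[str]:
    """Report bits that are tested but never set (dead rules) or set but never tested."""
    setters: Dict[str, List[int]] = {}
    checkers: Dict[str, List[int]] = {}
    for r in rules:
        for op, name in flowbits(r):
            if name and op in ('set', 'setx', 'toggle'):
                setters.setdefault(name, []).append(sid(r))
            elif name and op in ('isset', 'isnotset'):
                checkers.setdefault(name, []).append(sid(r))
    problems = []
    for name, sids in checkers.items():
        if name not in setters:
            problems.append(f"bit '{name}' is tested by sid {sids} but never set: those rules can never fire")
    for name, sids in setters.items():
        if name not in checkers:
            problems.append(f"bit '{name}' is set by sid {sids} but never tested")
    return problems


def to_standalone(rule: Dict, action: str = 'drop') -> str:
    """Prefix the action the UTM applies via Block/Log, giving a rule a plain Snort
    install can load from local.rules ('drop' assumes inline mode; use 'alert' otherwise)."""
    opts = '; '.join(f'{k}:{v}' if v else k for k, v in rule['options'])
    return f"{action} {rule['header']} ({opts};)"


if __name__ == '__main__':
    parsed = [parse_rule(normalize(r)) for r in UTM_RULES]
    for problem in check_flowbits(parsed):
        print('WARNING:', problem)
    for r in parsed:
        print(to_standalone(r))
```

Run it as-is and it prints four loadable drop rules with no warnings; delete signature 5 from the list and it warns that sid 5999 tests skype.login but nothing sets it, which is exactly the silent failure a partial copy of this page produces.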