Block Skype with Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Snort is used as the native IDS/IPS in several Unified Threat Management (UTM) security platforms including Astaro and Untangle. The following Snort rule signatures can be used to block Skype traffic at your network perimeter.

Note: When defining rules, the SID (Snort ID) must be copied into the Snort SID field and the full rule must be placed in the Signature field. The signature lines may wrap below, but each rule must be entered as a single string in the Signature field.

Example Snort IPS Rule:

Category: p2p
Signature: tcp $HOME_NET 1024: -> $EXTERNAL_NET 33033 (msg:"Skype client manual login - TCP/33033"; flow:to_server,established; flags:AP,SUFR12; content:"|17 03 01|"; depth:3; sid:1000400; rev:2;)
Name: Skype client manual login - TCP/33033
SID: 1000400
Block: Yes
Log: Yes
Description: Skype client manual login - TCP/33033

Current Skype filtering signatures (March 8th 2010)

Signature 1 - Skype VoIP Initialization

tcp $HOME_NET any -> any any (msg:"P2P CHAT Skype VoIP Initialization"; flow:to_server,established; content:"|8046010301002d0000001000000500000400000a0000090000640000620000080000030000060100800700c0030080060040020080040080|"; depth:112; classtype:policy-violation; sid:1000013; rev:1;)
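To see what the two signatures above actually match on, here is an added Python example (not code from the page or from the Snort project) that extracts the content pattern, depth and sid from each rule, applies Snort's content/depth semantics to constructed TCP payloads, and decodes the bytes of signature 1. Port, flow and TCP-flag options are deliberately not modelled; only the payload test is. The three sample payloads are constructed for this example: an SSLv2-compatible ClientHello built from signature 1's own bytes plus a 16-byte challenge, a TLS 1.0 application-data record, and a plain HTTP request.

```python
import re

# The two rules from the page, quote characters normalised to plain ASCII.
RULE_TLS_APPDATA = (
    'tcp $HOME_NET 1024: -> $EXTERNAL_NET 33033 '
    '(msg:"Skype client manual login - TCP/33033"; flow:to_server,established; '
    'flags:AP,SUFR12; content:"|17 03 01|"; depth:3; sid:1000400; rev:2;)'
)
RULE_SSLV2_HELLO = (
    'tcp $HOME_NET any -> any any (msg:"P2P CHAT Skype VoIP Initialization"; '
    'flow:to_server,established; content:"|8046010301002d0000001000000500000400000a'
    '0000090000640000620000080000030000060100800700c0030080060040020080040080|"; '
    'depth:112; classtype:policy-violation; sid:1000013; rev:1;)'
)

# Constructed sample payloads (not captured traffic).
SKYPE_HELLO = bytes.fromhex(
    '8046'      # SSLv2 record header: high bit set, record length 0x46 = 70
    '01'        # SSLv2 message type 1 = CLIENT-HELLO
    '0301'      # client version 3.1 (TLS 1.0)
    '002d'      # cipher-spec length 45 = 15 specs x 3 bytes
    '0000'      # session-id length 0
    '0010'      # challenge length 16
    '000005' '000004' '00000a' '000009' '000064' '000062' '000008' '000003'
    '000006' '010080' '0700c0' '030080' '060040' '020080' '040080'
) + bytes(range(16))          # 16-byte challenge, filler for this example
TLS_APPDATA = b'\x17\x03\x01\x00\x20' + bytes(range(32))   # TLS 1.0 application-data record
HTTP_GET = b'GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n'


def parse_rule(rule):
    """Extract sid, the binary |..| content pattern and depth from a Snort rule string."""
    sid = int(re.search(r'sid:\s*(\d+)', rule).group(1))
    content = re.search(r'content:\s*"([^"]*)"', rule).group(1)
    # Only binary content is handled; whitespace between the pipes is ignored, as Snort does.
    hexdigits = re.search(r'\|([0-9a-fA-F\s]+)\|', content).group(1)
    pattern = bytes.fromhex(''.join(hexdigits.split()))
    m = re.search(r'depth:\s*(\d+)', rule)
    return {'sid': sid, 'pattern': pattern, 'depth': int(m.group(1)) if m else None}


def content_matches(parsed, payload):
    """Snort content+depth semantics: the pattern must lie entirely inside the first `depth` payload bytes."""
    window = payload if parsed['depth'] is None else payload[:parsed['depth']]
    return parsed['pattern'] in window


RULES = [parse_rule(r) for r in (RULE_TLS_APPDATA, RULE_SSLV2_HELLO)]


def matching_sids(payload):
    """Return the SIDs whose payload test matches (ports, flow and flags are not modelled here)."""
    return [r['sid'] for r in RULES if content_matches(r, payload)]


def decode_sslv2_client_hello(payload):
    """Decode the SSLv2-compatible ClientHello header that signature 1 fingerprints.
    Returns None if the payload is not such a record."""
    if len(payload) < 11 or not payload[0] & 0x80 or payload[2] != 0x01:
        return None
    record_len = ((payload[0] & 0x7f) << 8) | payload[1]
    cipher_len = int.from_bytes(payload[5:7], 'big')
    session_len = int.from_bytes(payload[7:9], 'big')
    challenge_len = int.from_bytes(payload[9:11], 'big')
    specs = payload[11:11 + cipher_len]
    return {
        'record_len': record_len,
        'version': (payload[3], payload[4]),
        'cipher_count': cipher_len // 3,
        'session_id_len': session_len,
        'challenge_len': challenge_len,
        'ciphers': [specs[i:i + 3].hex() for i in range(0, len(specs), 3)],
    }


if __name__ == '__main__':
    for name, payload in (('SKYPE_HELLO', SKYPE_HELLO), ('TLS_APPDATA', TLS_APPDATA), ('HTTP_GET', HTTP_GET)):
        print(name, '->', matching_sids(payload))
    print(decode_sslv2_client_hello(SKYPE_HELLO))
```

Two things the decoded output makes visible. Signature 1 is a fingerprint of an SSLv2-compatible ClientHello carrying exactly this ordered list of fifteen cipher specs, so it is tight but will stop matching if the client's cipher list changes; its 56-byte pattern is shorter than `depth:112` (depth counts payload bytes, not hex digits), so the match still succeeds. Signature 2's `|17 03 01|` is just the header of any TLS 1.0 application-data record, which is why that rule leans on the destination port 33033 to avoid matching all TLS 1.0 traffic; expect false positives if anything else on your network talks TLS to that port.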