
www.thin.kiev.ua - Blocking Skype with pfSense and Snort

Administrator, 18.10.10 17:06 - 18.10.10 17:13

Blocking Skype with pfSense and Snort

We have installed pfSense (http://www.pfsense.com/) as our network firewall. Make sure you have read its licence (http://www.pfsense.com/index.php?id=20). I will use version 1.0.1. If you want to find out more about pfSense's features, please check this page on its site: http://www.pfsense.com/index.php?id=26

Suppose it has two interfaces, Wan and Lan, and the following rules from Lan to Wan:

Figure1: pfSense Firewall rules from Lan to Wan

As you can see, we have allowed all HTTP/HTTPS traffic. Skype (http://www.skype.com/) takes advantage of this and so it can get out. We want to block it (you might want to block other things as well, but to keep it simple we will talk only about Skype in this article). Please read these documents first in order to understand how Skype works:

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol: http://www1.cs.columbia.edu/~salman/publications/skype1_4.pdf
http://www1.cs.columbia.edu/~salman/skype/

From the paper we can find out how to block Skype by its signature. For this we will use Snort (http://www.snort.org/). But first let's install Snort on pfSense. We can find it in the Packages menu. See Figure2 and Figure3.

Figure2: Accessing pfSense's Packages

Figure3: pfSense's Packages List

Once installed, Snort will appear in the Installed packages menu:

Figure4: Installed packages

To configure Snort we need to access its menu from Services:

Figure5: Snort on Services Menu

Make sure you enter your Oinkmaster code in order to get rule updates. As you can see in Figure6, we have an option to block hosts that generate a Snort alert. This sounds great and we will use it for blocking Skype, but you must carefully select which Snort rules are active, so that false alerts do not block legitimate traffic.

Figure6: Block Offenders

Below are the categories of rules we have. For this article I have only selected p2p.rules.

Figure7: Categories: p2p.rules checked

Why? Because, as you can see from Figure8, it contains some Skype rules. These rules are enabled.

Figure8: Skype rules

Which rules actually interest us? The rules with SID 5999 and SID 6001, for example, which are enabled. According to the document An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol (http://www1.cs.columbia.edu/~salman/publications/skype1_4.pdf), we are looking for the 0x17030100 signature, which is contained in the login server's reply to our client. See Figure9, which is a sample from a Wireshark (http://www.wireshark.org/) trace of a successful Skype login using TCP port 443.

Figure9: Wireshark Trace for 0x17030100 signature

So we need a Snort rule for traffic coming from $EXTERNAL_NET to $HOME_NET which watches for traffic containing the 0x17030100 signature. Actually we don't need to create anything: the rule already exists. There are two, the rules with SID 5999 and SID 6001. See Figure10 and Figure11.

One thing to keep in mind about this signature: the bytes 17 03 01 00 are also the start of an ordinary TLS 1.0 application-data record header (content type 0x17, version 3.1, record length below 256 bytes), so a rule that only looks for these four bytes can fire on legitimate HTTPS traffic as well. That is one more reason to enable the block option only for a small, reviewed set of rules.
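As an added example (not code from the article, from pfSense, or the text of the Snort rules SID 5999 and 6001, which the page shows only as screenshots), here is a small Python emulation of the signature match described above. The LAN range, the login server and HTTPS server addresses, and all payloads are constructed for the demonstration. It returns the address that would be alerted on, and so blocked, and contrasts a bare four-byte match, which also fires on a short TLS 1.0 application-data record, with one that inspects only the first server-to-client segment of each flow.

```python
"""Added example for this article (not code from thin.kiev.ua, from pfSense,
or the text of Snort rules SID 5999/6001): a small emulation of a Snort-style
content match for the 0x17030100 signature, run over constructed TCP segments.
Addresses, ports and payloads are made up for the demonstration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Signature the article associates with the login server's reply. The same
# four bytes are also a TLS 1.0 application-data record header (content type
# 0x17, version 3.1) whose record length is below 256 bytes.
SKYPE_LOGIN_SIGNATURE = bytes.fromhex("17030100")

# Assumed LAN behind pfSense; plays the role of Snort's $HOME_NET.
HOME_NET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Segment:
    """One TCP segment: endpoints and payload bytes."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_to_client(seg: Segment) -> bool:
    """Snort's flow:to_client, simplified: external source, LAN destination."""
    return ip_address(seg.dst) in HOME_NET and ip_address(seg.src) not in HOME_NET


def naive_alerts(segments):
    """Illustrative equivalent (not the VRT rule text) of a rule such as
    alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (flow:to_client; content:"|17 03 01 00|"; depth:4;)
    applied to every server->client payload. Returns the source addresses that
    would be alerted on, i.e. the hosts pfSense's block-offenders option would block."""
    return [s.src for s in segments
            if is_to_client(s) and s.sport == 443
            and s.payload[:4] == SKYPE_LOGIN_SIGNATURE]


def flow_aware_alerts(segments):
    """Same match, but only on the first server->client payload of each flow.
    A real TLS server's first record is a handshake (type 0x16, ServerHello),
    never application data, so a server whose very first bytes are 17 03 01 00
    is not speaking TLS even though it borrows the header layout; later
    application-data records of a genuine TLS session are never inspected."""
    seen = set()
    hits = []
    for s in segments:
        if not is_to_client(s) or s.sport != 443 or not s.payload:
            continue
        flow = (s.src, s.sport, s.dst, s.dport)
        if flow in seen:
            continue  # not the first server->client segment of this flow
        seen.add(flow)
        if s.payload[:4] == SKYPE_LOGIN_SIGNATURE:
            hits.append(s.src)
    return hits


def tls_record(content_type: int, version: bytes, body: bytes) -> bytes:
    """Builds a TLS record: content type (1 byte), version (2), length (2), body."""
    return bytes([content_type]) + version + len(body).to_bytes(2, "big") + body


TLS10 = b"\x03\x01"
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT = "192.168.1.10"
SKYPE_LOGIN = "203.0.113.7"     # hypothetical login server address
HTTPS_SERVER = "198.51.100.20"  # hypothetical ordinary HTTPS server

# Constructed traffic: a Skype login on TCP 443 and an ordinary TLS 1.0 session.
SAMPLE = [
    # Client's login request; its contents do not matter for this check.
    Segment(CLIENT, 50000, SKYPE_LOGIN, 443, b"\x00" * 24),
    # Login server reply: the signature, followed by opaque data.
    Segment(SKYPE_LOGIN, 443, CLIENT, 50000, SKYPE_LOGIN_SIGNATURE + b"\x00" * 48),
    # Ordinary HTTPS: ClientHello, ServerHello, then a short application-data record.
    Segment(CLIENT, 50001, HTTPS_SERVER, 443, tls_record(HANDSHAKE, TLS10, b"\x01" + b"\x00" * 40)),
    Segment(HTTPS_SERVER, 443, CLIENT, 50001, tls_record(HANDSHAKE, TLS10, b"\x02" + b"\x00" * 70)),
    Segment(CLIENT, 50001, HTTPS_SERVER, 443, tls_record(APPLICATION_DATA, TLS10, b"\x00" * 64)),
    Segment(HTTPS_SERVER, 443, CLIENT, 50001, tls_record(APPLICATION_DATA, TLS10, b"\x00" * 60)),
]

if __name__ == "__main__":
    print("four-byte match would block:", naive_alerts(SAMPLE))
    print("first-segment match would block:", flow_aware_alerts(SAMPLE))
```

The first function lists both servers; the second lists only the login server. This is why the article's warning about choosing rules carefully matters: with the block option enabled, a match on a legitimate HTTPS server's application-data record would block that server for every host on the LAN.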

Figure10: Skype rule SID 5999

Figure11: Skype rule SID 6001

You can also search the Snort site and list the available Skype rules (http://www.snort.org/pub-bin/sigs-search.cgi?sid=skype). See Figure12.

Figure12: Skype Rules listed

The blocked host will appear in the Blocked tab, and the alert generated by Snort in the Alerts tab. See Figure13 and Figure14.

Figure13: Blocked Tab

Figure14: Alerts Tab

Now that we have installed Snort, have the rules in place (selected the p2p category and made sure the rules with SID 5999 and SID 6001 are enabled) and have chosen to block the hosts that generate Snort alerts, let's try to connect with Skype. Prior to the installation of Snort, Skype was able to get out:

Figure15: Skype Connected

After we installed Snort and configured pfSense to block hosts which generate an alert, Skype cannot connect anymore:

Figure16: Skype cannot connect anymore

If we look into the Alerts tab we will see that two alerts were generated, by the rules with SID 5999 and SID 6001:

Figure17: Skype Alerts

The Blocked tab shows us that a host was blocked. As you can see, it is the login server to which Skype attempted to log in. Note that what gets blocked is the address that triggered the alert, the remote login server, not the LAN client; if Skype tries another login server, that address is blocked only after it too has triggered an alert.

Figure18: Blocked Host

So it worked. It is very simple to block Skype with pfSense and Snort. You must take care which rules you enable, because some false alerts might be generated and so legitimate traffic might be blocked.