
www.thin.kiev.ua - Blocking Skype with pfSense and Snort

Author: Administrator, 18.10.10 17:06 - Last updated 18.10.10 17:13

Blocking Skype with pfSense and Snort

We have installed pfSense as our network firewall. Make sure you have read its Licence. I will use version 1.0.1. If you want to find out more about pfSense features, please check this page on its site.

Suppose we have two interfaces on it, Wan and Lan, and the following rules from Lan to Wan:

Figure1: pfSense Firewall rules from Lan to Wan

As you can see, we have allowed all HTTP/HTTPS traffic.

Skype has the ability to take advantage of this and so it can “get out”. We want to block it (you might want to block other stuff, but to keep it simple we will talk only about Skype in this article). Please read these documents first in order to understand how Skype “works”: An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol, http://www1.cs.columbia.edu/~salman/skype/

From the last one we can find out how we can block Skype by its signature. For this we will use Snort. But first let’s install Snort on pfSense. We can find it in the “Packages” menu. See Figure2 and Figure3.

Figure2: Accessing pfSense's Packages


Figure3: pfSense's Packages List

Once installed, Snort will appear in the “Installed packages” menu:

Figure4: Installed packages

To configure Snort we need to access its menu from “Services”:

Figure5: Snort on “Services” Menu

Make sure you enter your Oinkmaster code in order to get the rule updates. As you can see in Figure6, we have an option to block hosts that generate a Snort alert. This sounds great and we will use it for blocking Skype, but you must carefully select which Snort rules are active so that false alerts do not block legitimate traffic.


Figure6: Block Offenders

Below are the “Categories” of rules we have. For this article I have only selected “p2p.rules”.


Figure7: Categories: “p2p.rules” checked

Why? Because, as you can see from Figure8, it contains some Skype rules. These rules are enabled.


Figure8: Skype rules

Which rules actually interest us? The rules with SID 5999 and SID 6001, for example, which are enabled. According to the document An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol, we are looking for the “0x17030100” signature, which is contained in the login server's reply to our client. See Figure9, which is a sample from a Wireshark trace representing a successful Skype login using TCP port 443.

Figure9: Wireshark Trace for the “0x17030100” signature

So we need a Snort rule for traffic coming from “$EXTERNAL_NET” to “$HOME_NET” which watches for traffic containing the “0x17030100” signature. Actually we don’t need to create anything: the rule already exists. There are two of them, the rules with SID 5999 and SID 6001. See Figure10 and Figure11.
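As an added illustration (not code from the article, and not the text of the Snort rule set), here is a small Python model of the content match the text describes: a server-to-client TCP segment coming from source port 443 whose payload begins with the bytes 17 03 01 00. The network prefix, IP addresses and segments are constructed, and the Snort rule in the comment is a hypothetical local rule written to express the same check, not the text of SID 5999 or SID 6001. The sample also shows why the article keeps warning about false alerts: those four bytes are exactly the header of a TLS 1.0 application-data record shorter than 256 bytes, so an ordinary HTTPS server reply can trigger the same match and the "block offenders" option would then cut off a legitimate server.

```python
from dataclasses import dataclass

# The 4-byte prefix the article identifies in the login server's reply.
SKYPE_LOGIN_SIGNATURE = bytes.fromhex("17030100")

# Constructed LAN prefix playing the role of Snort's $HOME_NET.
HOME_NET_PREFIX = "192.168.1."

# Hypothetical local rule in Snort syntax expressing the same check
# (sid in the local range; NOT the text of VRT SIDs 5999/6001):
#   alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Skype login server reply";
#       flow:to_client,established; content:"|17 03 01 00|"; depth:4;
#       sid:1000001; rev:1;)


@dataclass
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def skype_login_alert(seg: TcpSegment) -> bool:
    """True when the segment looks like the login-server reply the rules watch
    for: external -> home net, source port 443, payload starting 17 03 01 00."""
    if is_home(seg.src) or not is_home(seg.dst):
        return False          # wrong direction: rule is $EXTERNAL_NET -> $HOME_NET
    if seg.sport != 443:
        return False          # the trace in the article shows the login on TCP 443
    return seg.payload[:4] == SKYPE_LOGIN_SIGNATURE   # content match, depth 4


def offenders(segments):
    """Source addresses that fired the alert, i.e. what pfSense's
    'block offenders' option would add to the Blocked tab."""
    return [seg.src for seg in segments if skype_login_alert(seg)]


def sample_segments():
    """Constructed traffic: one Skype-style reply, one client-side segment with
    the same bytes, one benign TLS 1.0 record, one TLS 1.2 record."""
    login_server = "203.0.113.10"   # constructed: plays the Skype login server
    https_server = "203.0.113.20"   # constructed: an ordinary HTTPS site
    client = "192.168.1.50"         # constructed: LAN host running Skype
    return [
        # login-server reply: payload begins with the signature -> alert
        TcpSegment(login_server, 443, client, 51000,
                   bytes.fromhex("17030100") + b"\x1b" * 27),
        # client -> server with the same bytes: wrong direction -> no alert
        TcpSegment(client, 51000, login_server, 443,
                   bytes.fromhex("17030100") + b"\x00" * 4),
        # benign TLS 1.0 application-data record of length 0x20 -> false alert
        TcpSegment(https_server, 443, client, 51001,
                   bytes.fromhex("1703010020") + b"\xaa" * 32),
        # TLS 1.2 record: version bytes 03 03 differ -> no alert
        TcpSegment(https_server, 443, client, 51002,
                   bytes.fromhex("1703030020") + b"\xaa" * 32),
    ]


if __name__ == "__main__":
    for src in offenders(sample_segments()):
        print("would block:", src)
```

Running it lists both the constructed login server and the constructed HTTPS server, which is the false-alert case the article warns about: the signature match alone cannot distinguish the Skype reply from a short TLS 1.0 record, so a host-blocking policy built on it needs whitelisting or a narrower rule.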


Figure10: Skype rule SID 5999


Figure11: Skype rule SID 6001

You can search on the Snort site and list the available Snort rules. See Figure12.

Figure12: Skype Rules listed

The blocked host will appear in the “Blocked” tab and the alert generated by Snort in the “Alerts” tab. See Figure13 and Figure14.


Figure13: Blocked Tab

Figure14: Alerts Tab

Since by now we have installed Snort, have the rules in place (selected the “p2p” category and made sure the rules with SID 5999 and SID 6001 are enabled) and have chosen to block the hosts that generate Snort alerts, let’s try to connect with Skype. Prior to the installation of Snort, Skype was able to “get out”:


Figure15: Skype “Connected”

After we installed Snort and configured pfSense to block hosts which generate an alert, Skype cannot connect anymore:


Figure16: Skype cannot connect anymore

If we look into the “Alerts” tab we will see that two alerts were generated, by the rules with SID 5999 and SID 6001:


Figure17: Skype Alerts

The “Blocked” tab shows us that a host was blocked. As you can see, it is the login server to which Skype attempted to log in.

Figure18: Blocked Host

So it worked. It is very simple to block Skype with pfSense and Snort. You must take care which rules you enable, because some false alerts might be generated and so legitimate traffic might be blocked.
