Using Snort: how to block specific traffic, not a host



  • Hi to all,

    I'm using pfsense and snort to block skype on our company network, this is working great: every host that attempts to use skype is blocked.
    But actually, we need to not block all traffic from this host, we want to keep the ability to use internet and just block skype traffic.
    Is it possible with snort?

    Thanx



  • @sadoki:

    Hi to all,

    I'm using pfsense and snort to block skype on our company network, this is working great: every host that attempts to use skype is blocked.
    But actually, we need to not block all traffic from this host, we want to keep the ability to use internet and just block skype traffic.
    Is it possible with snort?

    Thanx

    I have the same question. Please could someone answer this?



  • OK, I found that if you use Snort on the WAN interface, then on login the Skype login server is blocked.

    Rule 5999	tcp	$EXTERNAL_NET	any	$HOME_NET	any 	 P2P Skype client login
    

    This rule adds the destination IP to the blocked list for next time. The same goes for 5998.

    5693	tcp	$HOME_NET	any	$EXTERNAL_NET	$HTTP_PORTS 	 P2P Skype client start up get latest version attempt
    

    This one is not blocking the IP address. There are 10 alerts for this rule, but nothing is added to the blocked list. Why is that so?

    Tnx
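
An added diagnostic example (not part of the original post, and not code from pfSense or Snort) for the question above about rule 5693 alerting without a block: it groups Snort fast-format alert lines by SID and reports which SIDs never had either endpoint land in the blocked list. The log lines, IP addresses, rule revisions and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Snort "fast" alert layout: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (documentation address ranges, made-up revisions).
SAMPLE_ALERTS = [
    "01/15-09:12:01.123456  [**] [1:5999:1] P2P Skype client login [**] "
    "[Priority: 1] {TCP} 203.0.113.10:33033 -> 10.0.0.25:51234",
    "01/15-09:12:05.000001  [**] [1:5693:1] P2P Skype client start up get latest "
    "version attempt [**] [Priority: 1] {TCP} 10.0.0.25:51240 -> 198.51.100.7:80",
    "01/15-09:13:05.000002  [**] [1:5693:1] P2P Skype client start up get latest "
    "version attempt [**] [Priority: 1] {TCP} 10.0.0.25:51241 -> 198.51.100.7:80",
    "unrelated line that is not an alert",
]
SAMPLE_BLOCKED = ["203.0.113.10"]  # constructed copy of the blocked list


def parse_alerts(lines):
    """Yield (sid, msg, src, dst) for every line in fast alert format."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield int(m["sid"]), m["msg"], ip_address(m["src"]), ip_address(m["dst"])


def block_report(alert_lines, blocked_ips):
    """Per SID: alert count and the alert endpoints present in the blocked list."""
    blocked = {ip_address(ip.strip()) for ip in blocked_ips if ip.strip()}
    report = defaultdict(lambda: {"msg": "", "alerts": 0, "blocked": set()})
    for sid, msg, src, dst in parse_alerts(alert_lines):
        entry = report[sid]
        entry["msg"] = msg
        entry["alerts"] += 1
        entry["blocked"] |= {src, dst} & blocked
    return dict(report)


def sids_alerting_without_block(report):
    """SIDs that fired but never produced a blocked-list entry."""
    return sorted(sid for sid, e in report.items() if not e["blocked"])


if __name__ == "__main__":
    for sid, e in sorted(block_report(SAMPLE_ALERTS, SAMPLE_BLOCKED).items()):
        print(sid, e["alerts"], sorted(map(str, e["blocked"])), e["msg"])
```

An address in the blocked list may have been put there by a different SID that saw the same endpoint, so treat a match as a starting point for checking the rule rather than proof that the rule caused the block.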



  • Has anyone ever blocked Skype with pfSense?



  • @artifact:

    Has anyone ever blocked Skype with pfSense?

    I have been trying to get pfsense 1.2.3 and snort package to block skype for the last 3 days without success.

    Also I have noticed that pfsense doesn't completely block MSN and Yahoo messengers.



  • @sadoki:

    Hi to all,

    I'm using pfsense and snort to block skype on our company network, this is working great: every host that attempts to use skype is blocked.
    But actually, we need to not block all traffic from this host, we want to keep the ability to use internet and just block skype traffic.
    Is it possible with snort?

    Thanx

    You need to write a snort rule that blocks known content of skype or adjust the rule for your company network.

    James



  • @jamesdean:

    @sadoki:

    Hi to all,

    I'm using pfsense and snort to block skype on our company network, this is working great: every host that attempts to use skype is blocked.
    But actually, we need to not block all traffic from this host, we want to keep the ability to use internet and just block skype traffic.
    Is it possible with snort?

    Thanx

    You need to write a snort rule that blocks known content of skype or adjust the rule for your company network.

    James

    As far as I noticed it's not possible to create your own rules, or am I missing something?

    I reinstalled everything and noticed that some IP addresses get blocked once skype starts up, so I am assuming that the detection works. However skype gets connected either way.

