|Blocking Skype with pfSense and Snort|
We have installed pfSense as our network firewall. Make sure you have read its licence. I will use version 1.0.1.
Suppose it has two interfaces: WAN and LAN.
Skype has the ability to take advantage of this and so it can “get out”.
From the last one we can find out how we can block Skype by its signature. For this we will use Snort.
For configuring Snort we need to access its menu from “Services”:
Make sure you enter your Oinkmaster code so that you get the rule updates. As you can see in Figure 6, there is an option to block hosts that generate a Snort alert. This sounds great and we will use it for blocking Skype, but you must carefully select which Snort rules are active so that false alerts do not block legitimate traffic.
Below are the “Categories” of rules we have. For this article I have only selected “p2p.rules”.
Which rules actually interest us?
So we need a Snort rule for traffic coming from “$EXTERNAL_NET” to “$HOME_NET” that watches for payloads containing the “0x17030100” signature.
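The match described above, combined with the block-on-alert option, modelled in Python as an added example (not from the original article, and not the text of the Snort rules themselves). The LAN range, the addresses and all payloads are constructed, and the `depth` parameter is a hypothetical setting of this model.

```python
import ipaddress

# Assumed for this model (not from the article): LAN range; all packets are constructed.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
SIGNATURE = bytes.fromhex("17030100")  # the 0x17030100 signature named in the article


def is_inbound(src, dst):
    """True when a packet travels from outside HOME_NET to a host inside it."""
    return (ipaddress.ip_address(src) not in HOME_NET
            and ipaddress.ip_address(dst) in HOME_NET)


def alerts(src, dst, payload, depth=None):
    """Direction check plus byte match; depth limits the search to the first N bytes."""
    window = payload if depth is None else payload[:depth]
    return is_inbound(src, dst) and SIGNATURE in window


def blocked_hosts(packets, depth=None):
    """External sources that block-on-alert would block, in order of first alert."""
    blocked = []
    for src, dst, payload in packets:
        if alerts(src, dst, payload, depth) and src not in blocked:
            blocked.append(src)
    return blocked


# Constructed packets: (source, destination, TCP payload)
PACKETS = [
    # Signature at the start of an inbound payload: the case the rule is meant for.
    ("198.51.100.10", "192.168.1.20", SIGNATURE + b"\x2a"),
    # Same bytes leaving the LAN: wrong direction, no alert.
    ("192.168.1.20", "198.51.100.10", SIGNATURE + b"\x2a"),
    # 17 03 01 is also the header of a TLS 1.0 application-data record, so a
    # short record (length 0x0020) from an ordinary HTTPS server matches as well.
    ("203.0.113.5", "192.168.1.30", bytes.fromhex("1703010020") + bytes(32)),
    # The four bytes buried inside unrelated data match only without a depth limit.
    ("203.0.113.7", "192.168.1.30", b"\x00" * 16 + SIGNATURE),
    # Inbound payload without the signature.
    ("203.0.113.9", "192.168.1.30", bytes.fromhex("160301004a")),
]

if __name__ == "__main__":
    print("anywhere in payload:", blocked_hosts(PACKETS))
    print("first 4 bytes only: ", blocked_hosts(PACKETS, depth=4))
```

Both runs block the constructed HTTPS server at 203.0.113.5, which is the kind of false alert that makes careful rule selection necessary when alerts trigger blocks.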
You can search the Snort site to list the available Snort rules. See Figure 12.
The blocked host will appear in the “Blocked” tab and the alert generated by Snort in the “Alerts” tab (Figure 13 and Figure 14).
Now that we have installed Snort, have the rules in place (selected the “p2p” category and made sure the rules with SID 5999 and SID 5999 are enabled) and have chosen to block the hosts that generate Snort alerts, let’s try to connect with Skype.
After we installed Snort and configured pfSense to block hosts that generate an alert, Skype cannot connect anymore:
If we look into the “Alerts” tab we will see that two alerts were generated by the rules with SID 5999 and SID 6001:
The “Blocked” tab shows us that a host was blocked. As you can see, it is the login server to which Skype attempted to log in.
So it worked.
|Last updated 18.10.10 17:13|