Interesting analysis, clearly it's not as simple as looking for a known dst 
port as this might be 80 or 443 but I don't think it would be impossible to 
block...
I guess it depends how much reverse engineering the IPS developer has conducted 
on Skype - there may be a limited number of login server IP Addresses to look 
out for (maybe they maintain a watch for new servers) or the login signature 
may be sufficiently unique for that to be blocked (i.e. challenge response 
sequence, size of packets, some elements of the payload). 
 
If the initial login can be blocked then Skype can't progress.
 
If the IPS misses the initial login then I guess it's a lot harder as the 
traffic will be encrypted and will go to a supernode (I assume there will be 
lots of supernodes out there). For a corporate network you can also scan 
company systems to identify the Skype process.
 
Not that I've blocked Skype - is there a particular reason you would want to 
block it (maybe I should be looking into it)?

 
