how to block skype on SRX

To test how SRX blocks skype logins I have done the followings test and it worked;

1) Create a test IDP policy named My_Policy

root@ankara# show idp-policy My_Policy
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks [ VOIP:SKYPE:LOGIN VOIP:SKYPE:PROBE-1 ];
            }
        }
        then {
            action {
                close-client;
            }
            ip-action {
                ip-block;
                target destination-address;
            }
            notification {
                log-attacks;
            }
        }
    }
}

One thing I have noticed is if you dont use ip-block as ip-action, idp triggers the close-client event but login is still successful.

2) Apply the policy as active

#set security idp idp-policy My_Policy

3) Use it in a security policy

#set security policies from-zone lan to-zone wan policy local-to-wan then permit application-services idp

4) Enable logging to see what is going on

#set system syslog file idp_log any any
#set system syslog file idp_log match RT_IDP

5) Commit the config and check policy compilation;

root@ankara> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/My_Policy.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:5426 Bytes

6) Once the compilation is completed, try to login to skype and watch the logs. You must see something similar like below;

root@ankara# run show log idp_log
Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, SIG Attack log <192.168.100.2/37731->212.187.172.78/443> for TCP protocol and service SERVICE_IDP application NONE by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=CLOSE_CLIENT, threat-severity=INFO, name=VOIP:SKYPE:LOGIN, NAT <172.30.73.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -
Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, TRAFFIC Attack log <192.168.100.2/37731->212.187.172.78/443> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=TRAFFIC_IPACTION_DROP, threat-severity=INFO, name=_, NAT <172.30.73.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -

7) You can also see which IP addresses are blocked;

root@ankara> show security flow ip-action
Src-Addr Src-Port Dst-Addr Dst-Port/Proto Timeout(sec) Zone Action
* * 212.8.166.35 */* never * drop
* * 213.166.51.4 */* never * drop
* * 212.187.172.78 */* never * drop

Below is my system details if you want to compare;

root@ankara> show version
Hostname: ankara
Model: srx100h
JUNOS Software Release [10.4R7.5]

root@ankara> show security idp security-package-version
Attack database version:2053(Tue Dec 27 14:15:02 2011)
Detector version :11.6.160110920
Policy template version :2053

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


4 thoughts on “how to block skype on SRX”

  1. Sir,
    I still cannot block Skype. It is only possible to detect version check attack.
    Attack name #Hits
    VOIP:SKYPE:VERSION-CHECK 1
    Can you help me with this problem?
    Thank you sir!

  2. Good Sir,
    Predefined attacks VOIP:SKYPE:LOGIN VOIP:SKYPE:PROBE-1 cannot detect my Skype login. Could you help me with this issue?

    Thank you in advance!

  3. Yes. When I type “run show security idp attack table”, in the table there is only VOIP:SKYPE:PROBE-1 matched.
    # run show security idp attack table
    IDP attack statistics:

    Attack name #Hits
    VOIP:SKYPE:PROBE-1 1
    Here is the part of configuration:

    rule BLOCK-SKYPE {
    match {
    from-zone PCs;
    to-zone INTERNET;
    application default;
    attacks {
    predefined-attacks [ VOIP:SKYPE:CONNECTION VOIP:SKYPE:INSTALL VOIP:SKYPE:LOGIN VOIP:SKYPE:PROBE-1 VOIP:SKYPE:VERSION-CHECK ];
    }
    }
    then {
    action {
    close-client;
    }
    ip-action {
    ip-block;
    target destination-address;
    }
    }
    }

    There is one IP address blocked, but Skype works quite fine.
    # run show security flow ip-action
    Src-Addr Src-Port Dst-Addr Dst-Port/Proto Timeout(sec) Zone Action
    * * 149.5.45.166 */* never * drop

    Thank you.

    P.S.
    Your blog is great. We have found many useful things reading it.

Leave a Reply to Sir CastersCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading