Blink Beta 3.1 Feedback

Re: HTTP : Suspicious HTTP method from Skype

fairfax — Tue, 04 Sep 2007 14:54:01 GMT

Yeah, that started to happen to me as well as soon as I downloaded the newest version of Skype. It never happened before.

Best,

Art

Re: HTTP : Suspicious HTTP method from Skype

lnicula — Mon, 13 Aug 2007 02:13:15 GMT

This is caused by Skype using a proprietary protocol on a well known port such as 80 (HTTP). Blink tries to interpret it as HTTP and guess what, it will find many things that don't seem right.

It is possible to whitelist applications altogether for the IPS engine (they are still protected by other layers) so if you still have this problem, let me know and I will send you instructions on how to do it.

Re: HTTP : Suspicious HTTP method from Skype

Blue1978 — Sun, 12 Aug 2007 15:59:54 GMT

GameFanatic:
I have already Kevlar'ed Skype.exe but still get these in the log.

Have you tried excluding the entire Program Files group for Skype, not just the .exe?

It almost looks as though Blink thinks that there is an Buffer Overflow trying to take place, or "invalid" data input in Skype. I think this when I see the phrase "A client tried to send a request with a method that has a suspicious size"

GameFanatic:
Method Size : 42-143

I have never used Skype before, but are there any settings in it that control how large voice data packets are allowed to be in it? Maybe compare the defaults with the # above and then that would tell you if the allotted amount was exceeded etc. Just an idea that came to mind.

HTTP : Suspicious HTTP method from Skype

GameFanatic — Wed, 20 Jun 2007 10:30:44 GMT

Getting lots of these in the logs. Are they bad? What can I do to stop these if not?

Event ID: BLINK-BAM-5002

Severity: High

Description: A client tried to send a request with a method that has a suspicious size

Method: êÅØ`û¯Ù¤àv\¢÷0šäøëÜûd™&TÚ8YVÚ˜2`Øûà_,”ÿká.l/1Jnx¼óìë°ì

2: Ò xm÷rÎ›{áÐhÎ²°ËvRÿ”*®|Nf°–ø÷«óïvu,XÔcPß6ªÉl´ÞËvp´v„eºR~A{›ÑìœäŸ&…–¸€Í7T¢8~.š3’ë[®)»¶gcùÉD/4Ó(yÖàœ8k‹7i×ûG±øñÌ Hf1;¯š«O>^ý‡µmÖ|bRJ·

3: ËXÀ|a+°®¿ÜÓÝ¡•ƒÉ·Èræ<MÖU˜±˜‡yÉãÁ®ß³ó¼OV±¬‚šÎHƒÃÝ“ê¤%d“®ç®gðSmC{Ô#YÚòRë.ãëôdi g!i¸.\æ°r»uµžÊ)Ðá–E«j±ÓRÞù´+\:§åœ

4: 8ŸÆÉBj”¢Ëv€v®ÐóÐGì·P l…c6B…‘Uß"wœ«8p´

Process Path: C:\Program Files\Skype\Phone\Skype.exe

Attacker IP: 124.254.82.116, 89.149.56.37, 203.84.186.45, 202.84.110.172

Action: Logged event

Victim IP: 192.168.xxx.xxx

Alert: No

Protocol: TCP

Attacker Port 22925, 16097, 1808, 1289, 1521, 22925

Method Size : 42-143

Victim Port 58223

I have already Kevlar'ed Skype.exe but still get these in the log.