
Skype: remove old detection logic #1954

Merged
merged 1 commit into from
Feb 12, 2024

Conversation

IvanNardi
Collaborator

@IvanNardi IvanNardi commented Apr 24, 2023

Skype has been using standard protocols (STUN/ICE or TLS) for a long, long time, now. Long gone are the days of Skype as a distributed protocol.

See: #2166

@sonarcloud

sonarcloud bot commented Apr 24, 2023

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
0.0% Duplication

@utoni
Collaborator

utoni commented Apr 25, 2023

Skype has been using standard protocols (STUN/ICE or TLS) for a long, long time, now. Long gone are the days of Skype as a distributed protocol.

Is there any information available that supports your thesis? I am not familiar with Skype/Teams, but I am using those on a daily basis and would be very sad if nDPId does not classify those flows anymore.

@@ -43,7 +43,7 @@ JA3 Host Stats:
1 192.168.1.117 4


1 UDP 192.168.1.117:58327 <-> 109.94.160.99:8801 [proto: 189/Zoom][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 1][cat: Video/26][10 pkts/7806 bytes <-> 175 pkts/184434 bytes][Goodput ratio: 95/96][1.44 sec][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 14/8 32/35 11/5][Pkt Len c2s/s2c min/avg/max/stddev: 55/60 781/1054 1071/1071 444/129][PLAIN TEXT (replace)][Plen Bins: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,97,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
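Review bot: the new expected-output line tags the same Zoom flow both as `[Encrypted]` and as `[PLAIN TEXT (replace)]`, which is contradictory; before this test expectation is committed, the flow-risk flag produced for the Zoom classification should be checked, so that the inconsistent output is not baked into the regression test.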
Member

I don't think Zoom is cleartext

Collaborator Author

@IvanNardi IvanNardi Apr 26, 2023

It is not. Somehow, while "Zoom" is correctly associated with "Encrypted", "RTP.Zoom" is associated with "ClearText", which seems wrong to me. Probably an unrelated bug; I'll try to fix it in a new version of this PR.

Collaborator Author

@lucaderi, what do you think of #1955?

u_int16_t sport = ntohs(packet->udp->source);
u_int16_t dport = ntohs(packet->udp->dest);

/* skype-to-skype */
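Review bot: the `sport`/`dport` values read here feed the skype-to-skype heuristic that follows the `/* skype-to-skype */` marker and is being removed; the PR should point to the updated expected-output files for the pcaps that used to hit this path, so reviewers can confirm those flows now classify as STUN/TLS rather than falling back to Unknown, and if nothing else in the function reads `sport`/`dport` after the removal, those two locals should be dropped as well.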
Member

Is the skype-to-skype protocol still recognized without this code? Did you check that?

Collaborator Author

If by "skype-to-skype" you mean an interaction between "Skype-app" or "Skype-from-a-browser" to/from "Skype-app" or "Skype-from-a-browser", yes, I checked that. Always standard STUN or TLS stuff.

@IvanNardi
Collaborator Author

Skype has been using standard protocols (STUN/ICE or TLS) for a long, long time, now. Long gone are the days of Skype as a distributed protocol.

Is there any information available that supports your thesis? I am not familiar with Skype/Teams, but I am using those on a daily basis and would be very sad if nDPId does not classify those flows anymore.

I check Skype traffic regularly on some common environments (win/android/linux with app or via browser) and I have seen only STUN/TLS for a few years.
However, I am not able to find any public statement/information about that.

Anyway, we can keep this code around a little longer; no specific harm in that.
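What "only STUN/TLS" means at the packet level, as an added example that is not nDPI's code: the generic STUN header check (RFC 5389 magic cookie) and TLS ClientHello record check that a DPI engine applies to any flow, so a Skype-specific heuristic adds nothing for flows that already match them. The packet bytes are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUN_MAGIC_COOKIE 0x2112A442u

/* RFC 5389 STUN header: 2-byte type (top two bits zero), 2-byte body length
 * (multiple of 4), 4-byte magic cookie, 12-byte transaction id. */
int looks_like_stun(const uint8_t *p, size_t len) {
    if (len < 20) return 0;
    if (p[0] & 0xC0) return 0;                      /* not a STUN message type */
    uint16_t msg_len = (uint16_t)((p[2] << 8) | p[3]);
    if (msg_len % 4 != 0 || (size_t)msg_len + 20 != len) return 0;
    uint32_t cookie = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) |
                      ((uint32_t)p[6] << 8) | p[7];
    return cookie == STUN_MAGIC_COOKIE;
}

/* TLS record header: content type 0x16 (handshake), version 0x03 0x01..0x03,
 * 2-byte record length, then a handshake message of type 0x01 (ClientHello). */
int looks_like_tls_client_hello(const uint8_t *p, size_t len) {
    if (len < 6) return 0;
    if (p[0] != 0x16 || p[1] != 0x03 || p[2] < 0x01 || p[2] > 0x03) return 0;
    uint16_t rec_len = (uint16_t)((p[3] << 8) | p[4]);
    if (rec_len == 0 || (size_t)rec_len + 5 > len) return 0;   /* truncated record */
    return p[5] == 0x01;
}

/* Constructed samples (not real captures). */
static const uint8_t stun_binding_request[20] = {
    0x00, 0x01, 0x00, 0x00,                 /* Binding Request, body length 0 */
    0x21, 0x12, 0xA4, 0x42,                 /* magic cookie */
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 }; /* transaction id */
static const uint8_t tls_hello_prefix[11] = {
    0x16, 0x03, 0x01, 0x00, 0x06,           /* handshake record, 6 bytes follow */
    0x01, 0x00, 0x00, 0x02, 0x03, 0x03 };   /* ClientHello, length 2, TLS 1.2 */

/* Order matters: the STUN check is stricter (exact length) and runs first. */
const char *classify(const uint8_t *p, size_t len) {
    if (looks_like_stun(p, len)) return "STUN";
    if (looks_like_tls_client_hello(p, len)) return "TLS";
    return "Unknown";
}

int main(void) {
    printf("%s\n", classify(stun_binding_request, sizeof stun_binding_request));
    printf("%s\n", classify(tls_hello_prefix, sizeof tls_hello_prefix));
    return 0;
}
```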

@0xA50C1A1
Contributor

Will there be any updates on this PR? If you need more pcap samples to confirm that Skype is only using TLS and STUN these days, I can capture some.

@utoni
Collaborator

utoni commented Feb 12, 2024

Is the old detection logic not used anymore (for sure)?
Are there any new PCAPs that support your statement?

@0xA50C1A1
Contributor

0xA50C1A1 commented Feb 12, 2024

Is the old detection logic not used anymore (for sure)? Are there any new PCAPs that support your statement?

Yeah, here's Skype for Android traffic (login and test call).
Skype_for_Android.zip

I'd also capture Skype for iOS traffic as well, but I dunno how to do it.

@utoni
Collaborator

utoni commented Feb 12, 2024

What about Skype for desktops?

@IvanNardi
Collaborator Author

IvanNardi commented Feb 12, 2024

I tested win11 (both via browser and via app) and ubuntu (browser) to/from android/landline: standard STUN stuff.
I didn't check any Apple device/OS, though.

Examples:
skype_win11_app_8.96.0.409_call_to_lte.zip

@0xA50C1A1
Contributor

What about Skype for desktops?

Here's a Skype for Linux pcap sample:

skype_for_linux.zip

Collaborator

@utoni utoni left a comment

Ty for all the information @0xA50C1A1 and @IvanNardi!

Skype has been using standard protocols (STUN/ICE or TLS) for a long,
long time, now. Long gone are the days of Skype as a distributed
protocol.

See: ntop#2166

sonarcloud bot commented Feb 12, 2024

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@IvanNardi
Collaborator Author

Thanks everyone!

@IvanNardi IvanNardi merged commit ae36648 into ntop:dev Feb 12, 2024
33 checks passed
@IvanNardi IvanNardi deleted the skype-old branch February 12, 2024 17:39