Instant Messenging monitoring

5creedus — Sun, 10 Mar 2019 09:36:46 GMT

Looking to montior IM sessions using IDS. Due to the nature of IM and the many ports it can use, is there another method (string match etc) that can be used to monitor this activity? The use of customer signature(s) is ok.

Re: Instant Messenging monitoring

scothrel — Mon, 29 Aug 2005 17:46:01 GMT

look at the IPS signatures in the 112xx range.

Re: Instant Messenging monitoring

a.arndt — Mon, 29 Aug 2005 18:24:25 GMT

There is a long list of signatures that will probably do what you're looking for. They are as follows (as of S187):

11200 - Yahoo Messenger Activity

11201 - MSN Messenger Activity

11202 - AIM / ICQ Messenger Activity

11203 - IRC Channel Join

11204 - Jabber Activity

11205 - Sametime Activity

11206 - ICQ Client DNS Request

11207 - AIM Client DNS request

11208 - Yahoo Messenger Client DNS Request

11209 - MSN Messenger Client DNS Request

11210 - AIM / ICQ Through HTTP Proxy

11211 - MSN Messenger Through HTTP Proxy

11212 - Yahoo Messenger Through HTTP Proxy

11213 - AOL IM Login

11214 - AIM/ICQ Message Send

11215 - AIM/ICQ Message Receive

11216 - AOL IM Chat - User Join

11217 - Yahoo Messenger Logon

11218 - Yahoo Messenger Send Message

11219 - Yahoo Messenger Receive Message

11221 - Yahoo Messenger Chat Invitation Activity

11222 - MSN Login

11223 - MSN Message Sent

11224 - MSN Message Received

11225 - MSN Chat Invitation Sent

11226 - MSN Chat Invitation Received

11227 - MSN Chat Invitation Accepted

11228 - MSN Chat Joined

11229 - AOL IM Chat - User Leave

11230 - AOL IM Chat - Incoming Message

11231 - AOL IM Chat - Outgoing Message

11232 - AOL IM Chat - Create room

11233 - SSH Over Non-standard Ports

11234 - Jabber Logon

11235 - MSN File Transfer Proposal Sent

11236 - MSN File Transfer Proposal Received

11237 - Jabber Chatroom Activity

11238 - MSNFTP File Transfer

11239 - ICQ Chat Invitation Sent

11240 - ICQ Chat Invitation Received

11241 - ICQ Specific Request

11242 - ICQ File Transfer

11244 - MSN P2P File Transfer

11245 - IRC Server Connection

11246 - AIM File Transfer Request

11247 - AIM File Transfer

11248 - Gadu-Gadu Login

11249 - Gadu-Gadu IM Message Sent

11250 - Gadu-Gadu IM Message Received

11251 - Skype Client Activity

According to the config on one of my production sensors, none of these signatures, with the exception of 11245 (subsig 0 and 1), are enabled by default. Therefore, in order to take advantage of them, you will have to use your favourite method (IDM, VMS, etc.) to enable them. Also, since they are "informational" only, you may have to reconfigure your monitoring console to actually see them (IEV, for example, only displays "high" and "medium" events by default).

That being said, like anything else, there is a cost in using them (read: potential alarm rate). This will particularly evident if IM is not specifically banned in your environment and you just want to use these signatures to develop some statistics detailing the usage of the various IM applications identified by this group of signatures.

I hope this helps,

Alex Arndt

Re: Instant Messenging monitoring

5creedus — Tue, 30 Aug 2005 20:11:44 GMT

Thank you Alex, this is exactly what I was looking for. I'm just glad the customer wants to track and not alert on these or we'd most likely have to get an always on line to them.

Re: Instant Messenging monitoring

a.arndt — Wed, 31 Aug 2005 10:45:15 GMT

My pleasure. Glad I could help out.

Alex Arndt

topic Re: Instant Messenging monitoring in Network Security

Instant Messenging monitoring

Re: Instant Messenging monitoring

Re: Instant Messenging monitoring

Re: Instant Messenging monitoring

Re: Instant Messenging monitoring