cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
877
Views
5
Helpful
3
Replies

Instant Messaging detection

napoleoncrowe
Level 1
Level 1

I am using a 4235 and need to be able to detect when a user is using any type of IM or P2P application. I know others are able to do this but they are using a different brand IDS. Any help or ideas whould be very helpful. My infrastructure is all Extreme so NBAR is not an option.

1 Accepted Solution

Accepted Solutions

We have added a considerable number of signatures in the last few releases. For example, signatures 11019-11020, 11028-11031, 11200-11232 have been added in release S140. These signatures add greatly to our current coverage of IM and P2p products as well as providing more granular activity monitoring. However, They have been disabled by default. To use them, you have to enable them. We are in the process of releasing a few more soon.

View solution in original post

3 Replies 3

nkhawaja
Cisco Employee
Cisco Employee

some signatures should already be there. see details here

http://www.cisco.com/cgi-bin/front.x/csec/idsAllList.pl

Yahoo Messenger Activity

Siganture Id/Sub Id 11200/0

Signature Description This signature fires when a Yahoo Messenger client login attempt to the default TCP port 5050 is detected.

IDS Version S46

Alarm Level 0

Benign Triggers Normal Yahoo Messenger activity will cause this signature to fire.

Signature Type NETWORK

Signature Structure ATOMIC

Implementation CONTENT

Related Vulnerabilities

3843 Instant Messaging

Siganture Id/Sub Id 11201/0

Signature Description This signature fires when an MSN new connection attempt to the default TCP port 1863 is detected.

IDS Version S46

Alarm Level 0

Benign Triggers Normal use of MSN instant messaging clients will cause this signature to fire.

Signature Type NETWORK

Signature Structure ATOMIC

Implementation CONTENT

Related Vulnerabilities

3843 Instant Messaging

We have added a considerable number of signatures in the last few releases. For example, signatures 11019-11020, 11028-11031, 11200-11232 have been added in release S140. These signatures add greatly to our current coverage of IM and P2p products as well as providing more granular activity monitoring. However, They have been disabled by default. To use them, you have to enable them. We are in the process of releasing a few more soon.

I just updated the box to 140 so I'll go ahead and enable those. Thanks a ton!

Review Cisco Networking for a $25 gift card