08-29-2005 10:11 AM - edited 03-10-2019 01:36 AM
Looking to monitor IM sessions using IDS. Due to the nature of IM and the many ports it can use, is there another method (string match, etc.) that can be used to monitor this activity? The use of custom signature(s) is OK.
08-29-2005 10:46 AM
Look at the IPS signatures in the 112xx range.
08-29-2005 11:24 AM
There is a long list of signatures that will probably do what you're looking for. They are as follows (as of S187):
11200 - Yahoo Messenger Activity
11201 - MSN Messenger Activity
11202 - AIM / ICQ Messenger Activity
11203 - IRC Channel Join
11204 - Jabber Activity
11205 - Sametime Activity
11206 - ICQ Client DNS Request
11207 - AIM Client DNS request
11208 - Yahoo Messenger Client DNS Request
11209 - MSN Messenger Client DNS Request
11210 - AIM / ICQ Through HTTP Proxy
11211 - MSN Messenger Through HTTP Proxy
11212 - Yahoo Messenger Through HTTP Proxy
11213 - AOL IM Login
11214 - AIM/ICQ Message Send
11215 - AIM/ICQ Message Receive
11216 - AOL IM Chat - User Join
11217 - Yahoo Messenger Logon
11218 - Yahoo Messenger Send Message
11219 - Yahoo Messenger Receive Message
11221 - Yahoo Messenger Chat Invitation Activity
11222 - MSN Login
11223 - MSN Message Sent
11224 - MSN Message Received
11225 - MSN Chat Invitation Sent
11226 - MSN Chat Invitation Received
11227 - MSN Chat Invitation Accepted
11228 - MSN Chat Joined
11229 - AOL IM Chat - User Leave
11230 - AOL IM Chat - Incoming Message
11231 - AOL IM Chat - Outgoing Message
11232 - AOL IM Chat - Create room
11233 - SSH Over Non-standard Ports
11234 - Jabber Logon
11235 - MSN File Transfer Proposal Sent
11236 - MSN File Transfer Proposal Received
11237 - Jabber Chatroom Activity
11238 - MSNFTP File Transfer
11239 - ICQ Chat Invitation Sent
11240 - ICQ Chat Invitation Received
11241 - ICQ Specific Request
11242 - ICQ File Transfer
11244 - MSN P2P File Transfer
11245 - IRC Server Connection
11246 - AIM File Transfer Request
11247 - AIM File Transfer
11248 - Gadu-Gadu Login
11249 - Gadu-Gadu IM Message Sent
11250 - Gadu-Gadu IM Message Received
11251 - Skype Client Activity
According to the config on one of my production sensors, none of these signatures, with the exception of 11245 (subsig 0 and 1), are enabled by default. Therefore, in order to take advantage of them, you will have to use your favourite method (IDM, VMS, etc.) to enable them. Also, since they are "informational" only, you may have to reconfigure your monitoring console to actually see them (IEV, for example, only displays "high" and "medium" events by default).
That being said, like anything else, there is a cost in using them (read: potential alarm rate). This will be particularly evident if IM is not specifically banned in your environment and you just want to use these signatures to develop some statistics detailing the usage of the various IM applications identified by this group of signatures.
I hope this helps,
Alex Arndt
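To illustrate the "string match" approach the original question asks about, here is an added example (not part of the thread and not Cisco's signature logic): a small port-independent classifier that looks only at the opening payload bytes of a flow and tags it as one of the IM protocols in the list above, emitting informational records in the spirit of the 112xx signatures. The byte patterns are assumptions drawn from the public protocols of that era (OSCAR's 0x2A FLAP marker, Yahoo's "YMSG" magic, MSNP's "COMMAND trid" lines, IRC registration commands, the XMPP stream header), and the sample flows and addresses are constructed. Skype, which the list also covers, is deliberately left out: its traffic was obfuscated and offers no stable plaintext marker, so it cannot be caught by this kind of match.

```python
"""Port-independent IM protocol identification by payload string match.

Added illustration for this thread, not Cisco IDS/IPS code. The byte patterns
are assumptions based on the public OSCAR, YMSG, MSNP, IRC and XMPP protocols;
Cisco's own 112xx signature definitions are not reproduced here.
"""
import re
from typing import Iterable, List, Optional, Tuple

# (label, pattern, default server ports). Each pattern keys on the first bytes a
# client or server sends, which is what lets a sensor recognise the protocol even
# when it has been moved off its usual port or pushed through an HTTP proxy.
IM_SIGNATURES = [
    # OSCAR FLAP frame: 0x2A marker, channel 1-5, 2-byte sequence, 2-byte length
    ("AIM/ICQ (OSCAR)", re.compile(rb"\A\x2a[\x01-\x05].{4}", re.DOTALL), {5190}),
    # Yahoo Messenger: every packet starts with the ASCII magic "YMSG"
    ("Yahoo Messenger (YMSG)", re.compile(rb"\AYMSG"), {5050}),
    # MSNP: "<COMMAND> <transaction id> ...", e.g. "VER 1 MSNP8 CVR0"
    ("MSN Messenger (MSNP)", re.compile(rb"\A(?:VER|CVR|USR|MSG) \d+ "), {1863}),
    # IRC: client registration, channel join or message commands
    ("IRC", re.compile(rb"\A(?:NICK|USER|JOIN|PRIVMSG) ", re.IGNORECASE), {6667}),
    # Jabber/XMPP: XML stream header, usually preceded by an <?xml ...?> prolog
    ("Jabber/XMPP", re.compile(rb"<stream:stream[\s>]"), {5222}),
]

Flow = Tuple[str, str, int, bytes]  # (src, dst, dst_port, first payload bytes)


def classify_payload(payload: bytes) -> Optional[str]:
    """Return the IM protocol label matched by the opening bytes of a flow, or None."""
    head = payload[:256]  # only the opening bytes are needed, which keeps this cheap
    for label, pattern, _ports in IM_SIGNATURES:
        if pattern.search(head):
            return label
    return None


def scan_flows(flows: Iterable[Flow]) -> List[dict]:
    """Emit one informational record per flow whose payload matches an IM protocol.

    Each record carries the destination port and whether it is one of the
    protocol's default ports, so port-hopping or proxied sessions stand out from
    ordinary ones when the records are rolled up into usage statistics.
    """
    alerts = []
    for src, dst, dport, payload in flows:
        label = classify_payload(payload)
        if label is None:
            continue
        default_ports = next(p for l, _, p in IM_SIGNATURES if l == label)
        alerts.append({
            "severity": "informational",
            "protocol": label,
            "src": src,
            "dst": dst,
            "dst_port": dport,
            "nonstandard_port": dport not in default_ports,
        })
    return alerts


# Constructed sample flows (not captured traffic); server addresses are RFC 5737 ranges.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "198.51.100.1", 1863, b"VER 1 MSNP8 CVR0\r\n"),
    ("10.0.0.6", "198.51.100.2", 80, b"VER 1 MSNP8 CVR0\r\n"),  # MSN moved to port 80
    ("10.0.0.7", "198.51.100.3", 5050,
     b"YMSG\x00\x0b\x00\x00\x00\x10\x00\x4c" + b"\x00" * 8),
    ("10.0.0.8", "198.51.100.4", 443, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),  # OSCAR on 443
    ("10.0.0.9", "198.51.100.5", 6667, b"NICK analyst\r\nUSER analyst 0 * :analyst\r\n"),
    ("10.0.0.10", "198.51.100.6", 5222,
     b'<?xml version="1.0"?><stream:stream to="example.org" xmlns="jabber:client">'),
    ("10.0.0.11", "198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),  # plain web
    ("10.0.0.12", "198.51.100.8", 443, b"\x16\x03\x01\x00\x8b\x01\x00\x00\x87\x03\x01"),  # TLS hello
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        flag = " (non-standard port)" if alert["nonstandard_port"] else ""
        print(f'{alert["severity"]}: {alert["protocol"]} '
              f'{alert["src"]} -> {alert["dst"]}:{alert["dst_port"]}{flag}')
```

The two MSN and OSCAR flows on ports 80 and 443 are classified exactly like the ones on 1863 and 5190, which is the point: the decision never consults the port. The plain HTTP request and the TLS handshake produce nothing, and an obfuscated client such as Skype would fall into that same silent bucket, which is why Alex's remark about alarm rate cuts both ways: cheap plaintext matches are noisy where IM is allowed, and blind where the client hides its protocol.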
08-30-2005 01:11 PM
Thank you Alex, this is exactly what I was looking for. I'm just glad the customer wants to track and not alert on these or we'd most likely have to get an always-on line to them.
08-31-2005 03:45 AM
My pleasure. Glad I could help out.
Alex Arndt