
Instant Messaging monitoring

5creedus
Level 1

Looking to monitor IM sessions using IDS. Due to the nature of IM and the many ports it can use, is there another method (string match etc) that can be used to monitor this activity? The use of customer signature(s) is ok.

4 Replies

scothrel
Level 3

look at the IPS signatures in the 112xx range.

a.arndt
Level 3

There is a long list of signatures that will probably do what you're looking for. They are as follows (as of S187):

11200 - Yahoo Messenger Activity
11201 - MSN Messenger Activity
11202 - AIM / ICQ Messenger Activity
11203 - IRC Channel Join
11204 - Jabber Activity
11205 - Sametime Activity
11206 - ICQ Client DNS Request
11207 - AIM Client DNS Request
11208 - Yahoo Messenger Client DNS Request
11209 - MSN Messenger Client DNS Request
11210 - AIM / ICQ Through HTTP Proxy
11211 - MSN Messenger Through HTTP Proxy
11212 - Yahoo Messenger Through HTTP Proxy
11213 - AOL IM Login
11214 - AIM/ICQ Message Send
11215 - AIM/ICQ Message Receive
11216 - AOL IM Chat - User Join
11217 - Yahoo Messenger Logon
11218 - Yahoo Messenger Send Message
11219 - Yahoo Messenger Receive Message
11221 - Yahoo Messenger Chat Invitation Activity
11222 - MSN Login
11223 - MSN Message Sent
11224 - MSN Message Received
11225 - MSN Chat Invitation Sent
11226 - MSN Chat Invitation Received
11227 - MSN Chat Invitation Accepted
11228 - MSN Chat Joined
11229 - AOL IM Chat - User Leave
11230 - AOL IM Chat - Incoming Message
11231 - AOL IM Chat - Outgoing Message
11232 - AOL IM Chat - Create Room
11233 - SSH Over Non-standard Ports
11234 - Jabber Logon
11235 - MSN File Transfer Proposal Sent
11236 - MSN File Transfer Proposal Received
11237 - Jabber Chatroom Activity
11238 - MSNFTP File Transfer
11239 - ICQ Chat Invitation Sent
11240 - ICQ Chat Invitation Received
11241 - ICQ Specific Request
11242 - ICQ File Transfer
11244 - MSN P2P File Transfer
11245 - IRC Server Connection
11246 - AIM File Transfer Request
11247 - AIM File Transfer
11248 - Gadu-Gadu Login
11249 - Gadu-Gadu IM Message Sent
11250 - Gadu-Gadu IM Message Received
11251 - Skype Client Activity

According to the config on one of my production sensors, none of these signatures, with the exception of 11245 (subsig 0 and 1), are enabled by default. Therefore, in order to take advantage of them, you will have to use your favourite method (IDM, VMS, etc.) to enable them. Also, since they are "informational" only, you may have to reconfigure your monitoring console to actually see them (IEV, for example, only displays "high" and "medium" events by default).

That being said, like anything else, there is a cost in using them (read: potential alarm rate). This will be particularly evident if IM is not specifically banned in your environment and you just want to use these signatures to develop some statistics detailing the usage of the various IM applications identified by this group of signatures.

I hope this helps,

Alex Arndt
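The reply above suggests using these informational signatures to build usage statistics rather than to alert. The script below is an added example, not code from the thread or from Cisco: it maps the 112xx signature IDs listed above to an IM application family and tallies events and distinct source hosts per application from exported sensor events. The event line format (`sigid=... subsig=... sev=... src=... dst=...`) and the sample events are constructed for this example and are not the real IEV/SDEE export format; adapt `parse_event` to whatever your console actually exports. It deliberately keeps `informational` events, since that is the severity these signatures fire at, and skips 11233 (SSH over non-standard ports), which shares the numbering range but is not an IM signature.

```python
"""Per-application IM usage statistics from IM-related IPS signature events.

Added example (not from the thread). The line format parsed here is a
constructed, simplified export format, not the real IEV/SDEE format.
"""
import re
from collections import Counter, defaultdict

# Signature ID -> IM application family, taken from the list posted above.
# 11233 (SSH Over Non-standard Ports) is intentionally absent: not IM.
IM_APP_BY_SIG = {
    11200: "Yahoo", 11201: "MSN", 11202: "AIM/ICQ", 11203: "IRC", 11204: "Jabber",
    11205: "Sametime", 11206: "ICQ", 11207: "AIM", 11208: "Yahoo", 11209: "MSN",
    11210: "AIM/ICQ", 11211: "MSN", 11212: "Yahoo", 11213: "AIM", 11214: "AIM",
    11215: "AIM", 11216: "AIM", 11217: "Yahoo", 11218: "Yahoo", 11219: "Yahoo",
    11221: "Yahoo", 11222: "MSN", 11223: "MSN", 11224: "MSN", 11225: "MSN",
    11226: "MSN", 11227: "MSN", 11228: "MSN", 11229: "AIM", 11230: "AIM",
    11231: "AIM", 11232: "AIM", 11234: "Jabber", 11235: "MSN", 11236: "MSN",
    11237: "Jabber", 11238: "MSN", 11239: "ICQ", 11240: "ICQ", 11241: "ICQ",
    11242: "ICQ", 11244: "MSN", 11245: "IRC", 11246: "AIM", 11247: "AIM",
    11248: "Gadu-Gadu", 11249: "Gadu-Gadu", 11250: "Gadu-Gadu", 11251: "Skype",
}

# Constructed, simplified event export (assumed format, not a real sensor log).
# Destination addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
sigid=11222 subsig=0 sev=informational src=10.0.0.5 dst=203.0.113.20
sigid=11223 subsig=0 sev=informational src=10.0.0.5 dst=203.0.113.20
sigid=11223 subsig=0 sev=informational src=10.0.0.5 dst=203.0.113.20
sigid=11217 subsig=0 sev=informational src=10.0.0.7 dst=203.0.113.4
sigid=11245 subsig=1 sev=informational src=10.0.0.9 dst=192.0.2.10
sigid=11233 subsig=0 sev=informational src=10.0.0.9 dst=192.0.2.11
sigid=11223 subsig=0 sev=informational src=10.0.0.12 dst=203.0.113.20
sigid=3041 subsig=0 sev=high src=198.51.100.7 dst=10.0.0.5
"""

_EVENT_RE = re.compile(
    r"sigid=(?P<sigid>\d+)\s+subsig=(?P<subsig>\d+)\s+sev=(?P<sev>\w+)"
    r"\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


def parse_event(line):
    """Parse one constructed-format event line; return a dict or None if malformed."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sigid"] = int(ev["sigid"])
    ev["subsig"] = int(ev["subsig"])
    return ev


def summarise(lines):
    """Count IM events and distinct internal source hosts per application.

    Informational events are kept on purpose: that is the severity these
    signatures fire at, and consoles such as IEV hide them by default.
    Non-IM signatures (including 11233) and unparseable lines are counted
    under 'ignored' so the operator can see what was excluded.
    """
    events_per_app = Counter()
    hosts_per_app = defaultdict(set)
    ignored = 0
    for line in lines:
        ev = parse_event(line)
        app = IM_APP_BY_SIG.get(ev["sigid"]) if ev else None
        if app is None:
            ignored += 1
            continue
        events_per_app[app] += 1
        hosts_per_app[app].add(ev["src"])
    return {
        "events_per_app": events_per_app,
        "hosts_per_app": dict(hosts_per_app),
        "ignored": ignored,
    }


def report(summary):
    """Render the summary as plain text, most active application first."""
    out = []
    for app, count in summary["events_per_app"].most_common():
        hosts = len(summary["hosts_per_app"][app])
        out.append(f"{app:10s} events={count:4d} hosts={hosts}")
    out.append(f"ignored (non-IM or unparseable): {summary['ignored']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_EVENTS.splitlines())))
```

Run against a real export, the per-host counts are the useful part: a high event count from a handful of hosts is a different situation from a low count spread across the whole user population, and the "hosts" column separates the two without raising any alarm.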

Thank you Alex, this is exactly what I was looking for. I'm just glad the customer wants to track and not alert on these or we'd most likely have to get an always on line to them.

My pleasure. Glad I could help out.

Alex Arndt
