Snort mailing list archives
RE: IM Logging - How to?
From: "Khera, Manish (US - New York)" <mkhera () deloitte com>
Date: Fri, 17 Jan 2003 14:48:09 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've used several sniffers to pick up AIM, Yahoo, MSN, and IIRC msgr/chats. Yahoo msgr rides on TCP 5010, MSN on UDP 13324 & 13325, and IIRC is 6667. These are the official ports, but I've used network monitoring packages and picked up MSN msgr on port 80. Unfortunately, the data doesn't present itself in any easily readable fashion. The actual content contains various lines of binary data. So you have to sift through it all, decide what you are looking for, and whether it's worth the hassle. If you don't need it leaving your network, I would just look into blocking it.

Regards,
Manish Khera
Senior Consultant
Deloitte & Touche LLP
2 World Financial Center, 37th floor
New York, NY 10281
email: mkhera () deloitte com

- -----Original Message-----
From: Gonzalez, Albert [mailto:albert.gonzalez () eds com]
Sent: Friday, January 17, 2003 1:38 PM
To: 'Mike Shaw'; Matt Yackley; 'Angel Gabriel'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] IM Logging - How to?

I suggest ethereal; you can pass it some BPF filters to concentrate on exactly what you want to sniff. I have used it to sniff port 5190 and see what AIM traffic is being sent on my network.

- -----Original Message-----
From: Mike Shaw [mailto:mshaw () wwisp com]
Sent: Friday, January 17, 2003 1:26 PM
To: Matt Yackley; 'Angel Gabriel'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] IM Logging - How to?

At 11:44 AM 1/17/2003 -0600, Matt Yackley wrote:

> I believe that there is an IM capture util included with dsniff
> http://naughty.monkey.org/~dugsong/dsniff/ called msgsnarf, but since
> this package is a bit old I don't know how well it would work.
>
> Matt

I haven't had much luck with msgsnarf. It seems the products and protocols might have changed since then. I've used ngrep to snag IM transactions before. I think AIM is port 5190. MSN is a different port (can't remember). IIRC, Yahoo's messenger uses http and is much harder to track states, etc. Maybe someone else has had better luck.

- -Mike

- -------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPiheIg04aXMDN9d+EQLFOACgom5ENtQxbOd3c7QlP08zAxfEnEoAn0gS
ukyD0/IWDTgxH1jk1AvjcxZu
=bXgx
-----END PGP SIGNATURE-----
Attachment: PGPexch.rtf.pgp
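The "lines of binary data" Manish describes are, for AIM on port 5190, the OSCAR framing: every message sits in a FLAP frame (a 0x2A marker byte, a channel byte, a 16-bit sequence number and a 16-bit payload length), and channel-2 frames start with a SNAC header (family, subtype, flags, 32-bit request id). Once a capture is split along those frames, the sifting becomes much easier. The decoder below is an added example, not code from this thread or from ethereal, ngrep or msgsnarf; it walks a reassembled TCP payload, splits it into FLAP frames, decodes the SNAC header of each channel-2 frame, and hands back any trailing bytes of a frame that was cut off at the end of the capture so the caller can buffer them. The sample payload is constructed here (a channel-1 connection frame, then a channel-2 frame whose SNAC family/subtype 0x0004/0x0006 is the ICBM client-to-server message as commonly documented for OSCAR, then a deliberately truncated frame); the function and field names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FLAP_MARKER = 0x2A        # every FLAP frame starts with '*'
FLAP_HEADER_LEN = 6       # marker(1) channel(1) seq(2) length(2), big-endian
SNAC_HEADER_LEN = 10      # family(2) subtype(2) flags(2) request id(4)


@dataclass
class Snac:
    family: int
    subtype: int
    flags: int
    request_id: int


@dataclass
class Flap:
    channel: int
    seq: int
    payload: bytes
    snac: Optional[Snac]   # only channel-2 frames carry a SNAC


def parse_snac(payload: bytes) -> Optional[Snac]:
    """Decode the SNAC header at the front of a channel-2 FLAP payload."""
    if len(payload) < SNAC_HEADER_LEN:
        return None
    family, subtype, flags, req = struct.unpack("!HHHI", payload[:SNAC_HEADER_LEN])
    return Snac(family, subtype, flags, req)


def parse_flap_stream(data: bytes) -> Tuple[List[Flap], bytes]:
    """Split a reassembled TCP payload into complete FLAP frames.

    Returns (frames, remainder): remainder holds the bytes of a trailing
    frame that was not fully captured, so a caller reading a live stream
    can prepend them to the next chunk instead of losing sync.
    A byte other than 0x2A where a frame should start means we are no
    longer aligned on frame boundaries, which is reported as an error.
    """
    frames: List[Flap] = []
    off = 0
    while off + FLAP_HEADER_LEN <= len(data):
        marker, channel, seq, length = struct.unpack(
            "!BBHH", data[off:off + FLAP_HEADER_LEN])
        if marker != FLAP_MARKER:
            raise ValueError(f"bad FLAP marker 0x{marker:02x} at offset {off}")
        end = off + FLAP_HEADER_LEN + length
        if end > len(data):
            break  # partial frame at the tail: leave it in the remainder
        payload = data[off + FLAP_HEADER_LEN:end]
        snac = parse_snac(payload) if channel == 2 else None
        frames.append(Flap(channel, seq, payload, snac))
        off = end
    return frames, data[off:]


def build_flap(channel: int, seq: int, payload: bytes) -> bytes:
    """Encode one FLAP frame; used here only to construct sample input."""
    return struct.pack("!BBHH", FLAP_MARKER, channel, seq, len(payload)) + payload


# Constructed sample payload (not a real capture): a channel-1 frame announcing
# FLAP version 1, a channel-2 ICBM frame (family 0x0004, subtype 0x0006,
# request id 42) with some filler and a text fragment, and a third frame cut
# off after 9 of its 16 bytes, as happens at the end of a capture.
SAMPLE = (
    build_flap(1, 0x1234, b"\x00\x00\x00\x01")
    + build_flap(2, 0x1235,
                 struct.pack("!HHHI", 0x0004, 0x0006, 0, 42) + b"\x00" * 8 + b"hello")
    + build_flap(2, 0x1236, struct.pack("!HHHI", 0x0001, 0x0002, 0, 43))[:9]
)


def summarize(data: bytes) -> List[str]:
    """One line per complete frame, plus a note about any leftover bytes."""
    frames, rest = parse_flap_stream(data)
    lines = []
    for f in frames:
        if f.snac is None:
            lines.append(f"FLAP ch={f.channel} seq={f.seq:#06x} len={len(f.payload)}")
        else:
            lines.append(f"FLAP ch={f.channel} seq={f.seq:#06x} len={len(f.payload)} "
                         f"SNAC {f.snac.family:#06x}/{f.snac.subtype:#06x} "
                         f"req={f.snac.request_id}")
    if rest:
        lines.append(f"{len(rest)} trailing bytes of an incomplete frame")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Feed this the TCP payload from a port 5190 conversation (for example what ethereal or ngrep hands you for that stream) and you get a frame-by-frame view instead of a blob; the message text itself still lives in TLVs inside the ICBM payload, which this decoder leaves untouched. The marker check matters in practice: if a capture starts mid-stream you will not land on a frame boundary, and it is better to know that than to decode garbage.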
Current thread:
- RE: IM Logging - How to? Matt Yackley (Jan 17)
- RE: IM Logging - How to? Mike Shaw (Jan 17)
- Re: IM Logging - How to? Ricardo Londoño (Jan 17)
- <Possible follow-ups>
- RE: IM Logging - How to? Gonzalez, Albert (Jan 17)
- RE: IM Logging - How to? Khera, Manish (US - New York) (Jan 17)
- RE: IM Logging - How to? Mike Shaw (Jan 17)