Snort mailing list archives

RE: IM Logging - How to?


From: "Khera, Manish (US - New York)" <mkhera () deloitte com>
Date: Fri, 17 Jan 2003 14:48:09 -0500


I've used several sniffers to pick up AIM, Yahoo, MSN, and IRC msgr/chats.

Yahoo msgr rides on TCP 5010, MSN on UDP 13324 & 13325 and IRC is 6667.

These are the official ports but I've used network monitoring packages and
picked up MSN msgr on port 80. 

Unfortunately, the data doesn't present itself in any easily readable
fashion.  The actual content contains various lines of binary data.  So you
have to sift through it all, decide what you are looking for and if it's
worth the hassle.   If you don't need it leaving your network I would just
look into blocking it.

Regards,

Manish Khera
Senior Consultant
Deloitte & Touche LLP
2 World Financial Center, 37th floor
New York, NY 10281
email: mkhera () deloitte com


-----Original Message-----
From: Gonzalez, Albert [mailto:albert.gonzalez () eds com]
Sent: Friday, January 17, 2003 1:38 PM
To: 'Mike Shaw'; Matt Yackley; 'Angel Gabriel';
snort-users () lists sourceforge net
Subject: RE: [Snort-users] IM Logging - How to?


I suggest ethereal, you can pass it some BPF filters to
concentrate on exactly what you want to sniff. I have used
it to sniff port 5190 and see what AIM traffic is being sent
on my network. 

-----Original Message-----
From: Mike Shaw [mailto:mshaw () wwisp com]
Sent: Friday, January 17, 2003 1:26 PM
To: Matt Yackley; 'Angel Gabriel'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] IM Logging - How to?


At 11:44 AM 1/17/2003 -0600, Matt Yackley wrote:
I believe that there is an IM capture util included with dsniff
http://naughty.monkey.org/~dugsong/dsniff/ called msgsnarf, but since this
package is a bit old I don't know how well it would work.

Matt

I haven't had much luck with msgsnarf.  It seems the products and protocols 
might have changed since then.

I've used ngrep to snag IM transactions before.  I think AIM is port 
5190.  MSN is a different port (can't remember).

IIRC, Yahoo's messenger uses http and is much harder to track states,
etc.  Maybe someone else has had better luck.

-Mike



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


