Monitor IM traffic

phoeneous · December 2009

Anyone know of a good app that can monitor IM traffic? Management has their suspicions and now I need to audit a few users. Thanks.

veritas_libertas · December 2009

phoeneous wrote: »

Anyone know of a good app that can monitor IM traffic? Management has their suspicions and now I need to audit a few users. Thanks.

I would use WireShark and set the filters for whatever type of IM traffic you are looking to capture. Google Mail uses jabber, but AIM and the others I don't know what they use.

RobertKaucher · December 2009

For something RIGHT NOW a network capture is probably best. what info are you trying to find?

Barracuda IM Firewall - Instant Messaging Management and Archiving

I would suggest blocking all IM at the application layer level except for those who need it for business. For the company set up OpenFire. I have been using OpenFire here at work (it's running off a small CentOS VM on ESXi) and people love it. You can use MySQL database to archive chat histories.

Depending on where you work some might still need to use an external IM. We do lots of business with China, so our China "devision" uses IM with our partners there.

unclerico · December 2009

phoeneous wrote: »

Anyone know of a good app that can monitor IM traffic? Management has their suspicions and now I need to audit a few users. Thanks.

I second RobertKaucher's response for using OpenFire. I too have deployed it company wide and people love it. I have IM gateways for Yahoo, AOL, and MSN Messenger enabled to permit people to link their IM client to the external services. For people that need to use IM for business purposes we have them create a business specific profile on the public service. We archive all conversations on the Openfire server.

veritas_libertas · December 2009

unclerico wrote: »

I second RobertKaucher's response for using OpenFire. I too have deployed it company wide and people love it. I have IM gateways for Yahoo, AOL, and MSN Messenger enabled to permit people to link their IM client to the external services. For people that need to use IM for business purposes we have them create a business specific profile on the public service. We archive all conversations on the Openfire server.

I've also used OpenFire and love it!

Chivalry1 · December 2009

What platform is it? Live Communication Server 2005 has a archiving feature.

HeroPsycho · December 2009

Also, if you have Enterprise Vault, you can integrate IM archiving into it with Symantec's IM Manager.

phoeneous · December 2009

I think I wrote my original message wrong. We don't use IM at all and are not going to. Some users have managed to download aim or yahoo im on their work pc's. I need to prove that they are overusing it on company time because management suspects that they are. The only thing I can think of is a sniffer and filter for those protocols.

veritas_libertas · December 2009

phoeneous wrote: »

I think I wrote my original message wrong. We don't use IM at all and are not going to. Some users have managed to download aim or yahoo im on their work pc's. I need to prove that they are overusing it on company time because management suspects that they are. The only thing I can think of is a sniffer and filter for those protocols.

In that case I think Wire Shark would be best for this, and it has filters for IM traffic.

RobertKaucher · December 2009

I understood the question. The easiest thing to do would be to run a sniffer on the DNS servers and on the connection with the DFG.

Once you start seeing the ports being used run a PowerShell script like this

[FONT=Courier New][SIZE=2][COLOR=#800080][FONT=Courier New][SIZE=2][COLOR=#800080][FONT=Courier New][SIZE=2][COLOR=#800080]$computer[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][FONT=Courier New][SIZE=2][COLOR=#ff0000][FONT=Courier New][SIZE=2][COLOR=#ff0000][FONT=Courier New][SIZE=2][COLOR=#ff0000]=[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][B][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]Read-Host [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/B][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000]"Enter computer name"[/COLOR][/SIZE][/FONT]
[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][B][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]get-wmiobject [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/B][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000]Win32_ComputerSystem [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][I][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]-computername [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/I][FONT=Courier New][SIZE=2][COLOR=#800080][FONT=Courier New][SIZE=2][COLOR=#800080][FONT=Courier New][SIZE=2][COLOR=#800080]$computer[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][FONT=Courier New][SIZE=2][FONT=Courier New][SIZE=2] | [/SIZE][/FONT][/SIZE][/FONT][B][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]format-table[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/B][I][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]-property [/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/I][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000][FONT=Courier New][SIZE=2][COLOR=#800000]username[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT]
[B][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0][FONT=Courier New][SIZE=2][COLOR=#5f9ea0]Get-Date[/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/COLOR][/SIZE][/FONT][/B]

To get the identity of the logged on user with a time stamp. You will then have network captures and data showing which user account was logged on to the PC at the time. But as a more perminent solution I suggest the Barracuda Networks IM filter.

EDIT: And IMHO external IMs should be banned per company policy unless there is a valid business need for them. And in that case the employee should be using an IM account registered to a work email address with a password that is documented some place. External IM for a company is a lawsuit waiting to happen.

veritas_libertas · December 2009

RobertKaucher wrote: »

...run a PowerShell script like this...

I'm seriously have to learn more about PowerShell, I had know idea you could do stuff like that...

RobertKaucher · December 2009

phoeneous wrote: »

We don't use IM at all and are not going to. Some users have managed to download aim or yahoo im on their work pc's.

My suggestion of OpenFire is that you may find out that people are using this for legit business purposes. There may be managers who areusing it or even just employees who are using it to chat with other employees.

openFire is a free way to ensure that this communication is done securely and in a manner that can be monitored.

RobertKaucher · December 2009

veritas_libertas wrote: »

I'm seriously have to learn more about PowerShell, I had know idea you could do stuff like that...

I run SQL queries and import data into Excel and then format the Excel spread sheet using Powershell. I backup my WSS site using PowerShell. I run SQL Queries and export the data into WSS lists using PowerShell. I install VNC on remote PCs using PowerShell. I verify server uptime using PowerShell.

I have one script that the AP person runs which gets information about the checks that have been run from the SQL server, formats the data per the bank's requirements, sends the data to the bank for security and then emails me, the AP person, and the group at the bank in charge of the "Poisitive Pay" accounting system when it is done. I was going to do it in C# but it was just easier in PowerShell.

I believe there should be an MCTS on PowerShell...

MCTS: PowerShell Scripting for Server Administration or something like that.

veritas_libertas · December 2009

RobertKaucher wrote: »

... believe there should be an MCTS on PowerShell...

MCTS: PowerShell Scripting for Server Administration or something like that.

That would be cool!

phoeneous · December 2009

RobertKaucher wrote: »

I have one script that the AP person runs which gets information about the checks that have been run from the SQL server, formats the data per the bank's requirements, sends the data to the bank for security and then emails me, the AP person, and the group at the bank in charge of the "Poisitive Pay" accounting system when it is done. I was going to do it in C# but it was just easier in PowerShell.

Yeah, feel free to send me this script anytime because I'm working on the same exact project

Right now I'm using ssrs with a scheduled subscription to run the query and **** the file to a share. Then use task scheduler to kick off a seperate app provided by the bank to upload the file to their posi-pay site. Still working on the query, my concern is ssrs wont export it in the correct format...

RobertKaucher · December 2009

Shoot me an email and I will give any help I can. I doubt we are using the same SQL based app, as mine is for manufacturing. The bank isn't 5/3 by chance? Not even sure if they are in Vegas... But I will email you the script to give you some ideas on text and number formatting.

phoeneous · December 2009

RobertKaucher wrote: »

Shoot me an email and I will give any help I can. I doubt we are using the same SQL based app, as mine is for manufacturing. The bank isn't 5/3 by chance? Not even sure if they are in Vegas... But I will email you the script to give you some ideas on text and number formatting.

No, its Wells Fargo. I'll send a pm today.

Monitor IM traffic

Comments