[unisog] Recording IM conversations/mapping users to IM

Gary Flynn flynngn at jmu.edu
Thu Feb 9 20:41:29 GMT 2006

Micheal Cottingham wrote:

> I know this has been discussed before, but this is something I want to
> revisit following an incident at my institution. Right now I'm looking
> at IMLogic IM Manager and Akonix products. I want to record
> conversations, map employee names to a central database, be able to flag
> a screen name for further investigation, etc. We have an IPS on our
> boundary, so I'm not as worried about IM worms.


Our Juniper IPS has a feature called Profiler that
inventories things like instant message screen
names, HTTP user agents and versions, gnutella
agents and versions, HTTP server versions, etc.

It does not collect content but the screen name
to IP address mapping may come in handy in
harassment or abuse cases.

We have written signatures for the IPS to block
instant message traffic with known malicious
links in buddy and away messages though they
don't appear to catch all of them...probably
due to a combination of the proliferation of
protocol versions, some clients going to the
trouble of enabling encryption, and my own
ignorance of instant message protocols and

Gary Flynn
Security Engineer
James Madison University

More information about the unisog mailing list