(imspector-dev) Logging Facebook Chats to meet New Gov't Compliance regs?



  • Running 4 pf boxes in HA, (2 onsite carp'd & 2 carp'd @ DR Site)

    Just began playing around with the new imspector-Dev package,
    never utilized it before but i'm hoping to replace our palo-alto boxes
    that perform all our chat/skype logging onsite so i can remove their
    support fees from my budget… I have it enabled and set to log,
    but when I log in and attempt to send some test messages via
    facebook, none of them appear in the impsector-dev log on my
    pfboxes... Has anybody got this working or can perhaps point me
    in the right direction?



  • anybody?



  • Do you know how facebook chat works?

    imspector is a project that is not being updated in last two years

    imspector description from imspector.org:

    Currently it supports MSN, Jabber/XMPP, AIM, ICQ, Yahoo, IRC and Gadu-Gadu to different degrees.



  • yes it utilizes jabber/xmpp, so it should be able to dissect it?



  • @mastry0da:

    yes it utilizes jabber/xmpp, so it should be able to dissect it?

    It depends on how facebook chat change messages, did you tried to tcpdump this traffic to see what ports does it use?



  • it appears to be connecting to chat.facebook.com on port 443 utilizing ssl encryption…
    Perhaps i need to add some ssl certs to my imspector config... currently i have no ssl
    certs installed on the test box...



  • @mastry0da:

    Perhaps i need to add some ssl certs to my imspector config… currently i have no ssl
    certs installed on the test box...

    you need ca and cert to get it working(at least with google chat it does).



  • @marcelloc:

    @mastry0da:

    Perhaps i need to add some ssl certs to my imspector config… currently i have no ssl
    certs installed on the test box...

    you need ca and cert to get it working(at least with google chat it does).

    Facebook chat uses XMPP wrapped in HTTPS (SSL) so you would need the FB Root CA to do any sort of plain text logging. :-(



  • how do the commercial firewall vendors like smoothwall and sourcefire get around this get the text of facebook chats then?



  • I think, that those use some kind of man-in-the-middle attack by using their own ssl-certificate. But not sure at all



  • @Metu69salemi:

    I think, that those use some kind of man-in-the-middle attack by using their own ssl-certificate. But not sure at all

    Yep. They MITM the traffic, which requires a trusted CA cert to be installed on the machines you want to capture data from.


Log in to reply