IM-Filter is a daemon for GNU/Linux firewall hosts, written in C, that analyzes and filters the ICQ protocol.
IM-Filter's main purpose is to run at a gateway, so that all ICQ-related traffic of users in the LAN passes through IM-Filter. Nevertheless, the daemon could also be used directly on end users' computers. The following diagram shows how the daemon is integrated in a GNU/Linux system.
One of the design goals of IM-Filter was modularity, so that plugins for other protocols like MSN or IRC could be written easily. The source code already contains skeleton code for an IRC module.
Together with the source code, suitable iptables scripts are provided so that only packets which belong to ICQ traffic are placed in the netfilter queue of IM-Filter.
Here are some key features of "IM Filter":
Logging of messages sent via ICQ
IM-Filter is able to identify and log messages which have been sent via the ICQ protocol. Each log entry contains a timestamp, an IP address, the appropriate UIN and - of course - the message itself. A logged message could look like this:
[2007-07-27 11:24:21] IP "10.0.0.1" sent following message to #123456789: "hello, this is a test"
Blacklists for messages and UINs
IM-Filter handles two different blacklists: for messages and for UINs. The message blacklist holds strings which must not occur in text messages. When such a string is detected in a message, it gets censored in the logfiles.
The UIN blacklist contains UINs of users who are not allowed to connect to the ICQ network. Both blacklists can be re-read by the daemon at runtime by sending it signals.
Detection and blocking of file transfers
Since file transfers are not always welcome, they can be blocked by invoking the daemon with a specific command line argument. Users in the LAN then cannot send files to other users anymore. Besides blocking, the daemon logs file transfers. Such a log entry can look like this:
[2007-07-06 17:01:26] FILTRANSFER detected (outgoing): receiver uin: #123456789 || filename: test.txt || size: 143360B
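For reviewing these logs on the gateway, here is an added example (not part of IM-Filter or its documentation) that parses the two entry formats shown above and summarises them. The patterns are inferred only from the two sample lines on this page; the function names are hypothetical, and the message text and filename are treated as untrusted, user-controlled fields that may themselves contain quotes or " || ".

```python
import re
from collections import Counter
from datetime import datetime

# Patterns follow the two sample entries on this page; "FILTRANSFER" is spelled as logged.
TS = r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
MSG_RE = re.compile(
    TS + r'IP "(?P<ip>[^"]+)" sent following message to #(?P<uin>\d+): "(?P<text>.*)"$')
# Assumed: direction is one word. Greedy filename + end-anchored size keep " || " in names.
FILE_RE = re.compile(
    TS + r"FILTRANSFER detected \((?P<direction>\w+)\): receiver uin: #(?P<uin>\d+)"
    r" \|\| filename: (?P<filename>.*) \|\| size: (?P<size>\d+)B$")

def parse_line(line):
    """Return a dict for a recognised entry, or None for any other line."""
    line = line.rstrip("\r\n")
    for kind, rx in (("message", MSG_RE), ("filetransfer", FILE_RE)):
        m = rx.match(line)
        if m:
            rec = dict(m.groupdict(), kind=kind)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            if kind == "filetransfer":
                rec["size"] = int(rec["size"])
            return rec
    return None

def summarize(lines):
    """Messages per source IP, bytes per receiver UIN, count of unparsed lines."""
    msgs, bytes_by_uin, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["kind"] == "message":
            msgs[rec["ip"]] += 1
        else:
            bytes_by_uin[rec["uin"]] += rec["size"]
    return msgs, bytes_by_uin, unparsed

# Constructed sample: the page's two entries plus constructed edge cases.
SAMPLE = [
    '[2007-07-27 11:24:21] IP "10.0.0.1" sent following message to #123456789: "hello, this is a test"',
    '[2007-07-27 11:25:02] IP "10.0.0.1" sent following message to #123456789: "he said "hi" to me"',
    "[2007-07-06 17:01:26] FILTRANSFER detected (outgoing): receiver uin: #123456789 || filename: test.txt || size: 143360B",
    "[2007-07-06 17:02:00] FILTRANSFER detected (outgoing): receiver uin: #123456789 || filename: a || b.txt || size: 10B",
    "daemon started",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines that match neither pattern are counted rather than dropped silently, so a change in the daemon's log format shows up as a rising unparsed count.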
List with currently logged in users
To track which users are currently logged in, IM-Filter maintains a text file which holds all necessary information. By default, the file is placed in /var/log/imfilter.users and contains the IP address and UIN of each user who is currently logged in. The file could look like this:
What's New in This Release:
· Added branch for libipq
· Added sample iptables script for a gateway
· Added check for existence of /var/run/imfilter.pid (PID will not get overwritten)
· File permissions are checked before start
· Daemon does not need SUID-Bit anymore
· IRC-module now must be compiled in explicitly via #ifdef