Q: Instant Messenger chat monitoring Software ( No Answer,   3 Comments )
Question  
Subject: Instant Messenger chat monitoring Software
Category: Computers > Security
Asked by: crgj-ga
List Price: $50.00
Posted: 21 Jul 2003 10:32 PDT
Expires: 20 Aug 2003 10:32 PDT
Question ID: 233393
Hi

I am using a product called Bantu Messenger, a market leading Chat
engine. We are serving Chat facilities to a large number of users (c.
50,000), and now wish to add software that will allow us to monitor
all chat streams automatically for abusive content, and notify
members of our support team that a particular chat stream has been
using words that we set up as being either abusive or suspicious.
I would like to know the names of software vendors who can provide us
with software to achieve this monitoring capability. They must be able
to:
1) Interface into Bantu's Messenger server engine
2) Allow us to configure words or phrases that we wish to monitor for
3) Provide for alerts when such words or phrases are picked up, both
to a user and to central administration staff.

Please can you provide details of all such software products?

Thanks
Answer  
There is no answer at this time.

Comments  
Subject: Re: Instant Messenger chat monitoring Software
From: slawek-ga on 21 Jul 2003 10:49 PDT
 
Good Day crgj,

I have begun the search for the software you describe.  I will update
you on my search results within 4-5 hours...

Regards,
Researcher slawek-ga.
Subject: Re: Instant Messenger chat monitoring Software
From: slawek-ga on 21 Jul 2003 15:16 PDT
 
Good Day,

I have not found any relevant information thus far, but have sent out
a few E-mails in the meantime to see if I can get some
recommendations on possible solutions.

In the meantime, if any researcher has the answer, please don't keep
crgj waiting, and answer his question. I receive some great info via
E-mail, or I might get nothing...

Regards,
slawek-ga
Subject: Re: Instant Messenger chat monitoring Software
From: cogent-ga on 16 Aug 2003 19:38 PDT
 
This is definitely not the perfect way but it has some advantages:

What you could do is listen and "sniff" the ports that are used by the
chat software using a NDIS (network detection intrusion system) like
Snort (snort.org). After that you would manually create a rule for
each of the port/software. So when the communications are equal to the
rules, it would be saved into an "alert.ids" file. As the NDIS works,
you could check (using a perl script) the alert file for any
specific keywords and voila. A couple of problems could/will occur:

If the chat software is transferring the info into some sort of binary
form or if it's encrypted, you would need another (now that's getting
complicated) software, probably home made, to descramble all
communications and pass it to the NDIS.

An example of a logged packet using Snort:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/16-19:25:55.508918 0:50:BA:CD:8D:90 -> 0:3:4B:E7:94:C5 type:0x800 len:0x216
xxx.xxx.xx.xxx:3706 -> xxx.xxx.xx.xxx:80 TCP TTL:128 TOS:0x0 ID:65198 IpLen:20 DgmLen:520 DF
***AP*** Seq: 0x41252FCE  Ack: 0x828752D9  Win: 0x43C2  TcpLen: 20
47 45 54 20 2F 73 65 61 72 63 68 3F 63 6C 69 65  GET xxxxxxxxxxxx
6E 74 3D 6E 61 76 63 6C 69 65 6E 74 2D 61 75 74  xxxxxxxxxxxxxxxx
6F 26 67 6F 6F 67 6C 65 69 70 3D 4F 3B 32 31 36  xxxxxxxxxxxxxxxx
2E 32 33 39 2E 35 37 2E 31 30 34 3B 31 37 30 26  xxxxxxxxxxxxxxxx
63 68 3D 36 33 37 30 33 34 32 36 31 34 35 26 69  xxxxxxxxxxxxxxxx
65 3D 55 54 46 2D 38 26 6F 65 3D 55 54 46 2D 38  e=UTF-8&oe=UTF-8
26 66 65 61 74 75 72 65 73 3D 52 61 6E 6B 26 71  &features=Rank&q
3D 69 6E 66 6F 3A 68 74 74 70 25 33 41 25 32 46  =info:http%3A%2F
25 32 46 77 77 77 25 32 45 65 78 61 6D 70 6C 65  %2Fwww%2Eexample
65 78 61 6D 70 6C 65 65 78 61 6D 70 6C 65 65 78  exampleexampleex
61 6D 70 6C 65 65 78 61 6D 70 6C 65 65 78 61 6D  ampleexampleexam
70 6C 65 65 78 61 6D 70 6C 65 65 78 61 6D 70 6C  pleexampleexampl
65 65 78 61 6D 70 6C 65 65 78 61 6D 70 6C 65 65  eexampleexamplee
78 61 6D 70 6C 65 65 78 61 6D 70 6C 65 65 78 61  xampleexampleexa
6D 70 6C 65 65 78 61 6D 70 6C 65 25 32 45 63 6F  mpleexample%2Eco
6D 25 32 46 20 48 54 54 50 2F 31 2E 31 0D 0A 55  m%2F HTTP/1.1..U
73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C  ser-Agent: Mozil
6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62  la/4.0 (compatib
6C 65 3B 20 47 6F 6F 67 6C 65 54 6F 6F 6C 62 61  le; GoogleToolba
72 20 32 2E 30 2E 39 35 2D 62 69 67 3B 20 57 69  r 2.0.95-big; Wi
6E 64 6F 77 73 20 32 30 30 30 20 35 2E 30 29 0D  ndows 2000 5.0).
0A 43 6F 6F 6B 69 65 3A 20 50 52 45 46 3D 49 44  .Cookie: PREF=ID
3D 34 37 38 38 37 39 34 35 30 39 30 61 32 66 31  =xxxx7945090a2f1
64 3A 4C 44 3D 65 6E 3A 4E 52 3D 31 30 30 3A 54  d:LD=en:NR=100:T
4D 3D 31 30 36 31 30 38 30 33 33 37 3A 4C 4D 3D  M=xxxx080337:LM=
31 30 36 31 30 38 32 38 39 35 3A 53 3D 76 6A 52  1xxxx82895:S=vjR
44 2D 44 30 4F 4E 5F 41 45 56 78 4E 70 0D 0A 48  D-D0ON_AEVxNp..H
6F 73 74 3A 20 32 31 36 2E 32 33 39 2E 35 37 2E  ost: xxx.xxx.xx.
31 30 34 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72  xxx..Cache-Contr
6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D 0A  ol: no-cache....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

You will see the "www%2Eexampleexample..." part. That is the URL I
entered on the address bar of MSIE and pressed enter, and the packet
has been dumped. It includes the header and data. So I suppose you
could do the same with your chat software. If you plan to do this,
just make sure that you can easily catch and understand the data that
will pass.

What I like about that solution is that it's free (excluding
descrambler if needed) and near multiplatform. If you don't have the
choice to "decipher" the transmitted data, it could imply some reverse
engineering, so you might want to check the terms of use of each of
the chat software before doing so, and contact the companies for
hints/permission.

Another solution would be to simply start a hidden keyboard logger, on
each of the stations, when the chat software starts, log and
automatically send the log file back to you.

I hope it makes sense.
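
Added example (not part of cogent-ga's comment, and in Python rather than the Perl mentioned there): a scanner for the dump layout shown above that rebuilds each payload from the hex columns before matching, because a phrase can be split across 16-byte rows or hidden by URL encoding, so a plain keyword search of the log file misses it. The sample records, addresses, port 9999, the cleartext form-encoded payloads and the watchlist are all constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

WATCHLIST = ["credit card", "idiot"]   # hypothetical phrases; configure your own
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")   # up to 16 byte columns
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+:\d+) -> (\d+\.\d+\.\d+\.\d+:\d+)")

# Constructed sample (not real traffic) in the dump layout shown above.
SAMPLE_LOG = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/16-19:25:55.508918 192.0.2.10:3706 -> 192.0.2.20:9999 TCP TTL:128
6D 3D 73 65 65 2B 79 6F 75 2B 61 74 2B 74 68 65  m=see+you+at+the
2B 63 61 72 64 2B 67 61 6D 65                    +card+game
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/16-19:26:02.114201 192.0.2.11:3710 -> 192.0.2.20:9999 TCP TTL:128
6D 3D 68 69 2B 73 65 6E 64 2B 74 68 65 2B 63 72  m=hi+send+the+cr
65 64 69 74 2B 63 61 72 64 2B 70 69 6E           edit+card+pin
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/16-19:26:09.770045 192.0.2.12:3722 -> 192.0.2.20:9999 TCP TTL:128
6D 3D 59 6F 75 25 32 30 49 44 49 4F 54           m=You%20IDIOT
"""

def records(log):
    """Yield (flow, payload_bytes) per record, rebuilding bytes from the hex columns."""
    for chunk in re.split(r"^=\+=\+.*$", log, flags=re.M):
        flow, data = None, bytearray()
        for line in chunk.splitlines():
            row = HEX_ROW.match(line)
            if row:                      # hex row: ignore the ASCII column entirely
                data += bytes.fromhex(row.group(1))
            elif flow is None and (m := FLOW.search(line)):
                flow = f"{m.group(1)} -> {m.group(2)}"
        if data:
            yield flow, bytes(data)

def scan(log, watchlist=WATCHLIST):
    """Return [(flow, phrase, decoded_text)] for every watchlist hit."""
    hits = []
    for flow, data in records(log):
        text = unquote_plus(data.decode("latin-1"))   # undo '+' and %XX encoding
        folded = " ".join(text.lower().split())       # case-fold, collapse whitespace
        hits += [(flow, p, text) for p in watchlist if p in folded]
    return hits

if __name__ == "__main__":
    for flow, phrase, text in scan(SAMPLE_LOG):
        print(f"ALERT {flow} phrase={phrase!r} text={text!r}")
```

As the comment notes, this only works while the chat payload is readable on the wire; binary or encrypted traffic would need decoding before this step.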
