Snort mailing list archives
BadTrans.B Test Rules
From: Jim Forster <jforster () rapidnet com>
Date: Tue, 27 Nov 2001 11:06:52 -0700
Here are some quick ones I'm testing to see if I can catch it running around.... Anyone having luck with 'em, let me know. :)

Actually, now that I look at 'em... I suppose double-content checking in the Pif/Scr might be better; also watching for "audio/x-wav" would help to narrow down falses.

#----------------BadTrans.B Test Rules-------------------
# This is BAD.
alert tcp any any -> any 25 (msg:"BadTrans.B Detected Sending Passwords!"; flags:PA; content-list:"badtrans"; nocase; classtype:misc-activity;)

# These are the extensions it has a chance of using
alert tcp any 110 -> any any (msg:"BadTrans DocPif"; content:".doc.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans Mp3Pif"; content:".mp3.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans ZipPif"; content:".zip.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans DocScr"; content:".doc.scr"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans Mp3Scr"; content:".mp3.scr"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans ZipScr"; content:".zip.scr"; nocase; classtype:misc-activity;)

(The file "badtrans" contains the Email usernames which the keylogger tries to send the logged passwords to.)

Jim Forster
Network Administrator
RapidNet, A Golden West Company