Snort mailing list archives

BadTrans.B Test Rules


From: Jim Forster <jforster () rapidnet com>
Date: Tue, 27 Nov 2001 11:06:52 -0700



Here are some quick ones I'm testing to see if I can catch it running 
around....  Anyone having luck with 'em, let me know.  :)
Actually, now that I look at 'em...  I suppose double-content checking in 
the Pif/Scr might be better, to also watch for "audio/x-wav" would help to 
narrow down falses.

#----------------BadTrans.B Test Rules-------------------
# This is BAD.
alert tcp any any -> any 25 (msg:"BadTrans.B Detected Sending Passwords!"; flags:PA; content-list:"badtrans"; nocase; classtype:misc-activity;)
# These are the extensions it has a chance of using
alert tcp any 110 -> any any (msg:"BadTrans DocPif"; content:".doc.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans Mp3Pif"; content:".mp3.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans ZipPif"; content:".zip.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans DocScr"; content:".doc.scr"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans Mp3Scr"; content:".mp3.scr"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans ZipScr"; content:".zip.scr"; nocase; classtype:misc-activity;)

(File "badtrans" contains the following Email usernames, which the 
keylogger tries to send the logged passwords to):



-----------------------------------------------------
Jim Forster
Network Administrator
RapidNet, A Golden West Company
-----------------------------------------------------
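The "double-content" refinement the post suggests, written out as an added example (not code from the post, and not a Snort rule): a Python function that walks a MIME message, flags attachments whose name ends in one of the rules' double extensions, and rates the hit higher when the part is also declared audio/x-wav. The sample messages, addresses and attachment names are constructed for the demonstration.

```python
import re
from email import message_from_bytes, policy

# Double extensions from the POP3 rules above, anchored to the end of the name
# so that a bare ".zip" or ".doc" attachment does not trip the check.
DOUBLE_EXT = re.compile(r"\.(doc|mp3|zip)\.(pif|scr)$", re.IGNORECASE)
# MIME type the post suggests checking alongside the extension.
SUSPECT_MIME = "audio/x-wav"


def badtrans_hits(raw_message: bytes):
    """Return (filename, content_type, confidence) for every attachment whose
    name ends in a listed double extension. Confidence is 'high' when the part
    is also declared audio/x-wav, 'low' on the extension match alone."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if not DOUBLE_EXT.search(name):
            continue
        ctype = part.get_content_type()
        hits.append((name, ctype, "high" if ctype == SUSPECT_MIME else "low"))
    return hits


def build_sample(filename: str, ctype: str) -> bytes:
    """Constructed two-part message (hypothetical addresses, dummy payload)."""
    return (
        b"From: sender@example.invalid\r\n"
        b"To: recipient@example.invalid\r\n"
        b"Subject: constructed sample\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="B1"\r\n\r\n'
        b"--B1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        b"--B1\r\n"
        + f'Content-Type: {ctype}; name="{filename}"\r\n'.encode()
        + f'Content-Disposition: attachment; filename="{filename}"\r\n'.encode()
        + b"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n"
        b"--B1--\r\n"
    )


if __name__ == "__main__":
    for fn, ct in [("sample.doc.pif", "audio/x-wav"),
                   ("report.mp3.scr", "application/octet-stream"),
                   ("notes.zip", "application/zip")]:
        print(fn, badtrans_hits(build_sample(fn, ct)))
```

The plain content match in the rules fires on the string anywhere in the POP3 stream; parsing the MIME structure first is what lets the extension and the declared type be tied to the same part.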



