[Snort-sigs] Rules about keylogging

Chich Thierry thierry.chich at ...2579...
Wed Jun 7 04:15:55 EDT 2006


I have already submitted these two rules to
snort-sigs at ...1245... It seems that nobody is interested.
Since I don't understand exactly the system with the two sig repositories, I
am trying again and propose these two beautiful signatures to the bleeding sigs.
Don't worry, it will be my last try.

alert tcp $HOME_NET any -> any 25 (msg:"Bleeding snort - elitekeylogger v1.0 report"; flow:established; content:"MAIL FROM|3a|<logs at ...3219...>"; tag:session,60,seconds; classtype:policy-violation; sid:1200604131; rev:1;)


A second rule, about XP keylogger v2.1:

alert tcp any any -> any 25 (msg:"Bleeding snort - XP keylogger v2.1 mail report"; flow:established; content:"X-Mailer|3a| JMail 4.3.0 Free Version by Dimac"; content:"<H2=3EAbout the use of the PC</H2=3E"; classtype:policy-violation; sid:1200604181; rev:1;)

Thierry
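Added example, not part of Thierry's post or of the Snort project: a small Python emulation of how the content: options in the XP keylogger rule above are matched, so the two-string AND logic and the |3a| hex escape can be checked against constructed SMTP payloads before deploying the rule. The first rule is skipped because its mailbox is elided in the archive; the sample payloads are constructed, not captured traffic.

```python
import re

# Snort content: syntax -- text outside |...| is literal, inside is hex bytes.
HEX_SEG = re.compile(r"\|([0-9A-Fa-f ]+)\|")

def decode_content(spec: str) -> bytes:
    """Turn a Snort content: string into the raw bytes Snort searches for."""
    out, pos = bytearray(), 0
    for m in HEX_SEG.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += spec[pos:].encode("latin-1")
    return bytes(out)

def rule_matches(contents, payload: bytes) -> bool:
    """Several content: options in one rule are ANDed. Without distance/within
    each one is an independent, case-sensitive substring search (no nocase)."""
    return all(decode_content(c) in payload for c in contents)

# content: strings copied from the XP keylogger v2.1 rule in the post
XP_KEYLOGGER = [
    "X-Mailer|3a| JMail 4.3.0 Free Version by Dimac",
    "<H2=3EAbout the use of the PC</H2=3E",
]

# Constructed SMTP DATA fragments (not real captures).
REPORT = (b"X-Mailer: JMail 4.3.0 Free Version by Dimac\r\n"
          b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
          b"<H2=3EAbout the use of the PC</H2=3E\r\n")
# Same mailer, ordinary message: only one of the two contents is present.
BENIGN_JMAIL = (b"X-Mailer: JMail 4.3.0 Free Version by Dimac\r\n\r\n"
                b"Monthly newsletter\r\n")
# Header case changed: content: is case-sensitive, so this does not fire.
LOWERCASE = REPORT.replace(b"X-Mailer", b"x-mailer")

if __name__ == "__main__":
    for name, payload in [("report", REPORT), ("benign", BENIGN_JMAIL),
                          ("lowercase", LOWERCASE)]:
        verdict = "alert" if rule_matches(XP_KEYLOGGER, payload) else "no alert"
        print(f"{name}: {verdict}")
```

Note that the second content string matches the quoted-printable form `=3E` literally, so a report sent with a different transfer encoding would not trigger this rule; that is a coverage limit to keep in mind when tuning it.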
