[Snort-sigs] Proposed Signature for Keystrokes iKeyMonitor iOS Keylogger

Community Signatures lists at ...3397...
Tue Mar 20 15:42:29 EDT 2012

Pretty simple. Content matches pulled from deb package. Sig to detect on
access of keystrokes/webhistory/etc webpage served from iOS device.
Match on the page served up at offset 000109da in MobileSafe.dylib

alert tcp any any -> $HOME_NET 8888
(msg:"ET POLICY iOS Keylogger iKeyMonitor device access";
content:"/><title>Keystrokes - iKeyMonitor</title><style ";
threshold:type limit, track by_src, count 1, seconds 600;
classtype:policy-violation"; sid:x; rev:1;)


More information about the Snort-sigs mailing list