[Snort-sigs] Proposed Signature for Keystrokes iKeyMonitor iOS Keylogger

Community Signatures lists at ...3397...
Tue Mar 20 15:42:29 EDT 2012


Pretty simple. Content matches pulled from deb package. Sig to detect on
access of keystrokes/webhistory/etc webpage served from iOS device.
Match on the page served up at offset 000109da in MobileSafe.dylib

# The matched page is served by the device, so inspect server-to-client data from port 8888.
alert tcp $HOME_NET 8888 -> any any \
(msg:"ET POLICY iOS Keylogger iKeyMonitor device access"; \
flow:to_client,established; \
content:"/><title>Keystrokes - iKeyMonitor</title><style "; \
reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; \
threshold:type limit, track by_src, count 1, seconds 600; \
classtype:policy-violation; sid:x; rev:1;)

Thanks,
Nathan
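
A simplified model of how the signature above behaves on traffic, added here as an example and not part of the original post. It assumes the content match is applied to data sent from port 8888 (the page is served by the device) and treats the threshold as one alert per source per 600-second window; the Segment records, addresses and page bytes are constructed.

```python
from dataclasses import dataclass

CONTENT = b"/><title>Keystrokes - iKeyMonitor</title><style "  # content: option of the rule
PORT = 8888           # port from the rule header
LIMIT_WINDOW = 600    # threshold:type limit, track by_src, count 1, seconds 600

@dataclass
class Segment:        # constructed stand-in for one reassembled TCP payload
    ts: float         # seconds since start of capture
    src: str          # sender address
    sport: int        # sender port
    payload: bytes

def evaluate(segments):
    """Return (timestamp, src) for each alert the modelled signature raises."""
    window_start = {}  # src -> time the current threshold window began
    alerts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        # Only data sent by the service on port 8888 can carry the served page.
        if seg.sport != PORT or CONTENT not in seg.payload:
            continue
        start = window_start.get(seg.src)
        if start is not None and seg.ts - start < LIMIT_WINDOW:
            continue   # limit reached: this source already alerted in the window
        window_start[seg.src] = seg.ts
        alerts.append((seg.ts, seg.src))
    return alerts

# Constructed sample traffic; addresses and page bodies are made up for the example.
PAGE = (b'HTTP/1.1 200 OK\r\n\r\n<meta charset="utf-8"/>'
        b'<title>Keystrokes - iKeyMonitor</title><style type="text/css">')
SAMPLE = [
    Segment(0.0, "192.168.1.10", 50123, b"GET / HTTP/1.1\r\n\r\n"),  # viewer request
    Segment(0.2, "192.168.1.50", 8888, PAGE),                         # device serves the page
    Segment(10.0, "192.168.1.51", 8888, PAGE),                        # second device
    Segment(30.0, "192.168.1.50", 8888, PAGE),                        # repeat inside the window
    Segment(60.0, "192.168.1.60", 8888, b"<title>Printer</title>"),  # other service on 8888
    Segment(700.0, "192.168.1.50", 8888, PAGE),                       # window has expired
]

if __name__ == "__main__":
    for ts, src in evaluate(SAMPLE):
        print(f"{ts:>6.1f}s  alert  src={src}")
```

With the match on server-to-client data, `track by_src` keys the limit on the device serving the page, so each monitored device produces at most one alert per ten minutes regardless of how many viewers load it.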