[Snort-users] BadTrans.B Test Rules

Jim Forster jforster at ...176...
Tue Nov 27 10:05:02 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are some quick ones I'm testing to see if I can catch it running 
around....  Anyone having luck with 'em, let me know.  :)
Actually, now that I look at 'em...  I suppose double-content checking in 
the Pif/Scr rules might be better; also watching for "audio/x-wav" would help 
to narrow down false positives.

#----------------BadTrans.B Test Rules-------------------
# This is BAD.
# Outbound SMTP (client -> server port 25); "badtrans" is the content-list
# file of drop-box addresses listed below.
alert tcp any any -> any 25 (msg:"BadTrans.B Detected Sending Passwords!"; flags:PA; content-list:"badtrans"; nocase; classtype:misc-activity;)
# These are the extensions it has a chance of using
# Inbound POP3 (server port 110 -> client): double-extension attachment names.
alert tcp any 110 -> any any (msg:"BadTrans DocPif"; content:".doc.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans Mp3Pif"; content:".mp3.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans ZipPif"; content:".zip.pif"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans DocScr"; content:".doc.scr"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans Mp3Scr"; content:".mp3.scr"; nocase; classtype:misc-activity;)
alert tcp any 110 -> any any (msg:"BadTrans ZipScr"; content:".zip.scr"; nocase; classtype:misc-activity;)

(The file "badtrans" contains the following e-mail usernames, which the 
keylogger tries to send the logged passwords to):

"ZVDOHYIK at ...131..."
"udtzqccc at ...131..."
"DTCELACB at ...131..."
"I1MCH2TH at ...131..."
"WPADJQ12 at ...131..."
"fjshd at ...4169..."
"smr at ...4170..."
"bgnd2 at ...4171..."
"muwripa at ...4172..."
"rmxqpey at ...4173..."
"eccles at ...4174..."
"suck_my_prick at ...4175..."
"suck_my_prick4 at ...4176..."
"thisisno_fucking_good at ...4177..."
"S_Mentis at ...4178..."
"YJPFJTGZ at ...722..."
"JGQZCD at ...722..."
"XHZJ3 at ...722..."
"OZUNYLRL at ...722..."
"tsnlqd at ...722..."
"cxkawog at ...4179..."
"ssdn at ...4180..."


- -----------------------------------------------------
Jim Forster
Network Administrator
RapidNet, A Golden West Company
- -----------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPAPWPIm0Gn1R8/mJEQL1WgCcCzbO1dHKFCG0miF7Sr315OIYxXgAoPB9
SszQs404bC+OxQZ8lVyiaW9v
=31sQ
-----END PGP SIGNATURE-----
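The "double-content" idea from the post, as an added example that is not part of the message and not Snort code: each MIME part of a constructed POP3 message is checked for both a double-extension filename (the doc/mp3/zip + pif/scr pairs the rules use, matched case-insensitively like `nocase`) and an `audio/x-wav` Content-Type on the same part, so a filename-only hit is reported separately from a full match. The outbound check mirrors the port-25 rule by matching recipients against the drop-box local parts visible in the post; the archive elides the domains, so matching on the local part alone, the `drop.invalid` domain, and all sample messages are this example's own assumptions.

```python
"""Added example (not from the post or from Snort): the double-content check
applied with Python's email parser to constructed POP3/SMTP message bodies."""
import re
from email import message_from_string
from email.utils import getaddresses

# Double extensions from the post's port-110 rules, case-insensitive (nocase).
DOUBLE_EXT_RE = re.compile(r"\.(doc|mp3|zip)\.(pif|scr)$", re.IGNORECASE)

# Second content the post proposes requiring on the same MIME part.
WAV_TYPE = "audio/x-wav"

# Subset of drop-box local parts visible in the post's "badtrans" list.  The
# archive elides the domains, so local-part matching is an assumption here;
# the real content-list file held full addresses.
DROP_LOCAL_PARTS = {
    "zvdohyik", "udtzqccc", "dtcelacb", "i1mch2th", "wpadjq12", "fjshd",
    "bgnd2", "muwripa", "rmxqpey", "s_mentis", "yjpfjtgz", "jgqzcd", "xhzj3",
    "ozunylrl", "tsnlqd", "cxkawog", "ssdn",
}


def classify_inbound(raw):
    """Return (verdict, matching_names) for one message pulled over POP3.

    'badtrans'  : a part has a double-extension filename AND audio/x-wav type
    'name-only' : double-extension filename only (where the post expects falses)
    'clean'     : neither
    """
    msg = message_from_string(raw)
    names, double_hit = [], False
    for part in msg.walk():
        name = part.get_filename()
        if not name or not DOUBLE_EXT_RE.search(name):
            continue
        names.append(name)
        if part.get_content_type() == WAV_TYPE:
            double_hit = True
    if double_hit:
        return "badtrans", names
    return ("name-only" if names else "clean"), names


def outbound_drop_recipients(raw):
    """Return recipients of an outbound (port 25) message whose local part is a
    known drop box: the password exfiltration the first rule is after."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields)
            if addr.partition("@")[0].lower() in DROP_LOCAL_PARTS]


# Constructed sample messages (not captured traffic).
SAMPLE_INFECTED = """\
From: friend@example.net
To: victim@example.org
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BND"

--BND
Content-Type: text/plain

see attached
--BND
Content-Type: audio/x-wav; name="Card.DOC.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Card.DOC.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--BND--
"""

SAMPLE_NAME_ONLY = SAMPLE_INFECTED.replace(
    'audio/x-wav; name="Card.DOC.pif"', 'application/octet-stream; name="notes.doc.pif"'
).replace('filename="Card.DOC.pif"', 'filename="notes.doc.pif"')

SAMPLE_CLEAN = SAMPLE_INFECTED.replace("Card.DOC.pif", "song.wav")

SAMPLE_EXFIL = """\
From: victim@example.org
To: ZVDOHYIK@drop.invalid
Subject: keys

logged passwords here
"""

if __name__ == "__main__":
    for label, raw in [("infected", SAMPLE_INFECTED),
                       ("name-only", SAMPLE_NAME_ONLY),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, classify_inbound(raw))
    print("exfil recipients:", outbound_drop_recipients(SAMPLE_EXFIL))
```

The per-part pairing is the point: a benign `.doc.pif` attachment in a plain `application/octet-stream` part stays at "name-only", while only a part carrying both signals reaches the full verdict, which is what the post means by narrowing down false positives.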