Snort

From SchnallIchNet

my rules

Some rules I wrote...


Trojans Android

Some rules on Android trojans...


Android Trojan 01

Ref: https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack

Rules:

# Each rule spans two lines, so the first line ends with a backslash
# (Snort's line-continuation character); without it the parser reads
# each line as a separate, incomplete rule and fails to load the file.
# uricontent is the Snort 2 option; on 2.9+ it is deprecated in favour of
# content:"..."; http_uri; with identical matching behaviour.

# check my phone number
alert tcp any any -> any any (msg:"Trojan Activity on SGS2-Mine \(Android\)"; flow:established,from_client; uricontent:"<MyPhoneNumber>"; nocase; \
reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:9000001; rev:1;)
# check wife's phone number
alert tcp any any -> any any (msg:"Trojan Activity on SGS2-Wife \(Android\)"; flow:established,from_client; uricontent:"<MyWifesPhonenumber>"; nocase; \
reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:9000002; rev:1;)
# check connection to C&C server (no content match, so any established
# client->server TCP session to this address alerts, hence "may be inaccurate")
alert tcp any any -> 64.78.161.133 any (msg:"Trojan Activity to C&C server \(Android\). May be inaccurate"; flow:established,from_client; \
reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:9000003; rev:1;)
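To see which of these rules would fire on a given request, here is an added example (not part of the wiki page or of Snort itself): a small parser for single-line Snort 2 rules plus an evaluator for the two match types the rules above use, destination IP and uricontent with nocase. The phone numbers in the embedded rule copies are constructed placeholders, and flow state is assumed to be established/from_client.

```python
import re

# Header: action proto src sport -> dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)$')
# Option: name[:value]; where value may be a quoted string with backslash escapes
OPTION = re.compile(r'\s*([\w-]+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;')

# Constructed copies of the page's three rules (placeholder numbers, no reference option).
RULES = r'''
alert tcp any any -> any any (msg:"Trojan Activity on SGS2-Mine \(Android\)"; flow:established,from_client; uricontent:"004917000000001"; nocase; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"Trojan Activity on SGS2-Wife \(Android\)"; flow:established,from_client; uricontent:"004917000000002"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)
alert tcp any any -> 64.78.161.133 any (msg:"Trojan Activity to C&C server \(Android\). May be inaccurate"; flow:established,from_client; classtype:trojan-activity; sid:9000003; rev:1;)
'''

def parse_rule(line):
    """Split one single-line rule into header fields and an ordered option list."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = []
    for name, value in OPTION.findall(body):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')  # drop quotes, unescape \"
        opts.append((name, value.strip()))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": opts}

def matches(rule, dst_ip, uri):
    """Evaluate only the subset of the rule language the page's rules use."""
    if rule["dst"] != "any" and rule["dst"] != dst_ip:
        return False
    opts = rule["opts"]
    for i, (name, value) in enumerate(opts):
        if name == "uricontent":
            # nocase is a modifier that applies to the immediately preceding content option
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay, needle = (uri.lower(), value.lower()) if nocase else (uri, value)
            if needle not in hay:
                return False
    return True  # a rule with no content option alerts on the header alone

def firing_sids(rules_text, dst_ip, uri):
    """Return the sids of every rule that would alert on one client request."""
    sids = []
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, dst_ip, uri):
            sids.append(int(dict(rule["opts"])["sid"]))
    return sids
```

Running it shows the third rule alerting on an otherwise innocuous request to the C&C address, which is exactly the imprecision the rule's msg warns about.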