Snort
From SchnallIchNet
my rules
Some rules I wrote...
Trojans Android
Some rules on Android trojans...
Android Trojan 01
Ref: https://www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack
Rules:
# check my phone number
alert tcp any any -> any any (msg:"Trojan Activity on SGS2-Mine \(Android\)"; flow:established,from_client; uricontent:"<MyPhoneNumber>"; nocase; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:9000001; rev:1;)

# check wife's phone number
alert tcp any any -> any any (msg:"Trojan Activity on SGS2-Wife \(Android\)"; flow:established,from_client; uricontent:"<MyWifesPhonenumber>"; nocase; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:9000002; rev:1;)

# check connection to C&C server
alert tcp any any -> 64.78.161.133 any (msg:"Trojan Activity to C&C server \(Android\). May be inaccurate"; flow:established,from_client; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:9000003; rev:1;)
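As an added example (not part of the original page), a small Python matcher that parses two of the rules above and evaluates them against constructed client HTTP requests: the phone-number rule fires on any request whose percent-decoded URI contains the number (case-insensitively), while the C&C rule fires on any established connection to 64.78.161.133 regardless of content, which is why the author marks it "may be inaccurate". The phone number, the request URIs and the non-C&C destination address are constructed stand-ins, and flow/port conditions are assumed satisfied.

```python
import re
from urllib.parse import unquote

# Two of the page's rules as constructed test input (reference options dropped).
# The phone number is a constructed stand-in for the page's <MyPhoneNumber>.
RULES_TEXT = r'''
alert tcp any any -> any any (msg:"Trojan Activity on SGS2-Mine \(Android\)"; flow:established,from_client; uricontent:"+491511234567"; nocase; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp any any -> 64.78.161.133 any (msg:"Trojan Activity to C&C server \(Android\). May be inaccurate"; flow:established,from_client; classtype:trojan-activity; sid:9000003; rev:1;)
'''

HEADER = re.compile(r'^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')

def parse_rules(text):
    """Parse the rule header and the options this matcher understands."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            raise ValueError("unparsable rule: " + line)
        _proto, _src, _sport, dst, _dport, body = m.groups()
        rule = {"dst_ip": dst, "sid": None, "msg": "", "uricontent": None, "nocase": False}
        for opt in filter(None, (o.strip() for o in body.split(";"))):
            key, _, val = opt.partition(":")
            val = val.strip().strip('"')
            if key == "sid":
                rule["sid"] = int(val)
            elif key in ("msg", "uricontent"):
                rule[key] = val
            elif key == "nocase":
                rule["nocase"] = True
        rules.append(rule)
    return rules

def rule_matches(rule, dst_ip, uri):
    """Evaluate one rule against a client->server HTTP request (flow and
    ports assumed satisfied; the C&C rule carries no content test at all)."""
    if rule["dst_ip"] != "any" and rule["dst_ip"] != dst_ip:
        return False
    if rule["uricontent"] is not None:
        # Snort's http_inspect matches uricontent against the normalised URI,
        # so percent-encoding is decoded before the substring test.
        hay, needle = unquote(uri), rule["uricontent"]
        if rule["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

def fired_sids(rules, dst_ip, uri):
    """Return the sids of all rules that alert on this request, in rule order."""
    return [r["sid"] for r in rules if rule_matches(r, dst_ip, uri)]
```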