Re: Proposed Signature for Keystrokes iKeyMonitor iOS Keylogger

[Bad Horse <b4dh0rs3 () gmail com>]

Hello.  Wouldn't this be "from_server" and not "to_server" along with
"$HOME_NET any -> any any" ?

I could be not understanding this though but if the page is being served I
think it should be "from_server".

Cheers.

-Bad Horse
 The Thoroughbred of SYN

On Tue, Mar 20, 2012 at 2:42 PM, Community Signatures
<lists () packetmail net>wrote:

> Pretty simple. Content matches pulled from deb package. Sig to detect on
> access of keystrokes/webhistory/etc webpage served from iOS device.
> Match on the page served up at offset 000109da in MobileSafe.dylib
>
> alert tcp any any -> $HOME_NET 8888
> (msg:"ET POLICY iOS Keylogger iKeyMonitor device access";
> flow:to_server,established;
> content:"/><title>Keystrokes - iKeyMonitor</title><style ";
> reference:url,
> moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp;
> threshold:type limit, track by_src, count 1, seconds 600;
> classtype:policy-violation"; sid:x; rev:1;)
>
> Thanks,
> Nathan
>
>
>
> ------------------------------------------------------------------------------
> This SF email is sponsosred by:
> Try Windows Azure free for 90 days Click Here
> http://p.sf.net/sfu/sfd2d-msazure
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!