If you are interested in looking for BugBear infections with RealSecure 7.0 or Proventia, here are some TRONS rules to detect the mail transmissions. Since these are text matches on subjects, legit subject headers will also be flagged.
alert tcp any any -> any 25 (msg:"BugBearB";content:"25 merchants and rising";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Announcement";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"bad news";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"CALL FOR INFORMATION!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"click on this!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Correction of errors";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Cows";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Daily Email Reminder";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"empty account";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"fantastic";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"free shipping!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Get 8 FREE issues - no risk!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Get a FREE gift!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Greets!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Hello!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Hi!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"history screen";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"hmm..";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"I need help about script!!!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Interesting...";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Introduction";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"its easy";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Just a reminder";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Lost & Found";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Market Update Report";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Membership Confirmation";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"My eBay ads";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"New bonus in your cash account";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"New Contests";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"new reading";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"News";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Payment notices";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Please Help...";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Re: $150 FREE Bonus!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Report";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"SCAM alert!!!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Sponsors needed";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Stats";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Today Only";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Tools For Your Online Business";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"update";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"various";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Warning!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"wow!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Your Gift";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Your News Alert";sid:1;rev:1;)

--------------------------------------------------------------
Chris Rouland
Vice President X-Force R&D
Internet Security Systems, Inc.
http://xforce.iss.net
[EMAIL PROTECTED]

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
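The false-positive caveat in the post is worth seeing concretely. The script below is an added example, not part of the post or of ISS's TRONS/RealSecure code: it parses a handful of the rules above, then applies each `content` string two ways against three constructed sample messages, first as a plain substring match over the whole SMTP payload (which is how an unqualified Snort-style `content` option behaves, and what the post's rules are assumed to do), then restricted to the Subject header only. The message texts, the `parse_rules`/`match_anywhere`/`match_subject_only` helpers and the `compare` function are all constructed here for illustration; the regexes assume the exact option syntax used in the post (no escaped quotes or semicolons inside values).

```python
import re
from email.parser import Parser

# Five of the rules from the post, pasted verbatim as sample input for the parser.
RULES_TEXT = """\
alert tcp any any -> any 25 (msg:"BugBearB";content:"Daily Email Reminder";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Hi!";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"update";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Your News Alert";sid:1;rev:1;)
alert tcp any any -> any 25 (msg:"BugBearB";content:"Re: $150 FREE Bonus!";sid:1;rev:1;)
"""

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
# Option syntax as written in the post: key:"quoted value"; or key:value;
# (assumption: values never contain a double quote or a semicolon)
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')


def parse_rules(text):
    """Parse Snort/TRONS-style rule lines into dicts of the fields we match on."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a rule
        opts = dict(OPT_RE.findall(m.group("opts")))
        rules.append({
            "proto": m.group("proto"),
            "dport": m.group("dport"),
            "msg": opts.get("msg", ""),
            "content": opts["content"],
            "sid": opts.get("sid"),
        })
    return rules


def match_anywhere(rules, message):
    """What the posted rules do: case-sensitive substring match anywhere in the
    SMTP payload, headers and body alike (a plain Snort 'content' option)."""
    return sorted({r["content"] for r in rules if r["content"] in message})


def match_subject_only(rules, message):
    """Tighter variant: apply the same strings only to the Subject header."""
    subject = Parser().parsestr(message).get("Subject", "")
    return sorted({r["content"] for r in rules if r["content"] in subject})


# Constructed sample messages (the text a sensor would see after the SMTP DATA
# command). Addresses use the reserved .test TLD.
WORM_MSG = """\
From: alice@example.test
To: bob@example.test
Subject: Daily Email Reminder

Please see the attached file.
"""

BENIGN_BODY_MSG = """\
From: carol@example.test
To: dave@example.test
Subject: Meeting notes

Say Hi! to the team and update the schedule.
"""

BENIGN_SUBJECT_MSG = """\
From: erin@example.test
To: frank@example.test
Subject: Your News Alert for Monday

Nothing here matches the body checks.
"""

SAMPLE_MESSAGES = {
    "worm_like": WORM_MSG,
    "benign_body": BENIGN_BODY_MSG,
    "benign_subject": BENIGN_SUBJECT_MSG,
}


def compare(rules, messages=SAMPLE_MESSAGES):
    """Return {name: (anywhere_hits, subject_only_hits)} for each sample message."""
    return {name: (match_anywhere(rules, msg), match_subject_only(rules, msg))
            for name, msg in messages.items()}


if __name__ == "__main__":
    for name, (anywhere, subject) in compare(parse_rules(RULES_TEXT)).items():
        print(f"{name:15s} anywhere={anywhere} subject_only={subject}")
```

Running it shows the two failure modes a defender should expect from this rule set: the benign body message trips "Hi!" and "update" because a bare `content` match looks at the whole payload, not the Subject line, and the benign subject message still trips "Your News Alert" even when the match is confined to the header, which is exactly the "legit subject headers will also be flagged" caveat in the post. Anchoring the string to the header (for example `content:"Subject: Your News Alert"` in Snort syntax) removes the first class of false positives but not the second, so these rules are best treated as a triage signal to be correlated with the attachment, not as a verdict on their own.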
