Most Effective Malware-Related Snort Signatures
Sun Mar 21 08:41:35 2010
Column key:

- **Phase**: BotHunter infection phase (scan, infection, egg download, C&C, outbound attack)
- **Malcode**: number of unique malware binaries that this rule fired on during the analysis window
- **Infects**: number of malware infections that this rule detected during the analysis window
- **Detects**: 30-day signature detection rate based on exposure to 7132 malware infections
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 55% | 299913:1 | 10/12 | 03/20 | 3943 of 7132 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 40% | 52123:3 | 10/12 | 03/20 | 2871 of 7132 | snort | outbound scan | registered free attack-responses micros... |
| 35% | 3001441:1 | 10/12 | 03/20 | 2505 of 7132 | snort | egg download | tftp get .exe from external source |
| 35% | 1444:3 | 10/12 | 03/20 | 2505 of 7132 | snort | egg download | tftp get from external source |
| 35% | 2008120:1 | 10/12 | 03/20 | 2505 of 7132 | emerging threats | egg download | policy outbound tftp read request |
| 29% | 5001684:99 | 10/12 | 03/20 | 2122 of 7132 | bothunter | egg download | bothunter malware windows executable (p... |
| 29% | 2001683:3 | 10/12 | 03/20 | 2109 of 7132 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 28% | 22466:7 | 10/12 | 03/20 | 2013 of 7132 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 20% | 2002750:10 | 10/12 | 03/20 | 1427 of 7132 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 14% | 22000032:6 | 10/12 | 03/20 | 1027 of 7132 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 14% | 292000032:99 | 10/12 | 03/20 | 1027 of 7132 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 13% | 3000003:99 | 10/12 | 03/20 | 970 of 7132 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 12% | 3000000:99 | 10/12 | 03/20 | 911 of 7132 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 05% | 2003603:2 | 10/12 | 03/20 | 406 of 7132 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 04% | 31000004:99 | 10/12 | 03/20 | 344 of 7132 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 03% | 2003070:4 | 10/12 | 03/18 | 277 of 7132 | emerging threats | c&c channel | worm korgo.u reporting |
| 03% | 21390:5 | 10/13 | 01/28 | 218 of 7132 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 03% | 299998:1 | 10/13 | 01/17 | 216 of 7132 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 02% | 2000352:6 | 10/12 | 03/08 | 206 of 7132 | emerging threats | local attack prep | attack response irc - dns request on... |
| 02% | 2000427:9 | 11/03 | 03/12 | 168 of 7132 | emerging threats | egg download | policy pe exe install windows file d... |
| 02% | 2000346:7 | 10/12 | 03/08 | 164 of 7132 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 3000005:99 | 01/03 | 01/17 | 140 of 7132 | bothunter | egg download | bothunter malware executable upload |
| 01% | 299906:1 | 10/12 | 02/21 | 91 of 7132 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 01% | 2003484:5 | 11/21 | 01/06 | 84 of 7132 | snort | outbound | worm allaple unique http request - possibly pa... |
| 01% | 2000047:4 | 10/12 | 03/20 | 83 of 7132 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 22001056:5 | 10/12 | 03/20 | 82 of 7132 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 01% | 2000355:4 | 10/13 | 03/18 | 80 of 7132 | emerging threats | c&c channel | policy irc authorization message |
| 01% | 2001894:5 | 10/13 | 02/12 | 78 of 7132 | snort | outbound | malware toolbarpartner spyware agent partner i... |
| 01% | 3000006:99 | 10/13 | 11/13 | 70 of 7132 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2001569:12 | 10/13 | 03/20 | 58 of 7132 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 2007726:2 | 10/13 | 12/05 | 43 of 7132 | emerging threats | egg download | attack response unusual ftp server b... |
| 01% | 2406000:7 | 10/13 | 11/13 | 36 of 7132 | emerging threats | c&c channel | rbn known russian business network t... |
| 01% | 2406019:43 | 10/13 | 11/13 | 36 of 7132 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 23003:4 | 10/13 | 11/13 | 30 of 7132 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 01% | 2008124:1 | 10/22 | 02/27 | 29 of 7132 | snort | outbound | trojan likely bot nick in irc (usa +..) |
| 01% | 2000356:4 | 10/16 | 02/27 | 25 of 7132 | emerging threats | c&c channel | policy irc connection |
| 01% | 100000274:2 | 11/19 | 02/27 | 22 of 7132 | snort | c&c channel | community bot gtbot scan command |
| 01% | 100000273:2 | 01/08 | 03/19 | 18 of 7132 | snort | c&c channel | community bot gtbot info command |
| 01% | 2002029:7 | 10/30 | 02/11 | 16 of 7132 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 01% | 2406022:43 | 11/06 | 02/14 | 11 of 7132 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2001184:5 | 11/03 | 12/17 | 9 of 7132 | emerging threats | c&c channel | bleeding-edge worm rxbot / rbot vulnera... |
| 01% | 2003081:3 | 10/30 | 03/10 | 8 of 7132 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 2404001:1142 | 10/20 | 02/12 | 8 of 7132 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2002030:10 | 12/01 | 02/11 | 7 of 7132 | emerging threats | c&c channel | trojan bot - potential scan/exploit ... |
| 01% | 3000007:99 | 11/03 | 11/03 | 4 of 7132 | bothunter | egg download | bothunter malware executable upload |
| 01% | 22475:7 | 11/21 | 12/22 | 3 of 7132 | snort | inbound exploit | netbios smb-ds admin$ unicode share access |
| 01% | 2003082:3 | 12/05 | 12/26 | 3 of 7132 | emerging threats | inbound exploit | exploit netbios smb-ds dcerpc netrpp... |
| 01% | 2538:15 | 12/25 | 02/19 | 3 of 7132 | snort | inbound exploit | netbios smb ipc$ unicode share access |
| 01% | 2003579:2 | 02/02 | 02/04 | 2 of 7132 | snort | outbound | malware findwhat.com spyware (clickthrough) |
| 01% | 2002031:13 | 11/30 | 12/10 | 2 of 7132 | snort | inbound | trojan bot - potential update/download |
| 01% | 51390:5 | 11/03 | 11/03 | 2 of 7132 | snort | outbound scan | registered free shellcode x86 inc ebx noop |
| 01% | 599998:1 | 11/03 | 11/03 | 2 of 7132 | snort | outbound scan | shellcode x86 inc ebx noop |
| 01% | 2406032:43 | 10/31 | 11/08 | 2 of 7132 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2404011:1142 | 12/21 | 12/28 | 2 of 7132 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2002363:10 | 02/27 | 02/27 | 1 of 7132 | snort | inbound | trojan bot - potential reptile commands |
| 01% | 2404007:1142 | 10/29 | 10/29 | 1 of 7132 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2406021:43 | 12/21 | 12/21 | 1 of 7132 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 22002903:1 | 12/18 | 12/18 | 1 of 7132 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2007632:2 | 10/21 | 10/21 | 1 of 7132 | snort | outbound | trojan possible gozi trojan checkin |
| 01% | 32000004:99 | 10/13 | 10/13 | 1 of 7132 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2003636:3 | 10/14 | 10/14 | 1 of 7132 | emerging threats | c&c channel | virus sality virus user agent detect... |
| 01% | 2000537:4 | 11/27 | 11/27 | 1 of 7132 | snort | inbound | scan nmap -ss |
| 01% | 2404013:1142 | 10/16 | 10/16 | 1 of 7132 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2003088:3 | 10/14 | 10/14 | 1 of 7132 | emerging threats | c&c channel | virus sality trojan user-agent (kuku... |
| 01% | 2002033:12 | 02/27 | 02/27 | 1 of 7132 | emerging threats | c&c channel | trojan bot - potential response |
| 01% | 2002911:2 | 11/21 | 11/21 | 1 of 7132 | emerging threats | inbound scan | scan potential vnc scan 5900-5920 |
| 01% | 2002751:3 | 11/04 | 11/04 | 1 of 7132 | snort | inbound | policy reserved ip space traffic - bogon nets 3 |
| 01% | 599913:1 | 12/01 | 12/01 | 1 of 7132 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 2002854:2 | 10/21 | 10/21 | 1 of 7132 | snort | outbound | trojan orderjack reporting user activity |
| 01% | 2000545:4 | 11/27 | 11/27 | 1 of 7132 | snort | inbound | scan nmap -f -ss |