Download the most effective malware infection detection Snort signatures as experienced by our Malware Honeynet.

Most Effective Malware-Related Snort Signatures

Sun Nov 22 08:50:36 2009

160 Day Rule Set

Phase = BotHunter infection phase: (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window
Detects = 30-day signature detection rates based on exposure to 4291 malware infections

| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 56% | 299913:1 | 09/01 | 11/21 | 2441 of 4291 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 41% | 5001684:99 | 09/01 | 11/21 | 1799 of 4291 | bothunter | egg download | bothunter malware windows executable (p... |
| 41% | 2001683:3 | 09/01 | 11/21 | 1795 of 4291 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 37% | 52123:3 | 09/01 | 11/21 | 1588 of 4291 | snort | outbound scan | registered free attack-responses micros... |
| 29% | 3001441:1 | 09/01 | 11/21 | 1284 of 4291 | snort | egg download | tftp get .exe from external source |
| 29% | 1444:3 | 09/01 | 11/21 | 1284 of 4291 | snort | egg download | tftp get from external source |
| 29% | 2008120:1 | 09/01 | 11/21 | 1284 of 4291 | emerging threats | egg download | policy outbound tftp read request |
| 28% | 22466:7 | 09/01 | 11/21 | 1232 of 4291 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 18% | 292000032:99 | 09/01 | 11/21 | 813 of 4291 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 18% | 22000032:6 | 09/01 | 11/21 | 812 of 4291 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 18% | 3000003:99 | 09/01 | 11/21 | 780 of 4291 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 17% | 3000000:99 | 09/01 | 11/21 | 747 of 4291 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 15% | 299998:1 | 09/01 | 11/13 | 681 of 4291 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 15% | 21390:5 | 09/01 | 11/13 | 681 of 4291 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 14% | 2002750:10 | 09/01 | 11/21 | 636 of 4291 | snort | inbound policy | reserved ip space traffic - bogon nets 2 |
| 14% | 3000006:99 | 09/01 | 11/13 | 615 of 4291 | bothunter | egg download | bothunter malware executable upload |
| 08% | 2000352:6 | 09/01 | 11/21 | 345 of 4291 | emerging threats | local attack prep | attack response irc - dns request on... |
| 06% | 2003070:4 | 09/01 | 11/21 | 290 of 4291 | emerging threats | c&c channel | worm korgo.u reporting |
| 06% | 31000004:99 | 09/01 | 11/21 | 286 of 4291 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 06% | 23003:4 | 09/01 | 11/13 | 265 of 4291 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 05% | 2000355:4 | 09/01 | 11/19 | 242 of 4291 | emerging threats | c&c channel | policy irc authorization message |
| 05% | 2406000:7 | 09/01 | 11/13 | 218 of 4291 | emerging threats | c&c channel | rbn known russian business network t... |
| 05% | 2406019:43 | 09/01 | 11/13 | 218 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 04% | 2007726:2 | 09/10 | 11/13 | 189 of 4291 | emerging threats | egg download | attack response unusual ftp server b... |
| 03% | 2003603:2 | 09/01 | 11/21 | 170 of 4291 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 03% | 2000346:7 | 09/01 | 11/21 | 129 of 4291 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 32000004:99 | 09/01 | 10/13 | 66 of 4291 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2008124:1 | 09/01 | 11/19 | 63 of 4291 | snort | outbound trojan | likely bot nick in irc (usa +..) |
| 01% | 2000047:4 | 09/02 | 11/21 | 63 of 4291 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 22001056:5 | 09/02 | 11/21 | 61 of 4291 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 01% | 2000356:4 | 09/01 | 11/20 | 59 of 4291 | emerging threats | c&c channel | policy irc connection |
| 01% | 2001894:5 | 09/03 | 11/19 | 44 of 4291 | snort | outbound malware | toolbarpartner spyware agent partner i... |
| 01% | 2000427:9 | 09/01 | 11/13 | 42 of 4291 | emerging threats | egg download | policy pe exe install windows file d... |
| 01% | 299906:1 | 09/01 | 11/20 | 34 of 4291 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 01% | 2001569:12 | 09/03 | 11/21 | 33 of 4291 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 3000007:99 | 09/01 | 11/03 | 24 of 4291 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2002029:7 | 09/01 | 11/20 | 24 of 4291 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 01% | 2003484:5 | 11/21 | 11/21 | 17 of 4291 | snort | outbound worm | allaple unique http request - possibly pa... |
| 01% | 2001184:5 | 09/24 | 11/03 | 15 of 4291 | emerging threats | c&c channel | bleeding-edge worm rxbot / rbot vulnera... |
| 01% | 100000274:2 | 09/06 | 11/19 | 13 of 4291 | snort | c&c channel | community bot gtbot scan command |
| 01% | 2404011:1142 | 09/01 | 10/02 | 10 of 4291 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2404013:1142 | 09/02 | 10/16 | 6 of 4291 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2002986:2 | 09/09 | 09/29 | 5 of 4291 | emerging threats | egg download | policy icq install direct download -... |
| 01% | 2406021:43 | 09/01 | 09/19 | 5 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2406032:43 | 09/03 | 11/08 | 5 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002030:10 | 09/06 | 10/04 | 4 of 4291 | emerging threats | c&c channel | trojan bot - potential scan/exploit ... |
| 01% | 2003081:3 | 09/01 | 10/30 | 4 of 4291 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 2404001:1142 | 10/20 | 11/10 | 4 of 4291 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 51390:5 | 09/29 | 11/03 | 3 of 4291 | snort | outbound scan | registered free shellcode x86 inc ebx noop |
| 01% | 599998:1 | 09/29 | 11/03 | 3 of 4291 | snort | outbound scan | shellcode x86 inc ebx noop |
| 01% | 52000032:6 | 09/01 | 09/08 | 2 of 4291 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 52466:7 | 09/01 | 09/08 | 2 of 4291 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2002751:3 | 10/08 | 11/04 | 2 of 4291 | snort | inbound policy | reserved ip space traffic - bogon nets 3 |
| 01% | 599913:1 | 09/01 | 09/08 | 2 of 4291 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 592000032:99 | 09/01 | 09/08 | 2 of 4291 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 2002400:12 | 09/29 | 09/29 | 1 of 4291 | snort | outbound malware | suspicious user agent (microsoft inter... |
| 01% | 2404007:1142 | 10/29 | 10/29 | 1 of 4291 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
| 01% | 2406006:43 | 09/03 | 09/03 | 1 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 22475:7 | 11/21 | 11/21 | 1 of 4291 | snort | inbound exploit | netbios smb-ds admin$ unicode share access |
| 01% | 22002903:1 | 09/25 | 09/25 | 1 of 4291 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2007632:2 | 10/21 | 10/21 | 1 of 4291 | snort | outbound trojan | possible gozi trojan checkin |
| 01% | 2003082:3 | 09/15 | 09/15 | 1 of 4291 | emerging threats | inbound exploit | exploit netbios smb-ds dcerpc netrpp... |
| 01% | 2003636:3 | 10/14 | 10/14 | 1 of 4291 | emerging threats | c&c channel | virus sality virus user agent detect... |
| 01% | 2003088:3 | 10/14 | 10/14 | 1 of 4291 | emerging threats | c&c channel | virus sality trojan user-agent (kuku... |
| 01% | 2002911:2 | 11/21 | 11/21 | 1 of 4291 | emerging threats | inbound scan | scan potential vnc scan 5900-5920 |
| 01% | 2406022:43 | 11/06 | 11/06 | 1 of 4291 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2001899:8 | 09/09 | 09/09 | 1 of 4291 | snort | outbound botnet | http botnet reg |
| 01% | 2003157:3 | 09/25 | 09/25 | 1 of 4291 | emerging threats | inbound exploit | trojan agobot-sdbot commands |
| 01% | 2002854:2 | 10/21 | 10/21 | 1 of 4291 | snort | outbound trojan | orderjack reporting user activity |
| 01% | 2001901:4 | 09/09 | 09/09 | 1 of 4291 | snort | outbound trojan | possible bobax trojan infection |