Download the Snort signatures that have proven most effective at detecting malware infections in our Malware Honeynet.

Most Effective Malware-Related Snort Signatures

Sun Mar 21 08:41:35 2010

160 Day Rule Set

Phase = BotHunter infection phase: (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window
Detects = 30-day signature detection rates based on exposure to 7132 malware infections

Detects | SID | First | Last | Infects (of 7132) | Author | Phase | Description
55% | 299913:1 | 10/12 | 03/20 | 3943 | snort | inbound exploit | shellcode x86 0x90 unicode noop
40% | 52123:3 | 10/12 | 03/20 | 2871 | snort | outbound scan | registered free attack-responses micros...
35% | 3001441:1 | 10/12 | 03/20 | 2505 | snort | egg download | tftp get .exe from external source
35% | 1444:3 | 10/12 | 03/20 | 2505 | snort | egg download | tftp get from external source
35% | 2008120:1 | 10/12 | 03/20 | 2505 | emerging threats | egg download | policy outbound tftp read request
29% | 5001684:99 | 10/12 | 03/20 | 2122 | bothunter | egg download | bothunter malware windows executable (p...
29% | 2001683:3 | 10/12 | 03/20 | 2109 | emerging threats | egg download | bleeding-edge malware windows executabl...
28% | 22466:7 | 10/12 | 03/20 | 2013 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access
20% | 2002750:10 | 10/12 | 03/20 | 1427 | snort | inbound policy | reserved ip space traffic - bogon nets 2
14% | 22000032:6 | 10/12 | 03/20 | 1027 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit
14% | 292000032:99 | 10/12 | 03/20 | 1027 | bothunter | inbound exploit | bothunter exploit lsa exploit
13% | 3000003:99 | 10/12 | 03/20 | 970 | bothunter | egg download | bothunter http-based .exe upload on bac...
12% | 3000000:99 | 10/12 | 03/20 | 911 | bothunter | egg download | bothunter http-based .exe upload on bac...
05% | 2003603:2 | 10/12 | 03/20 | 406 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch...
04% | 31000004:99 | 10/12 | 03/20 | 344 | bothunter | egg download | bothunter scrip-based windows egg downl...
03% | 2003070:4 | 10/12 | 03/18 | 277 | emerging threats | c&c channel | worm korgo.u reporting
03% | 21390:5 | 10/13 | 01/28 | 218 | snort | inbound exploit | registered free shellcode x86 inc ebx noop
03% | 299998:1 | 10/13 | 01/17 | 216 | snort | inbound exploit | shellcode x86 inc ebx noop
02% | 2000352:6 | 10/12 | 03/08 | 206 | emerging threats | local attack prep | attack response irc - dns request on...
02% | 2000427:9 | 11/03 | 03/12 | 168 | emerging threats | egg download | policy pe exe install windows file d...
02% | 2000346:7 | 10/12 | 03/08 | 164 | emerging threats | c&c channel | attack response irc - name response ...
01% | 3000005:99 | 01/03 | 01/17 | 140 | bothunter | egg download | bothunter malware executable upload
01% | 299906:1 | 10/12 | 02/21 | 91 | snort | inbound exploit | shellcode x86 0x90 unicode noop
01% | 2003484:5 | 11/21 | 01/06 | 84 | snort | outbound worm | allaple unique http request - possibly pa...
01% | 2000047:4 | 10/12 | 03/20 | 83 | emerging threats | egg download | worm sasser transfer _up.exe
01% | 22001056:5 | 10/12 | 03/20 | 82 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -...
01% | 2000355:4 | 10/13 | 03/18 | 80 | emerging threats | c&c channel | policy irc authorization message
01% | 2001894:5 | 10/13 | 02/12 | 78 | snort | outbound malware | toolbarpartner spyware agent partner i...
01% | 3000006:99 | 10/13 | 11/13 | 70 | bothunter | egg download | bothunter malware executable upload
01% | 2001569:12 | 10/13 | 03/20 | 58 | emerging threats | outbound scan | scan behavioral unusual port 445 tra...
01% | 2007726:2 | 10/13 | 12/05 | 43 | emerging threats | egg download | attack response unusual ftp server b...
01% | 2406000:7 | 10/13 | 11/13 | 36 | emerging threats | c&c channel | rbn known russian business network t...
01% | 2406019:43 | 10/13 | 11/13 | 36 | emerging threats | c&c channel | rbn known russian business network m...
01% | 23003:4 | 10/13 | 11/13 | 30 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un...
01% | 2008124:1 | 10/22 | 02/27 | 29 | snort | outbound trojan | likely bot nick in irc (usa +..)
01% | 2000356:4 | 10/16 | 02/27 | 25 | emerging threats | c&c channel | policy irc connection
01% | 100000274:2 | 11/19 | 02/27 | 22 | snort | c&c channel | community bot gtbot scan command
01% | 100000273:2 | 01/08 | 03/19 | 18 | snort | c&c channel | community bot gtbot info command
01% | 2002029:7 | 10/30 | 02/11 | 16 | emerging threats | c&c channel | trojan bot - channel topic scan/expl...
01% | 2406022:43 | 11/06 | 02/14 | 11 | emerging threats | c&c channel | rbn known russian business network m...
01% | 2001184:5 | 11/03 | 12/17 | 9 | emerging threats | c&c channel | bleeding-edge worm rxbot / rbot vulnera...
01% | 2003081:3 | 10/30 | 03/10 | 8 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath...
01% | 2404001:1142 | 10/20 | 02/12 | 8 | emerging threats | c&c channel | drop known bot c&c server traffic (g...
01% | 2002030:10 | 12/01 | 02/11 | 7 | emerging threats | c&c channel | trojan bot - potential scan/exploit ...
01% | 3000007:99 | 11/03 | 11/03 | 4 | bothunter | egg download | bothunter malware executable upload
01% | 22475:7 | 11/21 | 12/22 | 3 | snort | inbound exploit | netbios smb-ds admin$ unicode share access
01% | 2003082:3 | 12/05 | 12/26 | 3 | emerging threats | inbound exploit | exploit netbios smb-ds dcerpc netrpp...
01% | 2538:15 | 12/25 | 02/19 | 3 | snort | inbound exploit | netbios smb ipc$ unicode share access
01% | 2003579:2 | 02/02 | 02/04 | 2 | snort | outbound malware | findwhat.com spyware (clickthrough)
01% | 2002031:13 | 11/30 | 12/10 | 2 | snort | inbound trojan | bot - potential update/download
01% | 51390:5 | 11/03 | 11/03 | 2 | snort | outbound scan | registered free shellcode x86 inc ebx noop
01% | 599998:1 | 11/03 | 11/03 | 2 | snort | outbound scan | shellcode x86 inc ebx noop
01% | 2406032:43 | 10/31 | 11/08 | 2 | emerging threats | c&c channel | rbn known russian business network m...
01% | 2404011:1142 | 12/21 | 12/28 | 2 | emerging threats | c&c channel | drop known bot c&c server traffic (g...
01% | 2002363:10 | 02/27 | 02/27 | 1 | snort | inbound trojan | bot - potential reptile commands
01% | 2404007:1142 | 10/29 | 10/29 | 1 | emerging threats | c&c channel | drop known bot c&c server traffic (g...
01% | 2406021:43 | 12/21 | 12/21 | 1 | emerging threats | c&c channel | rbn known russian business network m...
01% | 22002903:1 | 12/18 | 12/18 | 1 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov...
01% | 2007632:2 | 10/21 | 10/21 | 1 | snort | outbound trojan | possible gozi trojan checkin
01% | 32000004:99 | 10/13 | 10/13 | 1 | bothunter | egg download | bothunter malware executable upload
01% | 2003636:3 | 10/14 | 10/14 | 1 | emerging threats | c&c channel | virus sality virus user agent detect...
01% | 2000537:4 | 11/27 | 11/27 | 1 | snort | inbound scan | nmap -ss
01% | 2404013:1142 | 10/16 | 10/16 | 1 | emerging threats | c&c channel | drop known bot c&c server traffic (g...
01% | 2003088:3 | 10/14 | 10/14 | 1 | emerging threats | c&c channel | virus sality trojan user-agent (kuku...
01% | 2002033:12 | 02/27 | 02/27 | 1 | emerging threats | c&c channel | trojan bot - potential response
01% | 2002911:2 | 11/21 | 11/21 | 1 | emerging threats | inbound scan | scan potential vnc scan 5900-5920
01% | 2002751:3 | 11/04 | 11/04 | 1 | snort | inbound policy | reserved ip space traffic - bogon nets 3
01% | 599913:1 | 12/01 | 12/01 | 1 | snort | outbound scan | shellcode x86 0x90 unicode noop
01% | 2002854:2 | 10/21 | 10/21 | 1 | snort | outbound trojan | orderjack reporting user activity
01% | 2000545:4 | 11/27 | 11/27 | 1 | snort | inbound scan | nmap -f -ss