Most Effective Malware-Related Snort Signatures
Mon Feb 13 08:41:49 2012
Phase = BotHunter infection phase: (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window
Detects = 30-day signature detection rates based on exposure to 5746 malware infections
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 72% | 299913:1 | 09/06 | 02/12 | 4145 of 5746 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 63% | 3000003:99 | 09/06 | 02/12 | 3667 of 5746 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 58% | 5001684:99 | 09/06 | 02/12 | 3356 of 5746 | bothunter | egg download | bothunter malware windows executable (p... |
| 58% | 2001683:3 | 09/06 | 02/12 | 3342 of 5746 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 57% | 22466:7 | 09/06 | 02/12 | 3303 of 5746 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 48% | 292000032:99 | 09/06 | 02/12 | 2777 of 5746 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 48% | 22000032:6 | 09/06 | 02/12 | 2776 of 5746 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 47% | 3000000:99 | 09/06 | 02/12 | 2724 of 5746 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 27% | 2002750:10 | 09/06 | 02/12 | 1580 of 5746 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 23% | 52123:3 | 09/06 | 02/12 | 1370 of 5746 | snort | outbound scan | registered free attack-responses micros... |
| 21% | 3001441:1 | 09/06 | 02/12 | 1228 of 5746 | snort | egg download | tftp get .exe from external source |
| 21% | 1444:3 | 09/06 | 02/12 | 1228 of 5746 | snort | egg download | tftp get from external source |
| 21% | 2008120:1 | 09/06 | 02/12 | 1228 of 5746 | emerging threats | egg download | policy outbound tftp read request |
| 10% | 2003070:4 | 09/27 | 02/12 | 604 of 5746 | emerging threats | c&c channel | worm korgo.u reporting |
| 08% | 2002749:4 | 09/06 | 02/12 | 482 of 5746 | snort | inbound | policy reserved ip space traffic - bogon nets 1 |
| 02% | 31000004:99 | 09/07 | 02/09 | 143 of 5746 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 01% | 2001569:12 | 09/06 | 02/10 | 114 of 5746 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 2002751:3 | 09/07 | 02/11 | 84 of 5746 | snort | inbound | policy reserved ip space traffic - bogon nets 3 |
| 01% | 2003603:2 | 09/12 | 02/12 | 78 of 5746 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 01% | 22001056:5 | 09/09 | 02/09 | 59 of 5746 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 01% | 2000355:4 | 10/02 | 02/12 | 46 of 5746 | emerging threats | c&c channel | policy irc authorization message |
| 01% | 2000047:4 | 09/09 | 02/09 | 41 of 5746 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 299906:1 | 09/15 | 02/08 | 23 of 5746 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 01% | 21390:5 | 09/10 | 02/08 | 22 of 5746 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 01% | 2007726:2 | 01/18 | 01/18 | 20 of 5746 | emerging threats | egg download | attack response unusual ftp server b... |
| 01% | 3000006:99 | 01/18 | 01/18 | 20 of 5746 | bothunter | egg download | bothunter malware executable upload |
| 01% | 299998:1 | 01/18 | 01/18 | 20 of 5746 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 01% | 23003:4 | 01/18 | 01/18 | 16 of 5746 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 01% | 2000352:6 | 10/13 | 02/09 | 16 of 5746 | emerging threats | local attack prep | attack response irc - dns request on... |
| 01% | 2008124:1 | 10/02 | 02/09 | 15 of 5746 | snort | outbound | trojan likely bot nick in irc (usa +..) |
| 01% | 2000356:4 | 10/02 | 01/18 | 14 of 5746 | emerging threats | c&c channel | policy irc connection |
| 01% | 100000274:2 | 10/02 | 01/12 | 10 of 5746 | snort | c&c channel | community bot gtbot scan command |
| 01% | 2000346:7 | 10/13 | 01/18 | 9 of 5746 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 2406008:43 | 09/17 | 11/10 | 9 of 5746 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002190:2 | 10/26 | 12/24 | 9 of 5746 | emerging threats | egg download | bleeding-edge worm possible upnp infec... |
| 01% | 2003380:3 | 10/26 | 12/24 | 7 of 5746 | snort | outbound | trojan suspicious user-agent - possible trojan... |
| 01% | 52000032:6 | 10/01 | 12/06 | 3 of 5746 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 592000032:99 | 10/01 | 12/06 | 3 of 5746 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 52466:7 | 10/01 | 12/06 | 3 of 5746 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2003081:3 | 11/19 | 11/19 | 2 of 5746 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 2000427:9 | 10/18 | 02/09 | 2 of 5746 | emerging threats | egg download | policy pe exe install windows file d... |
| 01% | 599906:1 | 10/01 | 10/11 | 2 of 5746 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 2002908:2 | 09/10 | 09/10 | 1 of 5746 | snort | inbound | exploit x86 jmpcalladditive encoder |
| 01% | 100000272:2 | 10/18 | 10/18 | 1 of 5746 | snort | c&c channel | community bot gtbot ver command |
| 01% | 22002903:1 | 02/08 | 02/08 | 1 of 5746 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2406022:43 | 10/29 | 10/29 | 1 of 5746 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2000339:4 | 10/18 | 10/18 | 1 of 5746 | snort | inbound | p2p iroffer irc bot offered files advertisement |
| 01% | 2002153:7 | 11/13 | 11/13 | 1 of 5746 | snort | outbound | malware exe as user agent - potential malware |
| 01% | 599913:1 | 12/06 | 12/06 | 1 of 5746 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 2538:15 | 01/10 | 01/10 | 1 of 5746 | snort | inbound exploit | netbios smb ipc$ unicode share access |