Download the most effective malware infection detection Snort signatures as experienced by our Malware Honeynet.

Most Effective Malware-Related Snort Signatures

Mon Feb 13 08:41:49 2012

160 Day Rule Set

Phase = BotHunter infection phase: (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window
Detects = 30-day signature detection rates based on exposure to 5746 malware infections

| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 72% | 299913:1 | 09/06 | 02/12 | 4145 of 5746 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 63% | 3000003:99 | 09/06 | 02/12 | 3667 of 5746 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 58% | 5001684:99 | 09/06 | 02/12 | 3356 of 5746 | bothunter | egg download | bothunter malware windows executable (p... |
| 58% | 2001683:3 | 09/06 | 02/12 | 3342 of 5746 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 57% | 22466:7 | 09/06 | 02/12 | 3303 of 5746 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 48% | 292000032:99 | 09/06 | 02/12 | 2777 of 5746 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 48% | 22000032:6 | 09/06 | 02/12 | 2776 of 5746 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 47% | 3000000:99 | 09/06 | 02/12 | 2724 of 5746 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 27% | 2002750:10 | 09/06 | 02/12 | 1580 of 5746 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 23% | 52123:3 | 09/06 | 02/12 | 1370 of 5746 | snort | outbound scan | registered free attack-responses micros... |
| 21% | 3001441:1 | 09/06 | 02/12 | 1228 of 5746 | snort | egg download | tftp get .exe from external source |
| 21% | 1444:3 | 09/06 | 02/12 | 1228 of 5746 | snort | egg download | tftp get from external source |
| 21% | 2008120:1 | 09/06 | 02/12 | 1228 of 5746 | emerging threats | egg download | policy outbound tftp read request |
| 10% | 2003070:4 | 09/27 | 02/12 | 604 of 5746 | emerging threats | c&c channel | worm korgo.u reporting |
| 08% | 2002749:4 | 09/06 | 02/12 | 482 of 5746 | snort | inbound | policy reserved ip space traffic - bogon nets 1 |
| 02% | 31000004:99 | 09/07 | 02/09 | 143 of 5746 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 01% | 2001569:12 | 09/06 | 02/10 | 114 of 5746 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 2002751:3 | 09/07 | 02/11 | 84 of 5746 | snort | inbound | policy reserved ip space traffic - bogon nets 3 |
| 01% | 2003603:2 | 09/12 | 02/12 | 78 of 5746 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 01% | 22001056:5 | 09/09 | 02/09 | 59 of 5746 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 01% | 2000355:4 | 10/02 | 02/12 | 46 of 5746 | emerging threats | c&c channel | policy irc authorization message |
| 01% | 2000047:4 | 09/09 | 02/09 | 41 of 5746 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 299906:1 | 09/15 | 02/08 | 23 of 5746 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 01% | 21390:5 | 09/10 | 02/08 | 22 of 5746 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 01% | 2007726:2 | 01/18 | 01/18 | 20 of 5746 | emerging threats | egg download | attack response unusual ftp server b... |
| 01% | 3000006:99 | 01/18 | 01/18 | 20 of 5746 | bothunter | egg download | bothunter malware executable upload |
| 01% | 299998:1 | 01/18 | 01/18 | 20 of 5746 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 01% | 23003:4 | 01/18 | 01/18 | 16 of 5746 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 01% | 2000352:6 | 10/13 | 02/09 | 16 of 5746 | emerging threats | local attack prep | attack response irc - dns request on... |
| 01% | 2008124:1 | 10/02 | 02/09 | 15 of 5746 | snort | outbound | trojan likely bot nick in irc (usa +..) |
| 01% | 2000356:4 | 10/02 | 01/18 | 14 of 5746 | emerging threats | c&c channel | policy irc connection |
| 01% | 100000274:2 | 10/02 | 01/12 | 10 of 5746 | snort | c&c channel | community bot gtbot scan command |
| 01% | 2000346:7 | 10/13 | 01/18 | 9 of 5746 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 2406008:43 | 09/17 | 11/10 | 9 of 5746 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2002190:2 | 10/26 | 12/24 | 9 of 5746 | emerging threats | egg download | bleeding-edge worm possible upnp infec... |
| 01% | 2003380:3 | 10/26 | 12/24 | 7 of 5746 | snort | outbound | trojan suspicious user-agent - possible trojan... |
| 01% | 52000032:6 | 10/01 | 12/06 | 3 of 5746 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 592000032:99 | 10/01 | 12/06 | 3 of 5746 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 52466:7 | 10/01 | 12/06 | 3 of 5746 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2003081:3 | 11/19 | 11/19 | 2 of 5746 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 2000427:9 | 10/18 | 02/09 | 2 of 5746 | emerging threats | egg download | policy pe exe install windows file d... |
| 01% | 599906:1 | 10/01 | 10/11 | 2 of 5746 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 2002908:2 | 09/10 | 09/10 | 1 of 5746 | snort | inbound exploit | x86 jmpcalladditive encoder |
| 01% | 100000272:2 | 10/18 | 10/18 | 1 of 5746 | snort | c&c channel | community bot gtbot ver command |
| 01% | 22002903:1 | 02/08 | 02/08 | 1 of 5746 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 2406022:43 | 10/29 | 10/29 | 1 of 5746 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2000339:4 | 10/18 | 10/18 | 1 of 5746 | snort | inbound | p2p iroffer irc bot offered files advertisement |
| 01% | 2002153:7 | 11/13 | 11/13 | 1 of 5746 | snort | outbound | malware exe as user agent - potential malware |
| 01% | 599913:1 | 12/06 | 12/06 | 1 of 5746 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 2538:15 | 01/10 | 01/10 | 1 of 5746 | snort | inbound exploit | netbios smb ipc$ unicode share access |