Most Effective Malware-Related Snort Signatures
Tue May 15 08:30:56 2012
Phase = BotHunter infection phase: (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window (shown as "N of 6040")
Detects = 30-day signature detection rate: Infects as a percentage of the 6040 malware infections the sensor was exposed to
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 77% | 299913:1 | 12/07 | 05/14 | 4673 of 6040 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 65% | 2001683:3 | 12/07 | 05/14 | 3944 of 6040 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 65% | 5001684:99 | 12/07 | 05/14 | 3936 of 6040 | bothunter | egg download | bothunter malware windows executable (p... |
| 61% | 3000003:99 | 12/07 | 05/14 | 3743 of 6040 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 60% | 22466:7 | 12/07 | 05/14 | 3661 of 6040 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 53% | 292000032:99 | 12/07 | 05/14 | 3226 of 6040 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 53% | 22000032:6 | 12/07 | 05/14 | 3225 of 6040 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 52% | 3000000:99 | 12/07 | 05/14 | 3171 of 6040 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 28% | 52123:3 | 12/07 | 05/14 | 1705 of 6040 | snort | outbound scan | registered free attack-responses micros... |
| 24% | 2002750:10 | 12/07 | 05/13 | 1475 of 6040 | snort | inbound | policy reserved ip space traffic - bogon nets 2 |
| 22% | 3001441:1 | 12/07 | 05/14 | 1344 of 6040 | snort | egg download | tftp get .exe from external source |
| 22% | 1444:3 | 12/07 | 05/14 | 1344 of 6040 | snort | egg download | tftp get from external source |
| 22% | 2008120:1 | 12/07 | 05/14 | 1344 of 6040 | emerging threats | egg download | policy outbound tftp read request |
| 15% | 2003070:4 | 12/07 | 05/14 | 954 of 6040 | emerging threats | c&c channel | worm korgo.u reporting |
| 10% | 2002749:4 | 12/08 | 05/14 | 635 of 6040 | snort | inbound | policy reserved ip space traffic - bogon nets 1 |
| 06% | 31000004:99 | 12/07 | 05/05 | 366 of 6040 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 02% | 2000352:6 | 01/18 | 04/30 | 139 of 6040 | emerging threats | local attack prep | attack response irc - dns request on... |
| 01% | 2000346:7 | 01/18 | 04/30 | 100 of 6040 | emerging threats | c&c channel | attack response irc - name response ... |
| 01% | 2000355:4 | 12/12 | 03/10 | 86 of 6040 | emerging threats | c&c channel | policy irc authorization message |
| 01% | 2002751:3 | 12/08 | 05/11 | 85 of 6040 | snort | inbound | policy reserved ip space traffic - bogon nets 3 |
| 01% | 2001569:12 | 12/07 | 05/01 | 85 of 6040 | emerging threats | outbound scan | scan behavioral unusual port 445 tra... |
| 01% | 2003603:2 | 12/09 | 05/12 | 83 of 6040 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
| 01% | 22001056:5 | 12/09 | 05/05 | 45 of 6040 | emerging threats | inbound exploit | bleeding-edge virus w32/sasser.worm.b -... |
| 01% | 21390:5 | 01/18 | 05/07 | 45 of 6040 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 01% | 299998:1 | 01/18 | 05/07 | 43 of 6040 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 01% | 2000047:4 | 12/09 | 05/05 | 42 of 6040 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 3000005:99 | 04/30 | 05/07 | 23 of 6040 | bothunter | egg download | bothunter malware executable upload |
| 01% | 2007726:2 | 01/18 | 01/18 | 20 of 6040 | emerging threats | egg download | attack response unusual ftp server b... |
| 01% | 3000006:99 | 01/18 | 01/18 | 20 of 6040 | bothunter | egg download | bothunter malware executable upload |
| 01% | 299906:1 | 12/13 | 05/11 | 18 of 6040 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 01% | 2400003:1146 | 02/16 | 04/24 | 17 of 6040 | snort | inbound | drop spamhaus drop listed traffic inbound |
| 01% | 23003:4 | 01/18 | 01/18 | 16 of 6040 | snort | inbound exploit | netbios smb-ds session setup ntmlssp un... |
| 01% | 52466:7 | 02/20 | 04/10 | 9 of 6040 | snort | outbound scan | netbios smb-ds ipc$ unicode share access |
| 01% | 2000427:9 | 02/09 | 04/30 | 7 of 6040 | emerging threats | egg download | policy pe exe install windows file d... |
| 01% | 2008124:1 | 01/12 | 02/09 | 6 of 6040 | snort | outbound | trojan likely bot nick in irc (usa +..) |
| 01% | 2000356:4 | 01/12 | 01/18 | 5 of 6040 | emerging threats | c&c channel | policy irc connection |
| 01% | 52000032:6 | 03/03 | 03/30 | 4 of 6040 | emerging threats | outbound scan | bleeding-edge exploit lsa exploit |
| 01% | 599906:1 | 03/03 | 03/30 | 4 of 6040 | snort | outbound scan | shellcode x86 0x90 unicode noop |
| 01% | 2538:15 | 01/10 | 04/03 | 4 of 6040 | snort | inbound exploit | netbios smb ipc$ unicode share access |
| 01% | 592000032:99 | 03/03 | 03/30 | 4 of 6040 | bothunter | outbound scan | bothunter exploit lsa exploit |
| 01% | 2003380:3 | 12/11 | 12/24 | 3 of 6040 | snort | outbound | trojan suspicious user-agent - possible trojan... |
| 01% | 2002190:2 | 12/11 | 12/24 | 3 of 6040 | emerging threats | egg download | bleeding-edge worm possible upnp infec... |
| 01% | 2003081:3 | 02/18 | 03/07 | 2 of 6040 | emerging threats | inbound exploit | exploit netbios smb dcerpc netrppath... |
| 01% | 22002903:1 | 02/08 | 03/15 | 2 of 6040 | emerging threats | inbound exploit | bleeding-edge exploit x86 pexfnstenvmov... |
| 01% | 100000274:2 | 01/12 | 01/12 | 1 of 6040 | snort | c&c channel | community bot gtbot scan command |
| 01% | 2001689:6 | 05/06 | 05/06 | 1 of 6040 | snort | outbound | worm potential mysql bot scanning for sql server |
| 01% | 2406022:43 | 04/25 | 04/25 | 1 of 6040 | emerging threats | c&c channel | rbn known russian business network m... |
| 01% | 2404009:1142 | 03/25 | 03/25 | 1 of 6040 | emerging threats | c&c channel | drop known bot c&c server traffic (g... |
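The column definitions above say Detects is simply Infects as a share of the 6040 observed infections. The following Python script is an added example, not part of the BotHunter page: it parses rows in the table's format, recomputes the rate from the "N of 6040" column, flags rows whose printed percentage does not match the rounded value (the table prints "01%" even for a single infection), and reports the best single-rule rate per phase or author. The sample rows are copied from the table; the regex, function names and the rounding check are my own assumptions about how to validate such a listing.

```python
import re
from collections import defaultdict

TOTAL_INFECTIONS = 6040  # denominator used throughout the table

# Constructed sample: a handful of rows copied from the table above (not the full list).
SAMPLE_ROWS = """\
| 77% | 299913:1 | 12/07 | 05/14 | 4673 of 6040 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 65% | 2001683:3 | 12/07 | 05/14 | 3944 of 6040 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 22% | 1444:3 | 12/07 | 05/14 | 1344 of 6040 | snort | egg download | tftp get from external source |
| 01% | 2000047:4 | 12/09 | 05/05 | 42 of 6040 | emerging threats | egg download | worm sasser transfer _up.exe |
| 01% | 2001689:6 | 05/06 | 05/06 | 1 of 6040 | snort | outbound | worm potential mysql bot scanning for sql server |
"""

# One table row: | pct% | sid:rev | first | last | N of M | author | phase | description |
ROW_RE = re.compile(
    r"^\|\s*(\d+)%\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|"
    r"\s*(\d+) of (\d+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|$"
)


def parse_rows(text):
    """Parse markdown table rows into dicts; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pct, sid_rev, first, last, infects, total, author, phase, desc = m.groups()
        sid, rev = sid_rev.split(":")
        rows.append({
            "listed_pct": int(pct),
            "sid": sid, "rev": int(rev),
            "first": first, "last": last,
            "infects": int(infects), "total": int(total),
            "author": author, "phase": phase, "desc": desc,
        })
    return rows


def detection_rate(infects, total=TOTAL_INFECTIONS):
    """Detects as defined on the page: infections detected as a percentage of all infections."""
    return 100.0 * infects / total


def check_listed_rates(rows):
    """Return (sid, listed_pct, computed_pct) for rows whose printed percentage
    is not the rounded computed rate. Rows with a single infection print 01%
    in the table, so they show up here."""
    mismatches = []
    for r in rows:
        computed = detection_rate(r["infects"], r["total"])
        if round(computed) != r["listed_pct"]:
            mismatches.append((r["sid"], r["listed_pct"], round(computed, 2)))
    return mismatches


def coverage_by(rows, key):
    """Best single-rule detection rate per group (e.g. key='phase' or 'author').
    The table gives no overlap data between rules, so the union coverage of a
    rule set cannot be computed from it; the maximum is a lower bound."""
    best = defaultdict(float)
    for r in rows:
        rate = detection_rate(r["infects"], r["total"])
        best[r[key]] = max(best[r[key]], rate)
    return dict(best)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for sid, listed, computed in check_listed_rates(rows):
        print(f"SID {sid}: listed {listed}% but computed {computed}%")
    for phase, rate in sorted(coverage_by(rows, "phase").items(), key=lambda kv: -kv[1]):
        print(f"{phase:16s} best single rule {rate:5.2f}%")
```

Feed the whole table to `parse_rows` to run the check across all rows; rows listed at 01% with fewer than about 30 infections are the ones the rounding check will flag.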