10/27/2008
only some Snort rules detect some malicious traffic
Download the most effective malware infection detection Snort signatures as experienced by our Malware Honeynet.
Most Effective Malware-Related Snort Signatures Sun Oct 26 11:24:52 2008
Phase = BotHunter infection phase: (scan, infection, egg download, C&C, outbound attack)
Malcode = Number of unique malware binaries that this rule fired on during the analysis window
Infects = Number of malware infections that this rule detected during the analysis window
Detects = 30-day signature detection rates based on exposure to 23035 malware infections
| Detects | SID | First | Last | Infects | Author | Phase | Description |
|---|---|---|---|---|---|---|---|
| 59% | 299913:1 | 05/19 | 10/25 | 13794 of 23035 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 47% | 5001684:99 | 05/19 | 10/25 | 11030 of 23035 | bothunter | egg download | bothunter malware windows executable (p... |
| 44% | 22466:7 | 05/19 | 10/25 | 10156 of 23035 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 43% | 52123:3 | 06/05 | 10/25 | 10116 of 23035 | snort | outbound scan | registered free attack-responses micros... |
| 37% | 292000032:99 | 05/19 | 10/25 | 8640 of 23035 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 37% | 22000032:6 | 05/19 | 10/25 | 8620 of 23035 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 36% | 2001683:3 | 05/19 | 10/25 | 8354 of 23035 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 26% | 3000003:99 | 05/19 | 10/25 | 6065 of 23035 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 24% | 3001441:1 | 05/19 | 10/25 | 5570 of 23035 | snort | egg download | tftp get .exe from external source |
| 24% | 1444:3 | 05/19 | 10/25 | 5570 of 23035 | snort | egg download | tftp get from external source |
| 24% | 2008120:1 | 05/19 | 10/25 | 5570 of 23035 | emerging threats | egg download | policy outbound tftp read request |
| 19% | 3000000:99 | 05/19 | 10/25 | 4469 of 23035 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 10% | 299998:1 | 05/19 | 10/25 | 2440 of 23035 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 10% | 21390:5 | 05/19 | 10/25 | 2440 of 23035 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 09% | 299906:1 | 05/19 | 10/25 | 2239 of 23035 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 09% | 31000004:99 | 05/19 | 10/25 | 2127 of 23035 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 06% | 2000352:6 | 05/19 | 10/05 | 1389 of 23035 | emerging threats | local attack prep | attack response irc - dns request on... |
| 05% | 3000006:99 | 05/19 | 10/01 | 1233 of 23035 | bothunter | egg download | bothunter malware executable upload |
| 03% | 2002029:7 | 05/19 | 10/25 | 921 of 23035 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 03% | 2003603:2 | 05/19 | 10/25 | 713 of 23035 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
And the rest of the signatures detect even less.
Don't count on the machine to stop everything; count on it to stop some of it, so you can deal with the rest with your own intelligence and other tools.
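To see what the table actually says about coverage, here is a small script that parses the rows above and checks a few things a practitioner would want to know before trusting the numbers: that the Detects column is Infects divided by the 23035-infection exposure (the table's rows round down, e.g. 13794 of 23035 is 59.9% and prints as 59%), which single rule did best in each BotHunter phase, and which rules hit exactly the same number of infections. This is an added example written for this post, not code from the blog or from SRI's BotHunter; the function names are ours and the table rows are copied verbatim from above.

```python
"""Read the 'Most Effective Malware-Related Snort Signatures' table and
sanity-check what it implies about per-signature coverage.

Added example, not part of the original post or of BotHunter itself.
"""
import re
from collections import defaultdict

# The 20 rows of the table above, copied verbatim (descriptions keep the
# original truncation). Embedded so the example runs offline.
TABLE = """\
| 59% | 299913:1 | 05/19 | 10/25 | 13794 of 23035 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 47% | 5001684:99 | 05/19 | 10/25 | 11030 of 23035 | bothunter | egg download | bothunter malware windows executable (p... |
| 44% | 22466:7 | 05/19 | 10/25 | 10156 of 23035 | snort | inbound exploit | netbios smb-ds ipc$ unicode share access |
| 43% | 52123:3 | 06/05 | 10/25 | 10116 of 23035 | snort | outbound scan | registered free attack-responses micros... |
| 37% | 292000032:99 | 05/19 | 10/25 | 8640 of 23035 | bothunter | inbound exploit | bothunter exploit lsa exploit |
| 37% | 22000032:6 | 05/19 | 10/25 | 8620 of 23035 | emerging threats | inbound exploit | bleeding-edge exploit lsa exploit |
| 36% | 2001683:3 | 05/19 | 10/25 | 8354 of 23035 | emerging threats | egg download | bleeding-edge malware windows executabl... |
| 26% | 3000003:99 | 05/19 | 10/25 | 6065 of 23035 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 24% | 3001441:1 | 05/19 | 10/25 | 5570 of 23035 | snort | egg download | tftp get .exe from external source |
| 24% | 1444:3 | 05/19 | 10/25 | 5570 of 23035 | snort | egg download | tftp get from external source |
| 24% | 2008120:1 | 05/19 | 10/25 | 5570 of 23035 | emerging threats | egg download | policy outbound tftp read request |
| 19% | 3000000:99 | 05/19 | 10/25 | 4469 of 23035 | bothunter | egg download | bothunter http-based .exe upload on bac... |
| 10% | 299998:1 | 05/19 | 10/25 | 2440 of 23035 | snort | inbound exploit | shellcode x86 inc ebx noop |
| 10% | 21390:5 | 05/19 | 10/25 | 2440 of 23035 | snort | inbound exploit | registered free shellcode x86 inc ebx noop |
| 09% | 299906:1 | 05/19 | 10/25 | 2239 of 23035 | snort | inbound exploit | shellcode x86 0x90 unicode noop |
| 09% | 31000004:99 | 05/19 | 10/25 | 2127 of 23035 | bothunter | egg download | bothunter scrip-based windows egg downl... |
| 06% | 2000352:6 | 05/19 | 10/05 | 1389 of 23035 | emerging threats | local attack prep | attack response irc - dns request on... |
| 05% | 3000006:99 | 05/19 | 10/01 | 1233 of 23035 | bothunter | egg download | bothunter malware executable upload |
| 03% | 2002029:7 | 05/19 | 10/25 | 921 of 23035 | emerging threats | c&c channel | trojan bot - channel topic scan/expl... |
| 03% | 2003603:2 | 05/19 | 10/25 | 713 of 23035 | emerging threats | c&c channel | trojan w32.virut.a joining an irc ch... |
"""

INFECTS_RE = re.compile(r"^(\d+) of (\d+)$")


def parse_rows(table):
    """Turn the pipe-delimited rows into dicts; header/separator/blank lines are skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or not cells[0].endswith("%"):
            continue
        sid, rev = cells[1].split(":")          # Snort rule id and revision
        infects, total = map(int, INFECTS_RE.match(cells[4]).groups())
        rows.append({
            "detects_pct": int(cells[0].rstrip("%")),
            "sid": int(sid), "rev": int(rev),
            "first": cells[2], "last": cells[3],
            "infects": infects, "total": total,
            "author": cells[5], "phase": cells[6], "description": cells[7],
        })
    return rows


def detects_mismatches(rows):
    """SIDs whose Detects column is not Infects/total truncated to a whole percent.
    Every row in the table satisfies this, so a non-empty result flags a typo."""
    return [r["sid"] for r in rows if r["infects"] * 100 // r["total"] != r["detects_pct"]]


def best_rule_per_phase(rows):
    """The single rule with the most hits in each BotHunter phase."""
    best = {}
    for r in rows:
        if r["phase"] not in best or r["infects"] > best[r["phase"]]["infects"]:
            best[r["phase"]] = r
    return best


def identical_hit_counts(rows):
    """Rules whose Infects counts are exactly equal. Over 23035 infections an
    exact tie is a strong hint (our inference, not something the table states)
    that the rules fire on the same events, so they add alert volume, not coverage."""
    by_count = defaultdict(list)
    for r in rows:
        by_count[r["infects"]].append(f'{r["sid"]}:{r["rev"]}')
    return {n: sids for n, sids in by_count.items() if len(sids) > 1}


def main():
    rows = parse_rows(TABLE)
    print(f"{len(rows)} rules parsed; Detects mismatches: {detects_mismatches(rows)}")
    for phase, r in best_rule_per_phase(rows).items():
        print(f"best in '{phase}': {r['sid']}:{r['rev']} at {r['detects_pct']}% ({r['description']})")
    for n, sids in sorted(identical_hit_counts(rows).items(), reverse=True):
        print(f"{n} infections seen by all of {', '.join(sids)} (probably the same events)")
    print(f"no single rule saw more than {max(r['detects_pct'] for r in rows)}% of infections")


if __name__ == "__main__":
    main()
```

The last line of output is the post's point in one number: the best signature in the whole set saw 59% of infections, and the three TFTP rules at 5570 hits apiece are almost certainly three alerts for one event rather than three independent detections.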
13:17