Table 4 Effective Snort signatures in the 200 investigated incidents

From: A quality metric for IDS signatures: in the wild the size matters

C&C Communication - update malicious binary instruction set

| SID | Signature description |
| --- | --- |
| 2007668 | ET TROJAN Blackenergy Bot Checkin to C&C |
| 2010861 | ET TROJAN Zeus Bot Request to CnC |
| 2404138:2404156, 2404242:2404247, 2404335:240434 | ET DROP Known Bot C&C Server Traffic TCP/UDP |
| 16693 | SPYWARE-PUT Torpig bot sinkhole server DNS lookup attempt |
| 2011857 | ET TROJAN SpyEye C&C Check-in URI |
| 2013076 | ET TROJAN Zeus Bot GET to Google checking Internet connectivity |
| 2013348 | ET TROJAN Zeus Bot Request to CnC 2 |
| 2013911 | ET TROJAN P2P Zeus or ZeroAccess Request To CnC |
| 2000348 | ET ATTACK_RESPONSE IRC - Channel JOIN on non-std port |
| 2014107 | ET TROJAN Zeus POST Request to CnC - cookie variation |
| 2015813 | ET CURRENT_EVENTS DNS Query Torpig Sinkhole Domain |
| 16140 | BACKDOOR torpig-mebroot command and control checkin |

Reporting - share stolen user confidential data with controller

| SID | Signature description |
| --- | --- |
| 2008660 | ET TROJAN Torpig Infection Reporting |
| 2011827 | ET TROJAN Xilcter/Zeus related malware dropper reporting in |
| 2009024 | ET TROJAN Downadup/Conficker A or B Worm reporting |
| 2802912 | ETPRO TROJAN Backdoor.Nervos.A Checkin to Server |
| 2002728 | ET TROJAN Ransky or variant backdoor communication ping |
| 2010150 | ET TROJAN Koobface HTTP Request |
| 2010885 | ET TROJAN BlackEnergy v2.x HTTP Request with Encrypted Variable |
| 2012279 | ET CURRENT_EVENTS SpyEye HTTP Library Checkin |
| 2002762 | ET TROJAN Torpig Reporting User Activity |
| 2008660 | ET TROJAN Torpig Infection Reporting |
| 2000347 | ET ATTACK_RESPONSE IRC - Private message on non-std port |

Egg Download - update malicious binary/download additional malware

| SID | Signature description |
| --- | --- |
| 2010886 | ET TROJAN BlackEnergy v2.x Plugin Download Request |
| 2802975 | ETPRO TROJAN Linezing.com Checkin |
| 1012686 | ET TROJAN SpyEye Checkin version 1.3.25 or later |
| 2010071 | ET TROJAN Hiloti/Mufanom Downloader Checkin |
| 2011388 | ET TROJAN Bredolab/Hiloti/Mufanom Downloader Checkin 2 |
| 2014435 | ET TROJAN Infostealer.Banprox Proxy.pac Download |
| 2007577 | ET TROJAN General Downloader Checkin URL |
| 2016347 | ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing |
| 2011365, 2010267 | ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host checkin |

Redirection - redirect user to malicious domain

| SID | Signature description |
| --- | --- |
| 2011912 | ET CURRENT_EVENTS Possible Fake AV Checkin |
| 2003494:2003496 | ET USER_AGENTS AskSearch Toolbar Spyware User-Agent |
| 2003626, 2007854 | ET USER_AGENTS Suspicious User Agent (agent) |
| 2009005 | ET MALWARE Simbar Spyware User-Agent Detected |
| 2406001:2406012, 2406147:2406167, 2406361:2406383, 2406635:2406649 | ET RBN Known Russian Business Network IP TCP/UDP |
| 2016583 | ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic DNS |

Propagation - detect and infect vulnerable hosts

| SID | Signature description |
| --- | --- |
| 2008802 | ET TROJAN Possible Downadup/Conficker-A Worm Activity |
| 2003068 | ET SCAN Potential SSH Scan OUTBOUND |
| 2001569 | ET SCAN Behavioral Unusual Port 445 traffic |
| 2003292 | ET WORM Allaple ICMP Sweep Ping Outbound |
| 2011104 | ET TROJAN Exploit kit attack activity likely hostile |
| 2010087 | ET SCAN Suspicious User-Agent Containing SQL Inject/ion, SQL Scanner |
| 2006546 | ET SCAN LibSSH Based Frequent SSH Connections BruteForce Attack! |
| 2001219 | ET SCAN Potential SSH Scan |
| 2003 | SQL Worm propagation attempt |
| 3817 | TFTP GET transfer mode overflow attempt |
| 12798:12802 | SHELLCODE base64 x86 NOOP |