From: A quality metric for IDS signatures: in the wild the size matters
SID | Signature description |
---|---|
C&C Communication - update malicious binary instruction set | |
2007668 | ET TROJAN Blackenergy Bot Checkin to C&C |
2010861 | ET TROJAN Zeus Bot Request to CnC |
2404138:2404156, 2404242:2404247, 2404335:240434 | ET DROP Known Bot C&C Server Traffic TCP/UDP |
16693 | SPYWARE-PUT Torpig bot sinkhole server DNS lookup attempt |
2011857 | ET TROJAN SpyEye C&C Check-in URI |
2013076 | ET TROJAN Zeus Bot GET to Google checking Internet connectivity |
2013348 | ET TROJAN Zeus Bot Request to CnC 2 |
2013911 | ET TROJAN P2P Zeus or ZeroAccess Request To CnC |
2000348 | ET ATTACK_RESPONSE IRC - Channel JOIN on non-std port |
2014107 | ET TROJAN Zeus POST Request to CnC - cookie variation |
2015813 | ET CURRENT_EVENTS DNS Query Torpig Sinkhole Domain |
16140 | BACKDOOR torpig-mebroot command and control checkin |
Reporting - share stolen user confidential data with controller | |
2008660 | ET TROJAN Torpig Infection Reporting |
2011827 | ET TROJAN Xilcter/Zeus related malware dropper reporting in |
2009024 | ET TROJAN Downadup/Conficker A or B Worm reporting |
2802912 | ETPRO TROJAN Backdoor.Nervos.A Checkin to Server |
2002728 | ET TROJAN Ransky or variant backdoor communication ping |
2010150 | ET TROJAN Koobface HTTP Request |
2010885 | ET TROJAN BlackEnergy v2.x HTTP Request with Encrypted Variable |
2012279 | ET CURRENT_EVENTS SpyEye HTTP Library Checkin |
2002762 | ET TROJAN Torpig Reporting User Activity |
2008660 | ET TROJAN Torpig Infection Reporting |
2000347 | ET ATTACK_RESPONSE IRC - Private message on non-std port |
Egg Download - update malicious binary/download additional malware | |
2010886 | ET TROJAN BlackEnergy v2.x Plugin Download Request |
2802975 | ETPRO TROJAN Linezing.com Checkin |
1012686 | ET TROJAN SpyEye Checkin version 1.3.25 or later |
2010071 | ET TROJAN Hiloti/Mufanom Downloader Checkin |
2011388 | ET TROJAN Bredolab/Hiloti/Mufanom Downloader Checkin 2 |
2014435 | ET TROJAN Infostealer.Banprox Proxy.pac Download |
2007577 | ET TROJAN General Downloader Checkin URL |
2016347 | ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing |
2011365, 2010267 | ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host checkin |
Redirection - redirect user to malicious domain | |
2011912 | ET CURRENT_EVENTS Possible Fake AV Checkin |
2003494:2003496 | ET USER_AGENTS AskSearch Toolbar Spyware User-Agent |
2003626,2007854 | ET USER_AGENTS Suspicious User Agent (agent) |
2009005 | ET MALWARE Simbar Spyware User-Agent Detected |
2406001:2406012, 2406147:2406167, 2406361:2406383, 2406635:2406649 | ET RBN Known Russian Business Network IP TCP/UDP |
2016583 | ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic DNS |
Propagation - detect and infect vulnerable hosts | |
2008802 | ET TROJAN Possible Downadup/Conficker-A Worm Activity |
2003068 | ET SCAN Potential SSH Scan OUTBOUND |
2001569 | ET SCAN Behavioral Unusual Port 445 traffic |
2003292 | ET WORM Allaple ICMP Sweep Ping Outbound |
2011104 | ET TROJAN Exploit kit attack activity likely hostile |
2010087 | ET SCAN Suspicious User-Agent Containing SQL Inject/ion, SQL Scanner |
2006546 | ET SCAN LibSSH Based Frequent SSH Connections BruteForce Attack! |
2001219 | ET SCAN Potential SSH Scan |
2003 | SQL Worm propagation attempt |
3817 | TFTP GET transfer mode overflow attempt |
12798:12802 | SHELLCODE base64 x86 NOOP |