Suricata-vs-snort/Test-cases/Malware-viruses
Synthesis
Each sample was executed, its network traffic was captured to a pcap, and the pcap was then replayed through both engines. A score of 1 means the engine raised at least one alert on the capture, 0 means it raised none, and - means the sample could not be scored (it crashed the test machine or produced no outbound traffic).
| Test | Suricata | Snort |
|---|---|---|
| Packed.Generic.187 | 1 | 1 |
| W32.Spybot.Worm | - | - |
| W32.Sality.AE (1) | 1 | 1 |
| W32.Sality.AE (2) | 0 | 0 |
| W32.Sality.AE (3) | - | - |
| W32.Sality.AE (4) | - | - |
| Trojan Horse | 0 | 1 |
| Trojan-Spy.Win32.Zbot | 1 | 0 |
| Trojan.Win32.Spyeye | 1 | 1 |
| Generic Trojan Downloader | 1 | 1 |
| Generic IRC Bot | 1 | 1 |
| Win32/SpamTool | 1 | 1 |
| Dropper with BlackEnergy | 1 | 0 |
| Zango Spyware | 1 | 0 |
| TOTAL | 9 | 7 |
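The scoring behind the table above (1 if the engine raised any alert on the replayed pcap, 0 otherwise) can be reproduced from fast.log output. The script below is an added example and not part of the original test harness: it parses alert lines in the format quoted on this page, applies the page's any-alert rule, and adds a stricter rule that only counts alerts classified as trojan activity, which exposes cases where a 1 rests solely on an IP-reputation, exploit or policy signature (W32.Sality.AE (1), where neither engine fired a malware-specific rule). The sample traces are constructed from lines quoted on this page, one alert per line as fast.log writes them; the classification set used by the stricter rule and the optional timestamp, gid:sid:rev and address fields are this example's own assumptions about the fast.log layout.

```python
"""Score IDS pcap replays the way the Synthesis table does.

Added example (not from the original page): parses fast.log-style alert lines
from Suricata and Snort and derives two scores per sample and engine:
  any     - 1 if the engine raised at least one alert of any kind (the page's rule)
  malware - 1 only if some alert carries the trojan-activity classification, so
            reputation, exploit or policy hits alone do not count
"""
import re

# One fast.log line. Timestamp, [gid:sid:rev] and the trailing address tuple are
# optional so the trimmed lines quoted on this page parse as well as raw output.
ALERT_RE = re.compile(
    r"^(?:\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+\s+)?"   # optional timestamp (assumed layout)
    r"(?:\[\*\*\]\s+)?"                               # optional leading [**]
    r"(?:\[\d+:\d+:\d+\]\s+)?"                        # optional [gid:sid:rev]
    r"(?P<msg>.+?)\s+\[\*\*\]"                        # signature message
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"(?:\s+\{(?P<proto>[A-Za-z]+)\})?"
)

# Classifications treated as malware activity itself (assumption for this example).
# Suricata/ET print "detected", Snort VRT prints "Detected": compare case-insensitively.
MALWARE_CLASSES = {"a network trojan was detected"}


def parse_fast_log(text):
    """Return one dict per alert line; blank lines and 'not detected' are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "msg": m.group("msg"),
            "cls": (m.group("cls") or "").strip(),
            "prio": int(m.group("prio")) if m.group("prio") else None,
            "proto": m.group("proto"),
        })
    return alerts


def score_any(alerts):
    """The page's rule: 1 if the engine alerted at all on the replayed pcap."""
    return 1 if alerts else 0


def score_malware(alerts):
    """Stricter rule: 1 only if some alert is classified as trojan activity."""
    return 1 if any(a["cls"].lower() in MALWARE_CLASSES for a in alerts) else 0


def synthesis(traces, engines=("Suricata", "Snort")):
    """Build {sample: {engine: (any, malware)}} and per-engine totals for both rules."""
    table = {}
    totals = {e: [0, 0] for e in engines}
    for sample, per_engine in traces.items():
        table[sample] = {}
        for e in engines:
            alerts = parse_fast_log(per_engine.get(e, ""))
            s_any, s_mal = score_any(alerts), score_malware(alerts)
            table[sample][e] = (s_any, s_mal)
            totals[e][0] += s_any
            totals[e][1] += s_mal
    return table, {e: tuple(v) for e, v in totals.items()}


# Constructed input, built from alert lines quoted on this page (empty string = not detected).
TRACES = {
    "W32.Sality.AE (1)": {
        "Suricata": "WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow [**] "
                    "[Classification: Attempted User Privilege Gain] [Priority: 3] {TCP}",
        "Snort": "ET RBN Known Russian Business Network [**] [Classification: Misc Attack] [Priority: 3] {TCP}",
    },
    "Trojan-Spy.Win32.Zbot": {
        "Suricata": "\n".join([
            "ET USER_AGENTS Internet Explorer 6 in use - Significant Security Risk [**] "
            "[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}",
            "ET TROJAN Zeus POST Request to CnC [**] [Classification: A Network Trojan was detected] [Priority: 3] {TCP}",
        ]),
        "Snort": "",
    },
    "Trojan.Win32.Spyeye": {
        "Suricata": "ET TROJAN SpyEye Bot Checkin [**] [Classification: A Network Trojan was detected] [Priority: 3] {TCP}",
        "Snort": "SPYWARE-PUT Spyeye bot contact to C&C server attempt [**] "
                 "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}",
    },
    "Dropper with BlackEnergy": {
        "Suricata": "\n".join([
            "ET DNS Standard query response, Name Error [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP}",
            "ET TROJAN Blackenergy Bot Checkin to C&C (2) [**] [Classification: A Network Trojan was detected] [Priority: 3] {TCP}",
        ]),
        "Snort": "",
    },
}

if __name__ == "__main__":
    table, totals = synthesis(TRACES)
    print("| Test | Suricata any/malware | Snort any/malware |")
    for sample, row in table.items():
        print(f"| {sample} | {row['Suricata'][0]}/{row['Suricata'][1]} | {row['Snort'][0]}/{row['Snort'][1]} |")
    print(f"| TOTAL | {totals['Suricata'][0]}/{totals['Suricata'][1]} | {totals['Snort'][0]}/{totals['Snort'][1]} |")
```

On these four samples the any-alert rule gives Suricata 4 and Snort 2, the trojan-only rule gives Suricata 3 and Snort 1: the Sality hit on both engines comes from an exploit signature and an RBN address-list match, not from anything that identifies the sample. When comparing engines on malware pcaps it is worth reporting both numbers, since a reputation or policy ruleset inflates the first without saying anything about malware coverage.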
Packed.Generic.187
- Test: 84dc4e81531c373e431d818790dd26d1
- Payload: pcap
- Suricata trace:
ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake
- Suricata score: 1
- Snort trace:
BACKDOOR rogue software ms antispyware 2009 runtime detection [**]
[Classification: A Network Trojan was detected]
- Snort score: 1
W32.Spybot.Worm
- Test: 327c2990390a03d87f5a395e3a8361ce
- Payload: pcap
- Results: the sample crashed the test machine, so no usable capture was obtained and the test is not scored (- in the table)
W32.Sality.AE (1)
- Test: 9ae81e742e9e425066abd1b700f74287
- Payload: pcap
- Suricata trace:
WEB-CLIENT Mozilla Firefox Animated PNG Processing integer overflow [**]
[Classification: Attempted User Privilege Gain]
- Suricata score: 1
- Snort trace:
ET RBN Known Russian Business Network [**]
[Classification: Misc Attack]
- Snort score: 1
W32.Sality.AE (2)
- Test: ad5cdd5af1d689fddfc14d239790bd64
- Payload: pcap
- Suricata trace: not detected
- Suricata score: 0
- Snort trace: not detected
- Snort score: 0
W32.Sality.AE (3)
- Test: c90eb4404250e9dd0d5681d31c715c27
- Payload: pcap
- Results: the sample crashed the test machine, so no usable capture was obtained and the test is not scored (- in the table)
W32.Sality.AE (4)
- Test: e70d08a94013a9ef06ebacb8749a36cf
- Payload: pcap
- Results: the sample generated no traffic leaving the network, so there was nothing for either engine to inspect and the test is not scored (- in the table)
Trojan Horse
- Test: c98f09041ab28addf5c83232c247e2c5
- Payload: pcap
- Suricata trace: not detected
- Suricata score: 0
- Snort trace:
ET RBN Known Russian Business Network IP [**]
[Classification: Misc Attack] {TCP}
- Snort score: 1
Trojan-Spy.Win32.Zbot
- Test: 86ebbeb0bcc10454658e7f5ab68452c6
- Payload: pcap
- Suricata trace:
ET USER_AGENTS Internet Explorer 6 in use - Significant Security Risk [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}
ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN Zeus POST Request to CnC [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
- Suricata score: 1
- Snort trace: not detected
- Snort score: 0
Trojan.Win32.Spyeye
- Test: 9d2a48be1a553984a4fda1a88ed4f8ee
- Payload: pcap
- Suricata trace:
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN SpyEye C&C Check-in URI [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN SpyEye Bot Checkin [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN Banker PWS/Infostealer HTTP GET Checkin [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN SpyEye Bot Checkin [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN SpyEye Bot Checkin [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN SpyEye Bot Checkin [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
- Suricata score: 1
- Snort trace:
SPYWARE-PUT Spyeye bot contact to C&C server attempt [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
SPYWARE-PUT Spyeye bot contact to C&C server attempt [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
SPYWARE-PUT Spyeye bot contact to C&C server attempt [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
SPYWARE-PUT Spyeye bot contact to C&C server attempt [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
SPYWARE-PUT Spyeye bot contact to C&C server attempt [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
- Snort score: 1
Generic Trojan Downloader
- Test: fbdd471b89dda4e01d508df929571057
- Payload: pcap
- Suricata trace:
ET RBN Known Russian Business Network IP (164) [**]
[Classification: Misc Attack] [Priority: 3] {TCP}
ET POLICY HTTP GET on unusual Port Possibly Hostile [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}
ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET PRO EXPLOIT Red Hat Enterprise Linux DNS Resolver Buffer Overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 3] {TCP}
ET DNS DNS Query for Suspicious .com.cn Domain [**]
[Classification: Potentially Bad Traffic] [Priority: 3] {UDP}
ET POLICY NSPlayer User-Agent Windows Media Player streaming detected [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3]
ET MALWARE Lookup of Chinese Dynamic DNS Provider 3322.org Likely Malware Related [**]
[Classification: Misc activity] [Priority: 3] {UDP}
ET MALWARE All Numerical .cn Domain Likely Malware Related [**]
[Classification: Misc activity] [Priority: 3] {UDP}
ET MALWARE All Numerical .cn Domain Likely Malware Related [**]
[Classification: Misc activity] [Priority: 3] {UDP}
- Suricata score: 1
- Snort trace:
WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP}
WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
- Snort score: 1
Generic IRC Bot
- Test: 71b6d23abaef923396f2d81f80c5ccd4
- Payload: pcap
- Suricata trace:
GPL DELETED IRC nick change [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}
GPL DELETED IRC nick change [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}
ET POLICY IRC authorization message [**]
[Classification: Misc activity] [Priority: 3] {TCP}
GPL DELETED IRC message [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}
GPL DELETED IRC message [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}
GPL DELETED IRC nick change [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}
GPL DELETED IRC nick change [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP}
ET POLICY IRC authorization message [**]
[Classification: Misc activity] [Priority: 3] {TCP}
- Suricata score: 1
- Snort trace:
CHAT IRC nick change [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
CHAT IRC channel join [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
CHAT IRC message [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
CHAT IRC nick change [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
CHAT IRC channel join [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
- Snort score: 1
Win32/SpamTool
- Test: e93e9cfdfdd8953acd171acdbeaa49c4
- Payload: pcap
- Suricata trace:
ET RBN Known Russian Business Network IP (324) [**]
[Classification: Misc Attack] [Priority: 3] {TCP}
ET DROP Spamhaus DROP Listed Traffic Inbound [**]
[Classification: Misc Attack] [Priority: 3] {TCP}
ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET RBN Known Russian Business Network IP (69) [**]
[Classification: Misc Attack] [Priority: 3] {TCP}
ET RBN Known Russian Business Network IP (69) [**]
[Classification: Misc Attack] [Priority: 3] {TCP}
ET RBN Known Russian Business Network IP (69) [**]
[Classification: Misc Attack] [Priority: 3] {TCP}
GPL ICMP_INFO Destination Unreachable Host Unreachable [**]
[Classification: Misc activity] [Priority: 3] {ICMP}
- Suricata score: 1
- Snort trace:
(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP}
BACKDOOR trojan agent.aarm runtime detection - spread via spam [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
SPYWARE-PUT Rustock botnet contact to C&C server attempt [**]
[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
ICMP Destination Unreachable Host Unreachable [**]
[Classification: Misc activity] [Priority: 3] {ICMP}
- Snort score: 1
Dropper with BlackEnergy
- Test: f2bf9714ae2b79ce9d07dbb8433a0fff
- Payload: pcap
- Suricata trace:
ET DNS Standard query response, Name Error [**]
[Classification: Not Suspicious Traffic] [Priority: 3] {UDP}
ET USER_AGENTS Suspicious User Agent (_TEST_) [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN Blackenergy Bot Checkin to C&C (2) [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET USER_AGENTS Suspicious User Agent (_TEST_) [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN BlackEnergy v2.x Plugin Download Request [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN Blackenergy Bot Checkin to C&C (2) [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN BlackEnergy v2.x Plugin Download Request [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET TROJAN Blackenergy Bot Checkin to C&C (2) [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
- Suricata score: 1
- Snort trace: not detected
- Snort score: 0
Zango Spyware
- Test: 40e5eaa9ab47c77fe6636ab56d9c20f1
- Payload: pcap
- Suricata trace:
ET USER_AGENTS 180 Solutions (Zango Installer) User Agent [**]
[Classification: A Network Trojan was detected] [Priority: 3] {TCP}
ET USER_AGENTS Zango Cash Spyware User Agent (ZC XML-RPC C++ Client) [**]
[Classification: A Network Trojan was detected] [Priority: 3]
- Suricata score: 1
- Snort trace: not detected
- Snort score: 0