Your Weekly Tech Tidbit – A look at 2017’s top fired Snort Signatures

February 23rd, 2018
Your Weekly Tech Tidbit – A look at 2017’s top fired Snort Signatures

The Snort IPS engine is at the core of both the Cisco Firepower Threat Defense and Cisco Meraki IPS systems. Maintained by Cisco’s Talos Group, the Snort Engine, and its signatures are licensed to the world via the open source GPL and as such it is the most widely distributed IPS engine in the world.

A recent Talos blog post summed up the top 5 most frequently triggered signatures on the Snort engines in 2017.

Pay particular attention to #5 and #3 as in my view these are both “early warning” alerts that something bad might be brewing in your network. We see these signatures fire with unfortunate regularity on the school IPS modules that we routinely monitor. The source of these hits probably deserves more attention than they are getting at the current time.

As usual, the full post is an interesting read to get a feel for what has been happening out in the real-world Internet.

For the direct full Cisco Talos blog entry with additional charts and graphs please follow this link:

The abbreviated text of Talos blog post is below:

2017 was an eventful year for cybersecurity with high profile vulnerabilities that allowed self-replicating worm attacks such as WannaCry and BadRabbit to impact organizations throughout the world. In 2017, Talos researchers discovered many new attacks including backdoors in legitimate software such as CCleaner, designed to target high tech companies as well as M.E.Doc, responsible for the initial spread of Nyetya. Despite all those, headline-making attacks are only a small part of the day to day protection provided by security systems.

In this post, we review some of the findings created by investigating the most frequently triggered Snort signatures as reported by Cisco Meraki systems and included in the Snort default policy set.


Snort signatures are classified into different classes based on the type of activity detected with the most commonly reported class type being “Trojan-activity” followed by “Policy-violation” and “Misc-activity”. Some less frequently reported class types such as “Attempted-admin” and “Web-application-attack” are particularly interesting in the context of detecting malicious inbound and outbound network traffic.

Snort signatures are identified from three parts. The Generator ID (GID), the Signature ID (SID) and revision number. The GID identifies what part of Snort generates the event; ‘1’ indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search box on the Snort website. The revision number is the version of the rule; be sure to use the latest revision of any rule.

Without a further ado, here are the top 5 triggered signatures within policy in reverse order, just as you would expect from a yearly Top of the Snort alerts chart.

#5 - 1:39867:3 “Suspicious .tk dns query”

The .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top-level domain being one of the prolific in terms of the number of domain names registered. However, this free registration leads to .tk domains frequently being abused by attackers.

This signature triggers on DNS lookups for .tk domains. Such a case doesn’t necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers.

Other, similar signatures detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made into our list of top 20 most triggered rules.

#4 - 1:23493:6 “Win.Trojan.ZeroAccess outbound connection”

ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns. This rule detects UDP packets sent by an infected system to so-called supernodes, which participate in the network of command and control servers. The rule can be used to block outbound communication from the malware.

ZeroAccess is a state of the art rootkit and is able to hide from the basic detection techniques on the infected machine. However, network detection using IPS such as Snort can quickly pinpoint a source of the malicious ZeroAccess traffic as it generates a fairly noisy and regular communication pattern.

The malware sends a UDP packet to check with a supernode once every second, so a single affected organization is expected to have many alerts. This may be one of the reasons why the ZeroAccess detection signature is placed high on our list.

#3 - 1:41083:1 “suspicious .bit dns query”

The .bit top level domain extension is relatively obscure but is occasionally used for hosting malware C2 systems with Necurs being one of the families using it as a part of the botnet communication. The .bit TLD is managed using Namecoin, a distributed ledger with no central authority that is one of the first forks of the Bitcoin cryptocurrency. The decentralized nature of .bit domains means that few DNS servers resolve the domains, but equally the domains are resistant to take down.

The signature triggers on DNS lookups for .bit domains. As with .tk lookups, if the signature triggers, this doesn’t necessarily mean that such a lookup is malicious in nature. However, a sharp increase in the rule triggering may warrant investigation.

#2 - 1:42079:1 “Win.Trojan.Jenxcus outbound connection attempt with unique User-Agent”

Jenxcus is more of a worm than a trojan, despite the naming used in the human-readable description of the signature. It spreads by copying itself to removable and shared drives and allows the attacker to remotely access and control the infected system. Like many trojans, once a system is infected, Jenxcus seeks to establish contact with its’ C2 infrastructure. This contact is made with an HTTP POST request using a specific user-agent string. The user-agent string itself is specific to this trojan and its many variants and can be detected and blocked using this signature.

#1 - 1:40522:3 “Unix.Trojan.Mirai variant post-compromise fingerprinting”

Internet of Things (IoT) security is something which we have written about extensively. The Mirai botnet and variants continue to try and infect IoT devices by attempting to log in with default usernames and passwords. Once the malware successfully accesses a device, it will check that the device behaves as expected and not like a honeypot. It is this check which is detected by this rule. This post compromise activity has been constantly present throughout the year and at the peak of its activity in February accounted for over 20% of all alerts reported daily.