Research Article
Characterizing Anomalies in Malware-Generated HTTP Traffic
Table 1
The top 10 most common Snort IDs (in generator:signature:revision form) and their alert messages observed in the analyzed traffic.
| Snort ID | Alert message |
|---|---|
| 1:43685:1 | MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection |
| 1:2023577:1 | ET TROJAN Locky CnC Checkin HTTP Pattern |
| 1:32678:2 | MALWARE-CNC Win.Trojan.Dridex variant outbound connection |
| 1:33145:2 | MALWARE-CNC Win.Trojan.Dridex initial outbound connection |
| 1:2019478:1 | ET TROJAN Dridex POST Checkin |
| 1:2023551:1 | ET TROJAN Locky CnC checkin Nov 21 |
| 1:2023552:1 | ET TROJAN Locky CnC checkin Nov 21 M2 |
| 1:2807610:2 | ETPRO TROJAN DirtJumper DDoS (INBOUND) |
| 1:2016879:2 | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
| 1:2821731:3 | ETPRO CURRENT_EVENTS MalDoc Request for Payload Aug 17, 2016 |
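A table like Table 1 is produced by tallying the `[gid:sid:rev]` identifier and message from each alert that Snort wrote in its "fast" alert format. The following is an added example, not code from the paper or from the Snort project, showing that tally over a handful of constructed fast-format alert lines (the lines, addresses and timestamps are made up; the signature names are taken from Table 1). Lines that do not match the alert pattern are skipped rather than crashing the count, which matters on real logs that interleave Snort's own startup and statistics output.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format; NOT data from the paper.
# Non-alert text is included to show that it is ignored.
SAMPLE_ALERTS = """\
03/09-14:23:11.123456  [**] [1:43685:1] MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:80
03/09-14:23:12.000001  [**] [1:2023577:1] ET TROJAN Locky CnC Checkin HTTP Pattern [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.6:49200 -> 198.51.100.9:80
03/09-14:23:13.500000  [**] [1:43685:1] MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:49311 -> 203.0.113.7:80
03/09-14:23:14.250000  [**] [1:2016879:2] ET POLICY Unsupported/Fake Windows NT Version 5.0 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.8:49400 -> 192.0.2.44:80
03/09-14:23:15.000000  [**] [1:43685:1] MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:49500 -> 203.0.113.7:80
03/09-14:23:16.000000  [**] [1:2023577:1] ET TROJAN Locky CnC Checkin HTTP Pattern [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.6:49201 -> 198.51.100.9:80
this line is not an alert and must be skipped
"""

# The fast format brackets the rule ID and message between two "[**]" markers:
#   [**] [gid:sid:rev] message [**]
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
)


def parse_fast_alerts(text):
    """Yield (snort_id, message) pairs from fast-format lines; skip non-matching lines."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        yield f"{m['gid']}:{m['sid']}:{m['rev']}", m["msg"]


def top_snort_ids(text, n=10):
    """Return the n most frequent (snort_id, message, count) tuples, most frequent first."""
    counts = Counter(parse_fast_alerts(text))
    return [(sid, msg, c) for (sid, msg), c in counts.most_common(n)]


def render_table(rows):
    """Render the tally as a pipe-delimited table in the same layout as Table 1."""
    lines = ["| Snort ID | Alert message | Count |", "|---|---|---|"]
    for sid, msg, c in rows:
        lines.append(f"| {sid} | {msg} | {c} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(top_snort_ids(SAMPLE_ALERTS)))
```

The key is the full `gid:sid:rev` triple rather than the bare signature ID, so that two revisions of the same rule are counted separately, which is how Table 1 lists them.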