Custom IPS signatures to detect botnet traffic
Attached is a copy of various custom IPS signatures for SEPM to detect botnet activity (Koobface, Zeus, Clampi, etc.).
These are currently in "Allow" mode.
Any comments/suggestions to make the rules better are welcome. Also, please feel free to test and report back to me. I'm currently using these as well in my environment.
And just to note, these rules are set up to work with a proxy using port 8080. If you are not behind a proxy, you can change the port to 80; if you are behind a proxy, you will need to change the port to match the one your proxy uses.
I've also attached a zip file describing the IPS signature format used by SEPM, in case you want to create custom rules.
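The port note above is worth seeing in action. The following is an added example written for this page; it is not one of the attached SEPM signatures and does not use SEPM's signature syntax. It is a toy matcher that applies a "destination port plus HTTP content" rule to a few constructed flows, so you can see why a rule bound to 8080 misses a host that is not proxied, why a rule bound to 80 misses a proxied host, and why content (the request URI) is what survives in both cases. The C2 URI `/c2/checkin.php`, the IPs and the hostnames are all made up for the example.

```python
"""
Toy IPS-style matcher: why a proxy-aware rule must use the proxy's port.

Added example, not a SEPM signature and not the attachment from the post.
The rule fields, the C2 marker and the sample flows are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    dest_ports: frozenset  # TCP destination ports the rule applies to
    content: bytes         # byte pattern that must appear in the payload


@dataclass(frozen=True)
class Flow:
    flow_id: str
    dst_ip: str
    dst_port: int
    payload: bytes


# Illustrative C2 check-in URI. Constructed for this example; not a real
# botnet indicator and not taken from the attached signatures.
C2_MARKER = b"/c2/checkin.php"


def make_rule(ports=(80,)):
    """Build the content rule for the given destination port(s).

    The post's rules use 8080 (proxy); a host with no proxy needs 80.
    Passing both ports covers either path at the cost of a wider match.
    """
    return Rule("constructed-c2-checkin", frozenset(ports), C2_MARKER)


def matches(rule, flow):
    """A flow fires the rule only if both the port and the content match."""
    return flow.dst_port in rule.dest_ports and rule.content in flow.payload


def alerts(rule, flows):
    """Return the ids of the flows the rule fires on, in input order."""
    return [f.flow_id for f in flows if matches(rule, f)]


# Constructed sample traffic (IPs from documentation ranges, fake hostnames).
SAMPLE_FLOWS = [
    # No proxy: client talks straight to the C2 host on 80 with a relative URI.
    Flow("direct", "203.0.113.10", 80,
         b"POST /c2/checkin.php HTTP/1.1\r\nHost: c2.example.test\r\n\r\nid=1"),
    # Behind a proxy on 8080: the packet goes to the proxy's IP and the
    # request line carries the absolute URI. The marker is still present.
    Flow("proxied", "10.0.0.5", 8080,
         b"POST http://c2.example.test/c2/checkin.php HTTP/1.1\r\n"
         b"Host: c2.example.test\r\n\r\nid=1"),
    # Benign request through the same proxy: port matches, content does not.
    Flow("benign", "10.0.0.5", 8080,
         b"GET http://www.example.test/index.html HTTP/1.1\r\n"
         b"Host: www.example.test\r\n\r\n"),
    # Same check-in on a port neither variant watches: a port-bound rule misses it.
    Flow("odd-port", "203.0.113.10", 8443,
         b"POST /c2/checkin.php HTTP/1.1\r\nHost: c2.example.test\r\n\r\nid=1"),
]


if __name__ == "__main__":
    for ports in [(8080,), (80,), (80, 8080)]:
        print(ports, alerts(make_rule(ports), SAMPLE_FLOWS))
```

Two things the run makes visible: behind a proxy the destination IP on the wire is the proxy's, so a rule that keyed on the C2 address would never fire and the match has to come from the HTTP content; and any rule that names a destination port at all is blind to a check-in on a port it does not list, so pick the port set for the hosts you actually deploy to rather than leaving the default.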