[Emerging-Sigs] new Downadup/Conficker-A sig?

RPG inittab at jtan.com
Fri Jan 16 18:20:02 EST 2009


How about something like this?

# Outbound HTTP request for /search?q=<number> to a host that is not *.google.com;
# wrapped with \ line continuation so Snort loads it as a single rule
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; \
flow:to_server,established; content:"/search?q="; \
pcre:"/\/search\?q\=[0-9]{1,3}/mi"; \
content:!".google.com"; \
classtype:trojan-activity; \
reference:url,www.f-secure.com/weblog/archives/00001584.html; \
sid:XXXXXXXXXXXXXXXXX; rev:1;)


RPG wrote:
> Does anyone have any recommendations for a signature based on the 
> following analysis, the current sid, 2008804, doesn't match.
> 
> http://www.f-secure.com/weblog/archives/00001584.html
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
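As an added check, not part of RPG's message or of the Emerging Threats ruleset, the following Python mirrors the three payload options of the proposed rule (plain content, pcre, negated content) and runs them over constructed HTTP request payloads. The requests and host names are made up for the illustration; the "worm_report" sample is simply a request of the shape the rule targets, not a capture.

```python
import re

# Constructed sample HTTP payloads (client -> server); not real captures.
SAMPLES = {
    # request of the shape the rule is meant to catch
    "worm_report":      b"GET /search?q=17 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # ordinary Google search: same path, excluded by the negated content
    "google_search":    b"GET /search?q=123 HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    # same path but non-numeric query: the pcre does not match
    "text_query":       b"GET /search?q=snort HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # numeric query, but ".google.com" appears elsewhere in the payload
    "referer_suppress": b"GET /search?q=17 HTTP/1.1\r\nHost: example.invalid\r\n"
                        b"Referer: http://www.google.com/\r\n\r\n",
    "unrelated":        b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

# The three payload options of the proposed rule, in order.
CONTENT = b"/search?q="                                     # content:"/search?q=" (no nocase, so case-sensitive)
PCRE = re.compile(rb"/search\?q=[0-9]{1,3}", re.I | re.M)  # pcre:"/\/search\?q\=[0-9]{1,3}/mi"
NEGATED = b".google.com"                                    # content:!".google.com"


def rule_matches(payload: bytes) -> bool:
    """Return True when all three payload options of the rule are satisfied."""
    if CONTENT not in payload:        # plain content: substring must be present
        return False
    if not PCRE.search(payload):      # pcre: must match somewhere in the payload
        return False
    if NEGATED in payload:            # negated content: substring must be absent
        return False
    return True


def evaluate(samples=SAMPLES) -> dict:
    """Run every sample through the rule logic; returns name -> would alert."""
    return {name: rule_matches(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18s} {'ALERT' if hit else '-'}")
```

Two things the samples make visible: the first content match has no `nocase`, so an upper-case `/SEARCH?Q=` path never reaches the case-insensitive pcre and is not alerted on; and the negated `.google.com` is tested against the whole payload, so that string in any header (a Referer, for instance) suppresses the alert even when the request itself matches.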

