[Emerging-Sigs] new Downadup/Conficker-A sig?

Frank Knobbe frank at knobbe.us
Fri Jan 16 19:00:40 EST 2009


On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
> how about something like this?
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
> flow:to_server,established; content:"/search?q=";
> pcre:"/\/search\?q\=[0-9]{1,3}/mi";
> content:!".google.com";
> classtype:trojan-activity;
> reference:url,www.f-secure.com/weblog/archives/00001584.html;
> sid:XXXXXXXXXXXXXXXXX; rev:1;)

Can you run that for a while and report on the rate of false positives? :)
I thought we had tried a rule like that (only "search?q=") but got way
too many FPs.

-Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
