[Emerging-Sigs] new Downadup/Conficker-A sig?
frank at knobbe.us
Fri Jan 16 19:00:40 EST 2009
On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
> how about something like this?
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
> flow:to_server,established; content:"/search?q=";
> sid:XXXXXXXXXXXXXXXXX; rev:1;)
Can you run that for a while and report on rate of false positives? :)
I thought we had tried a rule like that (only "search?q=") but got way
too many FPs.
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
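To make the false-positive concern concrete, here is an added example (my own code, not something posted in this thread and not part of the Emerging Threats ruleset) that evaluates the proposed rule's content: option against a handful of constructed client-to-server HTTP requests. It only approximates Snort's payload test: it extracts positive content:"..." patterns (decoding |xx xx| hex notation and backslash escapes), does a case-sensitive substring match, and assumes the flow/direction conditions are already satisfied. Hostnames and request lines in the sample are made up for the demonstration.

```python
import re
from typing import List, Sequence, Tuple

# The rule exactly as proposed in the thread (sid placeholder left as posted).
PROPOSED_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; '
    'flow:to_server,established; content:"/search?q="; sid:XXXXXXXXXXXXXXXXX; rev:1;)'
)

# Positive content:"..." options; a leading '!' (negated content) is not matched.
_CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')
# Snort hex notation inside a content string, e.g. |47 45 54| for "GET".
_HEX_RE = re.compile(r'\|([0-9A-Fa-f\s]+)\|')


def _unescape(seg: str) -> bytes:
    # Snort allows \" \; \: \\ \| inside a content string; drop the backslash.
    return re.sub(r'\\(.)', r'\1', seg).encode('latin-1')


def rule_contents(rule: str) -> List[bytes]:
    """Return the positive content patterns of a Snort rule as raw bytes.

    Modifier keywords (nocase, http_uri, depth, ...) are ignored, so this is
    a conservative approximation of what the rule tests in the payload.
    """
    patterns = []
    for raw in _CONTENT_RE.findall(rule):
        buf = bytearray()
        pos = 0
        for m in _HEX_RE.finditer(raw):
            buf += _unescape(raw[pos:m.start()])
            buf += bytes.fromhex(m.group(1))
            pos = m.end()
        buf += _unescape(raw[pos:])
        patterns.append(bytes(buf))
    return patterns


def rule_fires(patterns: Sequence[bytes], payload: bytes) -> bool:
    """Case-sensitive substring match for every pattern, as Snort does without nocase."""
    return all(p in payload for p in patterns)


# Constructed sample: ordinary user traffic from $HOME_NET to web servers.
BENIGN_REQUESTS = [
    b"GET /search?q=snort+rule+syntax&ie=UTF-8 HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    b"GET /search?q=weather+nashville HTTP/1.1\r\nHost: www.bing.com\r\n\r\n",
    b"GET /search?q=conficker+removal HTTP/1.1\r\nHost: search.yahoo.com\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /w/index.php?search=snort HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
]


def false_positive_count(rule: str, requests: Sequence[bytes]) -> Tuple[int, int]:
    """Return (requests that trip the rule, total requests) for a benign sample."""
    patterns = rule_contents(rule)
    hits = sum(1 for r in requests if rule_fires(patterns, r))
    return hits, len(requests)


if __name__ == "__main__":
    hits, total = false_positive_count(PROPOSED_RULE, BENIGN_REQUESTS)
    print(f"{hits}/{total} benign requests trip the rule:")
    patterns = rule_contents(PROPOSED_RULE)
    for r in BENIGN_REQUESTS:
        if rule_fires(patterns, r):
            print("  " + r.split(b"\r\n")[0].decode())
```

Every plain web search in the sample trips the rule, which is the outcome frank describes. Running a candidate signature over a capture of normal traffic this way, before it goes anywhere near a production sensor, is the cheapest way to get the false-positive number he is asking for.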