[Emerging-Sigs] new Downadup/Conficker-A sig?
inittab at jtan.com
Fri Jan 16 20:09:38 EST 2009
Well, I think this might be ok. Here's a modification to the pcre to
look for white space after the 1-, 2- or 3-digit number.
Frank Knobbe wrote:
> On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
>> how about something like this?
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
>> flow:to_server,established; content:"/search?q=";
>> sid:XXXXXXXXXXXXXXXXX; rev:1;)
> Can you run that for a while and report on rate of false positives? :)
> I thought we had tried a rule like that (only "search?q=") but got way
> too many FPs.
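The thread's concern is the false-positive rate of a bare `content:"/search?q="` match and whether requiring a 1- to 3-digit number followed by whitespace tightens it. The modified pcre itself is not on the page, so the regex below is an added reconstruction of that description (not the poster's rule), emulated in Python over constructed request lines so the effect on benign search queries can be measured before the rule goes live:

```python
import re

# Assumed reconstruction of the approach described in the thread: a cheap
# content match on "/search?q=" followed by a PCRE that requires a 1- to
# 3-digit number and then whitespace (in a request line, the space before
# the HTTP version). The exact PCRE from the post is not on the page.
CONTENT_MATCH = "/search?q="
NUMBER_THEN_WS = re.compile(r"/search\?q=\d{1,3}\s")


def rule_fires(request_line: str) -> bool:
    """Emulate the content stage, then the pcre stage, on one request line."""
    if CONTENT_MATCH not in request_line:  # content match first, as Snort would
        return False
    return NUMBER_THEN_WS.search(request_line) is not None


# Constructed sample request lines (not captured traffic). The first two
# are the shape the signature is meant to catch; the rest are ordinary
# search queries, labelled so false positives can be counted.
SAMPLES = [
    ("GET /search?q=5 HTTP/1.1", "worm-like"),
    ("GET /search?q=137 HTTP/1.1", "worm-like"),
    ("GET /search?q=conficker HTTP/1.1", "benign"),
    ("GET /search?q=2009 HTTP/1.1", "benign"),      # four digits: not matched
    ("GET /search?q=42 HTTP/1.1", "benign"),        # bare short number: FP
    ("GET /search?q=42&hl=en HTTP/1.1", "benign"),  # digits then '&': no match
]


def evaluate(samples):
    """Return (lines that alert, benign lines that alert) for a labelled set."""
    hits = [line for line, _ in samples if rule_fires(line)]
    fps = [line for line, label in samples if label == "benign" and rule_fires(line)]
    return hits, fps


if __name__ == "__main__":
    hits, fps = evaluate(SAMPLES)
    for line in hits:
        print("ALERT", line)
    print(f"{len(fps)} false positive(s) out of {len(SAMPLES)} samples")
```

Run as-is it shows the trade-off the thread is discussing: the whitespace requirement drops queries with four or more digits and queries that continue with further parameters, but a user searching for a bare one- to three-digit number still trips the rule, so the FP rate on real proxy logs is the number to watch.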