[Emerging-Sigs] new Downadup/Conficker-A sig?

RPG inittab at jtan.com
Fri Jan 16 20:09:38 EST 2009


Well, I think this might be ok.  Here's a modification to the pcre to
look for white space after the 1-, 2- or 3-digit number.

pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi";

Frank Knobbe wrote:
> On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
>> How about something like this?
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
>> flow:to_server,established; content:"/search?q=";
>> pcre:"/\/search\?q\=[0-9]{1,3}/mi";
>> content:!".google.com";
>> classtype:trojan-activity;
>> reference:url,www.f-secure.com/weblog/archives/00001584.html;
>> sid:XXXXXXXXXXXXXXXXX; rev:1;)
> 
> Can you run that for a while and report on the rate of false positives? :)
> I thought we had tried a rule like that (only "search?q=") but got way
> too many FPs.
> 
> -Frank
> 
> 


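The following is an added example, not code from the thread or from Emerging Threats: it approximates the posted rule's option logic (the content match, each of the two pcre variants, and the negated ".google.com" content) in Python and runs it over a handful of constructed HTTP request payloads, so the effect of appending \s+ to the pcre can be seen side by side. It mirrors the option semantics, not the Snort engine; the sample requests and host names are made up for illustration.

```python
import re

# Constructed client-to-server HTTP payloads (not real captures), as Snort
# would see them after stream reassembly.  Hosts and queries are invented.
SAMPLES = {
    "conficker_like": b"GET /search?q=12 HTTP/1.0\r\nHost: 203.0.113.5\r\n\r\n",
    "four_digits":    b"GET /search?q=1234 HTTP/1.1\r\nHost: example.net\r\n\r\n",
    "extra_params":   b"GET /search?q=123&hl=en HTTP/1.1\r\nHost: example.net\r\n\r\n",
    "word_query":     b"GET /search?q=snort+rules HTTP/1.1\r\nHost: example.net\r\n\r\n",
    "google_search":  b"GET /search?q=42 HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "no_search":      b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n",
}

# The two pcre variants from the thread.  PCRE's /m and /i flags map to
# re.M and re.I; the "\=" escape in the original is just a literal "=".
PCRE_ORIGINAL = re.compile(rb"/search\?q=[0-9]{1,3}", re.I | re.M)
PCRE_WHITESPACE = re.compile(rb"/search\?q=[0-9]{1,3}\s+", re.I | re.M)


def rule_matches(payload: bytes, pcre: re.Pattern) -> bool:
    """Approximate the posted rule's options against one request payload.

    content:"/search?q="    -> case-sensitive substring test (no nocase)
    pcre:"..."              -> regex search with the chosen pattern
    content:!".google.com"  -> negated, case-sensitive substring test
    flow/ports are assumed to have already been satisfied.
    """
    if b"/search?q=" not in payload:
        return False
    if not pcre.search(payload):
        return False
    if b".google.com" in payload:
        return False
    return True


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (hits_with_original_pcre, hits_with_whitespace_pcre)}."""
    return {
        name: (rule_matches(p, PCRE_ORIGINAL), rule_matches(p, PCRE_WHITESPACE))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (orig, ws) in evaluate().items():
        print(f"{name:15} original={orig!s:5} with_whitespace={ws}")
```

The \s+ variant only fires when the 1- to 3-digit value is immediately followed by the space before "HTTP/1.x", so queries with more digits or trailing parameters (the "four_digits" and "extra_params" samples) drop out, which is where the original pattern over-matched. Two caveats carry over from the rule itself: the negated ".google.com" content only helps when the Host header sits in the same inspected buffer as the request line, and because the content match has no nocase, a request line with a differently cased "/Search?q=" never reaches the pcre at all.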