[Emerging-Sigs] new Downadup/Conficker-A sig?

Jack Pepper pepperjack at afferentsecurity.com
Fri Jan 16 23:46:17 EST 2009


Since all the samples on the f-secure site were using http/1.0, maybe this will improve the FP ratio:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
flow:to_server,established; content:"/search?q=";
pcre:"/\/search\?q\=[0-9]{1,4} http\/1\.0/mi";
content:!".google.com";
classtype:trojan-activity;
reference:url,www.f-secure.com/weblog/archives/00001584.html;
sid:XXXXXXXXXXXXXXXXX; rev:1;)

That would look for a numeric-only value for q, plus I upped it to 4 digits since f-secure is showing some of those.

jp




Quoting Frank Knobbe <frank at knobbe.us>:

> On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
>> how about something like this?
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
>> flow:to_server,established; content:"/search?q=";
>> pcre:"/\/search\?q\=[0-9]{1,3}/mi";
>> content:!".google.com";
>> classtype:trojan-activity;
>> reference:url,www.f-secure.com/weblog/archives/00001584.html;
>> sid:XXXXXXXXXXXXXXXXX; rev:1;)
>
> Can you run that for a while and report on rate of false positives? :)
> I thought we had tried a rule like that (only "search?q=") but got way
> too many FP's.
>
> -Frank
>

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
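To see what the extra " http/1.0" tail and the 1-4 digit bound change in practice, here is an added example (not from the thread, not Snort itself) that emulates the option chain of both rules over a handful of constructed request payloads; it only models content, negated content and pcre, not flow, ports or Snort's real buffers.

```python
import re

# Constructed HTTP request payloads (not real captures) labelled by what they imitate.
SAMPLE_REQUESTS = [
    ("GET /search?q=127 HTTP/1.0\r\nHost: 203.0.113.10\r\n\r\n", "worm-style beacon"),
    ("GET /search?q=1234 HTTP/1.0\r\nHost: 203.0.113.10\r\n\r\n", "4-digit beacon"),
    ("GET /search?q=42 HTTP/1.1\r\nHost: example.org\r\n\r\n", "browser-ish, HTTP/1.1"),
    ("GET /search?q=42 HTTP/1.0\r\nHost: www.google.com\r\n\r\n", "google, excluded"),
    ("GET /search?q=conficker HTTP/1.0\r\nHost: example.org\r\n\r\n", "non-numeric q"),
    ("GET /search?q=123456 HTTP/1.0\r\nHost: example.org\r\n\r\n", "6-digit q"),
]

# The quoted proposal: 1-3 digits, nothing anchoring the end of the value.
RULE_RPG = {
    "content": ["/search?q="],
    "pcre": re.compile(r"/search\?q=[0-9]{1,3}", re.I | re.M),
    "not_content": [".google.com"],
}
# The revision: 1-4 digits followed by the " HTTP/1.0" request-line tail.
RULE_JP = {
    "content": ["/search?q="],
    "pcre": re.compile(r"/search\?q=[0-9]{1,4} http/1\.0", re.I | re.M),
    "not_content": [".google.com"],
}

def rule_matches(rule, payload: str) -> bool:
    """Emulate the option chain: every content must be present (case-sensitive,
    as Snort matches without nocase), the pcre must match (/i makes it
    case-insensitive), and no negated content may appear anywhere."""
    if not all(c in payload for c in rule["content"]):
        return False
    if not rule["pcre"].search(payload):
        return False
    return not any(c in payload for c in rule["not_content"])

def evaluate(rule, requests) -> list:
    """Labels of the requests the rule would alert on, in input order."""
    return [label for payload, label in requests if rule_matches(rule, payload)]

if __name__ == "__main__":
    for name, rule in (("RPG", RULE_RPG), ("JP", RULE_JP)):
        print(name, "alerts on:", evaluate(rule, SAMPLE_REQUESTS))
```

The revision drops the HTTP/1.1 request and the over-long numeric value that the quoted proposal still fires on, while both skip the google.com request because of the negated content.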