[Emerging-Sigs] new Downadup/Conficker-A sig?

Frank Knobbe frank at knobbe.us
Sat Jan 17 00:57:13 EST 2009


On Fri, 2009-01-16 at 22:59 -0600, Jack Pepper wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
> flow:to_server,established; content:"/search?q=";
> pcre:"/\/search\?q\=[0-9]{1,4}\s+http\/1\.0/mi";
> content:!".google.com";
> classtype:trojan-activity;
> reference:url,www.f-secure.com/weblog/archives/00001584.html;
> sid:XXXXXXXXXXXXXXXXX; rev:1;)

Committed. Thanks guys.

-Frank
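The matching logic of the rule quoted above, as an added Python example that is not part of the original post: it applies the same content, pcre and negated-content checks to constructed HTTP request payloads (the flow, port and direction options of the rule are not modeled).

```python
import re

# Constructed sample HTTP request payloads (not from the original post).
SAMPLES = {
    "beacon": "GET /search?q=23 HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    "google": "GET /search?q=23 HTTP/1.0\r\nHost: www.google.com\r\n\r\n",
    "http11": "GET /search?q=23 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "alpha": "GET /search?q=abc HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    "five": "GET /search?q=12345 HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
}

# Same pattern as the rule's pcre; the /m and /i flags map to MULTILINE and IGNORECASE.
PCRE = re.compile(r"/search\?q=[0-9]{1,4}\s+http/1\.0", re.MULTILINE | re.IGNORECASE)


def rule_matches(payload: str) -> bool:
    """Apply the rule's payload options in order: content, pcre, negated content."""
    # content:"/search?q=" is a plain literal check (case-sensitive, no nocase modifier).
    if "/search?q=" not in payload:
        return False
    # pcre: one to four digits after q=, whitespace, then HTTP/1.0 (case-insensitive).
    if PCRE.search(payload) is None:
        return False
    # content:!".google.com" with no relative modifier: the rule must not fire
    # if the literal appears anywhere in the payload.
    if ".google.com" in payload:
        return False
    return True


def scan(payloads):
    """Run every sample through the rule logic and report which would alert."""
    return {name: rule_matches(p) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:7s} -> {'ALERT' if hit else 'no match'}")
```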