[Emerging-Sigs] new Downadup/Conficker-A sig?
Bojan Zdrnja (SANS ISC)
bojan.isc at gmail.com
Sat Jan 17 06:23:29 EST 2009
On Sat, Jan 17, 2009 at 5:46 AM, Jack Pepper
<pepperjack at afferentsecurity.com> wrote:
> Since all the samples on the f-secure site were using http/1.0, maybe
> this will improve the FP ratio:
They are, but there are HTTP/1.1 samples as well (I got access to like
20 GB of logs).
So this works as well: "GET /search?q=0 HTTP/1.1", which means you can't
use HTTP/1.0 to anchor this :/
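
The point made in the reply above, as an added example that is not part of the original post or of any Emerging Threats rule: a small log scanner that compares an HTTP/1.0-anchored match with a version-agnostic one and lists the requests the anchored match misses. The log layout, the function names, the sample lines (constructed, not real traffic) and the generalization of `q=0` to any decimal value are assumptions.

```python
import re

# Constructed access-log lines for illustration only (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jan/2009:06:01:02 -0500] "GET /search?q=0 HTTP/1.0" 200 512',
    '10.0.0.9 - - [17/Jan/2009:06:01:07 -0500] "GET /search?q=0 HTTP/1.1" 200 512',
    '10.0.0.7 - - [17/Jan/2009:06:02:11 -0500] "GET /search?q=cheap+flights HTTP/1.1" 200 9120',
    '10.0.0.7 - - [17/Jan/2009:06:02:30 -0500] "POST /search?q=0 HTTP/1.1" 200 40',
    '10.0.0.8 - - [17/Jan/2009:06:03:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

# Request line as it appears inside the quoted field of the log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<version>1\.[01])"')
# Assumption: the thread shows q=0; any decimal value is accepted here.
CHECKIN_URI = re.compile(r"/search\?q=\d+")


def parse(line):
    """Return source address, method, URI and HTTP version, or None."""
    m = REQUEST.search(line)
    if m is None:
        return None
    return {"src": line.split()[0], **m.groupdict()}


def is_checkin(req, require_http10):
    """True if the request has the check-in shape discussed in the thread."""
    if req["method"] != "GET" or not CHECKIN_URI.fullmatch(req["uri"]):
        return False
    return req["version"] == "1.0" if require_http10 else True


def scan(lines, require_http10):
    """Return (source, version) for every matching request, in log order."""
    hits = []
    for line in lines:
        req = parse(line)
        if req is not None and is_checkin(req, require_http10):
            hits.append((req["src"], req["version"]))
    return hits


def missed_by_http10_anchor(lines):
    """Requests the version-agnostic match finds but the anchored one drops."""
    anchored = set(scan(lines, require_http10=True))
    return [hit for hit in scan(lines, require_http10=False) if hit not in anchored]


if __name__ == "__main__":
    print("anchored on HTTP/1.0:", scan(SAMPLE_LOG, require_http10=True))
    print("any HTTP version:    ", scan(SAMPLE_LOG, require_http10=False))
    print("missed by the anchor:", missed_by_http10_anchor(SAMPLE_LOG))
```
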