[Emerging-Sigs] new Downadup/Conficker-A sig?

Bojan Zdrnja (SANS ISC) bojan.isc at gmail.com
Sat Jan 17 06:23:29 EST 2009


On Sat, Jan 17, 2009 at 5:46 AM, Jack Pepper
<pepperjack at afferentsecurity.com> wrote:
> Since all the samples on the f-secure site were using http/1.0, maybe
> this will improve the FP ratio:

They are, but there are HTTP/1.1 samples as well (I got access to like
20 GB of logs).
So this works as well: "GET /search?q=0 HTTP/1.1", which means you can't
use HTTP/1.0 to anchor this :/

Bojan
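
Added example, not part of the original message or of any Emerging Threats rule: a small Python check over constructed proxy-log lines showing how a matcher pinned to HTTP/1.0 misses the HTTP/1.1 form of the request quoted above. The log format, addresses, host names and function names are assumptions made for illustration; only the request line `GET /search?q=0` with either version comes from the thread.

```python
import re
from collections import Counter

# Constructed sample lines (assumed format: client host "request-line").
SAMPLE_LOG = """\
10.0.0.5 example-a.test "GET /search?q=0 HTTP/1.0"
10.0.0.7 example-b.test "GET /search?q=0 HTTP/1.1"
10.0.0.9 example-c.test "GET /search?q=0&hl=en HTTP/1.1"
10.0.0.9 example-c.test "GET /index.html HTTP/1.0"
10.0.0.7 example-d.test "GET /search?q=0 HTTP/1.1"
"""

LINE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')

# Matcher pinned to the version seen in the first samples.
PINNED = re.compile(r'^GET /search\?q=0 HTTP/1\.0$')
# Matcher anchored on the end of the URI instead of on the version token.
ANY_VERSION = re.compile(r'^GET /search\?q=0 HTTP/1\.[01]$')


def parse(log):
    """Yield (client, host, request_line) for each well-formed log line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groups()


def scan(log, pattern):
    """Count matching requests per client address."""
    hits = Counter()
    for client, _host, request in parse(log):
        if pattern.match(request):
            hits[client] += 1
    return hits


def missed_by_pinning(log):
    """Requests the version-agnostic matcher flags but the pinned one skips."""
    return [(client, request) for client, _host, request in parse(log)
            if ANY_VERSION.match(request) and not PINNED.match(request)]


if __name__ == "__main__":
    print("pinned to HTTP/1.0:", dict(scan(SAMPLE_LOG, PINNED)))
    print("either version:    ", dict(scan(SAMPLE_LOG, ANY_VERSION)))
    for client, request in missed_by_pinning(SAMPLE_LOG):
        print("missed:", client, request)
```

Requiring the space directly after `q=0` keeps the match tight without relying on the version token; whether that is tight enough for an acceptable FP ratio is not something this sample data can show.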

