[Emerging-Sigs] new Downadup/Conficker-A sig?

Matt Jonkman jonkman at jonkmans.com
Sat Jan 17 22:34:12 EST 2009


Updated, thanks all!

RPG wrote:
> Well, I think this might be ok.  Here's a modification to the pcre to
> look for whitespace after the 1-, 2- or 3-digit number.
> 
> pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi";
> 
> Frank Knobbe wrote:
>> On Fri, 2009-01-16 at 18:20 -0500, RPG wrote:
>>> how about something like this?
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting";
>>> flow:to_server,established; content:"/search?q=";
>>> pcre:"/\/search\?q\=[0-9]{1,3}/mi";
>>> content:!".google.com";
>>> classtype:trojan-activity;
>>> reference:url,www.f-secure.com/weblog/archives/00001584.html;
>>> sid:XXXXXXXXXXXXXXXXX; rev:1;)
>> Can you run that for a while and report on rate of false positives? :)
>> I thought we had tried a rule like that (only "search?q=") but got way
>> too many FPs.
>>
>> -Frank
>>
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
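The thread above argues about two details of the rule: whether requiring whitespace after the 1-3 digit number (RPG's revised pcre) tightens it, and whether "/search?q=" alone is too prone to false positives (Frank's concern). The following Python script is an added example, not code from the list or from Emerging Threats; it transcribes the rule's three payload options (content, pcre, negated content) and runs both pcre variants over a handful of constructed HTTP request payloads. The hostnames are placeholders, not real worm or search-engine domains, and the flow/port options of the rule are out of scope.

```python
import re

# Rule options transcribed from the thread. Snort's content: match is
# case-sensitive without 'nocase', so these are compared as raw bytes.
CONTENT_MATCH = b"/search?q="
CONTENT_NOT = b".google.com"        # content:!".google.com" (negated)

# The first pcre posted (no trailing whitespace requirement) ...
PCRE_ORIGINAL = re.compile(rb"/search\?q=[0-9]{1,3}", re.IGNORECASE | re.MULTILINE)
# ... and RPG's revision, which requires whitespace after the 1-3 digit number.
PCRE_REVISED = re.compile(rb"/search\?q=[0-9]{1,3}\s+", re.IGNORECASE | re.MULTILINE)


def rule_matches(payload, pcre=PCRE_REVISED):
    """Apply the rule's payload options to one HTTP request payload.
    All three must hold for the rule to fire; flow and port options are
    assumed to have already been satisfied."""
    if CONTENT_MATCH not in payload:
        return False
    if pcre.search(payload) is None:
        return False
    if CONTENT_NOT in payload:       # any occurrence of the negated content suppresses
        return False
    return True


def http_get(path, host):
    """Build a minimal client request payload (constructed sample data)."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n").encode()


# Constructed samples; the hostnames are placeholders chosen for illustration.
SAMPLES = {
    "report_one_digit":    http_get("/search?q=3",         "reporting-host.example"),
    "report_three_digit":  http_get("/search?q=120",       "reporting-host.example"),
    "four_digit":          http_get("/search?q=1234",      "reporting-host.example"),
    "google_search":       http_get("/search?q=42",        "www.google.com"),
    "digits_then_text":    http_get("/search?q=3rd+party", "www.example-engine.example"),
    "other_engine_number": http_get("/search?q=404",       "www.example-engine.example"),
}


def evaluate(pcre=PCRE_REVISED):
    """Return {sample name: True/False} for the given pcre variant."""
    return {name: rule_matches(payload, pcre) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for label, pcre in (("original", PCRE_ORIGINAL), ("revised", PCRE_REVISED)):
        print(f"--- pcre {label}: {pcre.pattern!r}")
        for name, hit in evaluate(pcre).items():
            print(f"{'ALERT' if hit else '  -  '}  {name}")
```

Running it shows what the `\s+` buys: with the original pcre, `q=1234` and `q=3rd+party` both fire because the pattern is satisfied by the first one to three digits, while the revised pcre only fires when the digits run straight into the request-line whitespace. It also shows what the thread's false-positive worry looks like in practice: a user typing a short number into any search engine whose payload does not contain ".google.com" (here `other_engine_number`) fires either variant, since nothing in the rule ties the match to a worm-specific host or header.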