[Emerging-Sigs] conficker domain rules

Matt Jonkman jonkman at jonkmans.com
Tue Jan 20 00:52:04 EST 2009


Great rules Jack. Surely useful, but I'd rather keep them out of the
ruleset for the time being. They'll come and go quickly. :)

Matt

Jack Pepper wrote:
> The previous conficker domain ruleset was 3750 rules.  that seemed a  
> bit much.  I have created an alternate "regex from hell" version that  
> uses PCRE to map the same 3750 domains into just 56 rules (at the  
> price of some serious PCRE hashing).  You do what works for you.
> 
> Detailed rules: http://www.autoshun.org/downloads/conficker.rules
> 
> PCRE based rules: http://www.autoshun.org/downloads/rconficker.rules
> 
> don't load them both, that's just pointless.
> 
> 
> 
> jp
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




More information about the Emerging-sigs mailing list