[Emerging-Sigs] conficker domain rules

Matt Jonkman jonkman at jonkmans.com
Tue Jan 20 00:52:04 EST 2009

Great rules Jack. Surely useful, but I'd rather keep them out of the
ruleset for the time being. They'll come and go quickly. :)


Jack Pepper wrote:
> The previous conficker domain ruleset was 3750 rules.  that seemed a  
> bit much.  I have created an alternate "regex from hell" version that  
> uses PCRE to map the same 3750 domains into just 56 rules (at the  
> price of some serious PCRE hashing).  You do what works for you.
> Detailed rules: http://www.autoshun.org/downloads/conficker.rules
> PCRE based rules: http://www.autoshun.org/downloads/rconficker.rules
> don't load them both, that's just pointless.
> jp

Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Emerging-sigs mailing list