# sid:2009024 rev:13 — latest revision on this page. Uses the "http" app-layer protocol keyword
# (every earlier revision below is "tcp ... $HTTP_PORTS"), so matching is not tied to the
# $HTTP_PORTS variable. Direction: client -> server on an established flow (flow:to_server,established).
# Match 1: "/search?q=" in the normalized URI buffer (http_uri); the /U pcre then requires the
#   query value to be 1-3 digits, optionally followed by "&aq=7" and an optional "?" plus 8
#   lowercase hex chars (no /i), at the end of the URI ($). The pcre has no leading "^" (rev 10
#   below had one), so "/search?q=" need not be the start of the URI.
# Match 2: the second pcre carries no buffer modifier, so it runs against the raw payload and
#   requires a "Host: " header (exact case, single space) whose value is a bare dotted quad —
#   \d+ four times, octets are not range-checked — so a hostname in Host: does not match.
#   This Host-IP constraint is what rev 8 (further down, the revision with the false-positive
#   report) lacked; it is presumably the main false-positive limiter here — verify with a pcap.
# NOTE(review): metadata created_at/updated_at (2010_07_30) predate this revision's entry date
#   (2017-08-07); treat them as rule-level metadata, not this revision's change date.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; pcre:"/\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\x3a \d+\.\d+\.\d+\.\d+\x0d\x0a/"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; classtype:trojan-activity; sid:2009024; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:02:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; pcre:"/\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\x3a \d+\.\d+\.\d+\.\d+\x0d\x0a/"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; classtype:trojan-activity; sid:2009024; rev:11;)

Added 2011-10-12 19:26:27 UTC

www.f-secure.com/weblog/archives/00001584.html is a useless reference. Please replace it with https://technet.microsoft.com/library/security/ms08-067

-- AndrewPatroni - 2015-11-30

That reference doesn't seem to be related to this threat; are you sure that's the link you intended to provide? We'd be more than happy to fix the reference, provided it is related to the signature.

-- DarienH - 2015-11-30


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; pcre:"/\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\x3a \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; sid:2009024; rev:11;)

Added 2011-09-14 22:39:50 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2009024; rev:10;)

Added 2011-03-17 21:40:57 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2009024; rev:10;)

Added 2011-02-04 17:28:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2009024; rev:9;)

Added 2010-03-04 21:00:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2009024; rev:9;)

Added 2010-03-04 21:00:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:7;)

Added 2010-02-15 10:46:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:7;)

Added 2010-02-15 10:46:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:7;)

Added 2010-02-15 10:44:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:7;)

Added 2010-02-15 10:44:44 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009024; rev:8;)

Added 2010-01-26 09:46:05 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009024; rev:8;)

Added 2010-01-26 09:46:05 UTC


# sid:2009024 rev:8 — the revision the false-positive report directly below concerns. Its only
# pcre (/mi, no buffer modifier) requires "/search?q=" + 1-3 digits + whitespace anywhere in the
# payload; there is no Host-header constraint, so any site using a "/search?q=<digits>" URL
# (the report names textsfromlastnight.com area-code searches) can trigger it. Later revisions
# above add an end-of-URI anchor and a dotted-quad Host: requirement.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009024; rev:8;)

Added 2009-09-08 16:48:23 UTC

Rule generates a false positive when you search by area code on the textsfromlastnight.com site, which uses a similar /search?q= string — pcap attached

-- RickChisholm - 26 Jan 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009024; rev:8;)

Added 2009-09-08 16:48:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009024; rev:8;)

Added 2009-09-08 16:45:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009024; rev:8;)

Added 2009-09-08 16:45:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker; sid:2009024; rev:7;)

Added 2009-09-05 09:30:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/CURRENT_Conficker; sid:2009024; rev:7;)

Added 2009-09-05 09:30:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:6;)

Added 2009-03-03 10:15:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:6;)

Added 2009-03-03 10:15:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:5;)

Added 2009-02-06 19:00:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2009024; rev:5;)

Added 2009-02-06 19:00:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:2009024; rev:4;)

Added 2009-01-18 09:15:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:2009024; rev:4;)

Added 2009-01-18 09:15:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; content:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; content:!".google.com"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:2009024; rev:3;)

Added 2009-01-17 22:45:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; content:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,3}\s+/mi"; content:!".google.com"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:2009024; rev:3;)

Added 2009-01-17 22:45:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; content:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,4}/mi"; content:!".google.com"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:2009024; rev:2;)

Added 2009-01-17 13:15:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; content:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,4}/mi"; content:!".google.com"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:2009024; rev:2;)

Added 2009-01-17 13:15:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm reporting"; flow:to_server,established; content:"/search?q="; pcre:"/\/search\?q\=[0-9]{1,4}\s+http\/1\.0/mi"; content:!".google.com"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; sid:2009024; rev:1;)

Added 2009-01-17 01:00:23 UTC

