rila
Level 7

Network IPS Conficker signature?

Hi Community,

Does someone know if I can use the following signatures for the Network IPS module inside HIPS?

Why does the Network IPS have no signature? Does only Host IPS have one?

alert tcp any any -> $HOME_NET 445 (msg: "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000001; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode"; content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)

These can be found at the following link:

http://net.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Kind regards,

RILA

0 Kudos
1 Reply
McAfee Employee

Re: Network IPS Conficker signature?

Network IPS signatures cannot be built in the Host IPS product. McAfee Network Security Platform (IntruShield) might have network coverage for this.

0 Kudos