alert tcp $HOME_NET any -> 67.15.94.80 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2008802; rev:3;)

alert tcp $HOME_NET any -> [75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location"; flow:to_server; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; threshold:type both, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008803; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker; sid:2008803; rev:3;)