alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET
[!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible
Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value
1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track
by_src, count 95, seconds 50; classtype:trojan-activity;
reference:url,mtc.sri.com/Conficker/addendumC/ ;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker ;
sid:666661; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET
[!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible
Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value
4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track
by_src, count 95, seconds 40; classtype:trojan-activity;
reference:url,mtc.sri.com/Conficker/addendumC/ ;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker ;
sid:666662; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET
[!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible
Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value
5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track
by_src, count 95, seconds 40; classtype:trojan-activity;
reference:url,mtc.sri.com/Conficker/addendumC/;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker ;
sid:666663; rev:3;)

alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET
[!1720,!1722,!2427,!5060,1024:] (msg:"ET CURRENT_EVENTS Possible
Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value
16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track
by_src, count 95, seconds 40; classtype:trojan-activity;
reference:url,mtc.sri.com/Conficker/addendumC/ ;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Conficker ;
sid:666664; rev:3;)