WAF 370145

From Atomicorp Wiki
Revision as of 15:19, 19 September 2012 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Rule 370145
Status: Active
Alert Message:
Atomicorp.com WAF Rules: Known wormsign



This rule detects the Pushdo botnet's "smokescreen" connections. These connections are used by the botnet to hide its connections by connecting to sites that are not part of the botnet.

These connections do not mean the system has been compromised by this botnet.


False Positives


It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

None. It is not recommended that you disable this rule. However if you wish to, please see the Tuning the Atomicorp WAF Rules page for basic information.

Additional Information

Similar Rules


Knowledge Base Articles


Outside References

New Pushdo variant infects more than 100k computers

Pushdo botnet's smokescreen traffic hits legitimate websites



Personal tools