[nsp-sec] FW: [sec] Conficker Timecheck Daily Reports Data
Smith, Donald
Donald.Smith at qwest.com
Fri Apr 17 15:17:02 EDT 2009
I am trying to validate the conficker-time check data.
Here is my process so far.
Pull the ips from the source, sort and uniq them, build a flow-nfilter acl based on PART of that (I "sampled" the top 100 for my acl).
Find packets where the src and dst port are 2k or larger print and sort the unique ports.
Grep the top ports from the src file to see if it looks like conficker p2p (static high port to static high port).
Check the ips to see if those ports match their conficker.c p2p ports.
python ./get_ports.py ip_address.
I got zero matches so far. I have only done 6 unique IPs but expected to see some p2p matches on the "correct" ports.
What did I prove?
I didn't prove that there is anything wrong with the conficker timecheck data. The traffic that I see looks similar to conficker p2p to me in that I am seeing static high port to static high port communications, but my conficker p2p port generation tool isn't giving me any matches.
Do we know what version of conficker these should be? The tool I am using generates .C or .D p2p ports :(
If the time-check data is just the newest version (E) then I may need to go find another p2p port generation tool.
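The triage steps above (filter flows where both ports are 2k or larger, look for a single static source port reaching many peers, compare observed ports with the port set a P2P port-generation tool predicts for that IP) can be scripted. The following is an added example, not code from the original message or from any Conficker tool. It assumes a constructed whitespace-separated record format (src_ip src_port dst_ip dst_port proto packets) and uses a hypothetical EXPECTED_P2P_PORTS table in place of the real per-IP port generation, which is not implemented here.

```python
"""Triage of flow records for the static-high-port-to-high-port pattern.

Added example, not from the original post. Assumed record format
(constructed for this example):
    src_ip src_port dst_ip dst_port proto packets
The actual Conficker.C/D per-IP port generation is NOT implemented;
EXPECTED_P2P_PORTS is a hypothetical stand-in for a port-generation
tool's output.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

HIGH_PORT = 2000  # the post's "2k or larger" threshold


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int


# Constructed sample records using documentation address ranges; not real data.
SAMPLE_FLOWS = """\
192.0.2.10 41236 198.51.100.7 52811 tcp 4
192.0.2.10 41236 198.51.100.9 33104 tcp 2
192.0.2.10 41236 203.0.113.4 61002 udp 1
192.0.2.10 80 198.51.100.7 52811 tcp 1
192.0.2.22 1025 198.51.100.7 445 tcp 3
192.0.2.22 55560 198.51.100.7 52811 tcp 5
"""

# Hypothetical per-IP expected port sets (constructed values), standing in
# for what a P2P port-generation tool would print for each source IP.
EXPECTED_P2P_PORTS: Dict[str, Set[int]] = {
    "192.0.2.10": {41236, 41237},
    "192.0.2.22": {12345, 12346},
}


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; skip blank or malformed lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            flows.append(Flow(parts[0], int(parts[1]), parts[2],
                              int(parts[3]), parts[4], int(parts[5])))
        except ValueError:
            continue  # non-numeric port or packet count
    return flows


def high_port_flows(flows: List[Flow], threshold: int = HIGH_PORT) -> List[Flow]:
    """Keep only flows where both endpoints use a port >= threshold."""
    return [f for f in flows
            if f.src_port >= threshold and f.dst_port >= threshold]


def static_source_ports(flows: List[Flow]) -> Dict[str, Counter]:
    """Per source IP, count how many distinct peers each source port reached.

    One source port talking to many different high ports on many peers is
    the 'static high port to static high port' signal the post describes.
    """
    peers = defaultdict(lambda: defaultdict(set))
    for f in flows:
        peers[f.src_ip][f.src_port].add((f.dst_ip, f.dst_port))
    return {ip: Counter({port: len(p) for port, p in ports.items()})
            for ip, ports in peers.items()}


def match_expected(profile: Dict[str, Counter],
                   expected: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """For each IP, return the observed source ports that the tool predicted."""
    return {ip: set(ports) & expected.get(ip, set())
            for ip, ports in profile.items()}


if __name__ == "__main__":
    hp = high_port_flows(parse_flows(SAMPLE_FLOWS))
    profile = static_source_ports(hp)
    for ip, matched in match_expected(profile, EXPECTED_P2P_PORTS).items():
        print(ip, dict(profile[ip]), "matches:", sorted(matched) or "none")
```

An IP whose profile shows one dominant source port but no overlap with the predicted set is exactly the "looks like p2p but the tool disagrees" case; swapping EXPECTED_P2P_PORTS for the output of a generator built for the right variant is the only change needed to re-run the comparison.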