Snort mailing list archives
eicar file does not trigger snort alert
From: Jy Tan via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 13 Jul 2022 14:37:05 +0800
We tried to use EICAR files for testing IDS alerts; however, the alert does not trigger. Some of the entries I took from the snort.rules:

alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"X5O!P%@AP[4|5C|PZX54(P^)7CC)7}-STANDARD-ANTIVIRUS-TEST-FILE!+H*",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42372; rev:5; )

alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42373; rev:5; )

alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|44 54 CD 3C BA 76 BF 75 53 47 28 94 1E 72 15 04 41 3B 9A B6 32 85 89 31 84 81 83 A6 42 DA 42 95|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42374; rev:5; )

alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|08 43 1F A6 84 67 40 39 48 76 D3 FE 4B 3C 80 07 33 EF 32 83 6D 24 F4 B2 3D 48 15 90 BA E2 5C 40|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42375; rev:5; )

alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42376; rev:5; )

I would like to check: what are the prerequisites for this alert to trigger?
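The rules above only fire when three things line up: the rule is enabled in the active policy (the metadata:policy list shows which IPS policies enable it), flow:established means Snort must have seen the TCP three-way handshake for the connection, and file_data means the content match runs against the decoded file body handed over by a service inspector (for HTTP, the response body after transfer and content decoding), not against the raw packet payload. The added Python script below is an editor's illustration of that last point and is not part of the original post or the Snort project; it assumes the canonical EICAR test string (note that the archived copy of sid:42372 above is missing the "$EICAR" and "$H" segments, which the canonical string contains), parses the |5C| hex escape the way Snort's content option does, and shows that a gzip-encoded HTTP body carrying the test file does not match a raw-payload search but does match once the body is decoded, which is what the file_data buffer provides:

```python
import gzip
import re

# Constructed sample input: the canonical, benign EICAR test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The content option of sid:42372 in Snort syntax; |5C| is the backslash byte.
RULE_CONTENT = r"X5O!P%@AP[4|5C|PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string (literal text with |xx xx| hex runs) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal text outside the pipes
        else:
            out += bytes.fromhex(part)         # hex run inside the pipes, e.g. "5C"
    return bytes(out)


def file_data_buffer(raw_response: bytes) -> bytes:
    """Approximate what an HTTP service inspector hands to file_data:
    the response body, decompressed when Content-Encoding: gzip is present."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        return b""                              # no complete header block, nothing to inspect
    if re.search(rb"content-encoding:\s*gzip", head.lower()):
        body = gzip.decompress(body)
    return body


def matches(buffer: bytes, needle: bytes, nocase: bool = True) -> bool:
    """Substring match honouring the rule's nocase modifier."""
    if nocase:
        return needle.lower() in buffer.lower()
    return needle in buffer


def build_response(body: bytes, gzip_encode: bool = False) -> bytes:
    """Constructed HTTP/1.1 response carrying the test file, optionally gzip-encoded."""
    if gzip_encode:
        body = gzip.compress(body)
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    if gzip_encode:
        headers += b"Content-Encoding: gzip\r\n"
    headers += b"Content-Length: %d\r\n\r\n" % len(body)
    return headers + body


def check(raw_response: bytes) -> dict:
    """Compare a naive raw-payload search with a file_data-style search."""
    needle = parse_content(RULE_CONTENT)
    return {
        "raw_payload_match": matches(raw_response, needle),
        "file_data_match": matches(file_data_buffer(raw_response), needle),
    }


if __name__ == "__main__":
    print("plain body :", check(build_response(EICAR)))
    print("gzip body  :", check(build_response(EICAR, gzip_encode=True)))
```

If a lab transfer of the test file produces no alert, the same checklist applies in reverse: confirm the sensor saw the handshake (a pcap replayed without the SYN/SYN-ACK never becomes an established flow), confirm the traffic runs on a port or service the HTTP/FTP/mail inspector is bound to so that file_data is populated at all, and confirm the rule's SID is actually enabled in the policy loaded on the sensor rather than merely present in snort.rules.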
Current thread:
- eicar file does not trigger snort alert Jy Tan via Snort-sigs (Jul 13)
- Re: eicar file does not trigger snort alert Al Lewis via Snort-sigs (Jul 13)