Snort mailing list archives

eicar file does not trigger snort alert


From: Jy Tan via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 13 Jul 2022 14:37:05 +0800

We tried to use EICAR files for testing IDS alerts; however, the alert does
not trigger.
Some of the entries I took from the snort.rules:
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"X5O!P%@AP[4|5C|PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42372; rev:5; )
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42373; rev:5; )
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|44 54 CD 3C BA 76 BF 75 53 47 28 94 1E 72 15 04 41 3B 9A B6 32 85 89 31 84 81 83 A6 42 DA 42 95|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42374; rev:5; )
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|08 43 1F A6 84 67 40 39 48 76 D3 FE 4B 3C 80 07 33 EF 32 83 6D 24 F4 B2 3D 48 15 90 BA E2 5C 40|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42375; rev:5; )
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42376; rev:5; )


Would like to check: what are the prerequisites for this alert to trigger?
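Added example (my own code, not from the poster or from the Snort ruleset): the Python below reproduces the content checks of the five posted rules and runs them against a constructed HTTP response to show two of the prerequisites the question is asking about. First, `file_data` matches on the decoded body that the HTTP inspector hands to the detection engine, so a gzip-encoded download carries no EICAR string on the wire and only matches after decoding; `file_data_view` here is my simplified stand-in for that buffer (an assumption, not Snort's implementation). Second, sids 42373-42376 look for fixed 32-byte sequences rather than the ASCII test string, so a stock eicar.com file can match only sid 42372.

```python
import gzip

# EICAR test string, assembled from fragments at runtime so that saving this
# script to disk does not itself trip endpoint antivirus.
EICAR = b"".join([
    b"X5O!P%@AP[4", b"\\", b"PZX54(P^)7CC)7}",
    b"$EICAR-STANDARD-", b"ANTIVIRUS-TEST-FILE!", b"$H+H*",
])

# Content of sid:42372 as posted. `|5C|` is Snort hex notation for a backslash;
# `nocase` makes the comparison case-insensitive.
RULE_42372_CONTENT = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Fixed 32-byte sequences from sids 42373-42376, copied from the posted rules
# (42376 carries the same bytes as 42373 with a shorter service list).
_SEQ_42373 = bytes.fromhex(
    "CB689E195D895655DBED56EDD94BD260DC0BE29E178CD37016C6D3C44BFB49EA")
RULE_BINARY_CONTENTS = {
    42373: _SEQ_42373,
    42374: bytes.fromhex(
        "4454CD3CBA76BF75534728941E721504413B9AB632858931848183A642DA4295"),
    42375: bytes.fromhex(
        "08431FA6846740394876D3FE4B3C800733EF32836D24F4B23D481590BAE25C40"),
    42376: _SEQ_42373,
}


def matching_sids(buf: bytes) -> list[int]:
    """Apply the content checks of the five posted rules to one buffer.

    `nocase` is honoured by lower-casing both sides; bytes.lower() only
    touches ASCII letters, so the binary patterns are treated the same way
    Snort would treat them under nocase.
    """
    hits = []
    if RULE_42372_CONTENT.lower() in buf.lower():
        hits.append(42372)
    for sid, pattern in RULE_BINARY_CONTENTS.items():
        if pattern.lower() in buf.lower():
            hits.append(sid)
    return hits


def split_http_response(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into a header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def file_data_view(raw_response: bytes) -> bytes:
    """Simplified stand-in (an assumption, not Snort's code) for what the
    file_data buffer exposes for an HTTP response: the body after the HTTP
    inspector has removed a gzip Content-Encoding."""
    headers, body = split_http_response(raw_response)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def build_response(body: bytes, gzip_encode: bool) -> bytes:
    """Construct a sample HTTP/1.1 response carrying `body` (constructed data)."""
    if gzip_encode:
        body = gzip.compress(body)
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: application/octet-stream"]
    if gzip_encode:
        lines.append(b"Content-Encoding: gzip")
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def main() -> None:
    plain = build_response(EICAR, gzip_encode=False)
    zipped = build_response(EICAR, gzip_encode=True)
    print("plain wire bytes       :", matching_sids(plain))                  # [42372]
    print("gzip wire bytes        :", matching_sids(zipped))                 # []
    print("gzip after file_data   :", matching_sids(file_data_view(zipped)))  # [42372]
    print("sid 42373 bytes as file:", matching_sids(_SEQ_42373))             # [42373, 42376]


if __name__ == "__main__":
    main()
```

Beyond the content itself, every one of these rules also requires `flow:established` (Snort must have seen the TCP three-way handshake, so a one-sided replay or a capture that starts mid-session will not fire) and one of the listed `service:` values (the session has to be identified as ftp-data, http, imap, pop3 or smtp; an EICAR file fetched over HTTPS is never visible to `file_data` at all). Checking handshake, service identification and body decoding in that order is the quickest way to find out why the alert stays silent.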
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs