Snort mailing list archives

Re: eicar file does not trigger snort alert


From: Al Lewis via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 13 Jul 2022 20:10:04 -0400

Hello,

Are you running snort2 or snort3?
Do you have a sample pcap that you can share?
Are you testing with a pcap or with live traffic?


On Wed, Jul 13, 2022 at 4:14 PM Jy Tan via Snort-sigs
<snort-sigs () lists snort org> wrote:

We tried to use EICAR files for testing IDS alerts; however, the alert does not trigger.
Some of the entries I took from the snort.rules:
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"X5O!P%@AP[4|5C|PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42372; rev:5; )
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42373; rev:5; )
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|44 54 CD 3C BA 76 BF 75 53 47 28 94 1E 72 15 04 41 3B 9A B6 32 85 89 31 84 81 83 A6 42 DA 42 95|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42374; rev:5; )
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|08 43 1F A6 84 67 40 39 48 76 D3 FE 4B 3C 80 07 33 EF 32 83 6D 24 F4 B2 3D 48 15 90 BA E2 5C 40|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3, smtp; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42375; rev:5; )
alert tcp any any -> any any ( msg:"POLICY-OTHER eicar file detected"; flow:established; file_data; content:"|CB 68 9E 19 5D 89 56 55 DB ED 56 ED D9 4B D2 60 DC 0B E2 9E 17 8C D3 70 16 C6 D3 C4 4B FB 49 EA|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy connectivity-ips drop,policy security-ips drop; service:ftp-data, http, imap, pop3; reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity; sid:42376; rev:5; )


I would like to check: what are the prerequisites for this alert to trigger?
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset (https://snort.org/downloads/#rule-downloads), make sure to stay up to date to catch the most emerging threats!



-- 
Thanks!

Al Lewis
albert.l.lewis () gmail com
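The rules quoted above only fire when three preconditions are met at once: `flow:established` requires Snort to have seen the full three-way handshake, `file_data` requires the service inspector (here HTTP) to have parsed a response so that the file body is exposed as a buffer, and the service list means the session must be identified as one of ftp-data/http/imap/pop3/smtp. A pcap that was captured mid-stream, or that carries the test string in a raw TCP payload rather than an HTTP response body, satisfies none of that. The script below is an added example, not part of the thread or of the Snort project: it writes a synthetic pcap containing one complete HTTP session (handshake, GET, 200 response whose body is the published 68-byte EICAR test string, FIN teardown) with valid IP and TCP checksums, which can then be replayed with `snort -r` against the rule set to confirm whether sid 42372 alerts. The addresses, MACs, sequence numbers, hostname and timestamps are constructed placeholder values.

```python
"""Write a pcap of one complete HTTP session delivering the EICAR test string,
so that Snort's flow:established / file_data / service:http preconditions are
all satisfiable on replay (added example; constructed values throughout)."""
import socket
import struct

# The published 68-byte EICAR test string (a harmless, well-known test value).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed documentation-range addresses and locally administered MACs.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
CLIENT_PORT, SERVER_PORT = 40000, 80
MAC = {CLIENT: bytes.fromhex("020000000001"), SERVER: bytes.fromhex("020000000002")}
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame (no options) with correct checksums."""
    eth = MAC[dst] + MAC[src] + b"\x08\x00"
    src_ip, dst_ip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000,
                     64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    return eth + ip + tcp + payload


def decode(pkt: bytes):
    """Return (src, dst, tcp_flags, payload) of a frame from tcp_packet,
    raising if either checksum does not verify (sum over a correct header is 0)."""
    ip = pkt[14:34]
    if checksum(ip) != 0:
        raise ValueError("bad IP checksum")
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - 34)
    if checksum(pseudo + pkt[34:]) != 0:
        raise ValueError("bad TCP checksum")
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), pkt[47], pkt[54:]


def build_session():
    """Handshake, GET, 200 response carrying EICAR as the body, FIN teardown."""
    def c2s(seq, ack, flags, data=b""):
        return tcp_packet(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, seq, ack, flags, data)

    def s2c(seq, ack, flags, data=b""):
        return tcp_packet(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, seq, ack, flags, data)

    request = (b"GET /eicar.com HTTP/1.1\r\nHost: files.example\r\n"
               b"User-Agent: curl/8.0.0\r\nAccept: */*\r\n\r\n")
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(EICAR)) + EICAR
    cs, ss = 1000, 5000  # constructed initial sequence numbers
    rq, rs = len(request), len(response)
    return [
        c2s(cs, 0, SYN),                              # SYN
        s2c(ss, cs + 1, SYN | ACK),                   # SYN/ACK
        c2s(cs + 1, ss + 1, ACK),                     # ACK: flow is now established
        c2s(cs + 1, ss + 1, PSH | ACK, request),      # HTTP request
        s2c(ss + 1, cs + 1 + rq, ACK),                # server ACKs the request
        s2c(ss + 1, cs + 1 + rq, PSH | ACK, response),  # response: file_data buffer
        c2s(cs + 1 + rq, ss + 1 + rs, ACK),           # client ACKs the response
        s2c(ss + 1 + rs, cs + 1 + rq, FIN | ACK),     # server closes
        c2s(cs + 1 + rq, ss + 2 + rs, FIN | ACK),     # client closes
        s2c(ss + 2 + rs, cs + 2 + rq, ACK),           # final ACK
    ]


def write_pcap(path: str, packets) -> int:
    """Write classic libpcap format (link type 1 = Ethernet); returns packet count."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, pkt in enumerate(packets):
            # constructed timestamps, one millisecond apart
            f.write(struct.pack("<IIII", 1657742040, i * 1000, len(pkt), len(pkt)))
            f.write(pkt)
    return len(packets)


if __name__ == "__main__":
    n = write_pcap("eicar_http.pcap", build_session())
    print("wrote eicar_http.pcap (%d packets); replay with snort -r" % n)
```

Replay it with the same configuration file the sensor uses (`snort -c <your config> -r eicar_http.pcap`). If sid 42372 alerts on this pcap but not on your own traffic, the difference is in the capture or the deployment rather than the rule: a capture that starts after the handshake, a session on a port the HTTP inspector is not bound to, or a transfer over a protocol outside the rule's service list will all leave the preconditions unmet. The hash-style content rules (42373 to 42376) match different byte sequences than the plain-text string, so the text variant is the one this pcap exercises.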
