Snort mailing list archives

HTTP-Inspect / Stream4 Reassembly question


From: Daniel Purcell <dpurcell () nitrosecurity com>
Date: Tue, 31 May 2005 10:35:17 -0600

List users,

For some reason, my snort rule is not detecting a simple signature. The EICAR virus is a simple sample virus that can be used to detect
whether or not a virus-detection engine is working. It is 68
bytes long. It is in fact an executable (an MS-DOS .com file) that is
also entirely printable ASCII characters (all 68 bytes). You can see it
here:

        http://www.eicar.org/anti_virus_test_file.htm

I have a rule in the database to detect it. It is really simple (almost
overly so). Here it is:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EICAR test virus";
content:"X5O!P%@AP[4|5c|PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
classtype:not-suspicious;
reference:url,www.eicar.org/anti_virus_test_file.htm; rev:1;)

It is just a rule with one content. I can't get it to detect with my 2.3.x or 2.2.x copy of snort when I go to the above
web site. I have found a way, however, to force it to detect it, but it
is pretty bad - I have to turn off _BOTH_ the Stream-4-Reassembly, _AND_
turn off the HTTP_INSPECT preprocessors. Then, it will detect it every
time. Otherwise, it will never detect it. And, it is not just that. I
can't even detect, for example, the "X5" from the front of the string,
or the "EICAR" from the middle of the string without turning those off.

Does the content: tag do some mangling of the packet before it inspects it? I thought that's what uricontent did...

-Daniel

--
Dyslexics have more fnu.
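Two things the question above turns on, as an added example that is not part of the original message and is not Snort's own code: how a content: pattern (with its |5c| hex escape) becomes the raw bytes the engine searches for, and why a pattern that matches on the reassembled TCP stream can fail when each packet is inspected on its own. The hex-escape parser, the constructed HTTP response and the segment split below are this example's own assumptions, written to model the documented Snort 2 content syntax; they are not Snort's implementation and do not diagnose the poster's setup.

```python
# Content pattern copied from the rule in the post. |5c| is Snort's hex escape
# for a backslash, so the source never needs the raw character itself.
RULE_CONTENT = 'X5O!P%@AP[4|5c|PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'


def snort_content_to_bytes(pattern: str) -> bytes:
    """Translate a Snort content: pattern into the raw bytes it matches.

    Text outside |...| is literal; inside the pipes, space-separated hex bytes.
    A backslash escapes the characters Snort requires escaping (\\ " ; : |).
    This is a model of the documented syntax written for this example, not
    Snort's own parser.
    """
    out = bytearray()
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':                       # escaped literal character
            out.append(ord(pattern[i + 1]))
            i += 2
        elif ch == '|':                      # hex block, e.g. |5c| or |0d 0a|
            end = pattern.index('|', i + 1)
            out += bytes.fromhex(pattern[i + 1:end])
            i = end + 1
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def http_response(body: bytes) -> bytes:
    """Constructed HTTP response carrying the body, standing in for what the
    web server would return (assumption of this example)."""
    return (b'HTTP/1.1 200 OK\r\n'
            b'Content-Type: application/octet-stream\r\n'
            b'Content-Length: ' + str(len(body)).encode() + b'\r\n'
            b'\r\n' + body)


def split_stream(data: bytes, *cut_points: int) -> list:
    """Cut one TCP stream's payload into segments at the given byte offsets,
    simulating a server response that arrives in several packets."""
    segments, prev = [], 0
    for cut in sorted(cut_points):
        segments.append(data[prev:cut])
        prev = cut
    segments.append(data[prev:])
    return segments


def per_packet_match(segments, needle: bytes) -> bool:
    """Inspection without reassembly: the pattern must sit inside one segment."""
    return any(needle in seg for seg in segments)


def reassembled_match(segments, needle: bytes) -> bool:
    """Inspection after stream reassembly: the segments are joined first."""
    return needle in b''.join(segments)


def demo() -> dict:
    needle = snort_content_to_bytes(RULE_CONTENT)
    response = http_response(needle)
    header_len = response.index(b'\r\n\r\n') + 4
    # Cut the stream in the middle of the 68-byte test string.
    segments = split_stream(response, header_len + 30)
    return {
        'pattern_len': len(needle),
        'one_packet': per_packet_match([response], needle),
        'split_per_packet': per_packet_match(segments, needle),
        'split_reassembled': reassembled_match(segments, needle),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Running demo() shows the pattern decoding to exactly 68 bytes with a real backslash at offset 11, a match when the whole response sits in one packet, no match when the string is cut across two segments and each is searched alone, and a match again once the two segments are joined. It is a model of the matching arithmetic only; which preprocessors normalise or reassemble a given stream in Snort 2.2/2.3 is a separate question the code does not answer.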


