Bug #3670
SMB evasion against EICAR file detection (status: closed)
Description
Signature is
alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)
Test passes with regular download: https://github.com/OISF/suricata-verify/pull/175
Signature is not triggered when overwriting the file as in the attached pcap:
- a first dummy write of one byte at offset 0 is done
- the second full write of EICAR at offset 0 is then done and does not trigger detection
This issue seems generic for Rust parsers with files:
https://github.com/OISF/suricata/blob/master/rust/src/filetracker.rs#L147
I think that we should at least have one protocol event for this
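To make the overlap case in this report concrete, here is a small Python model of a file tracker that receives writes at explicit offsets, as used for SMB write reassembly. It is an added illustration, not code from Suricata or from the report; the tracker classes, the first-write-wins behaviour and the event name `file.overlapping_write` are hypothetical, and the EICAR bytes are decoded from the hex content match in the rule quoted above (kept in memory only). It shows how a one-byte dummy write at offset 0 followed by the full body at offset 0 can leave the reassembled content without the pattern, and how an overlap-aware tracker both raises the protocol event the reporter asks for and still matches.

```python
import binascii

# EICAR test string, decoded from the hex content match in the rule quoted in
# this report. It is never written to disk here.
EICAR_HEX = (
    "58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d"
    "5354414e444152442d414e544956495255532d544553542d46494c452124482b482a"
)
EICAR = binascii.unhexlify(EICAR_HEX)

# Hypothetical event name; the real Suricata event name is not on the page.
OVERLAP_EVENT = "file.overlapping_write"


def content_match(data, pattern=EICAR):
    """Stand-in for the rule's file_data content match: True if pattern occurs."""
    return pattern in bytes(data)


class FirstWriteWinsTracker:
    """Toy tracker: the first byte seen at an offset is kept and later
    overlapping bytes are silently dropped. This is a hypothetical model of
    how an overlapping write can corrupt reassembly; it does not claim to
    reproduce rust/src/filetracker.rs."""

    def __init__(self):
        self.buf = bytearray()   # reassembled file content
        self.seen = bytearray()  # one flag per offset already written

    def _grow(self, end):
        # Extend both buffers so that offsets [0, end) exist.
        if end > len(self.buf):
            self.buf.extend(b"\0" * (end - len(self.buf)))
            self.seen.extend(b"\0" * (end - len(self.seen)))

    def write(self, offset, data):
        """Apply one write; returns a list of events (always empty here)."""
        self._grow(offset + len(data))
        for i, b in enumerate(data):
            if not self.seen[offset + i]:
                self.buf[offset + i] = b
                self.seen[offset + i] = 1
        return []

    def file_data(self):
        return bytes(self.buf)


class OverlapAwareTracker(FirstWriteWinsTracker):
    """Same tracker, but a write that touches already-written offsets raises
    an event, and the newer data replaces the old, which is what the server
    ends up storing."""

    def write(self, offset, data):
        end = offset + len(data)
        self._grow(end)
        events = []
        if any(self.seen[offset:end]):
            events.append(OVERLAP_EVENT)
        self.buf[offset:end] = data
        self.seen[offset:end] = b"\x01" * len(data)
        return events


def replay(tracker, writes):
    """Feed (offset, data) writes into a tracker; return (events, matched)."""
    events = []
    for offset, data in writes:
        events += tracker.write(offset, data)
    return events, content_match(tracker.file_data())


# Constructed write sequences: the plain download, and the sequence described
# in this report (one dummy byte at offset 0, then the full body at offset 0).
PLAIN_WRITES = [(0, EICAR)]
OVERLAP_WRITES = [(0, b"A"), (0, EICAR)]

if __name__ == "__main__":
    print("plain, first-write-wins :", replay(FirstWriteWinsTracker(), PLAIN_WRITES))
    print("overlap, first-write-wins:", replay(FirstWriteWinsTracker(), OVERLAP_WRITES))
    print("overlap, overlap-aware   :", replay(OverlapAwareTracker(), OVERLAP_WRITES))
```

The design point is that the event is raised independently of whether the content match succeeds: even if a tracker cannot reconstruct what the server finally stored, surfacing overlapping writes as a parser event gives a rule something to match on (Suricata exposes parser events to rules through the `app-layer-event` keyword; the event name used here is invented for the model).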
Updated by Jeff Lucovsky over 4 years ago
- Copied from Bug #3475: SMB evasion against EICAR file detection added
Updated by Shivani Bhardwaj over 4 years ago
- Priority changed from Normal to Immediate
Updated by Victor Julien over 4 years ago
- Priority changed from Immediate to Normal
- Target version changed from 4.1.8 to 4.1.9
- Affected Versions 4.1.7, 4.1.8 added
- Affected Versions deleted (5.0.2)
Updated by Shivani Bhardwaj about 4 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien about 4 years ago
- Status changed from In Review to Closed