Project

General

Profile

Actions

Bug #3670

closed

SMB evasion against EICAR file detection

Added by Jeff Lucovsky over 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Signature is

alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)

Test pass with regular download : https://github.com/OISF/suricata-verify/pull/175

Signature is not triggered when overwriting file as in the attached pcap :
- a first dummy write of one byte at offset 0 is done
- the second full write of EICAR at offset 0 is then done and does not trigger detection

This issue seems generic for Rust parsers with files :
https://github.com/OISF/suricata/blob/master/rust/src/filetracker.rs#L147

I think that we should at least have one protocol event for this


Files

input.pcap (4.14 KB) input.pcap Philippe Antoine, 02/12/2020 03:01 PM
smb1_eicar_andx_write_padding.pcap (7.69 KB) smb1_eicar_andx_write_padding.pcap Philippe Antoine, 02/26/2020 01:35 PM
smb1_eicar_andx_locking_write.pcap (3.28 KB) smb1_eicar_andx_locking_write.pcap Philippe Antoine, 04/01/2020 11:54 AM

Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #3475: SMB evasion against EICAR file detectionClosedPhilippe AntoineActions
Actions #1

Updated by Jeff Lucovsky over 4 years ago

  • Copied from Bug #3475: SMB evasion against EICAR file detection added
Actions #2

Updated by Shivani Bhardwaj over 4 years ago

  • Priority changed from Normal to Immediate
Actions #3

Updated by Victor Julien over 4 years ago

  • Priority changed from Immediate to Normal
  • Target version changed from 4.1.8 to 4.1.9
  • Affected Versions 4.1.7, 4.1.8 added
  • Affected Versions deleted (5.0.2)
Actions #4

Updated by Shivani Bhardwaj about 4 years ago

  • Status changed from Assigned to In Review
Actions #5

Updated by Victor Julien about 4 years ago

  • Status changed from In Review to Closed
Actions #6

Updated by Victor Julien almost 4 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF