Bug #3670

closed

SMB evasion against EICAR file detection

Added by Jeff Lucovsky over 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal

Description

Signature is

alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)

Tests pass with a regular download: https://github.com/OISF/suricata-verify/pull/175

The signature is not triggered when the file is overwritten, as in the attached pcap:
- a first dummy write of one byte at offset 0 is done
- the second, full write of EICAR at offset 0 is then done and does not trigger detection

This issue seems generic to the Rust parsers that handle files:
https://github.com/OISF/suricata/blob/master/rust/src/filetracker.rs#L147

I think that we should at least have one protocol event for this
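Added example, not Suricata's code: a toy model of two ways a file tracker can reassemble SMB WRITE requests, run against the write sequence described in this report (the EICAR content is decoded from the signature's hex). The "skip overlap" tracker is an assumed simplification, not the logic in filetracker.rs.

```python
from typing import Dict, List, Tuple

# Content bytes from the signature above; decoded at runtime rather than typed out.
EICAR_HEX = ("58354f2150254041505b345c505a58353428505e2937434329377d"
             "2445494341522d5354414e444152442d414e544956495255532d"
             "544553542d46494c452124482b482a")
EICAR = bytes.fromhex(EICAR_HEX)

Write = Tuple[int, bytes]  # (file offset, data) as carried in an SMB WRITE


def reassemble_skip_overlap(writes: List[Write]) -> bytes:
    """Assumed append-only tracker: bytes that overlap an already-tracked
    range are discarded and only the new tail is appended."""
    buf = bytearray()
    for offset, data in writes:
        if offset < len(buf):
            data = data[len(buf) - offset:]  # drop the overlapping prefix
            offset = len(buf)
        if offset > len(buf):
            buf.extend(b"\x00" * (offset - len(buf)))  # gap filled for the model
        buf.extend(data)
    return bytes(buf)


def reassemble_overwrite(writes: List[Write]) -> bytes:
    """Tracker that applies each write at its offset, so a later write
    overwrites earlier data at the same position (what the file on disk sees)."""
    buf = bytearray()
    for offset, data in writes:
        end = offset + len(data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[offset:end] = data
    return bytes(buf)


def matches_eicar(file_data: bytes) -> bool:
    """The content match from the signature."""
    return EICAR in file_data


# Constructed write sequences: the evasion from the report (one dummy byte at
# offset 0, then the full body at offset 0) and a plain single write.
EVASION_WRITES: List[Write] = [(0, b"A"), (0, EICAR)]
PLAIN_WRITES: List[Write] = [(0, EICAR)]


def evaluate(writes: List[Write]) -> Dict[str, bool]:
    """Whether each reassembly strategy still yields a signature match."""
    return {"skip_overlap": matches_eicar(reassemble_skip_overlap(writes)),
            "overwrite": matches_eicar(reassemble_overwrite(writes))}
```

With the plain write both strategies match; with the dummy-byte-first sequence only the overwriting tracker still does.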

Files

- input.pcap (4.14 KB), Philippe Antoine, 02/12/2020 03:01 PM
- smb1_eicar_andx_write_padding.pcap (7.69 KB), Philippe Antoine, 02/26/2020 01:35 PM
- smb1_eicar_andx_locking_write.pcap (3.28 KB), Philippe Antoine, 04/01/2020 11:54 AM

Related issues (1; 0 open, 1 closed)

- Copied from Suricata - Bug #3475: SMB evasion against EICAR file detection (Closed, Philippe Antoine)