Bug #3475

closed

SMB evasion against EICAR file detection

Added by Philippe Antoine almost 5 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The signature is:

alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)

The test passes with a regular download: https://github.com/OISF/suricata-verify/pull/175

The signature is not triggered when overwriting the file as in the attached pcap:
- a first dummy write of one byte at offset 0 is done
- the second, full write of EICAR at offset 0 is then done and does not trigger detection

This issue seems generic for Rust parsers with files:
https://github.com/OISF/suricata/blob/master/rust/src/filetracker.rs#L147

I think that we should at least have one protocol event for this.
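The following is an added illustration, not code from Suricata or from the reporter, of the two-write sequence described above. It models file-chunk tracking in two ways: an append-only tracker that only accepts the chunk at the expected offset (a constructed stand-in for the behaviour the report describes, not a copy of filetracker.rs), and a tracker that applies each write at its stated offset and records a protocol event when a write overlaps bytes already seen, which is the kind of event the report asks for. The file name, the marker bytes and the event string are constructed; the marker replaces the EICAR content from the signature so the file is harmless to store.

```python
"""Model of SMB-style file write tracking: overlapping-write evasion vs. detection.

Constructed example; nothing here is Suricata's own code.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed stand-in for the signature's file_data content.
MARKER = b"CONSTRUCTED-TEST-MARKER"


@dataclass
class TrackedFile:
    name: str
    expected_offset: int = 0                 # next offset an append-only tracker expects
    buffer: bytearray = field(default_factory=bytearray)
    events: List[str] = field(default_factory=list)   # protocol events raised for this file


def naive_write(f: TrackedFile, offset: int, data: bytes) -> None:
    """Append-only tracker: a chunk is used only if it starts exactly where the
    previous one ended; anything else is dropped without an event, so inspection
    never sees the second write in the scenario above."""
    if offset == f.expected_offset:
        f.buffer.extend(data)
        f.expected_offset += len(data)


def tracking_write(f: TrackedFile, offset: int, data: bytes) -> None:
    """Offset-aware tracker: applies the write where the client said it goes and
    raises a protocol event when it rewrites bytes already tracked."""
    end = offset + len(data)
    if offset < f.expected_offset:
        # Client is overwriting data already delivered to inspection: flag it.
        f.events.append(f"overlapping_write offset={offset} len={len(data)}")
    if end > len(f.buffer):
        f.buffer.extend(b"\x00" * (end - len(f.buffer)))   # grow to cover the write
    f.buffer[offset:end] = data
    f.expected_offset = max(f.expected_offset, end)


def content_matches(f: TrackedFile, needle: bytes) -> bool:
    """Stand-in for the signature's content match over the tracked file data."""
    return needle in bytes(f.buffer)


def run_scenario(write_fn: Callable[[TrackedFile, int, bytes], None]) -> Tuple[bool, List[str]]:
    """Replays the two writes from the report: a one-byte dummy write at offset 0,
    then the full content at offset 0. Returns (matched, events)."""
    f = TrackedFile("constructed-file.txt")
    write_fn(f, 0, b"X")        # first dummy write of one byte at offset 0
    write_fn(f, 0, MARKER)      # second, full write at offset 0
    return content_matches(f, MARKER), list(f.events)


if __name__ == "__main__":
    print("append-only tracker :", run_scenario(naive_write))
    print("offset-aware tracker:", run_scenario(tracking_write))
```

With the append-only tracker the second write is discarded and the content never matches; with the offset-aware tracker the content matches and an `overlapping_write` event is recorded, which gives a rule author something to alert on even before the file content is inspected.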


Files

input.pcap (4.14 KB) - Philippe Antoine, 02/12/2020 03:01 PM
smb1_eicar_andx_write_padding.pcap (7.69 KB) - Philippe Antoine, 02/26/2020 01:35 PM
smb1_eicar_andx_locking_write.pcap (3.28 KB) - Philippe Antoine, 04/01/2020 11:54 AM
myandx.pcapng (5.73 KB) - Philippe Antoine, 05/29/2020 01:57 PM

Related issues (1 open, 1 closed)

Related to Suricata - Task #3392: Tracking: protocol detection evasions (New, Philippe Antoine)
Copied to Suricata - Bug #3670: SMB evasion against EICAR file detection (Closed, Shivani Bhardwaj)