    Suricata not detecting Eicar file

    Category: IDS/IPS. 4 Posts, 3 Posters, 1.0k Views
    ehte

      I am using Suricata with Snort's rules and it's not detecting the EICAR file when I downloaded it.

      bmeeks (last edited by bmeeks)

        Are you sure you have the proper rule or rules enabled? Suricata will not understand the syntax (keywords usually) for some Snort rules and will thus kick those rules out at startup. Look in the suricata.log for the interface to see if any Snort rule errors are showing up. You can find that log on the LOGS VIEW tab. Suricata is optimized for Emerging Threats rules since that company is a major sponsor of the Suricata development team.

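The check suggested above (look in suricata.log for Snort rules that Suricata refused to load) can be scripted. The parser below is an added example, not code from the thread or from the pfSense Suricata package; the log lines it consumes are constructed, and the message layout (`<Error> - [ERRCODE: ...] - error parsing signature "..." from file ... at line N` plus the `N rules successfully loaded, M rules failed` summary) is assumed to match what Suricata writes.

```python
import re

# Constructed sample of suricata.log lines (assumed format): two Snort rules
# rejected at startup because Suricata does not understand their syntax.
SAMPLE_LOG = r"""
21/3/2019 -- 10:15:22 - <Info> - Loading rule file: /usr/local/etc/suricata/suricata_IFACE/rules/suricata.rules
21/3/2019 -- 10:15:23 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"EXAMPLE snort-only keyword\"; sid:9000001; rev:1;)" from file /usr/local/etc/suricata/suricata_IFACE/rules/suricata.rules at line 120
21/3/2019 -- 10:15:23 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:\"EXAMPLE second bad rule\"; sid:9000002; rev:1;)" from file /usr/local/etc/suricata/suricata_IFACE/rules/suricata.rules at line 340
21/3/2019 -- 10:15:30 - <Info> - 1 rule files processed. 2 rules successfully loaded, 2 rules failed
"""

SIG_ERROR = re.compile(
    r'<Error> - \[ERRCODE: (?P<code>[A-Z_]+)\(\d+\)\] - error parsing signature '
    r'"(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)'
)
SID = re.compile(r'\bsid:\s*(\d+)')
SUMMARY = re.compile(r'(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed')


def rejected_rules(log_text):
    """Return (list of rejected rules, (loaded, failed) totals or None).

    Each rejected rule is a dict with the sid parsed out of the signature text,
    the rules file and line it came from, and Suricata's error code.
    """
    rejected = []
    totals = None
    for line in log_text.splitlines():
        m = SIG_ERROR.search(line)
        if m:
            s = SID.search(m.group('rule'))
            rejected.append({
                'sid': int(s.group(1)) if s else None,
                'file': m.group('file'),
                'line': int(m.group('line')),
                'code': m.group('code'),
            })
            continue
        m = SUMMARY.search(line)
        if m:
            totals = (int(m.group('loaded')), int(m.group('failed')))
    return rejected, totals


def sid_was_rejected(log_text, sid):
    """True if the rule you expected to fire was thrown out at startup."""
    rejected, _ = rejected_rules(log_text)
    return any(r['sid'] == sid for r in rejected)


if __name__ == "__main__":
    rules, counts = rejected_rules(SAMPLE_LOG)
    for r in rules:
        print(f"sid {r['sid']} rejected ({r['code']}) at {r['file']}:{r['line']}")
    if counts:
        print(f"{counts[0]} rules loaded, {counts[1]} failed")
```

Run it against the real interface log instead of SAMPLE_LOG; if the sid of the EICAR rule you enabled shows up as rejected, no amount of downloading will trigger it.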
        gary.shakhoyan

          Same here.

          bmeeks (last edited by bmeeks)

            First, in order to detect the Eicar virus file you will need a Snort or Emerging Threats rule specifically designed for detecting the file, and you need that rule signature enabled. Secondly, and more importantly, if you are downloading the file from a web site and the web site is SSL encrypted (in other words, it is an HTTPS URL), then the virus payload will not be detected because it is encrypted with the end-to-end encryption of SSL between your browser and the web site.

            Neither Snort nor Suricata will, out-of-the-box, detect that file. And most especially they can't detect it when it comes over an encrypted connection such as SSL.

            If this is a surprise to you, then welcome to the wonderful world of encryption and VPNs since that technology has pretty much totally neutered deep packet inspection (DPI) technology. The only method to do DPI with encrypted traffic is to set up a MITM (man-in-the-middle) interception. And that comes with its own Pandora's Box of technological and ethical problems.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.