Suricata not detecting Eicar file
  • I am using Suricata with Snort's rules and it's not detecting the EICAR file when I download it.



  • Are you sure you have the proper rule or rules enabled? Suricata will not understand the syntax (keywords usually) for some Snort rules and will thus kick those rules out at startup. Look in the suricata.log for the interface to see if any Snort rule errors are showing up. You can find that log on the LOGS VIEW tab. Suricata is optimized for Emerging Threats rules since that company is a major sponsor of the Suricata development team.
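The reply above suggests checking suricata.log for Snort rules that Suricata rejected at startup. The following is an added example, not code from the thread or from Suricata itself: it scans constructed suricata.log lines for rule-load errors and pulls out the rule file and line number so the offending signature can be found and disabled. The log lines, error codes and the rules path are constructed samples that imitate the usual format; the real log for an interface lives under Suricata's log directory and may differ in detail.

```python
import re

# Constructed sample of suricata.log output (not taken from the thread). The
# two <Error> lines imitate what Suricata logs when a Snort rule uses a keyword
# it does not understand and the signature is dropped at startup.
SAMPLE_LOG = """\
3/2/2020 -- 10:15:01 - <Notice> - This is Suricata version 4.1.6 RELEASE
3/2/2020 -- 10:15:02 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(35)] - unknown rule keyword 'file_data_foo'.
3/2/2020 -- 10:15:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:\\"bad rule\\"; sid:1000001;)" from file /usr/local/etc/suricata/suricata_123_em0/rules/snort.rules at line 42
3/2/2020 -- 10:15:03 - <Info> - 3 signatures processed. 2 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only
3/2/2020 -- 10:15:03 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
"""

# Matches the error marker and captures the symbolic error code plus the text after it.
ERROR_RE = re.compile(r"<Error> - \[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<msg>.*)")
# Matches the "from file ... at line N" suffix Suricata appends to signature parse errors.
SIG_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")


def rule_load_errors(log_text):
    """Return one dict per <Error> line: error code, message, and (if present)
    the rules file and line number of the rejected signature."""
    found = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        entry = {"code": m.group("code"), "message": m.group("msg"),
                 "file": None, "line": None}
        s = SIG_RE.search(m.group("msg"))
        if s:
            entry["file"] = s.group("file")
            entry["line"] = int(s.group("line"))
        found.append(entry)
    return found


def signatures_loaded(log_text):
    """Return the signature count Suricata reported after loading, or None if absent."""
    m = re.search(r"(\d+) signatures processed", log_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for err in rule_load_errors(SAMPLE_LOG):
        where = f" ({err['file']}:{err['line']})" if err["file"] else ""
        print(f"{err['code']}{where}: {err['message'][:60]}")
    print("signatures loaded:", signatures_loaded(SAMPLE_LOG))
```

Run it against the real file by replacing `SAMPLE_LOG` with the contents of the interface's suricata.log; a rejected rule shows up as an error line with the file and line to edit, and a low "signatures processed" count next to a large rule set is the symptom that many Snort rules never loaded.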



  • Same here.



  • First, in order to detect the EICAR virus file you will need a Snort or Emerging Threats rule specifically designed for detecting the file, and you need that rule signature enabled. Secondly, and more importantly, if you are downloading the file from a web site and the web site is SSL encrypted (in other words, it is an HTTPS URL), then the virus payload will not be detected because it is encrypted with the end-to-end encryption of SSL between your browser and the web site.

    Neither Snort nor Suricata will, out-of-the-box, detect that file. And most especially they can't detect it when it comes over an encrypted connection such as SSL.

    If this is a surprise to you, then welcome to the wonderful world of encryption and VPNs since that technology has pretty much totally neutered deep packet inspection (DPI) technology. The only method to do DPI with encrypted traffic is to set up a MITM (man-in-the-middle) interception. And that comes with its own Pandora's Box of technological and ethical problems.
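The two conditions in the reply above (a content rule for the file must exist and be enabled, and the rule can only match bytes the sensor sees in the clear) can be shown with a small content matcher. This is an added example, not code from the thread or from Suricata: the "rule" is a hypothetical sid with the opening bytes of the published EICAR test string as its content (the full string and the real Emerging Threats / Snort rule are not reproduced here), the HTTP response is constructed, and the "encryption" is a keyed XOR that only stands in for TLS to show that the wire bytes no longer contain the signature.

```python
import hashlib

# Opening bytes of the published EICAR test string, used as the rule content.
# Assumption: the real rule matches the whole 68-byte string; the prefix is
# enough to show the principle.
EICAR_PREFIX = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"

# Hypothetical rule table: (sid, enabled, content bytes). The sid is made up.
RULES = [
    (1000001, True, EICAR_PREFIX),
]

# Constructed download body: the signature prefix followed by filler.
SAMPLE_BODY = EICAR_PREFIX + b"<remainder of the test file omitted>\n"


def http_response(body):
    """Build a minimal plaintext HTTP/1.1 response carrying the body."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def simulate_tls(plaintext, secret):
    """Stand-in for TLS, NOT real TLS: XOR the stream with a keystream derived
    from a shared secret. It only models the one property that matters here,
    that the bytes on the wire are not the plaintext."""
    key = hashlib.sha256(secret).digest()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


def inspect(stream, rules):
    """What a content rule effectively does: return the sids of enabled rules
    whose content bytes occur anywhere in the (reassembled) stream."""
    return [sid for sid, enabled, content in rules if enabled and content in stream]


if __name__ == "__main__":
    clear = http_response(SAMPLE_BODY)
    print("plaintext HTTP, rule enabled :", inspect(clear, RULES))
    print("plaintext HTTP, rule disabled:",
          inspect(clear, [(1000001, False, EICAR_PREFIX)]))
    print("same response over TLS-like channel:",
          inspect(simulate_tls(clear, b"session-secret"), RULES))
```

With the rule enabled the plaintext response matches; with the rule present but disabled nothing fires; and once the same bytes are encrypted the sensor has nothing to match on, which is the point about HTTPS downloads made above.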