[Oisf-devel] SNORT alert on Suricata with Napatech

Victor Julien lists at inliniac.net
Wed Oct 9 08:15:54 UTC 2019


On 08-10-19 08:33, Dezs wrote:
> I need some help with the problem below.
> The SNORT rule does not generate alarms in all cases.
> The Napatech card uses all the 20 streams according to the Suricata.yaml
> configuration file (attached).
> It alerts only in case of HTTP 80 and only 5 times of 100 downloaded
> eicar test file.
> 
> Suricata 3.2.1; Debian.
> 
> The RULE:
> alert tcp any any -> any any (msg:"POLICY-OTHER eicar test string
> download attempt"; flow:to_client,established; file_data;
> content:"7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+";
> fast_pattern:only; metadata:policy balanced-ips drop, policy
> max-detect-ips drop, policy security-ips drop;
> reference:url,www.eicar.org/86-0-Intended-use.html; classtype:misc-activity;
> sid:37732; rev:3;)
> 
> Any ideas are appreciated.

I think the first thing to try is update Suricata to a supported
version. This means upgrading to 4.1.x. Ideally you'd update to 4.1.5,
but a reasonable first step could be to try the version in stretch
backports (4.1.2).

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
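The rule's matching logic, as an added example that is not part of the thread: a small Python checker that decodes a Snort/Suricata content string and tests it against the file_data buffer (the HTTP response body) of constructed sample responses. The helper names and the sample responses are my own assumptions, not Suricata code.

```python
# Added example, not from the thread: parse the rule's content keyword the way
# Snort/Suricata do (|hex| blocks, backslash escapes) and test it against the
# file_data buffer, i.e. the HTTP response body, of a constructed response.

def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes: |41 42| -> b'AB', \\; -> ';'."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "|":                       # hex block up to the closing pipe
            end = pattern.index("|", i + 1)
            out += bytes.fromhex(pattern[i + 1:end].replace(" ", ""))
            i = end + 1
        elif c == "\\":                    # escaped ; " \ or |
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)

def file_data(response: bytes) -> bytes:
    """The file_data buffer: the HTTP response body after the header block.
    Returns b'' when no header block is found, mirroring the fact that the
    buffer is only populated for traffic parsed as HTTP."""
    head, sep, body = response.partition(b"\r\n\r\n")
    return body if sep else b""

def rule_matches(content_keyword: str, response: bytes) -> bool:
    """True when the decoded content pattern occurs in the file_data buffer."""
    return parse_content(content_keyword) in file_data(response)

# Content string exactly as written in the rule quoted in the thread.
RULE_CONTENT = "7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+"

# Constructed sample traffic (assumption, not captured data): a response whose
# body carries the string behind a made-up prefix, so it is not the real test
# file, and one that carries it only in a header, where file_data must not look.
EICAR_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                  + b"PREFIX-" + RULE_CONTENT.encode() + b"H*\n")
HEADER_ONLY = (b"HTTP/1.1 200 OK\r\nX-Note: " + RULE_CONTENT.encode()
               + b"\r\n\r\nhello\n")

if __name__ == "__main__":
    print("body match:", rule_matches(RULE_CONTENT, EICAR_RESPONSE))   # True
    print("header-only match:", rule_matches(RULE_CONTENT, HEADER_ONLY))  # False
```

Because file_data is only filled once the stream has been parsed as HTTP, a flow that Suricata does not decode as HTTP yields an empty buffer and the content test cannot fire, which is the first thing to verify when a file_data rule alerts only on some ports.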