From 5b6967fae0f3dd96b79f6d6fe9659d5dd0100a31 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 5 Feb 2020 14:03:42 +0100
Subject: [PATCH] Adds test for SMB EICAR file

---
 tests/smb-eicar-file/README.md | 12 ++++++++++++
 tests/smb-eicar-file/input.pcap | Bin 0 -> 4479 bytes
 tests/smb-eicar-file/test.rules | 1 +
 tests/smb-eicar-file/test.yaml | 14 ++++++++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 tests/smb-eicar-file/README.md
 create mode 100644 tests/smb-eicar-file/input.pcap
 create mode 100644 tests/smb-eicar-file/test.rules
 create mode 100644 tests/smb-eicar-file/test.yaml

diff --git a/tests/smb-eicar-file/README.md b/tests/smb-eicar-file/README.md
new file mode 100644
index 000000000..4ac0b29d7
--- /dev/null
+++ b/tests/smb-eicar-file/README.md
@@ -0,0 +1,12 @@
+# Description
+
+Test SMB EICAR file rule.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared forlder public wihtout needed authentication)
+Command is
+`smbclient //192.168.1.3/public/ -U % -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
diff --git a/tests/smb-eicar-file/input.pcap b/tests/smb-eicar-file/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e97b433c4805aa28ce91c18d15fabcf6aff5a4b0 GIT binary patch literal 4479 zc-qZadrVVT82|2VX|MHxC}?r&DsurOV0nmOETgs{oj^NU-$p57j5GM2b2=jeiSPHT zQ#U{}vt>)|9%eppBI;(0f3dkZXZ&Z;EK78{Oy^_c?mORYYkNJEEc<8o=G=4dx##@O z_xpXnb9&+X3!k@&poQm$7M9{Q@x-{^y%$G1TiWKV`TKUpRZxU=iDoBYt)L09jr!QNcz$Nf5Lm!(54&1qfEak2fu_ zgW}z!inkhZ1FrsXyRlQ@?U*9LQ-pY`!qMat&aZ);3@7dzE{+jyH|-@(U(4=_3Cq}> z(RLZ4jxL$1Lm;|rrpgk}RA<#BldH-(vC3Lu%FZ%_SmCf$Io-}uPw2IqwdZnQ`*7Vb$jb-ydYM3g71}S*<*#toRytJO2jXb z;0y+OhM%QR`~xUU4XP{!^r@#(Tt-vkieWTvU04YpUx|cXpvggatyP(Z9e@2S)Gxg8 z;O5IWuL&1r7zYWrEw}uIvnL%e?r{I~XMTKjnogIY6XN2;mf_~1Ekn#kodKV^5 z93F9RU{vy#@XaCA2FmHD0Hyryc6OP+b-#USuBM($Cx{lI)RD+O$efd4=2U zqOnO0QVkoM7KCTDP63UF$*>3(z$(0VgBR+c2CoXwqX#AE!fssxFZIGb|3H@dZ;PT+ ze?Awvc3|oUUc5rXI*8{WfOa2;r-Uh&p#!Ig7Y+!m4MJ~ogP?EG7zCj;n$-FS+V%HB zv_u>|9M1xxx4GtO+u9qZI$ncECRLsmGsD;JwHY^7dW@sKPgOzkOK@N_~hC*sz zfmvfcz4)dUTe4v+p81gbpHT84ix8L_wj7ekG-RB})gzGW9|iW1>%UUDzQZDRJVDn# zY-*vzT#4y=NmRRjRoL}Apmn8r#gS#&B_R`Nf&-_;s3kmE-5<|tW|qxR6Y~D16NanX zk~aPAJuu^UZ~k|a%D{;tc;M2*LqivIuBj~?vS4#vXTz)*Yvk!M2_ED9W7YOJI+0ZQ z#h*yqqb+)kbUe|gp5DpU$h8z2*A`aA$5#c{NE<%%f?d$6H^;H{@xOA%hL0s&aX^K$ zCvFVvrM-1zv^!4kw1^i@p*y;oa)|6Kro&qtcgQl+LBn(a=!5v#*cne2TMovNjnNcP z&0?AbF3i~kTu~0NF%8*4ahm)Rtj3nrs(i^w6z7}%B+6HNbiOW}!dUNPz6M-srg25# zIMw-*lsNS=6hU7&Ck&+07p&uO-FtAIyMu}qI(xX~#VX~}P@0DS*405=8@Q^^CQ!1`zf&ZJw!i+Ld>2O~~tBYw1kQaCs}13tnra&efF z<0#TvM&t-jN%BS<80mwjU%0th7!cKsZEJB@im{0FZN$7j57+5jT6^qZ@qV!#;3z01 zQuu;$ig%BHFbTgeTKJ2381pVB{LEuCZhkmkA3xp{8RoNaSS$rw7vEyPPTkce==NYC zcWwu6suDt}dXFStr;>OVhTR;Qsv*1aa{`pYNmU?lkbaCFadB9xW>82?jQZ$qQ>BA` zl&a!rBKBYdPBd+dbA;>FVykOr-YnOQX=C!zT(i^1+HC1#*N!Z4*sN8VZjZInZmqIs zS}Q${DUPbi?o3aK+ml)9C@&c?vMi%)6yq~vAHYIT3TF+?^cyLaS5>KO)~B{5V=5Es z*U-4pVLm=SADs-NF@9Noo{|y!0llRZj+B!FhbSekXery0ar#asWut{0|u;qXoKCllW;72i&rxYX6(l(0>RbXDp`0ob3MbNFaZ{}4j^fs2Of zefA-ZdnHW4$EOgSE;&Ptz26)r#okpZR*F+T37I$ any any 
(msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)
diff --git a/tests/smb-eicar-file/test.yaml b/tests/smb-eicar-file/test.yaml
new file mode 100644
index 000000000..c1282b105
--- /dev/null
+++ b/tests/smb-eicar-file/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
-- 
2.47.2
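Review bot: The new test.yaml only asserts that one alert with `alert.signature_id: 1` is produced, which does not show that the EICAR payload was reassembled and handed to the file API by the SMB parser rather than matched by some other path; a second check on the eve fileinfo record would let the test catch an SMB file-tracking regression, not just a signature change. The check below assumes the fileinfo record carries `app_proto: smb` and the name used by the README's `put eicar` as `fileinfo.filename`, and that exactly one such record is emitted for the transfer — verify both against the eve output for this pcap before pinning `count: 1`. The hunk's YAML indentation appears collapsed in this view, so the nesting of the existing check cannot be confirmed from here.
```yaml
checks:
  # … unchanged: existing alert check for signature_id 1 …
  - filter:
      count: 1
      match:
        event_type: fileinfo
        app_proto: smb
        fileinfo.filename: eicar
```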