Snort not seeing threats on network


#EEE#

Nov 2, 2018, 10:36:32 AM11/2/18
to security-onion
Hey guys, I've installed Security Onion and it set up Snort with my oink code included. When I use testmyids.com to generate an alert this works, but when I download an EICAR file, for example, Snort doesn't seem to generate an alert. Are there any rulesets I'm forgetting?

thanks

ledin...@gmail.com

Nov 3, 2018, 1:06:57 PM11/3/18
to security-onion
Which EICAR file are you trying to download? Maybe some of us can try and see what the result is on our systems...

ledin...@gmail.com

Nov 3, 2018, 1:13:11 PM11/3/18
to security-onion
In addition, the Snort signature I see typically used to flag EICAR is POLICY-OTHER 1:37732. I know that on my other Snort boxes we don't have this installed, and I'm pretty sure it is not installed/enabled by default on SO...

ledin...@gmail.com

Nov 3, 2018, 1:40:19 PM11/3/18
to security-onion
FYI - I went and enabled the VRT-policy-other and then attempted the test files at eicar.org. SO flagged these as expected and the alerts were seen in Squert almost instantaneously...
[Attachment: eicar-test.jpeg]

AD

Nov 5, 2018, 4:46:33 PM11/5/18
to security-onion
On Saturday, 3 November 2018 at 18:40:19 UTC+1, ledin...@gmail.com wrote:
> FYI - I went and enabled the VRT-policy-other and then attempted the test files at eicar.org. SO flagged these as expected and the alerts were seen in Squert almost instantaneously...

What exactly is the VRT-Policy-other? Is this a paid subscription?
I have downloaded the ruleset which requires an oink code, but it doesn't seem to alert on just this set.

ledin...@gmail.com

Nov 6, 2018, 2:36:51 PM11/6/18
to security-onion
So first, a quick clarification between the free and paid Snort rules: they are the same, with the former being about 30 days behind the latter.

Next, I do have a paid OINK subscription but I believe this rule is still part of the free ruleset.

Last, are you sure the rule is downloaded and active in your rules DB?

First, to verify the category is enabled, check the /etc/nsm/pulledpork/enablesid.conf file.

If the rule category is there, then you can check for the actual rule by using the following command:

grep POLICY-OTHER /etc/nsm/rules/downloaded.rules | grep 37732
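
A small POSIX shell helper that does the two checks from the post above in one go: is the category listed (uncommented) in enablesid.conf, and is the SID present and uncommented in downloaded.rules. This is an added example for this thread, not Security Onion or PulledPork code. It assumes the Security Onion paths named above as defaults, treats a category as "enabled" when an uncommented line of enablesid.conf contains its name (a simplification of PulledPork's syntax), and uses constructed sample files whose rule text is invented, not the real Talos rule.

```shell
#!/bin/sh
# Added example for this thread (not Security Onion or PulledPork code): check
# whether a Snort rule is present and uncommented in the PulledPork output file,
# and whether its category appears in enablesid.conf. Default paths are the
# Security Onion ones named in the thread; the sample files below are constructed.

# rule_status SID [RULES_FILE]
# Prints "active" (rule present and uncommented), "disabled" (present but
# commented out, e.g. by PulledPork) or "missing" (no rule with that SID).
rule_status() {
    sid="$1"
    rules="${2:-/etc/nsm/rules/downloaded.rules}"
    # First rule line carrying exactly this SID; the pipeline's status is head's,
    # so a missing file or no match simply yields an empty string.
    line=$(grep -E "sid:[[:space:]]*${sid};" "$rules" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -qE '^[[:space:]]*#'; then
        echo disabled
    else
        echo active
    fi
}

# category_enabled CATEGORY [ENABLESID_CONF]
# Exit 0 if an uncommented line of enablesid.conf mentions the category
# (case-insensitive substring match; an assumption about the file's syntax).
category_enabled() {
    category="$1"
    conf="${2:-/etc/nsm/pulledpork/enablesid.conf}"
    grep -v '^[[:space:]]*#' "$conf" 2>/dev/null | grep -qi -- "$category"
}

# write_sample_files DIR: constructed stand-ins for the two files so the checks
# can be exercised offline. The rule text is invented, not the real Talos rule.
write_sample_files() {
    dir="$1"
    cat > "$dir/enablesid.conf" <<'EOF'
# constructed enablesid.conf
policy-other
EOF
    cat > "$dir/downloaded.rules" <<'EOF'
# constructed downloaded.rules
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER constructed EICAR test rule"; flow:to_client,established; content:"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"; classtype:policy-violation; sid:37732; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER constructed disabled rule"; sid:9000001; rev:1;)
EOF
}

# check_sid SID CATEGORY [RULES_FILE] [ENABLESID_CONF]: one-line summary.
check_sid() {
    sid="$1"; category="$2"; rules="$3"; conf="$4"
    if category_enabled "$category" "$conf"; then
        cat_state=enabled
    else
        cat_state="not enabled"
    fi
    printf 'category %s: %s; sid %s: %s\n' \
        "$category" "$cat_state" "$sid" "$(rule_status "$sid" "$rules")"
}

# Demo against the constructed files. On a live sensor, run without arguments
# from a shell: check_sid 37732 policy-other
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_files "$tmp"
    check_sid 37732 policy-other "$tmp/downloaded.rules" "$tmp/enablesid.conf"
    check_sid 9000001 policy-other "$tmp/downloaded.rules" "$tmp/enablesid.conf"
    check_sid 1 policy-other "$tmp/downloaded.rules" "$tmp/enablesid.conf"
    rm -rf "$tmp"
fi
```

Run it as `sh check_sid.sh demo` to see the three outcomes (active, disabled, missing) on the constructed files; sourcing it on a sensor and calling `check_sid 37732 policy-other` reads the real files. A "missing" result means PulledPork never wrote the rule, so the category is the thing to look at; "disabled" means it was written but commented out, which is where a disablesid entry or a later modifysid pass would show up.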

Joel Esler

Nov 6, 2018, 4:56:23 PM11/6/18
to securit...@googlegroups.com
Revision: 1 SEU: 1428 Date: 2016-02-18 13:32:41


It's well over 30 days since release of that rule :)

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

AD

Nov 7, 2018, 7:18:05 AM11/7/18
to security-onion
Figured it out, thanks for all the help

AD

Nov 19, 2018, 4:38:47 AM11/19/18
to security-onion
On Saturday, 3 November 2018 at 18:40:19 UTC+1, ledin...@gmail.com wrote:
> FYI - I went and enabled the VRT-policy-other and then attempted the test files at eicar.org. SO flagged these as expected and the alerts were seen in Squert almost instantaneously...

Ledin,

Apologies for opening this topic again after all this time;
however, I still have the same problem. I enabled the vrt-policy-other and confirmed all the EICAR rules are not commented out. Throughout all this Snort still refuses to alert on downloading the EICAR files.

I confirmed through Wireshark that they were definitely downloaded to my machine.
Additionally, I was able to see the TCP stream and confirmed it was not encrypted traffic.

Is there anything I might've overlooked?
