# sid 2012591, rev 5 -- retired signature: the rule line is commented out and its msg carries the "ET DELETED" prefix.
# Scope: server-to-client data on established TCP sessions, $EXTERNAL_NET -> $HOME_NET, any port.
# Content 1 (fast_pattern): a 20-byte slice of the EICAR test string; it is contained in content 2 and serves as the prefilter pattern.
# Content 2: the complete 68-byte EICAR anti-virus test string.
# Both are written as hex bytes rather than ASCII -- presumably so the rules file itself is not flagged by AV scanners; keep them hex-encoded when copying.
# Content 3 + isdataat: the two bytes "MZ", with data required to exist 76 bytes past the end of that match.
# Content 4: the DOS-stub text "This program cannot be run in DOS mode".
# No content option carries offset/depth/distance/within, so the patterns may occur anywhere in the inspected data and in any order.
# NOTE(review): "MZ" is therefore not anchored to the start of a file -- confirm this is acceptable before reusing the logic in a new signature.
# classtype is bad-unknown; background is in the two reference URLs (ISC diary entry and the EICAR test-file page).
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2012591; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)

Added 2017-08-07 21:05:45 UTC


# sid 2012591, rev 4 -- disabled copy: the rule line is commented out and the msg prefix is "ET DELETED".
# Scope: server-to-client data on established TCP sessions, $EXTERNAL_NET -> $HOME_NET, any port.
# Content 1 (fast_pattern:only): a 20-byte slice of the EICAR test string, also contained in content 2.
#   The "only" argument asks the engine to use this pattern for prefiltering alone, not as a separately evaluated option.
# Content 2: the complete 68-byte EICAR anti-virus test string (hex-encoded; keep it that way when copying).
# Content 3 + isdataat: the two bytes "MZ", with data required to exist 76 bytes past the end of that match.
# Content 4: the DOS-stub text "This program cannot be run in DOS mode".
# No content option carries offset/depth/distance/within, so the patterns may occur anywhere in the inspected data and in any order.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern:only; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2012591; rev:4;)

Added 2012-03-07 18:45:03 UTC


# sid 2012591, rev 4 -- active form of the signature, msg category "ET CURRENT_EVENTS".
# Fires when the EICAR test string and Windows-executable markers are seen together in server-to-client data
# on an established TCP session ($EXTERNAL_NET -> $HOME_NET, any port).
# Content 1 (fast_pattern:only): a 20-byte slice of the EICAR test string, also contained in content 2.
#   The "only" argument asks the engine to use this pattern for prefiltering alone, not as a separately evaluated option.
# Content 2: the complete 68-byte EICAR anti-virus test string (hex-encoded; keep it that way when copying).
# Content 3 + isdataat: the two bytes "MZ", with data required to exist 76 bytes past the end of that match.
# Content 4: the DOS-stub text "This program cannot be run in DOS mode".
# No content option carries offset/depth/distance/within, so the patterns may occur anywhere in the inspected data and in any order.
# NOTE(review): the rule does not itself check that "MZ" begins a file or that the EICAR string is embedded in it --
# triage an alert by inspecting the transferred object, not by assuming a stacked PE/EICAR file.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern:only; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2012591; rev:4;)

Added 2011-10-12 19:34:43 UTC


# sid 2012591, rev 4 -- active form of the signature, msg category "ET CURRENT_EVENTS"; classtype is placed before the references here.
# Scope: server-to-client data on established TCP sessions, $EXTERNAL_NET -> $HOME_NET, any port.
# Content 1 (fast_pattern:only): a 20-byte slice of the EICAR test string, also contained in content 2.
#   The "only" argument asks the engine to use this pattern for prefiltering alone, not as a separately evaluated option.
# Content 2: the complete 68-byte EICAR anti-virus test string (hex-encoded; keep it that way when copying).
# Content 3 + isdataat: the two bytes "MZ", with data required to exist 76 bytes past the end of that match.
# Content 4: the DOS-stub text "This program cannot be run in DOS mode".
# No content option carries offset/depth/distance/within, so the patterns may occur anywhere in the inspected data and in any order.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern:only; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; classtype:bad-unknown; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; sid:2012591; rev:4;)

Added 2011-03-28 17:33:32 UTC

