Does Suricata disassembly a virus over a network?

Does Suricata perform the disassembly of a virus detected over a network? If yes, does it use this disassembly for the matching?

Hi,
I’m not sure if I understand the question so let me restate:

Can Suricata detect a “virus” inside of one or more network packets?

The answer is “yes” if the definition of the virus can be expressed as a Suricata rule. Note that Suricata loads rules written by the community and individuals. Here, “community” can mean commercial offerings from Proofpoint, Secureworks and similar; “free” rules from Proofpoint or similar, or other rule sources.

If you have a pcap with the virus and a packet viewing tool (e.g., wireshark) and enough knowledge of the virus, it’s attack vector, targets, etc, a set of rules (one or more) could theoretically be put together to catch the virus.

You should note that Suricata is not a “virus scanner” – it’s a general purpose network engine used for network monitoring, IDS or IPS functions and does not provide its own set of signatures (rules).