Does Suricata perform the disassembly of a virus detected over a network? If yes, does it use this disassembly for the matching?
Hi,
I’m not sure if I understand the question so let me restate:
Can Suricata detect a “virus” inside of one or more network packets?
The answer is “yes” if the definition of the virus can be expressed as a Suricata rule. Note that Suricata loads rules written by the community and individuals. Here, “community” can mean commercial offerings from Proofpoint, Secureworks and similar; “free” rules from Proofpoint or similar, or other rule sources.
If you have a pcap with the virus and a packet viewing tool (e.g., Wireshark) and enough knowledge of the virus, its attack vector, targets, etc., a set of rules (one or more) could theoretically be put together to catch the virus.
You should note that Suricata is not a “virus scanner” – it’s a general purpose network engine used for network monitoring, IDS or IPS functions and does not provide its own set of signatures (rules).
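A sketch of what "expressed as a Suricata rule" can look like, added here as an illustration and not taken from the original answer: the first rule matches a byte pattern observed in a downloaded file, the second matches a file against a hash list. The byte pattern, the hash-list file name, the message text and the sid values are constructed placeholders; the rules assume HTTP parsing and response-body file inspection are enabled in suricata.yaml.

```suricata
# Added example, not from the original post. Pattern, hash-list file name
# and sid values below are placeholders, not real indicators.

# 1. Content-based detection. file.data is the reassembled file body carried in
#    the HTTP response; the "MZ" check at offset 0 selects Windows executables and
#    the second content stands in for a distinctive string seen in the pcap.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Suspected malware download (content match)"; flow:established,to_client; file.data; content:"MZ"; depth:2; content:"EXAMPLE_UNIQUE_STRING"; distance:0; classtype:trojan-activity; sid:9000001; rev:1;)

# 2. Hash-based detection. example-hashes.txt holds one SHA-256 per line and
#    lives in the rule directory; filestore keeps the matched file for analysis.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Known malware file hash (SHA-256 list)"; flow:established,to_client; filesha256:example-hashes.txt; filestore; classtype:trojan-activity; sid:9000002; rev:1;)
```

The first rule only fires if the matched bytes fall within the configured response-body inspection limit, so a pattern deep inside a large file may need that limit raised; the second needs the whole file to be seen before the hash can be compared.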