Re: File magic rules for 2.9.6, what options are required?

[Joshua Kinard <kumba () gentoo org>]

On 12/27/2013 1:52 PM, Hui Cao wrote:
> Hi Joshhua,
>
> Thanks for the great feedbacks.
>
> In general, file magic rule should be relative stable, so we just keep 
> file magic rule syntax simple on this release. Please see my comments 
> inline.
>
> Best,
> Hui.
>
>
> On 12/27/2013 12:10 PM, Joel Esler (jesler) wrote:
> > This is great feedback.
> >
> > --
> > Joel Esler
> > Intelligence Lead
> > Open Source Manager
> > Vulnerability Research Team
> >
> > Sent from my iPhone.
> >
> > > On Dec 27, 2013, at 11:13, "Joshua Kinard" <kumba () gentoo org> wrote:
> > >
> > > > On 12/26/2013 10:16 PM, Joel Esler (jesler) wrote:
> > > > Thanks Joshua, one of the devels will get back to you.
> > > Couple of additional questions/ideas:
> > >
> > > - 'content' keyword should be a quoted string and optionally allow ASCII.  I
> > > can see why the initial draft is to allow hexadecimal only, but one finds
> > > that a lot of file magics use printable ASCII.  I.e., "%PDF-1." for PDF,
> > > "ELF" for Linux/Unix ELF executables, classic "MZ" for PE executables.
> Yes, this is a nice feature.

My other thought is this will match more closely the standard "content"
keyword.  Equally, that could get people confused by it...


> Currently, category is used for document purpose.  It can accept spaces.

Okay, I'll keep that note in mind.  At least there's semi-colons to provide
a hard delimiter between the keywords.


> > > - ver: unquoted string, right?  The source suggests such.
> Currently, ver is used for document purpose

This isn't used with the 'file_type' keyword at all?  The documentation for
that keyword only states that a value specified in file_type has to exist in
a file magic definition, and I was assuming that "ver" was used to select a
specific file magic rule.

E.g., Given these file magic rules:
file type:PDF; id:42; ver:1.4; group:pdf; msg:"PDF v1.4"; content:|25 50 44
46 2d 31 2e 34|; rev:1;
file type:PDF; id:43; ver:1.5; group:pdf; msg:"PDF v1.5"; content:|25 50 44
46 2d 31 2e 35|; rev:1;

Then, "file_type:PDF,1.5;" would match the second one?


--J

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!