Snort mailing list archives
Re: Snort 3 - Custom file magic definitions
From: Michael Altizer via Snort-devel <snort-devel () lists snort org>
Date: Mon, 11 Jun 2018 00:38:00 -0400
On 06/10/2018 01:02 PM, Y M via Snort-devel wrote:
Hi,

What would be the best way to add custom file magic definitions without altering the original file file_magic.lua? Creating a custom file and including it in snort.lua overrides the original file_magic.lua, resulting in an error parsing rules that use file types from the original file_magic.lua file. This may be a Lua artifact as I understand it.

custom_file_magic.lua:

    file_magic =
    {
        { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
          magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } }
    }

snort.lua:

    ...
    dofile(conf_dir .. '/file_magic.lua')
    dofile(conf_dir .. '/custom_file_magic.lua')
    ...

local.rules:

    alert file (msg:"PDF file in transit"; file_type:PDF; sid:9000000)
    alert file (msg:"LNK file in transit"; file_type:LNK; sid:9000001)

Output:

    ...ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 Invalid file_type type 'PDF'. Not found in file_rules.
    ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 invalid argument file_type: = PDF...

Otherwise, detection works as expected.

    10/13-13:55:36.104000 [**] [1:9000001:0] "LNK file in transit" [**] [Priority: 0] [AppID: HTTP] {TCP} 10.10.10.2:80 -> 192.168.0.1:32641

Thanks.
YM
Simplest way to add a single element to the file_magic Lua table would probably be something like this sometime after file_magic.lua has been included:
    file_magic[#file_magic+1] = { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
        magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } }

If you want to add a lot of them, I'd probably make a separate table of them and then write a tiny bit of Lua to merge the tables.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
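The "separate table plus a bit of Lua to merge" approach from the reply above, written out as an added example (this is not code from the thread or from the Snort project). It assumes Snort 3's file_magic.lua defines a global table `file_magic` whose entries carry the fields `type`, `id`, `category`, `rev` and `magic`, as the original post shows, and that type names and ids are meant to be unique across entries; the second custom entry (`EXAMPLE_CUSTOM`, id 1001) and the helper `merge_file_magic` are hypothetical. The key difference from the original post's custom_file_magic.lua is that the custom file returns its table instead of assigning to `file_magic`, so it can never shadow the stock definitions, and the merge refuses clashes at load time rather than letting a later duplicate silently win.

```lua
-- snort.lua (relevant part). Added example, not Snort's own configuration.
--
-- custom_file_magic.lua is assumed to contain only a return statement, e.g.:
--
--   return
--   {
--       { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
--         magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } },
--       -- hypothetical second entry, present only to show a multi-entry merge
--       { type = "EXAMPLE_CUSTOM", id = 1001, category = "Hypothetical type", rev = 1,
--         magic = { { content = "| DE AD BE EF |", offset = 0 } } },
--   }

-- Load the stock definitions first; this populates the global `file_magic`.
dofile(conf_dir .. '/file_magic.lua')

-- dofile() returns whatever the chunk returns, so the custom table lands in a
-- local and never touches the global that the stock rules depend on.
local custom_file_magic = dofile(conf_dir .. '/custom_file_magic.lua')

-- Append every custom entry to `base`, rejecting duplicates up front. A
-- duplicate type name would make file_type:X ambiguous; a duplicate id would
-- collide with a stock entry. Failing at config load is the safe outcome
-- (assumption: ids and type names are unique in file_magic.lua).
local function merge_file_magic(base, extra)
    local by_type, by_id = {}, {}
    for _, entry in ipairs(base) do
        by_type[entry.type] = entry
        by_id[entry.id] = entry
    end
    for _, entry in ipairs(extra) do
        assert(entry.type and entry.id and entry.magic,
            "custom file_magic entry is missing type, id or magic")
        local clash = by_type[entry.type] or by_id[entry.id]
        if clash then
            error(string.format(
                "custom file_magic entry %s/%d clashes with existing %s/%d",
                entry.type, entry.id, clash.type, clash.id))
        end
        base[#base + 1] = entry
        by_type[entry.type] = entry
        by_id[entry.id] = entry
    end
    return base
end

merge_file_magic(file_magic, custom_file_magic)
```

After the merge, both `file_type:PDF` (from the stock table) and `file_type:LNK` (from the custom table) resolve, which is what the original post's setup broke. Check it before deploying by loading the configuration together with the rules file, for example `snort -c snort.lua -R local.rules -T`: a clash or a malformed custom entry then surfaces as a load-time error instead of a silently missing file type.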
Current thread:
- Snort 3 - Custom file magic definitions Y M via Snort-devel (Jun 10)
- Re: Snort 3 - Custom file magic definitions Ernest Russell via Snort-devel (Jun 10)
- Re: Snort 3 - Custom file magic definitions Michael Altizer via Snort-devel (Jun 10)
- Re: Snort 3 - Custom file magic definitions Y M via Snort-devel (Jun 12)
- Re: Snort 3 - Custom file magic definitions Y M via Snort-devel (Jun 13)
- Re: Snort 3 - Custom file magic definitions Michael Altizer via Snort-devel (Jun 13)
- Re: Snort 3 - Custom file magic definitions Y M via Snort-devel (Jun 12)