Snort mailing list archives
Re: Snort 3 - Custom file magic definitions
From: Y M via Snort-devel <snort-devel () lists snort org>
Date: Wed, 13 Jun 2018 12:35:57 +0000
You can do that by yourself, and it is certainly not wise sending such requests to individuals.

________________________________
From: Lawrence Belyeu <lbelyeu71 () gmail com>
Sent: Wednesday, June 13, 2018 5:44 AM
To: Y M
Subject: Re: [Snort-devel] Snort 3 - Custom file magic definitions

Please take me off this traffic. No longer using snort

On Tue, Jun 12, 2018, 12:32 PM Y M via Snort-devel <snort-devel () lists snort org> wrote:

Thank you, Michael, and pardon my lack of Lua workings. I tested the line provided and I got an odd behavior. Running against a pcap containing a PDF transfer, for each PDF alert, the LNK alert was also generated. Running against a pcap with LNK file transfer, no alerts at all. Errors no longer show up. I then tried each of the below commented lines separately, and the behavior was the same.

custom_file_magic.lua:

    custom_file_magic =
    {
        { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
          magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } }
    }

snort.lua:

    ..
    dofile(conf_dir .. '/file_magic.lua')
    dofile(conf_dir .. '/custom_file_magic.lua')
    --for k,v in ipairs(custom_file_magic) do file_magic[k] = v end
    --for k,v in ipairs(custom_file_magic) do table.insert(file_magic, v) end
    --for i=1,#custom_file_magic do file_magic[#file_magic+1] = custom_file_magic[i] end
    ..

I then wrote a Lua script (thanks to the internet) to verify the merge. The script and output are attached, which shows that the tables are, well, merged. If this is an expected Lua behavior, then you can ignore this message and I will continue to dig into this. I can provide the pcaps I am testing with if they provide any help.

Thanks.
YM

________________________________
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Michael Altizer via Snort-devel <snort-devel () lists snort org>
Sent: Monday, June 11, 2018 7:38 AM
To: snort-devel () lists snort org
Subject: Re: [Snort-devel] Snort 3 - Custom file magic definitions

On 06/10/2018 01:02 PM, Y M via Snort-devel wrote:

Hi,

What would be the best way to add custom file magic definitions without altering the original file_magic.lua? Creating a custom file and including it in snort.lua overrides the original file_magic.lua, resulting in an error parsing rules that use file types from the original file_magic.lua file. This may be a Lua artifact as I understand it.

custom_file_magic.lua:

    file_magic =
    {
        { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
          magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } }
    }

snort.lua:

    ...
    dofile(conf_dir .. '/file_magic.lua')
    dofile(conf_dir .. '/custom_file_magic.lua')
    ...

local.rules:

    alert file (msg:"PDF file in transit"; file_type:PDF; sid:9000000)
    alert file (msg:"LNK file in transit"; file_type:LNK; sid:9000001)

Output:

    ...
    ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 Invalid file_type type 'PDF'. Not found in file_rules.
    ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 invalid argument file_type: = PDF
    ...

Otherwise, detection works as expected.

    10/13-13:55:36.104000 [**] [1:9000001:0] "LNK file in transit" [**] [Priority: 0] [AppID: HTTP] {TCP} 10.10.10.2:80 -> 192.168.0.1:32641

Thanks.
YM

Simplest way to add a single element to the file_magic Lua table would probably be something like this sometime after file_magic.lua has been included:

    file_magic[#file_magic+1] =
    {
        type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
        magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } }
    }

If you want to add a lot of them, I'd probably make a separate table of them and then write a tiny bit of Lua to merge the tables.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
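The "tiny bit of Lua to merge the tables" that Michael suggests, written out as an added example (this is not code from the thread or from the Snort project). It appends each custom entry with the `file_magic[#file_magic+1]` form rather than assigning by index, which would overwrite the leading entries of the base table, and it refuses duplicate ids or type names before they reach Snort. The base `file_magic` table here is a constructed one-entry stand-in for what `file_magic.lua` defines (the PDF `id` value is illustrative, not Snort's), the function names `merge_file_magic` and `match_file_types` are this example's own, and the matcher is a deliberately simplified stand-in for Snort's file_id engine that, as an assumption of this example, treats the entries in a `magic` list as alternatives. The sample PDF and LNK headers are constructed byte strings, not captured traffic; the LNK magic is the eight bytes from the thread.

```lua
-- Added example, not Snort's own code: append a custom table of file magic
-- entries to the base file_magic table with sanity checks, then exercise the
-- merged rules against constructed file headers with a simplified matcher.

-- Stand-in for the table that dofile(conf_dir .. '/file_magic.lua') defines.
-- Constructed for this example: one PDF entry, id value illustrative only.
file_magic =
{
    { type = "PDF", id = 1, category = "PDF files", rev = 1,
      magic = { { content = "| 25 50 44 46 |", offset = 0 } } },   -- "%PDF"
}

-- The custom table from the thread, as it would come from custom_file_magic.lua.
custom_file_magic =
{
    { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
      magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } },
}

-- Turn the "| 4C 00 ... |" hex notation into a raw byte string; content
-- without the pipes is treated as literal text.
local function magic_to_bytes(content)
    local hex = content:match("^%s*|%s*(.-)%s*|%s*$")
    if not hex then return content end
    local bytes = {}
    for pair in hex:gmatch("%x%x") do
        bytes[#bytes + 1] = string.char(tonumber(pair, 16))
    end
    return table.concat(bytes)
end

-- Append every custom entry to base (the file_magic[#file_magic+1] form),
-- refusing entries whose id or type already exists and validating the magic
-- syntax up front so a typo fails at config load rather than silently never matching.
function merge_file_magic(base, custom)
    local seen_id, seen_type = {}, {}
    for _, e in ipairs(base) do
        seen_id[e.id], seen_type[e.type] = e.type, e.id
    end
    for _, e in ipairs(custom) do
        assert(e.type and e.id and e.magic and #e.magic > 0,
               "custom file_magic entry needs type, id and at least one magic")
        assert(not seen_id[e.id],
               "id " .. e.id .. " already used by type " .. tostring(seen_id[e.id]))
        assert(not seen_type[e.type], "type " .. e.type .. " already defined")
        for _, m in ipairs(e.magic) do
            assert(#magic_to_bytes(m.content) > 0, "empty magic for " .. e.type)
        end
        seen_id[e.id], seen_type[e.type] = e.type, e.id
        base[#base + 1] = e
    end
    return base
end

-- Simplified matcher standing in for Snort's file_id engine (assumption of this
-- example: the magic list is a set of alternatives, any one at its offset matches).
function match_file_types(rules, buf)
    local hits = {}
    for _, e in ipairs(rules) do
        for _, m in ipairs(e.magic) do
            local pat = magic_to_bytes(m.content)
            local off = (m.offset or 0) + 1        -- Lua strings are 1-indexed
            if buf:sub(off, off + #pat - 1) == pat then
                hits[#hits + 1] = e.type
                break
            end
        end
    end
    return hits
end

-- Constructed sample file heads (not captured traffic).
local pdf_head = "%PDF-1.7\n%" .. string.char(0xE2, 0xE3, 0xCF, 0xD3) .. "\n1 0 obj"
local lnk_head = string.char(0x4C, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00,
                             0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00)

local rules = merge_file_magic(file_magic, custom_file_magic)
assert(#rules == 2)

local pdf_hits = match_file_types(rules, pdf_head)
assert(#pdf_hits == 1 and pdf_hits[1] == "PDF")   -- the PDF head does not trip the LNK magic

local lnk_hits = match_file_types(rules, lnk_head)
assert(#lnk_hits == 1 and lnk_hits[1] == "LNK")

-- A second custom entry reusing id 1000 is rejected at merge time.
local ok = pcall(merge_file_magic, rules,
    { { type = "LNK2", id = 1000, category = "dup", rev = 1,
        magic = { { content = "| 4C |", offset = 0 } } } })
assert(not ok, "duplicate id must be rejected")
print("merged " .. #rules .. " file_magic entries; checks passed")
```

In a real snort.lua the `merge_file_magic` call would sit right after the two `dofile` lines, on the `file_magic` table that `file_magic.lua` created; the matcher and the constructed headers are only there so the merged rules can be exercised offline, and a merge that passes these checks is still worth confirming against a PDF and an LNK pcap as the thread does.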
Current thread:
- Snort 3 - Custom file magic definitions Y M via Snort-devel (Jun 10)
- Re: Snort 3 - Custom file magic definitions Ernest Russell via Snort-devel (Jun 10)
- Re: Snort 3 - Custom file magic definitions Michael Altizer via Snort-devel (Jun 10)
- Re: Snort 3 - Custom file magic definitions Y M via Snort-devel (Jun 12)
- Message not available
- Re: Snort 3 - Custom file magic definitions Y M via Snort-devel (Jun 13)
- Re: Snort 3 - Custom file magic definitions Michael Altizer via Snort-devel (Jun 13)
- Re: Snort 3 - Custom file magic definitions Y M via Snort-devel (Jun 12)