Snort mailing list archives
Re: snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy
From: "Nihal Desai (nihdesai) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 26 Nov 2020 07:23:50 +0000
Hi,

Could you please share full config and pcap along with build info? Not able to repro this at the moment.

file_id =
{
    enable_type = true,
    enable_signature = true,
    enable_capture = true,
    file_rules = file_magic,
    file_policy =
    {
        { when = { file_type_id = 62 }, use = { verdict = "log" } },
        { when = { file_type_id = 63 }, use = { verdict = "log" } },
    }
}

--
V/r
Nihal N. Desai

From: Snort-devel <snort-devel-bounces () lists snort org>
Date: Wednesday, November 25, 2020 at 11:10 AM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy

Hello,

I'm trying to use file_log to log the results of my file_policy rules. In my config, enable_file_type, enable_file_signature and enable_file_capture are all true for my rules, and globally enable_type/enable_signature = true. Example of my rule:

file_id.file_policy =
{
    { when = { file_type_id = 62 }, use = { verdict = "log", enable_file_type = true, enable_file_signature = true, enable_file_capture = true } }
}

Then all works fine - files specified in the rule are captured as SHA-named files. But the problem is this: in file.log I see entries for the logged files with their sha and other correct info, except the field Verdict: the verdict in all these entries is set to Unknown.

I've debugged some and found that when both type and signature are enabled for a rule, and we for example found a known and good type (for example GIF), then during the step of processing the signature for this file we can not match on signature, because it is not specified in the rule, and our good verdict = FILE_VERDICT_LOG (which we got earlier in file type processing) is reset/rewritten to FILE_VERDICT_UNKNOWN in the signature processing phase. Is it normal? My rule is matched but I have Unknown verdict. Maybe support a 2nd verdict variable for the verdict that we got in the type phase, and then in file_log log the entry with the better verdict value (from the signature or type phase). Or another solution.
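The behaviour described in the thread, modelled as a small added C++ example (it is not Snort's code and makes no claim about Snort's actual file_id implementation): a type-phase lookup followed by a signature-phase lookup, once with the signature result overwriting the type result, and once with the two phase verdicts kept separately and the stronger one reported. The `Verdict` ranking, the rule/file structs, the `sample_policy` entries and the digest strings are all constructed for the example; the type id 62 and the "log" verdict come from the thread.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Verdict ranks, constructed for this example (not Snort's enum):
// a higher value is a more decisive outcome, Unknown is the weakest.
enum class Verdict { Unknown = 0, Log = 1, Block = 2 };

const char* verdict_name(Verdict v) {
    switch (v) {
        case Verdict::Log:   return "Log";
        case Verdict::Block: return "Block";
        default:             return "Unknown";
    }
}

// One file_policy entry: the "when" conditions plus the "use" verdict.
struct Rule {
    int file_type_id;      // -1 means no type condition
    std::string sha256;    // empty means no hash condition
    Verdict verdict;
};

struct FileInfo {
    int type_id;           // detected file type
    std::string sha256;    // digest of the captured file
};

// Phase 1 (type): rules without a sha256 condition are decided here.
Verdict type_phase(const std::vector<Rule>& policy, const FileInfo& f) {
    for (const Rule& r : policy)
        if (r.sha256.empty() && r.file_type_id == f.type_id)
            return r.verdict;
    return Verdict::Unknown;
}

// Phase 2 (signature): rules with a sha256 condition are decided here;
// a rule carrying both conditions must match both (assumption of this model).
Verdict signature_phase(const std::vector<Rule>& policy, const FileInfo& f) {
    for (const Rule& r : policy)
        if (!r.sha256.empty() && r.sha256 == f.sha256 &&
            (r.file_type_id < 0 || r.file_type_id == f.type_id))
            return r.verdict;
    return Verdict::Unknown;
}

// Behaviour the report describes: the signature phase's result replaces
// whatever the type phase produced, so a type-only rule ends as Unknown.
Verdict verdict_overwrite(const std::vector<Rule>& policy, const FileInfo& f) {
    Verdict v = type_phase(policy, f);
    v = signature_phase(policy, f);   // Unknown when no sha256 rule matches
    return v;
}

// The suggestion from the thread: keep both phase verdicts and log the
// stronger one, so a type match survives an unmatched signature phase.
Verdict verdict_merged(const std::vector<Rule>& policy, const FileInfo& f) {
    Verdict by_type = type_phase(policy, f);
    Verdict by_sig  = signature_phase(policy, f);
    return by_sig > by_type ? by_sig : by_type;
}

// Constructed sample policy: a type-only rule for type 62 (the thread's
// example) and one hash rule whose digest is a placeholder, not a real IoC.
std::vector<Rule> sample_policy() {
    return {
        { 62, "", Verdict::Log },
        { -1, "placeholder-digest-of-blocked-file", Verdict::Block },
    };
}

// Constructed files: a type-62 file with no hash rule, and one whose
// digest matches the placeholder hash rule.
FileInfo sample_gif()     { return { 62, "constructed-digest-of-some-gif" }; }
FileInfo sample_flagged() { return { 62, "placeholder-digest-of-blocked-file" }; }

int main() {
    for (const FileInfo& f : { sample_gif(), sample_flagged() }) {
        std::cout << "type=" << f.type_id
                  << " overwrite=" << verdict_name(verdict_overwrite(sample_policy(), f))
                  << " merged="    << verdict_name(verdict_merged(sample_policy(), f))
                  << '\n';
    }
    return 0;
}
```

For the type-62 file with no matching hash rule, `verdict_overwrite` yields Unknown (the file.log symptom in the report) while `verdict_merged` keeps Log; when a hash rule does match, both paths return its verdict, so merging only changes the case where the signature phase had nothing to say.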
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy Rdtsc via Snort-devel (Nov 25)
- Re: snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy Nihal Desai (nihdesai) via Snort-devel (Nov 25)