Snort mailing list archives

Re: snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy


From: "Nihal Desai (nihdesai) via Snort-devel" <snort-devel () lists snort org>
Date: Thu, 26 Nov 2020 07:23:50 +0000

Hi,

Could you please share full config and pcap along with build info?
Not able to repro this at the moment.


file_id = {
     enable_type = true,
     enable_signature = true,
     enable_capture = true,
     file_rules = file_magic,
     file_policy =
     {
         { when = { file_type_id =  62 }, use = { verdict = "log" } },
         { when = { file_type_id =  63 }, use = { verdict = "log" } },
     }
}

--
V/r
Nihal N. Desai

From: Snort-devel <snort-devel-bounces () lists snort org>
Date: Wednesday, November 25, 2020 at 11:10 AM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy
Hello,
I'm trying to use file_log to log results of my file_policy rules.

In my config: enable_file_type, enable_file_signature and enable_file_capture are all true for my rules, and globally
enable_type/enable_signature = true.

Example of my rule:
file_id.file_policy =
{
    { when = { file_type_id = 62 },
      use = { verdict = "log", enable_file_type = true, enable_file_signature = true, enable_file_capture = true } }
}

Then all works fine - the files specified in the rule are captured as SHA-named files.

But the problem is this: in file.log I see entries for the logged files with their SHA and other correct info, except for
the Verdict field: the verdict in all these entries is set to Unknown.

I've debugged some and found that when both type and signature are enabled for a rule, and we for example find a known
and good type (for example GIF), then during the signature processing step for this file we cannot match on the
signature, because it is not specified in the rule, and our good verdict = FILE_VERDICT_LOG (obtained earlier during file
type processing) is reset/overwritten to FILE_VERDICT_UNKNOWN in the signature processing phase.

Is it normal? My rule is matched but I have Unknown verdict.

Maybe support a 2nd verdict variable for the verdict obtained in the type phase, and then in file_log log the entry with
the better verdict value (from the signature or type phase). Or another solution.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
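As an added illustration, not Snort 3 source and not code from either poster, here is a small Python model of the two-phase verdict flow the original message describes: the type phase matches a rule on file_type_id and yields "log", then the signature phase looks up only sha256, finds no rule, and its "unknown" result overwrites the earlier verdict. The second function implements the poster's suggestion of keeping the verdict from each phase and logging the better one. The rule shape mirrors the file_policy entries quoted above; the verdict ranking and the sample SHA-256 value are assumptions constructed for the example.

```python
"""Model of the file_policy verdict flow described in the thread.

Constructed example: the phase split and the "keep the better verdict" fix
follow the poster's description, not Snort 3's implementation. The ranking
below is an assumption so that "better" has a definite meaning.
"""

UNKNOWN = "unknown"
LOG = "log"

# Assumed ranking: any explicit decision outranks "unknown". Other verdict
# strings a real policy might use would slot in here with higher ranks.
RANK = {UNKNOWN: 0, LOG: 1}

# Constructed placeholder hash, not a real file's digest.
SAMPLE_SHA = "ab" * 32

# Mirrors the rule quoted in the original message: match on type only.
POLICY_TYPE_ONLY = [
    {"when": {"file_type_id": 62}, "use": {"verdict": LOG}},
    {"when": {"file_type_id": 63}, "use": {"verdict": LOG}},
]

# Same policy with a sha256-keyed rule added, to show why the subject line
# says the problem appears only when when.sha256 is absent.
POLICY_WITH_SHA = POLICY_TYPE_ONLY + [
    {"when": {"sha256": SAMPLE_SHA}, "use": {"verdict": LOG}},
]


def match_rules(policy, **ctx):
    """Return the verdict of the first rule whose every `when` key is present
    in ctx with the same value; UNKNOWN when no rule matches."""
    for rule in policy:
        when = rule["when"]
        if all(key in ctx and ctx[key] == value for key, value in when.items()):
            return rule["use"]["verdict"]
    return UNKNOWN


def verdict_as_reported(policy, file_type_id, sha256):
    """Flow the poster describes: the signature phase is keyed on sha256 only
    and its result replaces the type-phase verdict, so LOG becomes UNKNOWN
    whenever the matching rule carries no sha256."""
    type_verdict = match_rules(policy, file_type_id=file_type_id)
    sig_verdict = match_rules(policy, sha256=sha256)
    return sig_verdict if type_verdict else sig_verdict  # type_verdict is discarded


def verdict_keep_better(policy, file_type_id, sha256):
    """Poster's suggestion: keep both phase verdicts and report the better one,
    so a type-phase LOG survives a signature phase that matched nothing."""
    type_verdict = match_rules(policy, file_type_id=file_type_id)
    sig_verdict = match_rules(policy, sha256=sha256)
    return max(type_verdict, sig_verdict, key=RANK.__getitem__)


def file_log_entry(policy, file_type_id, sha256, resolver=verdict_keep_better):
    """Build the fields of a file.log-style record using the chosen resolver."""
    return {
        "file_type_id": file_type_id,
        "sha256": sha256,
        "verdict": resolver(policy, file_type_id, sha256),
    }


if __name__ == "__main__":
    # GIF-typed file (type id 62 in the quoted rule) with no sha256 rule.
    print(file_log_entry(POLICY_TYPE_ONLY, 62, SAMPLE_SHA, verdict_as_reported))
    print(file_log_entry(POLICY_TYPE_ONLY, 62, SAMPLE_SHA))
```

Running the module prints the same file with the two resolvers: the first record shows the "unknown" verdict the poster sees in file.log, the second shows "log" once the type-phase verdict is retained.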
