Snort mailing list archives
snort3: file_id: no entry in file.log when type matched and signature/capture enabled
From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Fri, 28 Jan 2022 17:43:08 +0300
Hello, I have snort 3.1.20 and found strange behavior, maybe it is a bug or a feature.

1) If I have such a file_id rule for GIF, for example:

    file_id.file_policy[1] = { when = { file_type_id = 62 }, use = { verdict = "log" } }

Then in file.log I see a good log entry when a GIF file is detected:

    22/01/20-12:16:39.382652 10.0.0.2:49710 -> 84.204.46.5:80, [Name: "spacer.gif"] [Verdict: Log] [Type: GIF1] [Size: 67]

2) If I have the same rule but with capture and signature enabled:

    file_id.file_policy[1] = { when = { file_type_id = 62 }, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true } }

Then GIF files are captured successfully, but there is no information in file.log, though the file type is obviously matched.

I've seen the code in file_api/file_lib.cc in the process() function and here is what we have:

1) doing type_lookup() we get a good verdict = LOG, but file_name is not set yet (it is set, for example, in the http inspector after process()); and because of this log_file_event() does nothing.
2) then in process() we call signature_lookup() and the good verdict (= LOG) is rewritten by UNKNOWN, because no SHA matched.
3) then the calls to log_file_event() do nothing because the verdict was changed in step 2 to UNKNOWN.

Is it a feature or a bug? Maybe it would be good if any "positive/making-log-entry" (LOG/BLOCK/REJECT) verdict would not be rewritten and would be logged in file.log?...
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
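The verdict flow the post describes, reduced to a runnable C++ model (added here; this is not Snort's file_lib.cc, and the struct, the helper names and the keep_positive switch are assumptions made for illustration):

```cpp
#include <string>
#include <vector>

// Simplified model of the flow described in the post; the names follow the
// post, but the types and signatures are invented for this example.
enum class Verdict { UNKNOWN, LOG, BLOCK, REJECT };

struct FileCtx {
    std::string name;                  // filled in by the inspector after process()
    bool type_matched = false;         // file_type_id hit a file_policy entry
    bool sha_matched = false;          // SHA found in the signature list
    Verdict verdict = Verdict::UNKNOWN;
    std::vector<std::string> file_log; // stands in for file.log
};

static bool positive(Verdict v) {
    return v == Verdict::LOG || v == Verdict::BLOCK || v == Verdict::REJECT;
}

// Writes an entry only when a logging verdict and a file name are both present.
static void log_file_event(FileCtx& f) {
    if (!positive(f.verdict) || f.name.empty()) return;
    f.file_log.push_back(f.name + " [Verdict: Log]");
}

static Verdict type_lookup(const FileCtx& f) { return f.type_matched ? Verdict::LOG : Verdict::UNKNOWN; }
static Verdict signature_lookup(const FileCtx& f) { return f.sha_matched ? Verdict::LOG : Verdict::UNKNOWN; }

// keep_positive = false reproduces the overwrite the post describes;
// keep_positive = true is the behaviour the post proposes.
static void process(FileCtx& f, bool signature_enabled, bool keep_positive) {
    f.verdict = type_lookup(f);
    log_file_event(f);                 // no name yet, so nothing is written
    if (signature_enabled) {
        Verdict sig = signature_lookup(f);
        if (!(keep_positive && positive(f.verdict)))
            f.verdict = sig;           // LOG becomes UNKNOWN when no SHA matched
        log_file_event(f);
    }
}

// Returns the number of file.log entries produced for one GIF with no SHA match.
static int run(bool signature_enabled, bool keep_positive) {
    FileCtx f;
    f.type_matched = true;             // file_type_id = 62 matched
    process(f, signature_enabled, keep_positive);
    f.name = "spacer.gif";             // inspector sets the name afterwards
    log_file_event(f);                 // last chance to log this file
    return static_cast<int>(f.file_log.size());
}
```

run(true, false) returning 0 is the missing file.log entry from the post; run(true, true) shows the entry surviving once a positive verdict is not overwritten.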