Snort mailing list archives

Re: snort3: file_id: no entry in file.log when type matched and signature/capture enabled


From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Fri, 28 Jan 2022 18:09:06 +0300

If we replace policy->signature_lookup(p, this);
with:
+            FileVerdict sverdict = policy->signature_lookup(p, this);
+            if ( verdict == FILE_VERDICT_UNKNOWN )
+               verdict = sverdict;
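
Review bot: the fallback on the "if ( verdict == FILE_VERDICT_UNKNOWN )" line keeps the type verdict whenever the type lookup set one, so the signature verdict is consulted only for files whose type rule produced no verdict; a type rule with verdict = "log" would then silence a BLOCK or REJECT coming from signature_lookup() for the same file. If the intent is only to stop an unmatched SHA from clearing the type verdict, test the signature side instead: "if ( sverdict != FILE_VERDICT_UNKNOWN ) verdict = sverdict;" keeps LOG when no SHA matched and still lets a concrete signature verdict take precedence.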

in the functions process() and finish_sig_lookup(), then we always get logging
if the type was matched; a signature mismatch can't influence this.

Fri, 28 Jan 2022 at 17:43, Meridoff <oagvozd () gmail com>:

Hello,
I have Snort 3.1.20 and found strange behavior; maybe it is a bug or a
feature.

1) If I have such a file_id rule for GIF, for example:

file_id.file_policy[1] = { when = { file_type_id = 62}, use = { verdict = "log"} }

Then in file.log I see a good log entry when a GIF file is detected:

22/01/20-12:16:39.382652  10.0.0.2:49710 -> 84.204.46.5:80, [Name: "spacer.gif"] [Verdict: Log] [Type: GIF1] [Size: 67]

2) If I have the same rule but with capture and signature enabled:

file_id.file_policy[1] = { when = { file_type_id = 62}, use = { verdict = "log", enable_file_signature = true, enable_file_capture = true} }

Then GIF files are captured successfully, but there is no information in file.log,
though the file type is obviously matched.


I've seen the code in file_api/file_lib.cc in the process() function, and here is what
we have:

1) type_lookup() is done and we have a good verdict = LOG, but file_name is not
set yet (it is set later, for example in the http inspector after process());
and because of this, log_file_event() does nothing.

2) then in process() we call signature_lookup() and the good verdict (= LOG) is
overwritten with UNKNOWN, because no SHA matched

3) then the calls to log_file_event() do nothing because the verdict was changed in
step 2 to UNKNOWN

Is it a feature or a bug?
Maybe it would be good if any "positive/making-log-entry"
(LOG/BLOCK/REJECT) verdict were not overwritten and got logged in file.log?
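
The verdict handling discussed in this thread, as an added stand-alone model (this is not Snort's code and the FilePolicy, FileContext, make_sample_policy and would_log names are assumptions made for the illustration): a type lookup keyed by file_type_id and a signature lookup keyed by a SHA-256 hex digest, the overwrite behaviour the original post describes, the type-first merge from the reply, and a signature-first merge. The three differ only in which lookup takes precedence when both return something; the sample policy uses file_type_id 62 from the thread and a constructed digest.

```cpp
// Added example, not Snort's code: a stand-alone model of how a file_id type
// verdict and signature verdict combine, showing the overwrite the thread
// describes and two ways of merging instead.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Verdict names follow Snort's spelling; the numeric values are assumed.
enum FileVerdict { FILE_VERDICT_UNKNOWN, FILE_VERDICT_LOG, FILE_VERDICT_BLOCK, FILE_VERDICT_REJECT };

// Hypothetical policy: type rules keyed by file_type_id, signature rules
// keyed by the lowercase hex SHA-256 of the captured file.
struct FilePolicy {
    std::map<uint32_t, FileVerdict> type_rules;
    std::map<std::string, FileVerdict> sig_rules;

    FileVerdict type_lookup(uint32_t type_id) const {
        auto it = type_rules.find(type_id);
        return it == type_rules.end() ? FILE_VERDICT_UNKNOWN : it->second;
    }
    FileVerdict signature_lookup(const std::string& sha256_hex) const {
        auto it = sig_rules.find(sha256_hex);
        return it == sig_rules.end() ? FILE_VERDICT_UNKNOWN : it->second;
    }
};

// A file as seen after type identification and capture (hypothetical shape).
struct FileContext { uint32_t type_id; std::string sha256_hex; };

// Behaviour described in the original post: the signature result replaces
// whatever type_lookup() produced, so an unmatched SHA turns LOG into UNKNOWN.
FileVerdict verdict_overwrite(const FilePolicy& p, const FileContext& f) {
    FileVerdict verdict = p.type_lookup(f.type_id);
    verdict = p.signature_lookup(f.sha256_hex);
    return verdict;
}

// Merge proposed in the reply: keep the type verdict and consult the
// signature verdict only when the type lookup found nothing.
FileVerdict verdict_merge_type_first(const FilePolicy& p, const FileContext& f) {
    FileVerdict verdict = p.type_lookup(f.type_id);
    FileVerdict sverdict = p.signature_lookup(f.sha256_hex);
    if (verdict == FILE_VERDICT_UNKNOWN)
        verdict = sverdict;
    return verdict;
}

// Alternative merge: a concrete signature verdict wins; an UNKNOWN signature
// verdict leaves the type verdict untouched. Differs from the type-first
// merge only when both lookups return a verdict.
FileVerdict verdict_merge_signature_first(const FilePolicy& p, const FileContext& f) {
    FileVerdict verdict = p.type_lookup(f.type_id);
    FileVerdict sverdict = p.signature_lookup(f.sha256_hex);
    if (sverdict != FILE_VERDICT_UNKNOWN)
        verdict = sverdict;
    return verdict;
}

// log_file_event() in the thread does nothing for UNKNOWN; model just that.
bool would_log(FileVerdict v) { return v != FILE_VERDICT_UNKNOWN; }

// Constructed sample digests (64 hex chars each), not real file hashes.
const std::string kBlockedSha(64, 'a');
const std::string kUnlistedSha(64, 'b');

// Sample policy: file_type_id 62 (GIF, from the thread) -> log, plus one
// signature rule that should block.
FilePolicy make_sample_policy() {
    FilePolicy p;
    p.type_rules[62] = FILE_VERDICT_LOG;
    p.sig_rules[kBlockedSha] = FILE_VERDICT_BLOCK;
    return p;
}

const char* verdict_name(FileVerdict v) {
    switch (v) {
        case FILE_VERDICT_LOG: return "Log";
        case FILE_VERDICT_BLOCK: return "Block";
        case FILE_VERDICT_REJECT: return "Reject";
        default: return "Unknown";
    }
}

int main() {
    FilePolicy policy = make_sample_policy();
    FileContext gif_unlisted{62, kUnlistedSha};   // type matched, SHA not in policy
    FileContext gif_blocked{62, kBlockedSha};     // type matched, SHA blocked
    std::cout << "overwrite, unlisted SHA:     " << verdict_name(verdict_overwrite(policy, gif_unlisted)) << "\n";
    std::cout << "type-first, unlisted SHA:    " << verdict_name(verdict_merge_type_first(policy, gif_unlisted)) << "\n";
    std::cout << "type-first, blocked SHA:     " << verdict_name(verdict_merge_type_first(policy, gif_blocked)) << "\n";
    std::cout << "signature-first, blocked SHA:" << verdict_name(verdict_merge_signature_first(policy, gif_blocked)) << "\n";
    return 0;
}
```

With the sample policy, the overwrite path yields Unknown for a GIF whose SHA is not listed, so nothing would be logged; both merges keep Log for that file. For a GIF whose SHA is listed as Block, the type-first merge still reports Log while the signature-first merge reports Block, which is the case to decide on when choosing between the two.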





_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
