[Snort-devel] File magic rules for 2.9.6, what options are required?
kumba at ...2185...
Fri Dec 27 15:11:09 EST 2013
On 12/27/2013 1:52 PM, Hui Cao wrote:
> Hi Joshua,
> Thanks for the great feedback.
> In general, file magic rules should be relatively stable, so we just keep
> the file magic rule syntax simple in this release. Please see my comments.
> On 12/27/2013 12:10 PM, Joel Esler (jesler) wrote:
>> This is great feedback.
>> Joel Esler
>> Intelligence Lead
>> Open Source Manager
>> Vulnerability Research Team
>> Sent from my iPhone.
>>> On Dec 27, 2013, at 11:13, "Joshua Kinard" <kumba at ...2185...> wrote:
>>>> On 12/26/2013 10:16 PM, Joel Esler (jesler) wrote:
>>>> Thanks Joshua, one of the devels will get back to you.
>>> Couple of additional questions/ideas:
>>> - 'content' keyword should be a quoted string and optionally allow ASCII. I
>>> can see why the initial draft is to allow hexadecimal only, but one finds
>>> that a lot of file magics use printable ASCII. I.e., "%PDF-1." for PDF,
>>> "ELF" for Linux/Unix ELF executables, classic "MZ" for PE executables.
> Yes, this is a nice feature.
My other thought is this will match more closely the standard "content"
keyword. Equally, that could get people confused by it...
> Currently, category is used for document purpose. It can accept spaces.
Okay, I'll keep that note in mind. At least there's semi-colons to provide
a hard delimiter between the keywords.
>>> - ver: unquoted string, right? The source suggests such.
> Currently, ver is used for document purposes.
This isn't used with the 'file_type' keyword at all? The documentation for
that keyword only states that a value specified in file_type has to exist in
a file magic definition, and I was assuming that "ver" was used to select a
specific file magic rule.
E.g., Given these file magic rules:
file type:PDF; id:42; ver:1.4; group:pdf; msg:"PDF v1.4"; content:|25 50 44 46 2d 31 2e 34|; rev:1;
file type:PDF; id:43; ver:1.5; group:pdf; msg:"PDF v1.5"; content:|25 50 44 46 2d 31 2e 35|; rev:1;
Then, "file_type:PDF,1.5;" would match the second one?
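As an added example (not part of this thread and not Snort's own code), a small Python parser for the "file" rule syntax quoted above, which decodes the |hex| content and also accepts the quoted-ASCII content form Joshua proposes (an assumption here, not the 2.9.6 syntax), then matches the decoded magic at offset 0 of constructed file headers. Offset 0 is an assumption, since these rules carry no offset option, and ver is parsed but, as Hui Cao says, not used for matching.

```python
import re
# Constructed rules in the file-magic syntax quoted in the thread. The third line
# uses the quoted-ASCII content form Joshua proposes (assumed here, not 2.9.6 syntax).
RULES = """
file type:PDF; id:42; ver:1.4; group:pdf; msg:"PDF v1.4"; content:|25 50 44 46 2d 31 2e 34|; rev:1;
file type:PDF; id:43; ver:1.5; group:pdf; msg:"PDF v1.5"; content:|25 50 44 46 2d 31 2e 35|; rev:1;
file type:PE; id:44; ver:1; group:executable; msg:"PE executable (MZ)"; content:"MZ"; rev:1;
"""

# One option: key ':' then a quoted string, a |hex| block, or a bare value, then ';'.
OPTION_RE = re.compile(r'\s*(\w+):("(?:[^"\\]|\\.)*"|\|[^|]*\||[^;]*);')

def decode_content(raw):
    """Content value to bytes: |25 50 ...| hex bytes, or "ASCII" (the proposed form)."""
    if raw.startswith("|") and raw.endswith("|"):
        return bytes.fromhex(raw[1:-1])  # fromhex tolerates the spaces between bytes
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].encode("latin-1")
    raise ValueError(f"unsupported content form: {raw!r}")

def parse_rule(line):
    """Parse one 'file ...;' rule into a dict; ver is kept for reference, not matching."""
    body = line.strip()
    if not body.startswith("file "):
        raise ValueError("rule must start with the 'file' keyword")
    rule, pos = {}, len("file ")
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse option at: {body[pos:]!r}")
        key, val = m.group(1), m.group(2).strip()
        rule[key] = decode_content(val) if key == "content" else val.strip('"')
        pos = m.end()
    rule["id"] = int(rule["id"])
    return rule

def load_rules(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]

def identify(rules, data):
    # Offset 0 is an assumption: the thread's rules carry no offset option.
    return [r for r in rules if data.startswith(r["content"])]

# Constructed sample file headers: a PDF 1.5, a PE stub, and plain text.
SAMPLES = {
    "pdf15": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n",
    "exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "text": b"hello world\n",
}
```

Only the PDF 1.5 rule (id 43) matches the first sample, so both PDF rules can coexist and be told apart by their content bytes even though ver plays no part in the match.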