[Snort-devel] File magic rules for 2.9.6, what options are required?

Joshua Kinard kumba at ...2185...
Fri Dec 27 15:11:09 EST 2013


On 12/27/2013 1:52 PM, Hui Cao wrote:
> Hi Joshua,
> 
> Thanks for the great feedback.
> 
> In general, file magic rules should be relatively stable, so we just keep 
> the file magic rule syntax simple in this release. Please see my comments 
> inline.
> 
> Best,
> Hui.
> 
> 
> On 12/27/2013 12:10 PM, Joel Esler (jesler) wrote:
>> This is great feedback.
>>
>> --
>> Joel Esler
>> Intelligence Lead
>> Open Source Manager
>> Vulnerability Research Team
>>
>> Sent from my iPhone.
>>
>>> On Dec 27, 2013, at 11:13, "Joshua Kinard" <kumba at ...2185...> wrote:
>>>
>>>> On 12/26/2013 10:16 PM, Joel Esler (jesler) wrote:
>>>> Thanks Joshua, one of the devels will get back to you.
>>> Couple of additional questions/ideas:
>>>
>>> - 'content' keyword should be a quoted string and optionally allow ASCII.  I
>>> can see why the initial draft is to allow hexadecimal only, but one finds
>>> that a lot of file magics use printable ASCII.  E.g., "%PDF-1." for PDF,
>>> "ELF" for Linux/Unix ELF executables, classic "MZ" for PE executables.
> Yes, this is a nice feature.

My other thought is this will match more closely the standard "content"
keyword.  Equally, that could get people confused by it...


> Currently, category is used for documentation purposes.  It can accept spaces.

Okay, I'll keep that note in mind.  At least there's semi-colons to provide
a hard delimiter between the keywords.


>>> - ver: unquoted string, right?  The source suggests such.
> Currently, ver is used for documentation purposes.

This isn't used with the 'file_type' keyword at all?  The documentation for
that keyword only states that a value specified in file_type has to exist in
a file magic definition, and I was assuming that "ver" was used to select a
specific file magic rule.

E.g., Given these file magic rules:
file type:PDF; id:42; ver:1.4; group:pdf; msg:"PDF v1.4"; content:|25 50 44 46 2d 31 2e 34|; rev:1;
file type:PDF; id:43; ver:1.5; group:pdf; msg:"PDF v1.5"; content:|25 50 44 46 2d 31 2e 35|; rev:1;

Then, "file_type:PDF,1.5;" would match the second one?


--J
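To make the question above concrete, here is a small parser and matcher for the file magic rule syntax quoted in the thread (type, id, ver, group, msg, content, rev). It is example code written for this archive page, not Snort's own implementation. It assumes keywords are semicolon-terminated, that the content bytes are compared at file offset 0 (the quoted rules give no offset), and it also accepts a quoted ASCII content value, which is the proposal from the thread rather than documented 2.9.6 behaviour.

```python
import re

# Two rules exactly as quoted in the post (constructed sample input).
RULES = """\
file type:PDF; id:42; ver:1.4; group:pdf; msg:"PDF v1.4"; content:|25 50 44 46 2d 31 2e 34|; rev:1;
file type:PDF; id:43; ver:1.5; group:pdf; msg:"PDF v1.5"; content:|25 50 44 46 2d 31 2e 35|; rev:1;
"""

# keyword:value; where value is a quoted string, |hex bytes|, or bare text.
KEYWORD_RE = re.compile(r'\s*(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|\|[^|]*\||[^;]*);')


def parse_rule(line):
    """Parse one 'file ...;' rule into a dict; content becomes bytes."""
    line = line.strip()
    if not line.startswith("file "):
        raise ValueError("not a file magic rule: %r" % line)
    rule = {}
    for key, raw in KEYWORD_RE.findall(line[len("file "):]):
        if raw.startswith("|") and raw.endswith("|"):
            rule[key] = bytes.fromhex(raw[1:-1])        # |25 50 44 46| -> b"%PDF"
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
            # ASCII content is the thread's proposal, not 2.9.6 syntax (assumption).
            rule[key] = value.encode("ascii") if key == "content" else value
        else:
            rule[key] = raw.strip()
    return rule


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def match_file(rules, data):
    """Rules whose magic bytes appear at offset 0 of data (assumed offset)."""
    return [r for r in rules if data.startswith(r["content"])]


def file_type_matches(rules, data, spec):
    """Emulate file_type:<type>[,<ver>] so we can answer 'which rule matches?'."""
    want_type, _, want_ver = spec.partition(",")
    want_type, want_ver = want_type.strip(), want_ver.strip()
    return [r for r in match_file(rules, data)
            if r["type"] == want_type and (not want_ver or r.get("ver") == want_ver)]


if __name__ == "__main__":
    rules = parse_rules(RULES)
    header = b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n"          # constructed PDF 1.5 header
    print([r["msg"] for r in file_type_matches(rules, header, "PDF,1.5")])
```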