[Snort-devel] Snort 3 - Custom file magic definitions

Y M snort at outlook.com
Sun Jun 10 13:02:31 EDT 2018


Hi,

What would be the best way to add custom file magic definitions without altering the original file file_magic.lua?

Creating a custom file and including it in snort.lua overrides the original file_magic.lua, resulting in an error parsing rules that use file types from the original file_magic.lua file. This may be a Lua artifact, as I understand it.

custom_file_magic.lua:
file_magic =
{
    { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
      magic = { { content = "| 4C 00 00 00 01 14 02 00 |",offset = 0 } } }
}

snort.lua:
...
dofile(conf_dir .. '/file_magic.lua')
dofile(conf_dir .. '/custom_file_magic.lua')
...

local.rules:
alert file (msg:"PDF file in transit"; file_type:PDF; sid:9000000)
alert file (msg:"LNK file in transit"; file_type:LNK; sid:9000001)

Output:
...
ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 Invalid file_type type 'PDF'. Not found in file_rules.
ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 invalid argument file_type: = PDF
...

Otherwise, detection works as expected.

10/13-13:55:36.104000 [**] [1:9000001:0] "LNK file in transit" [**] [Priority: 0] [AppID: HTTP] {TCP} 10.10.10.2:80 -> 192.168.0.1:32641

Thanks.
YM
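One way to keep the stock definitions while adding custom ones, shown here as an added example that is not part of the original post or of the Snort distribution: append to the existing global `file_magic` table instead of assigning a new table to it, which is what discards the stock entries such as PDF. It assumes snort.lua runs dofile on file_magic.lua before this file, in the order shown above, and that Snort reads the global `file_magic` table only after all dofile calls have completed.

```lua
-- custom_file_magic.lua (added example; not from the original post or Snort)
-- Assumes snort.lua has already run dofile(conf_dir .. '/file_magic.lua'),
-- so the global table `file_magic` exists and holds the stock definitions.
-- Writing `file_magic = { ... }` here would replace that table and drop
-- every stock entry; appending to it keeps both sets of definitions.

local custom_entries =
{
    { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
      magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } },
}

-- Fail loudly if the stock table is missing (wrong dofile order in snort.lua).
assert(type(file_magic) == "table",
       "custom_file_magic.lua must be loaded after file_magic.lua")

-- Index the ids and type names already defined so a custom entry cannot
-- silently collide with, or shadow, a stock definition.
local seen_ids, seen_types = {}, {}
for _, entry in ipairs(file_magic) do
    seen_ids[entry.id] = entry.type
    seen_types[entry.type] = entry.id
end

for _, entry in ipairs(custom_entries) do
    if seen_ids[entry.id] then
        error(string.format("file_magic id %d already used by type %s",
                            entry.id, seen_ids[entry.id]))
    end
    if seen_types[entry.type] then
        error(string.format("file_magic type %s already defined with id %d",
                            entry.type, seen_types[entry.type]))
    end
    table.insert(file_magic, entry)
    seen_ids[entry.id] = entry.type
    seen_types[entry.type] = entry.id
end
```

With this file in place of the reassigning version, the two dofile lines in snort.lua can stay exactly as listed above, and rules referencing both PDF and LNK should resolve against the same `file_magic` table.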