[Snort-devel] Snort 3 - Custom file magic definitions

Ernest Russell ernestrrussell at gmail.com
Sun Jun 10 16:04:45 EDT 2018


unsubscribe

On Sun, Jun 10, 2018 at 1:02 PM, Y M via Snort-devel <
snort-devel at lists.snort.org> wrote:

> Hi,
>
> What would be the best way to add custom file magic definitions without
> altering the original file file_magic.lua?
>
> Creating a custom file and including it in snort.lua overrides the
> original file_magic.lua, resulting in an error parsing rules that use file
> types from the original file_magic.lua file. This may be a Lua artifact, as I
> understand it.
>
> custom_file_magic.lua:
> file_magic =
> {
>     { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut",
> rev = 1,
>       magic = { { content = "| 4C 00 00 00 01 14 02 00 |",offset = 0 } } }
> }
>
> snort.lua:
> ...
> dofile(conf_dir .. '/file_magic.lua')
> dofile(conf_dir .. '/custom_file_magic.lua')
> ...
>
> local.rules:
> alert file (msg:"PDF file in transit"; file_type:PDF; sid:9000000)
> alert file (msg:"LNK file in transit"; file_type:LNK; sid:9000001)
>
> Output:
> ...
> ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 Invalid
> file_type type 'PDF'. Not found in file_rules.
> ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 invalid
> argument file_type: = PDF
> ...
>
> Otherwise, detection works as expected.
>
> 10/13-13:55:36.104000 [**] [1:9000001:0] "LNK file in transit" [**]
> [Priority: 0] [AppID: HTTP] {TCP} 10.10.10.2:80 -> 192.168.0.1:32641
>
> Thanks.
> YM
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>


-- 
V/R,
Ernest
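The override described in the quoted question comes from the second dofile re-assigning the global `file_magic` table, which discards the stock entries (PDF included). An added example, not part of the thread or of the Snort distribution, showing a custom_file_magic.lua that appends to the table already loaded by file_magic.lua instead; the duplicate-id check is an added safeguard, and the file assumes snort.lua still runs `dofile(conf_dir .. '/file_magic.lua')` before it:

```lua
-- custom_file_magic.lua (added example, not shipped with Snort)
-- Loaded from snort.lua AFTER file_magic.lua:
--   dofile(conf_dir .. '/file_magic.lua')
--   dofile(conf_dir .. '/custom_file_magic.lua')
--
-- Writing `file_magic = { ... }` here would replace the global table
-- and drop every stock type, so rules using file_type:PDF fail to parse.
-- Appending to the existing table keeps both the stock and custom types.

file_magic = file_magic or {}   -- fall back to an empty table if loaded alone

-- Entries to add; same shape as the stock file_magic.lua records.
local custom_entries =
{
    { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
      magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } },
}

-- Added check (assumption): refuse to register an id that a stock entry
-- already uses, so a custom type cannot silently shadow an existing one.
local ids_in_use = {}
for _, entry in ipairs(file_magic) do
    ids_in_use[entry.id] = entry.type
end

for _, entry in ipairs(custom_entries) do
    if ids_in_use[entry.id] ~= nil then
        error(string.format(
            "custom_file_magic.lua: id %d for type %s already used by type %s",
            entry.id, entry.type, ids_in_use[entry.id]))
    end
    table.insert(file_magic, entry)
    ids_in_use[entry.id] = entry.type
end
```

With this layout, `file_type:PDF` continues to resolve against the stock table while `file_type:LNK` resolves against the appended entry.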

