[Snort-devel] Snort 3 - Custom file magic definitions

Michael Altizer mialtize at cisco.com
Mon Jun 11 00:38:00 EDT 2018


On 06/10/2018 01:02 PM, Y M via Snort-devel wrote:
> Hi,
>
> What would be the best way to add custom file magic definitions 
> without altering the original file file_magic.lua?
>
> Creating a custom file and including it in snort.lua overrides the 
> original file_magic.lua, resulting in an error parsing rules that use 
> file types from the original file_magic.lua file. This may be a Lua 
> artifact, as I understand it.
>
> custom_file_magic.lua:
> file_magic =
> {
>     { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
>       magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } }
> }
>
> snort.lua:
> ...
> dofile(conf_dir .. '/file_magic.lua')
> dofile(conf_dir .. '/custom_file_magic.lua')
> ...
>
> local.rules:
> alert file (msg:"PDF file in transit"; file_type:PDF; sid:9000000)
> alert file (msg:"LNK file in transit"; file_type:LNK; sid:9000001)
>
> Output:
> ...
> ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 Invalid 
> file_type type 'PDF'. Not found in file_rules.
> ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 invalid 
> argument file_type: = PDF
> ...
>
> Otherwise, detection works as expected.
>
> 10/13-13:55:36.104000 [**] [1:9000001:0] "LNK file in transit" [**] 
> [Priority: 0] [AppID: HTTP] {TCP} 10.10.10.2:80 -> 192.168.0.1:32641
>
> Thanks.
> YM

The simplest way to add a single element to the file_magic Lua table would 
probably be something like this, sometime after file_magic.lua has been 
included:

file_magic[#file_magic+1] =
{ type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
  magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } }

If you want to add a lot of them, I'd probably make a separate table of 
them and then write a tiny bit of Lua to merge the tables.
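As an added illustration of the "separate table plus a tiny bit of Lua to merge" approach (example code written for this page, not from the thread or the Snort project), the following could be the contents of custom_file_magic.lua. It assumes snort.lua does `dofile(conf_dir .. '/file_magic.lua')` before `dofile(conf_dir .. '/custom_file_magic.lua')`, as in the original post, so the global `file_magic` table already exists when this file runs; `custom_file_magic` and `merge_file_magic` are names chosen here.

```lua
-- custom_file_magic.lua (added example, not the project's own file).
-- Custom definitions live in their own table, so the shipped
-- file_magic.lua is never edited and survives upgrades untouched.
custom_file_magic =
{
    { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
      magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } },
}

-- Append every entry of src to dst. Refuse entries whose id or type
-- already exists, so a custom definition cannot silently collide with
-- (or shadow) a built-in one that rules reference via file_type.
local function merge_file_magic(dst, src)
    local seen_id, seen_type = {}, {}
    for _, e in ipairs(dst) do
        seen_id[e.id] = true
        seen_type[e.type] = true
    end
    for _, e in ipairs(src) do
        if seen_id[e.id] then
            error(string.format("file_magic: duplicate id %d (%s)", e.id, e.type))
        end
        if seen_type[e.type] then
            error(string.format("file_magic: duplicate type '%s'", e.type))
        end
        dst[#dst + 1] = e
        seen_id[e.id] = true
        seen_type[e.type] = true
    end
    return dst
end

-- Requires file_magic.lua to have been loaded first (global file_magic).
assert(type(file_magic) == "table", "file_magic.lua must be loaded before custom_file_magic.lua")
merge_file_magic(file_magic, custom_file_magic)
```

Because the merge appends rather than reassigns `file_magic`, rules using built-in types such as `file_type:PDF` keep resolving alongside the custom `file_type:LNK`.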