[Snort-devel] Snort 3 - Custom file magic definitions

Michael Altizer mialtize at cisco.com
Thu Jun 14 01:04:29 EDT 2018


Your Lua is fine.  You can replicate this bug just by adding multiple 
file rules for different existing file types.  We'll have to look at it 
more internally, thanks.

On 06/12/2018 01:30 PM, Y M via Snort-devel wrote:
> Thank you, Michael, and pardon my lack of Lua workings.
>
> I tested the line provided and I got an odd behavior. Running against 
> a pcap containing a PDF transfer, for each PDF alert, the LNK 
> alert was also generated. Running against a pcap with an LNK file 
> transfer, no alerts at all. Errors no longer show up.
>
> I then tried each of the below commented lines separately, and the 
> behavior was the same.
>
> custom_file_magic.lua:
>
> custom_file_magic =
> {
>     { type = "LNK", id = 1000, category = "Windows Shell Link 
> Shortcut", rev = 1,
>       magic = { { content = "| 4C 00 00 00 01 14 02 00 |",offset = 0 } } }
> }
>
> snort.lua:
> ..
> dofile(conf_dir .. '/file_magic.lua')
> dofile(conf_dir .. '/custom_file_magic.lua')
>
> --for k,v in ipairs(custom_file_magic) do file_magic[k] = v end
> --for k,v in ipairs(custom_file_magic) do table.insert(file_magic, v) end
> --for i=1,#custom_file_magic do file_magic[#file_magic+1] = 
> custom_file_magic[i] end
> ..
>
> I then wrote a Lua script (thanks to the internet) to verify the 
> merge. The script and output are attached, which shows that the tables 
> are, well, merged. If this is an expected Lua behavior, then you can 
> ignore this message and I will continue to dig into this. I can 
> provide the pcaps I am testing with if they provide any help.
>
> Thanks.
> YM
>
>
> ------------------------------------------------------------------------
> *From:* Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of 
> Michael Altizer via Snort-devel <snort-devel at lists.snort.org>
> *Sent:* Monday, June 11, 2018 7:38 AM
> *To:* snort-devel at lists.snort.org
> *Subject:* Re: [Snort-devel] Snort 3 - Custom file magic definitions
> On 06/10/2018 01:02 PM, Y M via Snort-devel wrote:
>> Hi,
>>
>> What would be the best way to add custom file magic definitions 
>> without altering the original file file_magic.lua?
>>
>> Creating a custom file and including it in snort.lua overrides the 
>> original file_magic.lua, resulting in an error parsing rules that use 
>> file types from the original file_magic.lua file. This may be a Lua 
>> artifact as I understand it.
>>
>> custom_file_magic.lua:
>> file_magic =
>> {
>>     { type = "LNK", id = 1000, category = "Windows Shell Link 
>> Shortcut", rev = 1,
>>       magic = { { content = "| 4C 00 00 00 01 14 02 00 |",offset = 0 
>> } } }
>> }
>>
>> snort.lua:
>> ...
>> dofile(conf_dir .. '/file_magic.lua')
>> dofile(conf_dir .. '/custom_file_magic.lua')
>> ...
>>
>> local.rules:
>> alert file (msg:"PDF file in transit"; file_type:PDF; sid:9000000)
>> alert file (msg:"LNK file in transit"; file_type:LNK; sid:9000001)
>>
>> Output:
>> ...
>> ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 Invalid 
>> file_type type 'PDF'. Not found in file_rules.
>> ERROR: /usr/local/snort/etc/snort/../../rules/test.rules:1 invalid 
>> argument file_type: = PDF
>> ...
>>
>> Otherwise, detection works as expected.
>>
>> 10/13-13:55:36.104000 [**] [1:9000001:0] "LNK file in transit" [**] 
>> [Priority: 0] [AppID: HTTP] {TCP} 10.10.10.2:80 -> 192.168.0.1:32641
>>
>> Thanks.
>> YM
>
> Simplest way to add a single element to the file_magic Lua table would 
> probably be something like this sometime after file_magic.lua has been 
> included:
>
> file_magic[#file_magic+1] = { type = "LNK", id = 1000, category = 
> "Windows Shell Link Shortcut", rev = 1,
>       magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 
> } } }
>
> If you want to add a lot of them, I'd probably make a separate table 
> of them and then write a tiny bit of Lua to merge the tables.
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
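The merge the thread discusses (appending a separate custom_file_magic table to the built-in file_magic table after file_magic.lua has been loaded), written out as an added example that is not from the thread or from the Snort project. The extra ingredient over the one-line merges quoted above is a collision check: a custom entry whose id or type already exists in the built-in table is rejected at config-load time, so a clash with a shipped definition surfaces as a clear error rather than as puzzling alerts. The built-in PDF entry is a constructed stand-in so the script runs on its own; in snort.lua the real table loaded from file_magic.lua is used instead. This does not address the Snort-side bug Michael mentions, only the Lua merge itself.

```lua
-- Added example, not from the thread or the Snort project.
-- Assumes snort.lua has already executed dofile(conf_dir .. '/file_magic.lua')
-- and that custom entries use the same fields as the built-in file_magic table.

-- Build a lookup from a field value (e.g. "id" or "type") to the table index.
local function index_by(tbl, field)
    local idx = {}
    for i, entry in ipairs(tbl) do
        idx[entry[field]] = i
    end
    return idx
end

-- Append each entry of `custom` to `base`, refusing duplicate ids or types.
-- Returns the number of entries added; raises an error on a collision so a
-- misconfiguration fails at load time instead of producing confusing alerts.
local function merge_file_magic(base, custom)
    local by_id = index_by(base, "id")
    local by_type = index_by(base, "type")
    local added = 0
    for _, entry in ipairs(custom) do
        assert(type(entry.type) == "string" and type(entry.id) == "number",
               "custom file_magic entry needs a string 'type' and a numeric 'id'")
        assert(type(entry.magic) == "table" and #entry.magic > 0,
               "custom file_magic entry '" .. entry.type .. "' has no magic patterns")
        if by_id[entry.id] then
            error(string.format("file_magic id %d already used by type '%s'",
                                entry.id, base[by_id[entry.id]].type))
        end
        if by_type[entry.type] then
            error(string.format("file_magic type '%s' already defined (id %d)",
                                entry.type, base[by_type[entry.type]].id))
        end
        base[#base + 1] = entry
        by_id[entry.id] = #base
        by_type[entry.type] = #base
        added = added + 1
    end
    return added
end

-- Constructed stand-in for the built-in table so the script runs stand-alone.
-- The id is a placeholder, not Snort's real id for PDF; "%PDF" is the PDF header.
file_magic = file_magic or
{
    { type = "PDF", id = 1, category = "Document", rev = 1,
      magic = { { content = "| 25 50 44 46 |", offset = 0 } } },
}

-- The LNK definition from the thread, kept in its own table as suggested.
custom_file_magic =
{
    { type = "LNK", id = 1000, category = "Windows Shell Link Shortcut", rev = 1,
      magic = { { content = "| 4C 00 00 00 01 14 02 00 |", offset = 0 } } },
}

local n = merge_file_magic(file_magic, custom_file_magic)
print(string.format("merged %d custom definition(s); file_magic now has %d entries",
                    n, #file_magic))
for i, entry in ipairs(file_magic) do
    print(i, entry.type, entry.id, entry.magic[1].content)
end
```

In snort.lua the two `dofile` calls stay as they are; only the merge call follows them, and the stand-in `file_magic` block is unnecessary because the real table already exists by then. Re-running the merge (for example by sourcing the custom file twice) trips the duplicate check, which is the intended behaviour: an entry should enter the table exactly once.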


