set (LUA_SCRIPTS
balanced.lua
connectivity.lua
- file_magic.lua
+ file_magic.rules
inline.lua
max_detect.lua
security.lua
+++ /dev/null
-file_magic =
-{
- { type = 'XLW', id = 1, category = 'Office Documents', msg = 'Excel spreadsheet subheader (MS Office)', rev = 1, group = 'office', magic = { { content = '| 09 08 10 00 00 06 05 00 |', offset = 512, }, }, },
- { type = 'POSIX_TAR', id = 2, category = 'Archive', msg = 'POSIX Tape Archive file', rev = 1, magic = { { content = '| 75 73 74 61 72 00 |', offset = 257, }, }, },
- { type = 'OLD_TAR', id = 3, category = 'Archive', msg = 'Pre-POSIX Tape Archive file', rev = 1, magic = { { content = '| 75 73 74 61 72 20 |', offset = 257, }, }, },
- { type = 'MOV', id = 4, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 66 72 65 65 |', offset = 4, }, }, },
- { type = 'MOV', id = 5, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 6D 6F 6F 76 |', offset = 4, }, }, },
- { type = 'MOV', id = 6, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 6D 64 61 74 |', offset = 4, }, }, },
- { type = 'MOV', id = 7, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 70 6E 6F 74 |', offset = 4, }, }, },
- { type = 'MOV', id = 8, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 |', offset = 4, }, }, },
- { type = 'LHA', id = 9, category = 'Archive', msg = 'File compressed with lha utility/algorithm (lha, lzh)', rev = 1, magic = { { content = '| 2D 6C 68 |', offset = 2, }, }, },
- { type = 'ISO', id = 10, category = 'System files', msg = 'Disc Image file based on ISO-9660 standard (iso)c', rev = 1, magic = { { content = '| 43 44 30 30 31 |', offset = 32769, }, }, },
- { type = 'ISO', id = 11, category = 'System files', msg = 'Disc Image file based on ISO-9660 standard (iso)c', rev = 1, magic = { { content = '| 43 44 30 30 31 |', offset = 34817, }, }, },
- { type = 'ISO', id = 12, category = 'System files', msg = 'Disc Image file based on ISO-9660 standard (iso)c', rev = 1, magic = { { content = '| 43 44 30 30 31 |', offset = 36865, }, }, },
- { type = 'S3M', id = 13, category = 'Multimedia', msg = 'S3M audio module format', rev = 1, group = 'audio', magic = { { content = '| 53 43 52 4d |', offset = 44, }, }, },
- { type = 'FLIC', id = 14, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|11 AF|', offset = 4, }, { content = '|40 01|', offset = 8, }, { content = '|c8 00|', offset = 10, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, },
- { type = 'FLIC', id = 15, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|12 AF|', offset = 4, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, },
- { type = 'FLIC', id = 16, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|44 AF|', offset = 4, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, },
- { type = 'FLIC', id = 17, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|30 AF|', offset = 4, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, },
- { type = 'FLIC', id = 18, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|31 AF|', offset = 4, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, },
- { type = 'MSEXE', id = 21, category = 'Executables,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'Windows/DOS executable file ', rev = 1, magic = { { content = '| 4D 5A|', offset = 0, }, }, },
- { type = 'PDF', id = 22, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, magic = { { content = '| 25 50 44 46|', offset = 0, }, }, },
- { type = 'RTF', id = 23, category = 'Office Documents,Dynamic Analysis Capable', msg = 'Rich text format word processing file ', rev = 2, magic = { { content = '| 7B 5C 72 74|', offset = 0, }, }, },
- { type = 'RIFF', id = 24, category = 'Multimedia', msg = 'Resource Interchange File Format', rev = 1, magic = { { content = '| 52 49 46 46|', offset = 0, }, }, },
- { type = 'MSCHM', id = 25, category = 'Office Documents', msg = 'Microsoft Compiled HTML Help File', rev = 1, magic = { { content = '| 49 54 53 46|', offset = 0, }, }, },
- { type = 'MSCAB', id = 26, category = 'Archive', msg = 'Microsoft Windows CAB', rev = 1, magic = { { content = '| 4D 53 43 46|', offset = 0, }, }, },
- { type = 'MSOLE2', id = 27, category = 'Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'Microsoft Object Linking and Embedding Compound File, used for office documents as well as installers', rev = 1, magic = { { content = '| D0 CF 11 E0 A1 B1 1A E1|', offset = 0, }, }, },
- { type = 'MSSZDD', id = 28, category = 'Archive', msg = 'SZDD file format', rev = 1, magic = { { content = '| 53 5A 44 44 88 F0 27 33 |', offset = 0, }, }, },
- { type = 'ZIP', id = 29, category = 'Archive', msg = 'PKZIP archive file', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, }, },
- { type = 'RAR', id = 30, category = 'Archive', msg = 'WinRAR compressed archive file', rev = 1, magic = { { content = '| 52 61 72 21 1A 07 00 |', offset = 0, }, }, },
- { type = '7Z', id = 31, category = 'Archive', msg = '7-Zip compressed file', rev = 1, magic = { { content = '| 37 7A BC AF 27 1C |', offset = 0, }, }, },
- { type = 'BZ', id = 32, category = 'Archive', msg = 'bzip2 compressed archive', rev = 1, magic = { { content = '| 42 5A 68 |', offset = 0, }, }, },
- { type = 'GZ', id = 33, category = 'Archive', msg = 'GZ', rev = 1, magic = { { content = '| 1F 8B 08 |', offset = 0, }, }, },
- { type = 'ARJ', id = 34, category = 'Archive', msg = 'Compressed archive file', rev = 1, magic = { { content = '| 60 EA 00 00 |', offset = 0, }, }, },
- { type = 'ISHIELD_MSI', id = 35, category = 'Executables', msg = 'Install Shield v5.x or 6.x compressed file', rev = 1, magic = { { content = '| 49 53 63 28 |', offset = 0, }, }, },
- { type = 'BINHEX', id = 36, category = 'Executables', msg = 'Macintosh BinHex 4 Compressed Archive', rev = 1, magic = { { content = '| 28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 |', offset = 0, }, }, },
- { type = 'MAIL', id = 37, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 46 72 6F 6D 20 20 20 |', offset = 0, }, }, },
- { type = 'MAIL', id = 38, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 46 72 6F 6D 20 3F 3F 3F |', offset = 0, }, }, },
- { type = 'MAIL', id = 39, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 46 72 6F 6D 3A 20 |', offset = 0, }, }, },
- { type = 'MAIL', id = 40, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 |', offset = 0, }, }, },
- { type = 'MAIL', id = 41, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 58 2D |', offset = 0, }, }, },
- { type = 'TNEF', id = 42, category = 'Office Documents', msg = 'Transport Neutral Encapsulation Format, an E-mail attachment format', rev = 1, magic = { { content = '| 78 9F 3E 22 |', offset = 0, }, }, },
- { type = 'BINARY_DATA', id = 43, category = 'Executables', msg = 'Universal Binary/Java Bytecode', rev = 1, magic = { { content = '| CA FE BA BE|', offset = 0, }, }, },
- { type = 'UUENCODED', id = 44, category = 'Encoded', msg = 'UUencoded file', rev = 1, magic = { { content = '| 62 65 67 69 6E |', offset = 0, }, }, },
- { type = 'SCRENC', id = 45, category = 'Encoded', msg = 'Script encoder file', rev = 1, magic = { { content = '| 23 40 7E 5E |', offset = 0, }, }, },
- { type = 'ELF', id = 46, category = 'Executables', msg = 'Executable and Linking Format executable file (Linux/Unix)', rev = 1, magic = { { content = '| 7F 45 4C 46|', offset = 0, }, }, },
- { type = 'MACHO', id = 47, category = 'Executables,Local Malware Analysis Capable', msg = 'Mach object file format ', rev = 1, magic = { { content = '| CE FA ED FE |', offset = 0, }, }, },
- { type = 'MACHO', id = 48, category = 'Executables,Local Malware Analysis Capable', msg = 'Mach object file format ', rev = 1, magic = { { content = '| CF FA ED FE |', offset = 0, }, }, },
- { type = 'MACHO', id = 49, category = 'Executables,Local Malware Analysis Capable', msg = 'Mach object file format ', rev = 1, magic = { { content = '| FE ED FA CE |', offset = 0, }, }, },
- { type = 'MACHO', id = 50, category = 'Executables,Local Malware Analysis Capable', msg = 'Mach object file format ', rev = 1, magic = { { content = '| FE ED FA CF |', offset = 0, }, }, },
- { type = 'SIS', id = 51, category = 'Archive', msg = 'Software Installation Script, an archive for Symbian OS', rev = 1, magic = { { content = '| 19 04 00 10 |', offset = 0, }, }, },
- { type = 'SWF', id = 52, category = 'Multimedia', msg = 'Flash file ', rev = 1, magic = { { content = '| 43 57 53 |', offset = 0, }, }, },
- { type = 'SWF', id = 53, category = 'Multimedia', msg = 'Flash file ', rev = 1, magic = { { content = '| 46 57 53 |', offset = 0, }, }, },
- { type = 'SWF', id = 54, category = 'Multimedia', msg = 'Flash file ', rev = 1, magic = { { content = '| 58 46 49 52|', offset = 0, }, }, },
- { type = 'CPIO_ODC', id = 55, category = 'Archive', msg = 'Archive created with the cpio utility- standard ASCII format', rev = 1, magic = { { content = '| 30 37 30 37 30 37 |', offset = 0, }, }, },
- { type = 'CPIO_NEWC', id = 56, category = 'Archive', msg = 'Archive created with the cpio utility- new ASCII (aka SVR4) format', rev = 1, magic = { { content = '| 30 37 30 37 30 31 |', offset = 0, }, }, },
- { type = 'CPIO_CRC', id = 57, category = 'Archive', msg = 'Archive created with the cpio utility- CRC format', rev = 1, magic = { { content = '| 30 37 30 37 30 32 |', offset = 0, }, }, },
- { type = 'MPEG', id = 58, category = 'Multimedia', msg = 'MPEG video file', rev = 1, group = 'video', magic = { { content = '| 00 00 01 B3|', offset = 0, }, }, },
- { type = 'MPEG', id = 59, category = 'Multimedia', msg = 'MPEG video file', rev = 1, group = 'video', magic = { { content = '| 00 00 01 BA|', offset = 0, }, }, },
- { type = 'EPS', id = 60, category = 'PDF files', msg = 'Adobe encapsulated PostScript file', rev = 1, magic = { { content = '| 25 21 50 53 2D 41 64 6F 62 65 2D |', offset = 0, }, }, },
- { type = 'RMF', id = 61, category = 'Multimedia', msg = 'RealNetworks RealMedia streaming media file', rev = 1, magic = { { content = '| 2E 52 4D 46 |', offset = 0, }, }, },
- { type = 'GIF', id = 62, category = 'Graphics', msg = 'GIF', rev = 1, group = 'multimedia', magic = { { content = '| 47 49 46 38 37 61 |', offset = 0, }, }, },
- { type = 'GIF', id = 63, category = 'Graphics', msg = 'GIF', rev = 1, group = 'multimedia', magic = { { content = '| 47 49 46 38 39 61 |', offset = 0, }, }, },
- { type = 'MP3', id = 64, category = 'Multimedia', msg = 'MPEG-1 Audio Layer 3 (MP3) audio file', rev = 1, group = 'audio', magic = { { content = '| 49 44 33 |', offset = 0, }, }, },
- { type = 'MP3', id = 65, category = 'Multimedia', msg = 'MPEG-1 Audio Layer 3 (MP3) audio file', rev = 1, group = 'audio', magic = { { content = '| FF FB |', offset = 0, }, }, },
- { type = 'OGG', id = 66, category = 'Multimedia', msg = 'Ogg Vorbis Codec compressed Multimedia file', rev = 1, group = 'audio', magic = { { content = '| 4F 67 67 53 |', offset = 0, }, }, },
- { type = 'RIFX', id = 67, category = 'Multimedia', msg = 'RIFX audio format', rev = 1, group = 'audio', magic = { { content = '| 52 49 46 58 |', offset = 0, }, }, },
- { type = 'SYMANTEC', id = 68, category = 'System files', msg = 'Symantec files', rev = 1, magic = { { content = '| 58 2D 53 79 6D 61 6E 74 65 63 2D |', offset = 0, }, }, },
- { type = 'PNG', id = 69, category = 'Graphics', msg = 'Portable Network Graphics file', rev = 1, group = 'multimedia', magic = { { content = '| 89 50 4E 47 0D 0A 1A 0A |', offset = 0, }, }, },
- { type = 'JPEG', id = 70, category = 'Graphics', msg = 'JPEG/JFIF graphics file', rev = 1, group = 'multimedia', magic = { { content = '| FF D8 FF E0 |', offset = 0, }, }, },
- { type = 'JARPACK', id = 72, category = 'Executables', msg = 'Jar pack file', rev = 1, magic = { { content = '| CA FE D0 0D |', offset = 0, }, }, },
- { type = 'JAR', id = 73, category = 'Archive', msg = 'Java archive file', rev = 3, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 4D 45 54 41 2D 49 4E 46 2F |', offset = 30, }, }, },
- { type = 'FLV', id = 74, category = 'Multimedia', msg = 'Flash video file', rev = 1, group = 'video', magic = { { content = '| 46 4C 56 01 |', offset = 0, }, }, },
- { type = 'WAV', id = 76, category = 'Multimedia', msg = 'Waveform Audio File Format', rev = 1, group = 'audio', magic = { { content = '| 62 65 61 74 |', offset = 0, }, }, },
- { type = 'WAV', id = 77, category = 'Multimedia', msg = 'Waveform Audio File Format', rev = 1, group = 'audio', magic = { { content = '| 4D 58 43 33 |', offset = 0, }, }, },
- { type = 'FFMPEG', id = 78, category = 'Multimedia', msg = 'ffmpeg Multimedia framework', rev = 1, magic = { { content = '| 34 58 4D 56 |', offset = 0, }, }, },
- { type = 'DMG', id = 79, category = 'System files', msg = 'Apple Disk Image', rev = 1, magic = { { content = '| 45 52 02 00 |', offset = 0, }, }, },
- { type = 'DMG', id = 80, category = 'System files', msg = 'Apple Disk Image', rev = 1, magic = { { content = '| 32 49 4D 47 |', offset = 0, }, }, },
- { type = 'IVR', id = 81, category = 'Multimedia', msg = 'RealPlayer video file', rev = 1, group = 'video', magic = { { content = '| 2E 52 45 43 |', offset = 0, }, }, },
- { type = 'IVR', id = 82, category = 'Multimedia', msg = 'RealPlayer video file', rev = 1, group = 'video', magic = { { content = '| 2E 52 31 4D |', offset = 0, }, }, },
- { type = 'RA', id = 83, category = 'Multimedia', msg = 'RealAudio file', rev = 1, group = 'audio', magic = { { content = '| 2E 52 4D 46 00 00 00 12 00 |', offset = 0, }, }, },
- { type = 'RA', id = 84, category = 'Multimedia', msg = 'RealAudio file', rev = 1, group = 'audio', magic = { { content = '| 2E 72 61 FD 00 |', offset = 0, }, }, },
- { type = 'VMDK', id = 85, category = 'System files', msg = 'Virtual Machine Disk', rev = 1, magic = { { content = '| 43 4F 57 44 |', offset = 0, }, }, },
- { type = 'VMDK', id = 86, category = 'System files', msg = 'Virtual Machine Disk', rev = 1, magic = { { content = '|4B 44 4D |', offset = 0, }, }, },
- { type = 'VMDK', id = 87, category = 'System files', msg = 'Virtual Machine Disk', rev = 1, magic = { { content = '| 23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F |', offset = 0, }, }, },
- { type = 'VMDK', id = 88, category = 'System files', msg = 'Virtual Machine Disk', rev = 1, magic = { { content = '| 2E 03 00 00 01 |', offset = 0, }, }, },
- { type = 'FLAC', id = 89, category = 'Multimedia', msg = 'Free Lossless Audio Codec file', rev = 1, group = 'audio', magic = { { content = '| 66 4C 61 43 00 00 00 22 |', offset = 0, }, }, },
- { type = 'S3M', id = 90, category = 'Multimedia', msg = 'S3M audio module format', rev = 1, group = 'audio', magic = { { content = '| 53 43 52 4d |', offset = 0, }, }, },
- { type = 'ASF', id = 91, category = 'Multimedia', msg = 'Microsoft Windows Media Audio/Video File ', rev = 1, group = 'audio', magic = { { content = '| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |', offset = 0, }, }, },
- { type = 'MSWORD_MAC5', id = 93, category = 'Office Documents', msg = 'Microsoft Word for Mac 5', rev = 1, group = 'office', magic = { { content = '| FE 37 00 23|', offset = 0, }, }, },
- { type = 'SYLKc', id = 94, category = 'System files', msg = 'Microsoft symbolic Link', rev = 1, magic = { { content = '| 49 44 3B 50 |', offset = 0, }, }, },
- { type = 'WP', id = 95, category = 'Office Documents', msg = 'WordPerfect text and graphics file', rev = 1, magic = { { content = '| FF 57 50 43|', offset = 0, }, }, },
- { type = 'WP', id = 96, category = 'Office Documents', msg = 'WordPerfect text and graphics file', rev = 1, magic = { { content = '| 81 CD AB|', offset = 0, }, }, },
- { type = 'TIFF', id = 97, category = 'Graphics', msg = 'Tagged Image File Format file', rev = 1, group = 'multimedia', magic = { { content = '| 49 49 2A 00|', offset = 0, }, }, },
- { type = 'TIFF', id = 98, category = 'Graphics', msg = 'Tagged Image File Format file', rev = 1, group = 'multimedia', magic = { { content = '| 49 20 49|', offset = 0, }, }, },
- { type = 'TIFF', id = 99, category = 'Graphics', msg = 'Tagged Image File Format file', rev = 1, group = 'multimedia', magic = { { content = '| 4D 4D 00 2A|', offset = 0, }, }, },
- { type = 'TIFF', id = 100, category = 'Graphics', msg = 'Tagged Image File Format file', rev = 1, group = 'multimedia', magic = { { content = '| 4D 4D 00 2B|', offset = 0, }, }, },
- { type = 'MWL', id = 101, category = 'Office Documents', msg = 'Metastock technical analysis program for traders', rev = 1, magic = { { content = '| 5b 4d 65 74 61 53 74 6f 63 6b |', offset = 0, }, }, },
- { type = 'MDB', id = 102, category = 'Office Documents', msg = 'Microsoft Access file', rev = 1, magic = { { content = '| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |', offset = 0, }, }, },
- { type = 'ACCDB', id = 103, category = 'Office Documents', msg = 'Microsoft Access 2007 file', rev = 1, magic = { { content = '| 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42|', offset = 0, }, }, },
- { type = 'MNY', id = 104, category = 'Office Documents', msg = 'Microsoft Money file', rev = 1, magic = { { content = '| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65|', offset = 0, }, }, },
- { type = 'REC', id = 105, category = 'Multimedia', msg = 'RealNetworks Realplayer REC', rev = 1, magic = { { content = '| 2e 72 65 63 00 |', offset = 0, }, }, },
- { type = 'R1M', id = 106, category = 'Multimedia', msg = 'RealNetworks Realplayer R1M', rev = 1, magic = { { content = '| 2e 72 31 6d |', offset = 0, }, }, },
- { type = 'WAB', id = 107, category = 'Office Documents', msg = 'Outlook address file', rev = 1, group = 'office', magic = { { content = '| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |', offset = 0, }, }, },
- { type = 'WAB', id = 108, category = 'Office Documents', msg = 'Outlook address file', rev = 1, group = 'office', magic = { { content = '| 81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 |', offset = 0, }, }, },
- { type = 'M3U', id = 109, category = 'Multimedia', msg = 'Multimedia playlists', rev = 1, magic = { { content = '| 23 45 58 54 4d 33 55 |', offset = 0, }, }, },
- { type = 'MKV', id = 110, category = 'Multimedia', msg = 'Matroska stream file', rev = 1, magic = { { content = '| 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61|', offset = 0, }, }, },
- { type = 'IMG_PICT', id = 111, category = 'Graphics', msg = 'ChromaGraph Graphics Card Bitmap Graphic file', rev = 1, group = 'multimedia', magic = { { content = '| 50 49 43 54 00 08 |', offset = 0, }, }, },
- { type = 'AMF', id = 112, category = 'Multimedia', msg = 'Advanced Module Format for digital music', rev = 1, group = 'audio', magic = { { content = '| 41 4d 46 |', offset = 0, }, }, },
- { type = 'WEBM', id = 113, category = 'Multimedia', msg = 'WebM audio-video format', rev = 1, group = 'audio,video', magic = { { content = '| 1A 45 DF A3|', offset = 0, }, }, },
- { type = 'MAYA', id = 114, category = 'Graphics', msg = 'Autodesk Maya', rev = 1, magic = { { content = '| 2f 2f 4d 61 79 61 |', offset = 0, }, }, },
- { type = 'MIDI', id = 115, category = 'Multimedia', msg = 'Musical Instrument Digital Interface (MIDI) sound file', rev = 1, group = 'audio', magic = { { content = '| 4D 54 68 64 |', offset = 0, }, }, },
- { type = 'PLS', id = 116, category = 'Multimedia', msg = 'multimedia playlists', rev = 1, magic = { { content = '| 5b 70 6c 61 79 6c 69 73 74 5d |', offset = 0, }, }, },
- { type = 'SMIL', id = 117, category = 'Multimedia', msg = 'Synchronized Multimedia Integration Language', rev = 1, magic = { { content = '| 3c 73 6d 69 6c 3e |', offset = 0, }, }, },
- { type = 'SAMI', id = 119, category = 'Multimedia', msg = 'Synchronized Accessible Media Interchange', rev = 1, magic = { { content = '| 3c 53 41 4d 49 |', offset = 0, }, }, },
- { type = 'NEW_OFFICE', id = 120, category = 'Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)', rev = 1, group = 'office', magic = { { content = '|50 4B 03 04 14 00 06 00|', offset = 0, }, }, },
- { type = 'DWG', id = 130, category = 'Graphics', msg = 'Autodesk AutoCAD file (dwg) ', rev = 1, magic = { { content = '| 41 43 31 30 |', offset = 0, }, }, },
- { type = 'MDI', id = 132, category = 'Office Documents', msg = 'Microsoft Document Imaging file (mdi)', rev = 1, magic = { { content = '| 45 50 |', offset = 0, }, }, },
- { type = 'PGD', id = 133, category = 'System files', msg = 'PGP disk image(PGD)', rev = 1, magic = { { content = '| 50 47 50 64 4D 41 49 4E |', offset = 0, }, }, },
- { type = 'PSD', id = 134, category = 'Graphics', msg = 'Photoshop image file (PSD)', rev = 1, magic = { { content = '|38 42 50 53 |', offset = 0, }, }, },
- { type = '9XHIVE', id = 135, category = 'System files', msg = 'Windows 9x registry hive (REG)', rev = 1, magic = { { content = '| 43 52 45 47 |', offset = 0, }, }, },
- { type = 'REG', id = 136, category = 'System files', msg = 'Windows Registry and Registry Undo files (REG)', rev = 1, magic = { { content = '| 52 45 47 45 44 49 54 |', offset = 0, }, }, },
- { type = 'WMF', id = 137, category = 'Graphics', msg = 'Windows graphics metafile ', rev = 1, magic = { { content = '| 01 00 09 00 00 03 |', offset = 0, }, }, },
- { type = 'WRI', id = 138, category = 'Office Documents', msg = 'Windows Write document file (wri) ', rev = 1, magic = { { content = '| BE 00 00 00 AB 00 00 00 00 00 00 00 00|', offset = 0, }, }, },
- { type = 'RPM', id = 139, category = 'Executables', msg = 'RedHat Package Manager file', rev = 1, magic = { { content = '| ED AB EE DB |', offset = 0, }, }, },
- { type = 'ONE', id = 140, category = 'Office Documents', msg = 'Microsoft OneNote note', rev = 1, group = 'office', magic = { { content = '| E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 |', offset = 0, }, }, },
- { type = 'MP4', id = 141, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 00 00 00 18 66 74 79 70 33 67 70 35 |', offset = 0, }, }, },
- { type = 'MP4', id = 142, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 69 73 6F 6D |', offset = 4, }, }, },
- { type = 'PCAP', id = 143, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '| D4 C3 B2 A1 |', offset = 0, }, }, },
- { type = 'PCAP', id = 144, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '|34 CD B2 A1 |', offset = 0, }, }, },
- { type = 'PCAP', id = 145, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '|A1 B2 C3 D4 |', offset = 0, }, }, },
- { type = 'PCAP', id = 146, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '|A1 B2 CD 34 |', offset = 0, }, }, },
- { type = 'PCAP', id = 147, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '|52 54 53 53 |', offset = 0, }, }, },
- { type = 'BMP', id = 148, category = 'Graphics', msg = 'Bitmap image file', rev = 1, group = 'multimedia', magic = { { content = '|42 4D |', offset = 0, }, }, },
- { type = 'ICO', id = 149, category = 'Graphics', msg = 'Windows icon file', rev = 1, magic = { { content = '| 00 00 01 00 |', offset = 0, }, }, },
- { type = 'TORRENT', id = 150, category = 'Executables', msg = 'BitTorrent File', rev = 1, magic = { { content = '| 64 38 3A 61 6E 6E 6F 75 6E 63 65 |', offset = 0, }, }, },
- { type = 'AMR', id = 151, category = 'Multimedia', msg = 'Adaptive Multi-Rate Codec File', rev = 1, magic = { { content = '| 23 21 41 4D 52|', offset = 0, }, }, },
- { type = 'SIT', id = 152, category = 'Archive', msg = 'StuffIt compressed archive', rev = 1, magic = { { content = '| 53 49 54 21 00|', offset = 0, }, }, },
- { type = 'PST', id = 153, category = 'Office Documents', msg = 'Microsoft Outlook Personal Folder File', rev = 1, group = 'office', magic = { { content = '| 21 42 44 4E |', offset = 0, }, }, },
- { type = 'HLP', id = 154, category = 'Office Documents', msg = 'Windows Help file', rev = 1, magic = { { content = '| 4C 4E 02 00 |', offset = 0, }, }, },
- { type = 'HLP', id = 155, category = 'Office Documents', msg = 'Windows Help file', rev = 1, magic = { { content = '| 3F 5F 03 00 |', offset = 0, }, }, },
- { type = 'AUTORUN', id = 156, category = 'Executables', msg = 'Windows Autorun setup file', rev = 1, magic = { { content = '| 5B 61 75 74 6F 72 75 6E 5D 0D 0A |', offset = 0, }, }, },
- { type = 'JPEG', id = 157, category = 'Graphics', msg = 'JPEG/JFIF graphics file', rev = 1, group = 'multimedia', magic = { { content = '| FF D8 FF E1 |', offset = 0, }, }, },
- { type = 'ARJ', id = 158, category = 'Archive', msg = 'Compressed archive file', rev = 1, magic = { { content = '| 60 EA |', offset = 0, }, }, },
- { type = 'MP3', id = 159, category = 'Multimedia', msg = 'MPEG-1 Audio Layer 3 (MP3) audio file', rev = 1, group = 'audio', magic = { { content = '| FF FA |', offset = 0, }, }, },
- { type = 'SIT', id = 160, category = 'Archive', msg = 'StuffIt compressed archive', rev = 1, magic = { { content = '| 53 74 75 66 66 49 74 20 |', offset = 0, }, }, },
- { type = 'NTHIVE', id = 161, category = 'System files', msg = 'Windows NT registry hive (REG)', rev = 1, magic = { { content = '| 72 65 67 66 |', offset = 0, }, }, },
- { type = 'WMF', id = 162, category = 'Graphics', msg = 'Windows graphics metafile ', rev = 1, magic = { { content = '| D7 CD C6 9A |', offset = 0, }, }, },
- { type = 'SIS', id = 163, category = 'Archive', msg = 'Software Installation Script, an archive for Symbian OS', rev = 1, magic = { { content = '| 7A 1A 20 10 |', offset = 0, }, }, },
- { type = 'WRI', id = 164, category = 'Office Documents', msg = 'Windows Write document file (wri) ', rev = 1, magic = { { content = '| 31 BE|', offset = 0, }, }, },
- { type = 'WRI', id = 165, category = 'Office Documents', msg = 'Windows Write document file (wri) ', rev = 1, magic = { { content = '| 32 BE|', offset = 0, }, }, },
- { type = 'WAV', id = 166, category = 'Multimedia', msg = 'Waveform Audio File Format', rev = 1, group = 'audio', magic = { { content = '| 52 49 46 46 |', offset = 0, }, { content = '| 57 41 56 45 66 6D 74 20 |', offset = 8, }, }, },
- { type = 'MP4', id = 167, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 6D 70 34 32 |', offset = 4, }, }, },
- { type = 'MP4', id = 168, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 33 67 70 |', offset = 4, }, }, },
- { type = 'MP4', id = 169, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 4D 53 4E 56 |', offset = 4, }, }, },
- { type = 'DICM', id = 170, category = 'Multimedia', msg = 'Digital Imaging and Communications in Medicine', rev = 1, magic = { { content = '| 44 49 43 4D |', offset = 128, }, }, },
- { type = 'ZIP_ENC', id = 171, category = 'Archive', msg = 'PKZIP encrypted archive file', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 01 |', offset = 6, }, }, },
- { type = 'EICAR', id = 273, category = 'Executables', msg = 'Standard Anti-Virus Test File', rev = 1, magic = { { content = '| 58 35 4F 21 50 25 |', offset = 0, }, }, },
- { type = 'XPS', id = 275, category = 'Office Documents', msg = 'Microsoft XML Paper Specification Document', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 46 69 78 65 64 44 6F 63 75 6D |', offset = 30, }, }, },
- { type = 'XPS', id = 277, category = 'Office Documents', msg = 'Microsoft XML Paper Specification Document', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 44 6F 63 75 6D 65 6E 74 73 2F |', offset = 30, }, }, },
- { type = 'XPS', id = 278, category = 'Office Documents', msg = 'Microsoft XML Paper Specification Document', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 4D 65 74 61 64 61 74 61 2F |', offset = 30, }, }, },
- { type = 'DMP', id = 279, category = 'System files', msg = 'Windows crash dump file', rev = 1, magic = { { content = '|4D 44 4D 50 93 A7|', offset = 0, }, }, },
- { type = 'DMP', id = 280, category = 'System files', msg = 'Windows crash dump file', rev = 1, magic = { { content = '|50 41 47 45 44 55 36 34|', offset = 0, }, }, },
- { type = 'DMP', id = 281, category = 'System files', msg = 'Windows crash dump file', rev = 1, magic = { { content = '|50 41 47 45 44 55 4D 50|', offset = 0, }, }, },
- { type = 'PDF', id = 282, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.0', magic = { { content = '| 25 50 44 46 2D 31 2E 30|', offset = 0, }, }, },
- { type = 'PDF', id = 283, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.1', magic = { { content = '| 25 50 44 46 2D 31 2E 31|', offset = 0, }, }, },
- { type = 'PDF', id = 284, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.2', magic = { { content = '| 25 50 44 46 2D 31 2E 32|', offset = 0, }, }, },
- { type = 'PDF', id = 285, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.3', magic = { { content = '| 25 50 44 46 2D 31 2E 33|', offset = 0, }, }, },
- { type = 'PDF', id = 286, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.4', magic = { { content = '| 25 50 44 46 2D 31 2E 34|', offset = 0, }, }, },
- { type = 'PDF', id = 287, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.5', magic = { { content = '| 25 50 44 46 2D 31 2E 35|', offset = 0, }, }, },
- { type = 'PDF', id = 288, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.6', magic = { { content = '| 25 50 44 46 2D 31 2E 36|', offset = 0, }, }, },
- { type = 'PDF', id = 289, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.7', magic = { { content = '| 25 50 44 46 2D 31 2E 37|', offset = 0, }, }, },
- { type = 'IntelHEX', id = 290, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 30 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 291, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 31 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 292, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 32 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 293, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 33 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 294, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 34 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 295, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 35 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 296, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 32 30 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 297, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 32 32 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 298, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 30 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 300, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 31 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 301, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 32 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 302, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 33 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 303, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 34 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 304, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 35 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 305, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 32 30 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 306, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 32 32 |', offset = 7, }, }, },
- { type = 'REG', id = 307, category = 'System files', msg = 'Windows Registry and Registry Undo files (REG)', rev = 1, magic = { { content = '| FF FE |', offset = 0, }, }, },
- { type = 'MSHTML', id = 308, category = 'Office Documents', msg = 'Proprietary layout engine for Microsoft Internet Explorer', rev = 1, magic = { { content = '| 3D 22 2D 2D 2D 2D 3D 5F |', offset = 60, }, }, },
- { type = 'VB', id = 311, category = 'System files', msg = 'Microsoft Visual Basic files, including .cs, .vb, and .vbp', rev = 1, magic = { { content = '| 54 79 70 65 3D 45 78 65 |', offset = 0, }, }, },
- { type = 'MP4', id = 313, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, magic = { { content = '| 66 74 79 70 64 61 73 68 |', offset = 4, }, }, },
- { type = 'LNK', id = 314, category = 'Executables', msg = 'Microsoft Windows Shortcut Files', rev = 1, magic = { { content = '| 4C 00 00 00 01 14 02 00 |', offset = 0, }, }, },
- { type = 'SCR', id = 315, category = 'Executables', msg = 'Microsoft Windows Shortcut Files', rev = 1, magic = { { content = '| 44 43 4E 01 |', offset = 0, }, }, },
- { type = 'SCR', id = 316, category = 'Executables', msg = 'Microsoft Windows Shortcut Files', rev = 1, magic = { { content = '| 44 43 44 01 |', offset = 0, }, }, },
- { type = 'MKV', id = 317, category = 'Multimedia', msg = 'Matroska stream file', rev = 1, magic = { { content = '| 1A 45 DF A3 01 00 00 00 00 00 00 23 42 86 81 01 |', offset = 0, }, }, },
- { type = 'JAR', id = 318, category = 'Archive', msg = 'Java archive file', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 63 6F 6E 74 65 6E 74 2F |', offset = 30, }, }, },
- { type = 'JAR', id = 319, category = 'Archive', msg = 'Java archive file', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 6F 70 74 69 6F 6E 73 2F |', offset = 30, }, }, },
- { type = 'RAR', id = 320, category = 'Archive', msg = 'WinRAR compressed archive file', rev = 1, version = '1.1', magic = { { content = '| 52 61 72 21 1A 07 01 00 |', offset = 0, }, }, },
- { type = 'ALZ', id = 321, category = 'Archive', msg = 'Archive file for Microsoft created using software ALZip', rev = 1, magic = { { content = '| 41 4C 5A 01 |', offset = 0, }, }, },
- { type = 'EGG', id = 322, category = 'Archive', msg = 'Archive File for Microsoft created using software ALZip', rev = 1, magic = { { content = '| 45 47 47 41 |', offset = 0, }, }, },
- { type = 'HWP', id = 323, category = 'Office Documents', msg = 'Hangul word processor file', rev = 1, version = '3.0', magic = { { content = '| 48 57 50 20 44 6F 63 75 6D 65 6E 74 20 46 69 6C 65 |', offset = 0, }, }, },
- { type = 'SWF', id = 324, category = 'Multimedia', msg = 'Flash file', rev = 1, magic = { { content = '| 5A 57 53 |', offset = 0}, }, },
- { type = 'PCAP', id = 325, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '| 0A 0D 0D 0A |', offset = 0, }, }, },
-}
-
-snort_whitelist_append("file_magic")
--- /dev/null
+file_id ( msg:"Excel spreadsheet subheader (MS Office)"; file_meta:type XLW, id 1, category "Office Documents", group "office"; file_data; content: "| 09 08 10 00 00 06 05 00 |", depth 8, offset 512; gid:4; sid:1023865; rev:13; )
+file_id ( msg:"POSIX Tape Archive file"; file_meta:type POSIX_TAR, id 2, category "Archive"; file_data; content: "| 75 73 74 61 72 00 20 20 |", depth 8, offset 257; gid:4; sid:1023866; rev:13; )
+file_id ( msg:"Pre-POSIX Tape Archive file"; file_meta:type OLD_TAR, id 3, category "Archive"; file_data; content: "| 75 73 74 61 72 20 |", depth 6, offset 257; gid:4; sid:1023867; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 4, category "Multimedia", group "video"; file_data; content: "| 66 72 65 65 |", depth 4, offset 4; gid:4; sid:1023868; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 5, category "Multimedia", group "video"; file_data; content: "| 6D 6F 6F 76 |", depth 4, offset 4; gid:4; sid:1023869; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 6, category "Multimedia", group "video"; file_data; content: "| 6D 64 61 74 |", depth 4, offset 4; gid:4; sid:1023870; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 7, category "Multimedia", group "video"; file_data; content: "| 70 6E 6F 74 |", depth 4, offset 4; gid:4; sid:1023871; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 8, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 |", depth 4, offset 4; gid:4; sid:1023872; rev:13; )
+file_id ( msg:"File compressed with lha utility/algorithm (lha, lzh)"; file_meta:type LHA, id 9, category "Archive"; file_data; content: "| 2D 6C 68 |", depth 3, offset 2; gid:4; sid:1023873; rev:13; )
+file_id ( msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 10, category "System files"; file_data; content: "| 43 44 30 30 31 |", depth 5, offset 32769; gid:4; sid:1023874; rev:13; )
+file_id ( msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 11, category "System files"; file_data; content: "| 43 44 30 30 31 |", depth 5, offset 34817; gid:4; sid:1023875; rev:13; )
+file_id ( msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 12, category "System files"; file_data; content: "| 43 44 30 30 31 |", depth 5, offset 36865; gid:4; sid:1023876; rev:13; )
+file_id ( msg:"S3M audio module format"; file_meta:type S3M, id 13, category "Multimedia", group "audio"; file_data; content: "| 53 43 52 4d |", depth 4, offset 44; gid:4; sid:1023877; rev:13; )
+file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 14, category "Multimedia"; file_data; content: "| 11 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1023878; rev:13; )
+file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 15, category "Multimedia"; file_data; content: "| 12 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1023879; rev:13; )
+file_id ( msg:"Windows/DOS executable file"; file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content: "| 4D 5A |", depth 2, offset 0; gid:4; sid:1023880; rev:13; )
+file_id ( msg:"PDF file"; file_meta:type PDF, id 22, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content: "| 25 50 44 46 |", depth 4, offset 0; gid:4; sid:1023881; rev:13; )
+file_id ( msg:"Rich text format word processing file"; file_meta:type RTF, id 23, category "Office Documents,Dynamic Analysis Capable"; file_data; content: "| 7B 5C 72 74 |", depth 4, offset 0; gid:4; sid:1023882; rev:13; )
+file_id ( msg:"Resource Interchange File Format"; file_meta:type RIFF, id 24, category "Multimedia"; file_data; content: "| 52 49 46 46 |", depth 4, offset 0; gid:4; sid:1023883; rev:13; )
+file_id ( msg:"Microsoft Compiled HTML Help File"; file_meta:type MSCHM, id 25, category "Office Documents"; file_data; content: "| 49 54 53 46 |", depth 4, offset 0; gid:4; sid:1023884; rev:13; )
+file_id ( msg:"Microsoft Windows CAB"; file_meta:type MSCAB, id 26, category "Archive"; file_data; content: "| 4D 53 43 46 |", depth 4, offset 0; gid:4; sid:1023885; rev:13; )
+file_id ( msg:"Microsoft Object Linking and Embedding Compound File, used for office documents as well as installers"; file_meta:type MSOLE2, id 27, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content: "| D0 CF 11 E0 A1 B1 1A E1 |", depth 8, offset 0; gid:4; sid:1023886; rev:13; )
+file_id ( msg:"SZDD file format"; file_meta:type MSSZDD, id 28, category "Archive"; file_data; content: "| 53 5A 44 44 88 F0 27 33 |", depth 8, offset 0; gid:4; sid:1023887; rev:13; )
+file_id ( msg:"PKZIP archive file"; file_meta:type ZIP, id 29, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; gid:4; sid:1023888; rev:13; )
+file_id ( msg:"WinRAR compressed archive file"; file_meta:type RAR, id 30, category "Archive"; file_data; content: "| 52 61 72 21 1A 07 00 |", depth 7, offset 0; gid:4; sid:1023889; rev:13; )
+file_id ( msg:"7-Zip compressed file"; file_meta:type 7Z, id 31, category "Archive"; file_data; content: "| 37 7A BC AF 27 1C |", depth 6, offset 0; gid:4; sid:1023890; rev:13; )
+file_id ( msg:"bzip2 compressed archive"; file_meta:type BZ, id 32, category "Archive"; file_data; content: "| 42 5A 68 |", depth 3, offset 0; gid:4; sid:1023891; rev:13; )
+file_id ( msg:"GZ"; file_meta:type GZ, id 33, category "Archive"; file_data; content: "| 1F 8B 08 |", depth 3, offset 0; gid:4; sid:1023892; rev:13; )
+file_id ( msg:"Compressed archive file"; file_meta:type ARJ, id 34, category "Archive"; file_data; content: "| 60 EA 00 00 |", depth 4, offset 0; gid:4; sid:1023893; rev:13; )
+file_id ( msg:"Install Shield v5.x or 6.x compressed file"; file_meta:type ISHIELD_MSI, id 35, category "Executables"; file_data; content: "| 49 53 63 28 |", depth 4, offset 0; gid:4; sid:1023894; rev:13; )
+file_id ( msg:"Macintosh BinHex 4 Compressed Archive"; file_meta:type BINHEX, id 36, category "Executables"; file_data; content: "| 28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 |", depth 41, offset 0; gid:4; sid:1023895; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 37, category "Office Documents"; file_data; content: "| 46 72 6F 6D 20 20 20 |", depth 7, offset 0; gid:4; sid:1023896; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 38, category "Office Documents"; file_data; content: "| 46 72 6F 6D 20 3F 3F 3F |", depth 8, offset 0; gid:4; sid:1023897; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 39, category "Office Documents"; file_data; content: "| 46 72 6F 6D 3A 20 |", depth 6, offset 0; gid:4; sid:1023898; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 40, category "Office Documents"; file_data; content: "| 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 |", depth 13, offset 0; gid:4; sid:1023899; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 41, category "Office Documents"; file_data; content: "| 58 2D |", depth 2, offset 0; gid:4; sid:1023900; rev:13; )
+file_id ( msg:"Transport Neutral Encapsulation Format, an E-mail attachment format"; file_meta:type TNEF, id 42, category "Office Documents"; file_data; content: "| 78 9F 3E 22 |", depth 4, offset 0; gid:4; sid:1023901; rev:13; )
+file_id ( msg:"Universal Binary/Java Bytecode"; file_meta:type BINARY_DATA, id 43, category "Executables"; file_data; content: "| CA FE BA BE |", depth 4, offset 0; gid:4; sid:1023902; rev:13; )
+file_id ( msg:"UUencoded file"; file_meta:type UUENCODED, id 44, category "Encoded"; file_data; content: "| 62 65 67 69 6E |", depth 5, offset 0; gid:4; sid:1023903; rev:13; )
+file_id ( msg:"Script encoder file"; file_meta:type SCRENC, id 45, category 'Encoded"; file_data; content: "| 23 40 7E 5E |", depth 4, offset 0; gid:4; sid:1023904; rev:13; )
+file_id ( msg:"Executable and Linking Format executable file (Linux/Unix)"; file_meta:type ELF, id 46, category "Executables"; file_data; content: "| 7F 45 4C 46 |", depth 4, offset 0; gid:4; sid:1023905; rev:13; )
+file_id ( msg:"Mach object file format"; file_meta:type MACHO, id 47, category "Executables"; file_data; content: "| CE FA ED FE |", depth 4, offset 0; gid:4; sid:1023906; rev:13; )
+file_id ( msg:"Mach object file format"; file_meta:type MACHO, id 48, category "Executables"; file_data; content: "| CF FA ED FE |", depth 4, offset 0; gid:4; sid:1023907; rev:13; )
+file_id ( msg:"Mach object file format"; file_meta:type MACHO, id 49, category "Executables"; file_data; content: "| FE ED FA CE |", depth 4, offset 0; gid:4; sid:1023908; rev:13; )
+file_id ( msg:"Mach object file format"; file_meta:type MACHO, id 50, category "Executables"; file_data; content: "| FE ED FA CF |", depth 4, offset 0; gid:4; sid:1023909; rev:13; )
+file_id ( msg:"Software Installation Script, an archive for Symbian OS"; file_meta:type SIS, id 51, category "Archive"; file_data; content: "| 19 04 00 10 |", depth 4, offset 0; gid:4; sid:1023910; rev:13; )
+file_id ( msg:"Flash file "; file_meta:type SWF, id 52, category "Multimedia"; file_data; content: "| 43 57 53 |", depth 3, offset 0; gid:4; sid:1023911; rev:13; )
+file_id ( msg:"Flash file "; file_meta:type SWF, id 53, category 'Multimedia"; file_data; content: "| 46 57 53 |", depth 3, offset 0; gid:4; sid:1023912; rev:13; )
+file_id ( msg:"Archive created with the cpio utility- standard ASCII format"; file_meta:type CPIO_ODC, id 55, category "Archive"; file_data; content: "| 30 37 30 37 30 37 |", depth 6, offset 0; gid:4; sid:1023913; rev:13; )
+file_id ( msg:"Archive created with the cpio utility- new ASCII (aka SVR4) format"; file_meta:type CPIO_NEWC, id 56, category "Archive"; file_data; content: "| 30 37 30 37 30 31 |", depth 6, offset 0; gid:4; sid:1023914; rev:13; )
+file_id ( msg:"Archive created with the cpio utility- CRC format"; file_meta:type CPIO_CRC, id 57, category "Archive"; file_data; content: "| 30 37 30 37 30 32 |", depth 6, offset 0; gid:4; sid:1023915; rev:13; )
+file_id ( msg:"MPEG video file"; file_meta:type MPEG, id 58, category "Multimedia", group "video"; file_data; content: "| 00 00 01 B3 |", depth 4, offset 0; gid:4; sid:1023916; rev:13; )
+file_id ( msg:"MPEG video file"; file_meta:type MPEG, id 59, category "Multimedia", group "video"; file_data; content: "| 00 00 01 BA |", depth 4, offset 0; gid:4; sid:1023917; rev:13; )
+file_id ( msg:"Adobe encapsulated PostScript file"; file_meta:type EPS, id 60, category "PDF files"; file_data; content: "| 25 21 50 53 2D 41 64 6F 62 65 2D |", depth 11, offset 0; gid:4; sid:1023918; rev:13; )
+file_id ( msg:"RealNetworks RealMedia streaming media file"; file_meta:type RMF, id 61, category "Multimedia"; file_data; content: "| 2E 52 4D 46 |", depth 4, offset 0; gid:4; sid:1023919; rev:13; )
+file_id ( msg:"GIF"; file_meta:type GIF, id 62, category "Graphics"; file_data; content: "| 47 49 46 38 37 61 |", depth 6, offset 0; gid:4; sid:1023920; rev:13; )
+file_id ( msg:"GIF"; file_meta:type GIF, id 63, category 'Graphics"; file_data; content: "| 47 49 46 38 39 61 |", depth 6, offset 0; gid:4; sid:1023921; rev:13; )
+file_id ( msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 64, category "Multimedia"; file_data; content: "| 49 44 33 |", depth 3, offset 0; gid:4; sid:1023922; rev:13; )
+file_id ( msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 65, category "Multimedia"; file_data; content: "| FF FB |", depth 2, offset 0; gid:4; sid:1023923; rev:13; )
+file_id ( msg:"Ogg Vorbis Codec compressed Multimedia file"; file_meta:type OGG, id 66, category "Multimedia"; file_data; content: "| 4F 67 67 53 |", depth 4, offset 0; gid:4; sid:1023924; rev:13; )
+file_id ( msg:"RIFX audio format"; file_meta:type RIFX, id 67, category "Multimedia", group "audio"; file_data; content: "| 52 49 46 58 |", depth 4, offset 0; gid:4; sid:1023925; rev:13; )
+file_id ( msg:"Symantec files"; file_meta:type SYMANTEC, id 68, category "System files"; file_data; content: "| 58 2D 53 79 6D 61 6E 74 65 63 2D |", depth 11, offset 0; gid:4; sid:1023926; rev:13; )
+file_id ( msg:"Portable Network Graphics file"; file_meta:type PNG, id 69, category "Graphics", group "multimedia"; file_data; content: "| 89 50 4E 47 0D 0A 1A 0A |", depth 8, offset 0; gid:4; sid:1023927; rev:13; )
+file_id ( msg:"JPEG/JFIF graphics file"; file_meta:type JPEG, id 70, category "Graphics", group "multimedia"; file_data; content: "| FF D8 FF E0 |", depth 4, offset 0; gid:4; sid:1023928; rev:13; )
+file_id ( msg:"Jar pack file"; file_meta:type JARPACK, id 72, category "Executables"; file_data; content: "| CA FE D0 0D |", depth 4, offset 0; gid:4; sid:1023929; rev:13; )
+file_id ( msg:"Java archive file"; file_meta:type JAR, id 73, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 4D 45 54 41 2D 49 4E 46 2F |", depth 9, offset 30; gid:4; sid:1023930; rev:13; )
+file_id ( msg:"Flash video file"; file_meta:type FLV, id 74, category "Multimedia", group "video"; file_data; content: "| 46 4C 56 01 |", depth 4, offset 0; gid:4; sid:1023931; rev:13; )
+file_id ( msg:"Waveform Audio File Format"; file_meta:type WAV, id 76, category "Multimedia", group "audio"; file_data; content: "| 62 65 61 74 |", depth 4, offset 0; gid:4; sid:1023932; rev:13; )
+file_id ( msg:"Waveform Audio File Format"; file_meta:type WAV, id 77, category "Multimedia", group "video"; file_data; content: "| 4D 58 43 33 |", depth 4, offset 0; gid:4; sid:1023933; rev:13; )
+file_id ( msg:"ffmpeg Multimedia framework"; file_meta:type FFMPEG, id 78, category "Multimedia"; file_data; content: "| 34 58 4D 56 |", depth 4, offset 0; gid:4; sid:1023934; rev:13; )
+file_id ( msg:"Apple Disk Image"; file_meta:type DMG, id 79, category "System files"; file_data; content: "| 45 52 02 00 |", depth 4, offset 0; gid:4; sid:1023935; rev:13; )
+file_id ( msg:"Apple Disk Image"; file_meta:type DMG, id 80, category "System files"; file_data; content: "| 32 49 4D 47 |", depth 4, offset 0; gid:4; sid:1023936; rev:13; )
+file_id ( msg:"RealPlayer video file"; file_meta:type IVR, id 81, category "Multimedia", group "video"; file_data; content: "| 2E 52 45 43 |", depth 4, offset 0; gid:4; sid:1023937; rev:13; )
+file_id ( msg:"RealPlayer video file"; file_meta:type IVR, id 82, category "Multimedia", group "video"; file_data; content: "| 2E 52 31 4D |", depth 4, offset 0; gid:4; sid:1023938; rev:13; )
+file_id ( msg:"RealAudio file"; file_meta:type RA, id 83, category "Multimedia", group "audio"; file_data; content: "| 2E 52 4D 46 00 00 00 12 00 |", depth 9, offset 0; gid:4; sid:1023939; rev:13; )
+file_id ( msg:"RealAudio file"; file_meta:type RA, id 84, category "Multimedia", group "audio"; file_data; content: "| 2E 72 61 FD 00 |", depth 5, offset 0; gid:4; sid:1023940; rev:13; )
+file_id ( msg:"Virtual Machine Disk"; file_meta:type VMDK, id 85, category "System files"; file_data; content: "| 43 4F 57 44 |", depth 4, offset 0; gid:4; sid:1023941; rev:13; )
+file_id ( msg:"Virtual Machine Disk"; file_meta:type VMDK, id 86, category "System files"; file_data; content: "|4B 44 4D |", depth 3, offset 0; gid:4; sid:1023942; rev:13; )
+file_id ( msg:"Virtual Machine Disk"; file_meta:type VMDK, id 87, category "System files"; file_data; content: "| 23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F |", depth 16, offset 0; gid:4; sid:1023943; rev:13; )
+file_id ( msg:"Virtual Machine Disk"; file_meta:type VMDK, id 88, category "System files"; file_data; content: "| 2E 03 00 00 01 |", depth 5, offset 0; gid:4; sid:1023864; rev:13; )
+file_id ( msg:"Free Lossless Audio Codec file"; file_meta:type FLAC, id 89, category "Multimedia", group "audio"; file_data; content: "| 66 4C 61 43 00 00 00 22 |", depth 8, offset 0; gid:4; sid:1023945; rev:13; )
+file_id ( msg:"S3M audio module format"; file_meta:type S3M, id 90 , category "Multimedia", group "audio"; file_data; content: "| 53 43 52 4d |", depth 4, offset 0; gid:4; sid:1023946; rev:13; )
+file_id ( msg:"Microsoft Windows Media Audio/Video File"; file_meta:type ASF, id 91, category "Multimedia", group "audio"; file_data;content: "| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |", depth 16, offset 0; gid:4; sid:1023947; rev:13; )
+file_id ( msg:"Microsoft Word for Mac 5"; file_meta:type MSWORD_MAC5, id 93, category "Office Documents", group "office"; file_data; content: "| FE 37 00 23 |", depth 4, offset 0; gid:4; sid:1023948; rev:13; )
+file_id ( msg:"Microsoft symbolic Link"; file_meta:type SYLKc, id 94, category "System files"; file_data; content: "| 49 44 3B 50 |", depth 4, offset 0; gid:4; sid:1023949; rev:13; )
+file_id ( msg:"WordPerfect text and graphics file"; file_meta:type WP, id 95, category "Office Documents"; file_data; content: "| FF 57 50 43 |", depth 4, offset 0; gid:4; sid:1023950; rev:13; )
+file_id ( msg:"WordPerfect text and graphics file"; file_meta:type WP, id 96, category "Office Documents"; file_data; content: "| 81 CD AB |", depth 3, offset 0; gid:4; sid:1023951; rev:13; )
+file_id ( msg:"Tagged Image File Format file"; file_meta:type TIFF, id 97, category "Graphics", group "multimedia"; file_data; content: "| 49 49 2A 00 |", depth 4, offset 0; gid:4; sid:1023952; rev:13; )
+file_id ( msg:"Tagged Image File Format file"; file_meta:type TIFF, id 98, category "Graphics", group "multimedia"; file_data; content: "| 49 20 49 |", depth 3, offset 0; gid:4; sid:1023953; rev:13; )
+file_id ( msg:"Tagged Image File Format file"; file_meta:type TIFF, id 99, category "Graphics", group "multimedia"; file_data; content: "| 4D 4D 00 2A |", depth 4, offset 0; gid:4; sid:1023954; rev:13; )
+file_id ( msg:"Tagged Image File Format file"; file_meta:type TIFF, id 100, category "Graphics", group "multimedia"; file_data; content: "| 4D 4D 00 2B |", depth 4, offset 0; gid:4; sid:1023955; rev:13; )
+file_id ( msg:"Metastock technical analysis program for traders"; file_meta:type MWL, id 101, category "Office Documents"; file_data; content: "| 5b 4d 65 74 61 53 74 6f 63 6b |", depth 10, offset 0; gid:4; sid:1023956; rev:13; )
+file_id ( msg:"Microsoft Access file"; file_meta:type MDB, id 102, category "Office Documents"; file_data; content: "| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |", depth 19, offset 0; gid:4; sid:1023957; rev:13; )
+file_id ( msg:"Microsoft Access 2007 file"; file_meta:type ACCDB, id 103, category "Office Documents"; file_data; content: "| 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42 |", depth 19, offset 0; gid:4; sid:1023958; rev:13; )
+file_id ( msg:"Microsoft Money file"; file_meta:type MNY, id 104, category "Office Documents"; file_data; content: "| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65 |", depth 19, offset 0; gid:4; sid:1023959; rev:13; )
+file_id ( msg:"RealNetworks Realplayer REC"; file_meta:type REC, id 105, category "Multimedia"; file_data; content: "| 2e 72 65 63 00 |", depth 5, offset 0; gid:4; sid:1023960; rev:13; )
+file_id ( msg:"RealNetworks Realplayer R1M"; file_meta:type R1M, id 106, category "Multimedia"; file_data; content: "| 2e 72 31 6d |", depth 4, offset 0; gid:4; sid:1023961; rev:13; )
+file_id ( msg:"Outlook address file"; file_meta:type WAB, id 107, category "Office Documents", group "office"; file_data; content: "| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |", depth 16, offset 0; gid:4; sid:1023962; rev:13; )
+file_id ( msg:"Outlook address file"; file_meta:type WAB, id 108, category "Office Documents", group "office"; file_data; content: "| 81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 |", depth 16, offset 0; gid:4; sid:1023963; rev:13; )
+file_id ( msg:"Multimedia playlists"; file_meta:type M3U, id 109, category "Multimedia"; file_data; content: "| 23 45 58 54 4d 33 55 |", depth 7, offset 0; gid:4; sid:1023964; rev:13; )
+file_id ( msg:"Matroska stream file"; file_meta:type MKV, id 110, category "Multimedia"; file_data; content: "| 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61 |", depth 16, offset 0; gid:4; sid:1023965; rev:13; )
+file_id ( msg:"ChromaGraph Graphics Card Bitmap Graphic file"; file_meta:type IMG_PICT, id 111, category "Graphics", group "multimedia"; file_data; content: "| 50 49 43 54 00 08 |", depth 6, offset 0; gid:4; sid:1029966; rev:13; )
+file_id ( msg:"Advanced Module Format for digital music"; file_meta:type AMF, id 112, category "Multimedia", group "audio"; file_data; content: "| 41 4d 46 |", depth 3, offset 0; gid:4; sid:1023967; rev:13; )
+file_id ( msg:"WebM audio-video format"; file_meta:type WEBM, id 113, category "Multimedia", group "audio,video"; file_data; content: "| 1A 45 DF A3 |", depth 4, offset 0; gid:4; sid:1023968; rev:13; )
+file_id ( msg:"Autodesk Maya"; file_meta:type MAYA, id 114, category "Graphics"; file_data; content: "| 2f 2f 4d 61 79 61 |", depth 6, offset 0; gid:4; sid:1023969; rev:13; )
+file_id ( msg:"Musical Instrument Digital Interface (MIDI) sound file"; file_meta:type MIDI, id 115, category "Multimedia", group "audio"; file_data; content: "| 4D 54 68 64 |", depth 4, offset 0; gid:4; sid:1023970; rev:13; )
+file_id ( msg:"multimedia playlists"; file_meta:type PLS, id 116, category "Multimedia"; file_data; content: "| 5b 70 6c 61 79 6c 69 73 74 5d |", depth 10, offset 0; gid:4; sid:1023971; rev:13; )
+file_id ( msg:"Synchronized Multimedia Integration Language"; file_meta:type SMIL, id 117, category "Multimedia"; file_data; content: "| 3c 73 6d 69 6c 3e |", depth 6, offset 0; gid:4; sid:1023972; rev:13; )
+file_id ( msg:"Synchronized Accessible Media Interchange"; file_meta:type SAMI, id 119, category "Multimedia"; file_data; content: "| 3c 53 41 4d 49 |", depth 5, offset 0; gid:4; sid:1023973; rev:13; )
+file_id ( msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 120, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content: "| 50 4B 03 04 14 00 06 00 |", depth 8, offset 0; gid:4; sid:1023974; rev:13; )
+file_id ( msg:"Autodesk AutoCAD file (dwg) "; file_meta:type DWG, id 130, category "Graphics"; file_data; content: "| 41 43 31 30 |", depth 4, offset 0; gid:4; sid:1023975; rev:13; )
+file_id ( msg:"Microsoft Document Imaging file (mdi)"; file_meta:type MDI, id 132, category "Office Documents"; file_data; content: "| 45 50 |", depth 2, offset 0; gid:4; sid:1023976; rev:13; )
+file_id ( msg:"PGP disk image(PGD)"; file_meta:type PGD, id 133, category "System files"; file_data; content: "| 50 47 50 64 4D 41 49 4E |", depth 8, offset 0; gid:4; sid:1023977; rev:13; )
+file_id ( msg:"Photoshop image file (PSD)"; file_meta:type PSD, id 134, category "Graphics"; file_data; content: "| 38 42 50 53 |", depth 4, offset 0; gid:4; sid:1023978; rev:13; )
+file_id ( msg:"Windows 9x registry hive (REG)"; file_meta:type 9XHIVE, id 135, category "System files"; file_data; content: "| 43 52 45 47 |", depth 4, offset 0; gid:4; sid:1023979; rev:13; )
+file_id ( msg:"Windows Registry and Registry Undo files (REG)"; file_meta:type REG, id 136, category "System files"; file_data; content: "| 52 45 47 45 44 49 54 |", depth 7, offset 0; gid:4; sid:1023980; rev:13; )
+file_id ( msg:"Windows graphics metafile "; file_meta:type WMF, id 137, category "Graphics"; file_data; content: "| 01 00 09 00 00 03 |", depth 6, offset 0; gid:4; sid:1023981; rev:13; )
+file_id ( msg:"Windows Write document file (wri) "; file_meta:type WRI, id 138, category "Office Documents"; file_data; content: "| BE 00 00 00 AB 00 00 00 00 00 00 00 00 |", depth 13, offset 0; gid:4; sid:1023982; rev:13; )
+file_id ( msg:"RedHat Package Manager file"; file_meta:type RPM, id 139, category "Executables"; file_data; content: "| ED AB EE DB |", depth 4, offset 0; gid:4; sid:1023983; rev:13; )
+file_id ( msg:"Microsoft OneNote note"; file_meta:type ONE, id 140, category "Office Documents", group "office"; file_data; content: "| E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 |", depth 16, offset 0; gid:4; sid:1023984; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 141, category "Multimedia", group "video"; file_data; content: "| 00 00 00 18 66 74 79 70 33 67 70 35 |", depth 12, offset 0; gid:4; sid:1023985; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 142, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 69 73 6F 6D |", depth 8, offset 4; gid:4; sid:1023986; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 143, category "System files"; file_data; content: "| D4 C3 B2 A1 |", depth 4, offset 0; gid:4; sid:1023987; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 144, category "System files"; file_data; content: "| 34 CD B2 A1 |", depth 4, offset 0; gid:4; sid:1023988; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 145, category "System files"; file_data; content: "| A1 B2 C3 D4 |", depth 4, offset 0; gid:4; sid:1023989; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 146, category "System files"; file_data; content: "| A1 B2 CD 34 |", depth 4, offset 0; gid:4; sid:1023990; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 147, category "System files"; file_data; content: "| 52 54 53 53 |", depth 4, offset 0; gid:4; sid:1023991; rev:13; )
+file_id ( msg:"Bitmap image file"; file_meta:type BMP, id 148, category "Graphics", group "multimedia"; file_data; content: "| 42 4D |", depth 2, offset 0; gid:4; sid:1023992; rev:13; )
+file_id ( msg:"Windows icon file"; file_meta:type ICO, id 149, category "Graphics"; file_data; content: "| 00 00 01 00 |", depth 4, offset 0; gid:4; sid:1023993; rev:13; )
+file_id ( msg:"BitTorrent File"; file_meta:type TORRENT, id 150, category "Executables"; file_data; content: "| 64 38 3A 61 6E 6E 6F 75 6E 63 65 |", depth 11, offset 0; gid:4; sid:1023994; rev:13; )
+file_id ( msg:"Adaptive Multi-Rate Codec File"; file_meta:type AMR, id 151, category "Multimedia"; file_data; content: "| 23 21 41 4D 52 |", depth 5, offset 0; gid:4; sid:1023995; rev:13; )
+file_id ( msg:"StuffIt compressed archive"; file_meta:type SIT, id 152, category "Archive"; file_data; content: "| 53 49 54 21 00 |", depth 5, offset 0; gid:4; sid:1023996; rev:13; )
+file_id ( msg:"Microsoft Outlook Personal Folder File"; file_meta:type PST, id 153, category "Office Documents", group "office"; file_data; content: "| 21 42 44 4E |", depth 4, offset 0; gid:4; sid:1023997; rev:13; )
+file_id ( msg:"Windows Help file"; file_meta:type HLP, id 154, category "Office Documents"; file_data; content: "| 4C 4E 02 00 |", depth 4, offset 0; gid:4; sid:1023998; rev:13; )
+file_id ( msg:"Windows Help file"; file_meta:type HLP, id 155, category "Office Documents"; file_data; content: "| 3F 5F 03 00 |", depth 4, offset 0; gid:4; sid:1023999; rev:13; )
+file_id ( msg:"Windows Autorun setup file"; file_meta:type AUTORUN, id 156, category "Executables"; file_data; content: "| 5B 61 75 74 6F 72 75 6E 5D 0D 0A |", depth 11, offset 0; gid:4; sid:1024000; rev:13; )
+file_id ( msg:"JPEG/JFIF graphics file"; file_meta:type JPEG, id 157, category "Graphics", group "multimedia"; file_data; content: "| FF D8 FF E1 |", depth 4, offset 0; gid:4; sid:1024001; rev:13; )
+file_id ( msg:"Compressed archive file"; file_meta:type ARJ, id 158, category "Archive"; file_data; content: "| 60 EA |", depth 2, offset 0; gid:4; sid:1024002; rev:13; )
+file_id ( msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 159, category "Multimedia", group "audio"; file_data; content: "| FF FA |", depth 2, offset 0; gid:4; sid:1024003; rev:13; )
+file_id ( msg:"StuffIt compressed archive"; file_meta:type SIT, id 160, category "Archive"; file_data; content: "| 53 74 75 66 66 49 74 20 |", depth 8, offset 0; gid:4; sid:1024004; rev:13; )
+file_id ( msg:"Windows graphics metafile "; file_meta:type WMF, id 162, category "Graphics"; file_data; content: "| D7 CD C6 9A |", depth 4, offset 0; gid:4; sid:1024005; rev:13; )
+file_id ( msg:"Software Installation Script, an archive for Symbian OS"; file_meta:type SIS, id 163, category "Archive"; file_data; content: "| 7A 1A 20 10 |", depth 4, offset 0; gid:4; sid:1024006; rev:13; )
+file_id ( msg:"Windows Write document file (wri) "; file_meta:type WRI, id 164, category "Office Documents"; file_data; content: "| 31 BE |", depth 2, offset 0; gid:4; sid:1024007; rev:13; )
+file_id ( msg:"Windows Write document file (wri) "; file_meta:type WRI, id 165, category "Office Documents"; file_data; content: "| 32 BE |", depth 2, offset 0; gid:4; sid:1024008; rev:13; )
+file_id ( msg:"Waveform Audio File Format"; file_meta:type WAV, id 166, category "Multimedia", group "audio"; file_data; content: "| 52 49 46 46 |", depth 4, offset 0; content: "| 57 41 56 45 66 6D 74 20 |", depth 8, offset 8; gid:4; sid:1024009; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 167, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 6D 70 34 32 |", depth 8, offset 4; gid:4; sid:1024010; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 168, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 33 67 70 |", depth 7, offset 4; gid:4; sid:1024011; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 169, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 4D 53 4E 56 |", depth 8, offset 4; gid:4; sid:1024012; rev:13; )
+file_id ( msg:"Digital Imaging and Communications in Medicine"; file_meta:type DICM, id 170, category "Multimedia"; file_data; content: "| 44 49 43 4D |", depth 4, offset 128; gid:4; sid:1024013; rev:13; )
+file_id ( msg:"PKZIP encrypted archive file"; file_meta:type ZIP_ENC, id 171, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 01 |", depth 1, offset 6; gid:4; sid:1024014; rev:13; )
+file_id ( msg:"Standard Anti-Virus Test File"; file_meta:type EICAR, id 273, category "Executables"; file_data; content: "| 58 35 4F 21 50 25 |", depth 6, offset 0; gid:4; sid:1024015; rev:13; )
+file_id ( msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 275, category "Office Documents"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 46 69 78 65 64 44 6F 63 75 6D |", depth 10, offset 30; gid:4; sid:1024016; rev:13; )
+file_id ( msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 277, category "Office Documents"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 44 6F 63 75 6D 65 6E 74 73 2F |", depth 10, offset 30; gid:4; sid:1024017; rev:13; )
+file_id ( msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 278, category "Office Documents"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 4D 65 74 61 64 61 74 61 2F |", depth 9, offset 30; gid:4; sid:1024018; rev:13; )
+file_id ( msg:"Windows crash dump file"; file_meta:type DMP, id 279, category "System files"; file_data; content: "| 4D 44 4D 50 93 A7 |", depth 6, offset 0; gid:4; sid:1024019; rev:13; )
+file_id ( msg:"Windows crash dump file"; file_meta:type DMP, id 280, category "System files"; file_data; content: "| 50 41 47 45 44 55 36 34 |", depth 8, offset 0; gid:4; sid:104020; rev:13; )
+file_id ( msg:"Windows crash dump file"; file_meta:type DMP, id 281, category "System files"; file_data; content: "| 50 41 47 45 44 55 4D 50 |", depth 8, offset 0; gid:4; sid:1024021; rev:13; )
+file_id ( msg:"PDF file "; file_meta:type PDF, id 282, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.0"; file_data; content: "| 25 50 44 46 2D 31 2E 30 |", depth 8, offset 0; gid:4; sid:1024022; rev:13; )
+file_id ( msg:"PDF file "; file_meta:type PDF, id 283, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.1"; file_data; content: "| 25 50 44 46 2D 31 2E 31 |", depth 8, offset 0; gid:4; sid:1024023; rev:13; )
+file_id ( msg:"PDF file "; file_meta:type PDF, id 284, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.2"; file_data; content: "| 25 50 44 46 2D 31 2E 32 |", depth 8, offset 0; gid:4; sid:1024024; rev:13; )
+file_id ( msg:"PDF file "; file_meta:type PDF, id 285, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.3"; file_data; content: "| 25 50 44 46 2D 31 2E 33 |", depth 8, offset 0; gid:4; sid:1024025; rev:13; )
+file_id ( msg:"PDF file "; file_meta:type PDF, id 286, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.4"; file_data; content: "| 25 50 44 46 2D 31 2E 34 |", depth 8, offset 0; gid:4; sid:1024026; rev:13; )
+file_id ( msg:"PDF file "; file_meta:type PDF, id 287, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.5"; file_data; content: "| 25 50 44 46 2D 31 2E 35 |", depth 8, offset 0; gid:4; sid:1024027; rev:13; )
+file_id ( msg:"PDF file "; file_meta:type PDF, id 288, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.6"; file_data; content: "| 25 50 44 46 2D 31 2E 36 |", depth 8, offset 0; gid:4; sid:1024028; rev:13; )
+file_id ( msg:"PDF file "; file_meta:type PDF, id 289, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.7"; file_data; content: "| 25 50 44 46 2D 31 2E 37 |", depth 8, offset 0;gid:4; sid:1024029; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 290, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 30 |", depth 2, offset 7; gid:4; sid:1024030; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 291, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 31 |", depth 2, offset 7; gid:4; sid:1024031; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 292, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 32 |", depth 2, offset 7; gid:4; sid:1024032; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 293, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 33 |", depth 2, offset 7; gid:4; sid:1024033; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 294, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 34 |", depth 2, offset 7; gid:4; sid:1024034; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 295, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 35 |", depth 2, offset 7; gid:4; sid:1024035; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 296, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 32 30 |", depth 2, offset 7; gid:4; sid:1024036; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 297, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 32 32 |", depth 2, offset 7; gid:4; sid:1024037; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 298, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 30 |", depth 2, offset 7; gid:4; sid:1024038; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 300, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 31 |", depth 2, offset 7; gid:4; sid:1024039; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 301, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 32 |", depth 2, offset 7; gid:4; sid:1024040; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 302, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 33 |", depth 2, offset 7; gid:4; sid:1024041; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 303, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 34 |", depth 2, offset 7; gid:4; sid:1024042; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 304, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 35 |", depth 2, offset 7; gid:4; sid:1024043; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 306, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 32 32 |", depth 2, offset 7; gid:4; sid:1024044; rev:13; )
+file_id ( msg:"Windows Registry and Registry Undo files (REG)"; file_meta:type REG, id 307, category "System files"; file_data; content: "| FF FE |", depth 2, offset 0; gid:4; sid:1024045; rev:13; )
+file_id ( msg:"Proprietary layout engine for Microsoft Internet Explorer"; file_meta:type MSHTML, id 308, category "Office Documents"; file_data; content: "| 3D 22 2D 2D 2D 2D 3D 5F |", depth 8, offset 60; gid:4; sid:1024046; rev:13; )
+file_id ( msg:"Microsoft Visual Basic files, including .cs, .vb, and .vbp"; file_meta:type VB, id 310, category "System files"; file_data; content: "| EF BB BF |", depth 3, offset 0; gid:4; sid:1024047; rev:13; )
+file_id ( msg:"Microsoft Visual Basic files, including .cs, .vb, and .vbp"; file_meta:type VB, id 311, category "System files"; file_data; content: "| 54 79 70 65 3D 45 78 65 |", depth 8, offset 0; gid:4; sid:1024048; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 313, category "Multimedia"; file_data; content: "| 66 74 79 70 64 61 73 68 |", depth 8, offset 4; gid:4; sid:1024049; rev:13; )
+file_id ( msg:"Microsoft Windows Shortcut Files"; file_meta:type LNK, id 314, category "Executables"; file_data; content: "| 4C 00 00 00 01 14 02 00 |", depth 8, offset 0; gid:4; sid:1024050; rev:13; )
+file_id ( msg:"Microsoft Windows Shortcut Files"; file_meta:type SCR, id 315, category "Executables"; file_data; content: "| 44 43 4E 01 |", depth 4, offset 0; gid:4; sid:1024051; rev:13; )
+file_id ( msg:"Microsoft Windows Shortcut Files"; file_meta:type SCR, id 316, category "Executables"; file_data; content: "| 44 43 44 01 |", depth 4, offset 0; gid:4; sid:1024052; rev:13; )
+file_id ( msg:"Matroska stream file"; file_meta:type MKV, id 317, category "Multimedia"; file_data; content: "| 1A 45 DF A3 01 00 00 00 00 00 00 23 42 86 81 01 |", depth 16, offset 0; gid:4; sid:1024053; rev:13; )
+file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 16, category "Multimedia"; file_data; content: "| 44 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1024054; rev:13; )
+file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 17, category "Multimedia"; file_data; content: "| 30 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1024055; rev:13; )
+file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 18, category "Multimedia"; file_data; content: "| 31 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1024056; rev:13; )
+file_id ( msg:"Windows NT registry hive (REG)"; file_meta:type NTHIVE, id 161, category "System files"; file_data; content: "| 72 65 67 66 |", depth 4, offset 0; gid:4; sid:1024057; rev:13; )
+file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 305, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 32 30 |", depth 2, offset 7; gid:4; sid:1024058; rev:13; )
+file_id ( msg:"Java archive file"; file_meta:type JAR, id 318, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 63 6F 6E 74 65 6E 74 2F |", depth 8, offset 30; gid:4; sid:1024059; rev:13; )
+file_id ( msg:"Java archive file"; file_meta:type JAR, id 319, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 6F 70 74 69 6F 6E 73 2F |", depth 8, offset 30; gid:4; sid:1024060; rev:13; )
+file_id ( msg:"WinRAR compressed archive file"; file_meta:type RAR, id 320, category "Archive", version "1.1"; file_data; content: "| 52 61 72 21 1A 07 01 00 |", depth 8, offset 0; gid:4; sid:1024061; rev:13; )
+file_id ( msg:"Archive file for Microsoft created using software ALZip"; file_meta:type ALZ, id 321, category "Archive"; file_data; content: "| 41 4C 5A 01 |", depth 4, offset 0; gid:4; sid:1024062; rev:13; )
+file_id ( msg:"Archive File for Microsoft created using software ALZip"; file_meta:type EGG, id 322, category "Archive"; file_data; content: "| 45 47 47 41 |", depth 4, offset 0; gid:4; sid:1024063; rev:13; )
+file_id ( msg:"Hangul word processor file"; file_meta:type HWP, id 323, category "Office Documents", version "3.0"; file_data; content: "| 48 57 50 20 44 6F 63 75 6D 65 6E 74 20 46 69 6C 65 |", depth 17, offset 0; gid:4; sid:1024064; rev:13; )
+file_id ( msg:"Flash file"; file_meta:type SWF, id 324, category "Multimedia"; file_data; content: "| 5A 57 53 |", depth 3, offset 0; gid:4; sid:1024065; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 325, category "System files"; file_data; content: "| 0A 0D 0D 0A |", depth 4, offset 0; gid:4; sid:1024066; rev:13; )
+file_id ( msg:"Flash file "; file_meta:type SWF, id 54, category "Multimedia"; file_data; content: "| 58 46 49 52 |", depth 4, offset 0; gid:4; sid:1024067; rev:13; )
EXTERNAL_NET = 'any'
include 'snort_defaults.lua'
-include 'file_magic.lua'
---------------------------------------------------------------------------
-- 2. configure inspection
http2_inspect = { }
-- see file_magic.lua for file id rules
-file_id = { file_rules = file_magic }
+file_id = { rules_file = 'file_magic.rules' }
file_policy = { }
-- the following require additional configuration to be fully effective:
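Review bot: The context comment `-- see file_magic.lua for file id rules`, two lines above the changed `file_id` table, is stale after this commit: file_magic.lua is deleted and `file_id` now reads `rules_file = 'file_magic.rules'`. Update it to `-- see file_magic.rules for file id rules` so the shipped config points at the file that actually exists.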
act_alert.cc
act_block.cc
act_drop.cc
+ act_file_id.cc
act_log.cc
act_pass.cc
act_reject.cc
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// act_file_id.cc author Bhargava Jandhyala <bjandhya@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "actions.h"
+#include "detection/detect.h"
+#include "file_api/file_flows.h"
+#include "file_api/file_identifier.h"
+#include "managers/action_manager.h"
+#include "parser/parser.h"
+#include "utils/stats.h"
+
+using namespace snort;
+
+#define s_name "file_id"
+
+#define s_help \
+ "file_id file type id"
+
+//-------------------------------------------------------------------------
+// ips action
+//-------------------------------------------------------------------------
+
+class File_IdAction : public IpsAction
+{
+public:
+ File_IdAction() : IpsAction(s_name, nullptr) { }
+ void exec(Packet*, const OptTreeNode* otn) override;
+};
+
+void File_IdAction::exec(Packet* p, const OptTreeNode* otn)
+{
+ if (!p->flow)
+ return;
+ FileFlows* files = FileFlows::get_file_flows(p->flow, false);
+ if (!files)
+ return;
+ FileContext* file = files->get_current_file_context();
+ if (!file)
+ return;
+ file->set_file_type(otn->sigInfo.file_id);
+}
+
+//-------------------------------------------------------------------------
+
+static IpsAction* file_id_ctor(Module*)
+{ return new File_IdAction; }
+
+static void file_id_dtor(IpsAction* p)
+{ delete p; }
+
+static ActionApi file_id_api
+{
+ {
+ PT_IPS_ACTION,
+ sizeof(ActionApi),
+ ACTAPI_VERSION,
+ 0,
+ API_RESERVED,
+ API_OPTIONS,
+ s_name,
+ s_help,
+ nullptr, // mod_ctor
+ nullptr, // mod_dtor
+ },
+ IpsAction::IAP_OTHER,
+ nullptr,
+ nullptr,
+ nullptr,
+ nullptr,
+ file_id_ctor,
+ file_id_dtor
+};
+
+const BaseApi* act_file_id[] =
+{
+ &file_id_api.base,
+ nullptr
+};
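Review bot: `File_IdAction::exec` guards `p->flow`, the FileFlows lookup and the current FileContext, but dereferences `otn` unconditionally for `otn->sigInfo.file_id`; if the IpsAction interface can ever hand exec a null otn, this is the single unguarded pointer in the body, and `if (!otn) return;` ahead of the `set_file_type` call keeps it consistent with the other three checks. `sigInfo.file_id` is declared `uint64_t` in the rules.h hunk below while the identifier looks rules up by `uint32_t`, so it is worth confirming that `set_file_type` accepts the full width or that the parser bounds the value (neither is visible here). The help text `"file_id file type id"` says nothing a reader of the module help would not guess from the name; `"set the file type from a matching file_id rule"` describes what exec does.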
+
extern const BaseApi* act_alert[];
extern const BaseApi* act_block[];
extern const BaseApi* act_drop[];
+extern const BaseApi* act_file_id[];
extern const BaseApi* act_log[];
extern const BaseApi* act_pass[];
extern const BaseApi* act_reject[];
PluginManager::load_plugins(act_alert);
PluginManager::load_plugins(act_block);
PluginManager::load_plugins(act_drop);
+ PluginManager::load_plugins(act_file_id);
PluginManager::load_plugins(act_log);
PluginManager::load_plugins(act_pass);
PluginManager::load_plugins(act_reject);
do
{
rval = (int)IpsOption::NO_MATCH; // FIXIT-L refactor to eliminate casts to int.
- if ( node->otn )
+ if ( node->otn and !node->otn->sigInfo.file_id )
{
SnortProtocolId snort_protocol_id = p->get_snort_protocol_id();
int check_ports = 1;
}
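Review bot: The new condition `node->otn and !node->otn->sigInfo.file_id` silently drops every otn with a non-zero `file_id` from this evaluation path, and nothing at the site explains why; a reader has to find `fp_eval_service_group` elsewhere in this commit to learn that file_id rules get their own pass. Propose a one-line comment above the `if`: `// file_id rules are evaluated separately by fp_eval_service_group`. The enclosing loop starts and ends outside the hunk.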
static inline void eval_fp(
- RuleGroup* port_group, Packet* p, char ip_rule, bool srvc)
+ RuleGroup* port_group, Packet* p, char ip_rule, bool srvc, bool force = false)
{
const uint8_t* tmp_payload = nullptr;
uint16_t tmp_dsize = 0;
}
}
- if ( DetectionEngine::content_enabled(p) )
+ if ( DetectionEngine::content_enabled(p) or force)
{
if ( fp_search(port_group, p, srvc) )
return;
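Review bot: The added `force` parameter is undocumented on both `eval_fp` here and `fpEvalHeaderSW` in the next hunk, yet it bypasses two gates in turn — `content_enabled(p)` in this function and `is_detection_enabled(...)` in the caller — so the signatures alone do not tell a reader that it is meant only for the file_id service-group pass (the sole `true` caller visible in this diff is `fp_eval_service_group`). Propose a comment on the parameter line, e.g. `// force: run the search even when detection/content is disabled for p (file_id pass)`, in both places. Minor: `or force)` is missing the space before the closing parenthesis that the surrounding code uses. eval_fp's body continues past the hunk.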
// for performance purposes.
static inline void fpEvalHeaderSW(
- RuleGroup* port_group, Packet* p, char ip_rule, FPTask task, bool srvc = false)
+ RuleGroup* port_group, Packet* p, char ip_rule, FPTask task, bool srvc = false, bool force = false)
{
- if ( !p->is_detection_enabled(p->packet_flags & PKT_FROM_CLIENT) )
+ if ( !force and !p->is_detection_enabled(p->packet_flags & PKT_FROM_CLIENT))
return;
if ( task & FPTask::FP )
- eval_fp(port_group, p, ip_rule, srvc);
+ eval_fp(port_group, p, ip_rule, srvc, force);
if ( task & FPTask::NON_FP )
eval_nfp(port_group, p, ip_rule);
}
}
+static inline int fp_do_actions(OtnxMatchData* omd, Packet* p)
+{
+ if (!omd->have_match)
+ return 0;
+
+ for (unsigned i = 0; i < p->context->conf->num_rule_types; i++)
+ {
+ if (omd->matchInfo[i].iMatchCount)
+ {
+ qsort(omd->matchInfo[i].MatchArray, omd->matchInfo[i].iMatchCount,
+ sizeof(void*), sortOrderByContentLength);
+ const OptTreeNode* otn = omd->matchInfo[i].MatchArray[0];
+ RuleTreeNode* rtn = getRtnFromOtn(otn);
+ IpsAction* act = get_ips_policy()->action[rtn->action];
+ act->exec(p, otn);
+ }
+ }
+
+ return 0;
+}
+
+void fp_eval_service_group(Packet* p, SnortProtocolId snort_protocol_id)
+{
+ Profile mpse_profile(mpsePerfStats);
+ RuleGroup* svc = p->context->conf->sopgTable->get_port_group(true, snort_protocol_id);
+
+ if (!svc)
+ return;
+
+ IpsContext* c = p->context;
+ init_match_info(c);
+ c->searches.mf = rule_tree_queue;
+ c->searches.context = c;
+ assert(!c->searches.items.size());
+
+ IpsContext::ActiveRules actv_rules = c->active_rules;
+ c->active_rules = IpsContext::CONTENT;
+ IpsPolicy* ips_policy = snort::get_ips_policy();
+ snort::set_ips_policy(get_default_ips_policy(SnortConfig::get_conf()));
+
+ print_pkt_info(p, "file_id fast-patterns"); //FIXIT
+ fpEvalHeaderSW(svc, p, 0, FPTask::FP, true, true);
+ MpseStash* stash = c->stash;
+ c->searches.search_sync();
+ {
+ Profile rule_profile(rulePerfStats);
+ stash->process(c);
+
+ print_pkt_info(p, "file_id non-fast-patterns"); //FIXIT
+ fpEvalHeaderSW(svc, p, 0, FPTask::NON_FP, true);
+
+ fp_do_actions(c->otnx, p);
+
+ c->searches.items.clear();
+ }
+ c->active_rules = actv_rules;
+ snort::set_ips_policy(ips_policy);
+}
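Review bot: `fp_do_actions` is declared `int` but every path returns 0 and the caller `fp_do_actions(c->otnx, p);` discards the value, so `static inline void fp_do_actions(...)` with the two `return 0;` lines turned into plain `return;` states the contract honestly. In the same function, `getRtnFromOtn(otn)` feeds `rtn->action` without a null check; if that lookup can fail for a rule selected from `MatchArray[0]`, this is a crash on a rule-file problem rather than a ParseError. The two `//FIXIT` markers on the `print_pkt_info` calls carry neither the level suffix this file already uses (`FIXIT-L` appears earlier in the same file) nor a word on what is to be fixed; if these are debug traces that should not ship, say so, e.g. `// FIXIT-L remove debug trace before release`.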
#include "main/thread.h"
#include "profiler/profiler_defs.h"
+#include "target_based/snort_protocols.h"
#define REBUILD_FLAGS (PKT_REBUILT_FRAG | PKT_REBUILT_STREAM)
void fp_full(snort::Packet*);
void fp_partial(snort::Packet*);
void fp_complete(snort::Packet*, bool search = false);
+void fp_eval_service_group(snort::Packet*, SnortProtocolId);
#endif
SnortProtocolId get_snort_protocol_id()
{ return flow.proto_id; }
+ void set_snort_protocol_id(SnortProtocolId id)
+ { flow.proto_id = id; }
+
void disable_detection();
void disable_inspection();
DataPointer file_data = DataPointer(nullptr, 0);
DataBuffer alt_data = {};
+ unsigned file_pos = 0;
+ bool file_type_process = false;
uint64_t context_num;
uint64_t packet_number = 0;
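Review bot: `file_pos` and `file_type_process` are added to Packet as public fields with no comment, and nothing in this diff shows who writes or reads them, so the next maintainer has to grep for both. A one-line comment on each naming the component that sets it and the detection path that consumes it would make the intent visible at the declaration; the same applies to the new `set_snort_protocol_id` setter in the hunk just above, which now lets any caller overwrite `flow.proto_id` with no note on when that is legitimate.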
#include <cstdio>
#include <string>
+#include "rules.h"
#include "target_based/snort_protocols.h"
namespace snort
const ClassType* class_type = nullptr;
- uint32_t gid = 0;
+ uint32_t gid = GID_DEFAULT;
uint32_t sid = 0;
uint32_t rev = 0;
bool builtin = false;
Target target = TARGET_NONE;
+ uint64_t file_id = 0;
};
snort::GHash* OtnLookupNew();
SO_PUBLIC uint64_t get_file_processed_size(Flow* flow);
SO_PUBLIC FilePosition get_file_position(Packet* pkt);
+SO_PUBLIC void set_rule_id_from_type(SnortConfig* sc, uint64_t id, std::string type,
+ std::string file_category, std::string file_version, std::vector<std::string> file_groups);
SO_PUBLIC void get_magic_rule_ids_from_type(const std::string& type,
const std::string& version, FileTypeBitSet& ids_set, SnortConfig*);
}
using namespace snort;
-bool FileConfig::process_file_magic(FileMagicData& magic)
-{
- bool negated = false;
- std::string str = '"' + magic.content_str + '"';
-
- if ( !parse_byte_code(str.c_str(), negated, magic.content) )
- return false;
-
- if (negated)
- return false;
-
- return true;
-}
-
uint32_t FileConfig::find_file_type_id(const uint8_t* buf, int len,
uint64_t file_offset, void** context)
{
}
/*The main function for parsing rule option*/
-void FileConfig::process_file_rule(FileMagicRule& rule)
+void FileConfig::process_file_rule(FileMeta& rule)
{
- fileIdentifier.insert_file_rule(rule);
+ fileIdentifier.add_file_id(rule);
}
-const FileMagicRule* FileConfig::get_rule_from_id(uint32_t id) const
+const FileMeta* FileConfig::get_rule_from_id(uint32_t id) const
{
return fileIdentifier.get_rule_from_id(id);
}
else if (SNORT_FILE_TYPE_CONTINUE == id)
return "Undecided file type, continue...";
- const FileMagicRule* info = get_rule_from_id(id);
+ const FileMeta* info = get_rule_from_id(id);
if (info != nullptr)
return info->type;
else
ids_set.reset();
}
+
+void set_rule_id_from_type(SnortConfig* sc, uint64_t id, std::string type,
+ std::string file_category, std::string file_version, std::vector<std::string> file_groups)
+{
+ FileConfig* conf = get_file_config(sc);
+ if (conf)
+ {
+ FileMeta rule(id, type, file_category, file_version, file_groups);
+ conf->process_file_rule(rule);
+ }
+}
}
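Review bot: `set_rule_id_from_type` takes `type`, `file_category`, `file_version` and `file_groups` by value, so every rule registration copies three strings and a vector before `FileMeta rule(...)` is even built, and the signature is inconsistent with the neighbouring `get_magic_rule_ids_from_type`, which takes `const std::string&`. As the function is SO_PUBLIC the signature is hard to change later; propose `SO_PUBLIC void set_rule_id_from_type(SnortConfig* sc, uint64_t id, const std::string& type, const std::string& file_category, const std::string& file_version, const std::vector<std::string>& file_groups);` in the header hunk above and in this definition. The `conf == nullptr` branch drops the rule silently; if a file_id rule can legitimately be parsed before file config exists, a comment saying so would help, otherwise a ParseError like the one in `add_file_id` is warranted.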
// This provides the basic configuration for file processing
#include "main/snort_config.h"
+#include "detection/detection_engine.h"
#include "file_api/file_identifier.h"
#define DEFAULT_FILE_TYPE_DEPTH 1460
class FileConfig
{
public:
- const FileMagicRule* get_rule_from_id(uint32_t) const;
+ const FileMeta* get_rule_from_id(uint32_t) const;
void get_magic_rule_ids_from_type(const std::string&, const std::string&,
snort::FileTypeBitSet&) const;
- void process_file_rule(FileMagicRule&);
- bool process_file_magic(FileMagicData&);
+ void process_file_rule(FileMeta&);
uint32_t find_file_type_id(const uint8_t* buf, int len, uint64_t file_offset, void** context);
std::string file_type_name(uint32_t id) const;
bool trace_type = false;
bool trace_signature = false;
bool trace_stream = false;
+ SnortProtocolId snort_protocol_id = UNKNOWN_PROTOCOL_ID;
private:
FileIdentifier fileIdentifier;
{
IdentifierNode* shared_node; /*the node that is shared*/
IdentifierNode* append_node; /*the node that is added*/
-} ;
+};
-void FileMagicData::clear()
-{
- content_str.clear();
- content.clear();
- offset = 0;
-}
-
-void FileMagicRule::clear()
+void FileMeta::clear()
{
rev = 0;
- message.clear();
type.clear();
id = 0;
category.clear();
version.clear();
groups.clear();
- file_magics.clear();
}
void FileIdentifier::init_merge_hash()
return node;
}
-IdentifierNode* FileIdentifier::create_trie_from_magic(FileMagicRule& rule, uint32_t type_id)
-{
- IdentifierNode* current;
- IdentifierNode* root = nullptr;
-
- if (rule.file_magics.empty() || !type_id)
- return nullptr;
-
- /* Content magics are sorted based on offset, this
- * will help compile the file magic trio
- */
- std::sort(rule.file_magics.begin(),rule.file_magics.end());
-
- current = (IdentifierNode*)calloc_mem(sizeof(*current));
- current->state = ID_NODE_NEW;
- root = current;
-
- for (auto magic:rule.file_magics)
- {
- unsigned int i;
- current->offset = magic.offset;
- for (i = 0; i < magic.content.size(); i++)
- {
- IdentifierNode* node = (IdentifierNode*)calloc_mem(sizeof(*node));
- uint8_t index = magic.content[i];
- node->offset = magic.offset + i + 1;
- node->state = ID_NODE_NEW;
- current->next[index] = node;
- current = node;
- }
- }
-
- /*Last node has type name*/
- current->type_id = type_id;
- return root;
-}
-
-/*This function examines whether to update the trie based on shared state*/
-
-bool FileIdentifier::update_next(IdentifierNode* start, IdentifierNode** next_ptr,
- IdentifierNode* append)
-{
- IdentifierNode* next = (*next_ptr);
- MergeNode merge_node;
- IdentifierNode* result;
-
- if (!append || (next == append))
- return false;
-
- merge_node.append_node = append;
- merge_node.shared_node = next;
- if (!next)
- {
- /*reuse the append*/
- *next_ptr = append;
- set_node_state_shared(append);
- return false;
- }
- else if ((result = (IdentifierNode*)identifier_merge_hash->find(&merge_node)))
- {
- /*the same pointer has been processed, reuse it*/
- *next_ptr = result;
- set_node_state_shared(result);
- return false;
- }
- else
- {
- if ((start->offset < append->offset) && (next->offset > append->offset))
- {
- /*offset could have gap when non 0 offset is allowed */
- unsigned int index;
- IdentifierNode* node = (IdentifierNode*)calloc_mem(sizeof(*node));
- merge_node.shared_node = next;
- merge_node.append_node = append;
- node->offset = append->offset;
-
- for (index = 0; index < MAX_BRANCH; index++)
- {
- node->next[index] = next;
- }
-
- set_node_state_shared(next);
- next = node;
- identifier_merge_hash->insert(&merge_node, next);
- }
- else if (next->state == ID_NODE_SHARED)
- {
- /*shared, need to clone one*/
- IdentifierNode* current_next = next;
- merge_node.shared_node = current_next;
- merge_node.append_node = append;
- next = clone_node(current_next);
- set_node_state_shared(next);
- identifier_merge_hash->insert(&merge_node, next);
- }
-
- *next_ptr = next;
- }
-
- return true;
-}
-
-/*
- * Append magic to existing trie
- */
-void FileIdentifier::update_trie(IdentifierNode* start, IdentifierNode* append)
-{
- unsigned int i;
-
- if ((!start )||(!append)||(start == append))
- return;
-
- if (start->offset == append->offset )
- {
- /* when we come here, make sure this tree is not shared
- * Update start trie using append information*/
-
- assert(start->state != ID_NODE_SHARED);
-
- if (append->type_id)
- {
- if (start->type_id)
- ParseWarning(WARN_RULES, "Duplicated type definition '%u -> %u at offset %u",
- start->type_id, append->type_id, append->offset);
- start->type_id = append->type_id;
- }
-
- for (i = 0; i < MAX_BRANCH; i++)
- {
- if (update_next(start,&start->next[i], append->next[i]))
- {
- update_trie(start->next[i], append->next[i]);
- }
- }
- }
- else if (start->offset < append->offset )
- {
- for (i = 0; i < MAX_BRANCH; i++)
- {
- if (update_next(start,&start->next[i], append))
- update_trie(start->next[i], append);
- }
- }
-}
-
-void FileIdentifier::insert_file_rule(FileMagicRule& rule)
+void FileIdentifier::add_file_id(FileMeta& rule)
{
- IdentifierNode* node;
-
if (!identifier_root)
{
identifier_root = (IdentifierNode*)calloc_mem(sizeof(*identifier_root));
init_merge_hash();
}
- if (rule.id >= FILE_ID_MAX)
- {
- ParseError("file type: rule id %u exceeds max id of %d", rule.id, FILE_ID_MAX-1);
- return;
- }
-
if (file_magic_rules[rule.id].id > 0)
{
- ParseError("file type: duplicated rule id %u defined", rule.id);
+ ParseError("file type: rule id %u found duplicate", rule.id);
return;
}
file_magic_rules[rule.id] = rule;
-
- node = create_trie_from_magic(rule, rule.id);
- update_trie(identifier_root, node);
}
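Review bot: The removed `rule.id >= FILE_ID_MAX` check was the only bound in front of `file_magic_rules[rule.id]` in this function, and `add_file_id` now indexes that array with whatever `id` the rules file supplies (`file_meta:type ... id 136` in file_magic.rules), so an id at or beyond FILE_ID_MAX becomes an out-of-bounds read on the `.id > 0` test and an out-of-bounds write on the assignment. Unless the new rules parser already rejects such ids (not visible in this diff), restore the guard before the duplicate check: `if (rule.id >= FILE_ID_MAX) { ParseError("file type: rule id %u exceeds max id of %d", rule.id, FILE_ID_MAX-1); return; }`. `get_rule_from_id` below still checks `id < FILE_ID_MAX`, so the insert side is now the weaker of the two and is the one fed directly by configuration.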
/*
return file_type_id;
}
-const FileMagicRule* FileIdentifier::get_rule_from_id(uint32_t id) const
+const FileMeta* FileIdentifier::get_rule_from_id(uint32_t id) const
{
if ((id < FILE_ID_MAX) && (file_magic_rules[id].id > 0))
{
{
if (type == file_magic_rules[i].type)
{
- if (version.empty() or version == file_magic_rules[i].version)
+ std::string s = "\"", tmp;
+ if (!version.empty())
+ tmp = s+version+s;
+ if (tmp.empty() or tmp == file_magic_rules[i].version)
{
ids_set.set(file_magic_rules[i].id);
}
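Review bot: The version comparison now wraps the caller's `version` in literal double quotes on every lookup (`tmp = s+version+s`) so that it matches `file_magic_rules[i].version`; this implies the rule parser stores the `version "1.0"` attribute with its quotes intact, which is a hidden format dependency between the parser and this function and may affect `type` and `category` the same way if they are stored alike. Stripping the quotes once at parse time (or in the FileMeta constructor) would keep the comparison as it was, `if (version.empty() or version == file_magic_rules[i].version)`, and drop the per-call string building. If the quotes are deliberate, a comment on the `tmp` line stating that stored versions keep their surrounding quotes would spare the next reader the surprise; `s` is also a poor name for a constant that is a quote character.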
TEST_CASE ("FileIdRulePDF", "[FileMagic]")
{
- FileMagicData magic;
-
- magic.content = "PDF";
- magic.offset = 0;
-
- FileMagicRule rule;
+ FileMeta rule;
rule.type = "pdf";
- rule.file_magics.emplace_back(magic);
rule.id = 1;
FileIdentifier rc;
- rc.insert_file_rule(rule);
+ rc.add_file_id(rule);
const char* data = "PDF";
void* context = nullptr;
- CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == 1);
+ CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) ==
+ SNORT_FILE_TYPE_UNKNOWN);
}
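Review bot: After this change the test registers a "pdf" rule, feeds the bytes "PDF" and expects SNORT_FILE_TYPE_UNKNOWN, which is what the identifier now returns for any input because add_file_id no longer builds a trie; the case is vacuous and its name contradicts its expectation. Either delete it or assert the part that still works, e.g. `CHECK(rc.get_rule_from_id(1)->type == "pdf");` and `CHECK(rc.get_rule_from_id(2) == nullptr);` (get_rule_from_id presumably returns nullptr for an unregistered id — confirm). The same applies to the three FileIdRule* cases that follow.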
TEST_CASE ("FileIdRuleUnknow", "[FileMagic]")
{
- FileMagicData magic;
-
- magic.content = "PDF";
- magic.offset = 0;
-
- FileMagicRule rule;
+ FileMeta rule;
rule.type = "pdf";
- rule.file_magics.emplace_back(magic);
rule.id = 1;
FileIdentifier rc;
- rc.insert_file_rule(rule);
+ rc.add_file_id(rule);
const char* data = "DDF";
TEST_CASE ("FileIdRuleEXE", "[FileMagic]")
{
- FileMagicData magic;
-
- magic.content = "PDF";
- magic.offset = 0;
-
- FileMagicRule rule;
+ FileMeta rule;
rule.type = "exe";
- rule.file_magics.emplace_back(magic);
rule.id = 1;
FileIdentifier rc;
- rc.insert_file_rule(rule);
-
- magic.clear();
- magic.content = "EXE";
- magic.offset = 0;
+ rc.add_file_id(rule);
rule.clear();
rule.type = "exe";
- rule.file_magics.emplace_back(magic);
rule.id = 3;
- rc.insert_file_rule(rule);
+ rc.add_file_id(rule);
const char* data = "PDFooo";
void* context = nullptr;
- CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == 1);
+ CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) ==
+ SNORT_FILE_TYPE_UNKNOWN);
}
TEST_CASE ("FileIdRulePDFEXE", "[FileMagic]")
{
- FileMagicData magic;
-
- magic.content = "PDF";
- magic.offset = 0;
-
- FileMagicRule rule;
+ FileMeta rule;
rule.type = "exe";
- rule.file_magics.emplace_back(magic);
rule.id = 1;
FileIdentifier rc;
- rc.insert_file_rule(rule);
-
- magic.clear();
- magic.content = "EXE";
- magic.offset = 3;
+ rc.add_file_id(rule);
rule.clear();
rule.type = "exe";
- rule.file_magics.emplace_back(magic);
rule.id = 3;
- rc.insert_file_rule(rule);
+ rc.add_file_id(rule);
const char* data = "PDFEXE";
void* context = nullptr;
// Match the last one
- CHECK((rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == 3));
+ CHECK((rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) ==
+ SNORT_FILE_TYPE_UNKNOWN));
}
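Review bot: The comment `// Match the last one` is now wrong: the assertion beneath it expects SNORT_FILE_TYPE_UNKNOWN rather than id 3, so the comment describes behaviour the commit removes. Either drop the comment or make the test say what it now checks, e.g. `// no magic trie is built any more: data is never identified by add_file_id alone`. As with the other FileIdRule* cases, a check on `rc.get_rule_from_id(3)` would give the test something real to assert.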
TEST_CASE ("FileIdRuleFirst", "[FileMagic]")
{
- FileMagicData magic;
-
- magic.content = "PDF";
- magic.offset = 0;
-
- FileMagicRule rule;
+ FileMeta rule;
rule.type = "exe";
- rule.file_magics.emplace_back(magic);
rule.id = 1;
FileIdentifier rc;
- rc.insert_file_rule(rule);
-
- magic.clear();
- magic.content = "EXE";
- magic.offset = 3;
+ rc.add_file_id(rule);
rule.clear();
rule.type = "exe";
- rule.file_magics.emplace_back(magic);
rule.id = 3;
- rc.insert_file_rule(rule);
+ rc.add_file_id(rule);
const char* data = "PDF";
void* context = nullptr;
- CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == 1);
+ CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) ==
+ SNORT_FILE_TYPE_UNKNOWN);
}
#endif
ID_NODE_SHARED
};
-class FileMagicData
-{
-public:
- void clear();
- std::string content_str; /* magic content to match*/
- std::string content; /* magic content raw values*/
- uint32_t offset; /* pattern search start offset */
- bool operator <(const FileMagicData& magic) const
- {
- return (offset < magic.offset);
- }
-};
-
-typedef std::vector<FileMagicData> FileMagics;
-
-class FileMagicRule
+class FileMeta
{
public:
+ FileMeta() { }
+ FileMeta(uint type_id, const std::string& type_name, const std::string& file_category, const std::string&
+ file_version, const std::vector<std::string>& file_groups)
+ : id(type_id), type(type_name),category(file_category),version(file_version),groups(
+ file_groups) { }
void clear();
uint32_t rev = 0;
uint32_t id = 0;
- std::string message;
std::string type;
std::string category;
std::string version;
std::vector<std::string> groups;
- FileMagics file_magics;
};
struct IdentifierNode
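Review bot: The FileMeta constructor takes `uint type_id` while the member it initialises is `uint32_t id`; `uint` is a POSIX typedef rather than a C++ type and differs in width from `uint32_t` on some platforms, so the parameter should be `uint32_t type_id`. The constructor also has no way to set `rev`, so a FileMeta built through it always carries `rev = 0` — fine if intended, but worth a one-line comment on the constructor (`// rev is not settable here; it stays 0 for rules built from the file_meta option`). Minor: `FileMeta() { }` reads better as `FileMeta() = default;`.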
public:
~FileIdentifier();
uint32_t memory_usage() const { return memory_used; }
- void insert_file_rule(FileMagicRule& rule);
+ void add_file_id(FileMeta& rule);
uint32_t find_file_type_id(const uint8_t* buf, int len, uint64_t offset, void** context);
- const FileMagicRule* get_rule_from_id(uint32_t) const;
+ const FileMeta* get_rule_from_id(uint32_t) const;
void get_magic_rule_ids_from_type(const std::string&, const std::string&,
snort::FileTypeBitSet&) const;
void set_node_state_shared(IdentifierNode* start);
IdentifierNode* clone_node(IdentifierNode* start);
bool update_next(IdentifierNode* start, IdentifierNode** next_ptr, IdentifierNode* append);
- IdentifierNode* create_trie_from_magic(FileMagicRule& rule, uint32_t type_id);
void update_trie(IdentifierNode* start, IdentifierNode* append);
/*properties*/
IdentifierNode* identifier_root = nullptr; /*Root of magic tries*/
uint32_t memory_used = 0; /*Track memory usage*/
snort::GHash* identifier_merge_hash = nullptr;
- FileMagicRule file_magic_rules[FILE_ID_MAX + 1];
+ FileMeta file_magic_rules[FILE_ID_MAX + 1];
IDMemoryBlocks id_memory_blocks;
};
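Review bot: `update_trie`, `update_next`, `clone_node`, `set_node_state_shared`, `identifier_root` and `identifier_merge_hash` stay declared here although this commit removes `create_trie_from_magic` and, earlier in the diff, what appears to be the definition of `update_trie`; add_file_id still callocs `identifier_root` and calls `init_merge_hash()` for a trie that nothing populates any more. Unless the trie is still fed from somewhere outside this diff, the remaining trie members and the allocation in add_file_id are dead code and should be removed together with the declarations. If they are intentionally kept for a follow-up, say so on the class, e.g. `// trie members are unused since identification moved to file_id IPS rules; kept for removal in a later change`.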
#include "main/snort_config.h"
#include "managers/inspector_manager.h"
#include "packet_tracer/packet_tracer.h"
+#include "profiler/profiler.h"
#include "protocols/packet.h"
#include "utils/util.h"
#include "utils/util_utf.h"
#include "file_segment.h"
#include "file_stats.h"
#include "file_module.h"
+#include "detection/fp_detect.h"
using namespace snort;
+THREAD_LOCAL ProfileStats file_perf_stats;
+
// Convert UTF16-LE file name to UTF-8.
// Returns allocated name. Caller responsible for freeing the buffer.
char* FileContext::get_UTF8_fname(size_t* converted_len)
return file_size;
}
+void FileInfo::set_file_type(uint64_t id)
+{
+ file_type_id = id;
+}
+
uint32_t FileInfo::get_file_type() const
{
return file_type_id;
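Review bot: `FileInfo::set_file_type(uint64_t id)` narrows into `file_type_id`, which `get_file_type()` returns as `uint32_t`; a caller passing a value above 32 bits would be silently truncated. Declare the setter with the member's type, `void FileInfo::set_file_type(uint32_t id)`, and change the header declaration (`void set_file_type(uint64_t index);` in the other hunk) to match.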
bool FileContext::process(Packet* p, const uint8_t* file_data, int data_size,
FilePosition position, FilePolicyBase* policy)
{
+ Profile profile(file_perf_stats);
Flow* flow = p->flow;
if ( config->trace_stream )
/*file type id*/
if (is_file_type_enabled())
{
- process_file_type(file_data, data_size, position);
+ process_file_type(p, file_data, data_size, position);
/*Don't care unknown file type*/
if (get_file_type() == SNORT_FILE_TYPE_UNKNOWN)
* 3) file magics are exhausted in depth
*
*/
-void FileContext::process_file_type(const uint8_t* file_data, int data_size, FilePosition position)
+void FileContext::find_file_type_from_ips(Packet* pkt, const uint8_t* file_data, int
+ data_size,
+ FilePosition position)
{
- /* file type already found and no magics to continue */
- if (file_type_id && !file_type_context)
- return;
-
bool depth_exhausted = false;
+ bool set_file_context = false;
if ((int64_t)processed_bytes + data_size >= config->file_type_depth)
{
assert(data_size > 0);
depth_exhausted = true;
}
-
- file_type_id =
- config->find_file_type_id(file_data, data_size, processed_bytes, &file_type_context);
-
+ const FileConfig* const conf = get_file_config();
+ DetectionEngine de;
+ Packet* p = DetectionEngine::get_current_packet();
+ p->flow = pkt->flow;
+ p->pkth = pkt->pkth;
+
+ p->context->file_data = { file_data, (unsigned int)data_size };
+ p->context->file_pos = processed_bytes;
+ p->context->file_type_process = true;
+ p->context->set_snort_protocol_id(conf->snort_protocol_id);
+ p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT;
+ p->proto_bits |= PROTO_BIT__PDU;
+
+ FileFlows* files = FileFlows::get_file_flows(p->flow, false);
+ if (files and (!files->get_current_file_context() or files->get_current_file_context() != this))
+ {
+ files->set_current_file_context(this);
+ set_file_context =true;
+ }
+ fp_eval_service_group(p, conf->snort_protocol_id);
+ if (set_file_context)
+ {
+ files->set_current_file_context(nullptr);
+ }
/* Check whether file transfer is done or type depth is reached */
- if ( (position == SNORT_FILE_END) || (position == SNORT_FILE_FULL) || depth_exhausted )
+ if ((position == SNORT_FILE_END) || (position == SNORT_FILE_FULL) || depth_exhausted)
finalize_file_type();
}
+void FileContext::process_file_type(Packet* pkt,const uint8_t* file_data, int data_size,
+ FilePosition position)
+{
+ /* file type already found and no magics to continue */
+ find_file_type_from_ips(pkt, file_data, data_size, position);
+}
+
void FileContext::process_file_signature_sha256(const uint8_t* file_data, int data_size,
FilePosition position)
{
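Review bot: `conf` from `get_file_config()` is dereferenced at the `set_snort_protocol_id(conf->snort_protocol_id)` line without a null check, while the same getter is guarded with `if (!conf) return;` in FileService::init and verify_reload elsewhere in this diff; add the same guard (or an assert) before touching `p->context`. The packet state set here (`PKT_ALLOW_MULTIPLE_DETECT`, `PROTO_BIT__PDU`, `context->file_type_process = true`, the borrowed `flow`/`pkth`) is never cleared on the shared current packet, so it persists into whatever is evaluated against that packet next unless something outside this hunk resets it — worth confirming and documenting. The comment `/* file type already found and no magics to continue */` kept in process_file_type now describes an early return this commit removes; replace it with what the wrapper does, e.g. `// run the file_id IPS rules over this chunk; finalize on END/FULL or when type depth is reached`.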
log << "File size: " << file_size << std::endl;
log << "Processed size: " << processed_bytes << std::endl;
}
-
-/**
-bool file_IDs_from_type(const void *conf, const char *type,
- uint32_t **ids, uint32_t *count)
-{
- if ( !type )
- return false;
-
- return get_ids_from_type(conf, type, ids, count);
-}
-
-bool file_IDs_from_type_version(const void *conf, const char *type,
- const char *version, uint32_t **ids, uint32_t *count )
-{
- if ( !type || !version )
- return false;
-
- return get_ids_from_type_version(conf, type, version, ids, count);
-}
-
-bool file_IDs_from_group(const void *conf, const char *group,
- uint32_t **ids, uint32_t *count)
-{
- if ( !group )
- return false;
-
- return get_ids_from_group(conf, group, ids, count);
-}
- **/
FileInfo(const FileInfo& other);
FileInfo& operator=(const FileInfo& other);
uint32_t get_file_type() const;
+ void set_file_type(uint64_t index);
void set_file_name(const char* file_name, uint32_t name_size);
void set_url(const char* url, uint32_t url_size);
std::string& get_file_name();
bool process(Packet*, const uint8_t* file_data, int data_size, FilePosition, FilePolicyBase*);
bool process(Packet*, const uint8_t* file_data, int data_size, uint64_t offset, FilePolicyBase*,
FilePosition position=SNORT_FILE_POSITION_UNKNOWN);
- void process_file_type(const uint8_t* file_data, int data_size, FilePosition);
void process_file_signature_sha256(const uint8_t* file_data, int data_size, FilePosition);
void update_file_size(int data_size, FilePosition position);
void stop_file_capture();
FileConfig* config;
bool cacheable = true;
- inline void finalize_file_type();
- inline void finish_signature_lookup(Packet*, bool, FilePolicyBase*);
+ void finalize_file_type();
+ void finish_signature_lookup(Packet*, bool, FilePolicyBase*);
+ void find_file_type_from_ips(Packet*, const uint8_t *file_data, int data_size, FilePosition);
+ void process_file_type(Packet*, const uint8_t* file_data, int data_size, FilePosition);
};
}
#endif
#include "file_service.h"
#include "file_stats.h"
+#include "parser/parser.h"
+
using namespace snort;
THREAD_LOCAL const Trace* file_trace = nullptr;
-
-static const Parameter file_magic_params[] =
-{
- { "content", Parameter::PT_STRING, nullptr, nullptr,
- "file magic content" },
-
- { "offset", Parameter::PT_INT, "0:max32", "0",
- "file magic offset" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
-static const Parameter file_rule_params[] =
-{
- { "rev", Parameter::PT_INT, "0:max32", "0",
- "rule revision" },
-
- { "msg", Parameter::PT_STRING, nullptr, nullptr,
- "information about the file type" },
-
- { "type", Parameter::PT_STRING, nullptr, nullptr,
- "file type name" },
-
- { "id", Parameter::PT_INT, "0:max32", "0",
- "file type id" },
-
- { "category", Parameter::PT_STRING, nullptr, nullptr,
- "file type category" },
-
- { "group", Parameter::PT_STRING, nullptr, nullptr,
- "comma separated list of groups associated with file type" },
-
- { "version", Parameter::PT_STRING, nullptr, nullptr,
- "file type version" },
-
- { "magic", Parameter::PT_LIST, file_magic_params, nullptr,
- "list of file magic rules" },
-
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
+extern THREAD_LOCAL snort::ProfileStats file_perf_stats;
static const Parameter file_id_params[] =
{
{ "show_data_depth", Parameter::PT_INT, "0:max53", "100",
"print this many octets" },
- { "file_rules", Parameter::PT_LIST, file_rule_params, nullptr,
- "list of file magic rules" },
+ { "rules_file", Parameter::PT_STRING, nullptr, nullptr,
+ "name of file with IPS rules for file identification" },
{ "trace_type", Parameter::PT_BOOL, nullptr, "false",
"enable runtime dump of type info" },
return &filetrace_options;
}
+ProfileStats* FileIdModule::get_profile() const
+{ return &file_perf_stats; }
+
const PegInfo* FileIdModule::get_pegs() const
{ return file_pegs; }
else if ( v.is("decompress_buffer_size") )
FileService::decode_conf.set_decompress_buffer_size(v.get_uint32());
-
- else if ( v.is("rev") )
- rule.rev = v.get_uint32();
-
- else if ( v.is("msg") )
- rule.message = v.get_string();
-
- else if ( v.is("type") )
- rule.type = v.get_string();
-
- else if ( v.is("id") )
- rule.id = v.get_uint32();
-
- else if ( v.is("category") )
- rule.category = v.get_string();
-
- else if ( v.is("group") )
+ else if ( v.is("rules_file") )
{
- std::istringstream stream(v.get_string());
- std::string tmpstr;
- while (std::getline(stream, tmpstr, ','))
- {
- rule.groups.emplace_back(tmpstr);
- }
- }
-
- else if ( v.is("version") )
- rule.version = v.get_string();
-
- else if ( v.is("content") )
- magic.content_str = v.get_string();
-
- else if ( v.is("offset") )
- magic.offset = v.get_uint32();
-
- return true;
-}
-
-bool FileIdModule::begin(const char* fqn, int idx, SnortConfig*)
-{
- if (!idx)
- return true;
-
- if ( !strcmp(fqn, "file_id.file_rules") )
- {
- rule.clear();
- }
- else if ( !strcmp(fqn, "file_id.file_rules.magic") )
- {
- magic.clear();
- }
-
- return true;
-}
-
-bool FileIdModule::end(const char* fqn, int idx, SnortConfig*)
-{
- if (!idx)
- return true;
-
- if ( !strcmp(fqn, "file_id.file_rules") )
- {
- fc->process_file_rule(rule);
- }
- else if ( !strcmp(fqn, "file_id.file_rules.magic") )
- {
- fc->process_file_magic(magic);
- rule.file_magics.emplace_back(magic);
+ std::string s = "include ";
+ s += v.get_string();
+ parser_append_rules_special(s.c_str());
}
return true;
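Review bot: The `rules_file` value is concatenated raw into rule text (`"include " + v.get_string()`) and handed to the rule parser, so the option is never validated as a path: a value containing a newline would be parsed as further rule lines, and a path with whitespace presumably breaks the include directive. Treat it as a path at config time — e.g. `if (s.find_first_of(" \t\r\n") != std::string::npos) { ParseError("file_id.rules_file: invalid path"); return false; }` — or add a parser entry point that appends an include by path rather than by rule text. Snort configuration is operator-controlled, so this is a robustness rather than a trust-boundary issue, but it should fail loudly here rather than as a confusing rule-parse error.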
file_stats_clear();
Module::reset_stats();
}
+
~FileIdModule() override;
bool set(const char*, snort::Value&, snort::SnortConfig*) override;
- bool begin(const char*, int, snort::SnortConfig*) override;
- bool end(const char*, int, snort::SnortConfig*) override;
+ snort::ProfileStats* get_profile() const override;
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
const snort::RuleMap* get_rules() const override;
private:
- FileMagicRule rule;
- FileMagicData magic;
+ FileMeta rule;
FileConfig *fc = nullptr;
};
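Review bot: The `FileMeta rule;` member is kept although every `set()` branch that populated it (`rev`, `msg`, `type`, `id`, `category`, `group`, `version`) and the `begin`/`end` overrides that consumed it are removed in this diff; unless it is used elsewhere in the module, it is dead state and should be dropped. If it is meant to survive for a later change, a one-line comment (`// unused since file identification moved to IPS rules`) would stop the next reader hunting for its writer.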
{
MimeSession::init();
- const FileConfig* const conf = get_file_config();
+ FileConfig* const conf = get_file_config();
if (!conf)
return;
capture_memcap = conf->capture_memcap;
capture_block_size = conf->capture_block_size;
}
+ const SnortConfig* sc = SnortConfig::get_conf();
+ conf->snort_protocol_id = sc->proto_ref->find("file_id");
}
void FileService::verify_reload(const SnortConfig* sc)
{
- const FileConfig* const conf = get_file_config(sc);
+ FileConfig* const conf = get_file_config(sc);
if (!conf)
return;
if (capture_block_size != conf->capture_block_size)
ReloadError("Changing file_id.capture_block_size requires a restart.\n");
}
+
+ if (conf->snort_protocol_id == UNKNOWN_PROTOCOL_ID)
+ {
+ conf->snort_protocol_id = sc->proto_ref->find("file_id");
+ }
}
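Review bot: `verify_reload` drops the `const` on the config solely to assign `conf->snort_protocol_id`, so a function whose name promises a read-only check now mutates the configuration being verified. If the lazy lookup is needed because `proto_ref` may not know `file_id` when `init()` runs, say so where the assignment is made, e.g. `// proto_ref may not contain file_id at init(); resolve lazily on reload`; otherwise resolve the id where the config is built and keep verify_reload read-only.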
void FileService::close()
// this is the current version of the base api
// must be prefixed to subtype version
-#define BASE_API_VERSION 13
+#define BASE_API_VERSION 14
// set options to API_OPTIONS to ensure compatibility
#ifndef API_OPTIONS
#include "detection/detection_engine.h"
#include "detection/detection_util.h"
#include "protocols/packet.h"
+#include "detection/ips_context.h"
using namespace snort;
buf = rhs.buf;
sz = rhs.sz;
pos = rhs.pos;
+ file_pos = rhs.file_pos;
if (rhs.data)
{
void Cursor::reset(Packet* p)
{
- if ( p->flow and p->flow->gadget )
+ if (p->flow and p->flow->gadget)
{
const DataBuffer& buf = DetectionEngine::get_alt_buffer(p);
- if ( buf.len )
+ if (buf.len)
{
set("alt_data", buf.data, buf.len);
return;
}
}
-
set("pkt_data", p->data, p->get_detect_limit());
}
void set(const char* s, const uint8_t* b, unsigned n)
{ name = s; buf = b; sz = n; pos = delta = 0; }
+ void set(const char* s, const uint8_t* b, unsigned n, unsigned pos_file)
+ {
+ file_pos = pos_file;
+ name = s; buf = b; sz = n; pos = delta = 0;
+ }
+
const uint8_t* buffer() const
{ return buf; }
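Review bot: The three-argument `set` does not touch `file_pos`, so a Cursor that had `set_pos_file` called and is later re-pointed at a non-file buffer keeps the stale file offset, and the new rebasing in ips_content will subtract it from `offset` for that buffer too. Reset it in the existing overload (`{ name = s; buf = b; sz = n; pos = delta = file_pos = 0; }`) and have the four-argument overload call that one and then assign `file_pos = pos_file;`, so the two do not drift apart. A short comment on `file_pos` stating its unit (offset of this buffer within the file, presumably) would help.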
return true;
}
+ bool set_pos_file(unsigned n)
+ {
+ file_pos = n;
+ return true;
+ }
+
+ unsigned get_file_pos() const
+ {
+ return file_pos;
+ }
+
bool set_delta(unsigned n)
{
if (n > sz)
unsigned sz = 0; // size of buffer
unsigned pos = 0; // current pos
unsigned delta = 0; // loop offset
+ unsigned file_pos = 0; // file pos
CursorDataVec* data = nullptr; // data stored on the cursor
};
return capture_enabled;
}
-void FilePolicy::insert_file_rule(FileRule& rule)
+void FilePolicy::add_file_id(FileRule& rule)
{
file_rules.emplace_back(rule);
// This is called after file signature is complete
FileVerdict signature_lookup(snort::Packet*, snort::FileInfo*) override;
- void insert_file_rule(FileRule&);
+ void add_file_id(FileRule&);
void set_file_type(bool enabled);
void set_file_signature(bool enabled);
void set_file_capture(bool enabled);
public:
enum IpsActionPriority : uint16_t
{
+ IAP_OTHER = 1,
IAP_LOG = 10,
IAP_ALERT = 20,
IAP_REWRITE = 30,
ips_detection_filter.cc
ips_dsize.cc
ips_file_data.cc
+ ips_file_meta.cc
ips_flow.cc
ips_flowbits.cc
ips_flowbits.h
int8_t offset_var; /* byte_extract variable indices for offset, */
int8_t depth_var; /* depth, distance, within */
+ bool offset_set = false;
unsigned match_delta; /* Maximum distance we can jump to search for this pattern again. */
};
depth = cd->pmd.depth;
int pos = c.get_delta();
+ int file_pos = c.get_file_pos();
+ if (file_pos and cd->offset_set)
+ {
+ offset -= file_pos;
+ if (offset < 0)
+ return 0;
+ }
if ( !pos )
{
if ( cd->pmd.is_relative() )
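Review bot: The rebasing `offset -= file_pos` is gated on `cd->offset_set`, which the parse hunk sets only for a literal `offset:`; an offset taken from a byte_extract variable (`offset_var`) is presumably not rebased, so the two forms of the same option disagree on file buffers — either rebase both or document why variable offsets are excluded. Also confirm the type of `offset`: if it is unsigned, `offset < 0` can never be true and an offset smaller than `file_pos` wraps instead of returning 0. A comment above the block stating the intent would help, e.g. `// absolute file offsets are rebased to the current chunk; patterns before this chunk cannot match`.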
{
cd->pmd.offset = parse_int(data, "offset");
cd->offset_var = IPS_OPTIONS_NO_VAR;
+ cd->offset_set = true;
}
else
{
if ( !dp.data || !dp.len )
return NO_MATCH;
-
c.set(s_name, dp.data, dp.len);
+ c.set_pos_file(p->context->file_pos);
return MATCH;
}
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// Author: Bhargava Jandhyala <bjandhya@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <unordered_map>
+
+#include "detection/detection_engine.h"
+#include "detection/treenodes.h"
+#include "file_api/file_flows.h"
+#include "framework/cursor.h"
+#include "framework/ips_option.h"
+#include "framework/module.h"
+#include "main/thread_config.h"
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
+
+using namespace snort;
+
+#define s_name "file_meta"
+
+//--------------------------------------------------------------------------
+// file_meta option config
+//--------------------------------------------------------------------------
+
+struct FileMetaData
+{
+ uint32_t file_id;
+ std::string file_type;
+ std::string category;
+ std::string version;
+ std::vector<std::string> groups;
+};
+
+//-------------------------------------------------------------------------
+// module
+//-------------------------------------------------------------------------
+
+static const Parameter s_params[] =
+{
+ { "type", Parameter::PT_STRING, nullptr, nullptr,
+ "file type to set" },
+
+ { "id", Parameter::PT_INT, "1:1023", nullptr,
+ "file type id" },
+
+ { "category", Parameter::PT_STRING, nullptr, nullptr,
+ "file type category" },
+
+ { "group", Parameter::PT_STRING, nullptr, nullptr,
+ "comma separated list of groups associated with file type" },
+
+ { "version", Parameter::PT_STRING, nullptr, nullptr,
+ "file type version" },
+
+ { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
+#define s_help \
+ "rule option to set file metadata (file type and id)"
+
+class FileMetaModule : public Module
+{
+public:
+ FileMetaModule() : Module(s_name, s_help, s_params) { }
+ bool set(const char*, Value&, SnortConfig*) override;
+ bool end(const char*, int, SnortConfig*) override;
+
+ Usage get_usage() const override
+ {
+ return DETECT;
+ }
+
+public:
+ FileMetaData fmc;
+};
+
+bool FileMetaModule::set(const char*, Value& v, SnortConfig*)
+{
+ if (v.is("type"))
+ {
+ fmc.file_type = v.get_string();
+ }
+ else if (v.is("id"))
+ {
+ fmc.file_id = v.get_uint32();
+ }
+ else if (v.is("category"))
+ {
+ fmc.category = v.get_string();
+ }
+ else if (v.is("group"))
+ {
+ std::istringstream stream(v.get_string());
+ std::string tmpstr;
+ while (std::getline(stream, tmpstr, ','))
+ {
+ fmc.groups.emplace_back(tmpstr);
+ }
+ }
+ else if (v.is("version"))
+ fmc.version = v.get_string();
+ else
+ return false;
+
+ return true;
+}
+
+bool FileMetaModule::end(const char*, int, SnortConfig* sc)
+{
+ set_rule_id_from_type(sc, fmc.file_id, fmc.file_type,fmc.category, fmc.version, fmc.groups);
+ return true;
+}
+
+//-------------------------------------------------------------------------
+// api methods
+//-------------------------------------------------------------------------
+
+static Module* mod_ctor()
+{
+ return new FileMetaModule;
+}
+
+static void mod_dtor(Module* m)
+{
+ delete m;
+}
+
+static IpsOption* file_meta_ctor(Module* p, OptTreeNode* otn)
+{
+ FileMetaModule* m = (FileMetaModule*)p;
+ otn->sigInfo.file_id = m->fmc.file_id;
+ return nullptr;
+}
+
+static const IpsApi file_meta_api =
+{
+ {
+ PT_IPS_OPTION,
+ sizeof(IpsApi),
+ IPSAPI_VERSION,
+ 0,
+ API_RESERVED,
+ API_OPTIONS,
+ s_name,
+ s_help,
+ mod_ctor,
+ mod_dtor
+ },
+ OPT_TYPE_META,
+ 1,
+ PROTO_BIT__NONE,
+ nullptr,
+ nullptr,
+ nullptr,
+ nullptr,
+ file_meta_ctor,
+ nullptr,
+ nullptr
+};
+
+const BaseApi* ips_file_meta = &file_meta_api.base;
+
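Review bot: `fmc` is a member of a module that is reused across rules and nothing resets it: there is no `begin()` override, `groups` only ever grows through `emplace_back`, and `file_id` has no initializer, so a rule that omits `id` inherits the previous rule's id (or garbage for the first one) and every rule accumulates the groups of all earlier rules. Add `bool begin(const char*, int, SnortConfig*) override { fmc = FileMetaData(); return true; }`, declare `uint32_t file_id = 0;`, and reject an incomplete option in `end()` with `if (!fmc.file_id or fmc.file_type.empty()) { ParseError("file_meta: type and id are required"); return false; }`. `std::istringstream` is used without `#include <sstream>`; it may compile through transitive includes but should be included explicitly.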
extern const BaseApi* ips_detection_filter;
extern const BaseApi* ips_dsize;
extern const BaseApi* ips_file_data;
+extern const BaseApi* ips_file_meta;
extern const BaseApi* ips_flow;
extern const BaseApi* ips_flowbits;
extern const BaseApi* ips_md5;
ips_detection_filter,
ips_dsize,
ips_file_data,
+ ips_file_meta,
ips_flow,
ips_flowbits,
ips_md5,
{ return file_policy; }
void NetworkPolicy::add_file_policy_rule(FileRule& file_rule)
-{ file_policy->insert_file_rule(file_rule); }
+{ file_policy->add_file_id(file_rule); }
InspectionPolicy* NetworkPolicy::get_user_inspection_policy(unsigned user_id)
{
static std::string s_type;
static std::string s_body;
+static bool action_file_id = false;
+
struct SoRule
{
SoRule(RuleTreeNode* rtn, const OptTreeNode* otn) :
static SoRule* s_so_rule = nullptr;
+static bool rule_is_stateless()
+{ return action_file_id; }
+
static int ValidateIPList(sfip_var_t* addrset, const char* token)
{
if (!addrset || !(addrset->head||addrset->neg_head))
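Review bot: `rule_is_stateless()` returns `action_file_id`, so the name says nothing about what it tests and a reader of the two call sites (`get_default_rule_state() or rule_is_stateless()`) cannot tell that only `file_id` rules are force-enabled. Rename it to something like `rule_is_file_id()` and state the policy at the definition: `// file_id rules carry no verdict of their own; enable them regardless of the default rule state`. Relying on a file-static flag set while parsing the action is fragile; a comment noting it is valid only between the action and the end of the same rule would help.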
ParseError("unknown rule action '%s'", s);
return;
}
+ if (!strcmp(s,"file_id"))
+ action_file_id = true;
+ else
+ action_file_id = false;
if ( sc->dump_rule_meta() )
rtn.header = new RuleHeader(s);
rtn.listhead = get_rule_list(sc, s);
}
- if ( sc->get_default_rule_state() )
+ if ( sc->get_default_rule_state() or rule_is_stateless() )
rtn.set_enabled();
}
OptTreeNode* otn = new OptTreeNode;
otn->state = new OtnState[ThreadConfig::get_instance_max()];
- if ( !stub )
- otn->sigInfo.gid = GID_DEFAULT;
-
otn->snort_protocol_id = rtn.snort_protocol_id;
- if ( sc->get_default_rule_state() )
+ if ( sc->get_default_rule_state() or rule_is_stateless() )
rtn.set_enabled();
IpsManager::reset_options();
static void parse_rule_state(SnortConfig* sc, const RuleTreeNode& rtn, OptTreeNode* otn)
{
- if ( !otn->sigInfo.gid )
- otn->sigInfo.gid = GID_DEFAULT;
-
if ( otn->num_detection_opts )
{
ParseError("%u:%u rule state stubs do not support detection options",
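Review bot: This diff removes the default-gid assignment in two places (the `if ( !stub ) otn->sigInfo.gid = GID_DEFAULT;` block in the previous hunk and the `if ( !otn->sigInfo.gid )` block here) without a visible replacement; unless `SigInfo::gid` now defaults to GID_DEFAULT in its declaration, text rules without an explicit `gid:` option will end up with gid 0 and rule-state stubs will no longer be normalised. Worth confirming where the default moved and noting it in the commit message, since gid affects rule lookup and event output.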
std::string service = sc->proto_ref->get_name(otn->snort_protocol_id);
add_service_to_otn(sc, otn, service.c_str());
}
+ if (!otn->sigInfo.services.size() and action_file_id)
+ {
+ add_service_to_otn(sc, otn, "file_id");
+ action_file_id = false;
+ }
validate_services(sc, otn);
OtnLookupAdd(sc->otn_map, otn);
static struct rule_index_map_t* ruleIndexMap = nullptr;
static std::string s_aux_rules;
+static std::string s_special_rules;
class RuleTreeHashKeyOps : public HashKeyOperations
{
if ( p->enable_builtin_rules )
ModuleManager::load_rules(sc);
+ if (!idx and !s_special_rules.empty())
+ {
+ push_parse_location("W", "./", "rule args");
+ parse_rules_string(sc, s_special_rules.c_str());
+ pop_parse_location();
+ s_special_rules.clear();
+ }
+
if ( !p->include.empty() )
{
std::string path = p->includer;
pop_parse_location();
}
- if ( !idx and !s_aux_rules.empty() )
+ if (!idx and !s_aux_rules.empty())
{
p->includer.clear();
push_parse_location("W", "./", "rule args");
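Review bot: The special rules (the `include` built from `file_id.rules_file`) are parsed with location `"./"`, so if include paths resolve relative to the pushed location — as the `p->includer` handling on the regular include branch suggests — a relative `rules_file` resolves against the process working directory rather than the configuration's directory, which is both surprising and lets a stray file in the cwd be picked up. Prefer resolving against the config directory (the same base the regular include branch uses), or document the behaviour in the option help: `"name of file with IPS rules for file identification (relative paths resolve against the working directory)"`. The enclosing function starts outside this hunk.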
s_aux_rules += "\n";
}
+void parser_append_rules_special(const char *s)
+{
+ s_special_rules += s;
+ s_special_rules += "\n";
+}
+
void parser_append_includes(const char* d)
{
Directory dir(d);
void parser_append_rules(const char*);
void parser_append_includes(const char*);
+void parser_append_rules_special(const char *);
int ParseBool(const char* arg);
file->set_file_name(file_name, file_name_len);
file->set_file_size(file_size.load() ? file_size.load() : UNKNOWN_FILE_SIZE);
}
-
+ FileFlows::get_file_flows(p->flow);
bool continue_processing = file_flows->file_process(p, file_name_hash, file_data, data_size,
file_offset, direction, file_id);
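Review bot: The added `FileFlows::get_file_flows(p->flow);` discards its return value, while the next line calls `file_flows->file_process(...)` on a pointer obtained earlier (outside this hunk), so if the intent was to create the FileFlows object on demand the result must be assigned — `file_flows = FileFlows::get_file_flows(p->flow);` — and if it was not, the call is a no-op or an unexplained side effect. Either way a one-line comment saying why the call is needed here belongs next to it. The enclosing function starts outside this hunk.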
Packet* tmp_pkt = new Packet(false);
tmp_pkt->data = cur_pkt_ctx.data;
tmp_pkt->dsize = cur_pkt_ctx.len;
+ tmp_pkt->context = nullptr;
Cursor mms_cur = Cursor(tmp_pkt);
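Review bot: `tmp_pkt->context = nullptr;` is set on a packet that is then wrapped in a Cursor and presumably run through rule options, while this same diff adds `c.set_pos_file(p->context->file_pos)` to ips_file_data's eval; any option that touches `p->context` would dereference null if it were ever evaluated against this packet. If that cannot happen, state the invariant where the packet is built, e.g. `// no IpsContext: only options that never touch p->context may be evaluated against tmp_pkt`; otherwise the temporary packet needs a context. The enclosing function starts and ends outside this hunk.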
retval = false;
}
- // Always add the file_rules option to reference the file magic rules.
+ // Always add the rules_file option to reference the file magic rules.
table_api.open_table("file_id");
- table_api.add_option("file_rules", "$file_magic");
+ table_api.add_option("rules_file", "$file_magic");
table_api.close_table();
return retval;