From: Mike Stepanek (mstepane) Date: Wed, 29 Jun 2022 17:06:53 +0000 (+0000) Subject: Pull request #3404: File type finding using IPS rules X-Git-Tag: 3.1.33.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a1a66cbd1338a5dfd57f582bba922025e8f7339;p=thirdparty%2Fsnort3.git Pull request #3404: File type finding using IPS rules Merge in SNORT/snort3 from ~BJANDHYA/snort3:poc_file_type to master Squashed commit of the following: commit bc98bab3ec3f6e42ef512f2729c8e8940b49b770 Author: krishnakanth Date: Mon Jun 27 10:34:11 2022 +0530 framework: update base API version to 14 commit 48da0d392030ec7af45bb0fde117acc2e216d844 Author: Bhargava Jandhyala Date: Fri Dec 3 06:54:35 2021 -0500 file_api: file type identification over ips engine modified: src/framework/cursor.cc
---
diff --git a/lua/CMakeLists.txt b/lua/CMakeLists.txt
index b8866ef03..3c6c1ac80 100644
--- a/lua/CMakeLists.txt
+++ b/lua/CMakeLists.txt
@@ -2,7 +2,7 @@ set (LUA_SCRIPTS
 balanced.lua
 connectivity.lua
- file_magic.lua
+ file_magic.rules
 inline.lua
 max_detect.lua
 security.lua
diff --git a/lua/file_magic.lua b/lua/file_magic.lua
deleted file mode 100644
index e8804a55b..000000000
--- a/lua/file_magic.lua
+++ /dev/null
@@ -1,207 +0,0 @@ -file_magic = -{ - { type = 'XLW', id = 1, category = 'Office Documents', msg = 'Excel spreadsheet subheader (MS Office)', rev = 1, group = 'office', magic = { { content = '| 09 08 10 00 00 06 05 00 |', offset = 512, }, }, }, - { type = 'POSIX_TAR', id = 2, category = 'Archive', msg = 'POSIX Tape Archive file', rev = 1, magic = { { content = '| 75 73 74 61 72 00 |', offset = 257, }, }, }, - { type = 'OLD_TAR', id = 3, category = 'Archive', msg = 'Pre-POSIX Tape Archive file', rev = 1, magic = { { content = '| 75 73 74 61 72 20 |', offset = 257, }, }, }, - { type = 'MOV', id = 4, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 66 72 65 65 |', offset = 4, }, }, }, - { type = 'MOV', id = 5, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 6D 6F 6F 76 |', offset = 4, }, }, }, - { type = 'MOV', id = 6, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 6D 64 61 74 |', offset = 4, }, }, }, - { type = 'MOV', id = 7, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 70 6E 6F 74 |', offset = 4, }, }, }, - { type = 'MOV', id = 8, category = 'Multimedia', msg = 'QuickTime movie file', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 |', offset = 4, }, }, }, - { type = 'LHA', id = 9, category = 'Archive', msg = 'File compressed with lha utility/algorithm (lha, lzh)', rev = 1, magic = { { content = '| 2D 6C 68 |', offset = 2, }, }, }, - { type = 'ISO', id = 10, category = 'System files', msg = 'Disc Image file based on ISO-9660 standard (iso)c', rev = 1, magic = { { content = '| 43 44 30 30 31 |', offset = 32769, }, }, }, - { type = 'ISO', id = 11, category = 'System files', msg = 'Disc Image file based on ISO-9660 standard (iso)c', rev = 1, magic = { { content = '| 43 44 30 30 31 |', offset = 34817, }, }, }, - { type = 
'ISO', id = 12, category = 'System files', msg = 'Disc Image file based on ISO-9660 standard (iso)c', rev = 1, magic = { { content = '| 43 44 30 30 31 |', offset = 36865, }, }, }, - { type = 'S3M', id = 13, category = 'Multimedia', msg = 'S3M audio module format', rev = 1, group = 'audio', magic = { { content = '| 53 43 52 4d |', offset = 44, }, }, }, - { type = 'FLIC', id = 14, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|11 AF|', offset = 4, }, { content = '|40 01|', offset = 8, }, { content = '|c8 00|', offset = 10, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, }, - { type = 'FLIC', id = 15, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|12 AF|', offset = 4, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, }, - { type = 'FLIC', id = 16, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|44 AF|', offset = 4, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, }, - { type = 'FLIC', id = 17, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|30 AF|', offset = 4, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, }, - { type = 'FLIC', id = 18, category = 'Multimedia', msg = 'FLIC Animation file', rev = 2, magic = { { content = '|31 AF|', offset = 4, }, { content = '|00 00|', offset = 20, }, { content = '|00 00 00 00 00 00 00 00|', offset = 42, }, }, }, - { type = 'MSEXE', id = 21, category = 'Executables,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'Windows/DOS executable file ', rev = 1, magic = { { content = '| 4D 5A|', offset = 0, }, }, }, - { type = 'PDF', id = 22, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, magic = { { 
content = '| 25 50 44 46|', offset = 0, }, }, }, - { type = 'RTF', id = 23, category = 'Office Documents,Dynamic Analysis Capable', msg = 'Rich text format word processing file ', rev = 2, magic = { { content = '| 7B 5C 72 74|', offset = 0, }, }, }, - { type = 'RIFF', id = 24, category = 'Multimedia', msg = 'Resource Interchange File Format', rev = 1, magic = { { content = '| 52 49 46 46|', offset = 0, }, }, }, - { type = 'MSCHM', id = 25, category = 'Office Documents', msg = 'Microsoft Compiled HTML Help File', rev = 1, magic = { { content = '| 49 54 53 46|', offset = 0, }, }, }, - { type = 'MSCAB', id = 26, category = 'Archive', msg = 'Microsoft Windows CAB', rev = 1, magic = { { content = '| 4D 53 43 46|', offset = 0, }, }, }, - { type = 'MSOLE2', id = 27, category = 'Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'Microsoft Object Linking and Embedding Compound File, used for office documents as well as installers', rev = 1, magic = { { content = '| D0 CF 11 E0 A1 B1 1A E1|', offset = 0, }, }, }, - { type = 'MSSZDD', id = 28, category = 'Archive', msg = 'SZDD file format', rev = 1, magic = { { content = '| 53 5A 44 44 88 F0 27 33 |', offset = 0, }, }, }, - { type = 'ZIP', id = 29, category = 'Archive', msg = 'PKZIP archive file', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, }, }, - { type = 'RAR', id = 30, category = 'Archive', msg = 'WinRAR compressed archive file', rev = 1, magic = { { content = '| 52 61 72 21 1A 07 00 |', offset = 0, }, }, }, - { type = '7Z', id = 31, category = 'Archive', msg = '7-Zip compressed file', rev = 1, magic = { { content = '| 37 7A BC AF 27 1C |', offset = 0, }, }, }, - { type = 'BZ', id = 32, category = 'Archive', msg = 'bzip2 compressed archive', rev = 1, magic = { { content = '| 42 5A 68 |', offset = 0, }, }, }, - { type = 'GZ', id = 33, category = 'Archive', msg = 'GZ', rev = 1, magic = { { content = '| 1F 8B 08 |', offset = 0, }, }, }, - { type = 'ARJ', id = 34, category = 
'Archive', msg = 'Compressed archive file', rev = 1, magic = { { content = '| 60 EA 00 00 |', offset = 0, }, }, }, - { type = 'ISHIELD_MSI', id = 35, category = 'Executables', msg = 'Install Shield v5.x or 6.x compressed file', rev = 1, magic = { { content = '| 49 53 63 28 |', offset = 0, }, }, }, - { type = 'BINHEX', id = 36, category = 'Executables', msg = 'Macintosh BinHex 4 Compressed Archive', rev = 1, magic = { { content = '| 28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 |', offset = 0, }, }, }, - { type = 'MAIL', id = 37, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 46 72 6F 6D 20 20 20 |', offset = 0, }, }, }, - { type = 'MAIL', id = 38, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 46 72 6F 6D 20 3F 3F 3F |', offset = 0, }, }, }, - { type = 'MAIL', id = 39, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 46 72 6F 6D 3A 20 |', offset = 0, }, }, }, - { type = 'MAIL', id = 40, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 |', offset = 0, }, }, }, - { type = 'MAIL', id = 41, category = 'Office Documents', msg = 'E-mail files for Netscape, Eudora, Outlook Express and QuickMail.', rev = 1, magic = { { content = '| 58 2D |', offset = 0, }, }, }, - { type = 'TNEF', id = 42, category = 'Office Documents', msg = 'Transport Neutral Encapsulation Format, an E-mail attachment format', rev = 1, magic = { { content = '| 78 9F 3E 22 |', offset = 0, }, }, }, - { type = 'BINARY_DATA', id = 43, category = 'Executables', msg = 'Universal Binary/Java Bytecode', rev = 1, magic = { { content = '| 
CA FE BA BE|', offset = 0, }, }, }, - { type = 'UUENCODED', id = 44, category = 'Encoded', msg = 'UUencoded file', rev = 1, magic = { { content = '| 62 65 67 69 6E |', offset = 0, }, }, }, - { type = 'SCRENC', id = 45, category = 'Encoded', msg = 'Script encoder file', rev = 1, magic = { { content = '| 23 40 7E 5E |', offset = 0, }, }, }, - { type = 'ELF', id = 46, category = 'Executables', msg = 'Executable and Linking Format executable file (Linux/Unix)', rev = 1, magic = { { content = '| 7F 45 4C 46|', offset = 0, }, }, }, - { type = 'MACHO', id = 47, category = 'Executables,Local Malware Analysis Capable', msg = 'Mach object file format ', rev = 1, magic = { { content = '| CE FA ED FE |', offset = 0, }, }, }, - { type = 'MACHO', id = 48, category = 'Executables,Local Malware Analysis Capable', msg = 'Mach object file format ', rev = 1, magic = { { content = '| CF FA ED FE |', offset = 0, }, }, }, - { type = 'MACHO', id = 49, category = 'Executables,Local Malware Analysis Capable', msg = 'Mach object file format ', rev = 1, magic = { { content = '| FE ED FA CE |', offset = 0, }, }, }, - { type = 'MACHO', id = 50, category = 'Executables,Local Malware Analysis Capable', msg = 'Mach object file format ', rev = 1, magic = { { content = '| FE ED FA CF |', offset = 0, }, }, }, - { type = 'SIS', id = 51, category = 'Archive', msg = 'Software Installation Script, an archive for Symbian OS', rev = 1, magic = { { content = '| 19 04 00 10 |', offset = 0, }, }, }, - { type = 'SWF', id = 52, category = 'Multimedia', msg = 'Flash file ', rev = 1, magic = { { content = '| 43 57 53 |', offset = 0, }, }, }, - { type = 'SWF', id = 53, category = 'Multimedia', msg = 'Flash file ', rev = 1, magic = { { content = '| 46 57 53 |', offset = 0, }, }, }, - { type = 'SWF', id = 54, category = 'Multimedia', msg = 'Flash file ', rev = 1, magic = { { content = '| 58 46 49 52|', offset = 0, }, }, }, - { type = 'CPIO_ODC', id = 55, category = 'Archive', msg = 'Archive created with the cpio 
utility- standard ASCII format', rev = 1, magic = { { content = '| 30 37 30 37 30 37 |', offset = 0, }, }, }, - { type = 'CPIO_NEWC', id = 56, category = 'Archive', msg = 'Archive created with the cpio utility- new ASCII (aka SVR4) format', rev = 1, magic = { { content = '| 30 37 30 37 30 31 |', offset = 0, }, }, }, - { type = 'CPIO_CRC', id = 57, category = 'Archive', msg = 'Archive created with the cpio utility- CRC format', rev = 1, magic = { { content = '| 30 37 30 37 30 32 |', offset = 0, }, }, }, - { type = 'MPEG', id = 58, category = 'Multimedia', msg = 'MPEG video file', rev = 1, group = 'video', magic = { { content = '| 00 00 01 B3|', offset = 0, }, }, }, - { type = 'MPEG', id = 59, category = 'Multimedia', msg = 'MPEG video file', rev = 1, group = 'video', magic = { { content = '| 00 00 01 BA|', offset = 0, }, }, }, - { type = 'EPS', id = 60, category = 'PDF files', msg = 'Adobe encapsulated PostScript file', rev = 1, magic = { { content = '| 25 21 50 53 2D 41 64 6F 62 65 2D |', offset = 0, }, }, }, - { type = 'RMF', id = 61, category = 'Multimedia', msg = 'RealNetworks RealMedia streaming media file', rev = 1, magic = { { content = '| 2E 52 4D 46 |', offset = 0, }, }, }, - { type = 'GIF', id = 62, category = 'Graphics', msg = 'GIF', rev = 1, group = 'multimedia', magic = { { content = '| 47 49 46 38 37 61 |', offset = 0, }, }, }, - { type = 'GIF', id = 63, category = 'Graphics', msg = 'GIF', rev = 1, group = 'multimedia', magic = { { content = '| 47 49 46 38 39 61 |', offset = 0, }, }, }, - { type = 'MP3', id = 64, category = 'Multimedia', msg = 'MPEG-1 Audio Layer 3 (MP3) audio file', rev = 1, group = 'audio', magic = { { content = '| 49 44 33 |', offset = 0, }, }, }, - { type = 'MP3', id = 65, category = 'Multimedia', msg = 'MPEG-1 Audio Layer 3 (MP3) audio file', rev = 1, group = 'audio', magic = { { content = '| FF FB |', offset = 0, }, }, }, - { type = 'OGG', id = 66, category = 'Multimedia', msg = 'Ogg Vorbis Codec compressed Multimedia file', rev 
= 1, group = 'audio', magic = { { content = '| 4F 67 67 53 |', offset = 0, }, }, }, - { type = 'RIFX', id = 67, category = 'Multimedia', msg = 'RIFX audio format', rev = 1, group = 'audio', magic = { { content = '| 52 49 46 58 |', offset = 0, }, }, }, - { type = 'SYMANTEC', id = 68, category = 'System files', msg = 'Symantec files', rev = 1, magic = { { content = '| 58 2D 53 79 6D 61 6E 74 65 63 2D |', offset = 0, }, }, }, - { type = 'PNG', id = 69, category = 'Graphics', msg = 'Portable Network Graphics file', rev = 1, group = 'multimedia', magic = { { content = '| 89 50 4E 47 0D 0A 1A 0A |', offset = 0, }, }, }, - { type = 'JPEG', id = 70, category = 'Graphics', msg = 'JPEG/JFIF graphics file', rev = 1, group = 'multimedia', magic = { { content = '| FF D8 FF E0 |', offset = 0, }, }, }, - { type = 'JARPACK', id = 72, category = 'Executables', msg = 'Jar pack file', rev = 1, magic = { { content = '| CA FE D0 0D |', offset = 0, }, }, }, - { type = 'JAR', id = 73, category = 'Archive', msg = 'Java archive file', rev = 3, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 4D 45 54 41 2D 49 4E 46 2F |', offset = 30, }, }, }, - { type = 'FLV', id = 74, category = 'Multimedia', msg = 'Flash video file', rev = 1, group = 'video', magic = { { content = '| 46 4C 56 01 |', offset = 0, }, }, }, - { type = 'WAV', id = 76, category = 'Multimedia', msg = 'Waveform Audio File Format', rev = 1, group = 'audio', magic = { { content = '| 62 65 61 74 |', offset = 0, }, }, }, - { type = 'WAV', id = 77, category = 'Multimedia', msg = 'Waveform Audio File Format', rev = 1, group = 'audio', magic = { { content = '| 4D 58 43 33 |', offset = 0, }, }, }, - { type = 'FFMPEG', id = 78, category = 'Multimedia', msg = 'ffmpeg Multimedia framework', rev = 1, magic = { { content = '| 34 58 4D 56 |', offset = 0, }, }, }, - { type = 'DMG', id = 79, category = 'System files', msg = 'Apple Disk Image', rev = 1, magic = { { content = '| 45 52 02 00 |', offset = 0, }, }, }, - { type 
= 'DMG', id = 80, category = 'System files', msg = 'Apple Disk Image', rev = 1, magic = { { content = '| 32 49 4D 47 |', offset = 0, }, }, }, - { type = 'IVR', id = 81, category = 'Multimedia', msg = 'RealPlayer video file', rev = 1, group = 'video', magic = { { content = '| 2E 52 45 43 |', offset = 0, }, }, }, - { type = 'IVR', id = 82, category = 'Multimedia', msg = 'RealPlayer video file', rev = 1, group = 'video', magic = { { content = '| 2E 52 31 4D |', offset = 0, }, }, }, - { type = 'RA', id = 83, category = 'Multimedia', msg = 'RealAudio file', rev = 1, group = 'audio', magic = { { content = '| 2E 52 4D 46 00 00 00 12 00 |', offset = 0, }, }, }, - { type = 'RA', id = 84, category = 'Multimedia', msg = 'RealAudio file', rev = 1, group = 'audio', magic = { { content = '| 2E 72 61 FD 00 |', offset = 0, }, }, }, - { type = 'VMDK', id = 85, category = 'System files', msg = 'Virtual Machine Disk', rev = 1, magic = { { content = '| 43 4F 57 44 |', offset = 0, }, }, }, - { type = 'VMDK', id = 86, category = 'System files', msg = 'Virtual Machine Disk', rev = 1, magic = { { content = '|4B 44 4D |', offset = 0, }, }, }, - { type = 'VMDK', id = 87, category = 'System files', msg = 'Virtual Machine Disk', rev = 1, magic = { { content = '| 23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F |', offset = 0, }, }, }, - { type = 'VMDK', id = 88, category = 'System files', msg = 'Virtual Machine Disk', rev = 1, magic = { { content = '| 2E 03 00 00 01 |', offset = 0, }, }, }, - { type = 'FLAC', id = 89, category = 'Multimedia', msg = 'Free Lossless Audio Codec file', rev = 1, group = 'audio', magic = { { content = '| 66 4C 61 43 00 00 00 22 |', offset = 0, }, }, }, - { type = 'S3M', id = 90, category = 'Multimedia', msg = 'S3M audio module format', rev = 1, group = 'audio', magic = { { content = '| 53 43 52 4d |', offset = 0, }, }, }, - { type = 'ASF', id = 91, category = 'Multimedia', msg = 'Microsoft Windows Media Audio/Video File ', rev = 1, group = 'audio', magic = { { 
content = '| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |', offset = 0, }, }, }, - { type = 'MSWORD_MAC5', id = 93, category = 'Office Documents', msg = 'Microsoft Word for Mac 5', rev = 1, group = 'office', magic = { { content = '| FE 37 00 23|', offset = 0, }, }, }, - { type = 'SYLKc', id = 94, category = 'System files', msg = 'Microsoft symbolic Link', rev = 1, magic = { { content = '| 49 44 3B 50 |', offset = 0, }, }, }, - { type = 'WP', id = 95, category = 'Office Documents', msg = 'WordPerfect text and graphics file', rev = 1, magic = { { content = '| FF 57 50 43|', offset = 0, }, }, }, - { type = 'WP', id = 96, category = 'Office Documents', msg = 'WordPerfect text and graphics file', rev = 1, magic = { { content = '| 81 CD AB|', offset = 0, }, }, }, - { type = 'TIFF', id = 97, category = 'Graphics', msg = 'Tagged Image File Format file', rev = 1, group = 'multimedia', magic = { { content = '| 49 49 2A 00|', offset = 0, }, }, }, - { type = 'TIFF', id = 98, category = 'Graphics', msg = 'Tagged Image File Format file', rev = 1, group = 'multimedia', magic = { { content = '| 49 20 49|', offset = 0, }, }, }, - { type = 'TIFF', id = 99, category = 'Graphics', msg = 'Tagged Image File Format file', rev = 1, group = 'multimedia', magic = { { content = '| 4D 4D 00 2A|', offset = 0, }, }, }, - { type = 'TIFF', id = 100, category = 'Graphics', msg = 'Tagged Image File Format file', rev = 1, group = 'multimedia', magic = { { content = '| 4D 4D 00 2B|', offset = 0, }, }, }, - { type = 'MWL', id = 101, category = 'Office Documents', msg = 'Metastock technical analysis program for traders', rev = 1, magic = { { content = '| 5b 4d 65 74 61 53 74 6f 63 6b |', offset = 0, }, }, }, - { type = 'MDB', id = 102, category = 'Office Documents', msg = 'Microsoft Access file', rev = 1, magic = { { content = '| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |', offset = 0, }, }, }, - { type = 'ACCDB', id = 103, category = 'Office Documents', msg = 'Microsoft Access 
2007 file', rev = 1, magic = { { content = '| 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42|', offset = 0, }, }, }, - { type = 'MNY', id = 104, category = 'Office Documents', msg = 'Microsoft Money file', rev = 1, magic = { { content = '| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65|', offset = 0, }, }, }, - { type = 'REC', id = 105, category = 'Multimedia', msg = 'RealNetworks Realplayer REC', rev = 1, magic = { { content = '| 2e 72 65 63 00 |', offset = 0, }, }, }, - { type = 'R1M', id = 106, category = 'Multimedia', msg = 'RealNetworks Realplayer R1M', rev = 1, magic = { { content = '| 2e 72 31 6d |', offset = 0, }, }, }, - { type = 'WAB', id = 107, category = 'Office Documents', msg = 'Outlook address file', rev = 1, group = 'office', magic = { { content = '| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |', offset = 0, }, }, }, - { type = 'WAB', id = 108, category = 'Office Documents', msg = 'Outlook address file', rev = 1, group = 'office', magic = { { content = '| 81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 |', offset = 0, }, }, }, - { type = 'M3U', id = 109, category = 'Multimedia', msg = 'Multimedia playlists', rev = 1, magic = { { content = '| 23 45 58 54 4d 33 55 |', offset = 0, }, }, }, - { type = 'MKV', id = 110, category = 'Multimedia', msg = 'Matroska stream file', rev = 1, magic = { { content = '| 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61|', offset = 0, }, }, }, - { type = 'IMG_PICT', id = 111, category = 'Graphics', msg = 'ChromaGraph Graphics Card Bitmap Graphic file', rev = 1, group = 'multimedia', magic = { { content = '| 50 49 43 54 00 08 |', offset = 0, }, }, }, - { type = 'AMF', id = 112, category = 'Multimedia', msg = 'Advanced Module Format for digital music', rev = 1, group = 'audio', magic = { { content = '| 41 4d 46 |', offset = 0, }, }, }, - { type = 'WEBM', id = 113, category = 'Multimedia', msg = 'WebM audio-video format', rev = 1, group = 'audio,video', magic = { { content = '| 1A 45 DF A3|', offset 
= 0, }, }, }, - { type = 'MAYA', id = 114, category = 'Graphics', msg = 'Autodesk Maya', rev = 1, magic = { { content = '| 2f 2f 4d 61 79 61 |', offset = 0, }, }, }, - { type = 'MIDI', id = 115, category = 'Multimedia', msg = 'Musical Instrument Digital Interface (MIDI) sound file', rev = 1, group = 'audio', magic = { { content = '| 4D 54 68 64 |', offset = 0, }, }, }, - { type = 'PLS', id = 116, category = 'Multimedia', msg = 'multimedia playlists', rev = 1, magic = { { content = '| 5b 70 6c 61 79 6c 69 73 74 5d |', offset = 0, }, }, }, - { type = 'SMIL', id = 117, category = 'Multimedia', msg = 'Synchronized Multimedia Integration Language', rev = 1, magic = { { content = '| 3c 73 6d 69 6c 3e |', offset = 0, }, }, }, - { type = 'SAMI', id = 119, category = 'Multimedia', msg = 'Synchronized Accessible Media Interchange', rev = 1, magic = { { content = '| 3c 53 41 4d 49 |', offset = 0, }, }, }, - { type = 'NEW_OFFICE', id = 120, category = 'Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)', rev = 1, group = 'office', magic = { { content = '|50 4B 03 04 14 00 06 00|', offset = 0, }, }, }, - { type = 'DWG', id = 130, category = 'Graphics', msg = 'Autodesk AutoCAD file (dwg) ', rev = 1, magic = { { content = '| 41 43 31 30 |', offset = 0, }, }, }, - { type = 'MDI', id = 132, category = 'Office Documents', msg = 'Microsoft Document Imaging file (mdi)', rev = 1, magic = { { content = '| 45 50 |', offset = 0, }, }, }, - { type = 'PGD', id = 133, category = 'System files', msg = 'PGP disk image(PGD)', rev = 1, magic = { { content = '| 50 47 50 64 4D 41 49 4E |', offset = 0, }, }, }, - { type = 'PSD', id = 134, category = 'Graphics', msg = 'Photoshop image file (PSD)', rev = 1, magic = { { content = '|38 42 50 53 |', offset = 0, }, }, }, - { type = '9XHIVE', id = 135, category = 'System files', msg = 'Windows 9x registry hive (REG)', rev = 1, magic = { { content = '| 43 52 
45 47 |', offset = 0, }, }, }, - { type = 'REG', id = 136, category = 'System files', msg = 'Windows Registry and Registry Undo files (REG)', rev = 1, magic = { { content = '| 52 45 47 45 44 49 54 |', offset = 0, }, }, }, - { type = 'WMF', id = 137, category = 'Graphics', msg = 'Windows graphics metafile ', rev = 1, magic = { { content = '| 01 00 09 00 00 03 |', offset = 0, }, }, }, - { type = 'WRI', id = 138, category = 'Office Documents', msg = 'Windows Write document file (wri) ', rev = 1, magic = { { content = '| BE 00 00 00 AB 00 00 00 00 00 00 00 00|', offset = 0, }, }, }, - { type = 'RPM', id = 139, category = 'Executables', msg = 'RedHat Package Manager file', rev = 1, magic = { { content = '| ED AB EE DB |', offset = 0, }, }, }, - { type = 'ONE', id = 140, category = 'Office Documents', msg = 'Microsoft OneNote note', rev = 1, group = 'office', magic = { { content = '| E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 |', offset = 0, }, }, }, - { type = 'MP4', id = 141, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 00 00 00 18 66 74 79 70 33 67 70 35 |', offset = 0, }, }, }, - { type = 'MP4', id = 142, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 69 73 6F 6D |', offset = 4, }, }, }, - { type = 'PCAP', id = 143, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '| D4 C3 B2 A1 |', offset = 0, }, }, }, - { type = 'PCAP', id = 144, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '|34 CD B2 A1 |', offset = 0, }, }, }, - { type = 'PCAP', id = 145, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '|A1 B2 C3 D4 |', offset = 0, }, }, }, - { type = 'PCAP', id = 146, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '|A1 B2 CD 34 |', offset = 0, }, }, }, - { type = 'PCAP', id = 147, category = 
'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '|52 54 53 53 |', offset = 0, }, }, }, - { type = 'BMP', id = 148, category = 'Graphics', msg = 'Bitmap image file', rev = 1, group = 'multimedia', magic = { { content = '|42 4D |', offset = 0, }, }, }, - { type = 'ICO', id = 149, category = 'Graphics', msg = 'Windows icon file', rev = 1, magic = { { content = '| 00 00 01 00 |', offset = 0, }, }, }, - { type = 'TORRENT', id = 150, category = 'Executables', msg = 'BitTorrent File', rev = 1, magic = { { content = '| 64 38 3A 61 6E 6E 6F 75 6E 63 65 |', offset = 0, }, }, }, - { type = 'AMR', id = 151, category = 'Multimedia', msg = 'Adaptive Multi-Rate Codec File', rev = 1, magic = { { content = '| 23 21 41 4D 52|', offset = 0, }, }, }, - { type = 'SIT', id = 152, category = 'Archive', msg = 'StuffIt compressed archive', rev = 1, magic = { { content = '| 53 49 54 21 00|', offset = 0, }, }, }, - { type = 'PST', id = 153, category = 'Office Documents', msg = 'Microsoft Outlook Personal Folder File', rev = 1, group = 'office', magic = { { content = '| 21 42 44 4E |', offset = 0, }, }, }, - { type = 'HLP', id = 154, category = 'Office Documents', msg = 'Windows Help file', rev = 1, magic = { { content = '| 4C 4E 02 00 |', offset = 0, }, }, }, - { type = 'HLP', id = 155, category = 'Office Documents', msg = 'Windows Help file', rev = 1, magic = { { content = '| 3F 5F 03 00 |', offset = 0, }, }, }, - { type = 'AUTORUN', id = 156, category = 'Executables', msg = 'Windows Autorun setup file', rev = 1, magic = { { content = '| 5B 61 75 74 6F 72 75 6E 5D 0D 0A |', offset = 0, }, }, }, - { type = 'JPEG', id = 157, category = 'Graphics', msg = 'JPEG/JFIF graphics file', rev = 1, group = 'multimedia', magic = { { content = '| FF D8 FF E1 |', offset = 0, }, }, }, - { type = 'ARJ', id = 158, category = 'Archive', msg = 'Compressed archive file', rev = 1, magic = { { content = '| 60 EA |', offset = 0, }, }, }, - { type = 'MP3', id = 159, category = 
'Multimedia', msg = 'MPEG-1 Audio Layer 3 (MP3) audio file', rev = 1, group = 'audio', magic = { { content = '| FF FA |', offset = 0, }, }, }, - { type = 'SIT', id = 160, category = 'Archive', msg = 'StuffIt compressed archive', rev = 1, magic = { { content = '| 53 74 75 66 66 49 74 20 |', offset = 0, }, }, }, - { type = 'NTHIVE', id = 161, category = 'System files', msg = 'Windows NT registry hive (REG)', rev = 1, magic = { { content = '| 72 65 67 66 |', offset = 0, }, }, }, - { type = 'WMF', id = 162, category = 'Graphics', msg = 'Windows graphics metafile ', rev = 1, magic = { { content = '| D7 CD C6 9A |', offset = 0, }, }, }, - { type = 'SIS', id = 163, category = 'Archive', msg = 'Software Installation Script, an archive for Symbian OS', rev = 1, magic = { { content = '| 7A 1A 20 10 |', offset = 0, }, }, }, - { type = 'WRI', id = 164, category = 'Office Documents', msg = 'Windows Write document file (wri) ', rev = 1, magic = { { content = '| 31 BE|', offset = 0, }, }, }, - { type = 'WRI', id = 165, category = 'Office Documents', msg = 'Windows Write document file (wri) ', rev = 1, magic = { { content = '| 32 BE|', offset = 0, }, }, }, - { type = 'WAV', id = 166, category = 'Multimedia', msg = 'Waveform Audio File Format', rev = 1, group = 'audio', magic = { { content = '| 52 49 46 46 |', offset = 0, }, { content = '| 57 41 56 45 66 6D 74 20 |', offset = 8, }, }, }, - { type = 'MP4', id = 167, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 6D 70 34 32 |', offset = 4, }, }, }, - { type = 'MP4', id = 168, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 33 67 70 |', offset = 4, }, }, }, - { type = 'MP4', id = 169, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, group = 'video', magic = { { content = '| 66 74 79 70 4D 53 4E 56 |', offset = 4, }, }, }, - { type = 'DICM', id = 170, category = 'Multimedia', msg = 
'Digital Imaging and Communications in Medicine', rev = 1, magic = { { content = '| 44 49 43 4D |', offset = 128, }, }, },
- { type = 'ZIP_ENC', id = 171, category = 'Archive', msg = 'PKZIP encrypted archive file', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 01 |', offset = 6, }, }, },
- { type = 'EICAR', id = 273, category = 'Executables', msg = 'Standard Anti-Virus Test File', rev = 1, magic = { { content = '| 58 35 4F 21 50 25 |', offset = 0, }, }, },
- { type = 'XPS', id = 275, category = 'Office Documents', msg = 'Microsoft XML Paper Specification Document', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 46 69 78 65 64 44 6F 63 75 6D |', offset = 30, }, }, },
- { type = 'XPS', id = 277, category = 'Office Documents', msg = 'Microsoft XML Paper Specification Document', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 44 6F 63 75 6D 65 6E 74 73 2F |', offset = 30, }, }, },
- { type = 'XPS', id = 278, category = 'Office Documents', msg = 'Microsoft XML Paper Specification Document', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 4D 65 74 61 64 61 74 61 2F |', offset = 30, }, }, },
- { type = 'DMP', id = 279, category = 'System files', msg = 'Windows crash dump file', rev = 1, magic = { { content = '|4D 44 4D 50 93 A7|', offset = 0, }, }, },
- { type = 'DMP', id = 280, category = 'System files', msg = 'Windows crash dump file', rev = 1, magic = { { content = '|50 41 47 45 44 55 36 34|', offset = 0, }, }, },
- { type = 'DMP', id = 281, category = 'System files', msg = 'Windows crash dump file', rev = 1, magic = { { content = '|50 41 47 45 44 55 4D 50|', offset = 0, }, }, },
- { type = 'PDF', id = 282, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.0', magic = { { content = '| 25 50 44 46 2D 31 2E 30|', offset = 0, }, }, },
- { type = 'PDF', id = 283, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.1', magic = { { content = '| 25 50 44 46 2D 31 2E 31|', offset = 0, }, }, },
- { type = 'PDF', id = 284, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.2', magic = { { content = '| 25 50 44 46 2D 31 2E 32|', offset = 0, }, }, },
- { type = 'PDF', id = 285, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.3', magic = { { content = '| 25 50 44 46 2D 31 2E 33|', offset = 0, }, }, },
- { type = 'PDF', id = 286, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.4', magic = { { content = '| 25 50 44 46 2D 31 2E 34|', offset = 0, }, }, },
- { type = 'PDF', id = 287, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.5', magic = { { content = '| 25 50 44 46 2D 31 2E 35|', offset = 0, }, }, },
- { type = 'PDF', id = 288, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.6', magic = { { content = '| 25 50 44 46 2D 31 2E 36|', offset = 0, }, }, },
- { type = 'PDF', id = 289, category = 'PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable', msg = 'PDF file ', rev = 1, version = '1.7', magic = { { content = '| 25 50 44 46 2D 31 2E 37|', offset = 0, }, }, },
- { type = 'IntelHEX', id = 290, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 30 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 291, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 31 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 292, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 32 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 293, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 33 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 294, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 34 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 295, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 30 35 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 296, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 32 30 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 297, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 31 |', offset = 0, }, { content = '| 32 32 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 298, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 30 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 300, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 31 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 301, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 32 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 302, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 33 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 303, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 34 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 304, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 30 35 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 305, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 32 30 |', offset = 7, }, }, },
- { type = 'IntelHEX', id = 306, category = 'System files', msg = 'Binary files for Microcontroller/Other Chip based applications', rev = 1, magic = { { content = '| 3A 32 |', offset = 0, }, { content = '| 32 32 |', offset = 7, }, }, },
- { type = 'REG', id = 307, category = 'System files', msg = 'Windows Registry and Registry Undo files (REG)', rev = 1, magic = { { content = '| FF FE |', offset = 0, }, }, },
- { type = 'MSHTML', id = 308, category = 'Office Documents', msg = 'Proprietary layout engine for Microsoft Internet Explorer', rev = 1, magic = { { content = '| 3D 22 2D 2D 2D 2D 3D 5F |', offset = 60, }, }, },
- { type = 'VB', id = 311, category = 'System files', msg = 'Microsoft Visual Basic files, including .cs, .vb, and .vbp', rev = 1, magic = { { content = '| 54 79 70 65 3D 45 78 65 |', offset = 0, }, }, },
- { type = 'MP4', id = 313, category = 'Multimedia', msg = 'MPEG-4 video files', rev = 1, magic = { { content = '| 66 74 79 70 64 61 73 68 |', offset = 4, }, }, },
- { type = 'LNK', id = 314, category = 'Executables', msg = 'Microsoft Windows Shortcut Files', rev = 1, magic = { { content = '| 4C 00 00 00 01 14 02 00 |', offset = 0, }, }, },
- { type = 'SCR', id = 315, category = 'Executables', msg = 'Microsoft Windows Shortcut Files', rev = 1, magic = { { content = '| 44 43 4E 01 |', offset = 0, }, }, },
- { type = 'SCR', id = 316, category = 'Executables', msg = 'Microsoft Windows Shortcut Files', rev = 1, magic = { { content = '| 44 43 44 01 |', offset = 0, }, }, },
- { type = 'MKV', id = 317, category = 'Multimedia', msg = 'Matroska stream file', rev = 1, magic = { { content = '| 1A 45 DF A3 01 00 00 00 00 00 00 23 42 86 81 01 |', offset = 0, }, }, },
- { type = 'JAR', id = 318, category = 'Archive', msg = 'Java archive file', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 63 6F 6E 74 65 6E 74 2F |', offset = 30, }, }, },
- { type = 'JAR', id = 319, category = 'Archive', msg = 'Java archive file', rev = 1, magic = { { content = '| 50 4B 03 04 |', offset = 0, }, { content = '| 6F 70 74 69 6F 6E 73 2F |', offset = 30, }, }, },
- { type = 'RAR', id = 320, category = 'Archive', msg = 'WinRAR compressed archive file', rev = 1, version = '1.1', magic = { { content = '| 52 61 72 21 1A 07 01 00 |', offset = 0, }, }, },
- { type = 'ALZ', id = 321, category = 'Archive', msg = 'Archive file for Microsoft created using software ALZip', rev = 1, magic = { { content = '| 41 4C 5A 01 |', offset = 0, }, }, },
- { type = 'EGG', id = 322, category = 'Archive', msg = 'Archive File for Microsoft created using software ALZip', rev = 1, magic = { { content = '| 45 47 47 41 |', offset = 0, }, }, },
- { type = 'HWP', id = 323, category = 'Office Documents', msg = 'Hangul word processor file', rev = 1, version = '3.0', magic = { { content = '| 48 57 50 20 44 6F 63 75 6D 65 6E 74 20 46 69 6C 65 |', offset = 0, }, }, },
- { type = 'SWF', id = 324, category = 'Multimedia', msg = 'Flash file', rev = 1, magic = { { content = '| 5A 57 53 |', offset = 0}, }, },
- { type = 'PCAP', id = 325, category = 'System files', msg = 'Packet capture file', rev = 1, magic = { { content = '| 0A 0D 0D 0A |', offset = 0, }, }, },
-}
-
-snort_whitelist_append("file_magic")
diff --git a/lua/file_magic.rules b/lua/file_magic.rules
new file mode 100644
index 000000000..65bb07bc9
--- /dev/null
+++ b/lua/file_magic.rules
@@ -0,0 +1,203 @@
+file_id ( msg:"Excel spreadsheet subheader (MS Office)"; file_meta:type XLW, id 1, category "Office Documents", group "office"; file_data; content: "| 09 08 10 00 00 06 05 00 |", depth 8, offset 512; gid:4; sid:1023865; rev:13; )
+file_id ( msg:"POSIX Tape Archive file"; file_meta:type POSIX_TAR, id 2, category "Archive"; file_data; content: "| 75 73 74 61 72 00 20 20 |", depth 8, offset 257; gid:4; sid:1023866; rev:13; )
+file_id ( msg:"Pre-POSIX Tape Archive file"; file_meta:type OLD_TAR, id 3, category "Archive"; file_data; content: "| 75 73 74 61 72 20 |", depth 6, offset 257; gid:4; sid:1023867; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 4, category "Multimedia", group "video"; file_data; content: "| 66 72 65 65 |", depth 4, offset 4; gid:4; sid:1023868; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 5, category "Multimedia", group "video"; file_data; content: "| 6D 6F 6F 76 |", depth 4, offset 4; gid:4; sid:1023869; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 6, category "Multimedia", group "video"; file_data; content: "| 6D 64 61 74 |", depth 4, offset 4; gid:4; sid:1023870; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 7, category "Multimedia", group "video"; file_data; content: "| 70 6E 6F 74 |", depth 4, offset 4; gid:4; sid:1023871; rev:13; )
+file_id ( msg:"QuickTime movie file"; file_meta:type MOV, id 8, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 |", depth 4, offset 4; gid:4; sid:1023872; rev:13; )
+file_id ( msg:"File compressed with lha utility/algorithm (lha, lzh)"; file_meta:type LHA, id 9, category "Archive"; file_data; content: "| 2D 6C 68 |", depth 3, offset 2; gid:4; sid:1023873; rev:13; )
+file_id ( msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 10, category "System files"; file_data; content: "| 43 44 30 30 31 |", depth 5, offset 32769; gid:4; sid:1023874; rev:13; )
+file_id ( msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 11, category "System files"; file_data; content: "| 43 44 30 30 31 |", depth 5, offset 34817; gid:4; sid:1023875; rev:13; )
+file_id ( msg:"Disc Image file based on ISO-9660 standard (iso)c"; file_meta:type ISO, id 12, category "System files"; file_data; content: "| 43 44 30 30 31 |", depth 5, offset 36865; gid:4; sid:1023876; rev:13; )
+file_id ( msg:"S3M audio module format"; file_meta:type S3M, id 13, category "Multimedia", group "audio"; file_data; content: "| 53 43 52 4d |", depth 4, offset 44; gid:4; sid:1023877; rev:13; )
+file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 14, category "Multimedia"; file_data; content: "| 11 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1023878; rev:13; )
+file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 15, category "Multimedia"; file_data; content: "| 12 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1023879; rev:13; )
+file_id ( msg:"Windows/DOS executable file"; file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content: "| 4D 5A |", depth 2, offset 0; gid:4; sid:1023880; rev:13; )
+file_id ( msg:"PDF file"; file_meta:type PDF, id 22, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content: "| 25 50 44 46 |", depth 4, offset 0; gid:4; sid:1023881; rev:13; )
+file_id ( msg:"Rich text format word processing file"; file_meta:type RTF, id 23, category "Office Documents,Dynamic Analysis Capable"; file_data; content: "| 7B 5C 72 74 |", depth 4, offset 0; gid:4; sid:1023882; rev:13; )
+file_id ( msg:"Resource Interchange File Format"; file_meta:type RIFF, id 24, category "Multimedia"; file_data; content: "| 52 49 46 46 |", depth 4, offset 0; gid:4; sid:1023883; rev:13; )
+file_id ( msg:"Microsoft Compiled HTML Help File"; file_meta:type MSCHM, id 25, category "Office Documents"; file_data; content: "| 49 54 53 46 |", depth 4, offset 0; gid:4; sid:1023884; rev:13; )
+file_id ( msg:"Microsoft Windows CAB"; file_meta:type MSCAB, id 26, category "Archive"; file_data; content: "| 4D 53 43 46 |", depth 4, offset 0; gid:4; sid:1023885; rev:13; )
+file_id ( msg:"Microsoft Object Linking and Embedding Compound File, used for office documents as well as installers"; file_meta:type MSOLE2, id 27, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable"; file_data; content: "| D0 CF 11 E0 A1 B1 1A E1 |", depth 8, offset 0; gid:4; sid:1023886; rev:13; )
+file_id ( msg:"SZDD file format"; file_meta:type MSSZDD, id 28, category "Archive"; file_data; content: "| 53 5A 44 44 88 F0 27 33 |", depth 8, offset 0; gid:4; sid:1023887; rev:13; )
+file_id ( msg:"PKZIP archive file"; file_meta:type ZIP, id 29, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; gid:4; sid:1023888; rev:13; )
+file_id ( msg:"WinRAR compressed archive file"; file_meta:type RAR, id 30, category "Archive"; file_data; content: "| 52 61 72 21 1A 07 00 |", depth 7, offset 0; gid:4; sid:1023889; rev:13; )
+file_id ( msg:"7-Zip compressed file"; file_meta:type 7Z, id 31, category "Archive"; file_data; content: "| 37 7A BC AF 27 1C |", depth 6, offset 0; gid:4; sid:1023890; rev:13; )
+file_id ( msg:"bzip2 compressed archive"; file_meta:type BZ, id 32, category "Archive"; file_data; content: "| 42 5A 68 |", depth 3, offset 0; gid:4; sid:1023891; rev:13; )
+file_id ( msg:"GZ"; file_meta:type GZ, id 33, category "Archive"; file_data; content: "| 1F 8B 08 |", depth 3, offset 0; gid:4; sid:1023892; rev:13; )
+file_id ( msg:"Compressed archive file"; file_meta:type ARJ, id 34, category "Archive"; file_data; content: "| 60 EA 00 00 |", depth 4, offset 0; gid:4; sid:1023893; rev:13; )
+file_id ( msg:"Install Shield v5.x or 6.x compressed file"; file_meta:type ISHIELD_MSI, id 35, category "Executables"; file_data; content: "| 49 53 63 28 |", depth 4, offset 0; gid:4; sid:1023894; rev:13; )
+file_id ( msg:"Macintosh BinHex 4 Compressed Archive"; file_meta:type BINHEX, id 36, category "Executables"; file_data; content: "| 28 54 68 69 73 20 66 69 6C 65 20 6D 75 73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 |", depth 41, offset 0; gid:4; sid:1023895; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 37, category "Office Documents"; file_data; content: "| 46 72 6F 6D 20 20 20 |", depth 7, offset 0; gid:4; sid:1023896; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 38, category "Office Documents"; file_data; content: "| 46 72 6F 6D 20 3F 3F 3F |", depth 8, offset 0; gid:4; sid:1023897; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 39, category "Office Documents"; file_data; content: "| 46 72 6F 6D 3A 20 |", depth 6, offset 0; gid:4; sid:1023898; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 40, category "Office Documents"; file_data; content: "| 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 |", depth 13, offset 0; gid:4; sid:1023899; rev:13; )
+file_id ( msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; file_meta:type MAIL, id 41, category "Office Documents"; file_data; content: "| 58 2D |", depth 2, offset 0; gid:4; sid:1023900; rev:13; )
+file_id ( msg:"Transport Neutral Encapsulation Format, an E-mail attachment format"; file_meta:type TNEF, id 42, category "Office Documents"; file_data; content: "| 78 9F 3E 22 |", depth 4, offset 0; gid:4; sid:1023901; rev:13; )
+file_id ( msg:"Universal Binary/Java Bytecode"; file_meta:type BINARY_DATA, id 43, category "Executables"; file_data; content: "| CA FE BA BE |", depth 4, offset 0; gid:4; sid:1023902; rev:13; )
+file_id ( msg:"UUencoded file"; file_meta:type UUENCODED, id 44, category "Encoded"; file_data; content: "| 62 65 67 69 6E |", depth 5, offset 0; gid:4; sid:1023903; rev:13; )
+file_id ( msg:"Script encoder file"; file_meta:type SCRENC, id 45, category 'Encoded"; file_data; content: "| 23 40 7E 5E |", depth 4, offset 0; gid:4; sid:1023904; rev:13; )
+file_id ( msg:"Executable and Linking Format executable file (Linux/Unix)"; file_meta:type ELF, id 46, category "Executables"; file_data; content: "| 7F 45 4C 46 |", depth 4, offset 0; gid:4; sid:1023905; rev:13; )
+file_id ( msg:"Mach object file format"; file_meta:type MACHO, id 47, category "Executables"; file_data; content: "| CE FA ED FE |", depth 4, offset 0; gid:4; sid:1023906; rev:13; )
+file_id ( msg:"Mach object file format"; file_meta:type MACHO, id 48, category "Executables"; file_data; content: "| CF FA ED FE |", depth 4, offset 0; gid:4; sid:1023907; rev:13; )
+file_id ( msg:"Mach object file format"; file_meta:type MACHO, id 49, category "Executables"; file_data; content: "| FE ED FA CE |", depth 4, offset 0; gid:4; sid:1023908; rev:13; )
+file_id ( msg:"Mach object file format"; file_meta:type MACHO, id 50, category "Executables"; file_data; content: "| FE ED FA CF |", depth 4, offset 0; gid:4; sid:1023909; rev:13; )
+file_id ( msg:"Software Installation Script, an archive for Symbian OS"; file_meta:type SIS, id 51, category "Archive"; file_data; content: "| 19 04 00 10 |", depth 4, offset 0; gid:4; sid:1023910; rev:13; )
+file_id ( msg:"Flash file "; file_meta:type SWF, id 52, category "Multimedia"; file_data; content: "| 43 57 53 |", depth 3, offset 0; gid:4; sid:1023911; rev:13; )
+file_id ( msg:"Flash file "; file_meta:type SWF, id 53, category 'Multimedia"; file_data; content: "| 46 57 53 |", depth 3, offset 0; gid:4; sid:1023912; rev:13; )
+file_id ( msg:"Archive created with the cpio utility- standard ASCII format"; file_meta:type CPIO_ODC, id 55, category "Archive"; file_data; content: "| 30 37 30 37 30 37 |", depth 6, offset 0; gid:4; sid:1023913; rev:13; )
+file_id ( msg:"Archive created with the cpio utility- new ASCII (aka SVR4) format"; file_meta:type CPIO_NEWC, id 56, category "Archive"; file_data; content: "| 30 37 30 37 30 31 |", depth 6, offset 0; gid:4; sid:1023914; rev:13; )
+file_id ( msg:"Archive created with the cpio utility- CRC format"; file_meta:type CPIO_CRC, id 57, category "Archive"; file_data; content: "| 30 37 30 37 30 32 |", depth 6, offset 0; gid:4; sid:1023915; rev:13; )
+file_id ( msg:"MPEG video file"; file_meta:type MPEG, id 58, category "Multimedia", group "video"; file_data; content: "| 00 00 01 B3 |", depth 4, offset 0; gid:4; sid:1023916; rev:13; )
+file_id ( msg:"MPEG video file"; file_meta:type MPEG, id 59, category "Multimedia", group "video"; file_data; content: "| 00 00 01 BA |", depth 4, offset 0; gid:4; sid:1023917; rev:13; )
+file_id ( msg:"Adobe encapsulated PostScript file"; file_meta:type EPS, id 60, category "PDF files"; file_data; content: "| 25 21 50 53 2D 41 64 6F 62 65 2D |", depth 11, offset 0; gid:4; sid:1023918; rev:13; )
+file_id ( msg:"RealNetworks RealMedia streaming media file"; file_meta:type RMF, id 61, category "Multimedia"; file_data; content: "| 2E 52 4D 46 |", depth 4, offset 0; gid:4; sid:1023919; rev:13; )
+file_id ( msg:"GIF"; file_meta:type GIF, id 62, category "Graphics"; file_data; content: "| 47 49 46 38 37 61 |", depth 6, offset 0; gid:4; sid:1023920; rev:13; )
+file_id ( msg:"GIF"; file_meta:type GIF, id 63, category 'Graphics"; file_data; content: "| 47 49 46 38 39 61 |", depth 6, offset 0; gid:4; sid:1023921; rev:13; )
+file_id ( msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 64, category "Multimedia"; file_data; content: "| 49 44 33 |", depth 3, offset 0; gid:4; sid:1023922; rev:13; )
+file_id ( msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 65, category "Multimedia"; file_data; content: "| FF FB |", depth 2, offset 0; gid:4; sid:1023923; rev:13; )
+file_id ( msg:"Ogg Vorbis Codec compressed Multimedia file"; file_meta:type OGG, id 66, category "Multimedia"; file_data; content: "| 4F 67 67 53 |", depth 4, offset 0; gid:4; sid:1023924; rev:13; )
+file_id ( msg:"RIFX audio format"; file_meta:type RIFX, id 67, category "Multimedia", group "audio"; file_data; content: "| 52 49 46 58 |", depth 4, offset 0; gid:4; sid:1023925; rev:13; )
+file_id ( msg:"Symantec files"; file_meta:type SYMANTEC, id 68, category "System files"; file_data; content: "| 58 2D 53 79 6D 61 6E 74 65 63 2D |", depth 11, offset 0; gid:4; sid:1023926; rev:13; )
+file_id ( msg:"Portable Network Graphics file"; file_meta:type PNG, id 69, category "Graphics", group "multimedia"; file_data; content: "| 89 50 4E 47 0D 0A 1A 0A |", depth 8, offset 0; gid:4; sid:1023927; rev:13; )
+file_id ( msg:"JPEG/JFIF graphics file"; file_meta:type JPEG, id 70, category "Graphics", group "multimedia"; file_data; content: "| FF D8 FF E0 |", depth 4, offset 0; gid:4; sid:1023928; rev:13; )
+file_id ( msg:"Jar pack file"; file_meta:type JARPACK, id 72, category "Executables"; file_data; content: "| CA FE D0 0D |", depth 4, offset 0; gid:4; sid:1023929; rev:13; )
+file_id ( msg:"Java archive file"; file_meta:type JAR, id 73, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 4D 45 54 41 2D 49 4E 46 2F |", depth 9, offset 30; gid:4; sid:1023930; rev:13; )
+file_id ( msg:"Flash video file"; file_meta:type FLV, id 74, category "Multimedia", group "video"; file_data; content: "| 46 4C 56 01 |", depth 4, offset 0; gid:4; sid:1023931; rev:13; )
+file_id ( msg:"Waveform Audio File Format"; file_meta:type WAV, id 76, category "Multimedia", group "audio"; file_data; content: "| 62 65 61 74 |", depth 4, offset 0; gid:4; sid:1023932; rev:13; )
+file_id ( msg:"Waveform Audio File Format"; file_meta:type WAV, id 77, category "Multimedia", group "video"; file_data; content: "| 4D 58 43 33 |", depth 4, offset 0; gid:4; sid:1023933; rev:13; )
+file_id ( msg:"ffmpeg Multimedia framework"; file_meta:type FFMPEG, id 78, category "Multimedia"; file_data; content: "| 34 58 4D 56 |", depth 4, offset 0; gid:4; sid:1023934; rev:13; )
+file_id ( msg:"Apple Disk Image"; file_meta:type DMG, id 79, category "System files"; file_data; content: "| 45 52 02 00 |", depth 4, offset 0; gid:4; sid:1023935; rev:13; )
+file_id ( msg:"Apple Disk Image"; file_meta:type DMG, id 80, category "System files"; file_data; content: "| 32 49 4D 47 |", depth 4, offset 0; gid:4; sid:1023936; rev:13; )
+file_id ( msg:"RealPlayer video file"; file_meta:type IVR, id 81, category "Multimedia", group "video"; file_data; content: "| 2E 52 45 43 |", depth 4, offset 0; gid:4; sid:1023937; rev:13; )
+file_id ( msg:"RealPlayer video file"; file_meta:type IVR, id 82, category "Multimedia", group "video"; file_data; content: "| 2E 52 31 4D |", depth 4, offset 0; gid:4; sid:1023938; rev:13; )
+file_id ( msg:"RealAudio file"; file_meta:type RA, id 83, category "Multimedia", group "audio"; file_data; content: "| 2E 52 4D 46 00 00 00 12 00 |", depth 9, offset 0; gid:4; sid:1023939; rev:13; )
+file_id ( msg:"RealAudio file"; file_meta:type RA, id 84, category "Multimedia", group "audio"; file_data; content: "| 2E 72 61 FD 00 |", depth 5, offset 0; gid:4; sid:1023940; rev:13; )
+file_id ( msg:"Virtual Machine Disk"; file_meta:type VMDK, id 85, category "System files"; file_data; content: "| 43 4F 57 44 |", depth 4, offset 0; gid:4; sid:1023941; rev:13; )
+file_id ( msg:"Virtual Machine Disk"; file_meta:type VMDK, id 86, category "System files"; file_data; content: "|4B 44 4D |", depth 3, offset 0; gid:4; sid:1023942; rev:13; )
+file_id ( msg:"Virtual Machine Disk"; file_meta:type VMDK, id 87, category "System files"; file_data; content: "| 23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F |", depth 16, offset 0; gid:4; sid:1023943; rev:13; )
+file_id ( msg:"Virtual Machine Disk"; file_meta:type VMDK, id 88, category "System files"; file_data; content: "| 2E 03 00 00 01 |", depth 5, offset 0; gid:4; sid:1023864; rev:13; )
+file_id ( msg:"Free Lossless Audio Codec file"; file_meta:type FLAC, id 89, category "Multimedia", group "audio"; file_data; content: "| 66 4C 61 43 00 00 00 22 |", depth 8, offset 0; gid:4; sid:1023945; rev:13; )
+file_id ( msg:"S3M audio module format"; file_meta:type S3M, id 90 , category "Multimedia", group "audio"; file_data; content: "| 53 43 52 4d |", depth 4, offset 0; gid:4; sid:1023946; rev:13; )
+file_id ( msg:"Microsoft Windows Media Audio/Video File"; file_meta:type ASF, id 91, category "Multimedia", group "audio"; file_data;content: "| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |", depth 16, offset 0; gid:4; sid:1023947; rev:13; )
+file_id ( msg:"Microsoft Word for Mac 5"; file_meta:type MSWORD_MAC5, id 93, category "Office Documents", group "office"; file_data; content: "| FE 37 00 23 |", depth 4, offset 0; gid:4; sid:1023948; rev:13; )
+file_id ( msg:"Microsoft symbolic Link"; file_meta:type SYLKc, id 94, category "System files"; file_data; content: "| 49 44 3B 50 |", depth 4, offset 0; gid:4; sid:1023949; rev:13; )
+file_id ( msg:"WordPerfect text and graphics file"; file_meta:type WP, id 95, category "Office Documents"; file_data; content: "| FF 57 50 43 |", depth 4, offset 0; gid:4; sid:1023950; rev:13; )
+file_id ( msg:"WordPerfect text and graphics file"; file_meta:type WP, id 96, category "Office Documents"; file_data; content: "| 81 CD AB |", depth 3, offset 0; gid:4; sid:1023951; rev:13; )
+file_id ( msg:"Tagged Image File Format file"; file_meta:type TIFF, id 97, category "Graphics", group "multimedia"; file_data; content: "| 49 49 2A 00 |", depth 4, offset 0; gid:4; sid:1023952; rev:13; )
+file_id ( msg:"Tagged Image File Format file"; file_meta:type TIFF, id 98, category "Graphics", group "multimedia"; file_data; content: "| 49 20 49 |", depth 3, offset 0; gid:4; sid:1023953; rev:13; )
+file_id ( msg:"Tagged Image File Format file"; file_meta:type TIFF, id 99, category "Graphics", group "multimedia"; file_data; content: "| 4D 4D 00 2A |", depth 4, offset 0; gid:4; sid:1023954; rev:13; )
+file_id ( msg:"Tagged Image File Format file"; file_meta:type TIFF, id 100, category "Graphics", group "multimedia"; file_data; content: "| 4D 4D 00 2B |", depth 4, offset 0; gid:4; sid:1023955; rev:13; )
+file_id ( msg:"Metastock technical analysis program for traders"; file_meta:type MWL, id 101, category "Office Documents"; file_data; content: "| 5b 4d 65 74 61 53 74 6f 63 6b |", depth 10, offset 0; gid:4; sid:1023956; rev:13; )
+file_id ( msg:"Microsoft Access file"; file_meta:type MDB, id 102, category "Office Documents"; file_data; content: "| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |", depth 19, offset 0; gid:4; sid:1023957; rev:13; )
+file_id ( msg:"Microsoft Access 2007 file"; file_meta:type ACCDB, id 103, category "Office Documents"; file_data; content: "| 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42 |", depth 19, offset 0; gid:4; sid:1023958; rev:13; )
+file_id ( msg:"Microsoft Money file"; file_meta:type MNY, id 104, category "Office Documents"; file_data; content: "| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65 |", depth 19, offset 0; gid:4; sid:1023959; rev:13; )
+file_id ( msg:"RealNetworks Realplayer REC"; file_meta:type REC, id 105, category "Multimedia"; file_data; content: "| 2e 72 65 63 00 |", depth 5, offset 0; gid:4; sid:1023960; rev:13; )
+file_id ( msg:"RealNetworks Realplayer R1M"; file_meta:type R1M, id 106, category "Multimedia"; file_data; content: "| 2e 72 31 6d |", depth 4, offset 0; gid:4; sid:1023961; rev:13; )
+file_id ( msg:"Outlook address file"; file_meta:type WAB, id 107, category "Office Documents", group "office"; file_data; content: "| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |", depth 16, offset 0; gid:4; sid:1023962; rev:13; )
+file_id ( msg:"Outlook address file"; file_meta:type WAB, id 108, category "Office Documents", group "office"; file_data; content: "| 81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 |", depth 16, offset 0; gid:4; sid:1023963; rev:13; )
+file_id ( msg:"Multimedia playlists"; file_meta:type M3U, id 109, category "Multimedia"; file_data; content: "| 23 45 58 54 4d 33 55 |", depth 7, offset 0; gid:4; sid:1023964; rev:13; )
+file_id ( msg:"Matroska stream file"; file_meta:type MKV, id 110, category "Multimedia"; file_data; content: "| 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61 |", depth 16, offset 0; gid:4; sid:1023965; rev:13; )
+file_id ( msg:"ChromaGraph Graphics Card Bitmap Graphic file"; file_meta:type IMG_PICT, id 111, category "Graphics", group "multimedia"; file_data; content: "| 50 49 43 54 00 08 |", depth 6, offset 0; gid:4; sid:1029966; rev:13; )
+file_id ( msg:"Advanced Module Format for digital music"; file_meta:type AMF, id 112, category "Multimedia", group "audio"; file_data; content: "| 41 4d 46 |", depth 3, offset 0; gid:4; sid:1023967; rev:13; )
+file_id ( msg:"WebM audio-video format"; file_meta:type WEBM, id 113, category "Multimedia", group "audio,video"; file_data; content: "| 1A 45 DF A3 |", depth 4, offset 0; gid:4; sid:1023968; rev:13; )
+file_id ( msg:"Autodesk Maya"; file_meta:type MAYA, id 114, category "Graphics"; file_data; content: "| 2f 2f 4d 61 79 61 |", depth 6, offset 0; gid:4; sid:1023969; rev:13; )
+file_id ( msg:"Musical Instrument Digital Interface (MIDI) sound file"; file_meta:type MIDI, id 115, category "Multimedia", group "audio"; file_data; content: "| 4D 54 68 64 |", depth 4, offset 0; gid:4; sid:1023970; rev:13; )
+file_id ( msg:"multimedia playlists"; file_meta:type PLS, id 116, category "Multimedia"; file_data; content: "| 5b 70 6c 61 79 6c 69 73 74 5d |", depth 10, offset 0; gid:4; sid:1023971; rev:13; )
+file_id ( msg:"Synchronized Multimedia Integration Language"; file_meta:type SMIL, id 117, category "Multimedia"; file_data; content: "| 3c 73 6d 69 6c 3e |", depth 6, offset 0; gid:4; sid:1023972; rev:13; )
+file_id ( msg:"Synchronized Accessible Media Interchange"; file_meta:type SAMI, id 119, category "Multimedia"; file_data; content: "| 3c 53 41 4d 49 |", depth 5, offset 0; gid:4; sid:1023973; rev:13; )
+file_id ( msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; file_meta:type NEW_OFFICE, id 120, category "Office Documents,Dynamic Analysis Capable,Local Malware Analysis Capable", group "office"; file_data; content: "| 50 4B 03 04 14 00 06 00 |", depth 8, offset 0; gid:4; sid:1023974; rev:13; )
+file_id ( msg:"Autodesk AutoCAD file (dwg) "; file_meta:type DWG, id 130, category "Graphics"; file_data; content: "| 41 43 31 30 |", depth 4, offset 0; gid:4; sid:1023975; rev:13; )
+file_id ( msg:"Microsoft Document Imaging file (mdi)"; file_meta:type MDI, id 132, category "Office Documents"; file_data; content: "| 45 50 |", depth 2, offset 0; gid:4; sid:1023976; rev:13; )
+file_id ( msg:"PGP disk image(PGD)"; file_meta:type PGD, id 133, category "System files"; file_data; content: "| 50 47 50 64 4D 41 49 4E |", depth 8, offset 0; gid:4; sid:1023977; rev:13; )
+file_id ( msg:"Photoshop image file (PSD)"; file_meta:type PSD, id 134, category "Graphics"; file_data; content: "| 38 42 50 53 |", depth 4, offset 0; gid:4; sid:1023978; rev:13; )
+file_id ( msg:"Windows 9x registry hive (REG)"; file_meta:type 9XHIVE, id 135, category "System files"; file_data; content: "| 43 52 45 47 |", depth 4, offset 0; gid:4; sid:1023979; rev:13; )
+file_id ( msg:"Windows Registry and Registry Undo files (REG)"; file_meta:type REG, id 136, category "System files"; file_data; content: "| 52 45 47 45 44 49 54 |", depth 7, offset 0; gid:4; sid:1023980; rev:13; )
+file_id ( msg:"Windows graphics metafile "; file_meta:type WMF, id 137, category "Graphics"; file_data; content: "| 01 00 09 00 00 03 |", depth 6, offset 0; gid:4; sid:1023981; rev:13; )
+file_id ( msg:"Windows Write document file (wri) "; file_meta:type WRI, id 138, category "Office Documents"; file_data; content: "| BE 00 00 00 AB 00 00 00 00 00 00 00 00 |", depth 13, offset 0; gid:4; sid:1023982; rev:13; )
+file_id ( msg:"RedHat Package Manager file"; file_meta:type RPM, id 139, category "Executables"; file_data; content: "| ED AB EE DB |", depth 4, offset 0; gid:4; sid:1023983; rev:13; )
+file_id ( msg:"Microsoft OneNote note"; file_meta:type ONE, id 140, category "Office Documents", group "office"; file_data; content: "| E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 |", depth 16, offset 0; gid:4; sid:1023984; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 141, category "Multimedia", group "video"; file_data; content: "| 00 00 00 18 66 74 79 70 33 67 70 35 |", depth 12, offset 0; gid:4; sid:1023985; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 142, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 69 73 6F 6D |", depth 8, offset 4; gid:4; sid:1023986; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 143, category "System files"; file_data; content: "| D4 C3 B2 A1 |", depth 4, offset 0; gid:4; sid:1023987; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 144, category "System files"; file_data; content: "| 34 CD B2 A1 |", depth 4, offset 0; gid:4; sid:1023988; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 145, category "System files"; file_data; content: "| A1 B2 C3 D4 |", depth 4, offset 0; gid:4; sid:1023989; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 146, category "System files"; file_data; content: "| A1 B2 CD 34 |", depth 4, offset 0; gid:4; sid:1023990; rev:13; )
+file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 147, category "System files"; file_data; content: "| 52 54 53 53 |", depth 4, offset 0; gid:4; sid:1023991; rev:13; )
+file_id ( msg:"Bitmap image file"; file_meta:type BMP, id 148, category "Graphics", group "multimedia"; file_data; content: "| 42 4D |", depth 2, offset 0; gid:4; sid:1023992; rev:13; )
+file_id ( msg:"Windows icon file"; file_meta:type ICO, id 149, category "Graphics"; file_data; content: "| 00 00 01 00 |", depth 4, offset 0; gid:4; sid:1023993; rev:13; )
+file_id ( msg:"BitTorrent File"; file_meta:type TORRENT, id 150, category "Executables"; file_data; content: "| 64 38 3A 61 6E 6E 6F 75 6E 63 65 |", depth 11, offset 0; gid:4; sid:1023994; rev:13; )
+file_id ( msg:"Adaptive Multi-Rate Codec File"; file_meta:type AMR, id 151, category "Multimedia"; file_data; content: "| 23 21 41 4D 52 |", depth 5, offset 0; gid:4; sid:1023995; rev:13; )
+file_id ( msg:"StuffIt compressed archive"; file_meta:type SIT, id 152, category "Archive"; file_data; content: "| 53 49 54 21 00 |", depth 5, offset 0; gid:4; sid:1023996; rev:13; )
+file_id ( msg:"Microsoft Outlook Personal Folder File"; file_meta:type PST, id 153, category "Office Documents", group "office"; file_data; content: "| 21 42 44 4E |", depth 4, offset 0; gid:4; sid:1023997; rev:13; )
+file_id ( msg:"Windows Help file"; file_meta:type HLP, id 154, category "Office Documents"; file_data; content: "| 4C 4E 02 00 |", depth 4, offset 0; gid:4; sid:1023998; rev:13; )
+file_id ( msg:"Windows Help file"; file_meta:type HLP, id 155, category "Office Documents"; file_data; content: "| 3F 5F 03 00 |", depth 4, offset 0; gid:4; sid:1023999; rev:13; )
+file_id ( msg:"Windows Autorun setup file"; file_meta:type AUTORUN, id 156, category "Executables"; file_data; content: "| 5B 61 75 74 6F 72 75 6E 5D 0D 0A |", depth 11, offset 0; gid:4; sid:1024000; rev:13; )
+file_id ( msg:"JPEG/JFIF graphics file"; file_meta:type JPEG, id 157, category "Graphics", group "multimedia"; file_data; content: "| FF D8 FF E1 |", depth 4, offset 0; gid:4; sid:1024001; rev:13; )
+file_id ( msg:"Compressed archive file"; file_meta:type ARJ, id 158, category "Archive"; file_data; content: "| 60 EA |", depth 2, offset 0; gid:4; sid:1024002; rev:13; )
+file_id ( msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; file_meta:type MP3, id 159, category "Multimedia", group "audio"; file_data; content: "| FF FA |", depth 2, offset 0; gid:4; sid:1024003; rev:13; )
+file_id ( msg:"StuffIt compressed archive"; file_meta:type SIT, id 160, category "Archive"; file_data; content: "| 53 74 75 66 66 49 74 20 |", depth 8, offset 0; gid:4; sid:1024004; rev:13; )
+file_id ( msg:"Windows graphics metafile "; file_meta:type WMF, id 162, category "Graphics"; file_data; content: "| D7 CD C6 9A |", depth 4, offset 0; gid:4; sid:1024005; rev:13; )
+file_id ( msg:"Software Installation Script, an archive for Symbian OS"; file_meta:type SIS, id 163, category "Archive"; file_data; content: "| 7A 1A 20 10 |", depth 4, offset 0; gid:4; sid:1024006; rev:13; )
+file_id ( msg:"Windows Write document file (wri) "; file_meta:type WRI, id 164, category "Office Documents"; file_data; content: "| 31 BE |", depth 2, offset 0; gid:4; sid:1024007; rev:13; )
+file_id ( msg:"Windows Write document file (wri) "; file_meta:type WRI, id 165, category "Office Documents"; file_data; content: "| 32 BE |", depth 2, offset 0; gid:4; sid:1024008; rev:13; )
+file_id ( msg:"Waveform Audio File Format"; file_meta:type WAV, id 166, category "Multimedia", group "audio"; file_data; content: "| 52 49 46 46 |", depth 4, offset 0; content: "| 57 41 56 45 66 6D 74 20 |", depth 8, offset 8; gid:4; sid:1024009; rev:13; )
+file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 167, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 6D 70 34 32 |", depth 8, offset 4; gid:4; sid:1024010; rev:13; )
+file_id ( msg:"MPEG-4 video files";
file_meta:type MP4, id 168, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 33 67 70 |", depth 7, offset 4; gid:4; sid:1024011; rev:13; ) +file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 169, category "Multimedia", group "video"; file_data; content: "| 66 74 79 70 4D 53 4E 56 |", depth 8, offset 4; gid:4; sid:1024012; rev:13; ) +file_id ( msg:"Digital Imaging and Communications in Medicine"; file_meta:type DICM, id 170, category "Multimedia"; file_data; content: "| 44 49 43 4D |", depth 4, offset 128; gid:4; sid:1024013; rev:13; ) +file_id ( msg:"PKZIP encrypted archive file"; file_meta:type ZIP_ENC, id 171, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 01 |", depth 1, offset 6; gid:4; sid:1024014; rev:13; ) +file_id ( msg:"Standard Anti-Virus Test File"; file_meta:type EICAR, id 273, category "Executables"; file_data; content: "| 58 35 4F 21 50 25 |", depth 6, offset 0; gid:4; sid:1024015; rev:13; ) +file_id ( msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 275, category "Office Documents"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 46 69 78 65 64 44 6F 63 75 6D |", depth 10, offset 30; gid:4; sid:1024016; rev:13; ) +file_id ( msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 277, category "Office Documents"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 44 6F 63 75 6D 65 6E 74 73 2F |", depth 10, offset 30; gid:4; sid:1024017; rev:13; ) +file_id ( msg:"Microsoft XML Paper Specification Document"; file_meta:type XPS, id 278, category "Office Documents"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 4D 65 74 61 64 61 74 61 2F |", depth 9, offset 30; gid:4; sid:1024018; rev:13; ) +file_id ( msg:"Windows crash dump file"; file_meta:type DMP, id 279, category "System files"; file_data; content: "| 4D 44 4D 50 93 A7 |", depth 6, offset 0; gid:4; sid:1024019; rev:13; ) 
+file_id ( msg:"Windows crash dump file"; file_meta:type DMP, id 280, category "System files"; file_data; content: "| 50 41 47 45 44 55 36 34 |", depth 8, offset 0; gid:4; sid:104020; rev:13; ) +file_id ( msg:"Windows crash dump file"; file_meta:type DMP, id 281, category "System files"; file_data; content: "| 50 41 47 45 44 55 4D 50 |", depth 8, offset 0; gid:4; sid:1024021; rev:13; ) +file_id ( msg:"PDF file "; file_meta:type PDF, id 282, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.0"; file_data; content: "| 25 50 44 46 2D 31 2E 30 |", depth 8, offset 0; gid:4; sid:1024022; rev:13; ) +file_id ( msg:"PDF file "; file_meta:type PDF, id 283, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.1"; file_data; content: "| 25 50 44 46 2D 31 2E 31 |", depth 8, offset 0; gid:4; sid:1024023; rev:13; ) +file_id ( msg:"PDF file "; file_meta:type PDF, id 284, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.2"; file_data; content: "| 25 50 44 46 2D 31 2E 32 |", depth 8, offset 0; gid:4; sid:1024024; rev:13; ) +file_id ( msg:"PDF file "; file_meta:type PDF, id 285, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.3"; file_data; content: "| 25 50 44 46 2D 31 2E 33 |", depth 8, offset 0; gid:4; sid:1024025; rev:13; ) +file_id ( msg:"PDF file "; file_meta:type PDF, id 286, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.4"; file_data; content: "| 25 50 44 46 2D 31 2E 34 |", depth 8, offset 0; gid:4; sid:1024026; rev:13; ) +file_id ( msg:"PDF file "; file_meta:type PDF, id 287, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.5"; file_data; content: "| 25 50 44 46 2D 31 2E 35 |", depth 8, offset 0; gid:4; sid:1024027; rev:13; ) +file_id ( msg:"PDF file "; file_meta:type PDF, id 288, category "PDF files,Dynamic Analysis Capable,Local Malware 
Analysis Capable", version "1.6"; file_data; content: "| 25 50 44 46 2D 31 2E 36 |", depth 8, offset 0; gid:4; sid:1024028; rev:13; ) +file_id ( msg:"PDF file "; file_meta:type PDF, id 289, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.7"; file_data; content: "| 25 50 44 46 2D 31 2E 37 |", depth 8, offset 0;gid:4; sid:1024029; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 290, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 30 |", depth 2, offset 7; gid:4; sid:1024030; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 291, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 31 |", depth 2, offset 7; gid:4; sid:1024031; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 292, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 32 |", depth 2, offset 7; gid:4; sid:1024032; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 293, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 33 |", depth 2, offset 7; gid:4; sid:1024033; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 294, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 34 |", depth 2, offset 7; gid:4; sid:1024034; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 295, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 30 35 |", depth 2, offset 7; gid:4; sid:1024035; rev:13; ) +file_id ( msg:"Binary files for 
Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 296, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 32 30 |", depth 2, offset 7; gid:4; sid:1024036; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 297, category "System files"; file_data; content: "| 3A 31 |", depth 2, offset 0; content: "| 32 32 |", depth 2, offset 7; gid:4; sid:1024037; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 298, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 30 |", depth 2, offset 7; gid:4; sid:1024038; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 300, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 31 |", depth 2, offset 7; gid:4; sid:1024039; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 301, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 32 |", depth 2, offset 7; gid:4; sid:1024040; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 302, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 33 |", depth 2, offset 7; gid:4; sid:1024041; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 303, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 30 34 |", depth 2, offset 7; gid:4; sid:1024042; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 304, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; 
content: "| 30 35 |", depth 2, offset 7; gid:4; sid:1024043; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 306, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 32 32 |", depth 2, offset 7; gid:4; sid:1024044; rev:13; ) +file_id ( msg:"Windows Registry and Registry Undo files (REG)"; file_meta:type REG, id 307, category "System files"; file_data; content: "| FF FE |", depth 2, offset 0; gid:4; sid:1024045; rev:13; ) +file_id ( msg:"Proprietary layout engine for Microsoft Internet Explorer"; file_meta:type MSHTML, id 308, category "Office Documents"; file_data; content: "| 3D 22 2D 2D 2D 2D 3D 5F |", depth 8, offset 60; gid:4; sid:1024046; rev:13; ) +file_id ( msg:"Microsoft Visual Basic files, including .cs, .vb, and .vbp"; file_meta:type VB, id 310, category "System files"; file_data; content: "| EF BB BF |", depth 3, offset 0; gid:4; sid:1024047; rev:13; ) +file_id ( msg:"Microsoft Visual Basic files, including .cs, .vb, and .vbp"; file_meta:type VB, id 311, category "System files"; file_data; content: "| 54 79 70 65 3D 45 78 65 |", depth 8, offset 0; gid:4; sid:1024048; rev:13; ) +file_id ( msg:"MPEG-4 video files"; file_meta:type MP4, id 313, category "Multimedia"; file_data; content: "| 66 74 79 70 64 61 73 68 |", depth 8, offset 4; gid:4; sid:1024049; rev:13; ) +file_id ( msg:"Microsoft Windows Shortcut Files"; file_meta:type LNK, id 314, category "Executables"; file_data; content: "| 4C 00 00 00 01 14 02 00 |", depth 8, offset 0; gid:4; sid:1024050; rev:13; ) +file_id ( msg:"Microsoft Windows Shortcut Files"; file_meta:type SCR, id 315, category "Executables"; file_data; content: "| 44 43 4E 01 |", depth 4, offset 0; gid:4; sid:1024051; rev:13; ) +file_id ( msg:"Microsoft Windows Shortcut Files"; file_meta:type SCR, id 316, category "Executables"; file_data; content: "| 44 43 44 01 |", depth 4, offset 0; gid:4; sid:1024052; rev:13; ) +file_id ( 
msg:"Matroska stream file"; file_meta:type MKV, id 317, category "Multimedia"; file_data; content: "| 1A 45 DF A3 01 00 00 00 00 00 00 23 42 86 81 01 |", depth 16, offset 0; gid:4; sid:1024053; rev:13; ) +file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 16, category "Multimedia"; file_data; content: "| 44 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1024054; rev:13; ) +file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 17, category "Multimedia"; file_data; content: "| 30 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1024055; rev:13; ) +file_id ( msg:"FLIC Animation file"; file_meta:type FLIC, id 18, category "Multimedia"; file_data; content: "| 31 AF |", depth 2, offset 4; content: "| 40 01 |", depth 2, offset 8 ; content: "| c8 00 |", depth 2, offset 10 ; file_data; content: "| 00 00 |", depth 2, offset 20 ; file_data; content: "| 00 00 00 00 00 00 00 00 |", depth 8, offset 42; gid:4; sid:1024056; rev:13; ) +file_id ( msg:"Windows NT registry hive (REG)"; file_meta:type NTHIVE, id 161, category "System files"; file_data; content: "| 72 65 67 66 |", depth 4, offset 0; gid:4; sid:1024057; rev:13; ) +file_id ( msg:"Binary files for Microcontroller/Other Chip based applications"; file_meta:type IntelHEX, id 305, category "System files"; file_data; content: "| 3A 32 |", depth 2, offset 0; content: "| 32 30 |", depth 2, offset 7; gid:4; sid:1024058; rev:13; ) +file_id ( msg:"Java archive file"; file_meta:type JAR, id 318, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 63 6F 6E 74 65 6E 74 2F |", depth 8, offset 
30; gid:4; sid:1024059; rev:13; ) +file_id ( msg:"Java archive file"; file_meta:type JAR, id 319, category "Archive"; file_data; content: "| 50 4B 03 04 |", depth 4, offset 0; content: "| 6F 70 74 69 6F 6E 73 2F |", depth 8, offset 30; gid:4; sid:1024060; rev:13; ) +file_id ( msg:"WinRAR compressed archive file"; file_meta:type RAR, id 320, category "Archive", version "1.1"; file_data; content: "| 52 61 72 21 1A 07 01 00 |", depth 8, offset 0; gid:4; sid:1024061; rev:13; ) +file_id ( msg:"Archive file for Microsoft created using software ALZip"; file_meta:type ALZ, id 321, category "Archive"; file_data; content: "| 41 4C 5A 01 |", depth 4, offset 0; gid:4; sid:1024062; rev:13; ) +file_id ( msg:"Archive File for Microsoft created using software ALZip"; file_meta:type EGG, id 322, category "Archive"; file_data; content: "| 45 47 47 41 |", depth 4, offset 0; gid:4; sid:1024063; rev:13; ) +file_id ( msg:"Hangul word processor file"; file_meta:type HWP, id 323, category "Office Documents", version "3.0"; file_data; content: "| 48 57 50 20 44 6F 63 75 6D 65 6E 74 20 46 69 6C 65 |", depth 17, offset 0; gid:4; sid:1024064; rev:13; ) +file_id ( msg:"Flash file"; file_meta:type SWF, id 324, category "Multimedia"; file_data; content: "| 5A 57 53 |", depth 3, offset 0; gid:4; sid:1024065; rev:13; ) +file_id ( msg:"Packet capture file"; file_meta:type PCAP, id 325, category "System files"; file_data; content: "| 0A 0D 0D 0A |", depth 4, offset 0; gid:4; sid:1024066; rev:13; ) +file_id ( msg:"Flash file "; file_meta:type SWF, id 54, category "Multimedia"; file_data; content: "| 58 46 49 52 |", depth 4, offset 0; gid:4; sid:1024067; rev:13; ) diff --git a/lua/snort.lua b/lua/snort.lua index e9021b426..a4e9b4f7a 100644 --- a/lua/snort.lua +++ b/lua/snort.lua @@ -28,7 +28,6 @@ HOME_NET = 'any' EXTERNAL_NET = 'any' include 'snort_defaults.lua' -include 'file_magic.lua' --------------------------------------------------------------------------- -- 2. configure inspection 
@@ -89,7 +88,7 @@ http_inspect = default_http_inspect http2_inspect = { } -- see file_magic.lua for file id rules -file_id = { file_rules = file_magic } +file_id = { rules_file = 'file_magic.rules' } file_policy = { } -- the following require additional configuration to be fully effective: diff --git a/src/actions/CMakeLists.txt b/src/actions/CMakeLists.txt index acb3102ce..2ec6f48c7 100644 --- a/src/actions/CMakeLists.txt +++ b/src/actions/CMakeLists.txt @@ -10,6 +10,7 @@ set (IPS_ACTION_SOURCES act_alert.cc act_block.cc act_drop.cc + act_file_id.cc act_log.cc act_pass.cc act_reject.cc diff --git a/src/actions/act_file_id.cc b/src/actions/act_file_id.cc new file mode 100644 index 000000000..b0503e203 --- /dev/null +++ b/src/actions/act_file_id.cc 
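Review bot: The context line `-- see file_magic.lua for file id rules` now points at a file this commit deletes, so the comment in snort.lua contradicts the new setting on the next line; change it to `-- see file_magic.rules for file id rules` to match `file_id = { rules_file = 'file_magic.rules' }`. While checking that rules file, the DMP rule with `id 280` carries `sid:104020` where every neighbouring rule uses the 10240xx series (`sid:1024019`, `sid:1024021`), which looks like a dropped digit and leaves a gap in the sid sequence.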
@@ -0,0 +1,99 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// act_file_id.cc author Bhargava Jandhyala
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "actions.h"
+#include "detection/detect.h"
+#include "file_api/file_flows.h"
+#include "file_api/file_identifier.h"
+#include "managers/action_manager.h"
+#include "parser/parser.h"
+#include "utils/stats.h"
+
+using namespace snort;
+
+#define s_name "file_id"
+
+#define s_help \
+ "file_id file type id"
+
+//-------------------------------------------------------------------------
+// ips action
+//-------------------------------------------------------------------------
+
+class File_IdAction : public IpsAction
+{
+public:
+ File_IdAction() : IpsAction(s_name, nullptr) { }
+ void exec(Packet*, const OptTreeNode* otn) override;
+};
+
+void File_IdAction::exec(Packet* p, const OptTreeNode* otn)
+{
+ if (!p->flow)
+ return;
+ FileFlows* files = FileFlows::get_file_flows(p->flow, false);
+ if (!files)
+ return;
+ FileContext* file = files->get_current_file_context();
+ if (!file)
+ return;
+ file->set_file_type(otn->sigInfo.file_id);
+}
+
+//-------------------------------------------------------------------------
+
+static IpsAction* file_id_ctor(Module*)
+{ return new File_IdAction; }
+
+static void file_id_dtor(IpsAction* p)
+{ delete p; }
+
+static ActionApi file_id_api
+{
+ {
+ PT_IPS_ACTION,
+ sizeof(ActionApi),
+ ACTAPI_VERSION,
+ 0,
+ API_RESERVED,
+ API_OPTIONS,
+ s_name,
+ s_help,
+ nullptr, // mod_ctor
+ nullptr, // mod_dtor
+ },
+ IpsAction::IAP_OTHER,
+ nullptr,
+ nullptr,
+ nullptr,
+ nullptr,
+ file_id_ctor,
+ file_id_dtor
+};
+
+const BaseApi* act_file_id[] =
+{
+ &file_id_api.base,
+ nullptr
+};
+
diff --git a/src/actions/ips_actions.cc b/src/actions/ips_actions.cc
index 3726dab4b..ec866bdc0 100644
--- a/src/actions/ips_actions.cc
+++ b/src/actions/ips_actions.cc
@@ -33,6 +33,7 @@ extern const BaseApi* act_react[];
 extern const BaseApi* act_alert[];
 extern const BaseApi* act_block[];
 extern const BaseApi* act_drop[];
+extern const BaseApi* act_file_id[];
 extern const BaseApi* act_log[];
 extern const BaseApi* act_pass[];
 extern const BaseApi* act_reject[];
@@ -46,6 +47,7 @@ void load_actions()
 PluginManager::load_plugins(act_alert);
 PluginManager::load_plugins(act_block);
 PluginManager::load_plugins(act_drop);
+ PluginManager::load_plugins(act_file_id);
 PluginManager::load_plugins(act_log);
 PluginManager::load_plugins(act_pass);
 PluginManager::load_plugins(act_reject);
diff --git a/src/detection/detection_options.cc b/src/detection/detection_options.cc
index e6dfa6538..75abf52e9 100644
--- a/src/detection/detection_options.cc
+++ b/src/detection/detection_options.cc
@@ -414,7 +414,7 @@ int detection_option_node_evaluate(
 do
 {
 rval = (int)IpsOption::NO_MATCH; // FIXIT-L refactor to eliminate casts to int.
- if ( node->otn )
+ if ( node->otn and !node->otn->sigInfo.file_id )
 {
 SnortProtocolId snort_protocol_id = p->get_snort_protocol_id();
 int check_ports = 1;
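Review bot: `File_IdAction::exec` calls `file->set_file_type(otn->sigInfo.file_id)` without checking that `file_id` is non-zero, yet the action is registered under the public name `file_id` with `IpsAction::IAP_OTHER`, so a rule that names this action without a `file_meta` option would presumably write a zero type into the current file context. Add `if (!otn->sigInfo.file_id) return;` before the `set_file_type` call, or document above the class that the action is only meaningful for rules evaluated through the file-id path. The `s_help` text `"file_id file type id"` also says nothing about what the action does; something like `"set the file type of the current file context from the matching file_id rule"` would be more useful in the module help output.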
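Review bot: The new condition `node->otn and !node->otn->sigInfo.file_id` exempts rules with a non-zero `file_id` from the protocol and port checks that follow, but nothing at this point says why a reader should expect that; the connection to file_meta rules evaluated on file data is only visible in other files of this commit. Add a one-line comment above the `if`, e.g. `// file_id rules match on file data rather than on the packet's ports/protocol, so the header checks below do not apply`. The enclosing `detection_option_node_evaluate` starts and ends outside the hunk.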
diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc
index 67040823e..a18dd49c0 100644
--- a/src/detection/fp_detect.cc
+++ b/src/detection/fp_detect.cc
@@ -962,7 +962,7 @@ static int fp_search(RuleGroup* port_group, Packet* p, bool srvc)
 }

 static inline void eval_fp(
- RuleGroup* port_group, Packet* p, char ip_rule, bool srvc)
+ RuleGroup* port_group, Packet* p, char ip_rule, bool srvc, bool force = false)
 {
 const uint8_t* tmp_payload = nullptr;
 uint16_t tmp_dsize = 0;
@@ -985,7 +985,7 @@ static inline void eval_fp(
 }
 }

- if ( DetectionEngine::content_enabled(p) )
+ if ( DetectionEngine::content_enabled(p) or force)
 {
 if ( fp_search(port_group, p, srvc) )
 return;
@@ -1080,13 +1080,13 @@ static inline void eval_nfp(
 // for performance purposes.

 static inline void fpEvalHeaderSW(
- RuleGroup* port_group, Packet* p, char ip_rule, FPTask task, bool srvc = false)
+ RuleGroup* port_group, Packet* p, char ip_rule, FPTask task, bool srvc = false, bool force = false)
 {
- if ( !p->is_detection_enabled(p->packet_flags & PKT_FROM_CLIENT) )
+ if ( !force and !p->is_detection_enabled(p->packet_flags & PKT_FROM_CLIENT))
 return;

 if ( task & FPTask::FP )
- eval_fp(port_group, p, ip_rule, srvc);
+ eval_fp(port_group, p, ip_rule, srvc, force);

 if ( task & FPTask::NON_FP )
 eval_nfp(port_group, p, ip_rule);
@@ -1356,3 +1356,61 @@ static void fp_immediate(MpseGroup* mpg, Packet* p, const uint8_t* buf, unsigned
 }
 }

+static inline int fp_do_actions(OtnxMatchData* omd, Packet* p)
+{
+ if (!omd->have_match)
+ return 0;
+
+ for (unsigned i = 0; i < p->context->conf->num_rule_types; i++)
+ {
+ if (omd->matchInfo[i].iMatchCount)
+ {
+ qsort(omd->matchInfo[i].MatchArray, omd->matchInfo[i].iMatchCount,
+ sizeof(void*), sortOrderByContentLength);
+ const OptTreeNode* otn = omd->matchInfo[i].MatchArray[0];
+ RuleTreeNode* rtn = getRtnFromOtn(otn);
+ IpsAction* act = get_ips_policy()->action[rtn->action];
+ act->exec(p, otn);
+ }
+ }
+
+ return 0;
+}
+
+void fp_eval_service_group(Packet* p, SnortProtocolId snort_protocol_id)
+{
+ Profile mpse_profile(mpsePerfStats);
+ RuleGroup* svc = p->context->conf->sopgTable->get_port_group(true, snort_protocol_id);
+
+ if (!svc)
+ return;
+
+ IpsContext* c = p->context;
+ init_match_info(c);
+ c->searches.mf = rule_tree_queue;
+ c->searches.context = c;
+ assert(!c->searches.items.size());
+
+ IpsContext::ActiveRules actv_rules = c->active_rules;
+ c->active_rules = IpsContext::CONTENT;
+ IpsPolicy* ips_policy = snort::get_ips_policy();
+ snort::set_ips_policy(get_default_ips_policy(SnortConfig::get_conf()));
+
+ print_pkt_info(p, "file_id fast-patterns"); //FIXIT
+ fpEvalHeaderSW(svc, p, 0, FPTask::FP, true, true);
+ MpseStash* stash = c->stash;
+ c->searches.search_sync();
+ {
+ Profile rule_profile(rulePerfStats);
+ stash->process(c);
+
+ print_pkt_info(p, "file_id non-fast-patterns"); //FIXIT
+ fpEvalHeaderSW(svc, p, 0, FPTask::NON_FP, true);
+
+ fp_do_actions(c->otnx, p);
+
+ c->searches.items.clear();
+ }
+ c->active_rules = actv_rules;
+ snort::set_ips_policy(ips_policy);
+}
diff --git a/src/detection/fp_detect.h b/src/detection/fp_detect.h
index 53ebc14a3..18a6d6eaa 100644
--- a/src/detection/fp_detect.h
+++ b/src/detection/fp_detect.h
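Review bot: The new `force` parameter on `fpEvalHeaderSW` (hunk at 1080) and `eval_fp` (hunks at 962 and 985) bypasses both `is_detection_enabled` and `content_enabled` with no comment saying who may pass it or why, and a second defaulted `bool` next to `srvc` makes calls like `fpEvalHeaderSW(svc, p, 0, FPTask::FP, true, true)` hard to read. A comment on the `fpEvalHeaderSW` declaration such as `// force: evaluate the group even when detection/content is disabled for this packet (used for file-type rules run on file data)` would state the contract; passing the two flags through a small enum or a struct would remove the bool pair. Note that `eval_nfp` is unchanged, so for a `NON_FP` task `force` only matters at the `is_detection_enabled` guard.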
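Review bot: In `fp_eval_service_group` the fast-pattern pass is forced with `fpEvalHeaderSW(svc, p, 0, FPTask::FP, true, true)` but the non-fast-pattern pass is called as `fpEvalHeaderSW(svc, p, 0, FPTask::NON_FP, true)`, so when detection is disabled for the packet the `!force and !p->is_detection_enabled(...)` guard returns before any non-fast-pattern file_id rule is evaluated; if both passes are meant to run regardless, the second call needs `true` for `force` as well. The two `print_pkt_info(p, "file_id ...")` calls marked `//FIXIT` look like debugging output left on the per-file path and should be removed or put behind a trace/debug option before merge. In `fp_do_actions`, `act` from `get_ips_policy()->action[rtn->action]` is dereferenced without a null check and the function always returns 0 to a caller that ignores it; a `void` return plus `if (act) act->exec(p, otn);` (or an assert, if the policy guarantees every action slot is populated) would be clearer.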
@@ -31,6 +31,7 @@ #include "main/thread.h" #include "profiler/profiler_defs.h" +#include "target_based/snort_protocols.h" #define REBUILD_FLAGS (PKT_REBUILT_FRAG | PKT_REBUILT_STREAM) @@ -98,6 +99,7 @@ void fp_clear_context(const snort::IpsContext&); void fp_full(snort::Packet*); void fp_partial(snort::Packet*); void fp_complete(snort::Packet*, bool search = false); +void fp_eval_service_group(snort::Packet*, SnortProtocolId); #endif diff --git a/src/detection/ips_context.h b/src/detection/ips_context.h index b23622c47..937482e4e 100644 --- a/src/detection/ips_context.h +++ b/src/detection/ips_context.h @@ -81,6 +81,9 @@ public: SnortProtocolId get_snort_protocol_id() { return flow.proto_id; } + void set_snort_protocol_id(SnortProtocolId id) + { flow.proto_id = id; } + void disable_detection(); void disable_inspection(); @@ -154,6 +157,8 @@ public: DataPointer file_data = DataPointer(nullptr, 0); DataBuffer alt_data = {}; + unsigned file_pos = 0; + bool file_type_process = false; uint64_t context_num; uint64_t packet_number = 0; diff --git a/src/detection/signature.h b/src/detection/signature.h index 98d8eb739..2c5d2a664 100644 --- a/src/detection/signature.h +++ b/src/detection/signature.h @@ -28,6 +28,7 @@ #include #include +#include "rules.h" #include "target_based/snort_protocols.h" namespace snort @@ -98,7 +99,7 @@ struct SigInfo const ClassType* class_type = nullptr; - uint32_t gid = 0; + uint32_t gid = GID_DEFAULT; uint32_t sid = 0; uint32_t rev = 0; @@ -107,6 +108,7 @@ struct SigInfo bool builtin = false; Target target = TARGET_NONE; + uint64_t file_id = 0; }; snort::GHash* OtnLookupNew(); diff --git a/src/file_api/file_api.h b/src/file_api/file_api.h index dd06165a5..537fe47d2 100644 --- a/src/file_api/file_api.h +++ b/src/file_api/file_api.h 
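Review bot: The new `SigInfo::file_id` member in signature.h has no comment, yet a non-zero value changes how the rule is evaluated (it is tested in `detection_option_node_evaluate` and consumed by `File_IdAction::exec` elsewhere in this commit); add `uint64_t file_id = 0; // file type id from file_meta; non-zero marks a file_id rule`. The same applies to `IpsContext::file_pos` and `file_type_process` in the ips_context.h hunk, which are public members added without a word on their meaning or who resets them between files. The `#include "rules.h"` added to signature.h appears to be needed only for `GID_DEFAULT`; if so, a trailing `// GID_DEFAULT` on the include line would make the new dependency of this public header self-explanatory.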
@@ -212,6 +212,8 @@ inline FileCharEncoding get_character_encoding(const char* file_name, size_t len SO_PUBLIC uint64_t get_file_processed_size(Flow* flow); SO_PUBLIC FilePosition get_file_position(Packet* pkt); +SO_PUBLIC void set_rule_id_from_type(SnortConfig* sc, uint64_t id, std::string type, + std::string file_category, std::string file_version, std::vector file_groups); SO_PUBLIC void get_magic_rule_ids_from_type(const std::string& type, const std::string& version, FileTypeBitSet& ids_set, SnortConfig*); } diff --git a/src/file_api/file_config.cc b/src/file_api/file_config.cc index 2d5d01318..51304240a 100644 --- a/src/file_api/file_config.cc +++ b/src/file_api/file_config.cc @@ -37,20 +37,6 @@ using namespace snort; -bool FileConfig::process_file_magic(FileMagicData& magic) -{ - bool negated = false; - std::string str = '"' + magic.content_str + '"'; - - if ( !parse_byte_code(str.c_str(), negated, magic.content) ) - return false; - - if (negated) - return false; - - return true; -} - uint32_t FileConfig::find_file_type_id(const uint8_t* buf, int len, uint64_t file_offset, void** context) { @@ -58,12 +44,12 @@ uint32_t FileConfig::find_file_type_id(const uint8_t* buf, int len, } /*The main function for parsing rule option*/ -void FileConfig::process_file_rule(FileMagicRule& rule) +void FileConfig::process_file_rule(FileMeta& rule) { - fileIdentifier.insert_file_rule(rule); + fileIdentifier.add_file_id(rule); } -const FileMagicRule* FileConfig::get_rule_from_id(uint32_t id) const +const FileMeta* FileConfig::get_rule_from_id(uint32_t id) const { return fileIdentifier.get_rule_from_id(id); } @@ -82,7 +68,7 @@ std::string FileConfig::file_type_name(uint32_t id) const else if (SNORT_FILE_TYPE_CONTINUE == id) return "Undecided file type, continue..."; - const FileMagicRule* info = get_rule_from_id(id); + const FileMeta* info = get_rule_from_id(id); if (info != nullptr) return info->type; 
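Review bot: `set_rule_id_from_type` takes `type`, `file_category`, `file_version` and `file_groups` by value and its definition in file_config.cc (hunk at 123) then passes them to the `FileMeta` constructor, which copies each string and the vector once more; take them as `const std::string&` and `const std::vector<...>&` (the vector's element type is not visible in this rendering), or `std::move` them into `FileMeta` if that constructor takes by value. The function also silently does nothing when `get_file_config(sc)` returns null; if that can happen while rules are being parsed, the rule is dropped without any diagnostic, and a `ParseError` would be the usual way to surface it. Both hunks start and end inside the visible text.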
@@ -123,5 +109,16 @@ void get_magic_rule_ids_from_type(const std::string& type, const std::string& ve else ids_set.reset(); } + +void set_rule_id_from_type(SnortConfig* sc, uint64_t id, std::string type, + std::string file_category, std::string file_version, std::vector file_groups) +{ + FileConfig* conf = get_file_config(sc); + if (conf) + { + FileMeta rule(id, type, file_category, file_version, file_groups); + conf->process_file_rule(rule); + } +} } diff --git a/src/file_api/file_config.h b/src/file_api/file_config.h index 7dd3111c2..41d012437 100644 --- a/src/file_api/file_config.h +++ b/src/file_api/file_config.h @@ -24,6 +24,7 @@ // This provides the basic configuration for file processing #include "main/snort_config.h" +#include "detection/detection_engine.h" #include "file_api/file_identifier.h" #define DEFAULT_FILE_TYPE_DEPTH 1460 @@ -44,11 +45,10 @@ class FileConfig { public: - const FileMagicRule* get_rule_from_id(uint32_t) const; + const FileMeta* get_rule_from_id(uint32_t) const; void get_magic_rule_ids_from_type(const std::string&, const std::string&, snort::FileTypeBitSet&) const; - void process_file_rule(FileMagicRule&); - bool process_file_magic(FileMagicData&); + void process_file_rule(FileMeta&); uint32_t find_file_type_id(const uint8_t* buf, int len, uint64_t file_offset, void** context); std::string file_type_name(uint32_t id) const; @@ -69,6 +69,7 @@ public: bool trace_type = false; bool trace_signature = false; bool trace_stream = false; + SnortProtocolId snort_protocol_id = UNKNOWN_PROTOCOL_ID; private: FileIdentifier fileIdentifier; diff --git a/src/file_api/file_identifier.cc b/src/file_api/file_identifier.cc index 895c693b0..15fe3dede 100644 --- a/src/file_api/file_identifier.cc +++ b/src/file_api/file_identifier.cc 
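Review bot: The `#include "detection/detection_engine.h"` added to file_config.h is placed between `main/snort_config.h` and `file_api/file_identifier.h`, and nothing in the visible hunks of this header uses a name from detection_engine.h; the new member `SnortProtocolId snort_protocol_id = UNKNOWN_PROTOCOL_ID;` needs `target_based/snort_protocols.h`, which is the header the fp_detect.h and signature.h hunks in this same commit include for those types. If detection_engine.h is only pulling that in transitively, replace it with the direct include and keep the include list sorted. The new public member also deserves a comment on what it holds, e.g. `// service id under which the file_id rule group is registered`, hedged as presumably that is its role given `fp_eval_service_group(Packet*, SnortProtocolId)`.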
@@ -46,25 +46,16 @@ struct MergeNode { IdentifierNode* shared_node; /*the node that is shared*/ IdentifierNode* append_node; /*the node that is added*/ -} ; +}; -void FileMagicData::clear() -{ - content_str.clear(); - content.clear(); - offset = 0; -} - -void FileMagicRule::clear() +void FileMeta::clear() { rev = 0; - message.clear(); type.clear(); id = 0; category.clear(); version.clear(); groups.clear(); - file_magics.clear(); } void FileIdentifier::init_merge_hash() 
@@ -133,177 +124,21 @@ IdentifierNode* FileIdentifier::clone_node(IdentifierNode* start) return node; } -IdentifierNode* FileIdentifier::create_trie_from_magic(FileMagicRule& rule, uint32_t type_id) -{ - IdentifierNode* current; - IdentifierNode* root = nullptr; - - if (rule.file_magics.empty() || !type_id) - return nullptr; - - /* Content magics are sorted based on offset, this - * will help compile the file magic trio - */ - std::sort(rule.file_magics.begin(),rule.file_magics.end()); - - current = (IdentifierNode*)calloc_mem(sizeof(*current)); - current->state = ID_NODE_NEW; - root = current; - - for (auto magic:rule.file_magics) - { - unsigned int i; - current->offset = magic.offset; - for (i = 0; i < magic.content.size(); i++) - { - IdentifierNode* node = (IdentifierNode*)calloc_mem(sizeof(*node)); - uint8_t index = magic.content[i]; - node->offset = magic.offset + i + 1; - node->state = ID_NODE_NEW; - current->next[index] = node; - current = node; - } - } - - /*Last node has type name*/ - current->type_id = type_id; - return root; -} - -/*This function examines whether to update the trie based on shared state*/ - -bool FileIdentifier::update_next(IdentifierNode* start, IdentifierNode** next_ptr, - IdentifierNode* append) -{ - IdentifierNode* next = (*next_ptr); - MergeNode merge_node; - IdentifierNode* result; - - if (!append || (next == append)) - return false; - - merge_node.append_node = append; - merge_node.shared_node = next; - if (!next) - { - /*reuse the append*/ - *next_ptr = append; - set_node_state_shared(append); - return false; - } - else if ((result = (IdentifierNode*)identifier_merge_hash->find(&merge_node))) - { - /*the same pointer has been processed, reuse it*/ - *next_ptr = result; - set_node_state_shared(result); - return false; - } - else - { - if ((start->offset < append->offset) && (next->offset > append->offset)) - { - /*offset could have gap when non 0 offset is allowed */ - unsigned int index; - IdentifierNode* node = 
(IdentifierNode*)calloc_mem(sizeof(*node)); - merge_node.shared_node = next; - merge_node.append_node = append; - node->offset = append->offset; - - for (index = 0; index < MAX_BRANCH; index++) - { - node->next[index] = next; - } - - set_node_state_shared(next); - next = node; - identifier_merge_hash->insert(&merge_node, next); - } - else if (next->state == ID_NODE_SHARED) - { - /*shared, need to clone one*/ - IdentifierNode* current_next = next; - merge_node.shared_node = current_next; - merge_node.append_node = append; - next = clone_node(current_next); - set_node_state_shared(next); - identifier_merge_hash->insert(&merge_node, next); - } - - *next_ptr = next; - } - - return true; -} - -/* - * Append magic to existing trie - */ -void FileIdentifier::update_trie(IdentifierNode* start, IdentifierNode* append) -{ - unsigned int i; - - if ((!start )||(!append)||(start == append)) - return; - - if (start->offset == append->offset ) - { - /* when we come here, make sure this tree is not shared - * Update start trie using append information*/ - - assert(start->state != ID_NODE_SHARED); - - if (append->type_id) - { - if (start->type_id) - ParseWarning(WARN_RULES, "Duplicated type definition '%u -> %u at offset %u", - start->type_id, append->type_id, append->offset); - start->type_id = append->type_id; - } - - for (i = 0; i < MAX_BRANCH; i++) - { - if (update_next(start,&start->next[i], append->next[i])) - { - update_trie(start->next[i], append->next[i]); - } - } - } - else if (start->offset < append->offset ) - { - for (i = 0; i < MAX_BRANCH; i++) - { - if (update_next(start,&start->next[i], append)) - update_trie(start->next[i], append); - } - } -} - -void FileIdentifier::insert_file_rule(FileMagicRule& rule) +void FileIdentifier::add_file_id(FileMeta& rule) { - IdentifierNode* node; - if (!identifier_root) { identifier_root = (IdentifierNode*)calloc_mem(sizeof(*identifier_root)); init_merge_hash(); } - if (rule.id >= FILE_ID_MAX) - { - ParseError("file type: rule id %u 
exceeds max id of %d", rule.id, FILE_ID_MAX-1); - return; - } - if (file_magic_rules[rule.id].id > 0) { - ParseError("file type: duplicated rule id %u defined", rule.id); + ParseError("file type: rule id %u found duplicate", rule.id); return; } file_magic_rules[rule.id] = rule; - - node = create_trie_from_magic(rule, rule.id); - update_trie(identifier_root, node); } /* @@ -359,7 +194,7 @@ uint32_t FileIdentifier::find_file_type_id(const uint8_t* buf, int len, uint64_t return file_type_id; } -const FileMagicRule* FileIdentifier::get_rule_from_id(uint32_t id) const +const FileMeta* FileIdentifier::get_rule_from_id(uint32_t id) const { if ((id < FILE_ID_MAX) && (file_magic_rules[id].id > 0)) { @@ -378,7 +213,10 @@ void FileIdentifier::get_magic_rule_ids_from_type(const std::string& type, { if (type == file_magic_rules[i].type) { - if (version.empty() or version == file_magic_rules[i].version) + std::string s = "\"", tmp; + if (!version.empty()) + tmp = s+version+s; + if (tmp.empty() or tmp == file_magic_rules[i].version) { ids_set.set(file_magic_rules[i].id); } 
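Review bot: add_file_id drops the `rule.id >= FILE_ID_MAX` guard but still indexes `file_magic_rules[rule.id]`, an array of FILE_ID_MAX + 1 entries per the file_identifier.h hunk further down, so an out-of-range id now writes past the array instead of producing a ParseError. The only remaining bound is the `1:1023` range on the file_meta option's id parameter, which is not applied when the option is omitted, and add_file_id is a public method reachable with any value. Keep the check: `if (rule.id >= FILE_ID_MAX) { ParseError("file type: rule id %u exceeds max id of %d", rule.id, FILE_ID_MAX-1); return; }`. The identifier_root allocation and init_merge_hash call are also kept although no trie is built from the rule any more; if nothing else reads identifier_root they can be removed with the trie code.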
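Review bot: get_magic_rule_ids_from_type now wraps the requested version in double quotes before comparing, which suggests the version stored by the file_meta option keeps its surrounding quotes while `type` is compared unquoted; that asymmetry belongs at parse time, not in every lookup. Strip the quotes once when the option value is parsed and keep the original `if (version.empty() or version == file_magic_rules[i].version)` here. The function's signature and loop header lie outside this hunk.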
@@ -400,44 +238,33 @@ TEST_CASE ("FileIdMemory", "[FileMagic]") TEST_CASE ("FileIdRulePDF", "[FileMagic]") { - FileMagicData magic; - - magic.content = "PDF"; - magic.offset = 0; - - FileMagicRule rule; + FileMeta rule; rule.type = "pdf"; - rule.file_magics.emplace_back(magic); rule.id = 1; FileIdentifier rc; - rc.insert_file_rule(rule); + rc.add_file_id(rule); const char* data = "PDF"; void* context = nullptr; - CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == 1); + CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == + SNORT_FILE_TYPE_UNKNOWN); } TEST_CASE ("FileIdRuleUnknow", "[FileMagic]") { - FileMagicData magic; - - magic.content = "PDF"; - magic.offset = 0; - - FileMagicRule rule; + FileMeta rule; rule.type = "pdf"; - rule.file_magics.emplace_back(magic); rule.id = 1; FileIdentifier rc; - rc.insert_file_rule(rule); + rc.add_file_id(rule); const char* data = "DDF"; 
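Review bot: FileIdRulePDF and FileIdRuleUnknow now assert SNORT_FILE_TYPE_UNKNOWN for every input, and the same holds for FileIdRuleEXE, FileIdRulePDFEXE and FileIdRuleFirst in the next hunk, so the tests no longer distinguish a matching rule from a missing one and their names describe behaviour that was removed. Either rename them to state that FileIdentifier alone never identifies a type, or make them exercise what add_file_id still does, e.g. `CHECK(rc.get_rule_from_id(1)->type == "pdf");` plus a duplicate-id case. The comment `// Match the last one` in FileIdRulePDFEXE is now wrong as well.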
@@ -449,102 +276,72 @@ TEST_CASE ("FileIdRuleUnknow", "[FileMagic]") TEST_CASE ("FileIdRuleEXE", "[FileMagic]") { - FileMagicData magic; - - magic.content = "PDF"; - magic.offset = 0; - - FileMagicRule rule; + FileMeta rule; rule.type = "exe"; - rule.file_magics.emplace_back(magic); rule.id = 1; FileIdentifier rc; - rc.insert_file_rule(rule); - - magic.clear(); - magic.content = "EXE"; - magic.offset = 0; + rc.add_file_id(rule); rule.clear(); rule.type = "exe"; - rule.file_magics.emplace_back(magic); rule.id = 3; - rc.insert_file_rule(rule); + rc.add_file_id(rule); const char* data = "PDFooo"; void* context = nullptr; - CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == 1); + CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == + SNORT_FILE_TYPE_UNKNOWN); } TEST_CASE ("FileIdRulePDFEXE", "[FileMagic]") { - FileMagicData magic; - - magic.content = "PDF"; - magic.offset = 0; - - FileMagicRule rule; + FileMeta rule; rule.type = "exe"; - rule.file_magics.emplace_back(magic); rule.id = 1; FileIdentifier rc; - rc.insert_file_rule(rule); - - magic.clear(); - magic.content = "EXE"; - magic.offset = 3; + rc.add_file_id(rule); rule.clear(); rule.type = "exe"; - rule.file_magics.emplace_back(magic); rule.id = 3; - rc.insert_file_rule(rule); + rc.add_file_id(rule); const char* data = "PDFEXE"; void* context = nullptr; // Match the last one - CHECK((rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == 3)); + CHECK((rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == + SNORT_FILE_TYPE_UNKNOWN)); } TEST_CASE ("FileIdRuleFirst", "[FileMagic]") { - FileMagicData magic; - - magic.content = "PDF"; - magic.offset = 0; - - FileMagicRule rule; + FileMeta rule; rule.type = "exe"; - rule.file_magics.emplace_back(magic); rule.id = 1; FileIdentifier rc; - rc.insert_file_rule(rule); - - magic.clear(); - magic.content = "EXE"; - magic.offset = 3; + rc.add_file_id(rule); rule.clear(); rule.type = 
"exe"; - rule.file_magics.emplace_back(magic); rule.id = 3; - rc.insert_file_rule(rule); + rc.add_file_id(rule); const char* data = "PDF"; void* context = nullptr; - CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == 1); + CHECK(rc.find_file_type_id((const uint8_t*)data, strlen(data), 0, &context) == + SNORT_FILE_TYPE_UNKNOWN); } #endif diff --git a/src/file_api/file_identifier.h b/src/file_api/file_identifier.h index 06edc035a..eb9c16dce 100644 --- a/src/file_api/file_identifier.h +++ b/src/file_api/file_identifier.h @@ -45,33 +45,21 @@ enum IdNodeState ID_NODE_SHARED }; -class FileMagicData -{ -public: - void clear(); - std::string content_str; /* magic content to match*/ - std::string content; /* magic content raw values*/ - uint32_t offset; /* pattern search start offset */ - bool operator <(const FileMagicData& magic) const - { - return (offset < magic.offset); - } -}; - -typedef std::vector FileMagics; - -class FileMagicRule +class FileMeta { public: + FileMeta() { } + FileMeta(uint type_id, const std::string& type_name, const std::string& file_category, const std::string& + file_version, const std::vector& file_groups) + : id(type_id), type(type_name),category(file_category),version(file_version),groups( + file_groups) { } void clear(); uint32_t rev = 0; uint32_t id = 0; - std::string message; std::string type; std::string category; std::string version; std::vector groups; - FileMagics file_magics; }; struct IdentifierNode @@ -89,9 +77,9 @@ class FileIdentifier public: ~FileIdentifier(); uint32_t memory_usage() const { return memory_used; } - void insert_file_rule(FileMagicRule& rule); + void add_file_id(FileMeta& rule); uint32_t find_file_type_id(const uint8_t* buf, int len, uint64_t offset, void** context); - const FileMagicRule* get_rule_from_id(uint32_t) const; + const FileMeta* get_rule_from_id(uint32_t) const; void get_magic_rule_ids_from_type(const std::string&, const std::string&, snort::FileTypeBitSet&) const; 
@@ -101,14 +89,13 @@ private: void set_node_state_shared(IdentifierNode* start); IdentifierNode* clone_node(IdentifierNode* start); bool update_next(IdentifierNode* start, IdentifierNode** next_ptr, IdentifierNode* append); - IdentifierNode* create_trie_from_magic(FileMagicRule& rule, uint32_t type_id); void update_trie(IdentifierNode* start, IdentifierNode* append); /*properties*/ IdentifierNode* identifier_root = nullptr; /*Root of magic tries*/ uint32_t memory_used = 0; /*Track memory usage*/ snort::GHash* identifier_merge_hash = nullptr; - FileMagicRule file_magic_rules[FILE_ID_MAX + 1]; + FileMeta file_magic_rules[FILE_ID_MAX + 1]; IDMemoryBlocks id_memory_blocks; }; diff --git a/src/file_api/file_lib.cc b/src/file_api/file_lib.cc index 61bacf00b..1056d1ece 100644 --- a/src/file_api/file_lib.cc +++ b/src/file_api/file_lib.cc @@ -39,6 +39,7 @@ #include "main/snort_config.h" #include "managers/inspector_manager.h" #include "packet_tracer/packet_tracer.h" +#include "profiler/profiler.h" #include "protocols/packet.h" #include "utils/util.h" #include "utils/util_utf.h" @@ -52,9 +53,12 @@ #include "file_segment.h" #include "file_stats.h" #include "file_module.h" +#include "detection/fp_detect.h" using namespace snort; +THREAD_LOCAL ProfileStats file_perf_stats; + // Convert UTF16-LE file name to UTF-8. // Returns allocated name. Caller responsible for freeing the buffer. char* FileContext::get_UTF8_fname(size_t* converted_len) @@ -187,6 +191,11 @@ uint64_t FileInfo::get_file_size() const return file_size; } +void FileInfo::set_file_type(uint64_t id) +{ + file_type_id = id; +} + uint32_t FileInfo::get_file_type() const { return file_type_id; @@ -451,6 +460,7 @@ void FileContext::check_policy(Flow* flow, FileDirection dir, FilePolicyBase* po bool FileContext::process(Packet* p, const uint8_t* file_data, int data_size, FilePosition position, FilePolicyBase* policy) { + Profile profile(file_perf_stats); Flow* flow = p->flow; if ( config->trace_stream ) 
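Review bot: update_next and update_trie stay declared as private members here although their definitions are deleted in the file_identifier.cc hunk above, leaving declared-but-undefined functions; clone_node, set_node_state_shared and identifier_merge_hash look similarly orphaned once create_trie_from_magic is gone, though any remaining callers are outside this view. Remove the declarations together with the definitions, or keep the trie code in one piece, so the header reflects what the class still does.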
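Review bot: FileInfo::set_file_type takes a `uint64_t id` but assigns it to file_type_id, which get_file_type returns as uint32_t, so the upper half is silently discarded; the declaration in the file_lib.h hunk further down names the parameter `index`, which matches neither. Take `uint32_t id` in both places (ids are bounded to 1:1023 by the file_meta option) and use one parameter name. The member itself is declared outside this hunk.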
@@ -484,7 +494,7 @@ bool FileContext::process(Packet* p, const uint8_t* file_data, int data_size, /*file type id*/ if (is_file_type_enabled()) { - process_file_type(file_data, data_size, position); + process_file_type(p, file_data, data_size, position); /*Don't care unknown file type*/ if (get_file_type() == SNORT_FILE_TYPE_UNKNOWN) @@ -613,13 +623,12 @@ bool FileContext::process(Packet* p, const uint8_t* file_data, int data_size, * 3) file magics are exhausted in depth * */ -void FileContext::process_file_type(const uint8_t* file_data, int data_size, FilePosition position) +void FileContext::find_file_type_from_ips(Packet* pkt, const uint8_t* file_data, int + data_size, + FilePosition position) { - /* file type already found and no magics to continue */ - if (file_type_id && !file_type_context) - return; - bool depth_exhausted = false; + bool set_file_context = false; if ((int64_t)processed_bytes + data_size >= config->file_type_depth) { 
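Review bot: the block comment ending in `* 3) file magics are exhausted in depth` still documents the trie-based process_file_type, but the function beneath it is now find_file_type_from_ips, which runs the file_id rule group over the buffered data; the comment should say that the type is set by a matching rule's file_meta option and that the limit is config->file_type_depth. The three-way wrapped signature `int` / `data_size,` / `FilePosition position)` reads as a formatting accident; the next hunk wraps the same parameters on two lines. The function body continues in the following hunk.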
@@ -627,15 +636,42 @@ void FileContext::process_file_type(const uint8_t* file_data, int data_size, Fil
         assert(data_size > 0);
         depth_exhausted = true;
     }
-
-    file_type_id =
-        config->find_file_type_id(file_data, data_size, processed_bytes, &file_type_context);
-
+    const FileConfig* const conf = get_file_config();
+    DetectionEngine de;
+    Packet* p = DetectionEngine::get_current_packet();
+    p->flow = pkt->flow;
+    p->pkth = pkt->pkth;
+
+    p->context->file_data = { file_data, (unsigned int)data_size };
+    p->context->file_pos = processed_bytes;
+    p->context->file_type_process = true;
+    p->context->set_snort_protocol_id(conf->snort_protocol_id);
+    p->packet_flags |= PKT_ALLOW_MULTIPLE_DETECT;
+    p->proto_bits |= PROTO_BIT__PDU;
+
+    FileFlows* files = FileFlows::get_file_flows(p->flow, false);
+    if (files and (!files->get_current_file_context() or files->get_current_file_context() != this))
+    {
+        files->set_current_file_context(this);
+        set_file_context =true;
+    }
+    fp_eval_service_group(p, conf->snort_protocol_id);
+    if (set_file_context)
+    {
+        files->set_current_file_context(nullptr);
+    }
     /* Check whether file transfer is done or type depth is reached */
-    if ( (position == SNORT_FILE_END) || (position == SNORT_FILE_FULL) || depth_exhausted )
+    if ((position == SNORT_FILE_END) || (position == SNORT_FILE_FULL) || depth_exhausted)
         finalize_file_type();
 }
 
+void FileContext::process_file_type(Packet* pkt,const uint8_t* file_data, int data_size,
+    FilePosition position)
+{
+    /* file type already found and no magics to continue */
+    find_file_type_from_ips(pkt, file_data, data_size, position);
+}
+
 void FileContext::process_file_signature_sha256(const uint8_t* file_data, int data_size,
     FilePosition position)
 {
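Review bot: `conf` from get_file_config() is dereferenced for snort_protocol_id without a null check, while FileService::post_init and verify_reload in this same change guard the identical call with `if (!conf) return;`; p->context is dereferenced the same way. If the config can be null here the engine setup should be skipped before touching it, and if it cannot an `assert(conf)` documents that. The comment `/* file type already found and no magics to continue */` in the new process_file_type described the early return that this hunk deletes and is now misleading; the removal also means rule evaluation runs for every data segment until depth or end of file, which is worth stating there. `set_file_context =true` and the C-style `(unsigned int)data_size` are minor style nits.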
@@ -896,32 +932,3 @@ void FileContext::print(std::ostream& log) log << "File size: " << file_size << std::endl; log << "Processed size: " << processed_bytes << std::endl; } - -/** -bool file_IDs_from_type(const void *conf, const char *type, - uint32_t **ids, uint32_t *count) -{ - if ( !type ) - return false; - - return get_ids_from_type(conf, type, ids, count); -} - -bool file_IDs_from_type_version(const void *conf, const char *type, - const char *version, uint32_t **ids, uint32_t *count ) -{ - if ( !type || !version ) - return false; - - return get_ids_from_type_version(conf, type, version, ids, count); -} - -bool file_IDs_from_group(const void *conf, const char *group, - uint32_t **ids, uint32_t *count) -{ - if ( !group ) - return false; - - return get_ids_from_group(conf, group, ids, count); -} - **/ diff --git a/src/file_api/file_lib.h b/src/file_api/file_lib.h index 7c9ab5da1..6266728df 100644 --- a/src/file_api/file_lib.h +++ b/src/file_api/file_lib.h @@ -54,6 +54,7 @@ public: FileInfo(const FileInfo& other); FileInfo& operator=(const FileInfo& other); uint32_t get_file_type() const; + void set_file_type(uint64_t index); void set_file_name(const char* file_name, uint32_t name_size); void set_url(const char* url, uint32_t url_size); std::string& get_file_name(); @@ -132,7 +133,6 @@ public: bool process(Packet*, const uint8_t* file_data, int data_size, FilePosition, FilePolicyBase*); bool process(Packet*, const uint8_t* file_data, int data_size, uint64_t offset, FilePolicyBase*, FilePosition position=SNORT_FILE_POSITION_UNKNOWN); - void process_file_type(const uint8_t* file_data, int data_size, FilePosition); void process_file_signature_sha256(const uint8_t* file_data, int data_size, FilePosition); void update_file_size(int data_size, FilePosition position); void stop_file_capture(); 
@@ -163,8 +163,10 @@ private: FileConfig* config; bool cacheable = true; - inline void finalize_file_type(); - inline void finish_signature_lookup(Packet*, bool, FilePolicyBase*); + void finalize_file_type(); + void finish_signature_lookup(Packet*, bool, FilePolicyBase*); + void find_file_type_from_ips(Packet*, const uint8_t *file_data, int data_size, FilePosition); + void process_file_type(Packet*, const uint8_t* file_data, int data_size, FilePosition); }; } #endif diff --git a/src/file_api/file_module.cc b/src/file_api/file_module.cc index c38214368..275d28f49 100644 --- a/src/file_api/file_module.cc +++ b/src/file_api/file_module.cc @@ -38,49 +38,12 @@ #include "file_service.h" #include "file_stats.h" +#include "parser/parser.h" + using namespace snort; THREAD_LOCAL const Trace* file_trace = nullptr; - -static const Parameter file_magic_params[] = -{ - { "content", Parameter::PT_STRING, nullptr, nullptr, - "file magic content" }, - - { "offset", Parameter::PT_INT, "0:max32", "0", - "file magic offset" }, - - { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } -}; - -static const Parameter file_rule_params[] = -{ - { "rev", Parameter::PT_INT, "0:max32", "0", - "rule revision" }, - - { "msg", Parameter::PT_STRING, nullptr, nullptr, - "information about the file type" }, - - { "type", Parameter::PT_STRING, nullptr, nullptr, - "file type name" }, - - { "id", Parameter::PT_INT, "0:max32", "0", - "file type id" }, - - { "category", Parameter::PT_STRING, nullptr, nullptr, - "file type category" }, - - { "group", Parameter::PT_STRING, nullptr, nullptr, - "comma separated list of groups associated with file type" }, - - { "version", Parameter::PT_STRING, nullptr, nullptr, - "file type version" }, - - { "magic", Parameter::PT_LIST, file_magic_params, nullptr, - "list of file magic rules" }, - - { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } -}; +extern THREAD_LOCAL snort::ProfileStats file_perf_stats; static const Parameter file_id_params[] = { 
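Review bot: the new find_file_type_from_ips declaration writes `const uint8_t *file_data` while the process_file_type declaration on the next line and the rest of this header write `const uint8_t* file_data`; use the latter. Dropping `inline` from finalize_file_type and finish_signature_lookup is fine for out-of-line definitions, but the hunk does not show whether their definitions in file_lib.cc still carry it.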
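Review bot: `extern THREAD_LOCAL snort::ProfileStats file_perf_stats;` declares in a .cc file a variable that file_lib.cc defines, so a later change to either side's type or storage class goes unnoticed until link time or later. Put the declaration in a header both files include (file_stats.h or file_lib.h are already included here) and drop the local extern.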
@@ -120,8 +83,8 @@ static const Parameter file_id_params[] = { "show_data_depth", Parameter::PT_INT, "0:max53", "100", "print this many octets" }, - { "file_rules", Parameter::PT_LIST, file_rule_params, nullptr, - "list of file magic rules" }, + { "rules_file", Parameter::PT_STRING, nullptr, nullptr, + "name of file with IPS rules for file identification" }, { "trace_type", Parameter::PT_BOOL, nullptr, "false", "enable runtime dump of type info" }, @@ -165,6 +128,9 @@ const TraceOption* FileIdModule::get_trace_options() const return &filetrace_options; } +ProfileStats* FileIdModule::get_profile() const +{ return &file_perf_stats; } + const PegInfo* FileIdModule::get_pegs() const { return file_pegs; } 
@@ -240,74 +206,11 @@ bool FileIdModule::set(const char*, Value& v, SnortConfig*) else if ( v.is("decompress_buffer_size") ) FileService::decode_conf.set_decompress_buffer_size(v.get_uint32()); - - else if ( v.is("rev") ) - rule.rev = v.get_uint32(); - - else if ( v.is("msg") ) - rule.message = v.get_string(); - - else if ( v.is("type") ) - rule.type = v.get_string(); - - else if ( v.is("id") ) - rule.id = v.get_uint32(); - - else if ( v.is("category") ) - rule.category = v.get_string(); - - else if ( v.is("group") ) + else if ( v.is("rules_file") ) { - std::istringstream stream(v.get_string()); - std::string tmpstr; - while (std::getline(stream, tmpstr, ',')) - { - rule.groups.emplace_back(tmpstr); - } - } - - else if ( v.is("version") ) - rule.version = v.get_string(); - - else if ( v.is("content") ) - magic.content_str = v.get_string(); - - else if ( v.is("offset") ) - magic.offset = v.get_uint32(); - - return true; -} - -bool FileIdModule::begin(const char* fqn, int idx, SnortConfig*) -{ - if (!idx) - return true; - - if ( !strcmp(fqn, "file_id.file_rules") ) - { - rule.clear(); - } - else if ( !strcmp(fqn, "file_id.file_rules.magic") ) - { - magic.clear(); - } - - return true; -} - -bool FileIdModule::end(const char* fqn, int idx, SnortConfig*) -{ - if (!idx) - return true; - - if ( !strcmp(fqn, "file_id.file_rules") ) - { - fc->process_file_rule(rule); - } - else if ( !strcmp(fqn, "file_id.file_rules.magic") ) - { - fc->process_file_magic(magic); - rule.file_magics.emplace_back(magic); + std::string s = "include "; + s += v.get_string(); + parser_append_rules_special(s.c_str()); } return true; @@ -329,3 +232,4 @@ void FileIdModule::reset_stats() file_stats_clear(); Module::reset_stats(); } + diff --git a/src/file_api/file_module.h b/src/file_api/file_module.h index 97d120083..a394bdadf 100644 --- a/src/file_api/file_module.h +++ b/src/file_api/file_module.h 
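Review bot: the `rules_file` handler builds `"include " + v.get_string()` and hands it to parser_append_rules_special without checking that the value is non-empty or names a readable file, so a mistyped path is reported, if at all, by the rule parser with no reference to file_id.rules_file. Validate here first, e.g. `if (v.get_string().empty()) return false;` and a readability check, before appending. Whether parser_append_rules_special copes with paths containing spaces is not visible from this hunk.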
@@ -48,9 +48,8 @@ public: ~FileIdModule() override; bool set(const char*, snort::Value&, snort::SnortConfig*) override; - bool begin(const char*, int, snort::SnortConfig*) override; - bool end(const char*, int, snort::SnortConfig*) override; + snort::ProfileStats* get_profile() const override; const PegInfo* get_pegs() const override; PegCount* get_counts() const override; @@ -73,8 +72,7 @@ public: const snort::RuleMap* get_rules() const override; private: - FileMagicRule rule; - FileMagicData magic; + FileMeta rule; FileConfig *fc = nullptr; }; diff --git a/src/file_api/file_service.cc b/src/file_api/file_service.cc index 47480e341..ecd7688ac 100644 --- a/src/file_api/file_service.cc +++ b/src/file_api/file_service.cc @@ -63,7 +63,7 @@ void FileService::post_init() { MimeSession::init(); - const FileConfig* const conf = get_file_config(); + FileConfig* const conf = get_file_config(); if (!conf) return; @@ -82,11 +82,13 @@ void FileService::post_init() capture_memcap = conf->capture_memcap; capture_block_size = conf->capture_block_size; } + const SnortConfig* sc = SnortConfig::get_conf(); + conf->snort_protocol_id = sc->proto_ref->find("file_id"); } void FileService::verify_reload(const SnortConfig* sc) { - const FileConfig* const conf = get_file_config(sc); + FileConfig* const conf = get_file_config(sc); if (!conf) return; @@ -101,6 +103,11 @@ void FileService::verify_reload(const SnortConfig* sc) if (capture_block_size != conf->capture_block_size) ReloadError("Changing file_id.capture_block_size requires a restart.\n"); } + + if (conf->snort_protocol_id == UNKNOWN_PROTOCOL_ID) + { + conf->snort_protocol_id = sc->proto_ref->find("file_id"); + } } void FileService::close() diff --git a/src/framework/base_api.h b/src/framework/base_api.h index df2b91e60..ccf1b4099 100644 --- a/src/framework/base_api.h +++ b/src/framework/base_api.h 
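Review bot: FileIdModule keeps a private `FileMeta rule;` member, but with begin() and end() removed and set() no longer touching it in the file_module.cc hunk, nothing visible in this change reads or writes it; unless it is used elsewhere the member should go together with the old file_rules parsing it served.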
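Review bot: `conf->snort_protocol_id = sc->proto_ref->find("file_id")` accepts whatever find returns, and verify_reload in the next hunk treats UNKNOWN_PROTOCOL_ID as "not resolved yet", so a configuration where the file_id service was never registered leaves the id unknown and find_file_type_from_ips will evaluate against that group; a ParseWarning when the lookup yields UNKNOWN_PROTOCOL_ID would surface that at startup. Dropping `const` from `conf` just to store this derived value is acceptable, but the field's comment in file_config.h should say it is filled in by post_init rather than by the module.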
@@ -29,7 +29,7 @@ // this is the current version of the base api // must be prefixed to subtype version -#define BASE_API_VERSION 13 +#define BASE_API_VERSION 14 // set options to API_OPTIONS to ensure compatibility #ifndef API_OPTIONS diff --git a/src/framework/cursor.cc b/src/framework/cursor.cc index f4c32cbaa..9f3e3591c 100644 --- a/src/framework/cursor.cc +++ b/src/framework/cursor.cc @@ -28,6 +28,7 @@ #include "detection/detection_engine.h" #include "detection/detection_util.h" #include "protocols/packet.h" +#include "detection/ips_context.h" using namespace snort; @@ -44,6 +45,7 @@ Cursor::Cursor(const Cursor& rhs) buf = rhs.buf; sz = rhs.sz; pos = rhs.pos; + file_pos = rhs.file_pos; if (rhs.data) { @@ -95,17 +97,16 @@ void Cursor::set_data(CursorData* cd) void Cursor::reset(Packet* p) { - if ( p->flow and p->flow->gadget ) + if (p->flow and p->flow->gadget) { const DataBuffer& buf = DetectionEngine::get_alt_buffer(p); - if ( buf.len ) + if (buf.len) { set("alt_data", buf.data, buf.len); return; } } - set("pkt_data", p->data, p->get_detect_limit()); } diff --git a/src/framework/cursor.h b/src/framework/cursor.h index f5362a204..4954f0bd8 100644 --- a/src/framework/cursor.h +++ b/src/framework/cursor.h @@ -85,6 +85,12 @@ public: void set(const char* s, const uint8_t* b, unsigned n) { name = s; buf = b; sz = n; pos = delta = 0; } + void set(const char* s, const uint8_t* b, unsigned n, unsigned pos_file) + { + file_pos = pos_file; + name = s; buf = b; sz = n; pos = delta = 0; + } + const uint8_t* buffer() const { return buf; } @@ -127,6 +133,17 @@ public: return true; } + bool set_pos_file(unsigned n) + { + file_pos = n; + return true; + } + + unsigned get_file_pos() const + { + return file_pos; + } + bool set_delta(unsigned n) { if (n > sz) 
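Review bot: set_pos_file returns bool but can only return true, unlike the neighbouring set_pos and set_delta which validate `n > sz`; either make it `void set_pos_file(unsigned n) { file_pos = n; }` or give the bool a meaning. The new four-argument set() overload is the old set() plus one assignment, so it could delegate, `{ set(s, b, n); file_pos = pos_file; }`, and neither it nor get_file_pos carries a comment saying what file_pos is relative to (the offset of this buffer within the file, judging by how ips_content subtracts it from a content offset).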
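Review bot: Cursor's copy constructor now copies file_pos; if Cursor also defines a copy-assignment operator (not visible here) it needs the same line, otherwise file_pos silently reverts to 0 on assignment. With the member initializer `unsigned file_pos = 0;` in place this only matters for an explicit operator=.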
@@ -145,6 +162,7 @@ private: unsigned sz = 0; // size of buffer unsigned pos = 0; // current pos unsigned delta = 0; // loop offset + unsigned file_pos = 0; // file pos CursorDataVec* data = nullptr; // data stored on the cursor }; diff --git a/src/framework/file_policy.cc b/src/framework/file_policy.cc index cd74d6cc1..717b16703 100644 --- a/src/framework/file_policy.cc +++ b/src/framework/file_policy.cc @@ -78,7 +78,7 @@ bool FilePolicy::get_file_capture() const return capture_enabled; } -void FilePolicy::insert_file_rule(FileRule& rule) +void FilePolicy::add_file_id(FileRule& rule) { file_rules.emplace_back(rule); diff --git a/src/framework/file_policy.h b/src/framework/file_policy.h index a0fe8cc07..393af19ee 100644 --- a/src/framework/file_policy.h +++ b/src/framework/file_policy.h @@ -69,7 +69,7 @@ public: // This is called after file signature is complete FileVerdict signature_lookup(snort::Packet*, snort::FileInfo*) override; - void insert_file_rule(FileRule&); + void add_file_id(FileRule&); void set_file_type(bool enabled); void set_file_signature(bool enabled); void set_file_capture(bool enabled); diff --git a/src/framework/ips_action.h b/src/framework/ips_action.h index 160ec6a74..33e9ced3d 100644 --- a/src/framework/ips_action.h +++ b/src/framework/ips_action.h @@ -46,6 +46,7 @@ class SO_PUBLIC IpsAction public: enum IpsActionPriority : uint16_t { + IAP_OTHER = 1, IAP_LOG = 10, IAP_ALERT = 20, IAP_REWRITE = 30, diff --git a/src/ips_options/CMakeLists.txt b/src/ips_options/CMakeLists.txt index 445143c0a..bb51945d9 100644 --- a/src/ips_options/CMakeLists.txt +++ b/src/ips_options/CMakeLists.txt @@ -57,6 +57,7 @@ set (IPS_SOURCES ips_detection_filter.cc ips_dsize.cc ips_file_data.cc + ips_file_meta.cc ips_flow.cc ips_flowbits.cc ips_flowbits.h diff --git a/src/ips_options/ips_content.cc b/src/ips_options/ips_content.cc index 3fe853233..1b00b05ca 100644 --- a/src/ips_options/ips_content.cc +++ b/src/ips_options/ips_content.cc 
@@ -68,6 +68,7 @@ public: int8_t offset_var; /* byte_extract variable indices for offset, */ int8_t depth_var; /* depth, distance, within */ + bool offset_set = false; unsigned match_delta; /* Maximum distance we can jump to search for this pattern again. */ }; @@ -298,7 +299,14 @@ static int uniSearchReal(ContentData* cd, Cursor& c) depth = cd->pmd.depth; int pos = c.get_delta(); + int file_pos = c.get_file_pos(); + if (file_pos and cd->offset_set) + { + offset -= file_pos; + if (offset < 0) + return 0; + } if ( !pos ) { if ( cd->pmd.is_relative() ) @@ -446,6 +454,7 @@ static void parse_offset(ContentData* cd, const char* data) { cd->pmd.offset = parse_int(data, "offset"); cd->offset_var = IPS_OPTIONS_NO_VAR; + cd->offset_set = true; } else { diff --git a/src/ips_options/ips_file_data.cc b/src/ips_options/ips_file_data.cc index d69ca1072..207072d80 100644 --- a/src/ips_options/ips_file_data.cc +++ b/src/ips_options/ips_file_data.cc @@ -57,8 +57,8 @@ IpsOption::EvalStatus FileDataOption::eval(Cursor& c, Packet* p) if ( !dp.data || !dp.len ) return NO_MATCH; - c.set(s_name, dp.data, dp.len); + c.set_pos_file(p->context->file_pos); return MATCH; } diff --git a/src/ips_options/ips_file_meta.cc b/src/ips_options/ips_file_meta.cc new file mode 100644 index 000000000..21c9d5922 --- /dev/null +++ b/src/ips_options/ips_file_meta.cc 
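Review bot: the file-position adjustment in uniSearchReal is applied only when `cd->offset_set` is true, i.e. when offset was given as a literal in parse_offset; an offset taken from a byte_extract variable (offset_var) is, as far as this hunk shows, never reduced by file_pos, so the same rule behaves differently depending on how offset is spelled. Either apply the subtraction after the variable is resolved or document that file-relative offsets require a literal. `int file_pos = c.get_file_pos();` also converts an unsigned to int; `offset` is declared outside the hunk, so its width is not visible here.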
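Review bot: `c.set_pos_file(p->context->file_pos)` passes a file position that find_file_type_from_ips sets from the 64-bit processed_bytes into a parameter declared `unsigned`, so positions beyond 4 GiB wrap and content offsets computed from them become wrong rather than simply unmatched. Either widen file_pos in Cursor and IpsContext to uint64_t or return NO_MATCH once it exceeds what the cursor can hold. As rendered, the hunk removes `c.set(s_name, dp.data, dp.len)` without replacing it, which would leave the cursor on the previous buffer; if the rendered diff is complete that is a bug, and the rest of eval() is outside the hunk.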
@@ -0,0 +1,182 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2022-2022 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// Author: Bhargava Jandhyala
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include
+
+#include "detection/detection_engine.h"
+#include "detection/treenodes.h"
+#include "file_api/file_flows.h"
+#include "framework/cursor.h"
+#include "framework/ips_option.h"
+#include "framework/module.h"
+#include "main/thread_config.h"
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
+
+using namespace snort;
+
+#define s_name "file_meta"
+
+//--------------------------------------------------------------------------
+// file_meta option config
+//--------------------------------------------------------------------------
+
+struct FileMetaData
+{
+ uint32_t file_id;
+ std::string file_type;
+ std::string category;
+ std::string version;
+ std::vector groups;
+};
+
+//-------------------------------------------------------------------------
+// module
+//-------------------------------------------------------------------------
+
+static const Parameter s_params[] =
+{
+ { "type", Parameter::PT_STRING, nullptr, nullptr,
+ "file type to set" },
+
+ { "id", Parameter::PT_INT, "1:1023", nullptr,
+ "file type id" },
+
+ { "category", Parameter::PT_STRING, nullptr, nullptr,
+ "file type category" },
+
+ { "group", Parameter::PT_STRING, nullptr, nullptr,
+ "comma separated list of groups associated with file type" },
+
+ { "version", Parameter::PT_STRING, nullptr, nullptr,
+ "file type version" },
+
+ { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
+#define s_help \
+ "rule option to set file metadata (file type and id)"
+
+class FileMetaModule : public Module
+{
+public:
+ FileMetaModule() : Module(s_name, s_help, s_params) { }
+ bool set(const char*, Value&, SnortConfig*) override;
+ bool end(const char*, int, SnortConfig*) override;
+
+ Usage get_usage() const override
+ {
+ return DETECT;
+ }
+
+public:
+ FileMetaData fmc;
+};
+
+bool FileMetaModule::set(const char*, Value& v, SnortConfig*)
+{
+ if (v.is("type"))
+ {
+ fmc.file_type = v.get_string();
+ }
+ else if (v.is("id"))
+ {
+ fmc.file_id = v.get_uint32();
+ }
+ else if (v.is("category"))
+ {
+ fmc.category = v.get_string();
+ }
+ else if (v.is("group"))
+ {
+ std::istringstream stream(v.get_string());
+ std::string tmpstr;
+ while (std::getline(stream, tmpstr, ','))
+ {
+ fmc.groups.emplace_back(tmpstr);
+ }
+ }
+ else if (v.is("version"))
+ fmc.version = v.get_string();
+ else
+ return false;
+
+ return true;
+}
+
+bool FileMetaModule::end(const char*, int, SnortConfig* sc)
+{
+ set_rule_id_from_type(sc, fmc.file_id, fmc.file_type,fmc.category, fmc.version, fmc.groups);
+ return true;
+}
+
+//-------------------------------------------------------------------------
+// api methods
+//-------------------------------------------------------------------------
+
+static Module* mod_ctor()
+{
+ return new FileMetaModule;
+}
+
+static void mod_dtor(Module* m)
+{
+ delete m;
+}
+
+static IpsOption* file_meta_ctor(Module* p, OptTreeNode* otn)
+{
+ FileMetaModule* m = (FileMetaModule*)p;
+ otn->sigInfo.file_id = m->fmc.file_id;
+ return nullptr;
+}
+
+static const IpsApi file_meta_api =
+{
+ {
+ PT_IPS_OPTION,
+ sizeof(IpsApi),
+ IPSAPI_VERSION,
+ 0,
+ API_RESERVED,
+ API_OPTIONS,
+ s_name,
+ s_help,
+ mod_ctor,
+ mod_dtor
+ },
+ OPT_TYPE_META,
+ 1,
+ PROTO_BIT__NONE,
+ nullptr,
+ nullptr,
+ nullptr,
+ nullptr,
+ file_meta_ctor,
+ nullptr,
+ nullptr
+};
+
+const BaseApi* ips_file_meta = &file_meta_api.base;
+
diff --git a/src/ips_options/ips_options.cc b/src/ips_options/ips_options.cc
index 31fcb2bb1..5886c0a74 100644
--- a/src/ips_options/ips_options.cc
+++ b/src/ips_options/ips_options.cc
@@ -32,6 +32,7 @@ extern const BaseApi* ips_content;
 extern const BaseApi* ips_detection_filter;
 extern const BaseApi* ips_dsize;
 extern const BaseApi* ips_file_data;
+extern const BaseApi* ips_file_meta;
 extern const BaseApi* ips_flow;
 extern const BaseApi* ips_flowbits;
 extern const BaseApi* ips_md5;
@@ -99,6 +100,7 @@ static const BaseApi* ips_options[] =
 ips_detection_filter,
 ips_dsize,
 ips_file_data,
+ ips_file_meta,
 ips_flow,
 ips_flowbits,
 ips_md5,
diff --git a/src/main/policy.cc b/src/main/policy.cc
index 2e62e3d8b..ab699fb00 100644
--- a/src/main/policy.cc
+++ b/src/main/policy.cc
@@ -119,7 +119,7 @@ FilePolicy* NetworkPolicy::get_file_policy() const
 { return file_policy; }
 
 void NetworkPolicy::add_file_policy_rule(FileRule& file_rule)
-{ file_policy->insert_file_rule(file_rule); }
+{ file_policy->add_file_id(file_rule); }
 
 InspectionPolicy* NetworkPolicy::get_user_inspection_policy(unsigned user_id)
 {
diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc
index bce02f307..4f1b3e886 100644
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -92,6 +92,8 @@ static bool s_capture = false;
 static std::string s_type;
 static std::string s_body;
 
+static bool action_file_id = false;
+
 struct SoRule
 {
 SoRule(RuleTreeNode* rtn, const OptTreeNode* otn) :
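Review bot: `FileMetaModule::fmc` is never reset between rules: `set()` appends to `fmc.groups` and overwrites the other fields only when their keyword appears, and `file_id` has no initializer, so unless a fresh module is constructed for every rule, a `file_meta` option that omits `id` or `group` hands a stale or indeterminate value to `set_rule_id_from_type` in `end()` and to `otn->sigInfo.file_id` in `file_meta_ctor`. Adding `uint32_t file_id = 0;` to the struct and `bool begin(const char*, int, SnortConfig*) override { fmc = FileMetaData(); return true; }` to the module closes both gaps. The `group` parser also keeps whitespace around each comma-separated token, so `group:"a, b"` yields a group named `" b"`; trimming, or stating the no-spaces rule in the parameter help, would avoid surprising lookups. Minor: `(FileMetaModule*)p` in `file_meta_ctor` is a C-style cast; `static_cast<FileMetaModule*>(p)` is the idiomatic form.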
@@ -105,6 +107,9 @@ struct SoRule
 
 static SoRule* s_so_rule = nullptr;
 
+static bool rule_is_stateless()
+{ return action_file_id; }
+
 static int ValidateIPList(sfip_var_t* addrset, const char* token)
 {
 if (!addrset || !(addrset->head||addrset->neg_head))
@@ -773,6 +778,10 @@ void parse_rule_type(SnortConfig* sc, const char* s, RuleTreeNode& rtn)
 ParseError("unknown rule action '%s'", s);
 return;
 }
+ if (!strcmp(s,"file_id"))
+ action_file_id = true;
+ else
+ action_file_id = false;
 if ( sc->dump_rule_meta() )
 rtn.header = new RuleHeader(s);
@@ -785,7 +794,7 @@ void parse_rule_type(SnortConfig* sc, const char* s, RuleTreeNode& rtn)
 rtn.listhead = get_rule_list(sc, s);
 }
 
- if ( sc->get_default_rule_state() )
+ if ( sc->get_default_rule_state() or rule_is_stateless() )
 rtn.set_enabled();
 }
@@ -1002,12 +1011,9 @@ OptTreeNode* parse_rule_open(SnortConfig* sc, RuleTreeNode& rtn, bool stub)
 OptTreeNode* otn = new OptTreeNode;
 otn->state = new OtnState[ThreadConfig::get_instance_max()];
 
- if ( !stub )
- otn->sigInfo.gid = GID_DEFAULT;
-
 otn->snort_protocol_id = rtn.snort_protocol_id;
 
- if ( sc->get_default_rule_state() )
+ if ( sc->get_default_rule_state() or rule_is_stateless() )
 rtn.set_enabled();
 
 IpsManager::reset_options();
@@ -1020,9 +1026,6 @@ OptTreeNode* parse_rule_open(SnortConfig* sc, RuleTreeNode& rtn, bool stub)
 static void parse_rule_state(SnortConfig* sc, const RuleTreeNode& rtn, OptTreeNode* otn)
 {
- if ( !otn->sigInfo.gid )
- otn->sigInfo.gid = GID_DEFAULT;
-
 if ( otn->num_detection_opts )
 {
 ParseError("%u:%u rule state stubs do not support detection options",
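Review bot: In the `@@ -773` hunk the four-line `if (!strcmp(s,"file_id")) action_file_id = true; else action_file_id = false;` is a boolean assignment written as a branch; `action_file_id = !strcmp(s, "file_id");` says the same thing and matches the `if ( ... )` spacing used around it. Because `rule_is_stateless()` then makes `rtn.set_enabled()` unconditional in both `parse_rule_type` (`@@ -785`) and `parse_rule_open` (`@@ -1002`), a comment at the flag's definition such as `// file_id rules carry no alert state, so they are enabled regardless of the default rule state` would record why these rules bypass `get_default_rule_state()`. The file-static flag is set per rule here and read later in `parse_rule_close`, which is outside this hunk; naming that owner in the same comment would make the coupling visible. `parse_rule_type` starts and ends outside the hunk.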
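Review bot: The `@@ -1002` and `@@ -1020` hunks remove both places that defaulted `sigInfo.gid` to `GID_DEFAULT` (the `!stub` branch in `parse_rule_open` and the `!otn->sigInfo.gid` fallback in `parse_rule_state`) with no visible replacement; unless `SigInfo::gid` now carries `GID_DEFAULT` as an in-class initializer elsewhere in this change, rules that omit `gid` would keep gid 0, and neither the commit message nor the hunk says why the defaulting became unnecessary. A one-line comment at the removal site, e.g. `// gid defaults to GID_DEFAULT in SigInfo; stubs and file_id rules rely on that`, or a sentence in the description naming where the default now lives, would make the deletion reviewable. `parse_rule_state` continues outside the hunk.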
@@ -1193,6 +1196,11 @@ void parse_rule_close(SnortConfig* sc, RuleTreeNode& rtn, OptTreeNode* otn)
 std::string service = sc->proto_ref->get_name(otn->snort_protocol_id);
 add_service_to_otn(sc, otn, service.c_str());
 }
+ if (!otn->sigInfo.services.size() and action_file_id)
+ {
+ add_service_to_otn(sc, otn, "file_id");
+ action_file_id = false;
+ }
 
 validate_services(sc, otn);
 OtnLookupAdd(sc->otn_map, otn);
diff --git a/src/parser/parser.cc b/src/parser/parser.cc
index 9298f0b05..eaedc900b 100644
--- a/src/parser/parser.cc
+++ b/src/parser/parser.cc
@@ -68,6 +68,7 @@ using namespace snort;
 static struct rule_index_map_t* ruleIndexMap = nullptr;
 static std::string s_aux_rules;
+static std::string s_special_rules;
 
 class RuleTreeHashKeyOps : public HashKeyOperations
 {
@@ -427,6 +428,14 @@ void ParseRules(SnortConfig* sc)
 if ( p->enable_builtin_rules )
 ModuleManager::load_rules(sc);
 
+ if (!idx and !s_special_rules.empty())
+ {
+ push_parse_location("W", "./", "rule args");
+ parse_rules_string(sc, s_special_rules.c_str());
+ pop_parse_location();
+ s_special_rules.clear();
+ }
+
 if ( !p->include.empty() )
 {
 std::string path = p->includer;
@@ -451,7 +460,7 @@ void ParseRules(SnortConfig* sc)
 pop_parse_location();
 }
 
- if ( !idx and !s_aux_rules.empty() )
+ if (!idx and !s_aux_rules.empty())
 {
 p->includer.clear();
 push_parse_location("W", "./", "rule args");
@@ -844,6 +853,12 @@ void parser_append_rules(const char* s)
 s_aux_rules += "\n";
 }
 
+void parser_append_rules_special(const char *s)
+{
+ s_special_rules += s;
+ s_special_rules += "\n";
+}
+
 void parser_append_includes(const char* d)
 {
 Directory dir(d);
diff --git a/src/parser/parser.h b/src/parser/parser.h
index 3311259c3..0aacdeb1e 100644
--- a/src/parser/parser.h
+++ b/src/parser/parser.h
@@ -55,6 +55,7 @@ void VarTablesFree(snort::SnortConfig*);
 void parser_append_rules(const char*);
 void parser_append_includes(const char*);
+void parser_append_rules_special(const char *);
 
 int ParseBool(const char* arg);
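Review bot: `!otn->sigInfo.services.size()` is the long form of an emptiness test; `if ( otn->sigInfo.services.empty() and action_file_id )` reads directly and matches the `if ( ... )` spacing of the surrounding code. Clearing `action_file_id` inside the branch is only partial, since a file_id rule that already has explicit services leaves the flag set; that is harmless if `parse_rule_type` reassigns it for every rule, but a comment such as `// action_file_id is set per rule by parse_rule_type; consumed here` would make that ownership explicit. `parse_rule_close` starts outside the hunk.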
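Review bot: The new special-rules block in `@@ -427` mirrors the aux-rules block in `@@ -451` but omits the `p->includer.clear();` that block performs before parsing, and it reuses the `"rule args"` parse-location label, so a parse error in these rules (the file-type rules, judging by the commit) would be reported as coming from `rule args`. If the `includer` difference is deliberate a one-line comment saying why would help; otherwise align the two blocks, and a distinct label such as `push_parse_location("W", "./", "file id rules");` would point diagnostics at the right source. `ParseRules` starts and ends outside the hunk.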
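Review bot: `parser_append_rules_special(const char *s)` in `@@ -844` binds the `*` to the name, while its neighbours `parser_append_rules(const char* s)` and `parser_append_includes(const char* d)` bind it to the type; `const char* s` here and `const char*` in the parser.h hunk keep both files consistent. The name alone does not say what makes these rules special; a comment above the definition, e.g. `// rules parsed before includes and aux rules (see ParseRules)`, would explain the ordering the `@@ -427` hunk establishes.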
diff --git a/src/service_inspectors/dce_rpc/dce_smb2_file.cc b/src/service_inspectors/dce_rpc/dce_smb2_file.cc
index 1d4a2859d..fc1f84c72 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2_file.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2_file.cc
@@ -277,7 +277,7 @@ bool Dce2Smb2FileTracker::process_data(const uint32_t current_flow_key, const ui
 file->set_file_name(file_name, file_name_len);
 file->set_file_size(file_size.load() ? file_size.load() : UNKNOWN_FILE_SIZE);
 }
-
+ FileFlows::get_file_flows(p->flow);
 bool continue_processing = file_flows->file_process(p, file_name_hash, file_data, data_size, file_offset, direction, file_id);
diff --git a/src/service_inspectors/mms/mms_splitter.cc b/src/service_inspectors/mms/mms_splitter.cc
index 2ebccfca5..4802cbf08 100644
--- a/src/service_inspectors/mms/mms_splitter.cc
+++ b/src/service_inspectors/mms/mms_splitter.cc
@@ -186,6 +186,7 @@ StreamSplitter::Status MmsSplitter::scan(Packet* p, const uint8_t* data, uint32_
 Packet* tmp_pkt = new Packet(false);
 tmp_pkt->data = cur_pkt_ctx.data;
 tmp_pkt->dsize = cur_pkt_ctx.len;
+ tmp_pkt->context = nullptr;
 
 Cursor mms_cur = Cursor(tmp_pkt);
diff --git a/tools/snort2lua/config_states/config_file.cc b/tools/snort2lua/config_states/config_file.cc
index 963ff6b37..5c7388418 100644
--- a/tools/snort2lua/config_states/config_file.cc
+++ b/tools/snort2lua/config_states/config_file.cc
@@ -139,9 +139,9 @@ bool File::convert(std::istringstream& data_stream)
 retval = false;
 }
 
- // Always add the file_rules option to reference the file magic rules.
+ // Always add the rules_file option to reference the file magic rules.
 table_api.open_table("file_id");
- table_api.add_option("file_rules", "$file_magic");
+ table_api.add_option("rules_file", "$file_magic");
 table_api.close_table();
 
 return retval;
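Review bot: The added `FileFlows::get_file_flows(p->flow);` discards its return value, so as written it reads as a no-op, and the `file_flows` pointer used by `file_flows->file_process(...)` on the next line is not refreshed by it. If the intent is the side effect of ensuring a FileFlows object exists on the flow before processing, that should be stated in a comment; if the intent is to use a current pointer, `file_flows = FileFlows::get_file_flows(p->flow);` is the line that does it. `process_data` starts and ends outside the hunk, so where `file_flows` is obtained is not visible here.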
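Review bot: `tmp_pkt->context = nullptr;` is a bare field assignment whose reason is not visible in the hunk; presumably something that now reads `Packet::context` (the Cursor built on the next line, given cursor.cc is also touched by this commit) must not see garbage. A comment such as `// detached packet: no IpsContext, consumers must tolerate a null context` would record that, and if `Packet(false)` leaves `context` uninitialized the fix belongs in the constructor or an in-class initializer rather than at one call site. `tmp_pkt` is created with bare `new`; `scan` continues outside the hunk, so whether every path deletes it is not visible here.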