signatures: Move ISO 9660 signature to policy

The previous "fix" caused significant performance degradation without the signature ever having a chance to trigger. Moving it to policy seems the best compromise, the alternative being outright removing it.
2025-10-12 11:38:20 +00:00 · 2024-02-26 13:32:27 +01:00 · 2024-02-26 13:32:27 +01:00 · 1a5ce65e3d
commit 1a5ce65e3d
parent f96600391a
6 changed files with 28 additions and 15 deletions
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@ -296,18 +296,3 @@ signature file-windows-minidump {
    file-mime "application/x-windows-minidump", 50
    file-magic /^MDMP/
 }
-
-# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
-# The following sector is a volume descriptor with magic string "CD001"
-# at offset 1: 16 * 2048  + 1 = 32769
-signature file-iso9660 {
-        file-mime "application/x-iso9660-image", 99
-        file-magic /^.{32769}CD001/
-}
-
-# ISO 9660 disk image, magic string match in next volume descriptor.
-# 17 * 2048  + 1 = 34817
-signature file-iso9660-2 {
-        file-mime "application/x-iso9660-image", 99
-        file-magic /^.{34817}CD001/
-}
--- a/scripts/policy/frameworks/signatures/iso-9660.sig
+++ b/scripts/policy/frameworks/signatures/iso-9660.sig
@ -0,0 +1,10 @@
+# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
+# The following sector is a volume descriptor with magic string "CD001"
+# at offset 1: 16 * 2048 + 1 = 32769.
+#
+# However, we do not use exact offset matching /^.{32769}CD001/ as this
+# results in major performance degradation.
+signature file-iso9660 {
+        file-mime "application/x-iso9660-image", 99
+        file-magic /.*CD001/
+}
--- a/scripts/policy/frameworks/signatures/iso-9660.zeek
+++ b/scripts/policy/frameworks/signatures/iso-9660.zeek
@ -0,0 +1,8 @@
+##! Load signature for ISO 9660 disk image and increase
+##! default_file_bof_buffer_size to make it functional.
+@load-sigs ./iso-9660
+
+# CD001 string is in the 17th sector.
+@if ( default_file_bof_buffer_size < (16 + 1) * 2048 )
+redef default_file_bof_buffer_size = (16 + 1) * 2048;
+@endif
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@ -72,6 +72,7 @@
@load frameworks/notice/extend-email/hostnames.zeek
@load files/x509/disable-certificate-events-known-certs.zeek
@load frameworks/packet-filter/shunt.zeek
+@load frameworks/signatures/iso-9660.zeek
@load frameworks/software/version-changes.zeek
@load frameworks/software/vulnerable.zeek
 # @load frameworks/spicy/record-spicy-batch.zeek