signatures: Move ISO 9660 signature to policy

The previous "fix" caused significant performance degradation without the signature ever having a chance to trigger. Moving it to policy seems the best compromise, the alternative being outright removing it.
2025-10-13 12:08:20 +00:00 · 2024-02-26 13:32:27 +01:00 · 2024-02-26 13:32:27 +01:00 · 1a5ce65e3d
commit 1a5ce65e3d
parent f96600391a
6 changed files with 28 additions and 15 deletions
--- a/scripts/policy/frameworks/signatures/iso-9660.sig
+++ b/scripts/policy/frameworks/signatures/iso-9660.sig
@ -0,0 +1,10 @@
+# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
+# The following sector is a volume descriptor with magic string "CD001"
+# at offset 1: 16 * 2048 + 1 = 32769.
+#
+# However, we do not use exact offset matching /^.{32769}CD001/ as this
+# results in major performance degradation.
+signature file-iso9660 {
+        file-mime "application/x-iso9660-image", 99
+        file-magic /.*CD001/
+}
--- a/scripts/policy/frameworks/signatures/iso-9660.zeek
+++ b/scripts/policy/frameworks/signatures/iso-9660.zeek
@ -0,0 +1,8 @@
+##! Load signature for ISO 9660 disk image and increase
+##! default_file_bof_buffer_size to make it functional.
+@load-sigs ./iso-9660
+
+# CD001 string is in the 17th sector.
+@if ( default_file_bof_buffer_size < (16 + 1) * 2048 )
+redef default_file_bof_buffer_size = (16 + 1) * 2048;
+@endif