signatures: Move ISO 9660 signature to policy

The previous "fix" caused significant performance degradation without
the signature ever having a chance to trigger. Moving it to policy
seems the best compromise, the alternative being outright removing it.

NEWS

@@ -26,6 +26,13 @@ Changed Functionality
   would reproduce the same fuid, even if the command itself did not result in
   a file transfer over a data connection (e.g., CWD, DEL, PASV, SIZE).
 
+- The ISO 9660 file signature has been moved into the policy directory. The
+  signature has previously been non-functional due to implicit anchoring. Further,
+  this signature requires users to significantly increase their
+  ``default_file_bof_buffer_size``. Users can now enable this signature by loading
+  ``frameworks/signatures/iso-9660`` which also increases the BOF buffer sufficiently.
+  Note, doing so may increase memory and CPU usage significantly.
+
 Removed Functionality
 ---------------------
 

scripts/base/frameworks/files/magic/general.sig

@@ -296,18 +296,3 @@ signature file-windows-minidump {
     file-mime "application/x-windows-minidump", 50
     file-magic /^MDMP/
 }
-
-# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
-# The following sector is a volume descriptor with magic string "CD001"
-# at offset 1: 16 * 2048  + 1 = 32769
-signature file-iso9660 {
-        file-mime "application/x-iso9660-image", 99
-        file-magic /^.{32769}CD001/
-}
-
-# ISO 9660 disk image, magic string match in next volume descriptor.
-# 17 * 2048  + 1 = 34817
-signature file-iso9660-2 {
-        file-mime "application/x-iso9660-image", 99
-        file-magic /^.{34817}CD001/
-}

scripts/policy/frameworks/signatures/iso-9660.sig

@@ -0,0 +1,10 @@
+# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
+# The following sector is a volume descriptor with magic string "CD001"
+# at offset 1: 16 * 2048 + 1 = 32769.
+#
+# However, we do not use exact offset matching /^.{32769}CD001/ as this
+# results in major performance degradation.
+signature file-iso9660 {
+        file-mime "application/x-iso9660-image", 99
+        file-magic /.*CD001/
+}

scripts/policy/frameworks/signatures/iso-9660.zeek

@@ -0,0 +1,8 @@
+##! Load signature for ISO 9660 disk image and increase
+##! default_file_bof_buffer_size to make it functional.
+@load-sigs ./iso-9660
+
+# CD001 string is in the 17th sector.
+@if ( default_file_bof_buffer_size < (16 + 1) * 2048 )
+redef default_file_bof_buffer_size = (16 + 1) * 2048;
+@endif

scripts/test-all-policy.zeek

@@ -72,6 +72,7 @@
 @load frameworks/notice/extend-email/hostnames.zeek
 @load files/x509/disable-certificate-events-known-certs.zeek
 @load frameworks/packet-filter/shunt.zeek
+@load frameworks/signatures/iso-9660.zeek
 @load frameworks/software/version-changes.zeek
 @load frameworks/software/vulnerable.zeek
 # @load frameworks/spicy/record-spicy-batch.zeek

testing/btest/scripts/base/files/mime/iso-9660.zeek

@@ -7,6 +7,8 @@
 @load base/protocols/http
 @load base/frameworks/files
 
+@load frameworks/signatures/iso-9660
+
 redef default_file_bof_buffer_size = 40000;
 
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)