From d2409dd43260e9e909fb0acc323817ebde76da8b Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Wed, 21 Feb 2024 10:28:25 +0100
Subject: [PATCH] signatures: Fix ISO 9960 signature

This signature only really works when default_file_bof_buffer_size is bumped to a sufficient value (40k).
---
 scripts/base/frameworks/files/magic/general.sig | 13 +++++++++++--
 .../files.log.cut | 3 +++
 testing/btest/Traces/http/iso-download.pcap.gz | Bin 0 -> 7601 bytes
 .../btest/scripts/base/files/mime/iso-9660.zeek | 16 ++++++++++++++++
 4 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.files.mime.iso-9660/files.log.cut
 create mode 100644 testing/btest/Traces/http/iso-download.pcap.gz
 create mode 100644 testing/btest/scripts/base/files/mime/iso-9660.zeek

diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index f0e41018f6..c9a3df1f60 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -297,8 +297,17 @@ signature file-windows-minidump {
 file-magic /^MDMP/
 }
 
-# ISO 9660 disk image
+# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
+# The following sector is a volume descriptor with magic string "CD001"
+# at offset 1: 16 * 2048 + 1 = 32769
 signature file-iso9660 {
 file-mime "application/x-iso9660-image", 99
- file-magic /CD001/
+ file-magic /^.{32769}CD001/
+}
+
+# ISO 9660 disk image, magic string match in next volume descriptor.
+# 17 * 2048 + 1 = 34817
+signature file-iso9660-2 {
+ file-mime "application/x-iso9660-image", 99
+ file-magic /^.{34817}CD001/
 }
diff --git a/testing/btest/Baseline/scripts.base.files.mime.iso-9660/files.log.cut b/testing/btest/Baseline/scripts.base.files.mime.iso-9660/files.log.cut
new file mode 100644
index 0000000000..62fb889149
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.mime.iso-9660/files.log.cut
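Review bot: The new `file-iso9660` and `file-iso9660-2` patterns only work once the file's BOF buffer reaches at least 34817 + 5 bytes, but that constraint is recorded only in the commit message; with the stock `default_file_bof_buffer_size` (which the message implies is well below 40k) neither anchored pattern can ever match and ISO images silently go undetected. Put the constraint next to the signatures, e.g. `# NOTE: only matches when default_file_bof_buffer_size >= 34822; the stock default never reaches the volume descriptor.` Two points to confirm: if `.` excludes newline in the signature regex engine, a single 0x0a byte anywhere in the arbitrary system area defeats `^.{32769}`, and a class such as `[\x00-\xff]{32769}` would be needed instead; and a counted repetition of 32769 (and 34817) is presumably expanded into that many states when the signature DFA is built, so the compile-time and memory footprint of these two patterns is worth measuring before they ship in the default signature set. The patch subject says ISO 9960 where the comments and signature names say ISO 9660.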
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+fuid source mime_type filename
+FbxMVx2s9vO46GnVh2 HTTP application/x-iso9660-image myiso.iso
diff --git a/testing/btest/Traces/http/iso-download.pcap.gz b/testing/btest/Traces/http/iso-download.pcap.gz new file mode 100644 index 0000000000000000000000000000000000000000..69f649461468b33cf4865d8add74796588cdd550 GIT binary patch literal 7601 zcmXw8YgiN4)^5L^)~cs+G`1Y28pTT#8dIeffnutHsAwX{r2;y~D^&;)L8t=mb81y6 zD$adamn3ScsN959$N(ysGJ;`XnEh?c?mwP9`&qLt?|Rp}7X0*& zKi*UEWXpRWY>Sf%H_H=aqU9Sl&)KnQ!;bg5n@9g}>`CcgJtO~dW7+rP9|!$wpReo0 zDc^pZy1ION#0UTQ_($dT@_(c*T|D*YDa$UNnswpAjTMJ~oVaN2ti`K?esc=*y}r-U zXaCQs<31cee*00ksND&T_xmr!<;GRNjRQka6S;Eb?OQ(`?$~+{kGuwUTT_XgWg*ia#qK%yAoGFWrP;ZYha4=I_XbSQ?>+8) zlbSd>ij_%sZk--DtvbXv`LO3m!W_E$P_lRN*87d~JYoyxdyLD}PtwFIrg^+_6yBRW z_@DTJ)ctpczI5G1ir3DGq4f{->&_}FxW|^>7ZdiJ)OxjkoslXb0<*{4y8n3A>Db0C z44(OP&$Wbe(>+gH@@KC18u~mZi&O9vZPh7pk$p84^Gf_eVpbUa1s&2aqQ_R9>%DjX z{OQJ=5F|_=K9F{m520Bjzjca`EmD!1Gn75bB|{o&6-kH(sJ{uv}!P{{BVlNqtzO>yf-1l2fSReWXztjlH!%u zr+LnG8~FC9F_YKU*j+7|xwQ=H)AX?i!xCsg1>Y@iS6J8zxG-(xK6++EuKUz!Tb^aH zv7tU>ZG|lT>$H)_Z>H1p0uNXYuUNIM*(EQjCAG6JJU{dvRWFz`f&WHP^s{;Q{LG>u|0h(52oykm2~`hYiSzC8K>F<^VOrQ@*Eny$?C4>yz~<`;pa-Rr&#`23b)C^BCpEU4dov;I?Zl#3!I}jI+>GySj17g(?+f> zzj@XBX?d){{2vg+Ql33JP5$OKTRUFKAfrzan0E{DpRgf5)}b=_N-? 
ze|ned+dB455I3Qkb$yh>mck!dAD^i+==^%xTuc*fMsj<)g1kNZuGD9IpflhN_MI&r z7at+pe%j_j0oec=@*^5$cIKSzy-GgpCKPJeyA!)jr`~UY+yAyOw!7KSc1Z=%!Li zqoo}OY4Z9*J!y-_sjXE(lM9R|xVn5#CUM<oW9xi(*1|;4X`}s_y>cw`PJ5T@79zrxrhym7CtWEE${E~AK3@F?ly{_zf{8Z zm?eic^2WxVf4YF{JTakX{xcwdHf4aAK|7RE#3@?ZLzzn-=wZKWH4Cf6Wqu*#`h5eo zmrZ$oAuDvD-vj=!lTY09ntr=Dr+jF{`Rs?6)~+ZTGpX_1 z=F$Zu{By7Oyvogy<)Yl?>xgYCkF^MQUat7(=Z{Ik*dqLB*Q*9suYm>D({-70_R-t?#;27pjj#}Vue^wS0>^_h zSw7t8XvVRSRirSs&lWIoVn`<41O4KRfYj7Zjp8o!3g?o7IM-x`jQZ08_KwiL{nv2U zfYU-)M4@<5CYj6qAuaTG3Su?wY=RW_iB;wa7|E`*Vw>7z*u{*nJ?mL~~ zby)AF=43@myYhJ2)SPRjvph>SztU_J9MK8hK21|>6uka^e9jNG?L#HJJN3N5&Klz; z!Rs)`oCQ&}r|Q#qU2O*jd#^p;X}xw@emLOugto#akC-XLy-eO!kt-?ko|=@b6F^#f z)J{~!XvP}Kq$e{x*KC%$?r^lzyfCG-tL8o8t3mfw7R_cOxs1|u8VQi406oq2HiDn( z*z{m-WHn13N`&Ay@9T|Ae8vYkLz#|sxWIzHD0#%|BTPr1?_TFRFjU+Q>4~ugnHIh_ zGx=EtKV#4o<+Jzt?YUJ0Tef~8%k=unmK_2g@sDuia*L>h0;?&$)oA{zY~Y`A9%`3? z$ftvs(|l*29W6LFo?7*Vf$x6a_jeeRdlys+;W#DvhnifgRDjnG*uCU%?qCoXTg?iM z+3Xe55<9I}uTr8=M$|{iPj*{0%$N3dA+{UIAWHNXWvcJ6h!&1w(uSFdY*N7uN;r<- z9w3^W?dWXpLj)gw03&)!S#w`lM0@^;AKy`d;|2|KIscKK_|5_UTBm{mN^nsG|2s|q zxbN+KPu^33a)bD`8Z7e@z`Lc`;~^dE8pJ)UW^d}e7|}QH+f5MBM&dNx!O$65Z5F=g z82hhaiVIZ4j;&%hIfDr1wbB`Ake?+lVzdw5)EB*p%zUQknBxYBa2;2zduc9NGc?#Z z(608Y`)jCUQi;RCmD%O@zH#|sWyYwb0~v?em(A=)y=^6nhWQbe>e!4Tc3Ltsx+w9@ zt1BPlP|zGu8pO}kPBKOl$cTC=&DyGyMEKt}W`=W5T%a|Xi43*2*ZtDWrl$Ug z(%+y0hYjL;YN$dsPL!PFqY0D7meteRUHy6lMv$haxyZT^`di)@>LE>vXKBfc+quAv7;7=J}ss z9Q?-!FB>#ym=zQ#VC^dWcyTz_=K=u1-FM1n!%t4LW7JkplV@n#8#EQp(SkdZ8t-92 zVU9AAizw?WBY8H{tKHl`6*s_EBP=v%x{YL1jso`SuZj`pURelkhW$19SOsNDvQh*#?pJ_qpJ5xn3gJ?v*r+DCF9oo*64TZe9eXl} zTS;)lZ7;^!kb%A1ZiGh+=KE?gwp>A86=B2ARB)Y=EE0j*2m$Q2;XJuUGv+l+Wk2m+ zw39Y@|7152in6Dr6W>zuwe1#-_rGxgwi(H_l(1w~mq?@rs{1 zJhf0G!sH;X_@SwCa*ubW_?LxM+PmcWyLu9BJARLe`b6J7v4Qsw?21cfwzP&M2^pl& zA_t@NsUEM_*8Jg*6`C1=Bh6rbpa#(u3h?J>>@|TrDPm2q5 zf;AH)++;O&yGh0*USMU(i~uQ}%IiPd-M0Qp!IhM}+X$X46@WXnxUi;ZCb5vcg!o|P zF1qaG0sQzX1tTcw8;U$#pb*Rc##gxzI=TRVf*Y1artL@UkHH2b=}*a@8^zkYdeFGi 
zUM!#%f;@xynHoM=D&f{F#9Gr;#*jhGniR&dIF8ml{>)x)Xiz~{CH#Wmd_R zN(t+#*{GMEj6*QCY_6xlSz7bj2qX3@;I}g|a!o3rF@O^y=zlYtCDi!wpp3Bd%gyRWLbUBBWAHyw|j*=b9I1SR)mJSP;G1>kY{GlRO zP~rwP0Epf8Z@?HE7tSql0n-T1>XySwL$MNeXrSRK+P&9e<)elXuf-n}l~Ll0w8mlt zL1_wd<9M9E$H#!whk|(`(0oL~9Sp^OI5g3B3RrzLdnYE57T3Rro!)9BmQdn{YFOhT z;RZ+HI{L|&s6tlIPiwMYTgWKf&g3(dcs(Ui@?dl67JOrT-}T&x-Njp=%cJ(KGB1|APirn z5I%GPzldP@svI^n2E$kLD zwuy#;R7O8-62;N(di*)_RZ6_vV%=M>28(nGa)Sp>v`z??DB%c#yPP87c&*swRXX-? z5Vr)0i4{5Q@|*a3iP4NSgegj9)LT3mo(ulfhQcdik%-b>jHl}g)9oBa%8lS>19T_2 z{1w^kK|hQQem$LkfgO>;Xu3Ns;(iQscv=W}O88$9Oh;?<;7g2heiN-Jq(O&~+;Btz zi~R8ikwzy28Kjng>$`bzRS}x>PISQ{Ay}gXqzG1qKbs2$pWtY^b!>hCJDALfv!7ew z4rh$sn<^NugiZt}4a{M!)p+klA{&+(V5tZ`K%g$$i}zZ@$>4y2tW(1xq=G&P#qlV0 z?EN6lyP6$5;mHumPIh>}M=H2d3Ccw9#wQXk(uC(KiAwHIL4z9Z$W*|BC>)QsjxBJ3 z>Ri^NbRrTNd;g24fXrx)ptQY|^t%oV@$@5X`nHPPZy=3oalvnTa`V?X7L$t1Gr;{K zIP#Nhc8dmc4dU6_AkLJ+I29+*q6H(ciKi-3X&`IWq<)qFvQ5|x#Iu)zIa4wN*461j z(;Pb>;VB_-Qi6jbupROG`4|jHb2L*M%t=$2aECbBRKdfRTU6vF1KF%5Q?4suh8epN ztYf=_IB7EDrSxL*`*7O=#3|tvM5?9?shV?x*o~X$aWE&VX1$BDSN-2tW%TDhyP4VhVu+f&-t9*7%~y`TJ1s5i>fxaYx0d&;Yp)7V zaS#~1zu>LuI=erv@B0l`VAkxcmq$JuSoL=1Osp-Myn24tbqL{>_$*H*Wv`(~bRhoPwzEz0E!3;2wf=L~t^Hjt@^wXr{`NeMB(pE?-k6@UvKV zqnsa@XKPAMAP=%Wn+1=qUI9hNR$OU!C?SIj{}U7&cVk6eaW}IN|W?@3Ft)Cn|9$1<()* z@2gyGw&E2`dWGU&q_uA-cyVCe1-bcub}k^c7(uQ9UKc?%GLo{(!ERgJtOBV9m@R^J z!#}4bo*p->n?b1%u2#ae1oy%4&oS@zq{mN&Oh%fG9KCD4b@7aMJMhGC&Rob! 
zlW2zvXkh@~V3N=vzWbkne5!_>(E@nZ0aw*c#vCkQqmr3d-Ep+q50?)OT98j`(ay2@ zrG@wk%SsJ$`m_Na6T#(ZVc7ro)OsajM1hQ^mlEea(u2rJm}k(4GZ(Q^q*6j!EgD-A zo`*Ui+@SPCw*B6*y;rSt3x0^v{G%7;-0N zj9&rkn!{|+8@krxg%sV3knjNL0jatk@iN!9Ytrvwi{Bli+;nVc0h@?c z7j$hi_u+q+z--~L@Gw=gPOdqu*LJLSL@0Yj?3)zEU5!rU>+w2IBGB!QurpPtu48*9 zX>+P(!@VlvZu3(Puu!B(+EJDAI`UNR;Os-*wzwTjVgtKh<#ta6xLOf*qyd-*TzL%HFsLm72{?;S#S$H zGt@YArFFch@!u$zoXS1E6H%40uB#@aJ8emP>#e!G5%DWUl0vUU`h0zwrk;23Wer=O z<`(KGm@!7?;g+z`_Gx>~n_aE-^=VCpEv-#6N_hN;Z4&m91mBOIF{DXF|bso$Qd2-8Q*FCcC~v+?#gfOXD=A~zpBG$Gp-$WJ-bHzQtDl&>E}OA Me^NQ->4)$AKbL*d@&Et; literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/files/mime/iso-9660.zeek b/testing/btest/scripts/base/files/mime/iso-9660.zeek new file mode 100644 index 0000000000..2d047f0364 --- /dev/null +++ b/testing/btest/scripts/base/files/mime/iso-9660.zeek @@ -0,0 +1,16 @@ +# @TEST-DOC: Test ISO 9660 mime detection works with increased default_file_bof_buffer_size. +# +# @TEST-EXEC: zcat <$TRACES/http/iso-download.pcap.gz | zeek -b -r - %INPUT +# @TEST-EXEC: zeek-cut -m fuid source mime_type filename < files.log > files.log.cut +# @TEST-EXEC: btest-diff files.log.cut + +@load base/protocols/http +@load base/frameworks/files + +redef default_file_bof_buffer_size = 40000; + +event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) + { + if ( f$source == "HTTP" ) + f$info$filename = split_string(c$http$uri, /\//)[-1]; + }
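Review bot: `c$http$uri` is dereferenced unguarded in the `file_over_new_connection` handler of the new test script; `uri` is an optional field of `HTTP::Info`, so an HTTP file whose request line was not seen would abort the script on a missing field instead of logging the file, making the test fail for a reason unrelated to mime detection. Guard the access, `if ( f$source == "HTTP" && c?$http && c$http?$uri )`, so the outcome depends only on the signature being exercised. The script also never pins the negative case stated in its @TEST-DOC line: nothing shows that the image goes undetected without the `redef default_file_bof_buffer_size = 40000;`, so a second @TEST-EXEC run without the redef, with its own baseline, would document why the redef is required.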