signatures: Fix ISO 9960 signature

This signature only really works when default_file_bof_buffer_size is bumped
to a sufficient value (40k).

scripts/base/frameworks/files/magic/general.sig

@@ -297,8 +297,17 @@ signature file-windows-minidump {
     file-magic /^MDMP/
 }
 
-# ISO 9660 disk image
+# ISO 9660 disk image: First 16 sectors (2k) are arbitrary data.
+# The following sector is a volume descriptor with magic string "CD001"
+# at offset 1: 16 * 2048  + 1 = 32769
 signature file-iso9660 {
         file-mime "application/x-iso9660-image", 99
-        file-magic /CD001/
+        file-magic /^.{32769}CD001/
+}
+
+# ISO 9660 disk image, magic string match in next volume descriptor.
+# 17 * 2048  + 1 = 34817
+signature file-iso9660-2 {
+        file-mime "application/x-iso9660-image", 99
+        file-magic /^.{34817}CD001/
 }

testing/btest/Baseline/scripts.base.files.mime.iso-9660/files.log.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+fuid	source	mime_type	filename
+FbxMVx2s9vO46GnVh2	HTTP	application/x-iso9660-image	myiso.iso

testing/btest/scripts/base/files/mime/iso-9660.zeek

@@ -0,0 +1,16 @@
+# @TEST-DOC: Test ISO 9660 mime detection works with increased default_file_bof_buffer_size.
+#
+# @TEST-EXEC: zcat <$TRACES/http/iso-download.pcap.gz | zeek -b -r - %INPUT
+# @TEST-EXEC: zeek-cut -m fuid source mime_type filename < files.log > files.log.cut
+# @TEST-EXEC: btest-diff files.log.cut
+
+@load base/protocols/http
+@load base/frameworks/files
+
+redef default_file_bof_buffer_size = 40000;
+
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
+	{
+	if ( f$source == "HTTP" )
+		f$info$filename = split_string(c$http$uri, /\//)[-1];
+	}