[Zeek] File detection signature - ISO
Darren S.
phatbuckett at gmail.com
Tue Feb 26 17:14:37 PST 2019
ISO files (ISO 9660 media images) - magic bytes 43 44 30 30 31 (CD001)
at offset(s). Is this omitted intentionally for any reason (confidence
or similar), or is it sensible to add a signature for this? Just
noting delivery of malicious ISO files as malware containers over
recent years. I notice recent libmagic having a couple of entries for
this. How would an update or addition typically happen?
https://github.com/zeek/zeek/tree/master/scripts/base/frameworks/files/magic
--
Darren Spruell
phatbuckett at gmail.com
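
An added example, not part of the original post and not Zeek or libmagic code: a structural ISO 9660 check that speaks to the confidence question by walking the volume descriptor set instead of matching CD001 alone. The layout constants (2048-byte sectors, descriptors starting at sector 16) come from the ISO 9660 format rather than the post, and the function names and sample inputs are constructed for illustration.

```python
"""Added example: structural check for ISO 9660 images (not Zeek code)."""

SECTOR = 2048            # ISO 9660 logical sector size
FIRST_DESCRIPTOR = 16    # volume descriptors start at sector 16 (byte 0x8000)
MAGIC = b"CD001"         # standard identifier, bytes 1..5 of each descriptor
TERMINATOR = 255         # volume descriptor set terminator type
KNOWN_TYPES = {0: "boot", 1: "primary", 2: "supplementary", 3: "partition"}
MAX_DESCRIPTORS = 32     # bound the walk on hostile input


def iso9660_descriptors(data: bytes) -> list[str]:
    """Return the descriptor types found, or [] if data is not ISO 9660.

    Matching CD001 at a single offset is a low-confidence signal; walking
    the descriptor chain to its terminator rejects files that merely
    contain the five magic bytes at the right place.
    """
    found = []
    for i in range(MAX_DESCRIPTORS):
        off = (FIRST_DESCRIPTOR + i) * SECTOR
        desc = data[off:off + SECTOR]
        if len(desc) < SECTOR or desc[1:6] != MAGIC:
            return []                     # truncated descriptor or wrong magic
        if desc[6] not in (1, 2):         # version 1, or 2 for enhanced descriptors
            return []
        vtype = desc[0]
        if vtype == TERMINATOR:
            # A valid image has a primary descriptor before the terminator.
            return found if "primary" in found else []
        if vtype not in KNOWN_TYPES:
            return []
        found.append(KNOWN_TYPES[vtype])
    return []                             # no terminator within the bound


def make_descriptor(vtype: int) -> bytes:
    """Build a constructed 2048-byte descriptor for the sample inputs."""
    return (bytes([vtype]) + MAGIC + b"\x01").ljust(SECTOR, b"\x00")


# Constructed samples: 32 KiB system area followed by descriptors.
SYSTEM_AREA = bytes(FIRST_DESCRIPTOR * SECTOR)
SAMPLE_ISO = SYSTEM_AREA + make_descriptor(1) + make_descriptor(2) + make_descriptor(255)
SAMPLE_DECOY = SYSTEM_AREA + b"\x01CD001\x01" + b"not an image"

if __name__ == "__main__":
    print(iso9660_descriptors(SAMPLE_ISO))
    print(iso9660_descriptors(SAMPLE_DECOY))
```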