[Zeek] File detection signature - ISO

Jon Siwek jsiwek at corelight.com
Wed Feb 27 08:21:39 PST 2019


On Tue, Feb 26, 2019 at 7:17 PM Darren S. <phatbuckett at gmail.com> wrote:
>
> ISO files (ISO 9660 media images) - magic bytes 43 44 30 30 31 (CD001)
> at offset(s). Is this omitted intentionally for any reason (confidence
> or similar),

Maybe omitted because of the way the matching works -- it buffers up
to a certain number of bytes (default is 4096) at the beginning of the
file and then checks for matches once upon the buffer becoming full.
Seems the offset needed to check for the magic 'CD001' identifier is
32k+? That may be a bit much to do generally.

> or is it sensible to add a signature for this?

You can try extending the signatures with your own for it, but you may
also need to increase the `default_file_bof_buffer_size` option and
test that it doesn't have undesired performance effects.

>  How would an update or addition typically happen?
>
> https://github.com/zeek/zeek/tree/master/scripts/base/frameworks/files/magic

Typically, a simple pull request to add a signature would be
considered, but here I'm not sure how likely it would be to include
one for ISO 9660 by default since it also means an increase in the
default buffer sizes used for all file type matching.  That requires
more cautious performance and resource utilization testing/review.

Though maybe an alternate route would be if there's changes to the
file matching engine to make it sophisticated enough to better match
this case with minimal resources -- that would be something to
consider, but also more involved/effortful.

- Jon
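Putting the suggestion above into a local deployment, as an added example that is not from this thread or from Zeek's own signature set: a site signature file for ISO 9660 plus a script that raises the BOF buffer far enough for the match to be attempted. Assumptions: the volume descriptor set starts at byte 32768 (sector 16 of 2048-byte sectors) with "CD001" at offset 32769; the MIME string, confidence value and buffer size are my own choices, not tuned values.

```zeek
# --- iso9660.sig (Zeek signature file, loaded by the script below) ---
# ISO 9660: the volume descriptor set begins at sector 16 (16 * 2048 =
# 32768 bytes in); byte 32768 is the descriptor type (1 = primary) and
# bytes 32769..32773 hold the identifier "CD001".  An explicit byte class
# is used instead of "." so every byte value in the system area (boot
# code, padding) is accepted (assumption about "." semantics).  Note that
# a bounded repeat this large also costs the matcher one state per byte
# counted, which is part of the resource concern raised in the thread.
signature file-iso9660 {
    file-mime "application/x-iso9660-image", 70   # assumed MIME/confidence
    file-magic /^[\x00-\xff]{32769}CD001/
}

# --- iso9660.zeek (local policy script) ---
# The default BOF buffer (4096 bytes) fills long before the descriptor
# offset, so the signature can only fire if the buffer covers it.
# 32768 + 2048 = 34816 bytes keeps the whole primary volume descriptor in
# the buffer; this is a constructed value, not a tuned one.  Every file
# the file framework sees now buffers this much, so measure memory use
# on a representative traffic sample before enabling it site-wide.
redef default_file_bof_buffer_size = 34816;

@load-sigs ./iso9660.sig

# Confirmation hook while testing: report which files the new signature
# classified, so the match can be checked against a known ISO transfer.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( meta?$mime_type && meta$mime_type == "application/x-iso9660-image" )
        Reporter::info(fmt("ISO 9660 image seen in file %s (BOF buffer %d bytes)",
                           f$id, default_file_bof_buffer_size));
    }
```

Run it offline first, e.g. `zeek -r sample.pcap iso9660.zeek` against a capture that contains an ISO download, and compare the resulting files.log entries with the reporter output.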

