Snort mailing list archives
snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy
From: Rdtsc via Snort-devel <snort-devel () lists snort org>
Date: Wed, 25 Nov 2020 17:41:17 +0300
Hello, I'm trying to use file_log to log the results of my file_policy rules. In my config, enable_file_type, enable_file_signature and enable_file_capture are all true for my rules, and globally enable_type/enable_signature = true. Example of my rule:

    file_id.file_policy =
    {
        {
            when = { file_type_id = 62 },
            use  = { verdict = "log", enable_file_type = true, enable_file_signature = true, enable_file_capture = true }
        }
    }

Then all works fine: the files specified in the rule are captured as SHA-named files. But the problem is the following: in file.log I see entries for the logged files with their sha and other correct info, except the field Verdict: the verdict in all these entries is set to Unknown.

I've debugged some and found that when both type and signature are enabled for a rule and we, for example, find a known good type (for example GIF), then during the signature processing step for this file we cannot match on signature, because it is not specified in the rule, and our good verdict = FILE_VERDICT_LOG (obtained earlier in file type processing) is reset/overwritten to FILE_VERDICT_UNKNOWN in the signature processing phase.

Is it normal? My rule is matched but I have an Unknown verdict.

Maybe support a 2nd verdict variable for the verdict obtained in the type phase, and then in file_log log the entry with the better verdict value (from the signature or type phase). Or another solution.
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
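The two-phase verdict flow the post describes, and the "keep the better verdict" alternative it proposes, as a constructed Python model. This is an added illustration written for this archive page, not Snort 3 source and not the poster's code: the names FileVerdict, FilePolicyRule, type_phase, signature_phase, evaluate_overwrite and evaluate_keep_best, the ordering of verdict values, and the sample SHA-256 are all assumptions chosen to mirror the behaviour reported in the message.

```python
"""
Constructed model of a two-phase file verdict (type phase, then signature
phase) for a file_policy that names only when.file_type_id. Illustrative
code for this page only; it is NOT Snort 3 source code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class FileVerdict(Enum):
    # Names mirror the FILE_VERDICT_* identifiers quoted in the post. The
    # numeric ordering is an assumption used only to pick the more
    # informative of two verdicts.
    UNKNOWN = 0
    LOG = 1


@dataclass
class FilePolicyRule:
    """One file_id.file_policy entry: a 'when' selector plus the 'use' verdict."""
    file_type_id: Optional[int] = None
    sha256: Optional[str] = None
    verdict: FileVerdict = FileVerdict.LOG


def type_phase(rules: Sequence[FilePolicyRule], file_type_id: int) -> FileVerdict:
    """Phase 1: match on file type using rules that carry no sha256."""
    for rule in rules:
        if rule.sha256 is None and rule.file_type_id == file_type_id:
            return rule.verdict
    return FileVerdict.UNKNOWN


def signature_phase(rules: Sequence[FilePolicyRule], sha256: str) -> FileVerdict:
    """Phase 2: match on the computed SHA-256; with no sha256 rule the result is UNKNOWN."""
    for rule in rules:
        if rule.sha256 is not None and rule.sha256.lower() == sha256.lower():
            return rule.verdict
    return FileVerdict.UNKNOWN


def evaluate_overwrite(rules: Sequence[FilePolicyRule], file_type_id: int, sha256: str) -> FileVerdict:
    """Behaviour the post reports: the signature phase overwrites the type-phase verdict."""
    verdict = type_phase(rules, file_type_id)
    # A type-only policy has no sha256 to match, so this assignment clobbers
    # the LOG verdict from phase 1 with UNKNOWN.
    verdict = signature_phase(rules, sha256)
    return verdict


def evaluate_keep_best(rules: Sequence[FilePolicyRule], file_type_id: int, sha256: str) -> FileVerdict:
    """Behaviour the post proposes: keep both phase verdicts and log the better one."""
    type_verdict = type_phase(rules, file_type_id)
    sig_verdict = signature_phase(rules, sha256)
    return max(type_verdict, sig_verdict, key=lambda v: v.value)


# Constructed sample data. 62 is the file_type_id from the post; the SHA-256
# is a placeholder value, not a real file hash.
SAMPLE_SHA = "0" * 64
RULES_TYPE_ONLY = [FilePolicyRule(file_type_id=62)]
RULES_WITH_SHA = [FilePolicyRule(file_type_id=62), FilePolicyRule(sha256=SAMPLE_SHA)]


if __name__ == "__main__":
    print("type-only policy, overwrite :", evaluate_overwrite(RULES_TYPE_ONLY, 62, SAMPLE_SHA).name)
    print("type-only policy, keep best :", evaluate_keep_best(RULES_TYPE_ONLY, 62, SAMPLE_SHA).name)
    print("policy with sha256, keep best:", evaluate_keep_best(RULES_WITH_SHA, 62, SAMPLE_SHA).name)
```

With a type-only policy the overwrite strategy yields UNKNOWN for a matched GIF, which is exactly the file.log symptom in the message, while keeping the better of the two phase verdicts preserves LOG; a policy that also names the sha256 logs LOG under either strategy.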
Current thread:
- snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy Rdtsc via Snort-devel (Nov 25)
- Re: snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy Nihal Desai (nihdesai) via Snort-devel (Nov 25)