Snort mailing list archives

snort3: unknown verdict when use only when.file_type_id and not when.sha256 in file_policy


From: Rdtsc via Snort-devel <snort-devel () lists snort org>
Date: Wed, 25 Nov 2020 17:41:17 +0300

Hello,
I'm trying to use file_log to log results of my file_policy rules.

In my config: *enable_file_type, enable_file_signature and
enable_file_capture* are all *true* for my rules and globally
*enable_type/enable_signature = true.*

Example of *my rule:*
file_id.file_policy =
{
    { when = { file_type_id = 62 },
      use = { verdict = "log", enable_file_type = true,
              enable_file_signature = true, enable_file_capture = true } }
}

Then all works fine: files specified in the rule are captured as SHA-named
files.

But the *problem is this:* in file.log I see entries for the logged files with
their SHA and other correct info, except the field *Verdict*: the verdict in
all these entries is set to *Unknown*.

I've debugged some and found that when both type and signature are enabled
for a rule, and we, for example, find a known and good type (for example GIF),
then during the step of processing the signature for this file we cannot
match on signature, because it is not specified in the rule, and our good
verdict = FILE_VERDICT_LOG (which we got earlier during file type processing) is
reset/overwritten to FILE_VERDICT_UNKNOWN in the signature processing phase.

*Is it normal? My rule is matched but I have Unknown verdict. *

Maybe support a 2nd verdict variable for the verdict obtained in the type
phase, and then in file_log log the entry with the better verdict value
(from the signature or type phase). Or another solution.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
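As an added illustration (model code written for this archive page, not Snort's own implementation), the following Python reproduces the two-phase verdict behaviour the post describes: a type-only file_policy rule yields FILE_VERDICT_LOG in the type phase, and an unconditional write in the signature phase turns it back into FILE_VERDICT_UNKNOWN. The second function models the post's proposal of keeping the type-phase verdict in its own variable; the precedence it uses (a matching hash rule wins, otherwise the type verdict stands) and the sample hashes are assumptions made here.

```python
# Added model (not Snort's own code) of the two-phase file verdict resolution
# the post describes: file type phase first, then file signature (SHA-256) phase.
from dataclasses import dataclass
from typing import List, Optional

VERDICT_UNKNOWN = "unknown"
VERDICT_LOG = "log"
VERDICT_BLOCK = "block"


@dataclass
class PolicyRule:
    """One file_policy entry: the 'when' keys and the 'use' verdict."""
    verdict: str
    file_type_id: Optional[int] = None   # when.file_type_id
    sha256: Optional[str] = None         # when.sha256


def type_phase(rules: List[PolicyRule], file_type_id: int) -> str:
    """Phase 1: match on file type id for rules that do not pin a hash."""
    for r in rules:
        if r.sha256 is None and r.file_type_id == file_type_id:
            return r.verdict
    return VERDICT_UNKNOWN


def signature_phase(rules: List[PolicyRule], sha256: str) -> str:
    """Phase 2: match on the file's SHA-256; unknown when no rule pins it."""
    for r in rules:
        if r.sha256 is not None and r.sha256.lower() == sha256.lower():
            return r.verdict
    return VERDICT_UNKNOWN


def verdict_overwritten(rules: List[PolicyRule], file_type_id: int, sha256: str) -> str:
    """Behaviour the post reports: a single verdict variable that the
    signature phase writes unconditionally, so a type-only match ends unknown."""
    verdict = type_phase(rules, file_type_id)   # FILE_VERDICT_LOG for a GIF rule
    verdict = signature_phase(rules, sha256)    # overwrites it: FILE_VERDICT_UNKNOWN
    return verdict


def verdict_two_variables(rules: List[PolicyRule], file_type_id: int, sha256: str) -> str:
    """Post's proposal modelled here: keep the type-phase verdict separately.
    Assumed precedence: a matched hash rule wins, otherwise the type verdict stands."""
    type_verdict = type_phase(rules, file_type_id)
    sig_verdict = signature_phase(rules, sha256)
    return sig_verdict if sig_verdict != VERDICT_UNKNOWN else type_verdict


# Constructed sample policy: the post's type-only log rule for id 62 (GIF)
# plus a hash-pinned block rule. Both hash values below are made up.
RULES = [
    PolicyRule(verdict=VERDICT_LOG, file_type_id=62),
    PolicyRule(verdict=VERDICT_BLOCK, sha256="a" * 64),
]

if __name__ == "__main__":
    gif_hash = "b" * 64  # a GIF whose hash no rule pins
    print(verdict_overwritten(RULES, 62, gif_hash))    # unknown
    print(verdict_two_variables(RULES, 62, gif_hash))  # log
    print(verdict_two_variables(RULES, 62, "a" * 64))  # block
```

Running the block prints the three verdicts for the same GIF under the reported and the proposed resolution; the difference between the first two lines is exactly the Unknown-instead-of-Log symptom seen in file.log.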
