ISO files (ISO 9660 media images) - magic bytes 43 44 30 30 31 (CD001)
at offset(s). Is this omitted intentionally for any reason (confidence
or similar), or is it sensible to add a signature for this? Just
noting delivery of malicious ISO files as malware containers over
recent years. I notice recent libmagic having a couple of entries for
this. How would an update or addition typically happen?
https://github.com/zeek/zeek/tree/master/scripts/base/frameworks/files/magic
> ISO files (ISO 9660 media images) - magic bytes 43 44 30 30 31 (CD001)
> at offset(s). Is this omitted intentionally for any reason (confidence
> or similar),
Maybe omitted because of the way the matching works -- it buffers up
to a certain number of bytes (default is 4096) at the beginning of the
file and then checks for matches once upon the buffer becoming full.
Seems the offset needed to check for the magic 'CD001' identifier is
32k+? That may be a bit much to do generally.
> or is it sensible to add a signature for this?
You can try extending the signatures with your own for it, but may
also need to increase the `default_file_bof_buffer_size` option and
test that doesn't have undesired performance effects.
> How would an update or addition typically happen?
> https://github.com/zeek/zeek/tree/master/scripts/base/frameworks/files/magic
Typically, a simple pull request to add a signature would be
considered, but here I'm not sure how likely it would be to include
one for ISO 9660 by default since it also means an increase in the
default buffer sizes used for all file type matching. That requires
more cautious performance and resource utilization testing/review.
Though maybe an alternate route would be if there's changes to the
file matching engine to make it sophisticated enough to better match
this case with minimal resources -- that would be something to
consider, but also more involved/effortful.
- Jon
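The point Jon makes about the buffer size is easy to verify with the ISO 9660 layout itself: logical sectors are 2048 bytes, the volume descriptor set starts at sector 16 (byte 32768), and each descriptor is one type byte followed by the "CD001" tag, so the tag sits at byte 32769 and a beginning-of-file buffer has to hold at least 32774 bytes to see it. The following Python script is an added example written for this thread; it is not Zeek code and not part of the zeek repository. It emulates a file-magic check that can only see the first N bytes of a file, builds a constructed, header-only ISO-shaped image (not a mountable filesystem) to run it against, and shows that the default 4096-byte buffer misses the tag while a 32774-byte buffer finds it. Function and constant names are my own.

```python
from typing import Optional

# ISO 9660 layout facts used below: logical sectors are 2048 bytes, the
# volume descriptor set starts at sector 16 (byte 32768), and every
# descriptor begins with a one-byte type followed by the "CD001" tag.
SECTOR_SIZE = 2048
VD_FIRST_SECTOR = 16
ISO_TAG = b"CD001"
ISO_TAG_OFFSET = VD_FIRST_SECTOR * SECTOR_SIZE + 1   # 32769

VD_PRIMARY = 1        # primary volume descriptor (PVD)
VD_TERMINATOR = 255   # volume descriptor set terminator


def minimum_bof_buffer_size() -> int:
    """Smallest beginning-of-file buffer that can contain the CD001 tag."""
    return ISO_TAG_OFFSET + len(ISO_TAG)            # 32774


def find_iso9660_tag(data: bytes, bof_buffer_size: int) -> Optional[int]:
    """Emulate a file-magic check that only sees the first bof_buffer_size
    bytes (the way a BOF buffer does). Returns the offset of the CD001 tag
    if it is visible inside that window, otherwise None."""
    visible = data[:bof_buffer_size]
    end = ISO_TAG_OFFSET + len(ISO_TAG)
    if len(visible) < end:
        return None                                 # tag lies past the buffer
    return ISO_TAG_OFFSET if visible[ISO_TAG_OFFSET:end] == ISO_TAG else None


def primary_volume_id(data: bytes) -> Optional[str]:
    """Walk the descriptor set from sector 16 and return the primary volume
    identifier (bytes 40..71 of the PVD), or None if no PVD is found before
    the terminator or a non-descriptor sector."""
    off = VD_FIRST_SECTOR * SECTOR_SIZE
    while off + SECTOR_SIZE <= len(data):
        vd = data[off:off + SECTOR_SIZE]
        if vd[1:6] != ISO_TAG or vd[0] == VD_TERMINATOR:
            return None
        if vd[0] == VD_PRIMARY:
            return vd[40:72].decode("ascii", "replace").rstrip()
        off += SECTOR_SIZE
    return None


def build_sample_image(volume_id: str) -> bytes:
    """Constructed sample input: a minimal ISO-9660-shaped image with a PVD
    in sector 16 and a set terminator in sector 17. The system area
    (sectors 0-15) is left zeroed, which is why a 4096-byte BOF buffer sees
    nothing distinctive."""
    img = bytearray(18 * SECTOR_SIZE)
    pvd = VD_FIRST_SECTOR * SECTOR_SIZE
    img[pvd] = VD_PRIMARY
    img[pvd + 1:pvd + 6] = ISO_TAG
    img[pvd + 6] = 1                                # descriptor version
    img[pvd + 40:pvd + 72] = volume_id.encode("ascii").ljust(32)  # space padded
    term = pvd + SECTOR_SIZE
    img[term] = VD_TERMINATOR
    img[term + 1:term + 6] = ISO_TAG
    img[term + 6] = 1
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image("CONSTRUCTED_ISO")
    for size in (4096, minimum_bof_buffer_size(), len(image)):
        print(f"bof buffer {size:>6} bytes: CD001 at {find_iso9660_tag(image, size)}")
    print("primary volume id:", primary_volume_id(image))
```

If someone does try the local-signature route Jon suggests, the Zeek side would (as far as I can tell from the existing .sig files in that directory, so treat the exact form as an assumption to check) be a `file-magic` regex anchored at the start of the file with 32769 arbitrary bytes before `CD001`, plus a `redef` of `default_file_bof_buffer_size` to at least 32774; the script above is the arithmetic behind that number.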