File Identification Rules

File identification rules take advantage of Snort's detection engine to enable file type identification. These rules are basic Snort 3 rules, but instead of alerting on and/or blocking traffic, they identify files based on the file's contents and then define a file type that can be used in subsequent rules with the file_type option.

File identification rules have two key components:

  • a rule header consisting of only file_id, which tells Snort that the rule that follows is a file type definition
  • a file_meta rule option that sets the file metadata for a given file identification rule

Because these rules identify a file by its contents, rule writers should match any and all payload options against the file_data buffer.

More info on using the file_meta option is available on the file_meta manual page.

Examples:

file_id (
    msg:"Windows/DOS executable file";
    file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable";
    file_data;
    content:"| 4D 5A |", depth 2, offset 0;
    gid:4;
    sid:16;
    rev:1;
)

A file_id entry can also define a specific file type version, which is set via the version argument.

file_id (
    msg:"PDF file";
    file_meta:type PDF, id 282, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.0";
    file_data;
    content:"| 25 50 44 46 2D 31 2E 30 |", depth 8, offset 0;
    gid:4;
    sid:158;
    rev:1;
)
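To make the matching semantics of the two rules above concrete, here is an added Python example (not Snort code and not part of this page) that mirrors them: it converts the pipe-delimited hex content strings to bytes, applies the offset/depth window to a file_data buffer, and emulates a later rule's file_type option on top of the identified type. The rule table, the sample buffers and the helper names are constructed for the example.

```python
import re

# Constructed table mirroring the two file_id rules on this page.
FILE_ID_RULES = [
    {"type": "MSEXE", "id": 21, "version": None,
     "content": "| 4D 5A |", "offset": 0, "depth": 2},
    {"type": "PDF", "id": 282, "version": "1.0",
     "content": "| 25 50 44 46 2D 31 2E 30 |", "offset": 0, "depth": 8},
]

_HEX_RUN = re.compile(r"\|([^|]*)\|")  # hex bytes between pipes

def content_to_bytes(content: str) -> bytes:
    # Text between pipes is hex (whitespace ignored); text outside is literal.
    out, pos = b"", 0
    for m in _HEX_RUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    return out + content[pos:].encode("latin-1")

def content_matches(data: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    # Snort semantics: start `offset` bytes in and inspect at most `depth`
    # bytes, so the whole pattern has to fit inside that window.
    window = data[offset:offset + depth]
    return len(pattern) <= len(window) and pattern in window

def identify_file(data: bytes):
    # Return (type, id, version) from the first matching rule, else None.
    for rule in FILE_ID_RULES:
        pattern = content_to_bytes(rule["content"])
        if content_matches(data, pattern, rule["offset"], rule["depth"]):
            return rule["type"], rule["id"], rule["version"]
    return None

def file_type_option(data: bytes, wanted: set) -> bool:
    # Emulates a subsequent rule's file_type option: it fires only when the
    # identified type is one of the listed types.
    ident = identify_file(data)
    return ident is not None and ident[0] in wanted

# Constructed sample buffers: a DOS/PE stub, a PDF 1.0 header, a PDF 1.4
# header (no rule defines that version) and a plain text file.
SAMPLES = {
    "exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "pdf10": b"%PDF-1.0\n%\xe2\xe3\xcf\xd3\n",
    "pdf14": b"%PDF-1.4\n",
    "txt": b"hello world\n",
}
```

Note that the versioned PDF rule only identifies "%PDF-1.0" headers; a 1.4 document stays unidentified until a rule for that version exists.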

Enabling file identification

Use of file identification rules requires that the file_id and file_policy builtins be enabled in one's Snort 3 config. Fortunately, both are enabled by default in the standard snort.lua file:

file_id = { rules_file = 'file_magic.rules' }
file_policy = { }