File Identification Rules
File identification rules take advantage of Snort's detection engine to enable file type identification. These rules are basic Snort 3 rules, but instead of alerting on and/or blocking traffic, they identify files based on the contents of that file and then define a file type that can be used in subsequent rules with file_type options.
File identification rules have two key components:
- a rule header consisting of only file_id, which tells Snort that the rule that follows is a file type definition
- a file_meta rule option that sets the file metadata for a given file identification rule
Because these rules are used to identify a particular file, rule writers should evaluate any and all payload options against the file_data buffer (the examples below set file_data before their content checks for this reason).
More info on using the file_meta option is available on the file_meta manual page.
Examples:
file_id (
msg:"Windows/DOS executable file";
file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable";
file_data;
content:"| 4D 5A |", depth 2, offset 0;
gid:4;
sid:16;
rev:1;
)
A file_id entry can also define a specific file type version, which is set via the version argument.
file_id (
msg:"PDF file";
file_meta:type PDF, id 282, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.0";
file_data;
content:"| 25 50 44 46 2D 31 2E 30 |", depth 8, offset 0;
gid:4;
sid:158;
rev:1;
)
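The matching these rules describe, as an added Python example that is not Snort's code and not part of the original page: it parses the two file_id rules above (the hex-pipe content form with its depth and offset modifiers, plus the file_meta type, id and version fields) and applies each content check to the file_data buffer of constructed sample files. The regexes and dict layout are simplified assumptions for illustration, not Snort's own rule parser.

```python
import re

# The two file_id rules shown on this page, embedded so the example runs offline.
RULES = '''
file_id ( msg:"Windows/DOS executable file";
  file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable";
  file_data; content:"| 4D 5A |", depth 2, offset 0; gid:4; sid:16; rev:1; )
file_id ( msg:"PDF file";
  file_meta:type PDF, id 282, category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable", version "1.0";
  file_data; content:"| 25 50 44 46 2D 31 2E 30 |", depth 8, offset 0; gid:4; sid:158; rev:1; )
'''

# Rule body, file_meta fields, and the hex-pipe content form used on this page (simplified, assumed syntax).
RULE_RE = re.compile(r'file_id\s*\((.*?)\)', re.S)
META_RE = re.compile(r'file_meta:\s*type\s+(\w+),\s*id\s+(\d+)(?:.*?version\s+"([^"]*)")?', re.S)
CONTENT_RE = re.compile(r'content:"\|([0-9A-Fa-f\s]+)\|"(?:,\s*depth\s+(\d+))?(?:,\s*offset\s+(\d+))?')

def parse_rules(text):
    """Turn file_id rule text into dicts of file_meta values plus content checks."""
    rules = []
    for body in RULE_RE.findall(text):
        meta = META_RE.search(body)
        if meta is None or 'file_data;' not in body:   # not a usable file type definition
            continue
        contents = [(bytes.fromhex(hexs), int(depth) if depth else None, int(offset or 0))
                    for hexs, depth, offset in CONTENT_RE.findall(body)]
        rules.append({'type': meta.group(1), 'id': int(meta.group(2)),
                      'version': meta.group(3), 'contents': contents})
    return rules

def rule_matches(rule, file_data):
    """Every content must occur inside the window [offset, offset+depth) of file_data."""
    for pattern, depth, offset in rule['contents']:
        window = file_data[offset:] if depth is None else file_data[offset:offset + depth]
        if pattern not in window:
            return False
    return True

def identify(rules, file_data):
    """Return (type, id, version) of the first matching rule, or None."""
    for rule in rules:
        if rule_matches(rule, file_data):
            return rule['type'], rule['id'], rule['version']
    return None

if __name__ == '__main__':
    rules = parse_rules(RULES)
    # Constructed sample file contents: a PE stub, a PDF 1.0 header, a PDF 1.4 header, and MZ past the depth window.
    for sample in (b'MZ\x90\x00\x03\x00', b'%PDF-1.0\n%\xe2\xe3', b'%PDF-1.4\n', b'..MZ'):
        print(sample[:8], '->', identify(rules, sample))
```

Note that the last two samples return None: the PDF rule only names version 1.0, and depth 2 from offset 0 means an MZ signature that starts later in the buffer does not match.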
Enabling file identification
Use of file identification rules requires that the file_id and file_policy builtins are enabled in one's Snort 3 config. Fortunately, both are enabled by default in the standard snort.lua file:
file_id = { rules_file = 'file_magic.rules' }
file_policy = { }