File Identification Rules
Snort minimum required version: v3.1.35.0
File identification rules take advantage of Snort's detection engine to enable file type identification. They are ordinary Snort 3 rules, but instead of alerting on or blocking traffic they identify a file from its contents and assign it a file type, which subsequent rules can then match with the file_type option.
File identification rules have two key components:
- a rule header consisting of only file_id, which tells Snort that the rule that follows is a file type definition
- a file_meta rule option that sets the file metadata for the given file identification rule
Because these rules identify a file by its contents, every payload option in the rule should be evaluated in the file_data buffer: set file_data before the content options, as the examples below do.
More info on using the file_meta option is available on the file_meta manual page.
Examples:
file_id (
msg:"Windows/DOS executable file";
file_meta:type MSEXE,id 21,category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable";
file_data;
content:"|4D 5A|",depth 2,offset 0;
gid:4;
sid:16;
rev:1;
)
A file_id entry can also define a specific file type version, which is set via the version argument of file_meta.
file_id (
msg:"PDF file";
file_meta:type PDF,id 282,category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable",version "1.0";
file_data;
content:"|25 50 44 46 2D 31 2E 30|",depth 8,offset 0;
gid:4;
sid:158;
rev:1;
)
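As an added illustration, not part of the Snort manual or the Snort code base, the following Python script parses the two file_id rules shown above, evaluates their content options against constructed file headers using Snort's offset/depth semantics, and returns the type name, id and version that file_meta assigns. It handles only the options these two rules use (msg, file_meta, content with depth/offset, sid) and is a model of the matching logic, not Snort's engine; the sample byte strings are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: the two file_id rules from this page, as they would
# appear in a rules file.
SAMPLE_RULES = r'''
file_id (
    msg:"Windows/DOS executable file";
    file_meta:type MSEXE,id 21,category "Executables,Dynamic Analysis Capable,Local Malware Analysis Capable";
    file_data;
    content:"|4D 5A|",depth 2,offset 0;
    gid:4; sid:16; rev:1;
)
file_id (
    msg:"PDF file";
    file_meta:type PDF,id 282,category "PDF files,Dynamic Analysis Capable,Local Malware Analysis Capable",version "1.0";
    file_data;
    content:"|25 50 44 46 2D 31 2E 30|",depth 8,offset 0;
    gid:4; sid:158; rev:1;
)
'''


@dataclass
class ContentMatch:
    pattern: bytes
    offset: int = 0              # where in file_data the search starts
    depth: Optional[int] = None  # how many bytes from offset may be searched


@dataclass
class FileIdRule:
    msg: str
    type_name: str
    type_id: int
    version: Optional[str]
    sid: int
    contents: List[ContentMatch] = field(default_factory=list)


def decode_content(text: str) -> bytes:
    """Turn a Snort content string such as '|4D 5A|' or 'ab|00|cd' into bytes."""
    out = bytearray()
    for i, seg in enumerate(text.split('|')):
        # segments alternate: literal text, |hex|, literal text, ...
        out += seg.encode('latin-1') if i % 2 == 0 else bytes.fromhex(seg)
    return bytes(out)


def parse_rules(text: str) -> List[FileIdRule]:
    """Parse every 'file_id ( ... )' block into a FileIdRule."""
    rules = []
    for m in re.finditer(r'file_id\s*\((.*?)^\)', text, re.S | re.M):
        # split the body on ';' but not on a ';' inside double quotes
        opts = [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', m.group(1))]
        rule = FileIdRule(msg='', type_name='', type_id=-1, version=None, sid=-1)
        for opt in filter(None, opts):
            name, _, value = opt.partition(':')
            name, value = name.strip(), value.strip()
            if name == 'msg':
                rule.msg = value.strip('"')
            elif name == 'file_meta':
                rule.type_name = re.search(r'\btype (\w+)', value).group(1)
                rule.type_id = int(re.search(r'\bid (\d+)', value).group(1))
                ver = re.search(r'\bversion "([^"]*)"', value)
                rule.version = ver.group(1) if ver else None
            elif name == 'content':
                cm = re.match(r'"([^"]*)"(.*)', value)
                depth = re.search(r'\bdepth (\d+)', cm.group(2))
                offset = re.search(r'\boffset (\d+)', cm.group(2))
                rule.contents.append(ContentMatch(
                    pattern=decode_content(cm.group(1)),
                    offset=int(offset.group(1)) if offset else 0,
                    depth=int(depth.group(1)) if depth else None))
            elif name == 'sid':
                rule.sid = int(value)
        rules.append(rule)
    return rules


def match_rule(rule: FileIdRule, data: bytes) -> bool:
    """Evaluate each content option against the file_data buffer.

    The pattern must appear within the `depth` bytes that follow `offset`.
    The rules on this page use only absolute offset/depth, so each content
    is checked independently (no distance/within handling here).
    """
    for c in rule.contents:
        end = None if c.depth is None else c.offset + c.depth
        if c.pattern not in data[c.offset:end]:
            return False
    return True


def identify(rules: List[FileIdRule], data: bytes) -> Optional[Tuple[str, int, Optional[str]]]:
    """Return (type, id, version) from the first matching rule, or None."""
    for r in rules:
        if match_rule(r, data):
            return (r.type_name, r.type_id, r.version)
    return None


RULES = parse_rules(SAMPLE_RULES)

if __name__ == '__main__':
    samples = {                       # constructed file headers
        'MZ stub': b'MZ\x90\x00\x03\x00\x00\x00' + b'\x00' * 56,
        'PDF 1.0': b'%PDF-1.0\n%\xe2\xe3\xcf\xd3\n1 0 obj\n',
        'PDF 1.7': b'%PDF-1.7\n',
        'MZ not at offset 0': b'\x00MZ',
    }
    for label, blob in samples.items():
        print(f'{label:>20}: {identify(RULES, blob)}')
```

The last two samples show why offset and depth matter: "%PDF-1.7" does not match because this page's PDF rule pins the version bytes inside an 8-byte depth (the full file_magic.rules shipped with Snort carries separate rules for other versions), and a buffer whose "MZ" sits at offset 1 misses the executable rule because depth 2 from offset 0 never reaches it.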
Enabling file identification
Use of file identification rules requires that the file_id and file_policy builtins be enabled in one's Snort 3 config. Fortunately, both are enabled by default in the standard snort.lua file:
file_id = { rules_file = 'file_magic.rules' }
file_policy = { }