The file_meta rule option is used to set the file metadata for a given file identification rule. This option sets the type name, numerical id value, category, groups, and version for the file that will be matched.

This rule option has two required arguments:

  1. type type: string to give the file identifier a name
  2. id type_id: integer value that should be unique to this particular file identifier rule

There are also three additional optional arguments that rule-writers can use to add greater specificity to the file_id rule:

  1. category type_category: string that sets the category of the file being identified
  2. group type_groups: string that contains a list of groups—separated by commas—associated with that particular file type
  3. version type_version: string that sets the version of the particular file that's being identified

Each of these arguments is separated by commas.

Note: This rule option should only be used in file_id rules.


file_meta:type type, id type_id[, category "type_category"] \
          [, group "type_groups"][, version "type_version"];


# defines the parameters for Windows/DOS executable files
file_meta:type MSEXE, id 21, category "Executables,Dynamic Analysis Capable"; 
file_meta:type PDF, id 282, category "PDF files", version "1.0"; 
file_meta:type MOV, id 4, category "Multimedia", group "video";