The file_type rule option is used to write rules that are constrained to a given file type, a specific version of a file type, several different file types, or several file types of varying versions.
Rule writers use this option by specifying either a single file type name, a file type name and a specific version, or multiple file type names, each with optional version numbers. A version is specified by appending a comma and the version number to the type name (more than one version can be listed for the same type, each separated by a comma), and multiple type names are separated by a single space character.
The file_type argument should be wrapped in double quotes when a version is specified, so that the rule parser does not treat the comma as an option delimiter. The examples below quote the argument in every case, which is always safe.
It's important to note that successful use of file_type requires the presence of "file identification rules" that leverage the Snort rule engine to define the matches that indicate a particular file type is present in the traffic currently being inspected. Open source Snort 3 includes definitions for the most common file types, such as EXE, PDF, and Office files, and those are located in file_magic.rules.
These identification rules are written as file_id rules; more information about them and their syntax can be found in the file_id manual page.
Note: This is one of the few rule options where whitespace does matter: a single space is what separates one file type name from the next.
# look for PDF files
file_type:"PDF";

# look for version 1.6 PDF files
file_type:"PDF,1.6";

# look for version 1.6 or version 1.7 PDF files
file_type:"PDF,1.6,1.7";

# look for MSEXE, MSCAB, or MSOLE2 files
file_type:"MSEXE MSCAB MSOLE2";
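To make the grammar above concrete, here is an added Python model of how a file_type argument is parsed and then evaluated against an identified file. It is example code written for this page, not Snort's own parser or matching logic, and it assumes only what is documented here: type names separated by single spaces, comma-separated versions after a type name, and the quoted argument form. The rule lines and the (type, version) pairs it evaluates are constructed for the example; in Snort the type and version of a file would be established by a file_id rule match, not passed in as arguments.

```python
"""Model of the file_type option grammar (added example, not Snort code).

Grammar assumed, as documented for the option:
    arg      := token (" " token)*
    token    := TYPE ("," VERSION)*
A type with no versions matches any version of that type.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample rules for this example (hypothetical sids, not from any ruleset).
SAMPLE_RULES = [
    'alert http any any -> any any ( msg:"PDF 1.6 or 1.7 over HTTP"; '
    'file_type:"PDF,1.6,1.7"; sid:1000001; )',
    'alert http any any -> any any ( msg:"Windows executable containers"; '
    'file_type:"MSEXE MSCAB MSOLE2"; sid:1000002; )',
    'alert http any any -> any any ( msg:"PDF 1.6 or any MSEXE"; '
    'file_type:"PDF,1.6 MSEXE"; sid:1000003; )',
]

FILE_TYPE_RE = re.compile(r'file_type:\s*"([^"]*)"\s*;')
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")


def extract_file_type_arg(rule: str) -> Optional[str]:
    """Return the quoted file_type argument from a rule, or None if the rule has none."""
    m = FILE_TYPE_RE.search(rule)
    return m.group(1) if m else None


def parse_file_type(arg: str) -> Dict[str, Optional[Set[str]]]:
    """Parse 'PDF,1.6,1.7 MSEXE' into {'PDF': {'1.6', '1.7'}, 'MSEXE': None}.

    None means "any version of this type". Whitespace is the type separator,
    which is why a doubled or stray space is rejected rather than ignored.
    """
    spec: Dict[str, Optional[Set[str]]] = {}
    for token in arg.split(" "):
        if not token:
            raise ValueError(f"empty type name in {arg!r}: check for extra spaces")
        name, *versions = token.split(",")
        if not name or any(v == "" for v in versions):
            raise ValueError(f"malformed file_type token {token!r} in {arg!r}")
        if not versions:
            spec[name] = None  # bare type name: any version
        elif spec.get(name, set()) is not None:
            spec.setdefault(name, set()).update(versions)
    return spec


def file_type_error(arg: str) -> Optional[str]:
    """Return the parse error for arg, or None when it is well formed."""
    try:
        parse_file_type(arg)
    except ValueError as err:
        return str(err)
    return None


def matches(spec: Dict[str, Optional[Set[str]]],
            identified_type: str,
            identified_version: Optional[str] = None) -> bool:
    """True if a file identified as (type, version) satisfies the parsed option."""
    if identified_type not in spec:
        return False
    allowed = spec[identified_type]
    return allowed is None or identified_version in allowed


def firing_sids(rules: List[str],
                identified_type: str,
                identified_version: Optional[str] = None) -> List[int]:
    """Return the sids of rules whose file_type option matches the identified file."""
    hits = []
    for rule in rules:
        arg = extract_file_type_arg(rule)
        if arg is None:
            continue
        if matches(parse_file_type(arg), identified_type, identified_version):
            hits.append(int(SID_RE.search(rule).group(1)))
    return hits


if __name__ == "__main__":
    # Example walk-through with the constructed rules above.
    for t, v in [("PDF", "1.6"), ("PDF", "1.7"), ("PDF", "1.5"), ("MSEXE", None)]:
        print(f"{t} {v or '(any)'}: {firing_sids(SAMPLE_RULES, t, v)}")
    print("error for 'PDF  MSEXE':", file_type_error("PDF  MSEXE"))
```

The point of the strict whitespace handling in parse_file_type is the note above: because a space is the only thing that separates one type name from the next, a stray second space yields an empty token, and silently ignoring it would hide a rule that does not mean what its author intended.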