file_type
The file_type rule option is used to write rules that are constrained to a given file type, a specific version of a file type, several different file types, or several file types of varying versions.
Rule writers can use this option by specifying either a single file type name, a file type name and a specific version, or multiple file type names with optional version numbers. File type version numbers are specified with a comma followed by the specific version number to look for, and multiple type names are then separated by a single space character.
The entire file_type argument should be wrapped in double quotes if specifying a version as well.
Use of file identification rules
It's important to note that successful use of file_type requires the presence of "file identification rules" that leverage the Snort rule engine to define the matches that indicate a particular file type is present in the traffic currently being inspected. Open source Snort 3 includes definitions for the most common file types, such as EXE, PDF, and Office files, and those are located in file_magic.rules.
These identification rules are created as file_id rules, and more info about them and their syntax can be found in the file_id manual page.
Format:
file_type:"type_name[,type_version]…[ type_name[,type_version]…]…";
Note: This is one of the few rule options where whitespace does matter.
Examples:
# look for PDF files
file_type:"PDF";
# look for version 1.6 PDF files
file_type:"PDF,1.6";
# look for version 1.6 or version 1.7 PDF files
file_type:"PDF,1.6,1.7";
# look for MSEXE, MSCAB, or MSOLE2 files
file_type:"MSEXE MSCAB MSOLE2";
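The format line above is terse, and the note that whitespace matters is easy to get wrong when generating rules from a script. The following Python is an added example, not part of this manual page or of Snort's own code: it parses the quoted file_type argument according to the grammar given here (type names separated by a single space, each optionally followed by comma-separated versions), rejects the malformed forms that Snort would refuse at load time, and applies the match semantics the examples describe (an entry with no versions matches any version of that type; an entry with versions matches only those). The sample rule, its header, and the `matches` helper are constructed for illustration and are assumptions, not Snort internals.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Grammar from the file_type manual page:
#   file_type:"type_name[,type_version]...[ type_name[,type_version]...]...";
# Type names are separated by exactly one space; versions follow their
# type name, each introduced by a comma. Whitespace is significant.


@dataclass
class FileTypeSpec:
    type_name: str
    versions: List[str] = field(default_factory=list)


def parse_file_type_arg(arg: str) -> List[FileTypeSpec]:
    """Parse the argument of file_type into (type, versions) entries.

    Raises ValueError on input Snort would reject: empty names, stray
    commas, leading/trailing whitespace, or runs of more than one space.
    """
    if len(arg) >= 2 and arg.startswith('"') and arg.endswith('"'):
        arg = arg[1:-1]
    elif "," in arg or " " in arg:
        # the page: versions (and multiple types) require the quoted form
        raise ValueError("file_type argument with versions or several types must be quoted")
    if not arg or arg != arg.strip():
        raise ValueError("file_type argument must be non-empty with no outer whitespace")
    specs: List[FileTypeSpec] = []
    for entry in arg.split(" "):
        if not entry:
            raise ValueError("type names must be separated by a single space")
        parts = entry.split(",")
        if any(p == "" for p in parts):
            raise ValueError(f"empty type name or version in {entry!r}")
        specs.append(FileTypeSpec(parts[0], parts[1:]))
    return specs


# Locate the file_type option inside a rule body (quoted or bare argument).
OPTION_RE = re.compile(r'file_type:(".*?"|[^;"\s]+);')


def extract_file_type(rule: str) -> Optional[List[FileTypeSpec]]:
    """Return the parsed file_type specs of a rule, or None if absent."""
    m = OPTION_RE.search(rule)
    return parse_file_type_arg(m.group(1)) if m else None


def matches(specs: List[FileTypeSpec], observed_type: str, observed_version: str) -> bool:
    """Match semantics as the page's examples describe them (assumption):
    a type listed without versions matches any version; a type listed
    with versions matches only those versions."""
    for spec in specs:
        if spec.type_name == observed_type:
            return not spec.versions or observed_version in spec.versions
    return False


# Constructed rule (not from the page); header and sid are placeholders.
SAMPLE_RULE = (
    'alert tcp any any -> any any ( msg:"PDF 1.6 or 1.7 observed"; '
    'file_type:"PDF,1.6,1.7"; sid:1000001; rev:1; )'
)


if __name__ == "__main__":
    for spec in extract_file_type(SAMPLE_RULE) or []:
        print(spec.type_name, spec.versions or "any version")
```

Feeding `"PDF  MSEXE"` (two spaces) or `"PDF,"` to `parse_file_type_arg` raises, which is the check you want in a rule-generation pipeline before the rules ever reach Snort.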