file_type

The file_type rule option is used to write rules that are constrained to a given file type, a specific version of a file type, several different file types, or several file types of varying versions.

Rule writers can use this option by specifying either a single file type name, a file type name and a specific version, or multiple file type names with optional version numbers. File type version numbers are specified with a comma followed by the specific version number to look for, and multiple type names are then separated by a single space character.

The entire file_type argument should be wrapped in double quotes if specifying a version as well.

Use of file identification rules

It's important to note that successful use of file_type requires the presence of "file identification rules" that leverage the Snort rule engine to define the matches that indicate a particular file type is present in the traffic currently being inspected. Open source Snort 3 includes definitions for the most common file types, such as EXE, PDF, and Office files, and those are located in file_magic.rules.

These identification rules are created as file_id rules, and more info about them and their syntax can be found in the file_id manual page.

Format:

file_type:"type_name[,type_version]…[ type_name[,type_version]…]…";

Note: This is one of the few rule options where whitespace does matter.

Examples:

# look for PDF files
file_type:"PDF";
# look for version 1.6 PDF files
file_type:"PDF,1.6";
# look for version 1.6 or version 1.7 PDF files
file_type:"PDF,1.6,1.7";
# look for MSEXE, MSCAB, or MSOLE2 files
file_type:"MSEXE MSCAB MSOLE2";
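As an added illustration of the syntax above (example code, not part of Snort or this manual page): a small Python parser that pulls the file_type option out of a rule line, enforces the whitespace and comma rules described above, and checks whether an identified file (type name, version) would satisfy it. The sample rules are constructed, and the matching semantics (a type name with no versions matches any version of that type) are an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules; the file_type values are the ones shown in the examples above.
SAMPLE_RULES = [
    'alert http any any -> any any (msg:"PDF download"; file_type:"PDF"; sid:1000001;)',
    'alert http any any -> any any (msg:"PDF 1.6 or 1.7"; file_type:"PDF,1.6,1.7"; sid:1000002;)',
    'alert http any any -> any any (msg:"MS binaries"; file_type:"MSEXE MSCAB MSOLE2"; sid:1000003;)',
]


@dataclass
class FileTypeSpec:
    type_name: str
    versions: list = field(default_factory=list)  # empty list: any version of this type


def parse_file_type(arg: str) -> list:
    """Parse the file_type argument (contents of the double quotes).

    Whitespace is significant: entries are separated by exactly one space and
    versions are attached to a type name with commas. Leading/trailing spaces,
    double spaces, empty names or empty versions are rejected.
    """
    if arg == "" or arg != arg.strip() or "  " in arg:
        raise ValueError(f"malformed file_type argument: {arg!r}")
    specs = []
    for entry in arg.split(" "):
        name, *versions = entry.split(",")
        if not name or any(v == "" for v in versions):
            raise ValueError(f"malformed file_type entry: {entry!r}")
        specs.append(FileTypeSpec(name, versions))
    return specs


_OPT_RE = re.compile(r'file_type:\s*"([^"]*)"\s*;')


def file_types_in_rule(rule: str) -> list:
    """Extract and parse the file_type option from one rule line ([] if absent)."""
    m = _OPT_RE.search(rule)
    return [] if m is None else parse_file_type(m.group(1))


def matches(specs: list, observed_type: str, observed_version=None) -> bool:
    """Assumed semantics: the identified file satisfies the option if any entry
    names its type and either lists no versions or lists the observed version."""
    return any(
        s.type_name == observed_type and (not s.versions or observed_version in s.versions)
        for s in specs
    )
```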