file_data

The file_data option sets the detection cursor to either the HTTP response body for HTTP traffic or file data sent via other application protocols that has been processed and captured by Snort's "file API". Data in this buffer can contain normalized and decoded data depending on the service used to send the file data, as well as the specific configurations enabled for the different service inspectors included in Snort.

Using this option to detect file data is as simple as specifying file_data; before any and all payload options one wants to match in that buffer.

This rule option can be used several times in a rule if desired.

Services that support the file_data buffer include:

  • http
  • pop3
  • imap
  • smtp
  • ftp-data
  • netbios-ssn

The following sub-sections explain what the file_data buffer could contain for each of the above services. One should refer to each inspector's default configurations, and adjust them accordingly in the Snort Lua configuration.

HTTP

For HTTP traffic, the file_data buffer points to the normalized HTTP response body, and the specific normalizations that occur depend on one's Snort configuration. This includes things like the decompression of ZIP, SWF, and PDF files, the decoding of UTF-* encodings, JavaScript normalization, and deflate and gzip decompression. Additionally, Snort can also de-chunk chunked messages and place the de-chunked message body in the file_data buffer.

The default configurations can be seen with the following Snort command:

$ snort --help-module http_inspect

POP3/IMAP/SMTP

The file_data buffer for mail traffic also depends on one's specific configuration. By default, Snort will place email headers, decoded MIME attachments, and non-decoded MIME attachments in the file_data buffer. The decoders enabled by default in Snort include base64, quoted-printable, non-encoded (7-bit/8-bit/binary) MIME, and Unix-to-Unix.

Note that if MIME decoding is disabled, then Snort will place the unencoded MIME data in the file_data buffer.

The default configurations can be seen with the following commands:

$ snort --help-module pop
$ snort --help-module imap
$ snort --help-module smtp

FTP data

For FTP traffic, the file_data buffer will contain any raw files sent over an FTP-data session.

SMB

Snort 3's DCE/RPC service inspector is aware of SMB request and response command codes and will process files seen in SMB2 READ responses and SMB2 WRITE requests. The file_data buffer is then set to the raw files processed in both of these two SMB message types.

The default configuration can be seen with the following command:

$ snort --help-module dce_smb

Format:

file_data;

Examples:

alert http (
  …
  flow:to_client,established;
  file_data;
  content:"<script>var aaaaaaa";
  …
)
alert file (
  …
  flow:to_client,established;
  file_data;
  content:"MZ",depth 2;
  …
)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (
  …
  file_data;
  content:"decoded SMTP file here";
  …
)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (
  …
  content:"|FE|SMB";
  content:"|08|", distance 8, within 1;
  file_data;
  content:"MALWARE";
  …
)
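The following snort.lua fragment is an added example and is not part of the Snort documentation or source tree. It ties the HTTP, mail and SMB sub-sections above together: the inspector settings that decide what lands in file_data for each service, followed by one complete rule per service in ips.rules. Option names follow the output of snort --help-module for the Snort 3.1 series; the smb_file_depth semantics noted in the comment, the assumption that the shipped snort.lua already binds these inspectors via the wizard, and the sids, messages and network variables are all assumptions for illustration, not values from the page.

```lua
-- Added example (not from the Snort project). Append to, or merge with, the
-- snort.lua shipped in etc/, which already provides the wizard/binder entries
-- that route traffic to these inspectors (assumed).
-- Confirm option names and defaults for your release with:
--   snort --help-module http_inspect   (likewise smtp, pop, imap, dce_smb)
-- Run with:  snort -c snort.lua -r capture.pcap -A alert_fast

HOME_NET = 'any'        -- illustrative; set to your address space
EXTERNAL_NET = 'any'

-- HTTP: these settings decide what the normalized response body in file_data
-- looks like. The decompress_* options are off by default.
http_inspect =
{
    response_depth = -1,        -- -1 = inspect the whole response body
    unzip = true,               -- gzip / deflate Content-Encoding
    normalize_utf = true,       -- decode UTF-16/32 bodies to UTF-8
    decompress_pdf = true,      -- enable if rules look inside PDF streams
    decompress_swf = true,      -- compressed SWF (CWS/ZWS)
    decompress_zip = true,      -- ZIP containers (e.g. OOXML documents)
}

-- Mail: decode depths. -1 = unlimited, 0 = disable that decoder,
-- N = decode at most N bytes of each attachment. With a decoder disabled the
-- still-encoded MIME body is what reaches file_data, so a content match on
-- the decoded bytes (e.g. "MZ") would silently miss.
smtp =
{
    b64_decode_depth = -1,
    qp_decode_depth = -1,
    uu_decode_depth = -1,
    bitenc_decode_depth = -1,   -- non-encoded (7bit/8bit/binary) MIME bodies
}
pop  = { b64_decode_depth = -1, qp_decode_depth = -1,
         uu_decode_depth = -1,  bitenc_decode_depth = -1 }
imap = { b64_decode_depth = -1, qp_decode_depth = -1,
         uu_decode_depth = -1,  bitenc_decode_depth = -1 }

-- SMB: bytes of each SMB2 READ response / WRITE request handed to file_data.
-- Assumed semantics (check --help-module dce_smb): 0 = unlimited, -1 = off.
dce_smb = { smb_file_depth = 0 }

-- One complete rule per service. sids 1000001-1000003 are local, hypothetical.
-- Each looks for a PE header at the very start of the file_data buffer;
-- "depth 2" is relative to the buffer start, not the packet payload.
ips =
{
    rules = [[
    alert http $EXTERNAL_NET any -> $HOME_NET any (
        msg:"EXAMPLE PE executable in HTTP response body";
        flow:to_client,established;
        file_data;
        content:"MZ",depth 2;
        sid:1000001; rev:1;
    )
    alert smtp $EXTERNAL_NET any -> $HOME_NET 25 (
        msg:"EXAMPLE PE executable in decoded mail attachment";
        flow:to_server,established;
        file_data;
        content:"MZ",depth 2;
        sid:1000002; rev:1;
    )
    alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (
        msg:"EXAMPLE PE executable written to SMB share";
        flow:to_server,established;
        content:"|FE|SMB";
        content:"|09 00|",distance 8,within 2;
        file_data;
        content:"MZ",depth 2;
        sid:1000003; rev:1;
    )
    ]],
}
```

In the SMB rule, the two-byte Command field sits at offset 12 of the SMB2 header (4-byte ProtocolId, 2-byte StructureSize, 2-byte CreditCharge, 4-byte Status). After "|FE|SMB" matches, the cursor is at offset 4, so distance 8 lands on the Command field and within 2 pins the little-endian value 0x0009 (WRITE) there; 0x0008 (READ) would be the value to use in a to_client rule over READ responses. Because the rule header is client to server, the WRITE request is the message that actually carries file bytes in that direction. Leaving out depth/offset on "|FE|SMB" matters: over direct TCP the SMB2 header is preceded by a 4-byte NetBIOS session header, so it is not at payload offset 0.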