file_type

Use the file_type keyword to match a class of file types, where each class contains several related subtypes. The IPS engine file type matching uses "file magic" to decide what type of file the content is, working in a manner similar to the Linux file command.

Currently, for the HTTP protocol, the first 13 or more bytes of body content will be categorized into a file type. If the result is a subtype of the class specified by a --file_type <class> option in a signature, it is a match.

In most cases, the file type is identified by the file type function. When that function cannot determine the type, the engine can fall back on protocol fields such as Content-Type, if they are present. The file type is therefore not limited to the subtypes listed below. For example, a TIFF file is marked as file type IMAGE by the IPS engine, even though TIFF is not included in the engine's own file type function.

The feature works in this manner:

  1. The traffic is parsed by the protocol decoder.
  2. A check is done to determine the presence of a file for HTTP, MIME, and FTP.
  3. If the decoder finds that there is a file in the traffic, it will call the file type function to identify what type of file it is.
  4. To narrow down the file type results, a class is selected based on the file type.
  5. The result is saved with the protocol, for signature use. If a signature includes this keyword, it will check whether the given type has been matched.

Syntax:

--file_type <class>;

The file type classes are listed in the following table with their associated subtypes:

| <class>  | subtypes                                                                                   |
|----------|--------------------------------------------------------------------------------------------|
| COMPRESS | arj, bzip, bzip2, cab, gzip, lzh, lzw, rar, rpm, tar, upx, zip                              |
| IMAGE    | gif, gif87a, gif89a, jpeg, png                                                             |
| SCRIPT   | .bat, .css, .hta, .vba, .vbs, genscript, javascript, perlscript, shellscript, wordbasic    |
| VIDEO    | .avi, MPEG                                                                                 |
| AUDIO    | .mp3                                                                                       |
| STREAM   | stream                                                                                     |
| MSOFFICE | MSOFFICE, PPT                                                                              |
| PDF      | .pdf                                                                                       |
| FLASH    | FLASH                                                                                      |
| EXE      | .com, .dll, .exe                                                                           |
| HTML     | HTML                                                                                       |
| XML      | XML, WORDML                                                                                |
| UNKNOWN  | unknown, ActiveMIME, AIM, FORM, HLP, MIME, .txt                                            |

Examples:
--file_type PDF;
--file_type EXE;
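The following is an added illustration of the matching steps described above (magic-based subtype detection on the first bytes of an HTTP body, mapping the subtype to a file_type class, and falling back on Content-Type when the magic is unknown). It is not the IPS engine's code; the magic prefixes and the Content-Type fallback table are assumptions chosen for the example, and only a few of the table's subtypes are included.

```python
# Added example: emulate how "--file_type <class>;" is evaluated against
# an HTTP body. Magic values and the Content-Type fallback are assumed for
# illustration and are not the IPS engine's own tables.

# Magic prefix -> subtype (assumed, well-known signatures)
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"GIF87a", "gif87a"),
    (b"GIF89a", "gif89a"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Subtype -> class, following the table on this page
CLASS_OF = {
    "pdf": "PDF", "exe": "EXE",
    "zip": "COMPRESS", "gzip": "COMPRESS", "rar": "COMPRESS",
    "gif87a": "IMAGE", "gif89a": "IMAGE", "png": "IMAGE", "jpeg": "IMAGE",
}

# Content-Type fallback used only when no magic matched (assumed mapping);
# this is how a TIFF body can still be classed as IMAGE.
CONTENT_TYPE_CLASS = {"image/": "IMAGE", "application/pdf": "PDF"}


def file_type_class(body: bytes, content_type: str = "") -> str:
    """Return the file_type class for an HTTP body, or UNKNOWN."""
    head = body[:13]  # the engine categorizes the first 13 or more bytes
    for magic, subtype in MAGIC:
        if head.startswith(magic):
            return CLASS_OF[subtype]
    ct = content_type.lower()
    for prefix, cls in CONTENT_TYPE_CLASS.items():
        if ct.startswith(prefix):
            return cls
    return "UNKNOWN"


def signature_matches(body: bytes, content_type: str, wanted: str) -> bool:
    """True when a signature carrying '--file_type <wanted>;' would match."""
    return file_type_class(body, content_type) == wanted
```

Note that the magic check runs before the header is consulted, so an executable served with a misleading Content-Type is still classed as EXE.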