file_type

Use the file_type keyword to match a class of file types, where each class contains several related subtypes. The IPS engine decides what type of file the content is by inspecting its "file magic" (the leading bytes of the content), working in a manner similar to the Linux file command.

Currently, for the HTTP protocol, the first 13 or more bytes of body content are categorized into a file type. If the result is a subtype of the class specified by a --file_type <class> option in a signature, the keyword matches.

The detected file types are not limited to the subtypes listed in the table below. When you are unsure which class a file will be assigned to, you can also rely on protocol fields such as the HTTP content-type header, where they are present. For example, the IPS engine marks a TIFF file as file type IMAGE.

The feature works in this manner:

  1. The traffic is parsed by the protocol decoder.
  2. A check is done to determine the presence of a file for HTTP, MIME, and FTP.
  3. If the decoder finds that there is a file in the traffic, it calls the file type function to identify what type of file it is.
  4. To narrow down the file type results, a class is selected based on the detected file type.
  5. The result is saved with the protocol context for signature use. If a signature includes this keyword, it checks whether the given class has been matched.

Syntax:

--file_type <class>;

The file type classes are listed in the following table with their associated subtypes:

<class>     subtypes
COMPRESS    arj, bzip, bzip2, cab, gzip, lzh, lzw, rar, rpm, tar, upx, zip
IMAGE       gif, gif87a, gif89a, jpeg, png
SCRIPT      .bat, .css, .hta, .vba, .vbs, genscript, javascript, perlscript, shellscript, wordbasic
VIDEO       .avi, MPEG
AUDIO       .mp3
STREAM      stream
MSOFFICE    MSOFFICE, PPT
PDF         .pdf
FLASH       FLASH
EXE         .com, .dll, .exe
HTML        HTML
XML         XML, WORDML
UNKNOWN     unknown, ActiveMIME, AIM, FORM, HLP, MIME, .txt

Examples:
--file_type PDF;
--file_type EXE;
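The following is an added illustration, not Fortinet's IPS engine code: a toy "file magic" classifier that examines the first 13 bytes of an HTTP body, maps the result to one of the classes above, and evaluates a --file_type <class> rule against it. The magic byte sequences are well-known public file signatures; the HTTP response is constructed for the example, and its Content-Type header deliberately disagrees with the body to show why the keyword relies on content rather than on declared type.

```python
# Added example (not the IPS engine's code): detect the file class of an HTTP
# body from its leading bytes, then evaluate a `--file_type <class>;` rule.
MAGIC = [  # (leading bytes, class from the table above, subtype)
    (b"%PDF-", "PDF", ".pdf"),
    (b"MZ", "EXE", ".exe"),                  # PE/DOS executable, .exe/.dll/.com
    (b"PK\x03\x04", "COMPRESS", "zip"),
    (b"\x1f\x8b", "COMPRESS", "gzip"),
    (b"Rar!\x1a\x07", "COMPRESS", "rar"),
    (b"\x89PNG\r\n\x1a\n", "IMAGE", "png"),
    (b"GIF87a", "IMAGE", "gif87a"),
    (b"GIF89a", "IMAGE", "gif89a"),
    (b"\xff\xd8\xff", "IMAGE", "jpeg"),
]

MIN_BYTES = 13  # the page states at least the first 13 body bytes are examined


def classify(body: bytes):
    """Return (class, subtype) for a body prefix, ("UNKNOWN", "unknown") if no
    magic matches, or None when fewer than MIN_BYTES are available yet."""
    if len(body) < MIN_BYTES:
        return None
    head = body[:MIN_BYTES]
    for magic, cls, sub in MAGIC:
        if head.startswith(magic):
            return cls, sub
    return "UNKNOWN", "unknown"


def split_http(raw: bytes):
    """Split a raw HTTP response into (headers, body). Constructed helper:
    no chunked or compressed transfer encodings are handled."""
    header_blob, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in header_blob.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def signature_matches(raw: bytes, wanted_class: str) -> bool:
    """Emulate `--file_type <class>;`: True if the detected class equals wanted_class."""
    _, body = split_http(raw)
    result = classify(body)
    return result is not None and result[0] == wanted_class


# Constructed sample: header claims image/png, but the body starts with a PE header.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 32\r\n\r\n"
          b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16)

if __name__ == "__main__":
    print(classify(split_http(SAMPLE)[1]))   # ('EXE', '.exe')
    print(signature_matches(SAMPLE, "EXE"))  # True
```

A real engine maintains far more magic entries than this toy table, and a response whose declared Content-Type disagrees with the detected class is itself worth flagging in detection logic.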
