Use the file_type keyword to match a class of file types, where each class contains several related subtypes. Currently, for the HTTP protocol, the first 13 or more bytes of body content are categorized into a file type. The IPS engine's file type matching uses 'file magic' to decide what type of file the content is, working in a manner similar to the Linux file command. However, when you are unsure about the file type, you can rely on the protocol fields if they carry a field such as content-type. In most cases, the identification of file type is handled by the file type function. If the result is a subtype of the class specified by a -file_type option in a signature, it is a match.

The traffic is parsed by the protocol decoder. For example, a tiff file will be marked as file type IMAGE by the IPS engine, even though it is not included in our own file type function. So, file type may not be limited to the subtypes listed below.
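The matching flow described above, as an added illustration that is not the IPS engine's own code: magic bytes from the first 13 body bytes decide the (class, subtype), the content-type field is consulted only when the magic is unknown, and a signature matches on the class. The magic and content-type tables are constructed samples, not the engine's real list.

```python
# Added example, not FortiGate/IPS engine code. Classifies an HTTP body by
# 'file magic' on its first bytes, falls back to the protocol decoder's
# content-type field, then performs the class-level match of file_type.
# The tables below are constructed samples; the engine's real list is not on the page.

MAGIC_TABLE = [
    # (magic prefix, class, subtype) -- constructed sample entries
    (b"\x89PNG\r\n\x1a\n", "IMAGE", "png"),
    (b"\xff\xd8\xff", "IMAGE", "jpeg"),
    (b"GIF8", "IMAGE", "gif"),
    (b"%PDF-", "DOCUMENT", "pdf"),
    (b"PK\x03\x04", "ARCHIVE", "zip"),
    (b"MZ", "EXECUTABLE", "pe"),
]

# Fallback used only when no magic matches; tiff is deliberately absent from
# MAGIC_TABLE so it is classed as IMAGE via content-type, as the text describes.
CONTENT_TYPE_TABLE = {
    "image/tiff": ("IMAGE", "tiff"),
    "image/png": ("IMAGE", "png"),
    "application/pdf": ("DOCUMENT", "pdf"),
}

MIN_BODY_BYTES = 13  # the page states the first 13 or more body bytes are used


def classify(body, headers=None):
    """Return (class, subtype) for an HTTP body, or None when undecided."""
    if len(body) < MIN_BODY_BYTES:
        return None  # assumption: not enough body yet to categorize
    head = body[:MIN_BODY_BYTES]
    for magic, ftype, subtype in MAGIC_TABLE:
        if head.startswith(magic):
            return ftype, subtype
    # Unsure from magic: rely on the protocol field content-type instead.
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    return CONTENT_TYPE_TABLE.get(ctype)


def file_type_matches(wanted_class, body, headers=None):
    """True when the detected type is a subtype of the signature's class."""
    result = classify(body, headers)
    return result is not None and result[0] == wanted_class
```

Magic takes precedence: a body that starts with a PDF header is DOCUMENT even if the content-type header claims image/tiff.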