Overview: The file_type and file_group Keywords

The file_type and file_group keywords allow you to detect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB) based on their type and version. Do not use more than one file_type or file_group keyword in a single intrusion rule.

Tip

Updating your vulnerability database (VDB) populates the intrusion rules editor with the most up-to-date file types, versions, and groups.

Note

The system does not automatically enable preprocessors to accommodate the file_type and file_group keywords.

You must enable specific preprocessors if you want to generate events and, in an inline deployment, drop offending packets for traffic matching your file_type or file_group keywords.

file_type and file_group Intrusion Event Generation

| Protocol | Required Preprocessor or Preprocessor Option |
|---|---|
| FTP | FTP/Telnet preprocessor and the Normalize TCP Payload inline normalization preprocessor option |
| HTTP | HTTP Inspect preprocessor to generate intrusion events in HTTP traffic |
| SMTP | SMTP preprocessor to generate intrusion events in SMTP traffic |
| IMAP | IMAP preprocessor |
| POP3 | POP preprocessor |
| NetBIOS-ssn (SMB) | The DCE/RPC preprocessor and the SMB File Inspection DCE/RPC preprocessor option |