Overview: The file_type and file_group Keywords
The file_type and file_group keywords allow you to detect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB) based on their type and version. Do not use more than one file_type or file_group keyword in a single intrusion rule.
Tip: Updating your vulnerability database (VDB) populates the intrusion rules editor with the most up-to-date file types, versions, and groups.

Note: The system does not automatically enable preprocessors to accommodate the
You must enable specific preprocessors if you want to generate events and, in an inline deployment, drop offending packets for traffic matching your file_type or file_group keywords.
| Protocol | Required Preprocessor or Preprocessor Option |
|---|---|
| FTP | FTP/Telnet preprocessor and the Normalize TCP Payload inline normalization preprocessor option |
| HTTP | HTTP Inspect preprocessor to generate intrusion events in HTTP traffic |
| SMTP | SMTP preprocessor to generate intrusion events in HTTP traffic |
| IMAP | IMAP preprocessor |
| POP3 | POP preprocessor |
| NetBIOS-ssn (SMB) | The DCE/RPC preprocessor and the SMB File Inspection DCE/RPC preprocessor option |