The file_data Keyword

The file_data keyword sets a pointer that other keywords such as content, byte_jump, byte_test, and pcre use as the reference point for their positional arguments. The type of data the pointer refers to depends on the traffic that was detected. You can use the file_data keyword to point to the beginning of the following payload types:

  • HTTP response body

    To inspect HTTP response packets, the HTTP Inspect preprocessor must be enabled and you must configure the preprocessor to inspect HTTP responses. The file_data keyword matches if the HTTP Inspect preprocessor detects HTTP response body data.

  • Uncompressed gzip file data

    To inspect uncompressed gzip files in the HTTP response body, the HTTP Inspect preprocessor must be enabled and you must configure the preprocessor to inspect HTTP responses and to decompress gzip-compressed files in the HTTP response body. For more information, see the Inspect HTTP Responses and Inspect Compressed Data Server-Level HTTP Normalization options. The file_data keyword matches if the HTTP Inspect preprocessor detects uncompressed gzip data in the HTTP response body.

  • Normalized JavaScript

    To inspect normalized JavaScript data, the HTTP Inspect preprocessor must be enabled and you must configure the preprocessor to inspect HTTP responses. The file_data keyword matches if the HTTP Inspect preprocessor detects JavaScript in response body data.

  • SMTP payload

    To inspect the SMTP payload, the SMTP preprocessor must be enabled. The file_data keyword matches if the SMTP preprocessor detects SMTP data.

  • Encoded email attachments in SMTP, POP, or IMAP traffic

    To inspect email attachments in SMTP, POP, or IMAP traffic, the corresponding preprocessor (SMTP, POP, or IMAP) must be enabled; you can enable any one of them or any combination. For each enabled preprocessor, you must also ensure that it is configured to decode each attachment encoding type that you want decoded. The attachment decoding options that you can configure for each preprocessor are: Base64 Decoding Depth, 7-Bit/8-Bit/Binary Decoding Depth, Quoted-Printable Decoding Depth, and Unix-to-Unix Decoding Depth.

You can use multiple file_data keywords in a rule.
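The following two rules are an added example, not part of the original documentation, showing how file_data moves the reference point for the keywords that follow it. The msg text, sid values, and the assumption that $HTTP_PORTS and $SMTP_PORTS are defined in the rule variables are placeholders.

```snort
# Added example rules (not from the original page); sid/msg values are placeholders.
# Both rules detect a Windows PE executable by its "MZ" DOS header followed by the
# "PE\0\0" signature. Without file_data, "depth:2" would be measured from the start
# of the raw TCP payload (the HTTP headers or SMTP commands), so "MZ" would never be
# found at offset 0. With file_data, depth:2 is measured from the first byte of the
# decompressed response body or the decoded attachment.

# Rule 1: PE file in an HTTP response body. Requires HTTP Inspect with response
# inspection (and gzip decompression if the server compresses the body).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE PE executable delivered in HTTP response body"; \
    flow:to_client,established; \
    file_data; \
    content:"MZ"; depth:2; \
    content:"PE|00 00|"; distance:0; \
    classtype:trojan-activity; sid:1000001; rev:1; )

# Rule 2: PE file inside a decoded email attachment. Requires the SMTP preprocessor
# with the relevant attachment decoding depth (for example Base64) set to a non-zero
# value. The second file_data resets the pointer to the start of the attachment, so
# the DOS-stub string search covers the whole buffer regardless of where the earlier
# "PE\0\0" match ended. This is the "multiple file_data keywords in a rule" case.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORTS ( \
    msg:"EXAMPLE PE executable in decoded email attachment"; \
    flow:to_server,established; \
    file_data; \
    content:"MZ"; depth:2; \
    content:"PE|00 00|"; distance:0; \
    file_data; \
    content:"This program cannot be run in DOS mode"; \
    classtype:trojan-activity; sid:1000002; rev:1; )
```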