properties. They depend on properly configured
:doc:`../file-extraction/file-extraction`.
+file.data
+---------
+
+The ``file.data`` sticky buffer matches on contents of files that are
+seen in flows that Suricata evaluates. The various payload keywords can
+be used (e.g. ``startswith``, ``nocase`` and ``bsize``) with ``file.data``.
+
+Example::
+
+ alert smtp any any -> any any (msg:"smtp app layer file.data example"; \
+ file.data; content:"example file content"; sid:1; rev:1)
+
+ alert http any any -> any any (msg:"http app layer file.data example"; \
+ file.data; content:"example file content"; sid:2; rev:1)
+
+ alert tcp any any -> any any (msg:"tcp file.data example"; \
+ file.data; content:"example file content"; sid:4; rev:1)
+
+**Note** file_data is the legacy notation but can still be used.
+
+
file.name
---------
than 1k, 'content:!"<html"; depth:1024;' can only match if the
pattern '<html' is absent from the first inspected chunk.
-- ``file_data`` can also be used with SMTP
+
+- Refer to :doc:`file-keywords` for additional information.
sigmatch_table[DETECT_FILE_DATA].name = "file.data";
sigmatch_table[DETECT_FILE_DATA].alias = "file_data";
sigmatch_table[DETECT_FILE_DATA].desc = "make content keywords match on file data";
- sigmatch_table[DETECT_FILE_DATA].url = "/rules/http-keywords.html#file-data";
+ sigmatch_table[DETECT_FILE_DATA].url = "/rules/file-keywords.html#file-data";
sigmatch_table[DETECT_FILE_DATA].Setup = DetectFiledataSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_FILE_DATA].RegisterTests = DetectFiledataRegisterTests;
projects / thirdparty / suricata.git / commitdiff
