file_data Syntax Rules
When the inspected traffic carries files and you want to run threat detection on the file content, you can write file data detection rules. In a file detection rule, the keywords **file_data** and **file_type** must be placed before the detection items they apply to.

Common protocol field modifiers (for example, http_uri) modify only the **content** field immediately before them. For example:

```
content: "helloworld"; http_uri;
```

**file_data** behaves differently: once it appears in a rule, **all** the **content** fields that follow it are matched against the file data. For example:

```
flow:established, message; file_data; content: "helloworld"; content: "test123";
```

Here both **content** fields are checked against the file data.

About adding **file_type**:

1. If the file is of the unknown or html type, you do not need to add **file_type**.
2. For other types of files, you need to add **file_type**. Other types include office, pdf, swf, flv, and mov.

For example:

```
flow:established, message; file_data; file_type:pdf; content: "|2f|BitsPerComponent"; fast_pattern;
```

This rule checks the content of PDF files. If the file content contains **|2f|BitsPerComponent**, the rule matches.
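To make the two scoping behaviours above concrete, here is an added example (not code from the original page or from the detection engine) that annotates each **content** option of a rule with the buffer it is matched against: a sticky **file_data** applies to every later **content**, while a per-option modifier such as **http_uri** or **fast_pattern** applies only to the **content** immediately before it. The option names are the page's own; the parser, its treatment of `";"` inside quoted patterns, and the default buffer name `packet` are assumptions of this example.

```python
# Added example: annotate content: options of a rule with their buffer and
# modifiers, following the scoping rules described on this page.
# Assumptions: options are ';'-separated, the default (pre-file_data) buffer
# is named "packet", and the modifier lists below are illustrative, not complete.

PRECEDING_MODIFIERS = {"http_uri", "fast_pattern"}   # modify the previous content only
STICKY_BUFFERS = {"file_data"}                       # modify every content that follows


def split_options(rule):
    """Split on ';' outside double quotes, so a quoted pattern may contain ';'."""
    parts, buf, in_quotes = [], [], False
    for ch in rule:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def content_buffers(rule):
    """Return ([{pattern, buffer, modifiers}, ...], file_type) for a rule."""
    contents, current_buffer, file_type = [], "packet", None
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name in STICKY_BUFFERS:
            current_buffer = name            # every later content uses this buffer
        elif name == "file_type":
            file_type = value
        elif name == "content":
            contents.append({"pattern": value.strip('"'),
                             "buffer": current_buffer, "modifiers": []})
        elif name in PRECEDING_MODIFIERS:
            if not contents:
                raise ValueError(f"{name} has no preceding content field")
            contents[-1]["modifiers"].append(name)   # attaches to the previous content
    return contents, file_type


if __name__ == "__main__":
    rule = ('flow:established, message; file_data; file_type:pdf; '
            'content: "|2f|BitsPerComponent"; fast_pattern;')
    for c in content_buffers(rule)[0]:
        print(c)
```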