When the detected traffic contains files, if you want to perform threat detection on the file content, you can write file data detection rules. When defining a file detection rule, you need to mark keywords such as **file_data** and **file_type** before the detection item.

Common protocol field modifiers (for example, http_uri) generally modify the **content** field right before it. For example:

```
 content: "helloworld"; http_uri;
```

When **file_data** is used in a rule, **all** the **content** fields following **file_data** are modified to file data. For example:

```
flow:established, message; file_data; content: "helloworld"; content: "test123";
```

The two **content** fields are used to check the file data.

About adding **file_type**: 1. If the file is of the unknown or html type, you do not need to add **file_type**. 2. For other types of files, you need to add **file_type**. Other types include office, pdf, swf, flv, and mov, etc. For example:

```
flow:established, message; file_data; file_type:pdf; content: "|2f|BitsPerComponent"; fast_pattern;
```

The PDF file content is checked. If the file content matches **|2f|BitsPerComponent**, the rule is matched.

file_data Syntax Rules