file_data
This option sets the cursor used for detection to one of the following buffers:
1. When the traffic being detected is HTTP, it sets the buffer to:
   a. HTTP response body (without chunking/compression/normalization)
   b. HTTP de-chunked response body
   c. HTTP decompressed response body (when inspect_gzip is turned on)
   d. HTTP normalized response body (when normalize_javascript is turned on)
   e. HTTP UTF normalized response body (when normalize_utf is turned on)
   f. All of the above
2. When the traffic being detected is SMTP/POP/IMAP, it sets the buffer to:
   a. SMTP/POP/IMAP data body (including Email headers and MIME when decoding is turned off)
   b. Base64 decoded MIME attachment (when b64_decode_depth is greater than -1)
   c. Non-Encoded MIME attachment (when bitenc_decode_depth is greater than -1)
   d. Quoted-Printable decoded MIME attachment (when qp_decode_depth is greater than -1)
   e. Unix-to-Unix decoded attachment (when uu_decode_depth is greater than -1)
Any relative or absolute content matches (without HTTP modifiers or rawbytes) and payload detecting
rule options that follow file_data in a rule will apply to this buffer until the cursor is explicitly reset
by another rule option.
This rule option can be used several times in a rule.
The argument mime to file_data is deprecated. The rule option file_data will
itself point to the decoded MIME attachment.
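The following rules are an added example written for this page, not rules from the Snort manual or the Snort distribution; the sid values and the matched byte strings are placeholders, the preprocessor settings named in the comments are the ones listed above, and pkt_data (used to move the cursor back to the raw payload) is a Snort rule option not described on this page.

```snort
# Added example rules; sid values are placeholders, not assigned Snort sids.

# 1. HTTP: inspect the response body after the HTTP preprocessor has
#    de-chunked and decompressed it (the decompressed buffer is only
#    available when inspect_gzip is turned on for that server profile).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE PDF document served in HTTP response body"; \
    flow:to_client,established; \
    file_data; \
    content:"%PDF-"; depth:5; \
    classtype:misc-activity; sid:1000001; rev:1; )

# 2. SMTP: inspect the Base64-decoded MIME attachment (requires the smtp
#    preprocessor with b64_decode_depth greater than -1). Matches the
#    MZ header of a DOS/Windows executable and its standard stub text.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( \
    msg:"EXAMPLE executable file inside decoded email attachment"; \
    flow:to_server,established; \
    file_data; \
    content:"MZ"; depth:2; \
    content:"This program cannot be run in DOS mode"; within:200; \
    classtype:misc-activity; sid:1000002; rev:1; )

# 3. file_data used twice in one rule. The first content match applies to
#    the body buffer; pkt_data resets the cursor to the raw packet payload
#    so the second content match runs there; the second file_data selects
#    the body buffer again for the final match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE header and body matched in one rule"; \
    flow:to_client,established; \
    file_data; \
    content:"<script"; nocase; \
    pkt_data; \
    content:"Content-Type|3A| text/html"; nocase; \
    file_data; \
    content:"eval("; nocase; \
    classtype:misc-activity; sid:1000003; rev:1; )

# Deprecated form: "file_data:mime;" is no longer needed, since a plain
# "file_data;" already points at the decoded MIME attachment.
```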
Eugene Misnik
2013-05-08