Rule Category

FILE-IDENTIFY -- Snort has detecte File Type indicators associated with packet data, which it will use to facilitate a flowbit, a method of stringing rules together. In a flowbit, one rule examines packets for file type indications, which it uses to switch rules pertaining to that file type from a dormant to active state in order to process the appropriate packets. File-type rules stay dormant to prevent alerts on innocent traffic. That same traffic, when contained in, for instance, a .doc file attached to an email, might be a threat and should be scanned.

Alert Message

FILE-IDENTIFY Microsoft Write file download file attachment detected

Rule Explanation

None provided

What To Look For

Known Usage

No public information

False Positives

No known false positives


MITRE ATT&CK Framework



For reference, see the MITRE ATT&CK vulnerability types here:

Rule Vulnerability

CVE Additional Information