OISF · regit · Jul 24, 2022 · Jul 6, 2025 · Jul 6, 2025 · Jul 6, 2025
diff --git a/configure.ac b/configure.ac
@@ -9,6 +9,9 @@
     LT_INIT
     PKG_PROG_PKG_CONFIG
 
+    gpl_license_only="no"
+    proprietary_license_only="no"
+
     dnl Taken from https://llvm.org/svn/llvm-project/llvm/trunk/autoconf/configure.ac
     dnl check if we compile using clang or gcc. On some systems the gcc binary is
     dnl is actually clang, so do a compile test.
@@ -1765,12 +1768,23 @@
         fi
     fi
 
+  # mimetype
+    AC_ARG_ENABLE(gpl-mimetype,
+           AS_HELP_STRING([--disable-gpl-mimetype], [Do not embed GPL data in mimetype support [default=no]]),
+                        [enable_gpl_mimetype="$enableval"],[enable_gpl_mimetype=yes])
+    AS_IF([test "x$enable_gpl_mimetype" = "xyes"], [
+        WITH_GPL_DATA="\"with-gpl-data\""
+        gpl_license_only="yes"
+        AC_SUBST(WITH_GPL_DATA)
+    ])
+
     # Napatech - Using the 3GD API
     AC_ARG_ENABLE(napatech,
                 AS_HELP_STRING([--enable-napatech],[Enable Napatech Devices]),
                 [ enable_napatech=$enableval ],
                 [ enable_napatech=no])
     AS_IF([test "x$enable_napatech" = "xyes"], [
+        proprietary_license_only="yes"
         if test "x$enable_shared" = "xno"; then
             echo
             echo "   ERROR! napatech cannot be enabled with --disable-shared"
@@ -2555,6 +2569,11 @@ AC_CONFIG_FILES(plugins/pfring/Makefile)
 AC_CONFIG_FILES(plugins/napatech/Makefile)
 AC_CONFIG_FILES(plugins/ndpi/Makefile)
 
+if test "$gpl_license_only" = "yes" and "$proprietary_license_only" = "yes"; then
+    echo "ERROR: The build options mix GPL and proprietary licenses."
+    exit 1
+fi
+
 AC_OUTPUT
 
 SURICATA_BUILD_CONF="Suricata Configuration:
@@ -2620,6 +2639,10 @@ Development settings:
   Debug validation enabled:                ${enable_debug_validation}
   Fuzz targets enabled:                    ${enable_fuzztargets}
 
+License Compatibility:
+  GNU Public License only:                 ${gpl_license_only}
+  Proprietary License only:                ${proprietary_license_only}
+
 Generic build parameters:
   Installation prefix:                     ${prefix}
   Configuration directory:                 ${e_sysconfdir}

diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst
@@ -127,6 +127,17 @@ here: https://redmine.openinfosecfoundation.org/issues/437
 
 ``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
 
+file.mimetype
+-------------
+
+Sticky buffer that matches on the MIME type guessed from the binary content of a file.
+
+Example::
+
+  file.mimetype; content:"application/vnd.microsoft.portable-executable";
+
+``file.mimetype`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
+
 filestore
 ---------
 

diff --git a/etc/schema.json b/etc/schema.json
@@ -1729,6 +1729,9 @@
                 "md5": {
                     "type": "string"
                 },
+                "mimetype": {
+                    "type": "string"
+                },
                 "sha1": {
                     "type": "string"
                 },
@@ -1788,6 +1791,9 @@
                     "md5": {
                         "type": "string"
                     },
+                    "mimetype": {
+                        "type": "string"
+                    },
                     "sha1": {
                         "type": "string"
                     },

diff --git a/rust/Cargo.lock.in b/rust/Cargo.lock.in
diff --git a/rust/Cargo.toml.in b/rust/Cargo.toml.in
@@ -58,6 +58,8 @@ lru = "~0.12.5"
 der-parser = { version = "~9.0.0", default-features = false }
 kerberos-parser = { version = "~0.8.0", default-features = false }
 
+tree_magic_mini = { version = "~3.1.6", features = [@WITH_GPL_DATA@] }
+
 sawp-modbus = "~0.13.1"
 sawp-pop3 = "~0.13.1"
 sawp = "~0.13.1"

diff --git a/rust/src/filemimetype.rs b/rust/src/filemimetype.rs
@@ -0,0 +1,26 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+use crate::common::rust_string_to_c;
+use std::os::raw::c_char;
+
+#[no_mangle]
+pub unsafe extern "C" fn rs_get_mime_type(input: *const u8, len: u32) -> * mut c_char {
+    let slice: &[u8] = std::slice::from_raw_parts(input as *mut u8, len as usize);
+    let result = tree_magic_mini::from_u8(slice);
+    rust_string_to_c(result.to_string())
+}
diff --git a/rust/src/lib.rs b/rust/src/lib.rs
@@ -90,6 +90,7 @@ pub mod applayer;
 pub mod frames;
 pub mod filecontainer;
 pub mod filetracker;
+pub mod filemimetype;
 pub mod kerberos;
 pub mod detect;
 pub mod utils;

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -160,6 +160,7 @@ noinst_HEADERS = \
 	detect-fast-pattern.h \
 	detect-file-data.h \
 	detect-file-hash-common.h \
+	detect-file-mimetype.h \
 	detect-filemagic.h \
 	detect-filemd5.h \
 	detect-filename.h \
@@ -565,6 +566,7 @@ noinst_HEADERS = \
 	util-memcmp.h \
 	util-memcpy.h \
 	util-memrchr.h \
+	util-mimetype.h \
 	util-misc.h \
 	util-mpm-ac-ks.h \
 	util-mpm-ac-queue.h \
@@ -761,6 +763,7 @@ libsuricata_c_a_SOURCES = \
 	detect-fast-pattern.c \
 	detect-file-data.c \
 	detect-file-hash-common.c \
+	detect-file-mimetype.c \
 	detect-filemagic.c \
 	detect-filemd5.c \
 	detect-filename.c \
@@ -1147,6 +1150,7 @@ libsuricata_c_a_SOURCES = \
 	util-mem.c \
 	util-memcmp.c \
 	util-memrchr.c \
+	util-mimetype.c \
 	util-misc.c \
 	util-mpm-ac-ks-small.c \
 	util-mpm-ac-ks.c \

diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c
@@ -36,6 +36,7 @@
 #include "app-layer-smtp.h"
 
 #include "util-enum.h"
+#include "util-file.h"
 #include "util-mpm.h"
 #include "util-debug.h"
 #include "util-byte.h"
@@ -1193,7 +1194,7 @@ static int SMTPProcessRequest(
             } else if (smtp_config.raw_extraction) {
                 if (FileOpenFileWithId(&tx->files_ts, &smtp_config.sbcfg, state->file_track_id++,
                             (uint8_t *)rawmsgname, strlen(rawmsgname), NULL, 0,
-                            FILE_NOMD5 | FILE_NOMAGIC) == 0) {
+                            FILE_NOMD5 | FILE_NOMAGIC | FILE_NOMIMETYPE) == 0) {
                     SMTPNewFile(tx, tx->files_ts.tail);
                 }
             } else if (smtp_config.decode_mime) {

diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
@@ -128,6 +128,25 @@ int SignatureIsFilemagicInspecting(const Signature *s)
     return 0;
 }
 
+/**
+ *  \brief Check if a signature contains the file.mimetype keyword.
+ *
+ *  \param s signature
+ *
+ *  \retval 0 no
+ *  \retval 1 yes
+ */
+int SignatureIsFileMimetypeInspecting(const Signature *s)
+{
+    if (s == NULL)
+        return 0;
+
+    if (s->file_flags & FILE_SIG_NEED_MIMETYPE)
+        return 1;
+
+    return 0;
+}
+
 /**
  *  \brief Check if a signature contains the filemd5 keyword.
  *

diff --git a/src/detect-engine-build.h b/src/detect-engine-build.h
@@ -23,6 +23,7 @@ void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto,
 
 int SignatureIsFilestoring(const Signature *);
 int SignatureIsFilemagicInspecting(const Signature *);
+int SignatureIsFileMimetypeInspecting(const Signature *);
 int SignatureIsFileMd5Inspecting(const Signature *);
 int SignatureIsFileSha1Inspecting(const Signature *s);
 int SignatureIsFileSha256Inspecting(const Signature *s);

diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c
@@ -92,6 +92,12 @@ static uint8_t DetectFileInspect(DetectEngineThreadCtx *det_ctx, Flow *f, const
             continue;
         }
 
+        if ((s->file_flags & FILE_SIG_NEED_MIMETYPE) && file_size == 0) {
+            SCLogDebug("sig needs file content, but we don't have any");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
         if ((s->file_flags & FILE_SIG_NEED_FILECONTENT) && file_size == 0) {
             SCLogDebug("sig needs file content, but we don't have any");
             r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
@@ -137,6 +137,7 @@
 #include "detect-filesha1.h"
 #include "detect-filesha256.h"
 #include "detect-filesize.h"
+#include "detect-file-mimetype.h"
 #include "detect-dataset.h"
 #include "detect-datarep.h"
 #include "detect-dsize.h"
@@ -565,6 +566,7 @@ void SigTableSetup(void)
     DetectFileSha1Register();
     DetectFileSha256Register();
     DetectFilesizeRegister();
+    DetectFileMimetypeRegister();
 
     DetectHttpUARegister();
     DetectHttpHHRegister();

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
@@ -327,6 +327,8 @@ enum DetectKeywordId {
     DETECT_VLAN_ID,
     DETECT_VLAN_LAYERS,
 
+    DETECT_FILE_MIMETYPE,
+
     /* make sure this stays last */
     DETECT_TBLSIZE_STATIC,
 };

diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c
@@ -600,6 +600,9 @@ void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
             sgh->flags |= SIG_GROUP_HEAD_HAVEFILEMAGIC;
         }
 #endif
+        if (SignatureIsFileMimetypeInspecting(s)) {
+            sgh->flags |= SIG_GROUP_HEAD_HAVEFILEMIMETYPE;
+        }
         if (SignatureIsFilestoring(s)) {
             // should be insured by caller that we do not overflow
             DEBUG_VALIDATE_BUG_ON(sgh->filestore_cnt == UINT16_MAX);