OISF · regit · Jul 23, 2025 · Jul 23, 2025 · Jul 6, 2025 · Jul 14, 2025
diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
@@ -1328,7 +1328,7 @@ jobs:
       - run: tar xf prep/suricata-update.tar.gz
       - run: tar xf prep/suricata-verify.tar.gz
       - run: ./autogen.sh
-      - run: ./configure --enable-unittests --enable-coccinelle
+      - run: ./configure --enable-unittests --enable-coccinelle --enable-mimetype --enable-bundled-gpl-mimetype
       - run: make -j ${{ env.CPUS }}
       - run: CONCURRENCY_LEVEL=${{ env.CPUS }} make check
       - run: python3 ./suricata-verify/run.py -q --debug-failed

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -68,7 +68,7 @@ jobs:
       - run: git config --global --add safe.directory /__w/suricata/suricata
       - run: ./scripts/bundle.sh
       - run: ./autogen.sh
-      - run: ./configure --enable-warnings
+      - run: ./configure --enable-warnings --enable-mimetype --enable-bundled-gpl-mimetype
       - name: Checking bindgen output
         working-directory: rust
         run: |

diff --git a/configure.ac b/configure.ac
@@ -1765,6 +1765,29 @@
         fi
     fi
 
+  # mimetype
+    AC_ARG_ENABLE(mimetype,
+           AS_HELP_STRING([--enable-mimetype], [Enable mimetype support [default=no]]),
+                        [enable_mimetype="$enableval"],[enable_mimetype=no])
+    AS_IF([test "x$enable_mimetype" = "xyes"], [
+        AC_DEFINE([HAVE_MIMETYPE],[1],(Mimetype support enabled))
+        AC_ARG_ENABLE(bundled-gpl-mimetype,
+               AS_HELP_STRING([--disable-bundled-gpl-mimetype], [Embed GPL data in mimetype support [default=yes]]),
+                            [enable_gpl_mimetype="$enableval"],[enable_gpl_mimetype=yes])
+        AS_IF([test "x$enable_gpl_mimetype" = "xyes"], [
+            WITH_GPL_DATA="\"with-gpl-data\""
+            AC_SUBST(WITH_GPL_DATA)
+        ])
+        AM_CONDITIONAL([HAVE_MIMETYPE], [true])
+        ],
+        [
+        AM_CONDITIONAL([HAVE_MIMETYPE], [false])
+        ]
+    )
+    if test "x$enable_gpl_mimetype" != "xyes"; then
+        enable_gpl_mimetype="no"
+    fi
+
     # Napatech - Using the 3GD API
     AC_ARG_ENABLE(napatech,
                 AS_HELP_STRING([--enable-napatech],[Enable Napatech Devices]),
@@ -2578,6 +2601,8 @@ SURICATA_BUILD_CONF="Suricata Configuration:
   Detection enabled:                       ${enable_detection}
 
   Libmagic support:                        ${enable_magic}
+  mimetype support:                        ${enable_mimetype}
+  GPL Mimetype DB inclusion:               ${enable_gpl_mimetype}
   libjansson support:                      ${enable_jansson}
   hiredis support:                         ${enable_hiredis}
   hiredis async with libevent:             ${enable_hiredis_async}

diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst
@@ -127,6 +127,21 @@ here: https://redmine.openinfosecfoundation.org/issues/437
 
 ``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
 
+file.mimetype
+-------------
+
+Sticky buffer that matches on the MIME type guessed from the binary content of a file.
+
+Example::
+
+  file.mimetype; content:"application/vnd.microsoft.portable-executable";
+
+``file.mimetype`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
+
+The MIME type analysis is faster than the magic analysis and the identification is also
+more reproducible across different Suricata versions and operating systems. Being a
+standard, this is also improving correlation with other tools.
+
 filestore
 ---------
 

diff --git a/etc/schema.json b/etc/schema.json
@@ -1729,6 +1729,10 @@
                 "md5": {
                     "type": "string"
                 },
+                "mimetype": {
+                    "type": "string",
+                    "description": "The MIME type of the file (e.g., application/pdf, image/png, etc.)"
+                },
                 "sha1": {
                     "type": "string"
                 },
@@ -1788,6 +1792,10 @@
                     "md5": {
                         "type": "string"
                     },
+                    "mimetype": {
+                        "type": "string",
+                        "description": "The MIME type of the file (e.g., application/pdf, image/png, etc.)"
+                    },
                     "sha1": {
                         "type": "string"
                     },

diff --git a/rust/Cargo.lock.in b/rust/Cargo.lock.in
diff --git a/rust/Cargo.toml.in b/rust/Cargo.toml.in
@@ -35,6 +35,7 @@ debug = []
 debug-validate = []
 ja3 = []
 ja4 = []
+filemimetype = ["dep:tree_magic_mini"]
 
 [dependencies]
 nom7 = { version="7.1", package="nom" }
@@ -58,6 +59,8 @@ lru = "~0.12.5"
 der-parser = { version = "~9.0.0", default-features = false }
 kerberos-parser = { version = "~0.8.0", default-features = false }
 
+tree_magic_mini = { version = "~3.1.6", features = [@WITH_GPL_DATA@], optional = true }
+
 sawp-modbus = "~0.13.1"
 sawp-pop3 = "~0.13.1"
 sawp = "~0.13.1"

diff --git a/rust/Makefile.am b/rust/Makefile.am
@@ -39,6 +39,10 @@ if DEBUG
 RUST_FEATURES +=	debug
 endif
 
+if HAVE_MIMETYPE
+RUST_FEATURES +=	filemimetype
+endif
+
 if DEBUG_VALIDATION
 RUST_FEATURES +=	debug-validate
 endif

diff --git a/rust/src/filemimetype.rs b/rust/src/filemimetype.rs
@@ -0,0 +1,26 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+use crate::common::rust_string_to_c;
+use std::os::raw::c_char;
+
+#[no_mangle]
+pub unsafe extern "C" fn SCGetMimetype(input: *const u8, len: u32) -> * mut c_char {
+    let slice: &[u8] = std::slice::from_raw_parts(input as *mut u8, len as usize);
+    let result = tree_magic_mini::from_u8(slice);
+    rust_string_to_c(result.to_string())
+}
diff --git a/rust/src/lib.rs b/rust/src/lib.rs
@@ -90,6 +90,8 @@ pub mod applayer;
 pub mod frames;
 pub mod filecontainer;
 pub mod filetracker;
+#[cfg(feature = "filemimetype")]
+pub mod filemimetype;
 pub mod kerberos;
 pub mod detect;
 pub mod utils;

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -160,6 +160,7 @@ noinst_HEADERS = \
 	detect-fast-pattern.h \
 	detect-file-data.h \
 	detect-file-hash-common.h \
+	detect-file-mimetype.h \
 	detect-filemagic.h \
 	detect-filemd5.h \
 	detect-filename.h \
@@ -565,6 +566,7 @@ noinst_HEADERS = \
 	util-memcmp.h \
 	util-memcpy.h \
 	util-memrchr.h \
+	util-mimetype.h \
 	util-misc.h \
 	util-mpm-ac-ks.h \
 	util-mpm-ac-queue.h \
@@ -761,6 +763,7 @@ libsuricata_c_a_SOURCES = \
 	detect-fast-pattern.c \
 	detect-file-data.c \
 	detect-file-hash-common.c \
+	detect-file-mimetype.c \
 	detect-filemagic.c \
 	detect-filemd5.c \
 	detect-filename.c \
@@ -1147,6 +1150,7 @@ libsuricata_c_a_SOURCES = \
 	util-mem.c \
 	util-memcmp.c \
 	util-memrchr.c \
+	util-mimetype.c \
 	util-misc.c \
 	util-mpm-ac-ks-small.c \
 	util-mpm-ac-ks.c \

diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c
@@ -36,6 +36,7 @@
 #include "app-layer-smtp.h"
 
 #include "util-enum.h"
+#include "util-file.h"
 #include "util-mpm.h"
 #include "util-debug.h"
 #include "util-byte.h"
@@ -1193,7 +1194,7 @@ static int SMTPProcessRequest(
             } else if (smtp_config.raw_extraction) {
                 if (FileOpenFileWithId(&tx->files_ts, &smtp_config.sbcfg, state->file_track_id++,
                             (uint8_t *)rawmsgname, strlen(rawmsgname), NULL, 0,
-                            FILE_NOMD5 | FILE_NOMAGIC) == 0) {
+                            FILE_NOMD5 | FILE_NOMAGIC | FILE_NOMIMETYPE) == 0) {
                     SMTPNewFile(tx, tx->files_ts.tail);
                 }
             } else if (smtp_config.decode_mime) {

diff --git a/src/detect-engine-build.c b/src/detect-engine-build.c
@@ -128,6 +128,25 @@ int SignatureIsFilemagicInspecting(const Signature *s)
     return 0;
 }
 
+/**
+ *  \brief Check if a signature contains the file.mimetype keyword.
+ *
+ *  \param s signature
+ *
+ *  \retval 0 no
+ *  \retval 1 yes
+ */
+int SignatureIsFileMimetypeInspecting(const Signature *s)
+{
+    if (s == NULL)
+        return 0;
+
+    if (s->file_flags & FILE_SIG_NEED_MIMETYPE)
+        return 1;
+
+    return 0;
+}
+
 /**
  *  \brief Check if a signature contains the filemd5 keyword.
  *

diff --git a/src/detect-engine-build.h b/src/detect-engine-build.h
@@ -23,6 +23,7 @@ void PacketCreateMask(Packet *p, SignatureMask *mask, AppProto alproto,
 
 int SignatureIsFilestoring(const Signature *);
 int SignatureIsFilemagicInspecting(const Signature *);
+int SignatureIsFileMimetypeInspecting(const Signature *);
 int SignatureIsFileMd5Inspecting(const Signature *);
 int SignatureIsFileSha1Inspecting(const Signature *s);
 int SignatureIsFileSha256Inspecting(const Signature *s);

diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c
@@ -92,6 +92,12 @@ static uint8_t DetectFileInspect(DetectEngineThreadCtx *det_ctx, Flow *f, const
             continue;
         }
 
+        if ((s->file_flags & FILE_SIG_NEED_MIMETYPE) && file_size == 0) {
+            SCLogDebug("sig needs file content, but we don't have any");
+            r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;
+            continue;
+        }
+
         if ((s->file_flags & FILE_SIG_NEED_FILECONTENT) && file_size == 0) {
             SCLogDebug("sig needs file content, but we don't have any");
             r = DETECT_ENGINE_INSPECT_SIG_NO_MATCH;

diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
@@ -137,6 +137,7 @@
 #include "detect-filesha1.h"
 #include "detect-filesha256.h"
 #include "detect-filesize.h"
+#include "detect-file-mimetype.h"
 #include "detect-dataset.h"
 #include "detect-datarep.h"
 #include "detect-dsize.h"
@@ -565,6 +566,7 @@ void SigTableSetup(void)
     DetectFileSha1Register();
     DetectFileSha256Register();
     DetectFilesizeRegister();
+    DetectFileMimetypeRegister();
 
     DetectHttpUARegister();
     DetectHttpHHRegister();

diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h
@@ -235,6 +235,7 @@ enum DetectKeywordId {
     DETECT_FILESTORE_POSTMATCH,
     DETECT_FILEMAGIC,
     DETECT_FILE_MAGIC,
+    DETECT_FILE_MIMETYPE,
     DETECT_FILEMD5,
     DETECT_FILESHA1,
     DETECT_FILESHA256,

diff --git a/src/detect-engine-siggroup.c b/src/detect-engine-siggroup.c
@@ -600,6 +600,9 @@ void SigGroupHeadSetupFiles(const DetectEngineCtx *de_ctx, SigGroupHead *sgh)
             sgh->flags |= SIG_GROUP_HEAD_HAVEFILEMAGIC;
         }
 #endif
+        if (SignatureIsFileMimetypeInspecting(s)) {
+            sgh->flags |= SIG_GROUP_HEAD_HAVEFILEMIMETYPE;
+        }
         if (SignatureIsFilestoring(s)) {
             // should be insured by caller that we do not overflow
             DEBUG_VALIDATE_BUG_ON(sgh->filestore_cnt == UINT16_MAX);