I see that:
scripts/base/protocols/http/file-ident.sig
lets me create magic byte signatures for filetypes I have an interest in. This seems to be specific to http.
My problem is that I want to detect files sent via smtp. Right now, files.log does NOT have filenames for things I am sending as attachments, such as mytext.ext. When I send this as attachment, there is no filename *.ext… As such, I would like to attach this to the file analyzer so that I can get notices for files that have the magic byte headers I am concerned with. Is there an easy way to do this for smtp and ftp?
Actually, I do not see file-ident.sig anywhere in the source tree, or my deployment tree. Where is this kept? Thanks!
This was broken out a couple of releases ago. There are a bunch of file signature files in base/frameworks/files/magic/
.Seth
Hmm. So I modified the msoffice.sig with this
/\x21\x42\x44\x4E/
but the sig doesnt fire. However when I do
/!BDN/
it does. What gives? 
Also, whats the number after the mimetype association mean? My mimetype is
application/outlook, 5
Thanks!
Sorry, thats /^… and /^!..
/\x21\x42\x44\x4E/
but the sig doesnt fire. However when I do
/!BDN/
it does. What gives? 
I'm not sure offhand why that wouldn't work.
Also, whats the number after the mimetype association mean? My mimetype is
application/outlook, 5
That's a priority. Since multiple matches can happen, we've tried to make the signatures that should be more specific and reliable be higher priority. The current numbers are a bit haphazard though.
.Seth