you can't yet. What is your goal, what do you want to achieve?
I'm trying to write a bypass for traffic from BBC iPlayer. iPlayer works using hundreds of little post requests to IP addresses in the Akamai network, I'm trying to write a rule that intercepts this early in the cycle and applies a stop cycle rule so as to not burden the server/AV scanner with processing requests that we are happy to let through. The MimeType looked the easiest and lest intensive way to identify this traffic, though the rule will apply to other sites that use application/x-fcs as well, the URL filtering would prevent access to any unsavoury sites. A good portion of our traffic is to iPlayer so this should help keep our load low when we scale up to all the customers.
You can create a rule which checks for the Content-Type header reported by the server. It will not do magic byte checking, but it is a selection criteria that would allow for the bypass you want.
I believe the property would be:
Header.Response.Get ("Content-Type") equals "application/x-fcs"
Ah!! thank you Erik.
I was thinking in totaly the wrong way. Magic Bytes are preferable, but this will acomplish exactly what I need.
Magic Bytes are usually preferable, but with some data types, you can't do them because they are random binary streams of data with no set format.
I don't know what iPlayer is, this method should suffice.
if you could provide us some samples of traffic, I could try to add signatures for for this content.
P.S. instead accessing to headers directly, it's better to use the MediaType.FromHeader property that will take care for removing additional parameters from original Header's value. And it also will perform "normalization" of mime type, basing on table of existing type aliases