Feature #4660

open

base64_decode cannot be used with Transformations like pcrexform

Added by albert wang over 3 years ago. Updated 10 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I want to extract the regular matching content and then base64 decode it.

alert http any any -> any any (msg:"test"; flow:from_client,established; http.request_body; pcrexform:"#(\w{8})#"; base64_decode:bytes 4,offset 0; base64_data; content:"test"; sid:1; rev:1;)

But it reported an error: previous transforms not consumed (list: 2, transform_cnt 1)

I found the reason. This is because base64_decode cannot be used with transformations like pcrexform, so I can only add pcre:"/./"; before base64_decode. But this pcre:"/./"; is meaningless.

alert http any any -> any any (msg:"test"; flow:from_client,established; http.request_body; pcrexform:"#(\w{8})#"; pcre:"/./"; base64_decode:bytes 4,offset 0; base64_data; content:"test"; sid:1; rev:1;)


Related issues 2 (0 open, 2 closed)

Related to Suricata - Feature #6487: transform: from_base64 (Closed, Jeff Lucovsky)
Has duplicate Suricata - Feature #6417: Allow base64_decode/base64_data to consume transforms (Rejected)

#1

Updated by Philippe Antoine over 1 year ago

  • Tracker changed from Optimization to Feature
  • Assignee set to OISF Dev
  • Target version set to 8.0.0-beta1

As I understand, a solution could be a transform that is base64_decoding (instead of a keyword)

#2

Updated by Juliana Fajardini Reichow 6 months ago

  • Subject changed from base64_decode cannot used with Transformations like pcrexform to base64_decode cannot be used with Transformations like pcrexform
#3

Updated by Victor Julien 6 months ago

  • Has duplicate Feature #6417: Allow base64_decode/base64_data to consume transforms added
#4

Updated by Philippe Antoine 10 days ago

Is your use case possible with the new transform from_base64?
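The ticket asks for a base64 decode step that composes with earlier transforms such as pcrexform (comment #1 proposes a decoding transform, comment #4 points at from_base64). The Python model below is an added example, not code from the ticket or from Suricata: it shows the chain semantics that make this work, namely that each transform rewrites the buffer, the decode step consumes whatever the previous step produced, and a plain content check runs on the result. The bytes/offset handling, the strict decoding and the sample request body are all constructed assumptions for illustration, not Suricata's exact behaviour.

```python
"""Reference model of a transform chain with a base64-decoding transform.

Added example, not Suricata code. It models what the ticket asks for:
base64 decoding as a transform that consumes the output of pcrexform,
so a plain content check can run on the decoded bytes.
"""
import base64
import binascii
import re
from typing import Callable, List, Optional

# A transform takes the current buffer and returns the new one, or None
# when there is nothing left to inspect (no regex match, bad encoding).
Transform = Callable[[bytes], Optional[bytes]]

# Constructed sample HTTP request body (not from the ticket).
# "dGVzdGFi" is base64 for "testab", eight \w characters between '#'.
SAMPLE_BODY = b"user=bob&blob=#dGVzdGFi#&v=1"


def pcrexform(pattern: str) -> Transform:
    """Model of pcrexform: replace the buffer with the first capture group."""
    rx = re.compile(pattern.encode())

    def apply(buf: bytes) -> Optional[bytes]:
        m = rx.search(buf)
        return m.group(1) if m else None

    return apply


def from_base64(nbytes: Optional[int] = None, offset: int = 0) -> Transform:
    """Model of a base64-decoding transform (assumed semantics).

    nbytes limits how many input bytes are decoded, starting at offset;
    None decodes to the end of the buffer. Input that is not valid base64
    yields None, so the signature simply does not match.
    """

    def apply(buf: bytes) -> Optional[bytes]:
        end = None if nbytes is None else offset + nbytes
        chunk = buf[offset:end]
        try:
            return base64.b64decode(chunk, validate=True)
        except binascii.Error:
            return None

    return apply


def run_chain(buf: Optional[bytes], chain: List[Transform]) -> Optional[bytes]:
    """Apply transforms left to right; a step that yields None stops the chain."""
    for transform in chain:
        if buf is None:
            return None
        buf = transform(buf)
    return buf


def matches(buf: bytes, chain: List[Transform], needle: bytes) -> bool:
    """Run the chain and apply a content-style substring check on the result."""
    out = run_chain(buf, chain)
    return out is not None and needle in out


if __name__ == "__main__":
    chain = [pcrexform(r"#(\w{8})#"), from_base64()]
    print(run_chain(SAMPLE_BODY, chain))             # decoded capture group
    print(matches(SAMPLE_BODY, chain, b"test"))      # content check on it
```

Because the decode step reads the buffer handed to it by pcrexform rather than the original request body, the ordering restriction that produced the "previous transforms not consumed" error in the description does not arise in this model. Note also that the decode limits count input bytes: decoding only the first 4 base64 characters of the captured group yields 3 output bytes.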

#5

Updated by Philippe Antoine 10 days ago

#6

Updated by Philippe Antoine 10 days ago

  • Assignee changed from OISF Dev to Jeff Lucovsky