Feature #4660
openbase64_decode cannot be used with Transformations like pcrexform
Description
I want to extract the regular matching content and then base64 decode it.
alert http any any -> any any (msg:"test";flow:from_client,established;http.request_body;pcrexform:"#(\w{8})#";base64_decode:bytes 4,offset 0 ;base64_data;conten:"test";
But,it reported a erro : previous transforms not consumed (list: 2, transform_cnt 1)
I found the reason,This is because base64_decode cannot be used with Transformations like pcrexform;
So I can only add pcre:"/./";
before base64_decode . But this pcre:"/./";
is meaningless.
alert http any any -> any any (msg:"test";flow:from_client,established;http.request_body;pcrexform:"#(\w{8})#";pcre:"/./";base64_decode:bytes 4,offset 0 ;base64_data;conten:"test";
Updated by Philippe Antoine over 1 year ago
- Tracker changed from Optimization to Feature
- Assignee set to OISF Dev
- Target version set to 8.0.0-beta1
As I understand, a solution could be a transform that is base64_decoding (instead of a keyword)
Updated by Juliana Fajardini Reichow 6 months ago
- Subject changed from base64_decode cannot used with Transformations like pcrexform to base64_decode cannot be used with Transformations like pcrexform
Updated by Victor Julien 6 months ago
- Has duplicate Feature #6417: Allow base64_decode/base64_data to consume transforms added
Updated by Philippe Antoine 10 days ago
Is your use case possible with the new transform from_base64
?
Updated by Philippe Antoine 10 days ago
- Related to Feature #6487: transform: from_base64 added
Updated by Philippe Antoine 10 days ago
- Assignee changed from OISF Dev to Jeff Lucovsky