Feature #4660: base64_decode cannot be used with Transformations like pcrexform - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #4660

open

base64_decode cannot be used with Transformations like pcrexform

Added by albert wang about 3 years ago. Updated 5 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

8.0.0-beta1

Effort:

Difficulty:

Label:

Description

I want to extract the regular matching content and then base64 decode it.

alert http any any -> any any (msg:"test";flow:from_client,established;http.request_body;pcrexform:"#(\w{8})#";base64_decode:bytes 4,offset 0 ;base64_data;conten:"test";

But,it reported a erro : previous transforms not consumed (list: 2, transform_cnt 1)

I found the reason,This is because base64_decode cannot be used with Transformations like pcrexform;
So I can only add pcre:"/./"; before base64_decode . But this pcre:"/./"; is meaningless.

alert http any any -> any any (msg:"test";flow:from_client,established;http.request_body;pcrexform:"#(\w{8})#";pcre:"/./";base64_decode:bytes 4,offset 0 ;base64_data;conten:"test";

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #4660

base64_decode cannot be used with Transformations like pcrexform

Updated by Philippe Antoine over 1 year ago

Updated by Juliana Fajardini Reichow 5 months ago

Updated by Victor Julien 5 months ago