Bug #5885

closed

base64_decode not populating up to an invalid character

Added by Brandon Murphy almost 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal

Description

This might be a regression of https://redmine.openinfosecfoundation.org/issues/5223

I was working on a base64_decode signature, and I'm having a hard time getting it to fire. I've long forgotten where this ticket landed specific to what happens to the buffer when a non-base64 character is hit. I was thinking it'd still populate the base64_data buffer with what could be decoded, but that doesn't seem to be the case.

reference: https://redmine.openinfosecfoundation.org/issues/5223
example: https://app.any.run/tasks/f785af40-6c70-43db-94cf-a67f9484301d/#
pcap attached:

In my current use case the string is API=Y21Wd2IzSjBaVzFoYVd4bWNtRjFaRUJoZEc4dVoyOTJMbUYxOmpqcHh4b3Rhb2w%3D

I was hoping that I could call the base64_decode, and it would populate base64_data with everything that can be decoded up to hitting that %.

A rule that doesn't hit with 6.0.9 or 7.0.0-beta1, but does hit in 6.0.6.
http.request_body; content:"API="; startswith; base64_decode:offset 0, relative; base64_data; content:"Ym9zLml";

If I add the url_decode transform it works great, but that transform is not available in all the engines.

http.request_body; url_decode; content:"API="; startswith; base64_decode:offset 0, relative; base64_data; content:"Ym9zLml";

I'm hoping to just get an understanding of what the expected behavior is, that will help determine if this is an issue, or just a difference in expectation.
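An added illustration of the behaviour asked about above (decode what can be decoded and stop at the first non-base64 character), applied to the request body string from the description. This is not Suricata's decoder and not code from the ticket; the function name b64_decode_prefix and its handling of a trailing partial group are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 6-bit value of c, or -1 if c is outside the standard base64 alphabet
 * (so both '=' padding and the '%' of "%3D" stop the decoder). */
static int b64_value(unsigned char c)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(alphabet, c) : NULL;
    return p ? (int)(p - alphabet) : -1;
}

/* Decode src until the first non-alphabet character, end of input, or a full
 * dst. Returns bytes written; *consumed counts the characters accepted. A
 * trailing group of 2 or 3 characters still yields 1 or 2 bytes. */
size_t b64_decode_prefix(const char *src, size_t src_len,
                         uint8_t *dst, size_t dst_cap, size_t *consumed)
{
    uint32_t acc = 0;   /* bits read but not yet emitted */
    int bits = 0;       /* number of valid bits in acc */
    size_t out = 0, i;
    for (i = 0; i < src_len; i++) {
        int v = b64_value((unsigned char)src[i]);
        if (v < 0 || (bits >= 2 && out == dst_cap))
            break;      /* invalid character, or next byte would not fit */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            dst[out++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    *consumed = i;
    return out;
}

int main(void)
{
    /* Request body string quoted in the description above. */
    const char *body = "API=Y21Wd2IzSjBaVzFoYVd4bWNtRjFaRUJoZEc4dVoyOTJMbUYxOmpqcHh4b3Rhb2w%3D";
    uint8_t out[64];
    size_t used, n = b64_decode_prefix(body + 4, strlen(body) - 4, out, sizeof(out), &used);
    printf("decoded %zu bytes from %zu chars, stopped at '%c': %.*s\n",
           n, used, body[4 + used], (int)n, (const char *)out);
    return 0;
}
```

On the sample string the decoder accepts 63 characters, stops at the `%` of the URL-encoded padding, and yields 47 bytes.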


Subtasks: 1 (0 open, 1 closed)

Bug #5896: base64_decode not populating up to an invalid character (6.0.x backport) - Closed - Shivani Bhardwaj