Project

General

Profile

Actions

Feature #6417

closed

Allow base64_decode/base64_data to consume transforms

Added by Jason Taylor about 1 year ago. Updated 5 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

While working with some xor'd and then base64 encoded data I was attempting to write a signature using base64_decode and base64_data and the xor transform but received the following error when Suricata was loading the signature.

Suricata version - This is Suricata version 7.0.3-dev (2fe2d8250 2023-10-19) running in SYSTEM mode

sample rule (Sascha confirmed what I was seeing with this signature):

alert tcp any any -> any any (msg: "xor then base64"; http.request_body; xor:"ffffff"; base64_decode:bytes 8, offset 1, relative; base64_data; content:"baz";)

Error: detect: previous transforms not consumed (list: 2, transform_cnt 1) [DetectBufferGetActiveList:detect-engine.c:1460]
Error: detect: error parsing signature "alert tcp any any -> any any (msg: "xor then base64"; http.request_body; xor:"ffffff"; base64_decode:bytes 8, offset 1, relative; base64_data; content:"baz";)" from file /home/satta/xor.rules at line 1 [DetectLoadSigFile:detect-engine-loader.c:180]


Related issues 1 (1 open0 closed)

Is duplicate of Suricata - Feature #4660: base64_decode cannot be used with Transformations like pcrexformNewOISF DevActions
Actions #1

Updated by Victor Julien 5 months ago

  • Is duplicate of Feature #4660: base64_decode cannot be used with Transformations like pcrexform added
Actions #2

Updated by Victor Julien 5 months ago

  • Status changed from New to Rejected
  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)

Closing as duplicate of #4660

Actions

Also available in: Atom PDF