Feature #6417
closedAllow base64_decode/base64_data to consume transforms
Description
While working with some xor'd and then base64 encoded data I was attempting to write a signature using base64_decode and base64_data and the xor transform but received the following error when Suricata was loading the signature.
Suricata version - This is Suricata version 7.0.3-dev (2fe2d8250 2023-10-19) running in SYSTEM mode
sample rule (Sascha confirmed what I was seeing with this signature):
alert tcp any any -> any any (msg: "xor then base64"; http.request_body; xor:"ffffff"; base64_decode:bytes 8, offset 1, relative; base64_data; content:"baz";)
Error: detect: previous transforms not consumed (list: 2, transform_cnt 1) [DetectBufferGetActiveList:detect-engine.c:1460]
Error: detect: error parsing signature "alert tcp any any -> any any (msg: "xor then base64"; http.request_body; xor:"ffffff"; base64_decode:bytes 8, offset 1, relative; base64_data; content:"baz";)" from file /home/satta/xor.rules at line 1 [DetectLoadSigFile:detect-engine-loader.c:180]
Updated by Victor Julien 6 months ago
- Is duplicate of Feature #4660: base64_decode cannot be used with Transformations like pcrexform added
Updated by Victor Julien 6 months ago
- Status changed from New to Rejected
- Assignee deleted (
OISF Dev) - Target version deleted (
TBD)
Closing as duplicate of #4660