Feature #1282


support for base64_decode from snort's ruleset

Added by john howard over 11 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I'm running pfSense 2.1.5-RELEASE (amd64) on (nano) FreeBSD 8.3-RELEASE-p16 with Suricata 2.0.3 pkg v2.0.2 and snortrules-snapshot-2962.tar.gz with snort 'balanced' IPS rules. I'm seeing the following in my logs:

18/9/2014 -- 14:04:22 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'base64_decode'.

There seem to be only a few snort rules that cough up this message.

#2 Updated by Victor Julien over 11 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 3.0RC2

#3 Updated by Duane Howard over 10 years ago

Any updates on this? I'd love to see this in 2.1 final.

#4 Updated by Jason Ish over 10 years ago

Looks like base64_data would also be required. base64_decode decodes the data, base64_data sets the cursor for pattern matching. Probably doesn't make sense to do one without the other.
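
Added example, not part of the ticket and not Suricata or Snort code: a simplified Python model of how the two keywords cooperate, with base64_decode producing a decoded buffer and base64_data pointing later content matches at it. The helper names, the sample payload and the decoding limits (bytes counts encoded input, decoding stops at the first non-base64 byte) are assumptions made for illustration.

```python
import base64
import re

# Constructed sample payload (not from the ticket): a benign HTTP request whose
# Authorization header carries base64("user:password").
PAYLOAD = (b"GET /admin HTTP/1.1\r\nHost: example.test\r\n"
           b"Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n\r\n")

B64_RUN = re.compile(rb"[A-Za-z0-9+/]*={0,2}")


def content(buf, pattern, start=0):
    """Model of a content match: return the cursor just past the match, or None."""
    idx = buf.find(pattern, start)
    return None if idx < 0 else idx + len(pattern)


def base64_decode(payload, cursor=0, nbytes=None, offset=0, relative=False):
    """Model of base64_decode: decode the base64 run found at the start position.

    Assumption: nbytes limits the encoded input, and decoding stops at the
    first non-base64 byte. Returns the decoded buffer, or None if nothing decodes.
    """
    start = (cursor if relative else 0) + offset
    window = payload[start:] if nbytes is None else payload[start:start + nbytes]
    run = B64_RUN.match(window).group(0)
    run = run[:len(run) - len(run) % 4]  # keep whole 4-character groups only
    return base64.b64decode(run) if run else None


def evaluate(payload, anchor, decoded_pattern):
    """Models: content:anchor; base64_decode:relative; base64_data; content:decoded_pattern;"""
    cursor = content(payload, anchor)
    if cursor is None:
        return False
    decoded = base64_decode(payload, cursor, relative=True)
    # base64_data: later content matches inspect the decoded buffer from its start.
    return decoded is not None and content(decoded, decoded_pattern) is not None
```

A content match for the decoded string against the raw payload finds nothing, which is why a rule that uses base64_decode without base64_data has nothing useful to match on.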

#5 Updated by Victor Julien over 10 years ago

  • Target version changed from 3.0RC2 to 70

#6 Updated by Victor Julien over 10 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.0RC1
  • % Done changed from 0 to 100