Project

General

Profile

Actions

Feature #1282

closed

support for base64_decode from snort's ruleset

Added by john howard about 8 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

I'm running pfSense 2.1.5-RELEASE (amd64) on (nano) FreeBSD 8.3-RELEASE-p16 with Suricata 2.0.3 pkg v2.0.2 and snortrules-snapshot-2962.tar.gz with snort 'balanced' IPS rules. I'm seeing the following in my logs:

18/9/2014 -- 14:04:22 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'base64_decode'.

There seem to be only a few snort rules that cough up this message.

Actions #2

Updated by Victor Julien about 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 3.0RC2
Actions #3

Updated by Duane Howard about 7 years ago

Any updates on this? I'd love to see this in 2.1 final.

Actions #4

Updated by Jason Ish about 7 years ago

Looks like base64_data would also be required. base64_decode decodes the data, base64_data sets the cursor for pattern matching. Probably doesn't make sense to do one without the other.

Actions #5

Updated by Victor Julien almost 7 years ago

  • Target version changed from 3.0RC2 to 70
Actions #6

Updated by Victor Julien almost 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.0RC1
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF