Bug #3175

File_data inspection depth while inspecting base64 decoded data (4.1.x)

Added by Victor Julien over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal

Description

I had noticed that, when needing to inspect SMTP traffic, Suricata can use file_data to inspect the base64-encoded attachments. This doesn't seem to work correctly all of the time. Anything that is small seems to work, but if the attachment is large I can't inspect deep into the payload, or sometimes not even at the beginning of the payload. I've attached a sample pcap and a simple rule that looks for two things: MZ at the beginning of the file_data payload, and CreateFont, which shows up further in. I've tried adjusting the various settings for libhtp but ended up with the same results.

/opt/suricata/bin/suricata -V

This is Suricata version 4.0.0 RELEASE

--------------------------------------------------------------------------
Date: 12/26/2017 -- 07:18:17. Sorted by: number of matches.
--------------------------------------------------------------------------
Num  Rule    Gid  Rev  Ticks  %       Checks  Matches  Max Ticks  Avg Ticks  Avg Match  Avg No Match
---  ------  ---  ---  -----  ------  ------  -------  ---------  ---------  ---------  ------------
1    123456  1    1    26488  100.00  1       0        26488      26488.00   0.00       26488.00
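To reproduce the reported behaviour in a controlled way, the following added Python example (not from the ticket or from the Suricata project) builds a synthetic SMTP message carrying a large base64 attachment with MZ at offset 0 and CreateFont deep inside, then runs a reference check of what the two rules should match once the MIME body is decoded. The attachment size, marker offset, addresses and sid values are constructed for the example.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Constructed fixture values; the pcap attached to the ticket is not used here.
ATTACHMENT_SIZE = 200_000      # large enough to cross typical inspection windows
CREATEFONT_OFFSET = 150_000    # where the second pattern sits in the decoded file

# Rules equivalent to the ones the ticket describes (sids are placeholders):
#   alert smtp any any -> any any (msg:"MZ at file start"; file_data; \
#       content:"MZ"; depth:2; sid:1000001; rev:1;)
#   alert smtp any any -> any any (msg:"CreateFont anywhere"; file_data; \
#       content:"CreateFont"; sid:1000002; rev:1;)
RULES = {
    "mz_at_start": {"content": b"MZ", "depth": 2},
    "createfont_anywhere": {"content": b"CreateFont", "depth": None},
}

def build_attachment(size=ATTACHMENT_SIZE, marker_offset=CREATEFONT_OFFSET):
    """Synthetic PE-like blob: 'MZ' header, zero filler, 'CreateFont' deep inside."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[marker_offset:marker_offset + len(b"CreateFont")] = b"CreateFont"
    return bytes(buf)

def build_smtp_message(payload):
    """Wrap the payload as a base64 MIME attachment, as a mail client would."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "file_data depth test"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="sample.exe")  # base64 transfer encoding by default
    return msg.as_bytes()

def extract_decoded_attachments(raw):
    """Decode every base64 part; this is the data file_data is expected to see."""
    return [part.get_payload(decode=True)
            for part in message_from_bytes(raw).walk()
            if part.get("Content-Transfer-Encoding", "").lower() == "base64"]

def match_file_data(decoded, rule):
    """Reference check: does the rule's content occur within its depth window?"""
    window = decoded if rule["depth"] is None else decoded[:rule["depth"]]
    return rule["content"] in window

def run():
    """Build the message and report the expected verdict per rule."""
    raw = build_smtp_message(build_attachment())
    results = {name: match_file_data(dec, rule)
               for dec in extract_decoded_attachments(raw)
               for name, rule in RULES.items()}
    return results, raw
```

Writing the bytes returned by run() to a .eml file gives a message that can be replayed through an SMTP session and captured to compare Suricata's actual alerts against the reference verdicts.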

Related issues: 1 (0 open, 1 closed)

Copied from Suricata - Bug #2395: File_data inspection depth while inspecting base64 decoded data (Closed, Victor Julien)
#1 Updated by Victor Julien over 5 years ago

  • Copied from Bug #2395: File_data inspection depth while inspecting base64 decoded data added

#2 Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed