Feature #4660
open
base64_decode cannot be used with Transformations like pcrexform
Added by albert wang almost 4 years ago.
Updated about 2 months ago.
Description
I want to extract the regex-matched content and then base64 decode it.
alert http any any -> any any (msg:"test";flow:from_client,established;http.request_body;pcrexform:"#(\w{8})#";base64_decode:bytes 4,offset 0 ;base64_data;content:"test";sid:1;)
But it reported an error: previous transforms not consumed (list: 2, transform_cnt 1)
I found the reason. This is because base64_decode cannot be used with Transformations like pcrexform;
So I can only add pcre:"/./"; before base64_decode. But this pcre:"/./"; is meaningless.
alert http any any -> any any (msg:"test";flow:from_client,established;http.request_body;pcrexform:"#(\w{8})#";pcre:"/./";base64_decode:bytes 4,offset 0 ;base64_data;content:"test";sid:1;)
- Tracker changed from Optimization to Feature
- Assignee set to OISF Dev
- Target version set to 8.0.0-beta1
As I understand, a solution could be a transform that does base64 decoding (instead of a keyword)
- Subject changed from base64_decode cannot used with Transformations like pcrexform to base64_decode cannot be used with Transformations like pcrexform
- Has duplicate Feature #6417: Allow base64_decode/base64_data to consume transforms added
Is your use case possible with the new transform from_base64?
- Assignee changed from OISF Dev to Jeff Lucovsky
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
The use case is indeed solved by using the base64 decode transform: from_base64
alert http any any -> any any \
(msg:"test";flow:from_client,established;http.request_body; \
pcrexform:"#(\w{8})#"; from_base64:bytes 4,offset 0 ;content:"test";sid: 1;)