Project

General

Profile

Actions
Copy link

Feature #4660

closed
AW

base64_decode cannot be used with Transformations like pcrexform

Feature #4660: base64_decode cannot be used with Transformations like pcrexform

Added by albert wang over 4 years ago. Updated 7 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

I want to extract the regular matching content and then base64 decode it.

alert http any any -> any any (msg:"test";flow:from_client,established;http.request_body;pcrexform:"#(\w{8})#";base64_decode:bytes 4,offset 0 ;base64_data;conten:"test";

But,it reported a erro : previous transforms not consumed (list: 2, transform_cnt 1)

I found the reason,This is because base64_decode cannot be used with Transformations like pcrexform;
So I can only add pcre:"/./"; before base64_decode . But this pcre:"/./"; is meaningless.

alert http any any -> any any (msg:"test";flow:from_client,established;http.request_body;pcrexform:"#(\w{8})#";pcre:"/./";base64_decode:bytes 4,offset 0 ;base64_data;conten:"test";

Related issues 2 (0 open2 closed)

Related to Suricata - Feature #6487: detect/transform: from_base64ClosedJeff LucovskyActions
Has duplicate Suricata - Feature #6417: Allow base64_decode/base64_data to consume transformsRejectedActions
Actions
Copy link

Also available in: PDF Atom