
Feature #6417

open

Allow base64_decode/base64_data to consume transforms

Added by Jason Taylor 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

While working with some XORed and then base64-encoded data, I was attempting to write a signature using base64_decode and base64_data together with the xor transform, but received the following error when Suricata was loading the signature.

Suricata version - This is Suricata version 7.0.3-dev (2fe2d8250 2023-10-19) running in SYSTEM mode

sample rule (Sascha confirmed what I was seeing with this signature):

alert tcp any any -> any any (msg: "xor then base64"; http.request_body; xor:"ffffff"; base64_decode:bytes 8, offset 1, relative; base64_data; content:"baz";)

Error: detect: previous transforms not consumed (list: 2, transform_cnt 1) [DetectBufferGetActiveList:detect-engine.c:1460]
Error: detect: error parsing signature "alert tcp any any -> any any (msg: "xor then base64"; http.request_body; xor:"ffffff"; base64_decode:bytes 8, offset 1, relative; base64_data; content:"baz";)" from file /home/satta/xor.rules at line 1 [DetectLoadSigFile:detect-engine-loader.c:180]
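The chain the signature above asks for is: apply the xor transform to the HTTP request body, base64-decode 8 bytes of that transformed buffer starting at offset 1, then look for "baz" in the decoded bytes. The following Python model, added here as an illustration and not Suricata's own code, evaluates that chain over a constructed request body so the intended semantics (base64_decode consuming the output of the preceding xor transform) are visible. It assumes that an offset with no preceding content match counts from the start of the buffer, and the sample body is built in the order the rule implies (base64 first, then XOR on the wire); both are assumptions for the example.

```python
import base64
import binascii

# Model of the Suricata transform chain from the issue (added example, not
# Suricata's code). Each function mirrors one keyword of the signature.


def xor_transform(buf: bytes, key_hex: str) -> bytes:
    """Model of xor:"<hex key>": XOR the buffer with a repeating key."""
    key = bytes.fromhex(key_hex)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def base64_decode_transform(buf: bytes, nbytes: int, offset: int) -> bytes:
    """Model of base64_decode:bytes N, offset M applied to the *current* buffer.

    Assumption: with no prior content match, the offset counts from the start
    of the buffer. Invalid base64 yields an empty buffer so nothing can match.
    """
    chunk = buf[offset:offset + nbytes]
    try:
        return base64.b64decode(chunk, validate=True)
    except binascii.Error:
        return b""


def evaluate_rule(request_body: bytes, consume_xor: bool = True) -> bool:
    """Evaluate the signature from the issue over one request body.

    consume_xor=True is the behaviour the issue asks for: base64_decode reads
    the buffer produced by the xor transform. consume_xor=False shows what
    happens if the xor output is ignored and the raw body is decoded instead.
    """
    buf = request_body
    if consume_xor:
        buf = xor_transform(buf, "ffffff")          # xor:"ffffff"
    decoded = base64_decode_transform(buf, nbytes=8, offset=1)  # base64_decode:bytes 8, offset 1
    return b"baz" in decoded                         # base64_data; content:"baz"


def make_sample_body() -> bytes:
    """Constructed sample request body (not captured traffic).

    "abazcd" base64-encodes to exactly 8 characters; one leading byte is added
    so that offset 1 lands on the base64 text; the whole buffer is then XORed
    with ff ff ff, which is what the signature's xor transform undoes.
    """
    inner = base64.b64encode(b"abazcd")   # b"YWJhemNk"
    clear = b"{" + inner + b"}"
    return xor_transform(clear, "ffffff")


if __name__ == "__main__":
    body = make_sample_body()
    print("consuming xor output :", evaluate_rule(body))
    print("ignoring xor output  :", evaluate_rule(body, consume_xor=False))
```

With the transform consumed the rule matches; decoding the raw body instead produces non-base64 bytes and the content check never fires, which is the gap the feature request is about.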
