Project

General

Profile

Actions
Copy link

Feature #7114

open

from_base64: allow matching on decode error

Added by Victor Julien 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Thinking about something like:

file.data; from_base64:strict,set_error; content:"BASE64_ECODE_BUF";

Not entirely sure what the buffer should be set to.

It could be used to make sure base64 at an expected location is valid, so it wouldn't match if it decoded correctly.

file.data; from_base64:strict,set_error; bsize:0;

Would also need to see how to express this, as the bsize here is useless.

Related issues 1 (0 open1 closed)

Blocked by Suricata - Feature #6487: transform: from_base64ClosedJeff LucovskyActions
Actions
Copy link
 #1

Updated by Victor Julien 3 months ago

Actions
Copy link
 #2

Updated by Victor Julien 3 months ago

  • Subject changed from decode_base64: allow matching on decode error to from_base64: allow matching on decode error
  • Description updated (diff)
Actions
Copy link

Also available in: Atom PDF