Project

General

Profile

Actions

Feature #7114

open

from_base64: allow matching on decode error

Added by Victor Julien 6 months ago. Updated about 2 months ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Thinking about something like:

file.data; from_base64:strict,set_error; content:"BASE64_ECODE_BUF";

Not entirely sure what the buffer should be set to.

It could be used to make sure base64 at an expected location is valid, so it wouldn't match if it decoded correctly.

file.data; from_base64:strict,set_error; bsize:0;

Would also need to see how to express this, as the bsize here is useless.


Related issues 1 (0 open1 closed)

Blocked by Suricata - Feature #6487: transform: from_base64ClosedJeff LucovskyActions
Actions #1

Updated by Victor Julien 6 months ago

Actions #2

Updated by Victor Julien 6 months ago

  • Subject changed from decode_base64: allow matching on decode error to from_base64: allow matching on decode error
  • Description updated (diff)
Actions #3

Updated by Jeff Lucovsky about 2 months ago

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Jeff Lucovsky
Actions #4

Updated by Victor Julien about 2 months ago

After more discussion, we think an event based approach may make more sense. Question is how.

One way would be to use detect events, like how the swf decoding uses. Problem would be that those are set on a per packet level, so most likely a different scope than the buffer that was decoded.

Perhaps a better way would be to create a per buffer event facility. Then the scope would remain the same.

file.data; from_base64:strict; buffer-event:base64_invalid_input;

A more generic scenario could be to use absent_or:

drop ... file.data; from_base64:strict; absent_or; content:"evil";

This would trigger a drop on a base64 decode failure, or if the content matches.

Actions

Also available in: Atom PDF