Feature #7114: from_base64: allow matching on decode error

Added by Victor Julien almost 2 years ago. Updated 27 days ago.

Status: In Review
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Thinking about something like:

file.data; from_base64:strict,set_error; content:"BASE64_ECODE_BUF";

Not entirely sure what the buffer should be set to.

It could be used to make sure base64 at an expected location is valid, so it wouldn't match if it decoded correctly.

file.data; from_base64:strict,set_error; bsize:0;

Would also need to see how to express this, as the bsize here is useless.


Related issues (5: 4 open, 1 closed)

  • Related to Suricata - Feature #7313: transforms: have option on how to handle failure (In Review, Jeff Lucovsky)
  • Related to Suricata - Optimization #8466: detect/base64: determine behavior if buf size > buf length (New)
  • Related to Suricata - Feature #8470: detect/transform: Create anomaly log on transform failure (New)
  • Blocked by Suricata - Feature #6487: detect/transform: from_base64 (Closed, Jeff Lucovsky)
  • Blocks Suricata - Task #8433: detect/transforms: Determine which transforms have error cases and can be handled like from_base64/pcrexform (Assigned, OISF Dev)

#1 Updated by Victor Julien almost 2 years ago

#2 Updated by Victor Julien almost 2 years ago

  • Subject changed from decode_base64: allow matching on decode error to from_base64: allow matching on decode error
  • Description updated (diff)

#3 Updated by Jeff Lucovsky over 1 year ago (edited)

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Jeff Lucovsky

#4 Updated by Victor Julien over 1 year ago

After more discussion, we think an event based approach may make more sense. Question is how.

One way would be to use detect events, like how the swf decoding uses. Problem would be that those are set on a per packet level, so most likely a different scope than the buffer that was decoded.

Perhaps a better way would be to create a per buffer event facility. Then the scope would remain the same.

file.data; from_base64:strict; buffer-event:base64_invalid_input;

A more generic scenario could be to use absent_or:

drop ... file.data; from_base64:strict; absent_or; content:"evil";

This would trigger a drop on a base64 decode failure, or if the content matches.
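To make the three rule shapes discussed in this comment concrete, here is an added Python model (not Suricata code and not from the ticket) of a strict base64 transform that records a per-buffer event on failure, plus an evaluator for the plain `content` rule, the proposed `buffer-event` keyword and the `absent_or` form. The event name `base64_invalid_input` is taken from the comment above; the sample buffers, the function names and the `TransformResult` type are constructed for the demonstration, and `buffer-event` is treated as a proposed keyword, not an existing one.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample "file.data" buffers for the demonstration (not from the ticket).
SAMPLES: Dict[str, bytes] = {
    "valid_benign": b"aGVsbG8gd29ybGQ=",     # decodes to b"hello world"
    "valid_evil": b"ZXZpbCBwYXlsb2Fk",       # decodes to b"evil payload"
    "invalid_chars": b"ZXZp!!bCBwYXlsb2Fk",  # '!' is outside the base64 alphabet
    "bad_padding": b"ZXZpbCBwYXlsb2Fk=",     # stray '=' after complete quanta
    "truncated": b"ZXZpbCBwYXlsb2F",         # 15 chars: not a multiple of 4
}

# Canonical RFC 4648 form: whole 4-char quanta, optionally one final group ending in '=' or '=='.
_STRICT_B64 = re.compile(
    rb"\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z"
)

# Name of the proposed per-buffer event, as used in the comment; not an existing Suricata keyword.
B64_INVALID_EVENT = "base64_invalid_input"


@dataclass
class TransformResult:
    buffer: Optional[bytes]  # decoded bytes, or None when the transform failed
    event: Optional[str]     # per-buffer event raised on failure, else None


def strict_b64_decode(data: bytes) -> Optional[bytes]:
    """Strict decode: any alphabet, length or padding error yields None."""
    if not _STRICT_B64.match(data):
        return None
    # The regex guarantees canonical input, so b64decode cannot raise here.
    return base64.b64decode(data)


def from_base64_strict(data: bytes) -> TransformResult:
    """Model of 'from_base64:strict' that records a per-buffer event on failure."""
    decoded = strict_b64_decode(data)
    if decoded is None:
        return TransformResult(buffer=None, event=B64_INVALID_EVENT)
    return TransformResult(buffer=decoded, event=None)


def rule_matches(data: bytes, mode: str, needle: bytes = b"evil") -> bool:
    """Evaluate one of the three rule shapes discussed in the ticket.

    mode == "content":      file.data; from_base64:strict; content:"evil";
                            (today's semantics: a failed transform never matches)
    mode == "buffer-event": file.data; from_base64:strict; buffer-event:base64_invalid_input;
                            (matches only when the decode failed)
    mode == "absent_or":    file.data; from_base64:strict; absent_or; content:"evil";
                            (matches when the decode failed OR the content is present)
    """
    result = from_base64_strict(data)
    if mode == "content":
        return result.buffer is not None and needle in result.buffer
    if mode == "buffer-event":
        return result.event == B64_INVALID_EVENT
    if mode == "absent_or":
        return result.buffer is None or needle in result.buffer
    raise ValueError(f"unknown mode: {mode}")


def match_table() -> Dict[str, Dict[str, bool]]:
    """Matrix of sample name -> rule mode -> verdict, for side-by-side comparison."""
    modes = ("content", "buffer-event", "absent_or")
    return {name: {m: rule_matches(buf, m) for m in modes} for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in match_table().items():
        flags = "  ".join(f"{m}={'hit' if v else '-'}" for m, v in verdicts.items())
        print(f"{name:14s} {flags}")
```

Running the block prints one row per sample; the three malformed inputs are where the rule shapes diverge: the plain `content` rule is silent on all of them, `buffer-event` fires only on them, and `absent_or` fires on them as well as on the valid buffer that contains the content.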

#6 Updated by Philippe Antoine about 1 year ago

  • Related to Feature #7313: transforms: have option on how to handle failure added

#9 Updated by Philippe Antoine 27 days ago

  • Blocks Task #8433: detect/transforms: Determine which transforms have error cases and can be handled like from_base64/pcrexform added

#10 Updated by Philippe Antoine 27 days ago

  • Target version changed from TBD to 9.0.0-beta1

#11 Updated by Jeff Lucovsky 18 days ago

  • Related to Optimization #8466: detect/base64: determine behavior if buf size > buf length added

#12 Updated by Jeff Lucovsky 17 days ago

  • Related to Feature #8470: detect/transform: Create anomaly log on transform failure added