Feature #7114
from_base64: allow matching on decode error
Description
Thinking about something like:
file.data; from_base64:strict,set_error; content:"BASE64_ECODE_BUF";
Not entirely sure what the buffer should be set to.
It could be used to make sure base64 at an expected location is valid, so it wouldn't match if it decoded correctly.
file.data; from_base64:strict,set_error; bsize:0;
Would also need to see how to express this, as the bsize here is useless.
Updated by Victor Julien 6 months ago
- Blocked by Feature #6487: transform: from_base64 added
Updated by Victor Julien 6 months ago
- Subject changed from decode_base64: allow matching on decode error to from_base64: allow matching on decode error
- Description updated (diff)
Updated by Jeff Lucovsky about 2 months ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Jeff Lucovsky
Updated by Victor Julien about 2 months ago
After more discussion, we think an event based approach may make more sense. Question is how.
One way would be to use detect events, like the swf decoding does. The problem would be that those are set on a per-packet level, so most likely a different scope than the buffer that was decoded.
Perhaps a better way would be to create a per buffer event facility. Then the scope would remain the same.
file.data; from_base64:strict; buffer-event:base64_invalid_input;
A more generic scenario could be to use absent_or:
drop ... file.data; from_base64:strict; absent_or; content:"evil";
This would trigger a drop on a base64 decode failure, or if the content matches.
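The scope difference raised in the last comment, and the absent_or behaviour, as a small Python model. This is an added example, not Suricata code and not from the issue's participants: the function names are hypothetical, the sample buffers are constructed, and Python's validating base64 decoder is assumed as a stand-in for from_base64:strict.

```python
import base64
import binascii

EVENT = "base64_invalid_input"  # event name as written in the comment above


def from_base64_strict(buf: bytes):
    """Stand-in for from_base64:strict. Returns (decoded, event_or_None)."""
    try:
        return base64.b64decode(buf, validate=True), None
    except binascii.Error:
        return None, EVENT


def match_buffer_event(buf: bytes, event: str = EVENT) -> bool:
    """Per-buffer event: only the buffer that failed to decode matches."""
    _, raised = from_base64_strict(buf)
    return raised == event


def match_packet_event(buffers, event: str = EVENT):
    """Per-packet event (simplified): one shared flag, so every buffer
    inspected for the packet sees the failure of any one of them."""
    raised = {from_base64_strict(b)[1] for b in buffers}
    return [event in raised for _ in buffers]


def match_absent_or(buf: bytes, content: bytes) -> bool:
    """absent_or model: match when decoding failed (no buffer produced)
    or when the decoded buffer contains the content."""
    decoded, raised = from_base64_strict(buf)
    return raised is not None or content in decoded


# Constructed samples: "evil", "hello", and an input with an invalid '!' byte.
SAMPLES = [b"ZXZpbA==", b"aGVsbG8=", b"ZXZ!bA=="]

if __name__ == "__main__":
    print("buffer-event:", [match_buffer_event(b) for b in SAMPLES])
    print("packet-event:", match_packet_event(SAMPLES))
    print("absent_or   :", [match_absent_or(b, b"evil") for b in SAMPLES])
```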