Feature #7114: from_base64: allow matching on decode error - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community
Open Doc tasks

Actions

Copy link

Feature #7114

open

VJ JL

from_base64: allow matching on decode error

Feature #7114: from_base64: allow matching on decode error

Added by Victor Julien almost 2 years ago. Updated about 2 months ago.

Status:

In Review

Priority:

Normal

Assignee:

Jeff Lucovsky

Target version:

9.0.0-beta1

Effort:

Difficulty:

Label:

Description

Thinking about something like:

file.data; from_base64:strict,set_error; content:"BASE64_ECODE_BUF";

Not entirely sure what the buffer should be set to.

It could be used to make sure base64 at an expected location is valid, so it wouldn't match if it decoded correctly.

file.data; from_base64:strict,set_error; bsize:0;

Would also need to see how to express this, as the bsize here is useless.

Related issues 5 (4 open — 1 closed)

Related to Suricata - Feature #7313: transforms: have option on how to handle failure	In Review	Jeff Lucovsky	Actions
Related to Suricata - Optimization #8466: detect/base64: determine behavior if buf size > buf length	New		Actions
Related to Suricata - Feature #8470: detect/transform: Create anomaly log on transform failure	New		Actions
Blocked by Suricata - Feature #6487: detect/transform: from_base64	Closed	Jeff Lucovsky	Actions
Blocks Suricata - Task #8433: detect/transforms: Determine which transforms have error cases and can be handled like from_base64/pcrexform	Assigned	OISF Dev	Actions

Issue # Delay: days Cancel Multiple values allowed (comma separated).

History
Notes
Property changes

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
#1

Blocked by Feature #6487: detect/transform: from_base64 added

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
#2

Subject changed from decode_base64: allow matching on decode error to from_base64: allow matching on decode error
Description updated (diff)

JL Updated by Jeff Lucovsky over 1 year ago · Edited Actions
Copy link
#3

Status changed from New to In Review
Assignee changed from OISF Dev to Jeff Lucovsky

~~https://github.com/OISF/suricata/pull/12085~~

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#4

After more discussion, we think an event based approach may make more sense. Question is how.

One way would be to use detect events, like how the swf decoding uses. Problem would be that those are set on a per packet level, so most likely a different scope than the buffer that was decoded.

Perhaps a better way would be to create a per buffer event facility. Then the scope would remain the same.

file.data; from_base64:strict; buffer-event:base64_invalid_input;

A more generic scenario could be to use absent_or:

drop ... file.data; from_base64:strict; absent_or; content:"evil";

This would trigger a drop on a base64 decode failure, or if the content matches.

JL Updated by Jeff Lucovsky over 1 year ago Actions
Copy link
#5

https://github.com/OISF/suricata/pull/12337

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
#6

Related to Feature #7313: transforms: have option on how to handle failure added

PA Updated by Philippe Antoine 6 months ago Actions
Copy link
#7

https://github.com/OISF/suricata-verify/pull/2212

JL Updated by Jeff Lucovsky 4 months ago Actions
Copy link
#8

Draft PR: https://github.com/OISF/suricata/pull/14734

PA Updated by Philippe Antoine about 2 months ago Actions
Copy link
#9

Blocks Task #8433: detect/transforms: Determine which transforms have error cases and can be handled like from_base64/pcrexform added

PA Updated by Philippe Antoine about 2 months ago Actions
Copy link
#10

Target version changed from TBD to 9.0.0-beta1

JL Updated by Jeff Lucovsky about 1 month ago Actions
Copy link
#11

Related to Optimization #8466: detect/base64: determine behavior if buf size > buf length added

JL Updated by Jeff Lucovsky about 1 month ago Actions
Copy link
#12

Related to Feature #8470: detect/transform: Create anomaly log on transform failure added

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Feature #7114

from_base64: allow matching on decode error

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
#1

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
#2

JL Updated by Jeff Lucovsky over 1 year ago · Edited Actions
Copy link
#3

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#4

JL Updated by Jeff Lucovsky over 1 year ago Actions
Copy link
#5

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
#6

PA Updated by Philippe Antoine 6 months ago Actions
Copy link
#7

JL Updated by Jeff Lucovsky 4 months ago Actions
Copy link
#8

PA Updated by Philippe Antoine about 2 months ago Actions
Copy link
#9

PA Updated by Philippe Antoine about 2 months ago Actions
Copy link
#10

JL Updated by Jeff Lucovsky about 1 month ago Actions
Copy link
#11

JL Updated by Jeff Lucovsky about 1 month ago Actions
Copy link
#12

Project

General

Profile

Suricata

Custom queries

Feature #7114

from_base64: allow matching on decode error

VJ Updated by Victor Julien almost 2 years ago ActionsCopy link #1

VJ Updated by Victor Julien almost 2 years ago ActionsCopy link #2

JL Updated by Jeff Lucovsky over 1 year ago · Edited ActionsCopy link #3

VJ Updated by Victor Julien over 1 year ago ActionsCopy link #4

JL Updated by Jeff Lucovsky over 1 year ago ActionsCopy link #5

PA Updated by Philippe Antoine about 1 year ago ActionsCopy link #6

PA Updated by Philippe Antoine 6 months ago ActionsCopy link #7

JL Updated by Jeff Lucovsky 4 months ago ActionsCopy link #8

PA Updated by Philippe Antoine about 2 months ago ActionsCopy link #9

PA Updated by Philippe Antoine about 2 months ago ActionsCopy link #10

JL Updated by Jeff Lucovsky about 1 month ago ActionsCopy link #11

JL Updated by Jeff Lucovsky about 1 month ago ActionsCopy link #12

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
#1

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
#2

JL Updated by Jeff Lucovsky over 1 year ago · Edited Actions
Copy link
#3

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
#4

JL Updated by Jeff Lucovsky over 1 year ago Actions
Copy link
#5

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
#6

PA Updated by Philippe Antoine 6 months ago Actions
Copy link
#7

JL Updated by Jeff Lucovsky 4 months ago Actions
Copy link
#8

PA Updated by Philippe Antoine about 2 months ago Actions
Copy link
#9

PA Updated by Philippe Antoine about 2 months ago Actions
Copy link
#10

JL Updated by Jeff Lucovsky about 1 month ago Actions
Copy link
#11

JL Updated by Jeff Lucovsky about 1 month ago Actions
Copy link
#12