Feature #7114
open
from_base64: allow matching on decode error
Added by Victor Julien 5 months ago.
Updated 16 days ago.
Description
Thinking about something like:
file.data; from_base64:strict,set_error; content:"BASE64_ECODE_BUF";
Not entirely sure what the buffer should be set to.
It could be used to make sure base64 at an expected location is valid, so it wouldn't match if it decoded correctly.
file.data; from_base64:strict,set_error; bsize:0;
Would also need to see how to express this, as the bsize here is useless.
- Subject changed from decode_base64: allow matching on decode error to from_base64: allow matching on decode error
- Description updated (diff)
- Status changed from New to In Review
- Assignee changed from OISF Dev to Jeff Lucovsky
After more discussion, we think an event based approach may make more sense. Question is how.
One way would be to use detect events, like how the swf decoding uses. Problem would be that those are set on a per packet level, so most likely a different scope than the buffer that was decoded.
Perhaps a better way would be to create a per buffer event facility. Then the scope would remain the same.
file.data; from_base64:strict; buffer-event:base64_invalid_input;
A more generic scenario could be to use absent_or:
drop ... file.data; from_base64:strict; absent_or; content:"evil";
This would trigger a drop on a base64 decode failure, or if the content matches.
Also available in: Atom
PDF