Project

General

Profile

Actions
Copy link

Feature #7313

open

transforms: have option on how to handle failure

Added by Philippe Antoine 5 months ago. Updated 3 days ago.

Status:
New
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Tansforms like base64, pcrexform or urldecode may somehow fail.

Current default is to passthrough
But we could have an option to these keywords to behave differently like return a NULL or 0-length buffer instead of the original one.

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #7114: from_base64: allow matching on decode errorIn ReviewJeff LucovskyActions
Actions
Copy link
 #1

Updated by Philippe Antoine 5 months ago

Passthorugh may be a good idea sometimes like dns.query; pcrexform:"\.([^\.]+\.[^\.]+)$"; to extract the top domain if it is a subdomain or just passthrough if it is not a subdomain

Actions
Copy link
 #2

Updated by Philippe Antoine 3 days ago

  • Assignee changed from OISF Dev to Jeff Lucovsky

Jeff, you have been working on this for base64, so assigning to you

Actions
Copy link
 #3

Updated by Philippe Antoine 3 days ago

  • Related to Feature #7114: from_base64: allow matching on decode error added
Actions
Copy link

Also available in: Atom PDF