Project

General

Profile

Actions
Copy link

Feature #7313

open
PA JL

transforms: have option on how to handle failure

Feature #7313: transforms: have option on how to handle failure

Added by Philippe Antoine over 1 year ago. Updated 2 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Transforms like base64, pcrexform or urldecode may somehow fail.

Current default is to passthrough
But we could have an option to these keywords to behave differently, like return a NULL or 0-length buffer instead of the original one.

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #7114: from_base64: allow matching on decode errorIn ReviewJeff LucovskyActions

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #1

Passthorugh may be a good idea sometimes like dns.query; pcrexform:"\.([^\.]+\.[^\.]+)$"; to extract the top domain if it is a subdomain or just passthrough if it is not a subdomain

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
 #2

  • Assignee changed from OISF Dev to Jeff Lucovsky

Jeff, you have been working on this for base64, so assigning to you

PA Updated by Philippe Antoine about 1 year ago Actions
Copy link
 #3

  • Related to Feature #7114: from_base64: allow matching on decode error added

PA Updated by Philippe Antoine 2 months ago Actions
Copy link
 #4

  • Status changed from New to Assigned
  • Target version changed from TBD to 9.0.0-beta1

I think we should tackle this for 9

JL Updated by Jeff Lucovsky 6 days ago Actions
Copy link
 #5

  • Description updated (diff)

PA Updated by Philippe Antoine 2 days ago Actions
Copy link
 #6

  • Status changed from Assigned to In Review
Actions
Copy link

Also available in: PDF Atom