Feature #8128: rules/transform: add json_decode transform - Suricata - Open Information Security Foundation

Actions

Feature #8128

open

rules/transform: add json_decode transform

Added by Philippe Antoine about 2 months ago. Updated 15 days ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

Effort:

Difficulty:

Label:

Description

Like url_decode but for "\u003f", and also remove white spaces...

Files

backslash-u-json.pcap (1.15 KB) backslash-u-json.pcap

Philippe Antoine, 12/08/2025 09:22 PM

Related issues 1 (1 open — 0 closed)

Actions

#1

Updated by Philippe Antoine about 2 months ago

Related to Task #8123: Suricon 2025 Brainstorm added

Actions

#2

Updated by Victor Julien about 1 month ago

Subject changed from Transform: json decode to rules/transform: add json_decode transform

Could be prototyped using Lua transform.

Actions

#3

Updated by Philippe Antoine 29 days ago

File backslash-u-json.pcap backslash-u-json.pcap added

Pcap courtesy of Ron Bowes after his Suricon talk

Actions

#4

Updated by Victor Julien 15 days ago

Is the idea here to normalize/decode the JSON, but not parse it into a document tree? I remember from the discussion that there are also issues around key ordering.

Actions

#5

Updated by Philippe Antoine 15 days ago

For me this was about \u decoding + space removal, no key ordering

Actions

Also available in: Atom PDF