Project

General

Profile

Actions
Copy link

Feature #8128

open
PA OD

rules/transform: add json_decode transform

Feature #8128: rules/transform: add json_decode transform

Added by Philippe Antoine 5 months ago. Updated 2 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
OISF Dev
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Like url_decode but for "\u003f", and also remove white spaces...

Files

backslash-u-json.pcap (1.15 KB) backslash-u-json.pcap Philippe Antoine, 12/08/2025 09:22 PM

Related issues 1 (1 open0 closed)

Related to Suricata - Task #8123: Suricon 2025 BrainstormAssignedVictor JulienActions

PA Updated by Philippe Antoine 5 months ago Actions
Copy link
 #1

  • Related to Task #8123: Suricon 2025 Brainstorm added

VJ Updated by Victor Julien 5 months ago Actions
Copy link
 #2

  • Subject changed from Transform: json decode to rules/transform: add json_decode transform

Could be prototyped using Lua transform.

PA Updated by Philippe Antoine 4 months ago Actions
Copy link
 #3

Pcap courtesy of Ron Bowes after his Suricon talk

VJ Updated by Victor Julien 4 months ago Actions
Copy link
 #4

Is the idea here to normalize/decode the JSON, but not parse it into a document tree? I remember from the discussion that there are also issues around key ordering.

PA Updated by Philippe Antoine 4 months ago Actions
Copy link
 #5

For me this was about \u decoding + space removal, no key ordering

PA Updated by Philippe Antoine 2 months ago Actions
Copy link
 #6

  • Status changed from New to Assigned
Actions
Copy link

Also available in: PDF Atom