Draft: transform/from_base64: Signal error condition (use with absent) #12337
+89
−8
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Issue: 7114 Extend the `from_base64` transform with the `set_error` keyword. This can be used to detect whether the input buffer is base64-encoded or not. When `set_error` is used and the content cannot be base64-decoded, the use of the absent keyword will trigger an alert.
Use set_error to signal when a buffer cannot be base64-decoded.
This example uses set_error and absent to alert on a buffer that cannot
be base64-decoded:
content:"/?arg="; from_base64: set_error; absent;
This example uses set_error and absent to alert on a buffer that cannot
be base64-decoded or if it can, matches the content shown::
content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10; \
absent: or_else; content:"sisatest"
Issue: 7114
Typo fixup for error message when there's no bufer available for the absent keyword..
Issue: 7114 Support absent keyword with empty buffers, such as those from a failed transform.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12337 +/- ##
==========================================
- Coverage 83.26% 83.23% -0.03%
==========================================
Files 912 912
Lines 257643 257684 +41
==========================================
- Hits 214521 214479 -42
- Misses 43122 43205 +83
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 24074 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Extend the from_base64 transform to signal cases when the buffer cannot be base64-decoded.
A transform option named
set_erroris added to modify the transform buffer. By default, the transform buffer is unmodified if the content cannot be base64-decoded. Ifset_erroris specified as a transform option and the buffer can't be base64-decoded, the buffer is truncated. In these cases, theabsentkeyword can be used withset_errorto trigger an alert.For example:
content:"/?arg="; from_base64: set_error; absent;will trigger an alert since the content is not base64-encoded.Link to ticket: https://redmine.openinfosecfoundation.org/issues/7114
Describe changes:
set_errorset_errorbehaviorset_errorwas specified and the buffer cannot be base64-decoe.Provide values to any of the below to override the defaults.
link to the pull request in the respective
_BRANCHvariable.SV_REPO=
SV_BRANCH=OISF/suricata-verify#2212
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=