The latest Suricata added support for base64_decode and base64_data (https://suricata.readthedocs.io/en/latest/rules/base64-keywords.html). On the other hand, there is no way to apply the rule to the HTTP client body only. For example, something like:

alert http any any -> any any (msg:"Example"; http_client_body; base64_decode; pcre:"..."; sid:10001; rev:1;)

Is there any way to decode only the request body?

csabinho

1 Answer


Could you elaborate a little more on why you're using PCRE here and what you're aiming to pick up on? As far as I'm aware, PCRE cannot be used in conjunction with the Suricata base64_* keywords.

    alert http any any -> any any (msg:"Example"; http.request_body; base64_decode:offset 0; base64_data; content:"..."; sid:10001; rev:1;)

Here's an edit of your rule and the changes I made:

  1. Removed 'http_client_body' because we have 'http.request_body' in Suricata 5.0. Also, if you did want to use 'http_client_body', it would come after the content in which you're hoping to match. 'http.request_body' is a sticky buffer, so all content following it is considered to be part of that buffer.
  2. Added 'offset 0' to indicate where you're wanting to begin base64 string extraction (in this case, the beginning of the buffer).
  3. Added 'base64_data' which is a requirement (according to documentation) when using the base64 decoding features in Suricata 5.0.
  4. Converted the PCRE to a standard content 'buffer'.
Sev
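To make the offset/bytes semantics of the answer's rule concrete, here is an added Python illustration (not code from the original post and not Suricata's own decoder): it extracts the base64_decode options and the content that follows base64_data from a rule string, then applies a simplified emulation of the decode to a constructed POST body. The rule text, the body, and the "stop at the first non-base64 character" behaviour are assumptions made for the example.

```python
import base64
import re
from typing import Optional

# Constructed example rule (assumed, not from the original post).
RULE = ('alert http any any -> any any (msg:"Base64 command in POST body"; '
        'http.request_body; base64_decode:bytes 16, offset 4; base64_data; '
        'content:"whoami"; sid:10002; rev:1;)')

# Constructed POST body: a form field carrying a base64-encoded string.
# "offset 4" in the rule skips the "cmd=" prefix before decoding.
SAMPLE_BODY = b"cmd=" + base64.b64encode(b"whoami && id")

B64_RUN = re.compile(rb"[A-Za-z0-9+/]+")


def parse_base64_rule(rule: str) -> dict:
    """Pull base64_decode options and the content after base64_data out of a rule."""
    opts = {"bytes": None, "offset": 0, "content": None}
    m = re.search(r"base64_decode:([^;]*);", rule)
    if m:
        for tok in m.group(1).split(","):
            name, _, value = tok.strip().partition(" ")
            if name in ("bytes", "offset"):
                opts[name] = int(value)
    c = re.search(r'base64_data;\s*content:"([^"]*)"', rule)
    if c:
        opts["content"] = c.group(1).encode()
    return opts


def emulate_base64_decode(buf: bytes, offset: int = 0, nbytes: Optional[int] = None) -> bytes:
    """Simplified emulation (assumption, not Suricata's implementation): start at
    `offset`, look at most `nbytes` encoded bytes, stop at the first non-base64
    character, re-pad and decode. Undecodable input yields an empty buffer."""
    window = buf[offset:] if nbytes is None else buf[offset:offset + nbytes]
    run = B64_RUN.match(window)
    if not run:
        return b""
    enc = run.group(0) + b"=" * (-len(run.group(0)) % 4)
    try:
        return base64.b64decode(enc)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def rule_matches(rule: str, body: bytes) -> bool:
    """True if the rule's content is found in the emulated base64_data buffer."""
    opts = parse_base64_rule(rule)
    if opts["content"] is None:
        return False
    decoded = emulate_base64_decode(body, opts["offset"], opts["bytes"])
    return opts["content"] in decoded
```

With offset 0 the decoder would start on "cmd=", which does not yield the command string, so the match fails; with "bytes 8" only the first 8 encoded characters ("whoami") are decoded and a content looking for "id" no longer matches.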