transform/base64: Add "set_error" to detect if buffer is valid base64 encoded content #12085
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Issue: 7114 Extend the `from_base64` transform with the `set_error` keyword. This can be used to detect whether the input buffer is base64-encoded or not. When `set_error` is used and the content is not encoded, the output will be a buffer with fixed contents: `"BASE64_ECODE_BUF"` Rule writers can use this with a following `content: "BASE64_ECODE_BUF"` to check if the input buffer is not base64-encoded. Add the content negation symbol `!` to ensure the content is base64-encoded: `content: !"BASE64_ECODE_BUF"`
jlucovsky
requested review from
jasonish,
jufajardini and
victorjulien
as code owners
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #12085 +/- ##
==========================================
+ Coverage 83.37% 83.39% +0.01%
==========================================
Files 910 910
Lines 257556 257582 +26
==========================================
+ Hits 214748 214802 +54
+ Misses 42808 42780 -28
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 23248 |
|
Closing as we're going in a different direction for signaling failure cases. |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds to the
from_base64decode and provides an indication of whether the input buffer is properly encoded as a base64 buffer. Useset_errorand if the buffer cannot be decoded, the output buffer will be set toBASE64_ECODE_BUFUse this rule snippet to test whether the input is not properly encoded:
Use this rule snippet to test if the input is base64 encoded:
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7114
Describe changes:
set_errorto the transform's available option listset_erroris usedProvide values to any of the below to override the defaults.
link to the pull request in the respective
_BRANCHvariable.SV_REPO=
SV_BRANCH=OISF/suricata-verify#2117
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=