base64_decode and base64_data
Snort can decode base64-encoded data present in a packet's payload via the base64_decode option. If base64-encoded data is found at the specified position, it is decoded and the decoded bytes are placed in the base64_data sticky buffer, where later content matches can inspect them.
The base64_decode option tells Snort exactly which bytes to decode as base64. It can be declared by itself with just base64_decode;, or it can take any combination of three optional arguments after base64_decode:. Those optional arguments are:

| Argument | Description |
| --- | --- |
| bytes | Number of base64-encoded bytes to decode |
| offset | Where in the buffer to start looking for the base64 data to decode |
| relative | Apply the offset relative to the current cursor position instead of the start of the buffer |
As noted above, all three arguments are optional. Omitting the bytes argument tells Snort to decode all of the base64-encoded data present, until either the end of the buffer or the end of the base64-encoded string (the first non-base64 character) is reached. If the offset argument is omitted, Snort looks for base64 data at the start of the buffer, or at the current cursor position when relative is set (i.e., it implicitly sets offset to 0). Lastly, omitting relative tells Snort to apply the offset from the beginning of the currently-set buffer rather than from the current cursor position.
base64_decode[:[bytes bytes][, offset offset][, relative]];
http_header; content:"Authorization:",nocase; base64_decode:bytes 12, offset 6, relative;
The base64_data option sets the detection cursor to the beginning of the base64-decoded data, provided that base64_decode was in fact able to decode data; if nothing was decoded, the rule does not match. Any content match that follows base64_data is evaluated against the decoded bytes, so the pattern is written in its plaintext form (for example NTLMSSP), not in its base64-encoded form.
This option does not take any arguments but requires that base64_decode be specified before it.
Note: If matching content at the beginning of a base64 data buffer, users can use either
base64_decode:relative; base64_data; content:"AAAA";
http_header; content:"Authorization:",nocase; base64_decode:bytes 12, offset 6, relative; base64_data; content:"NTLMSSP", within 8;
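The following is an added illustration, not code from the page or from Snort itself: a small Python model of the option semantics described above, run against a constructed http_header buffer carrying an NTLM Authorization header. The functions content, base64_decode and ntlm_rule_matches, the treatment of the encoded run (the run ends at the first non-base64 character, the bytes argument counts encoded characters, a lone trailing character is dropped) and the sample headers are all assumptions of the model, not Snort internals. It shows why the page's example uses offset 6 with relative (to skip the " NTLM " prefix after the matched "Authorization:"), what bytes 12 leaves in the base64_data buffer, and how the same rule behaves without relative or against a Basic Authorization header.

```python
import base64
import re
from typing import Optional

# Assumption of this model: a base64 string is a run of alphabet characters and
# ends at the first character outside the alphabet (padding included).
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]+")


def content(buf: bytes, cursor: int, pattern: bytes, nocase: bool = False,
            within: Optional[int] = None) -> Optional[int]:
    """Model of the content option: search from the cursor, honour 'within'
    (the match must end within that many bytes of the cursor), and return the
    cursor just past the match, or None if the pattern is not found."""
    window_end = len(buf) if within is None else min(len(buf), cursor + within)
    haystack, needle = buf[cursor:window_end], pattern
    if nocase:
        haystack, needle = haystack.lower(), pattern.lower()
    idx = haystack.find(needle)
    if idx < 0:
        return None
    return cursor + idx + len(pattern)


def base64_decode(buf: bytes, cursor: int, nbytes: Optional[int] = None,
                  offset: int = 0, relative: bool = False) -> bytes:
    """Model of base64_decode: compute the start position from offset/relative,
    take the base64 run that begins exactly there, keep at most 'nbytes'
    encoded characters, and return the decoded bytes (the base64_data buffer).
    An empty result means nothing could be decoded."""
    start = (cursor if relative else 0) + offset
    run = _B64_RUN.match(buf, start)
    if run is None:
        return b""                      # no base64 string at that position
    encoded = run.group(0)
    if nbytes is not None:
        encoded = encoded[:nbytes]      # 'bytes' limits the encoded input
    if len(encoded) % 4 == 1:
        encoded = encoded[:-1]          # a lone sextet cannot form a byte
    return base64.b64decode(encoded + b"=" * ((-len(encoded)) % 4))


def ntlm_rule_matches(http_header: bytes) -> bool:
    """The page's example evaluated against an http_header buffer:
    content:"Authorization:",nocase; base64_decode:bytes 12, offset 6, relative;
    base64_data; content:"NTLMSSP", within 8;"""
    cursor = content(http_header, 0, b"Authorization:", nocase=True)
    if cursor is None:
        return False
    # offset 6 from the cursor skips the " NTLM " scheme prefix; bytes 12
    # decodes just the first 12 encoded characters (9 decoded bytes).
    decoded = base64_decode(http_header, cursor, nbytes=12, offset=6, relative=True)
    if not decoded:
        return False                    # base64_data needs a successful decode
    # base64_data puts the cursor at the start of the decoded buffer.
    return content(decoded, 0, b"NTLMSSP", within=8) is not None


# Constructed sample data (not a real capture). The NTLM blob is built so its
# first nine bytes are the "NTLMSSP\0" signature followed by message type 1;
# the remaining fields are filler, not a faithful Type 1 message.
NTLM_TYPE1 = (b"NTLMSSP\x00" + b"\x01\x00\x00\x00"
              + b"\x07\x82\x08\xa2" + b"\x00\x00\x00\x00")
SAMPLE_HEADER = (b"Host: example.test\r\n"
                 b"Authorization: NTLM " + base64.b64encode(NTLM_TYPE1) + b"\r\n"
                 b"User-Agent: constructed/1.0\r\n")
# Basic auth: " Basic " is seven characters, so offset 6 lands on a space and
# the decoder finds no base64 string there; the rule correctly does not fire.
BASIC_HEADER = (b"Host: example.test\r\n"
                b"Authorization: Basic dXNlcjpwYXNz\r\n")

if __name__ == "__main__":
    cur = content(SAMPLE_HEADER, 0, b"Authorization:", nocase=True)
    print(base64_decode(SAMPLE_HEADER, cur, nbytes=12, offset=6, relative=True))
    print(ntlm_rule_matches(SAMPLE_HEADER), ntlm_rule_matches(BASIC_HEADER))
```

Dropping relative in the model applies offset 6 from the start of the http_header buffer, where the decoder finds the run "example" from the Host line rather than the NTLM blob, which is the mistake the relative argument exists to avoid.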