base64_decode and base64_data

Snort can decode base64-encoded data present in a packet's payload via the base64_decode option. If base64-encoded data is found at the indicated position, it is decoded and the decoded bytes are placed in the base64_data sticky buffer, where other detection options can then match against them.

base64_decode

The base64_decode option tells Snort exactly which bytes to decode as base64. It can be declared by itself with just base64_decode;, or it can take any combination of three optional arguments after base64_decode:. Those optional arguments are:

Argument         Description
bytes bytes      How many base64-encoded (input) bytes to decode
offset offset    Where in the payload to look for the base64 data to decode
relative         Applies the offset relative to the cursor instead of the start of the buffer

As noted above, all three arguments are optional. Omitting the bytes argument tells Snort to decode all base64-encoded data present until either the end of the buffer or the end of the base64-encoded string, whichever comes first. If the offset argument is omitted, Snort looks for base64 data at the start of the buffer, or at the current cursor position when relative is set (i.e., offset defaults to 0). Lastly, omitting relative tells Snort to apply the offset from the beginning of the currently-set buffer rather than from the current cursor position.

Format:

base64_decode[:[bytes bytes][, offset offset][, relative]];

Examples:

base64_decode;
base64_decode:relative;
http_header;
content:"Authorization:",nocase;
base64_decode:bytes 12, offset 6, relative;

base64_data

The base64_data option sets the detection cursor to the beginning of the base64-decoded data, provided base64_decode was in fact able to decode data. If nothing was decoded, the option fails and the rule does not match.

This option does not take any arguments but requires that base64_decode be specified before it.

Note: Because base64_data places the cursor at the start of the decoded buffer, content matched at the beginning of that buffer can be constrained with either depth/offset or distance/within.

Format:

base64_data;

Examples:

base64_decode:relative;
base64_data;
content:"AAAA";
http_header;
content:"Authorization:",nocase;
base64_decode:bytes 12, offset 6, relative;
base64_data;
content:"NTLMSSP", within 8;
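To make the interaction of these options concrete, here is an added Python model of the second example above (the NTLM Authorization header rule). It is example code written for this page, not Snort's implementation and not from the Snort project. It assumes a simplified detection cursor (the index just past the last content match) and a simplified notion of what counts as a base64 string (a run of standard-alphabet characters plus '=' padding, ending at the first other byte); Snort's own decoder may treat malformed input differently. The HTTP requests it runs against are constructed inline.

```python
import base64
import re

# Assumption (not Snort's exact rule): a base64 string is a run of standard
# alphabet characters, optionally followed by '=' padding; anything else ends it.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]+=*")


def find_content(buf, pos, pattern, nocase=False, within=None):
    """Model of content:"pattern"[, nocase][, within N] evaluated from cursor pos.

    Returns the cursor after the match (the index just past the matched bytes),
    or None when the pattern is not found in the allowed region."""
    region = buf[pos:] if within is None else buf[pos:pos + within]
    if nocase:
        region, pattern = region.lower(), pattern.lower()
    idx = region.find(pattern)
    return None if idx < 0 else pos + idx + len(pattern)


def base64_decode_option(buf, pos, nbytes=None, offset=0, relative=False):
    """Model of base64_decode:[bytes N][, offset O][, relative].

    The decode starts at `offset` counted from the cursor when `relative` is
    set, otherwise from the start of the buffer. `nbytes` caps the number of
    *encoded* bytes consumed; when omitted the whole base64 string is decoded.
    Returns the decoded bytes, or None when nothing decodable is there."""
    start = (pos if relative else 0) + offset
    if start >= len(buf):
        return None
    m = _B64_RUN.match(buf, start)
    if m is None:
        return None                  # no base64 string at that position
    run = m.group(0)
    if nbytes is not None:
        run = run[:nbytes]
    run = run.rstrip(b"=")
    if len(run) % 4 == 1:            # a lone trailing sextet cannot yield a whole byte
        run = run[:-1]
    if not run:
        return None
    try:
        return base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
    except ValueError:               # binascii.Error subclasses ValueError
        return None


def ntlm_rule(http_header):
    """Evaluate the page's second base64_data example against a header block:

        http_header;
        content:"Authorization:",nocase;
        base64_decode:bytes 12, offset 6, relative;
        base64_data;
        content:"NTLMSSP", within 8;
    """
    pos = find_content(http_header, 0, b"Authorization:", nocase=True)
    if pos is None:
        return False
    # offset 6 relative to the cursor skips exactly " NTLM "; 12 encoded bytes
    # yield 9 decoded bytes ("NTLMSSP\x00\x01" for a genuine NTLM message).
    decoded = base64_decode_option(http_header, pos, nbytes=12, offset=6, relative=True)
    if decoded is None:
        return False                 # nothing decoded, so base64_data has no buffer
    # base64_data puts the cursor at offset 0 of the decoded buffer, so
    # "within 8" means the 7-byte signature must sit in the first 8 bytes.
    return find_content(decoded, 0, b"NTLMSSP", within=8) is not None


def _request(auth_value):
    """Constructed HTTP request header block carrying the given Authorization value."""
    return (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: " + auth_value + b"\r\n\r\n")


# Constructed NTLM Type 1 (NEGOTIATE) message: signature, type 1, zeroed fields.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 20
NTLM_REQUEST = _request(b"NTLM " + base64.b64encode(NTLM_TYPE1))
# Basic auth: offset 6 lands on the space before the credentials, so the decode
# finds no base64 string there and the rule fails before base64_data.
BASIC_REQUEST = _request(b"Basic " + base64.b64encode(b"user:pass"))
# Right scheme, wrong payload: the decode succeeds but the signature is absent.
BOGUS_NTLM_REQUEST = _request(b"NTLM " + base64.b64encode(b"GARBAGE-DATA"))

if __name__ == "__main__":
    for name, req in [("NTLM", NTLM_REQUEST), ("Basic", BASIC_REQUEST),
                      ("bogus", BOGUS_NTLM_REQUEST)]:
        print(f"{name:5} -> {'ALERT' if ntlm_rule(req) else 'no match'}")
```

Running it alerts only on the genuine NTLM request. The Basic case shows how literal the offset is: the rule as written is tuned to the six bytes of " NTLM " after the colon, and a different scheme name moves the base64 string out from under the decoder. Calling base64_decode_option without nbytes on the same header decodes the whole 32-byte Type 1 message, which is what omitting the bytes argument means in the table above.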