/* NOTE(review): presumably the upper bound on the number of bytes a rule may
 * ask to decode. The place where it is enforced is not visible in this
 * excerpt -- confirm the parsed "bytes" value is checked against it. */
28 #define BASE64_DECODE_MAX 65535
/* Option grammar for the base64_decode keyword; only the first two optional
 * clauses are visible here. Capture group 2 holds the digits after "bytes",
 * capture group 4 the digits after "offset". The digit groups accept strings
 * of any length, so the numeric conversion must reject out-of-range values
 * itself rather than rely on the pattern. */
36 static const char decode_pattern[] =
"\\s*(bytes\\s+(\\d+),?)?"
37 "\\s*(offset\\s+(\\d+),?)?"
45 static void DetectBase64DecodeRegisterTests(
void);
52 "Decodes base64 encoded data.";
54 "/rules/base64-keywords.html#base64-decode";
59 DetectBase64DecodeRegisterTests;
/* NOTE(review): plain printf() calls in the match path; presumably debug-only
 * output -- confirm they are compiled out of production builds. */
73 printf(
"Input data:\n");
/* NOTE(review): the payload pointer is advanced by the rule-supplied offset.
 * The length check that has to precede this is not visible in this excerpt --
 * confirm data->offset is compared with the payload length first and that the
 * remaining length is reduced by the same amount. */
86 payload = payload + data->
offset;
93 printf(
"Decoding:\n");
/* Presumably filled in by the decoder call, which is not visible here. */
97 uint32_t consumed = 0, num_decoded = 0;
101 SCLogDebug(
"Decoded %d bytes from base64 data.",
105 printf(
"Decoded data:\n");
/*
 * Parse the option string of a base64_decode keyword.
 *
 * str      - option text taken from the rule
 * bytes    - out: value of the "bytes" clause
 * offset   - out: value of the "offset" clause
 * relative - out: flag for the "relative" option
 *
 * Callers in this file treat a non-zero return as success and zero as a
 * rejected option string. Only part of the body is visible in this excerpt.
 */
114 static int DetectBase64DecodeParse(
const char *
str, uint32_t *bytes,
115 uint32_t *
offset, uint8_t *relative)
/* Substring copies handed out by PCRE2. They start as NULL so the cleanup at
 * the end of the function frees only the ones that were actually extracted. */
118 const char *bytes_str = NULL;
119 const char *offset_str = NULL;
120 const char *relative_str = NULL;
/* Capture group 2: the digits of the "bytes" clause. */
134 if (pcre2_substring_get_bynumber(
135 decode_pcre.
match, 2, (PCRE2_UCHAR8 **)&bytes_str, &pcre2_len) == 0) {
/* NOTE(review): the numeric conversion that leads to this error is not visible
 * here -- confirm it rejects overflow and values above the allowed maximum. */
137 SCLogError(
"Bad value for bytes: \"%s\"", bytes_str);
/* Capture group 4: the digits of the "offset" clause. */
144 if (pcre2_substring_get_bynumber(
145 decode_pcre.
match, 4, (PCRE2_UCHAR8 **)&offset_str, &pcre2_len) == 0) {
/* NOTE(review): same caveat as for "bytes": the range check is not visible. */
147 SCLogError(
"Bad value for offset: \"%s\"", offset_str);
/* Capture group 5: trailing word. It is compared with the exact string
 * "relative"; the error message below suggests any other word is rejected. */
154 if (pcre2_substring_get_bynumber(
155 decode_pcre.
match, 5, (PCRE2_UCHAR8 **)&relative_str, &pcre2_len) == 0) {
156 if (strcmp(relative_str,
"relative") == 0) {
160 SCLogError(
"Invalid argument: \"%s\"", relative_str);
/* Cleanup: the substrings are owned by PCRE2 and are released with
 * pcre2_substring_free(). */
168 if (bytes_str != NULL) {
169 pcre2_substring_free((PCRE2_UCHAR8 *)bytes_str);
171 if (offset_str != NULL) {
172 pcre2_substring_free((PCRE2_UCHAR8 *)offset_str);
174 if (relative_str != NULL) {
175 pcre2_substring_free((PCRE2_UCHAR8 *)relative_str);
185 uint8_t relative = 0;
192 if (!DetectBase64DecodeParse(
str, &bytes, &
offset, &relative)) {
208 pm = SigMatchGetLastSMFromLists(s, 4,
242 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
271 static int g_http_header_buffer_id = 0;
/* Unit test for the option parser. The first group of calls must be accepted
 * and must leave bytes/offset/relative at the expected values; the calls with
 * an un-negated condition further down are inputs that are expected to be
 * rejected. Only part of the body is visible in this excerpt. */
273 static int DetectBase64TestDecodeParse(
void)
278 uint8_t relative = 0;
/* "bytes" alone: offset and relative stay 0. */
280 if (!DetectBase64DecodeParse(
"bytes 1", &bytes, &
offset, &relative)) {
283 if (bytes != 1 ||
offset != 0 || relative != 0) {
/* "offset" alone. */
287 if (!DetectBase64DecodeParse(
"offset 9", &bytes, &
offset, &relative)) {
290 if (bytes != 0 ||
offset != 9 || relative != 0) {
/* "relative" alone sets the flag to 1. */
294 if (!DetectBase64DecodeParse(
"relative", &bytes, &
offset, &relative)) {
297 if (bytes != 0 ||
offset != 0 || relative != 1) {
/* Combinations of the three options. */
301 if (!DetectBase64DecodeParse(
"bytes 1, offset 2", &bytes, &
offset,
305 if (bytes != 1 ||
offset != 2 || relative != 0) {
309 if (!DetectBase64DecodeParse(
"bytes 1, offset 2, relative", &bytes, &
offset,
313 if (bytes != 1 ||
offset != 2 || relative != 1) {
317 if (!DetectBase64DecodeParse(
"offset 2, relative", &bytes, &
offset,
321 if (bytes != 0 ||
offset != 2 || relative != 1) {
/* Negative cases: a misspelled "relative", "bytes" or "offset" keyword. */
326 if (DetectBase64DecodeParse(
"bytes 1, offset 2, relatve", &bytes, &
offset,
332 if (DetectBase64DecodeParse(
"byts 1, offset 2, relatve", &bytes, &
offset,
338 if (DetectBase64DecodeParse(
"bytes 1, offst 2, relatve", &bytes, &
offset,
/* Negative case: empty option string. */
344 if (DetectBase64DecodeParse(
"", &bytes, &
offset, &relative)) {
356 static int DetectBase64DecodeTestSetup(
void)
368 "alert tcp any any -> any any ("
369 "msg:\"DetectBase64DecodeTestSetup\"; "
370 "base64_decode; content:\"content\"; "
397 static int DetectBase64DecodeHttpHeaderTestSetup(
void)
409 "alert tcp any any -> any any ("
410 "msg:\"DetectBase64DecodeTestSetup\"; "
411 "content:\"Authorization: basic \"; http_header; "
412 "base64_decode; content:\"content\"; "
428 if (s->sm_lists_tail[g_http_header_buffer_id] == NULL) {
/* Decode test on a payload that consists only of base64 text. Only part of
 * the body is visible in this excerpt. */
442 static int DetectBase64DecodeTestDecode(
void)
/* The bytes below spell "SGVsbG8gV29ybGQ=", the base64 form of "Hello World". */
450 uint8_t payload[] = {
451 'S',
'G',
'V',
's',
'b',
'G',
'8',
'g',
452 'V',
'2',
'9',
'y',
'b',
'G',
'Q',
'=',
455 memset(&
tv, 0,
sizeof(
tv));
462 "alert tcp any any -> any any (msg:\"base64 test\"; "
483 if (det_ctx != NULL) {
/* Decode test with a fixed offset: eight filler bytes precede the base64 text
 * and the rule below uses "offset 8" to skip them. Only part of the body is
 * visible in this excerpt. */
497 static int DetectBase64DecodeTestDecodeWithOffset(
void)
505 uint8_t payload[] = {
/* Eight bytes of 'a' that the offset has to skip. */
506 'a',
'a',
'a',
'a',
'a',
'a',
'a',
'a',
/* "SGVsbG8gV29ybGQ=", the base64 form of "Hello World". */
507 'S',
'G',
'V',
's',
'b',
'G',
'8',
'g',
508 'V',
'2',
'9',
'y',
'b',
'G',
'Q',
'=',
/* Expected decoder output. */
510 char decoded[] =
"Hello World";
512 memset(&
tv, 0,
sizeof(
tv));
519 "alert tcp any any -> any any (msg:\"base64 test\"; "
520 "base64_decode: offset 8; "
543 if (det_ctx != NULL) {
/* Decode test with an offset past the end of the data: the rule below asks for
 * "bytes 16, offset 32" while only 16 payload bytes are visible here. This is
 * the out-of-range-offset case that the match code must handle without reading
 * beyond the buffer; the expected outcome is not visible in this excerpt. */
557 static int DetectBase64DecodeTestDecodeLargeOffset(
void)
/* "SGVsbG8gV29ybGQ=", the base64 form of "Hello World". */
565 uint8_t payload[] = {
566 'S',
'G',
'V',
's',
'b',
'G',
'8',
'g',
567 'V',
'2',
'9',
'y',
'b',
'G',
'Q',
'=',
570 memset(&
tv, 0,
sizeof(
tv));
578 "alert tcp any any -> any any (msg:\"base64 test\"; "
579 "base64_decode: bytes 16, offset 32; "
599 if (det_ctx != NULL) {
/* Decode test for the "relative" option: the rule first matches the content
 * "aaaaaaaa" and then applies base64_decode with "relative", so the base64
 * text that follows the filler is what gets decoded. Only part of the body is
 * visible in this excerpt. */
613 static int DetectBase64DecodeTestDecodeRelative(
void)
621 uint8_t payload[] = {
/* Eight bytes of 'a' matched by the content keyword in the rule. */
622 'a',
'a',
'a',
'a',
'a',
'a',
'a',
'a',
/* "SGVsbG8gV29ybGQ=", the base64 form of "Hello World". */
623 'S',
'G',
'V',
's',
'b',
'G',
'8',
'g',
624 'V',
'2',
'9',
'y',
'b',
'G',
'Q',
'=',
/* Expected decoder output. */
626 char decoded[] =
"Hello World";
628 memset(&
tv, 0,
sizeof(
tv));
635 "alert tcp any any -> any any (msg:\"base64 test\"; "
636 "content:\"aaaaaaaa\"; "
637 "base64_decode: relative; "
660 if (det_ctx != NULL) {
674 static void DetectBase64DecodeRegisterTests(
void)
678 UtRegisterTest(
"DetectBase64TestDecodeParse", DetectBase64TestDecodeParse);
679 UtRegisterTest(
"DetectBase64DecodeTestSetup", DetectBase64DecodeTestSetup);
681 DetectBase64DecodeHttpHeaderTestSetup);
683 DetectBase64DecodeTestDecode);
685 DetectBase64DecodeTestDecodeWithOffset);
687 DetectBase64DecodeTestDecodeLargeOffset);
689 DetectBase64DecodeTestDecodeRelative);