Draft: detect/from_base64: Add transform for decoding base64 data

[jlucovsky]

This PR adds a transform for base64 encoded data.

Here's a rule showing the transform:

alert http any any -> any any (msg:"from_base64 transform"; flow:established,from_server; http.response_body; from_base64; content: "This is Suricata"; sid: 1;)

This rule decodes the buffer from http.response_body and alerts if the decoded buffer is This is Suricata.

Link to redmine ticket: 5220

Describe changes:

• Added transform from_base64
• Added brief documentation
• Added unit test

suricata-verify-pr: 805 #suricata-verify-repo: #suricata-verify-branch: #suricata-update-pr: #suricata-update-repo: #suricata-update-branch: #libhtp-pr: #libhtp-repo: #libhtp-branch:

[suricata-qa]

ERROR:

ERROR: QA failed on build_asan.

Pipeline 6896

[victorjulien]

I was hoping to see if we can support the syntax of the existing base64_decode keyword, where the base64_data would just become a no-op. Think this is doable?

[jlucovsky]

You're asking if base64_decode can become a transform, i think? If so, that's why this is a draft to see if from_base64 is viable -- so a poc.

[suricata-qa]

Information: QA ran without warnings.

Pipeline 6936

[suricata-qa]

Warning: no commits in this PR have specified the following ticket(s):

• 5220 - https://redmine.openinfosecfoundation.org/issues/5220

Please update the commit(s) and submit a new PR.

[catenacyber]

@jlucovsky do you need feedback on this PR ?

[suricata-qa]

Information: QA ran without warnings.

Pipeline 6936

[suricata-qa]

Information: QA ran without warnings.

Pipeline 6936

[catenacyber]

Jeff, is this draft still live ?

[catenacyber]

ping @jlucovsky ?

[suricata-qa]

Information: QA ran without warnings.

Pipeline 6936

[victorjulien]

Needs rework.