The base64_decode and base64_data Keywords

You can use the base64_decode and base64_data keywords in combination to instruct the rules engine to decode and inspect specified data as Base64 data. This can be useful, for example, for inspecting Base64-encoded HTTP Authentication request headers and Base64-encoded data in HTTP PUT and POST requests.

These keywords are particularly useful for decoding and inspecting Base64 data in HTTP requests. You can also use them with any protocol, such as SMTP, that uses the space and tab characters the same way HTTP does: a header line that continues on the next line begins that next line with a space or tab. This line extension is known as folding. Where a header line is not folded, Base64 inspection ends at the first carriage return or line feed that is not followed by a space or tab.

base64_decode

The base64_decode keyword instructs the rules engine to decode packet data as Base64 data. Optional arguments let you specify the number of bytes to decode and where in the data to begin decoding.

You can use the base64_decode keyword once in a rule; it must precede at least one instance of the base64_data keyword.

Before decoding Base64 data, the rules engine unfolds lengthy headers that are folded across multiple lines. Decoding ends when the rules engine encounters any of the following:

  • the end of a header line

  • the specified number of bytes to decode

  • the end of the packet

The following table describes the arguments you can use with the base64_decode keyword.

Optional base64_decode Arguments

  Argument   Description

  Bytes      Specifies the number of bytes to decode. When not specified, decoding continues to the end of a header line or the end of the packet payload, whichever comes first. You can specify a positive, non-zero value.

  Offset     Determines the offset relative to the start of the packet payload or, when you also specify Relative, relative to the current inspection location. You can specify a positive, non-zero value.

  Relative   Specifies inspection relative to the current inspection location.

base64_data

The base64_data keyword provides a reference for inspecting Base64 data decoded using the base64_decode keyword. The base64_data keyword sets inspection to begin at the start of the decoded Base64 data. Optionally, you can then use the positional arguments available for other keywords such as content or byte_test to further specify the location to inspect.

You must use the base64_data keyword at least once after using the base64_decode keyword; optionally, you can use base64_data multiple times to return to the beginning of the decoded Base64 data.

Note the following when inspecting Base64 data:

  • You cannot use the fast pattern matcher.

  • If you interrupt Base64 inspection in a rule with an intervening content keyword that uses an HTTP content argument (which moves inspection to that HTTP buffer instead of the decoded data), you must insert another base64_data keyword in the rule before further inspecting Base64 data.
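The following Python model, added here as an example and not taken from the product documentation or the rules engine source, walks through the base64_decode and base64_data behavior described above on a constructed HTTP request whose Authorization header is folded over two lines. It models a rule of the form content:"Authorization: Basic "; base64_decode:relative; base64_data; content:"<user>:"; depth:<n>; and shows what the Bytes argument limits, and what happens to the decoded data when folding is not undone. The exact unfolding whitespace handling, the treatment of bytes outside the Base64 alphabet, and decoding only complete 4-character groups are simplifying assumptions of this model, not documented engine behavior.

```python
import base64
import re
from typing import Optional

# Constructed sample request (not captured traffic). The Authorization header is
# folded over two lines with CRLF + HT. The credential is
# base64("admin:s3cr3t") = "YWRtaW46czNjcjN0", split across the fold.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic YWRtaW46\r\n"
    b"\tczNjcjN0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

B64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def unfold_headers(payload: bytes) -> bytes:
    """Join folded header lines: a line break followed by SP or HT continues the
    previous line. The break and the folding whitespace are removed (modelling
    assumption; the engine's exact whitespace handling is not documented here)."""
    return re.sub(rb"\r?\n[ \t]+", b"", payload)


def decode_region(buf: bytes, cursor: int, nbytes: Optional[int] = None,
                  offset: int = 0, relative: bool = False) -> bytes:
    """Model of base64_decode with the Bytes, Offset and Relative arguments.

    Decoding starts at `offset` from the payload start, or from `cursor` (the
    current inspection location) when `relative` is set, and ends at the first
    of: end of the header line (CR or LF), `nbytes` bytes, end of packet.
    A byte outside the Base64 alphabet ends the region early and only complete
    4-character groups are decoded (both are modelling assumptions).
    """
    start = (cursor if relative else 0) + offset
    end = len(buf)
    newline = re.search(rb"[\r\n]", buf[start:])
    if newline:
        end = start + newline.start()
    if nbytes is not None:
        end = min(end, start + nbytes)
    region = buf[start:end]
    for i, c in enumerate(region):
        if c not in B64_ALPHABET:
            region = region[:i]
            break
    region = region[: len(region) - len(region) % 4]
    return base64.b64decode(region) if region else b""


def decode_authorization(request: bytes, nbytes: Optional[int] = None,
                         unfold: bool = True) -> bytes:
    """content:"Authorization: Basic "; base64_decode:[bytes n,]relative;
    Returns the decoded buffer that base64_data would then expose.
    `unfold=False` skips the unfolding step to show why it matters."""
    buf = unfold_headers(request) if unfold else request
    anchor = b"Authorization: Basic "
    hit = buf.find(anchor)
    if hit < 0:
        return b""
    cursor = hit + len(anchor)  # inspection location after the content match
    return decode_region(buf, cursor, nbytes=nbytes, relative=True)


def basic_auth_user_matches(request: bytes, user: str,
                            nbytes: Optional[int] = None) -> bool:
    """base64_data; content:"<user>:"; depth:<len(user)+1>;
    base64_data restarts inspection at the first decoded byte, so the content
    match with depth is a prefix check on the decoded buffer."""
    needle = user.encode() + b":"
    return decode_authorization(request, nbytes=nbytes).startswith(needle)


if __name__ == "__main__":
    print(decode_authorization(SAMPLE_REQUEST))                # full credential
    print(decode_authorization(SAMPLE_REQUEST, unfold=False))  # stops at the fold
    print(decode_authorization(SAMPLE_REQUEST, nbytes=12))     # Bytes limits decoding
    print(basic_auth_user_matches(SAMPLE_REQUEST, "admin"))
```

Running it shows the three points from the text: with folding undone the whole credential is recovered; without unfolding, decoding stops at the carriage return after the first fragment and only the part of the credential before the fold is available for inspection; and a Bytes value that is too small cuts the decoded data short, so a content match that needs bytes beyond that point cannot succeed.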