
have a question about base64_decode #175

Open
ASpade123 opened this issue Sep 30, 2022 · 3 comments

Comments

@ASpade123

Hello, I have a question about base64_decode.
When I have a rule such as:
alert http any any -> any any (msg:"this is test", flow:established, to_server; http.request_body; content:"test"; fast_pattern; base64_decode: bytes 1024, offset 0, relative; base64_data; ..........)
it can't be parsed because offset must be positive, non-zero values only. But I think offset can be set to 0 after looking through the Suricata documentation and source code.
Could you help with it? Thanks.
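
As an added illustration (not this parser's own code, and not Suricata's), here is a small Python option parser for the base64_decode keyword as described in the Suricata docs: bytes, offset and relative are all optional sub-options, and offset 0 is accepted as the "skip nothing" case. The reject_zero_offset flag reproduces the over-strict check the rule above runs into, so both behaviours can be compared on the same rule. The apply_base64_decode helper is a simplified model of the decode step (skip offset bytes, decode up to bytes bytes) and is an assumption for illustration, not Suricata's exact implementation.

```python
import base64
import binascii
import re

# Sub-option grammar assumed here, following the Suricata keyword docs:
#   base64_decode[: [bytes <n>] [, offset <n>] [, relative]];
# Every sub-option is optional; offset is the number of bytes to skip before
# decoding and 0 is a legitimate (and default) value.
OPTION_RE = re.compile(r"base64_decode\s*(?::\s*(?P<opts>[^;]*))?;")

# Constructed sample: the rule from the issue, with the trailing options elided.
SAMPLE_RULE = ('alert http any any -> any any (msg:"this is test"; flow:established, to_server; '
               'http.request_body; content:"test"; fast_pattern; '
               'base64_decode: bytes 1024, offset 0, relative; base64_data;)')


def parse_base64_decode(rule_text, reject_zero_offset=False):
    """Parse the sub-options of the first base64_decode keyword in rule_text.

    Returns {"bytes": int|None, "offset": int|None, "relative": bool}.
    Raises ValueError on malformed input. With reject_zero_offset=True the
    function mirrors the over-strict check reported in this issue (offset > 0
    required); the default accepts offset 0.
    """
    m = OPTION_RE.search(rule_text)
    if not m:
        raise ValueError("no base64_decode keyword found")
    result = {"bytes": None, "offset": None, "relative": False}
    opts = (m.group("opts") or "").strip()
    if not opts:
        return result  # bare "base64_decode;" uses the defaults
    for raw in opts.split(","):
        tok = raw.strip().split()
        if tok == ["relative"]:
            result["relative"] = True
        elif len(tok) == 2 and tok[0] in ("bytes", "offset") and tok[1].isdigit():
            value = int(tok[1])  # isdigit() already excludes negatives and junk
            if tok[0] == "offset" and value == 0 and reject_zero_offset:
                raise ValueError("offset must be positive, non-zero")  # the reported bug
            result[tok[0]] = value
        else:
            raise ValueError(f"unrecognised base64_decode option: {raw.strip()!r}")
    return result


def is_rejected(rule_text, **kwargs):
    """True when the parser refuses the rule, False when it parses cleanly."""
    try:
        parse_base64_decode(rule_text, **kwargs)
        return False
    except ValueError:
        return True


def apply_base64_decode(buffer, opts, cursor=0):
    """Simplified model (an assumption, not Suricata's code) of the decode step:
    start at the buffer start, or at `cursor` (end of the previous content
    match) when relative is set, skip `offset` bytes, then base64-decode up to
    `bytes` bytes. Returns b"" when the region is not valid base64, so a
    following base64_data match has nothing to hit."""
    start = (cursor if opts["relative"] else 0) + (opts["offset"] or 0)
    region = buffer[start:]
    if opts["bytes"] is not None:
        region = region[:opts["bytes"]]
    try:
        return base64.b64decode(region, validate=True)
    except (binascii.Error, ValueError):
        return b""


if __name__ == "__main__":
    opts = parse_base64_decode(SAMPLE_RULE)
    print("parsed:", opts)
    print("strict parser rejects it:", is_rejected(SAMPLE_RULE, reject_zero_offset=True))
    # Constructed request body: the literal "test" followed by base64 text.
    body = b"test" + base64.b64encode(b"hello world")
    print("decoded after the content match:", apply_base64_decode(body, opts, cursor=4))
```

Run it directly to see the rule parsed with offset 0, the strict variant refusing it, and the decode step applied relative to the end of the "test" match.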

@duanehoward
Collaborator

I suspect you're correct. The original versions of this tool were largely based on the Snort documentation, as Suricata docs were a bit sparse, and they claimed to be mostly compatible. I've got an open question in the Suricata Discord channel to confirm this. It might take a bit for me to fix this as I haven't been actively working on this and my dev environment is probably falling apart (note there are other known issues that are less trivial to solve that you might bump into).

I'll try to fix this after confirming with the Suricata dev team.

@muskan399

Hi, this is not fixed yet?

@duanehoward
Collaborator

Sorry, no. I've not had time to invest in this project in quite some time. Well-tested pull requests are welcome; I'll try to review them in a timely fashion. One of the past PRs introduced some issues that have been non-trivial to fix and have made it difficult to iterate on smaller issues.
