Filtering out literal newlines in base64 payload

I’ve been messing with pcre and the from_base64 transform. I’m trying to decode from a JSON response which contains a literal \n separated base64 block. The issue is that if I use mode rfc4648, it will end the string after the first \n encountered, as \ is not in the base64 alphabet, resulting in a partial output.

Sample payload:

VGhpcyBpcyBhIHNhbXBsZSBibG9jayBvZiBiYXNlNjQgZGF0YSBzZXBhcmF0\nZWQgYnkgbGl0ZXJhbCBcbiBjaGFyYWN0ZXJzIGV2ZXJ5IDYwIGNoYXJhY3Rl\ncnMu

If I use rfc2045, it is supposed to decode line breaks, but the problem is my response contains a literal \n (2 bytes for the characters \ and n in text) instead of an actual newline character. If I try to use the base64_* buffers instead, that too will end the match after the first \n is encountered. Any ideas on decoding this kind of payload?

I’ve also tried running a replace transform before passing to the from_base64 transform which doesn’t work:

http.response_body; pcre:"/<my regex selecting the entire base64 block separated by literal newline chars>/"; replace:"\\n",""; from_base64: mode rfc2045; content:"sample";

The docs mention the replacement should be the same length, so I also tried replace:"\\n","  "; (2 spaces) to no avail.
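To make the failure mode concrete, here is an added example (not from the thread and not Suricata's code) that models the two decoding behaviours described above on the sample payload and shows what a transform would have to do first: the decoder functions are a simplified model of "stop at the first invalid character" versus "skip invalid characters", and the payload is a constructed copy of the one posted.

```python
import base64
import string

# Base64 alphabet per RFC 4648 (padding character handled separately).
ALPHABET = frozenset(string.ascii_letters + string.digits + "+/")

# Constructed copy of the thread's sample payload, as the bytes sit inside the
# JSON string: backslash followed by 'n' (two characters), not a real newline.
PAYLOAD = (
    "VGhpcyBpcyBhIHNhbXBsZSBibG9jayBvZiBiYXNlNjQgZGF0YSBzZXBhcmF0\\n"
    "ZWQgYnkgbGl0ZXJhbCBcbiBjaGFyYWN0ZXJzIGV2ZXJ5IDYwIGNoYXJhY3Rl\\n"
    "cnMu"
)


def _decode(digits: str) -> bytes:
    """Decode a run of base64 digits without padding, dropping a lone trailing digit."""
    if len(digits) % 4 == 1:  # a single leftover digit cannot encode a full byte
        digits = digits[:-1]
    return base64.b64decode(digits + "=" * (-len(digits) % 4))


def decode_stop_at_invalid(s: str) -> bytes:
    """Model of rfc4648-style handling: decoding ends at the first character
    outside the alphabet, so only the text before the first backslash comes back."""
    run = []
    for ch in s:
        if ch not in ALPHABET:
            break
        run.append(ch)
    return _decode("".join(run))


def decode_skip_invalid(s: str) -> bytes:
    """Model of rfc2045-style handling: non-alphabet characters are skipped.
    The backslash is skipped, but the 'n' after it is a valid base64 digit and
    is decoded as data, shifting every bit after the first line break."""
    return _decode("".join(ch for ch in s if ch in ALPHABET))


def decode_literal_newlines(s: str) -> bytes:
    """What the poster needs: remove the two-character sequence backslash + 'n'
    before decoding, so the 60-character lines are joined back into one block."""
    return _decode(s.replace("\\n", ""))


if __name__ == "__main__":
    for fn in (decode_stop_at_invalid, decode_skip_invalid, decode_literal_newlines):
        print(f"{fn.__name__:>24}: {fn(PAYLOAD)!r}")
```

Note that the skip-invalid model returns the correct first 45 bytes and then garbage, which is exactly the case where a content match on anything after the first line break would silently fail.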

I think replace is for modifying packet bytes in IPS mode and not for transformations that affect content matching.

Yeah, I’m probably outta luck then. I’ll have to work with a quick, dirty signature with a hardcoded base64 string match for now.

luaxform (see 8.9. Transformations in the Suricata 8.0.1-dev documentation) looks quite promising.


Thanks for your suggestion. While a Lua script transform would work here, my current environment does not allow using luaxform in Suricata. I’m using it via Dalton in a Docker container and require a standalone version of the signature to be able to fire the alerts without depending on external .lua scripts.

I suppose strip_whitespace could work if it is updated to include literals as well.