In the Suricata 6.0.0 release, I noticed that the url_decode rule keyword was added. Why is url_decode supported as a transformation while base64_decode is implemented in a different way? For example, base64_decode needs to be combined with base64_data to alert. It seems more reasonable to design base64_decode as a transformation like url_decode.
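For readers comparing the two forms, here are two rules written as an added illustration (not rules from this thread or from the Suricata project). The buffer, msg, content and sid values are assumptions chosen for the example; the keyword syntax is Suricata 6.x.

```suricata
# Added example rules, not part of the original thread.
# msg/content/sid values are assumed for illustration only.

# 1. url_decode as a transformation: it rewrites the selected sticky buffer
#    (here the HTTP request body) in place, and the content keyword that
#    follows matches against the decoded bytes.
alert http any any -> any any (msg:"url_decode transformation example"; \
    http.request_body; url_decode; content:"cmd=whoami"; sid:9000001; rev:1;)

# 2. base64_decode is a separate decode step: it decodes from the current
#    buffer into its own base64 buffer, which must then be selected with
#    base64_data before content can match on the decoded bytes.
alert http any any -> any any (msg:"base64_decode plus base64_data example"; \
    http.request_body; base64_decode:bytes 64, offset 0; base64_data; \
    content:"cmd=whoami"; sid:9000002; rev:1;)
```

In the first rule, url_decode sits in the keyword chain like any other transformation and needs no extra buffer selector. In the second, base64_decode on its own matches nothing: the base64_data sticky buffer is what exposes the decoded output, which is the two-step shape the question is about.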
I agree. base64_decode is, however, an old keyword.
I don't know for sure, but Snort has had it since at least 2011, and Suricata got the keyword in 2015.
That was before transformations became a thing.