<div dir="ltr">This is actually a really interesting feature idea for debugging and testing rules, maybe something like --dump-buffers in debug mode? feed suricata a pcap, dump out some sort of json structure that shows exactly how each buffer (normalized/raw/etc) is being populated? I've had a few times where this might've come in handy.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 26, 2017 at 4:16 PM, Francis Trudeau <span dir="ltr"><<a href="mailto:ftrudeau@emergingthreats.net" target="_blank">ftrudeau@emergingthreats.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I don't have an answer to your question but would like to see what<br>
you're seeing.<br>
<br>
Do you have a pcap and/or an example of the rule you are using? Are<br>
you using the SMTP keywords or the base64 keywords?<br>
<br>
Offlist and/or sanitized is fine if anything is sensitive.<br>
<div><div class="h5"><br>
<br>
<br>
<br>
<br>
<br>
<br>
On Wed, Dec 20, 2017 at 7:56 AM, <<a href="mailto:secres@linuxmail.org">secres@linuxmail.org</a>> wrote:<br>
> I've been having issues with detecting data in MIME base64 encoded packets.<br>
> There seems to be an issue either with the depth in which Suricata can<br>
> inspect using file_data or it doens't seem to be able to decode the base64<br>
> properly. Some traffic I can detect elements in the file_data buffer but to<br>
> a certain limit and other times I can't even get anything from the first<br>
> part of the buffer.<br>
><br>
> I've enabled debugging but that only show me the base64 encoded packet int<br>
> he logs. I an decode the part myself but that doesn't tell me if Suricata<br>
> is seeing the same thing or not. Is there a way to dump file_data or any<br>
> other buffer either to a file or to the screen?<br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a></blockquote></div><br></div>