base64_decode[:[bytes <bytes_to_decode>][, ][offset <offset>[, relative]]];
| Option | Description |
|---|---|
| bytes | Number of base64 encoded bytes to decode. This argument takes positive and non-zero values only. When this option is not specified, the search for base64 encoded data continues until either the end of the header line or the end of the packet payload is reached. |
| offset | Offset at which inspection of base64 encoded data begins. It is relative to the doe_ptr when the relative option is specified, otherwise relative to the start of the packet payload. This argument takes positive and non-zero values only. |
| relative | Specifies that the inspection for base64 encoded data is relative to the doe_ptr. |
The above arguments to base64_decode are optional.
Note:
This option can be extended to protocols with folding similar to HTTP. If folding is not present, the search for base64 encoded data ends at a carriage return, a line feed, or both, when these are not followed by a space or tab. This option must be used in conjunction with base64_data for any other payload detection rule options to work on the base64 decoded buffer.
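
The following Python sketch models the search and folding behaviour described in the note, so a rule author can see which decoded buffer later options would inspect. It is an added example, not Snort's own code. The function name, the sample payload, and the choices to count `bytes` after unfolding and to drop a trailing partial 4-character group are assumptions.

```python
import base64
import re

_B64_RUN = re.compile(rb"[A-Za-z0-9+/]*={0,2}")  # leading run of base64 text

def base64_decode_model(payload, nbytes=None, offset=None, relative=False, doe_ptr=0):
    """Return the decoded buffer that later rule options would inspect."""
    # Start at the payload start, or at doe_ptr when 'relative' is given.
    i = (doe_ptr if relative else 0) + (offset or 0)
    encoded = bytearray()
    while i < len(payload):
        c = payload[i:i + 1]
        if c in (b"\r", b"\n"):
            j = i + 1
            if c == b"\r" and payload[j:j + 1] == b"\n":
                j += 1  # treat CRLF as one line ending
            if payload[j:j + 1] not in (b" ", b"\t"):
                break  # line ending without a fold: the search stops here
            while payload[j:j + 1] in (b" ", b"\t"):
                j += 1  # folded continuation: skip its leading whitespace
            i = j
            continue
        encoded += c
        i += 1
    if nbytes is not None:
        encoded = encoded[:nbytes]  # assumption: counted after unfolding
    run = _B64_RUN.match(bytes(encoded)).group(0)
    run = run[:len(run) - len(run) % 4]  # assumption: drop a partial group
    return base64.b64decode(run)

# Constructed sample: one folded header carrying base64, then a second header.
HEADER = b"X-Data: "
PLAIN = b"example-user:example-password-1234"
_enc = base64.b64encode(PLAIN)
SAMPLE = HEADER + _enc[:20] + b"\r\n\t" + _enc[20:] + b"\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(base64_decode_model(SAMPLE, offset=len(HEADER)))
    print(base64_decode_model(SAMPLE, nbytes=16, offset=len(HEADER)))
    print(base64_decode_model(SAMPLE, offset=1, relative=True, doe_ptr=7))
```

The third call places doe_ptr just past `X-Data:`, as it would be after a preceding content match on that string, so `offset 1, relative` lands on the first encoded byte.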