cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cwayres
Engager
Member since: ‎12-02-2016
‎02-01-2023
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 9
Member Since ‎12-02-2016
Activity Feed
Topics I've Started
No posts to display.
View All

Re: base64 decoding in search

by in Splunk Search
‎01-23-2019 12:53 PM
9 Karma
‎01-23-2019 12:53 PM
9 Karma
Running with this concept to decode base64 without an app Create lookup used as a converstion matrix with fields: ascii base64bin base64char bin dec hex | makeresults | fields - _time | eval bin="0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111" | makemv delim=" " bin | mvexpand bin | map [| makeresults | fields - _time | eval bin="$bin$0000 $bin$0001 $bin$0010 $bin$0011 $bin$0100 $bin$0101 $bin$0110 $bin$0111 $bin$1000 $bin$1001 $bin$1010 $bin$1011 $bin$1100 $bin$1101 $bin$1110 $bin$1111" | makemv delim=" " bin | mvexpand bin ] maxsearches=16 | mvcombine bin | eval dec=mvrange(0,256) | eval data=mvzip(bin,dec) | fields - bin,dec | mvexpand data | rex field=data "(?<bin>\d+),(?<dec>\d+)" | fields - data | eval ascii=printf("%c",dec), hex=printf("%02X",dec) | join type=outer dec [ makeresults | fields - _time | eval base64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" | rex field=base64 mode=sed "s/./& /g" | makemv delim=" " base64 | eval dec=mvrange(0,64) | eval data=mvzip(base64,dec) | fields - base64,dec | mvexpand data | rex field=data "(?<base64char>[^,]+),(?<dec>[^,]+)" | fields - data ] | eval base64bin=if(isnotnull(base64char),substr(bin,3,6),NULL()) | append [| makeresults | eval base64bin="000000" | eval base64char="=" | fields - _time ] | outputlookup converstionmatrix.csv Coded the above table. It is way more useful than just for this example _* Note a duplicate base64bin for 000000 = "=" is added for decoding Create Macro to Decode base64dec(1): arg1 will be your arguments eval b64x_split=split($arg1$,"") | lookup converstionmatrix.csv base64char as b64x_split OUTPUT base64bin as b64x_bin | eval b64x_join=mvjoin(b64x_bin,"") | rex field=b64x_join "(?<b64x_by8>.{8})" max_match=0 | lookup converstionmatrix.csv bin as b64x_by8 output ascii as b64x_out | eval $arg1$_ascii=mvjoin(b64x_out,"") | fields - b64x_* Create Macro to Encode base64enc(1): arg1 will be your arguments eval b64x_split=split($arg1$,"") | lookup converstionmatrix.csv ascii as b64x_split output bin as b64x_bin | eval b64x_join=mvjoin(b64x_bin,""),b64x_join=if(len(b64x_join)%6>0,b64x_join."000000",b64x_join) | rex field=b64x_join "(?<b64x_by6>.{6})" max_match=0 | lookup converstionmatrix.csv base64bin as b64x_by6 output base64char as b64x_out | eval $arg1$_base64=mvjoin(b64x_out,"") | fields - b64x_* Usage: | makeresults | eval cs1="MTAxMDEwMTAxCg==~VGhpcyBpcyBhbm90aGVyCg==" | makemv delim=~ cs1 | mvexpand cs1 | `base64dec(cs1)` | makeresults | eval cs1="splunk" | `base64enc(cs1)` | `base64dec(cs1_base64)` Christopher Ayres 2019 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-01-2023 05:22 PM
Karma from