FireSIGHT System User Guide (32-97)
Chapter 32  Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
These keywords are particularly useful for decoding and inspecting Base64 data in HTTP requests. However, you can also use them with any protocol, such as SMTP, that uses the space and tab characters the same way HTTP uses them to extend a lengthy header line over multiple lines. When this line extension, known as folding, is not present in a protocol that uses it, inspection ends at any carriage return or line feed that is not followed by a space or tab.
See the following sections for more information:
  •
  •
base64_decode

License: Protection

The base64_decode keyword instructs the rules engine to decode packet data as Base64 data. Optional arguments let you specify the number of bytes to decode and where in the data to begin decoding.

You can use the base64_decode keyword once in a rule; it must precede at least one instance of the base64_data keyword. See  for more information.
Before decoding Base64 data, the rules engine unfolds lengthy headers that are folded across multiple lines. Decoding ends when the rules engine encounters any of the following:
  • the end of a header line
  • the specified number of bytes to decode
  • the end of the packet
The following table describes the arguments you can use with the base64_decode keyword.
To decode Base64 data:

Access: Admin/Intrusion Admin

Step 1  On the Create Rule page, select base64_decode from the drop-down list and click Add Option.
        The base64_decode keyword appears.
Step 2  Optionally, select any of the arguments described in Table 32-58.
Table 32-58  Optional base64_decode Arguments

Argument   Description
Bytes      Specifies the number of bytes to decode. When not specified, decoding
           continues to the end of a header line or the end of the packet payload,
           whichever comes first. You can specify a positive, non-zero value.
Offset     Determines the offset relative to the start of the packet payload or,
           when you also specify Relative, relative to the current inspection
           location. You can specify a positive, non-zero value.
Relative   Specifies inspection relative to the current inspection location.
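The following Python model, added here as an illustration and not code from the guide or from the rules engine, shows the behaviour the sections above describe: header unfolding before decoding, the three conditions that end decoding (end of a header line, the Bytes limit, end of the packet), and how Offset and Relative select the starting point. The sample request, the header names in it, and the function names are constructed for this example; the assumption that folding whitespace is dropped entirely so that the Base64 text becomes contiguous, and that only whole 4-character Base64 groups are decoded, are simplifications of this model, not statements about the engine.

```python
import base64
import binascii

# Constructed sample HTTP request (not from the guide). The Authorization header
# is folded over two lines with a leading tab, as the guide describes for HTTP.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic YWRt\r\n"
    b"\taW46aHVudGVyMg==\r\n"
    b"X-Token: Zm9v\r\n"
    b"\r\n"
)

B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def unfold_headers(data):
    """Unfold header folding: a CR, LF or CRLF followed by SP or HT continues
    the previous line. Assumption of this model: the break and the folding
    whitespace are dropped so the Base64 text is contiguous. A break that is
    NOT followed by SP/HT ends the header line and is kept as-is."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] in (0x0D, 0x0A):
            j = i + 1
            if data[i] == 0x0D and j < n and data[j] == 0x0A:
                j += 1                      # CRLF counts as one break
            if j < n and data[j] in (0x20, 0x09):
                while j < n and data[j] in (0x20, 0x09):
                    j += 1
                i = j                       # folded line: skip break + whitespace
                continue
            out += data[i:j]                # real end of header line: keep it
            i = j
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def base64_decode_keyword(payload, nbytes=None, offset=0, relative=False, cursor=0):
    """Model of base64_decode. Start at `offset` from the payload start, or from
    the current inspection location `cursor` when `relative` is set; unfold the
    rest of the packet; decode until the end of the header line, the `nbytes`
    limit, or the end of the packet. Returns decoded bytes, or None if nothing
    decodable was found at the start position."""
    if nbytes is not None and nbytes <= 0:
        raise ValueError("Bytes must be a positive, non-zero value")
    if offset < 0:
        raise ValueError("Offset must not be negative")
    start = (cursor if relative else 0) + offset
    if start >= len(payload):
        return None
    unfolded = unfold_headers(payload[start:])
    # Decoding ends at the end of the (unfolded) header line or of the packet.
    end = len(unfolded)
    for k, c in enumerate(unfolded):
        if c in (0x0D, 0x0A):
            end = k
            break
    region = unfolded[:end]
    if nbytes is not None:
        region = region[:nbytes]        # Bytes limits the encoded input consumed
    # Only the leading run of Base64 characters is decoded, in whole 4-byte groups.
    run = 0
    while run < len(region) and region[run] in B64_ALPHABET:
        run += 1
    run -= run % 4
    if run == 0:
        return None
    try:
        return base64.b64decode(region[:run], validate=True)
    except binascii.Error:
        return None


def rule_matches(payload, anchor, decoded_content, nbytes=None):
    """Model of a rule that matches `anchor`, then applies base64_decode with
    Relative set, then checks the decoded buffer for `decoded_content`
    (the pairing of keywords is illustrative, not a rule from the guide)."""
    pos = payload.find(anchor)
    if pos < 0:
        return False
    cursor = pos + len(anchor)   # a content match moves the inspection location
    decoded = base64_decode_keyword(payload, nbytes=nbytes, relative=True, cursor=cursor)
    return decoded is not None and decoded_content in decoded


if __name__ == "__main__":
    after_basic = SAMPLE_REQUEST.find(b"Basic ") + len(b"Basic ")
    print(base64_decode_keyword(SAMPLE_REQUEST, relative=True, cursor=after_basic))
    print(rule_matches(SAMPLE_REQUEST, b"Authorization: Basic ", b"admin:"))
```

Without Offset or Relative the decode starts at the first byte of the payload ("GET ..."), where no complete Base64 group exists, so nothing is decoded; anchoring with a content match and setting Relative (or giving an Offset that lands on the encoded value) is what makes the keyword useful on a header.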