Re: Matching only fullword standalone base64 strings (ending in '==') ?

2020-07-07 Thread Wesley Shields
I don't think fullword makes sense here, given that the base64 modifiers are meant to work when the string you're searching for is embedded anywhere in a base64 encoded string. This requires that it strip some leading and trailing bytes. If you want to find it without this behavior just put the

Matching only fullword standalone base64 strings (ending in '==') ?

2020-07-07 Thread Wes Hurd
Hi again, I'm wondering if there is a way to match Base64 strings only when they are 'fullword', standalone. For example:

rule base64_Example {
    strings:
        $s = "setsockopt" base64 base64wide // c2V0c29ja29wdA==
    condition:
        $s
}

This rule will match anything containing the string