Bug #4

DetectBytetestMatch: Error extracting 8 bytes of string data: 0 on web responses

Added by Will Metcalf almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal

Description

Constantly get this error when running with the full rule-set. It appears as if these sigs trigger this printf on pretty much all web responses. I think that for some tests it will be expected behavior that we won't match, as we don't always know the field length; maybe we should just convert to a SCLogDebug message? ;-)...

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client, established; content:"Content-Length|3A| "; nocase; byte_test:8,>,516284,0,relative,dec,string; flowbits:isset, http.pls.download; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30341; classtype:attempted-user; sid:14020; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client, established; content:"Content-Length|3A| "; nocase; byte_test:8,>,516284,0,relative,dec,string; flowbits:isset, http.m3u.download; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30341; classtype:attempted-user; sid:14019; rev:1;)

#1

Updated by Will Metcalf almost 12 years ago

Hmmm, makes me wonder: maybe flowbits should be checked before anything else, if it is not already this way?

#2

Updated by Gurvinder Singh almost 12 years ago

  • Status changed from New to Assigned


#3

Updated by Gurvinder Singh almost 12 years ago

  • Assignee changed from OISF Dev to Gurvinder Singh

If flowbits is checked first, then using the given sigs (by Will), no DetectBytesMatch statement is printed. But the bug is caused by the function strtoull() making both "endptr" and "ptr" equal and returning 0 as the result when there is no numeric value in the data.
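Added example in C (not Suricata's code) of the extraction behaviour this comment describes: strtoull() reports "no digits" by returning 0 with endptr left equal to the start pointer, which a byte_test string match should treat as a plain non-match rather than log as an extraction error. The helper names and the sample HTTP responses are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Outcomes of a "dec,string" extraction: number parsed, no digits present (a normal
 * non-match on ordinary traffic), or a genuine error. Hypothetical helper for this example. */
enum bt_result { BT_OK = 0, BT_NO_NUMBER = 1, BT_ERROR = 2 };

/* Convert up to nbytes characters of a NUL-terminated payload at offset with strtoull(),
 * base 10. The decisive check is endptr == tmp: strtoull() reports "no conversion" by
 * returning 0 with endptr left at the start, and that must not be logged as an error. */
enum bt_result extract_dec_string(const char *payload, size_t offset, size_t nbytes,
                                  uint64_t *out)
{
    size_t len = strlen(payload);
    char tmp[16];                            /* byte_test reads at most 8 bytes */
    if (nbytes == 0 || nbytes >= sizeof(tmp) || offset > len)
        return BT_ERROR;                     /* caller asked for data outside the payload */
    if (nbytes > len - offset)
        nbytes = len - offset;               /* fewer bytes left: convert what is there */
    memcpy(tmp, payload + offset, nbytes);
    tmp[nbytes] = '\0';

    char *endptr = NULL;
    errno = 0;
    unsigned long long v = strtoull(tmp, &endptr, 10);
    if (endptr == tmp)
        return BT_NO_NUMBER;                 /* e.g. "Server: " or "\r\n\r\n": no digits */
    if (errno == ERANGE)
        return BT_ERROR;                     /* digits present but value overflowed */
    *out = (uint64_t)v;
    return BT_OK;
}

/* Emulates content:"Content-Length|3A| "; byte_test:8,>,516284,0,relative,dec,string;
 * on a NUL-terminated response. Returns 1 on match, 0 on no match, including when the
 * bytes after the header hold no number. */
int content_length_exceeds(const char *resp, uint64_t threshold)
{
    static const char needle[] = "Content-Length: ";
    const char *hit = strstr(resp, needle);
    if (hit == NULL)
        return 0;                            /* the content match already failed */
    size_t offset = (size_t)(hit - resp) + sizeof(needle) - 1;   /* "relative": just past the match */
    uint64_t value = 0;
    if (extract_dec_string(resp, offset, 8, &value) != BT_OK)
        return 0;
    return value > threshold;
}
```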

#4

Updated by Victor Julien almost 12 years ago

  • Estimated time changed from 0.50 h to 1.50 h

#5

Updated by Gurvinder Singh almost 12 years ago

  • Status changed from Assigned to Closed