Bug #4

closed

DetectBytetestMatch: Error extracting 8 bytes of string data: 0 on web responses

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Constantly get this error when running with the full rule-set. It appears as if these sigs trigger this printf on pretty much all web responses. I think that for some tests it will be expected behavior that we won't match, as we don't always know the field length; maybe we should just convert to a SCLogDebug message? ;-)...

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client, established; content:"Content-Length|3A| "; nocase; byte_test:8,>,516284,0,relative,dec,string; flowbits:isset, http.pls.download; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30341; classtype:attempted-user; sid:14020; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client, established; content:"Content-Length|3A| "; nocase; byte_test:8,>,516284,0,relative,dec,string; flowbits:isset, http.m3u.download; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30341; classtype:attempted-user; sid:14019; rev:1;)

Actions #1

Updated by Will Metcalf over 14 years ago

Hmmm, makes me wonder: maybe flowbits should be checked before anything else, if it is not already this way?

Actions #2

Updated by Gurvinder Singh over 14 years ago

  • Status changed from New to Assigned

Actions #3

Updated by Gurvinder Singh over 14 years ago

  • Assignee changed from OISF Dev to Gurvinder Singh

If flowbits is checked first, then using the given sigs (by Will), no DetectBytesMatch statement is printed. But the bug is caused because the function strtoull() makes both "endptr" and "ptr" equal and returns 0 as the result when there is no numeric value in the data.

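The strtoull() behaviour described in the comment above, shown in an added C example (this is illustration code written for this page, not Suricata's own DetectBytetest implementation; the function names, the enum, and the simplified byte_test emulation are all hypothetical, and the HTTP responses are constructed samples). It emulates `content:"Content-Length|3A| "; byte_test:8,>,516284,0,relative,dec,string;` and distinguishes three outcomes: the window held a number and the comparison ran, the window held no number at all (strtoull() returns 0 and leaves endptr equal to the input pointer, the case the thread identifies), and the window runs past the end of the payload. The second case is treated as an ordinary no-match rather than an error, which is what the reporter asks for. The content match is a plain case-sensitive strstr() here, whereas the real rule uses nocase.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of a byte_test-style comparison. Constructed for this example;
 * not Suricata's real return convention. */
enum bt_status {
    BT_MATCH = 1,         /* number extracted and comparison succeeded   */
    BT_NO_MATCH = 0,      /* number absent, or extracted but comparison failed */
    BT_OUT_OF_BOUNDS = -1 /* not enough payload left to read nbytes      */
};

/* Copy nbytes of payload starting at offset into a NUL-terminated buffer and
 * run strtoull() on it in base 10.
 * Returns  1 if at least one digit was converted (value stored in *out),
 *          0 if the window contained no numeric prefix at all,
 *         -1 if the window would run past the end of the payload. */
static int extract_decimal_string(const uint8_t *payload, size_t payload_len,
                                  size_t offset, size_t nbytes, uint64_t *out)
{
    char tmp[24];  /* big enough for the 8-byte window used by the rules */
    char *endptr = NULL;

    if (nbytes >= sizeof(tmp) || offset > payload_len ||
        nbytes > payload_len - offset)
        return -1;

    memcpy(tmp, payload + offset, nbytes);
    tmp[nbytes] = '\0';

    unsigned long long v = strtoull(tmp, &endptr, 10);

    /* The behaviour from the thread: with no numeric prefix strtoull() returns
     * 0 and sets endptr == tmp. Checking the return value alone cannot tell
     * "the field is 0" apart from "there is no number here"; endptr can.
     * (On overflow strtoull() saturates to ULLONG_MAX; that value is kept.) */
    if (endptr == tmp)
        return 0;

    *out = (uint64_t)v;
    return 1;
}

/* Emulates byte_test:<nbytes>,>,<threshold>,0,relative,dec,string, with the
 * preceding content match having ended at match_end. */
static enum bt_status byte_test_gt_string(const uint8_t *payload,
                                          size_t payload_len, size_t match_end,
                                          size_t nbytes, uint64_t threshold)
{
    uint64_t value = 0;
    int rc = extract_decimal_string(payload, payload_len, match_end, nbytes,
                                    &value);
    if (rc < 0)
        return BT_OUT_OF_BOUNDS;
    if (rc == 0)
        return BT_NO_MATCH;  /* expected on ordinary traffic: debug-level, not an error */
    return value > threshold ? BT_MATCH : BT_NO_MATCH;
}

/* Apply the Content-Length check from the two rules in the thread to one
 * response. Case-sensitive strstr() stands in for content ... nocase here. */
static enum bt_status check_response(const char *response)
{
    const char needle[] = "Content-Length: ";
    const char *hit = strstr(response, needle);
    if (hit == NULL)
        return BT_NO_MATCH;  /* content: did not match, so byte_test never runs */
    size_t match_end = (size_t)(hit - response) + strlen(needle);
    return byte_test_gt_string((const uint8_t *)response, strlen(response),
                               match_end, 8, 516284);
}

int main(void)
{
    /* Constructed sample responses, not captured traffic. The 8-byte window
     * deliberately spills into the CRLF and the next header, as it would on
     * real responses; strtoull() stops at the first non-digit. */
    const char *samples[] = {
        "HTTP/1.1 200 OK\r\nContent-Length: 600000\r\nContent-Type: audio/x-mpegurl\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: 1234\r\nContent-Type: text/html\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: unknown\r\n\r\n",  /* no number */
        "HTTP/1.1 200 OK\r\nContent-Length: 12",               /* truncated */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %zu -> %d\n", i, (int)check_response(samples[i]));
    return 0;
}
```

The first sample matches (600000 > 516284), the second does not (1234), the third holds no digits and is reported as a plain no-match, and the fourth has fewer than 8 bytes left after the header name and is the only case that really is an extraction error.

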
Actions #4

Updated by Victor Julien over 14 years ago

  • Estimated time changed from 0.50 h to 1.50 h

Actions #5

Updated by Gurvinder Singh over 14 years ago

  • Status changed from Assigned to Closed