Bug #4: DetectBytetestMatch: Error extracting 8 bytes of string data: 0 on web responses - Suricata - Open Information Security Foundation

Actions

Copy link

#1

Updated by Will Metcalf over 14 years ago

hmmm makes me wonder, maybe flowbits should be checked before anything else if it is not already this way?

Actions

Copy link

#2

Updated by Gurvinder Singh over 14 years ago

Status changed from New to Assigned

Will Metcalf wrote:

Constantly get this error when running with the full rule-set. It appears as if these sigs trigger this printf on pretty much all web responses. I think that for some tests it will be expected behavior that we won't match as we don't always know the field length maybe we should just convert to a SCLogDebug message? ;-)...

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client, established; content:"Content-Length|3A| "; nocase; byte_test:8,>,516284,0,relative,dec,string; flowbits:isset, http.pls.download; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30341; classtype:attempted-user; sid:14020; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client, established; content:"Content-Length|3A| "; nocase; byte_test:8,>,516284,0,relative,dec,string; flowbits:isset, http.m3u.download; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30341; classtype:attempted-user; sid:14019; rev:1;)

Actions

Copy link

#3

Updated by Gurvinder Singh over 14 years ago

Assignee changed from OISF Dev to Gurvinder Singh

If flowbits is check first, then using the given sigs (by will), no DetectBytesMatch statement is printed. But the bug is caused as the function strtoull() makes both "endptr" and "ptr" equals and return 0 as result, when there is no numeric value in the data.

Actions

Copy link

#4