Bug #4
closed
DetectBytetestMatch: Error extracting 8 bytes of string data: 0 on web responses
Description
Constantly get this error when running with the full rule-set. It appears as if these sigs trigger this printf on pretty much all web responses. I think that for some tests it will be expected behavior that we won't match, as we don't always know the field length. Maybe we should just convert to a SCLogDebug message? ;-)...
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client, established; content:"Content-Length|3A| "; nocase; byte_test:8,>,516284,0,relative,dec,string; flowbits:isset, http.pls.download; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30341; classtype:attempted-user; sid:14020; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CyberLink PowerDVD playlist file handling stack overflow attempt"; flow:to_client, established; content:"Content-Length|3A| "; nocase; byte_test:8,>,516284,0,relative,dec,string; flowbits:isset, http.m3u.download; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,30341; classtype:attempted-user; sid:14019; rev:1;)