In my notice.log files I frequently find the following two error messages:
run-time error: string with embedded NUL
run-time error: string without NUL terminator
I cannot give specific information about what packets trigger these errors, but it seems that often it is NetBios. I am running Bro 1.4.
What could be the problem that causes the errors, and how could I avoid them? Do these errors have an impact on signature matching (or other Bro functionality)?
I noticed that my question was quite undetailed. I'll try to make it clearer. My code looks like this:
event signature_match( state: signature_state, msg: string, data: string )
	{
	local token: pattern;
	token = string_to_pattern( "abcde", F );
	# this call is where the run-time errors are reported
	match_pattern( data, token );
	}
When running this code I get the mentioned error messages. They come from the match_pattern call. As mentioned before, it doesn't happen for every packet, only for some, and these are often NetBios.
Do I need to somehow preprocess the data string before matching it? How can I make Bro successfully match such payloads?
Peter Wurzinger wrote:
I think match_pattern() does indeed not deal well with strings
containing null bytes. Not sure how easy it would be to fix that.
Depending on what exactly you want to do, you could try to work
- ignore the warnings if you aren't interested in these particular
- use the "/pattern/ in data" operator if that's sufficient
- see if one of the other string functions in string.bif provide
enough functionality and work better (likely not)
- escape the data with string_escape() and adjust the regexp if
All not very nice, admittedly.
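
Added illustration, not part of either post and not Bro's source code: the two messages quoted in the thread correspond to the two ways a length-counted payload can fail to be a valid C string, and the sketch below shows why a matcher built on C-string functions cannot see a token that follows a NUL byte while a length-aware search can. The names check_cstring, find_bytes, cstring_match and the sample payload are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of checking a counted buffer before passing it to a C-string API.
 * The two failure cases mirror the messages quoted in the thread. */
enum cstr_status { CSTR_OK, CSTR_EMBEDDED_NUL, CSTR_NO_TERMINATOR };

/* buf holds len payload bytes; cap is the allocated size. */
enum cstr_status check_cstring(const unsigned char *buf, size_t len, size_t cap)
{
    if (memchr(buf, '\0', len) != NULL)
        return CSTR_EMBEDDED_NUL;       /* NUL before the logical end */
    if (cap <= len || buf[len] != '\0')
        return CSTR_NO_TERMINATOR;      /* nothing stops a C-string scan */
    return CSTR_OK;
}

/* Length-aware search: NUL is an ordinary byte. Returns offset or -1. */
long find_bytes(const unsigned char *hay, size_t hlen,
                const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return -1;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

/* What a C-string matcher sees: the scan ends at the first NUL. */
int cstring_match(const unsigned char *buf, const char *token)
{
    return strstr((const char *)buf, token) != NULL;
}

/* Constructed sample: NUL-padded binary header, then the token "abcde". */
static const unsigned char sample[] = {
    0x00, 0x00, 0x00, 0x2f, 0xff, 'S', 'M', 'B', 0x00,
    'a', 'b', 'c', 'd', 'e', 0x00 };
#define SAMPLE_LEN (sizeof sample - 1)  /* payload bytes without final NUL */

int main(void)
{
    printf("status=%d\n", check_cstring(sample, SAMPLE_LEN, sizeof sample));
    printf("c-string match=%d\n", cstring_match(sample, "abcde"));
    printf("length-aware offset=%ld\n",
           find_bytes(sample, SAMPLE_LEN, (const unsigned char *)"abcde", 5));
    return 0;
}
```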