Bug #200
closed
smb/dcerpc attack traffic not parsed properly
Added by Victor Julien over 14 years ago.
Updated over 14 years ago.
Description
The attached pcap contains traffic generated by Metasploit for MS08-067. In Wireshark we can see that there is quite a bit of DCERPC traffic present, but our SMB parser never invokes the DCERPC parser.
Files
Properly handle ByteCount of 0.
Seems that we still don't alert on sid 7209 as we should given the pcap.
The patch correctly addresses the problem where the smb parser was not correctly invoking the DCERPC parser, so I believe that this ticket should be closed. The problem with the alert not firing is probably closely related to the bug reported in Bug #206. I will look into that next.
- Status changed from Assigned to Closed
- % Done changed from 90 to 100
Patch applied, thanks Kirby.
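An added illustration of the point behind the description and the attached patch (example code written for this page, not Suricata's SMB parser): an SMB1 body is WordCount, parameter words, ByteCount, then data, and a ByteCount of 0 is a legal empty data block that the parser must accept rather than abort on, since aborting means the DCERPC payload in later messages is never handed to the DCERPC parser. The DCERPC check is a simplified header sniff (rpc_vers 5, minor 0 or 1) applied directly to the data block; real WriteAndX/Transaction handling also honours the DataOffset and pad bytes, which this example ignores, and all sample messages are constructed, not taken from the pcap.

```python
import struct

SMB1_MAGIC = b"\xffSMB"   # SMB1 header magic; the fixed header is 32 bytes
SMB1_HEADER_LEN = 32

def parse_smb1_body(body: bytes):
    """Parse the WordCount / parameter words / ByteCount / data layout
    that follows the SMB1 header. Returns (words, data) or None if truncated.
    A ByteCount of 0 is a legal, empty data block, not a malformed message."""
    if len(body) < 1:
        return None
    word_count = body[0]
    off = 1 + 2 * word_count
    if len(body) < off + 2:
        return None
    words = body[1:off]
    (byte_count,) = struct.unpack_from("<H", body, off)
    off += 2
    if len(body) < off + byte_count:
        return None
    return words, body[off:off + byte_count]

def looks_like_dcerpc(data: bytes) -> bool:
    """Cheap DCERPC PDU check: rpc_vers 5, minor 0 or 1, 16-byte common header present."""
    return len(data) >= 16 and data[0] == 5 and data[1] in (0, 1)

def classify_smb1(msg: bytes) -> str:
    """Classify one SMB1 message as 'truncated', 'empty', 'dcerpc' or 'smb-data'."""
    if not msg.startswith(SMB1_MAGIC) or len(msg) < SMB1_HEADER_LEN:
        return "truncated"
    parsed = parse_smb1_body(msg[SMB1_HEADER_LEN:])
    if parsed is None:
        return "truncated"
    _words, data = parsed
    if not data:
        return "empty"   # ByteCount == 0: keep parsing state, do not treat as an error
    return "dcerpc" if looks_like_dcerpc(data) else "smb-data"

if __name__ == "__main__":
    # Constructed samples (hypothetical), not taken from the attached pcap.
    hdr = SMB1_MAGIC + b"\x00" * 28
    bind_pdu = b"\x05\x00\x0b\x03\x10\x00\x00\x00" + struct.pack("<HHI", 16, 0, 1)
    empty_msg = hdr + b"\x00" + b"\x00\x00"          # WordCount 0, ByteCount 0
    rpc_msg = hdr + b"\x02" + b"\x00" * 4 + struct.pack("<H", len(bind_pdu)) + bind_pdu
    for name, m in (("empty", empty_msg), ("rpc", rpc_msg)):
        print(name, classify_smb1(m))
```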