Bug #200

closed

smb/dcerpc attack traffic not parsed properly

Added by Victor Julien over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
High

Description

The attached pcap contains traffic generated by Metasploit for ms08-067. In Wireshark we can see that there is quite a bit of DCERPC traffic present, but our SMB parser never invokes the DCERPC parser.

#1

Updated by Kirby Kuehl over 14 years ago

Properly handle ByteCount of 0.

#2

Updated by Will Metcalf over 14 years ago

It seems that we still don't alert on sid 7209 as we should, given the pcap.

#3

Updated by Kirby Kuehl over 14 years ago

The patch correctly addresses the problem where the smb parser was not correctly invoking the DCERPC parser, so I believe that this ticket should be closed. The problem with the alert not firing is probably closely related to the bug reported in Bug #206. I will look into that next.

#4

Updated by Victor Julien over 14 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 90 to 100

Patch applied, thanks Kirby.
