Added by Victor Julien almost 16 years ago. Updated almost 16 years ago.
Description
The attached pcap contains traffic generated by metasploit for ms08-067. In wireshark we can see that there is quite a bit of DCERPC traffic present, but our SMB parser never invokes the DCERPC parser.
Files
| rpcoversmbtraffic.pcap (20 KB) rpcoversmbtraffic.pcap | Victor Julien, 07/01/2010 04:58 AM | ||
| 0001-properly-handle-bytecount-of-0.patch (6.63 KB) 0001-properly-handle-bytecount-of-0.patch | Kirby Kuehl, 07/09/2010 12:03 PM |
Properly handle ByteCount of 0.
seems that we still don't alert on sid 7209 as we should given the pcap.
The patch correctly addresses the problem where the smb parser was not correctly invoking the DCERPC parser, so I believe that this ticket should be closed. The problem with the alert not firing is probably closely related to the bug reported in Bug #206. I will look into that next.
Patch applied, thanks Kirby.