guard mres

scripts/main.zeek

@@ -71,6 +71,8 @@ event dce_rpc_request_stub(c: connection, fid: count, ctx_id: count,
 function correct_frag_length(data: string, regex: pattern): bool
 {
 	local mres = match_pattern(data, regex);
+	if ( ! mres$matched )
+		return F;
 	print data[mres$off - 1:];
 	# mres$off - 1 is the offset to the start of the DCERPC section
 	# 8 bytes until we hit frag length