<div dir="ltr"><div class="markdown-here-wrapper" style=""><p style="margin:0px 0px 1.2em!important">Hello,<br>I’m using Suricata 4.1.2 and testing the dcerpc protocol analyzer. This is the snippet from my <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">suricata.yaml</code>:</p>
<pre style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;font-size:1em;line-height:1.2em;margin:1.2em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline;white-space:pre;overflow:auto;border-radius:3px;border:1px solid rgb(204,204,204);padding:0.5em 0.7em;display:block!important">app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443, 8443
    dcerpc:
      enabled: yes
      detection-ports:
        dp: 139, 445
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    modbus:
      enabled: no
      detection-ports:
        dp: 502
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          http-body-inline: auto
          double-decode-path: no
          double-decode-query: no
        server-config:
</code></pre><p style="margin:0px 0px 1.2em!important">Running the pcap attached to this mail, I’m getting the following data:</p>
<pre style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;font-size:1em;line-height:1.2em;margin:1.2em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline;white-space:pre;overflow:auto;border-radius:3px;border:1px solid rgb(204,204,204);padding:0.5em 0.7em;display:block!important">{"timestamp":"2019-09-11T21:56:11.403635+0000","flow_id":1292031077230563,"pcap_cnt":3484,"event_type":"fileinfo","src_ip":"10.100.100.11","src_port":59771,"dest_ip":"10.100.100.254","dest_port":445,"proto":"TCP","smb":{"id":28,"dialect":"3.11","command":"SMB2_COMMAND_WRITE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":219922659541061,"tree_id":1,"filename":"powershell.exe","share":"","fuid":"0000903b-0032-0000-0011-000000000032"},"app_proto":"smb","fileinfo":{"filename":"powershell.exe","gaps":false,"state":"CLOSED","stored":false,"size":447488,"tx_id":27}}
{"timestamp":"2019-09-11T21:56:11.403635+0000","flow_id":1292031077230563,"pcap_cnt":3484,"event_type":"fileinfo","src_ip":"10.100.100.254","src_port":445,"dest_ip":"10.100.100.11","dest_port":59771,"proto":"TCP","smb":{"id":29,"dialect":"3.11","command":"SMB2_COMMAND_READ","status":"STATUS_SUCCESS","status_code":"0x0","session_id":219922659541061,"tree_id":1,"filename":"powershell.exe","share":"\\\\10.100.100.254\\ADMIN$","fuid":"0000903b-0032-0000-0011-000000000032"},"app_proto":"smb","fileinfo":{"filename":"powershell.exe","gaps":false,"state":"CLOSED","stored":false,"size":447488,"tx_id":28}}
</code></pre><p style="margin:0px 0px 1.2em!important">It looks like the smb protocol analyzer is working fine, but there is no <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline">dcerpc</code> data.<br>Am I doing something wrong?</p>
</div><div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Federico Foschini.</div></div></div>
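<p>As an added example (not from Federico's mail or from the Suricata project), a small Python check over EVE records like the ones quoted above: it groups records by <code>flow_id</code>, lists which app-layer parsers produced them, and searches every record for a <code>dcerpc</code> key at any depth, so one can tell whether DCERPC data is absent entirely or merely nested inside another protocol's object. The two embedded sample records are the ones from the mail; the nested-key layout checked in the helper is an assumption, not a documented Suricata field.</p>

```python
"""Per-flow triage of Suricata EVE JSON: which parsers produced records, and
whether any 'dcerpc' data appears (top-level event_type or nested key).
Added example; not code from the original mail or the Suricata project."""
import json
from collections import defaultdict

# The two EVE records quoted in the mail (kept verbatim, one JSON object per line).
SAMPLE_EVE = r'''
{"timestamp":"2019-09-11T21:56:11.403635+0000","flow_id":1292031077230563,"pcap_cnt":3484,"event_type":"fileinfo","src_ip":"10.100.100.11","src_port":59771,"dest_ip":"10.100.100.254","dest_port":445,"proto":"TCP","smb":{"id":28,"dialect":"3.11","command":"SMB2_COMMAND_WRITE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":219922659541061,"tree_id":1,"filename":"powershell.exe","share":"","fuid":"0000903b-0032-0000-0011-000000000032"},"app_proto":"smb","fileinfo":{"filename":"powershell.exe","gaps":false,"state":"CLOSED","stored":false,"size":447488,"tx_id":27}}
{"timestamp":"2019-09-11T21:56:11.403635+0000","flow_id":1292031077230563,"pcap_cnt":3484,"event_type":"fileinfo","src_ip":"10.100.100.254","src_port":445,"dest_ip":"10.100.100.11","dest_port":59771,"proto":"TCP","smb":{"id":29,"dialect":"3.11","command":"SMB2_COMMAND_READ","status":"STATUS_SUCCESS","status_code":"0x0","session_id":219922659541061,"tree_id":1,"filename":"powershell.exe","share":"\\\\10.100.100.254\\ADMIN$","fuid":"0000903b-0032-0000-0011-000000000032"},"app_proto":"smb","fileinfo":{"filename":"powershell.exe","gaps":false,"state":"CLOSED","stored":false,"size":447488,"tx_id":28}}
'''


def has_key(obj, key):
    """True if `key` occurs as a dict key anywhere inside a parsed record."""
    if isinstance(obj, dict):
        return key in obj or any(has_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(has_key(item, key) for item in obj)
    return False


def summarize(eve_lines):
    """Group EVE records by flow_id; collect event types, app protocols,
    SMB (share, filename) pairs, and a count of records carrying dcerpc data."""
    flows = defaultdict(lambda: {"event_types": set(), "app_protos": set(),
                                 "files": set(), "dcerpc_records": 0})
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        flow = flows[rec.get("flow_id")]
        flow["event_types"].add(rec.get("event_type"))
        if "app_proto" in rec:
            flow["app_protos"].add(rec["app_proto"])
        smb = rec.get("smb", {})
        if "filename" in smb:
            flow["files"].add((smb.get("share", ""), smb["filename"]))
        # Count both a dedicated dcerpc event and dcerpc data nested elsewhere.
        if rec.get("event_type") == "dcerpc" or has_key(rec, "dcerpc"):
            flow["dcerpc_records"] += 1
    return dict(flows)


if __name__ == "__main__":
    for flow_id, info in summarize(SAMPLE_EVE.splitlines()).items():
        print(f"flow {flow_id}: events={sorted(info['event_types'])} "
              f"app_protos={sorted(info['app_protos'])} "
              f"dcerpc_records={info['dcerpc_records']}")
        for share, name in sorted(info["files"]):
            print(f"  smb file: share={share!r} filename={name!r}")
```

To run it against a real capture, feed it `open("eve.json")` instead of `SAMPLE_EVE.splitlines()`; a flow with `app_protos={'smb'}` and `dcerpc_records=0` reproduces the situation described in the mail.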