<div dir="ltr"><div>Hi Andreas,</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
> Running the pcap attached to this mail I’m getting the following data:<br>
{"timestamp":"2019-09-11T23:56:09.419148+0200","flow_id":122709051740650,"event_type":"flow","src_ip":"10.100.100.11","src_port":59775,"dest_ip":"10.100.100.254","dest_port":49667,"proto":"TCP","app_proto":"dcerpc","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":3357,"bytes_toclient":1478,"start":"2019-09-11T23:56:00.102890+0200","end":"2019-09-11T23:56:00.153885+0200","age":0,"state":"established","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a","syn":true,"psh":true,"ack":true,"state":"established"}}<br>
Is what I get for example</blockquote><div> </div><div>At the moment we are not interested in the FLOW log for this protocol.</div><div>We are testing rules on the DCERPC protocol and we expected there would be a logger for it, like those for DNS/HTTP(S) etc., which could help us refine our rules and better understand how Suricata interprets this protocol.</div><div><br></div>What we expected was something like this in the Suricata YAML:<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><font face="monospace">output:<br></font><font face="monospace">  - eve-log:<br></font><font face="monospace">    ...<br></font><font face="monospace">    types:<br></font><font face="monospace">      - dcerpc</font></blockquote><div><br></div><div>But this does not seem to work; as Federico said, nothing gets logged on eve-log.</div><div>Is there a way to log DCERPC protocol data?</div><div><br></div><div>Regards,</div><div>Davide<br>-- <br><div dir="ltr">Davide Setti, Security Platform Lead Engineer, <a href="http://www.certego.net/" target="_blank">Certego</a></div></div></div>
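Until a dedicated DCERPC logger is available, the flow records Suricata does emit (as in the sample quoted above) still show which RPC endpoints a client talks to. The following is an added example, not code from the thread or from the Suricata project: it reads eve.json lines, keeps only flow events with `app_proto` of `dcerpc`, and summarises them per destination endpoint. The sample lines are constructed for the demo (the first is the record from the mail; the HTTP flow and the junk line are made up).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample eve.json content: the DCERPC flow from the mail, a made-up
# HTTP flow that must be ignored, and a torn line such as a half-written last record.
SAMPLE_EVE = r'''
{"timestamp":"2019-09-11T23:56:09.419148+0200","flow_id":122709051740650,"event_type":"flow","src_ip":"10.100.100.11","src_port":59775,"dest_ip":"10.100.100.254","dest_port":49667,"proto":"TCP","app_proto":"dcerpc","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":3357,"bytes_toclient":1478,"start":"2019-09-11T23:56:00.102890+0200","end":"2019-09-11T23:56:00.153885+0200","age":0,"state":"established","reason":"shutdown","alerted":false}}
{"timestamp":"2019-09-11T23:56:10.000000+0200","flow_id":1,"event_type":"flow","src_ip":"10.100.100.12","src_port":40000,"dest_ip":"10.100.100.254","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":500,"bytes_toclient":900,"start":"2019-09-11T23:56:09.000000+0200","end":"2019-09-11T23:56:09.500000+0200"}}
{"timestamp":"2019-09-11T23:56:11.000000+0200","flow_id":2,"event_type":"fl
'''

# eve.json timestamps carry microseconds and a +HHMM offset; strptime handles both.
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def dcerpc_flow_summary(lines):
    """Return one summary dict per DCERPC flow record; other events and bad lines are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn or non-JSON line: ignore rather than abort the whole run
        if ev.get("event_type") != "flow" or ev.get("app_proto") != "dcerpc":
            continue
        fl = ev["flow"]
        # Exact integer microseconds between flow start and end (timedelta // timedelta -> int).
        duration_us = (parse_ts(fl["end"]) - parse_ts(fl["start"])) // timedelta(microseconds=1)
        out.append({
            "flow_id": ev["flow_id"],
            "client": f'{ev["src_ip"]}:{ev["src_port"]}',
            "endpoint": f'{ev["dest_ip"]}:{ev["dest_port"]}',
            "pkts": fl["pkts_toserver"] + fl["pkts_toclient"],
            "bytes": fl["bytes_toserver"] + fl["bytes_toclient"],
            "duration_us": duration_us,
        })
    return out


def endpoints_by_traffic(summaries):
    """Total bytes per RPC endpoint (dest ip:port), i.e. which RPC ports are actually in use."""
    totals = defaultdict(int)
    for s in summaries:
        totals[s["endpoint"]] += s["bytes"]
    return dict(totals)


if __name__ == "__main__":
    flows = dcerpc_flow_summary(SAMPLE_EVE.splitlines())
    print(flows)
    print(endpoints_by_traffic(flows))
```

Run it against a real eve.json with `dcerpc_flow_summary(open("eve.json"))` to list the dynamic RPC ports (such as 49667 in the sample) that your rules need to cover.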