[Oisf-users] dcerpc protocol analyzer seems not to work
Federico Foschini
undicizeri at gmail.com
Mon Sep 16 14:21:18 UTC 2019
Hello,
I’m using Suricata 4.1.2 and testing the dcerpc protocol analyzer; this is the
snippet of my suricata.yaml:
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443, 8443
    dcerpc:
      enabled: yes
      detection-ports:
        dp: 139, 445
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    modbus:
      enabled: no
      detection-ports:
        dp: 502
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          http-body-inline: auto
          double-decode-path: no
          double-decode-query: no
        server-config:
Running the pcap attached to this mail, I’m getting the following data:
{"timestamp":"2019-09-11T21:56:11.403635+0000","flow_id":1292031077230563,"pcap_cnt":3484,"event_type":"fileinfo","src_ip":"10.100.100.11","src_port":59771,"dest_ip":"10.100.100.254","dest_port":445,"proto":"TCP","smb":{"id":28,"dialect":"3.11","command":"SMB2_COMMAND_WRITE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":219922659541061,"tree_id":1,"filename":"powershell.exe","share":"","fuid":"0000903b-0032-0000-0011-000000000032"},"app_proto":"smb","fileinfo":{"filename":"powershell.exe","gaps":false,"state":"CLOSED","stored":false,"size":447488,"tx_id":27}}
{"timestamp":"2019-09-11T21:56:11.403635+0000","flow_id":1292031077230563,"pcap_cnt":3484,"event_type":"fileinfo","src_ip":"10.100.100.254","src_port":445,"dest_ip":"10.100.100.11","dest_port":59771,"proto":"TCP","smb":{"id":29,"dialect":"3.11","command":"SMB2_COMMAND_READ","status":"STATUS_SUCCESS","status_code":"0x0","session_id":219922659541061,"tree_id":1,"filename":"powershell.exe","share":"\\\\10.100.100.254\\ADMIN$","fuid":"0000903b-0032-0000-0011-000000000032"},"app_proto":"smb","fileinfo":{"filename":"powershell.exe","gaps":false,"state":"CLOSED","stored":false,"size":447488,"tx_id":28}}
It looks like the smb protocol analyzer is working fine but there is no
dcerpc data.
Am I doing something wrong?
--
Federico Foschini.
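An added example (my code, not from the post or from the Suricata project): a small Python triage over the two eve.json records quoted above. It groups records by flow_id to show which app_proto values each flow actually produced (here only smb, no dcerpc) and flags executables transferred over administrative shares, joining the WRITE and READ records on fuid because the WRITE record's share field is empty. The administrative share names and file suffixes it checks are my assumptions.

```python
import json
from collections import Counter, defaultdict

# The two eve.json records quoted in the post (psexec pushing powershell.exe
# over SMB), embedded as sample input so the script runs offline.
SAMPLE_EVE = r'''
{"timestamp":"2019-09-11T21:56:11.403635+0000","flow_id":1292031077230563,"pcap_cnt":3484,"event_type":"fileinfo","src_ip":"10.100.100.11","src_port":59771,"dest_ip":"10.100.100.254","dest_port":445,"proto":"TCP","smb":{"id":28,"dialect":"3.11","command":"SMB2_COMMAND_WRITE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":219922659541061,"tree_id":1,"filename":"powershell.exe","share":"","fuid":"0000903b-0032-0000-0011-000000000032"},"app_proto":"smb","fileinfo":{"filename":"powershell.exe","gaps":false,"state":"CLOSED","stored":false,"size":447488,"tx_id":27}}
{"timestamp":"2019-09-11T21:56:11.403635+0000","flow_id":1292031077230563,"pcap_cnt":3484,"event_type":"fileinfo","src_ip":"10.100.100.254","src_port":445,"dest_ip":"10.100.100.11","dest_port":59771,"proto":"TCP","smb":{"id":29,"dialect":"3.11","command":"SMB2_COMMAND_READ","status":"STATUS_SUCCESS","status_code":"0x0","session_id":219922659541061,"tree_id":1,"filename":"powershell.exe","share":"\\\\10.100.100.254\\ADMIN$","fuid":"0000903b-0032-0000-0011-000000000032"},"app_proto":"smb","fileinfo":{"filename":"powershell.exe","gaps":false,"state":"CLOSED","stored":false,"size":447488,"tx_id":28}}
'''
ADMIN_SHARES = {"ADMIN$", "C$"}           # assumed: shares used for remote execution
EXEC_SUFFIXES = (".exe", ".dll", ".ps1")  # assumed: payload types worth flagging

def parse_eve(text):
    events = []
    for line in text.splitlines():
        try:
            if line.strip():
                events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated record must not abort the whole triage
    return events

def summarize_flows(events):
    """Per flow_id: the app_proto values seen and a count of event_type values."""
    flows = defaultdict(lambda: {"app_protos": set(), "event_types": Counter()})
    for ev in events:
        flow = flows[ev["flow_id"]]
        flow["event_types"][ev.get("event_type")] += 1
        if ev.get("app_proto"):
            flow["app_protos"].add(ev["app_proto"])
    return dict(flows)

def flows_without(flows, proto):  # flows for which parser `proto` logged nothing
    return sorted(fid for fid, f in flows.items() if proto not in f["app_protos"])

def admin_share_transfers(events):
    """Executables moved over an administrative share. Records are joined on
    (flow_id, fuid): the WRITE record above carries share "" and only the READ
    record for the same fuid names the ADMIN$ share."""
    files = defaultdict(lambda: {"filename": "", "share": "", "commands": set()})
    for ev in events:
        smb = ev.get("smb") or {}
        if ev.get("event_type") == "fileinfo" and smb.get("fuid"):
            rec = files[(ev["flow_id"], smb["fuid"])]
            rec["filename"] = smb.get("filename") or rec["filename"]
            rec["share"] = smb.get("share") or rec["share"]
            rec["commands"].add(smb.get("command"))
    return [(fid, r["filename"], r["share"], sorted(r["commands"]))
            for (fid, _fuid), r in files.items()
            if r["share"].rsplit("\\", 1)[-1].upper() in ADMIN_SHARES
            and r["filename"].lower().endswith(EXEC_SUFFIXES)]
```

Feed it a real eve.json (`parse_eve(open("eve.json").read())`) to see, per flow, which parsers produced records and which admin-share file transfers were logged.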
A non-text attachment was scrubbed...
Name: psexec_powershell_over_smb.pcapng
Type: application/x-pcapng
Size: 1736348 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190916/43aeaa30/attachment-0001.bin>