[Oisf-users] dcerpc protocol analyzer seems not to work

Andreas Herz aherz at oisf.net
Mon Sep 23 21:10:56 UTC 2019


On 16/09/19 at 16:21, Federico Foschini wrote:
> Hello,
> I'm using Suricata 4.1.2 and testing the dcerpc protocol analyzer; this is the
> snippet of my suricata.yaml:

How do you run suricata?

> Running the pcap attached to this mail, I'm getting the following data:

{"timestamp":"2019-09-11T23:56:09.419148+0200","flow_id":122709051740650,"event_type":"flow","src_ip":"10.100.100.11","src_port":59775,"dest_ip":"10.100.100.254","dest_port":49667,"proto":"TCP","app_proto":"dcerpc","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":3357,"bytes_toclient":1478,"start":"2019-09-11T23:56:00.102890+0200","end":"2019-09-11T23:56:00.153885+0200","age":0,"state":"established","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a","syn":true,"psh":true,"ack":true,"state":"established"}}

is what I get, for example.

-- 
Andreas Herz
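A quick way to check what the thread is asking about (whether flows Suricata classified as dcerpc ever produced an app-layer record of their own, or only a flow record) is to group EVE output by flow_id. The script below is an added example, not code from the thread or from the Suricata project. Its sample input is constructed: the first line is the flow record quoted above, the other two lines are a made-up HTTP flow (flow_id 1, hostname example.test) included only to show what a flow with a matching app-layer record looks like. Whether a given Suricata version and eve-log `types` configuration emits a record with event_type equal to the app_proto is version- and config-dependent; the script only reports what is present in the file.

```python
import json
from collections import defaultdict

# Constructed sample EVE output (one JSON record per line).
# Line 1: the dcerpc flow record quoted in the thread.
# Lines 2-3: a made-up HTTP flow (flow_id 1) with both a flow record and an
# http record, so that the grouping has one "complete" flow to compare against.
SAMPLE_EVE = """
{"timestamp":"2019-09-11T23:56:09.419148+0200","flow_id":122709051740650,"event_type":"flow","src_ip":"10.100.100.11","src_port":59775,"dest_ip":"10.100.100.254","dest_port":49667,"proto":"TCP","app_proto":"dcerpc","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":3357,"bytes_toclient":1478,"start":"2019-09-11T23:56:00.102890+0200","end":"2019-09-11T23:56:00.153885+0200","age":0,"state":"established","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a","syn":true,"psh":true,"ack":true,"state":"established"}}
{"timestamp":"2019-09-11T23:56:10.000000+0200","flow_id":1,"event_type":"http","src_ip":"10.100.100.11","src_port":50000,"dest_ip":"10.100.100.20","dest_port":80,"proto":"TCP","http":{"hostname":"example.test","url":"/","http_method":"GET"}}
{"timestamp":"2019-09-11T23:56:11.000000+0200","flow_id":1,"event_type":"flow","src_ip":"10.100.100.11","src_port":50000,"dest_ip":"10.100.100.20","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"state":"closed","reason":"shutdown","alerted":false}}
"""


def load_eve(text):
    """Parse EVE JSON: one record per line, blank lines ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def event_types_by_flow(records, app_proto):
    """Return {flow_id: set(event_type)} for every flow whose flow record
    carries the given app_proto, covering all records of that flow."""
    flow_ids = {
        r["flow_id"]
        for r in records
        if r.get("event_type") == "flow" and r.get("app_proto") == app_proto
    }
    seen = defaultdict(set)
    for r in records:
        if r.get("flow_id") in flow_ids:
            seen[r["flow_id"]].add(r.get("event_type"))
    return dict(seen)


def flows_missing_app_layer(records, app_proto):
    """flow_ids classified as app_proto whose records never include an
    event_type equal to that app_proto (i.e. only flow/alert/etc. records)."""
    by_flow = event_types_by_flow(records, app_proto)
    return sorted(fid for fid, types in by_flow.items() if app_proto not in types)


if __name__ == "__main__":
    recs = load_eve(SAMPLE_EVE)
    for proto in ("dcerpc", "http"):
        for fid, types in event_types_by_flow(recs, proto).items():
            print(f"{proto} flow {fid}: event types {sorted(types)}")
        print(f"{proto} flows with no {proto} record: "
              f"{flows_missing_app_layer(recs, proto)}")
```

Point it at a real eve.json by replacing SAMPLE_EVE with the file contents; a dcerpc flow that appears only in the "missing" list was recognised by the app-layer detector but produced no protocol-specific record in that output.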

