[Oisf-users] dcerpc protocol analyzer seems not to work

Davide Setti d.setti at certego.net
Tue Sep 24 07:04:09 UTC 2019


Hi Andreas,


> > Running the pcap attached to this mail I’m getting the following data:
>
> {"timestamp":"2019-09-11T23:56:09.419148+0200","flow_id":122709051740650,"event_type":"flow","src_ip":"10.100.100.11","src_port":59775,"dest_ip":"10.100.100.254","dest_port":49667,"proto":"TCP","app_proto":"dcerpc","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":3357,"bytes_toclient":1478,"start":"2019-09-11T23:56:00.102890+0200","end":"2019-09-11T23:56:00.153885+0200","age":0,"state":"established","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a","syn":true,"psh":true,"ack":true,"state":"established"}}
> That is what I get, for example.


At the moment we are not interested in the FLOW log for this protocol.
We are testing rules on the DCERPC protocol and expected there would be a
logger for it, like those for DNS/HTTP(S) etc., which could help us to
refine our rules and to better understand how Suricata interprets this
protocol.

What we expected was something like this in the Suricata YAML:

  output:
    - eve-log:
      ...
      types:
        - dcerpc


But this does not seem to work: as Federico said, nothing gets logged to
eve-log.
Is there a way to log DCERPC protocol data?

Regards,
Davide
-- 
<http://www.certego.net/>
Davide Setti
Security Platform Lead Engineer, Certego
<http://www.linkedin.com/company/certego>  <http://twitter.com/Certego_IRT>
<http://github.com/certego>  <http://www.youtube.com/CERTEGOsrl>
<http://plus.google.com/117641917176532015312>
Use of the information within this document constitutes acceptance for use
in an "as is" condition. There are no warranties with regard to this
information; Certego has verified the data as thoroughly as possible. Any
use of this information lies within the user's responsibility. In no event
shall Certego be liable for any consequences or damages, including direct,
indirect, incidental, consequential, loss of business profits or special
damages, arising out of or in connection with the use or spread of this
information.
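The check behind this question (does any eve-log event type other than "flow" appear for the DCERPC flows?) can be run directly over eve.json. The script below is an added example, not part of the mailing-list post or of Suricata: it groups EVE records by flow_id, lists the event types emitted for each flow whose app_proto is dcerpc, and reports whether a protocol-specific logger produced anything. The first sample line is the flow record quoted above; the other lines, including the signature id 9000001 and the "LOCAL hypothetical DCERPC test rule" name, are constructed to exercise the grouping and are not real Suricata output.

```python
"""Summarise what Suricata EVE JSON emitted per flow.

Added example (not from the mailing-list post or the Suricata project).
Reads newline-delimited EVE JSON, groups records by flow_id and reports,
for every flow whose app_proto is "dcerpc", which event_type values were
written. If only "flow" shows up, no protocol-specific logger fired.
"""
import json

# Constructed sample: line 1 is the flow record quoted in the post; the
# DNS lines and the alert (hypothetical sid 9000001) are made up so the
# grouping and the "logger active?" check have something to compare.
SAMPLE_EVE = r'''
{"timestamp":"2019-09-11T23:56:09.419148+0200","flow_id":122709051740650,"event_type":"flow","src_ip":"10.100.100.11","src_port":59775,"dest_ip":"10.100.100.254","dest_port":49667,"proto":"TCP","app_proto":"dcerpc","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":3357,"bytes_toclient":1478,"start":"2019-09-11T23:56:00.102890+0200","end":"2019-09-11T23:56:00.153885+0200","age":0,"state":"established","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1a","tcp_flags_ts":"1a","tcp_flags_tc":"1a","syn":true,"psh":true,"ack":true,"state":"established"}}
{"timestamp":"2019-09-11T23:56:01.000000+0200","flow_id":98765,"event_type":"dns","src_ip":"10.100.100.11","src_port":51000,"dest_ip":"10.100.100.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.net","rrtype":"A"}}
{"timestamp":"2019-09-11T23:56:05.000000+0200","flow_id":98765,"event_type":"flow","src_ip":"10.100.100.11","src_port":51000,"dest_ip":"10.100.100.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1}}
{"timestamp":"2019-09-11T23:56:02.000000+0200","flow_id":555,"event_type":"alert","src_ip":"10.100.100.11","src_port":59776,"dest_ip":"10.100.100.254","dest_port":49667,"proto":"TCP","app_proto":"dcerpc","alert":{"signature_id":9000001,"signature":"LOCAL hypothetical DCERPC test rule"}}
this line is not JSON and must be skipped
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # eve.json can contain a torn last line; ignore it
    return records


def summarize_flows(records):
    """Group records by flow_id.

    Returns {flow_id: {"app_proto": str|None, "event_types": set,
    "alerts": [signature ids]}}. app_proto is taken from any record that
    carries it, since not every event type repeats the field.
    """
    flows = {}
    for rec in records:
        fid = rec.get("flow_id")
        if fid is None:
            continue
        entry = flows.setdefault(
            fid, {"app_proto": None, "event_types": set(), "alerts": []})
        entry["event_types"].add(rec.get("event_type"))
        if rec.get("app_proto"):
            entry["app_proto"] = rec["app_proto"]
        if rec.get("event_type") == "alert":
            entry["alerts"].append(rec.get("alert", {}).get("signature_id"))
    return flows


def flows_for_proto(flows, app_proto):
    """Only the flows Suricata classified as the given application protocol."""
    return {fid: e for fid, e in flows.items() if e["app_proto"] == app_proto}


def protocol_logger_active(flows, app_proto):
    """True if some flow of this app_proto has a record whose event_type is
    the protocol name itself (e.g. a "dns" record for app_proto dns), which
    is what a dedicated eve-log type would produce."""
    return any(app_proto in e["event_types"]
               for e in flows_for_proto(flows, app_proto).values())


if __name__ == "__main__":
    flows = summarize_flows(parse_eve(SAMPLE_EVE))
    for fid, e in flows_for_proto(flows, "dcerpc").items():
        print(fid, sorted(e["event_types"]), "alerts:", e["alerts"])
    print("dcerpc logger active:", protocol_logger_active(flows, "dcerpc"))
```

On a real capture, replace SAMPLE_EVE with the contents of eve.json; a flow whose only event type is "flow" (or "flow" plus "alert") confirms that, in that Suricata build, no DCERPC-specific records were written, whatever the types list in the YAML says.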