Incomplete DCERPC logs

I use the docker image jasonish/suricata:7.0.6-profiling to test and develop some signatures. Today I noticed that some of them don't work even though they should.

I run it something like this:

docker run --rm -it \
    jasonish/suricata:7.0.6-profiling \
    -c /nsm/suricata.yaml \
    -s /nsm/dev.rules \
    -r /nsm/data.pcap \
    --runmode autofp \
    -k none \
    -vvvv

I have all protos enabled but I get only these 2 entries in the eve log:

{"timestamp":"2025-02-19T14:51:47.906432+0000","flow_id":1072026764468789,"pcap_cnt":6,"event_type":"dcerpc","src_ip":"10.3.132.180","src_port":57144,"dest_ip":"10.3.132.154","dest_port":49668,"proto":"TCP","pkt_src":"wire/pcap","dcerpc":{"request":"BIND","interfaces":[{"uuid":"f309ad18-d86a-11d0-a075-00c04fb68820","version":"0.0","ack_result":0}],"response":"BINDACK","call_id":1,"rpc_version":"5.0"},"pcap_filename":"/nsm/data.pcap"}
{"timestamp":"2025-02-19T14:51:47.904960+0000","flow_id":1072026764468789,"event_type":"flow","src_ip":"10.3.132.180","src_port":57144,"dest_ip":"10.3.132.154","dest_port":49668,"proto":"TCP","app_proto":"dcerpc","flow":{"pkts_toserver":29,"pkts_toclient":25,"bytes_toserver":5678,"bytes_toclient":28170,"start":"2025-02-19T14:51:47.904960+0000","end":"2025-02-19T14:51:48.688078+0000","age":1,"state":"closed","reason":"shutdown","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed","ts_max_regions":1,"tc_max_regions":1},"pcap_filename":"/nsm/data.pcap"}

Unfortunately I can't upload the pcap yet, but the traffic is basically:

  1. Bind to IWbemLevel1Login
  2. Call Opnum 6 - NTLMLogin
  3. Alter_context to IRemUnknown
  4. Call Opnum 5 - RemRelease
  5. Alter_context to IWbemServices
  6. Call Opnum 20 - ExecQuery

With that amount of traffic I expect to see way more events.

I got my answer in Discord: apparently, this is some problem with dcerpc parser error handling.
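
A triage check for the symptom described in this post, added here as an example and not part of the original post or of Suricata: it groups EVE records by `flow_id` and flags flows that Suricata classified as `dcerpc` and that carried many packets, yet logged no request-level transaction. The function name, the `min_pkts` threshold and the `"REQUEST"` value for the `dcerpc.request` field are assumptions; the sample records are trimmed from the two EVE lines above.

```python
import json
from collections import defaultdict

# Constructed sample: the two EVE records from the post, trimmed to the
# fields this check reads.
SAMPLE_EVE = """\
{"flow_id":1072026764468789,"event_type":"dcerpc","dcerpc":{"request":"BIND","response":"BINDACK","call_id":1}}
{"flow_id":1072026764468789,"event_type":"flow","app_proto":"dcerpc","flow":{"pkts_toserver":29,"pkts_toclient":25}}
"""


def summarize_dcerpc(eve_lines, min_pkts=10):
    """Flag dcerpc flows whose logged transactions look too sparse.

    min_pkts is an assumed triage threshold, not a Suricata setting.
    "REQUEST" is the assumed value of dcerpc.request for call PDUs.
    """
    tx_types = defaultdict(list)  # flow_id -> dcerpc.request values seen
    flow_pkts = {}                # flow_id -> packets in both directions
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated last line in a live eve.json
        fid = ev.get("flow_id")
        if ev.get("event_type") == "dcerpc":
            tx_types[fid].append(ev.get("dcerpc", {}).get("request", "?"))
        elif ev.get("event_type") == "flow" and ev.get("app_proto") == "dcerpc":
            f = ev.get("flow", {})
            flow_pkts[fid] = f.get("pkts_toserver", 0) + f.get("pkts_toclient", 0)

    report = []
    for fid, pkts in flow_pkts.items():
        seen = tx_types.get(fid, [])
        # Busy flow, but only bind-level (or no) transactions were logged.
        suspect = pkts >= min_pkts and "REQUEST" not in seen
        report.append({"flow_id": fid, "packets": pkts,
                       "dcerpc_events": seen, "suspect": suspect})
    return report


if __name__ == "__main__":
    for row in summarize_dcerpc(SAMPLE_EVE.splitlines()):
        print(row)
```

Flows flagged as suspect are candidates for the parser issue mentioned above; rules that depend on opnum or stub data from those flows cannot be expected to match.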