Feature #4213
opensmb: higher level logging
Description
Similar to https://redmine.openinfosecfoundation.org/issues/4175, and maybe some ideas can be taken from that issue on how this can also be achieved for DCERPC.
As a POC, adding the share and named_pipe fields to logs other than only the Tree Connect one:
diff --git a/rust/src/smb/log.rs b/rust/src/smb/log.rs
index 162dbe3..bc5611f 100644
--- a/rust/src/smb/log.rs
+++ b/rust/src/smb/log.rs
@@ -191,6 +191,18 @@ fn smb_common_header(jsb: &mut JsonBuilder, state: &SMBState, tx: &SMBTransactio
Some(SMBTransactionTypeData::CREATE(ref x)) => {
let mut name_raw = x.filename.to_vec();
name_raw.retain(|&i|i != 0x00);
+ let tree_key = SMBCommonHdr::new(SMBHDR_TYPE_SHARE,
+ tx.hdr.ssn_id as u64, tx.hdr.tree_id as u32, 0);
+ let (tmp_share_name, is_pipe) = match state.ssn2tree_map.get(&tree_key) {
+ Some(n) => (n.name.to_vec(), n.is_pipe),
+ _ => { (Vec::new(), false) },
+ };
+ let share_name = String::from_utf8_lossy(&tmp_share_name);
+ if is_pipe {
+ jsb.set_string("named_pipe", &share_name)?;
+ } else {
+ jsb.set_string("share", &share_name)?;
+ }
if name_raw.len() > 0 {
let name = String::from_utf8_lossy(&name_raw);
if x.directory {
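Review bot: when the tree id is not found in `state.ssn2tree_map` (the `_ => { (Vec::new(), false) }` arm), the hunk still emits `"share": ""`, so every CREATE whose TREE_CONNECT was not seen (mid-stream capture, evicted session) gets an empty share key that is indistinguishable downstream from a real share with an empty name. Only set the field when the lookup succeeds, e.g. `if let Some(n) = state.ssn2tree_map.get(&tree_key) { ... }` with the `set_string` calls inside, and drop the redundant braces around `(Vec::new(), false)`. Since the same lookup plus `from_utf8_lossy` conversion will be needed in the other transaction arms this feature wants to cover, consider factoring it into a small helper on `SMBState` rather than repeating it per arm.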
This is one way of doing this, and it helps a lot for post analysis in SIEM tools, as we now know whether the CREATE request is related to an IPC event or to which share the filename belongs.
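To show how the two fields separate IPC pipe activity from file-share activity in post analysis, here is an added Python example that is not part of this issue or of Suricata; it walks constructed EVE JSON lines whose "smb" object is assumed to carry the "share" / "named_pipe" keys the patch above emits on CREATE records.

```python
import json
from collections import Counter

# Constructed sample records (not real Suricata output). They mimic EVE "smb"
# events with the "share" / "named_pipe" field the patch adds to CREATE.
SAMPLE_EVENTS = [
    {"event_type": "smb", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
     "smb": {"command": "SMB2_COMMAND_CREATE", "share": "\\\\srv\\docs",
             "filename": "report.docx"}},
    {"event_type": "smb", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
     "smb": {"command": "SMB2_COMMAND_CREATE", "named_pipe": "\\\\srv\\IPC$",
             "filename": "srvsvc"}},
    {"event_type": "smb", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9",
     "smb": {"command": "SMB2_COMMAND_CREATE", "share": "\\\\srv\\docs",
             "filename": "budget.xlsx"}},
    # CREATE whose TREE_CONNECT was never seen: neither field is present.
    {"event_type": "smb", "src_ip": "10.0.0.8", "dest_ip": "10.0.0.9",
     "smb": {"command": "SMB2_COMMAND_CREATE", "filename": "notes.txt"}},
    # Non-CREATE record, must be ignored by the summary.
    {"event_type": "smb", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
     "smb": {"command": "SMB2_COMMAND_TREE_CONNECT", "share": "\\\\srv\\docs"}},
]
EVE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def summarize_smb_creates(lines):
    """Attribute SMB CREATE records to a file share or a named pipe.

    Returns (files_per_share, pipe_opens, unattributed): CREATE count per
    share, (src_ip, pipe name) for IPC$ pipe opens, and the number of CREATEs
    carrying neither field (the logger's tree lookup found nothing).
    """
    files_per_share = Counter()
    pipe_opens = []
    unattributed = 0
    for line in lines:
        ev = json.loads(line)
        smb = ev.get("smb", {})
        if ev.get("event_type") != "smb" or smb.get("command") != "SMB2_COMMAND_CREATE":
            continue
        if "named_pipe" in smb:
            # On IPC$ the CREATE filename is the pipe name (e.g. srvsvc).
            pipe_opens.append((ev["src_ip"], smb.get("filename", "")))
        elif "share" in smb:
            files_per_share[smb["share"]] += 1
        else:
            unattributed += 1
    return files_per_share, pipe_opens, unattributed
```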