Reproduced with `suricata -r input2.pcap -k none -c suricata.yaml -l log`, with enip activated in suricata.yaml.
Then inspect the detected protocol with `jq '.app_proto' log/eve.json`.
To produce the pcaps, I used this script:
#!/usr/bin/env python
from scapy.all import *
import binascii
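# Endpoints shared by every frame. The "client" sends from TCP source port
# 44818 (the port ENIP is normally detected on) to destination port 445 (SMB),
# so the same flow is a candidate for both protocol detectors -- that overlap
# is what the two pcaps below exercise.
CLIENT_MAC = '00:01:02:03:04:05'
SERVER_MAC = '00:01:02:03:04:07'
CLIENT_IP = '5.6.7.8'
SERVER_IP = '1.2.3.4'
CLIENT_PORT = 44818
SERVER_PORT = 445

# Hex-encoded application payloads.
# PAYLOAD_BASE is the prefix carried by both pcaps; on its own it is what
# input2.pcap (the case reproduced above) contains.
# PAYLOAD_SMB starts with ff 53 4d 42 ("\xffSMB", the SMB1 header signature)
# and is appended after PAYLOAD_BASE only in input.pcap.
PAYLOAD_BASE = "04002020202020206A0000002020202020202020202020202020"
PAYLOAD_SMB = "FF534D42202020202020"


def hex_to_bytes(hex_string):
    """Decode a hex string (as written in the PAYLOAD_* constants) to raw bytes.

    Raises binascii.Error on an odd-length or non-hex string.
    """
    return binascii.unhexlify(hex_string)


def client_to_server(flags, seq, ack=0):
    """Build an Ether/IP/TCP frame from the client to the server.

    ``flags`` is scapy's TCP flag string (e.g. 'S', 'A', 'PA'); ``seq`` and
    ``ack`` are absolute numbers, ``ack`` defaulting to scapy's own 0.
    """
    return (Ether(src=CLIENT_MAC, dst=SERVER_MAC)
            / IP(src=CLIENT_IP, dst=SERVER_IP)
            / TCP(sport=CLIENT_PORT, dport=SERVER_PORT,
                  flags=flags, seq=seq, ack=ack))


def server_to_client(flags, seq, ack=0):
    """Build an Ether/IP/TCP frame from the server back to the client."""
    return (Ether(src=SERVER_MAC, dst=CLIENT_MAC)
            / IP(src=SERVER_IP, dst=CLIENT_IP)
            / TCP(sport=SERVER_PORT, dport=CLIENT_PORT,
                  flags=flags, seq=seq, ack=ack))


def three_way_handshake():
    """Return the SYN / SYN-ACK / ACK frames opening the flow (ISNs 1000 / 2000).

    Flags are written as single literals ('SA', not 'S''A'): implicit string
    concatenation reads like a missing comma and is easy to break.
    """
    return [
        client_to_server('S', seq=1000),
        server_to_client('SA', seq=2000, ack=1001),
        client_to_server('A', seq=1001, ack=2001),
    ]


def data_frame(payload_hex):
    """Return the client's first PSH/ACK segment carrying ``payload_hex``."""
    return client_to_server('PA', seq=1001, ack=2001) / hex_to_bytes(payload_hex)


def write_pcaps():
    """Write input.pcap (base + SMB payload) and input2.pcap (base payload only).

    Both captures share the same handshake frames followed by exactly one
    data segment; only the payload of that segment differs.
    """
    handshake = three_way_handshake()
    wrpcap('input.pcap', handshake + [data_frame(PAYLOAD_BASE + PAYLOAD_SMB)])
    wrpcap('input2.pcap', handshake + [data_frame(PAYLOAD_BASE)])


if __name__ == '__main__':
    write_pcaps()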