Feature #5067
opensmb/dcerpc: Match dcerpc (over smb) requests before bind_ack
Description
Windows computers make heavy use of the DCERPC protocol. I have been working with a Windows Server 2019 and observed that, probably for optimization purposes, when using DCERPC over SMB it sends a bind message and then submits a request without waiting for the bind_ack, which is returned later. This behaviour can be seen in the following capture:
A bind is submitted, then an OpenAlias request, and finally the client requests the bind_ack (in SMB the bind_ack needs to be requested by the client).
To match requests in these cases, I propose creating a flag for dcerpc.iface that allows users to choose whether they want to match DCERPC requests (over SMB) after the bind is issued and before the bind_ack is received.
I left a pcap with SMB traffic that shows this behaviour. In this case the traffic was created by running the tool BloodHound against a Windows Server 2019 (joined to a domain). The same tool run against Windows 10 creates different traffic where the bind_ack is always received before any DCERPC request.
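The two orderings described above, modelled as an added example (not Suricata's code): a minimal per-flow DCERPC state tracker that decides which request PDUs a dcerpc.iface-style match would see, with and without the proposed flag. The interface name, opnum and PDU layout are constructed placeholders, not values from the pcap.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Pdu:
    """Constructed DCERPC PDU model (only the fields the matcher needs)."""
    kind: str                     # "bind", "bind_ack" or "request"
    iface: Optional[str] = None   # interface carried by a bind / bind_ack
    opnum: Optional[int] = None   # operation number carried by a request

def match_iface_requests(pdus: List[Pdu], wanted_iface: str,
                         match_before_bind_ack: bool = False) -> List[int]:
    """Return indices of request PDUs that match `wanted_iface`.

    Without the flag, a request only matches once the interface has been
    confirmed by a bind_ack.  With the flag, a request that follows a bind
    but precedes its bind_ack is matched against the pending bind.
    """
    pending: Optional[str] = None   # iface from a bind not yet acked
    acked: Optional[str] = None     # iface confirmed by bind_ack
    hits: List[int] = []
    for i, p in enumerate(pdus):
        if p.kind == "bind":
            pending, acked = p.iface, None
        elif p.kind == "bind_ack":
            acked, pending = pending, None
        elif p.kind == "request":
            iface = acked
            if iface is None and match_before_bind_ack:
                iface = pending
            if iface is not None and iface == wanted_iface:
                hits.append(i)
    return hits

# Constructed sequences mirroring the two captures: server 2019 issues the
# request before reading the bind_ack; Windows 10 reads the bind_ack first.
IFACE = "IFACE-PLACEHOLDER"           # placeholder, not a real interface UUID
WIN2019 = [Pdu("bind", IFACE), Pdu("request", opnum=1), Pdu("bind_ack", IFACE)]
WIN10 = [Pdu("bind", IFACE), Pdu("bind_ack", IFACE), Pdu("request", opnum=1)]

if __name__ == "__main__":
    print("2019, flag off:", match_iface_requests(WIN2019, IFACE))
    print("2019, flag on: ", match_iface_requests(WIN2019, IFACE, True))
    print("win10:         ", match_iface_requests(WIN10, IFACE))
```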