Suricata

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/033d32cc-88f9-4483-9bf2-b273055038ce

"Payload (variable): A byte array that contains the data referred to by the LmChallengeResponseBufferOffset, NtChallengeResponseBufferOffset, DomainNameBufferOffset, UserNameBufferOffset, WorkstationBufferOffset, and EncryptedRandomSessionKeyBufferOffset message fields. Payload data can be present in any order within the Payload field, with variable-length padding before or after the data. The data that can be present in the Payload field of this message, in no particular order, are:"

Currently we assume a strict ordering.