Suricata

alert dcerpc any any -> any any (flow:to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_stub_data; pcre:/one/R; sid:7;)

{
  "raw": "alert dcerpc any any -> any any (flow:to_server; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_stub_data; pcre:/one/R; sid:7;)",
  "id": 7,
  "gid": 1,
  "rev": 0,
  "app_proto": "dcerpc",
  "requirements": [
    "flow",
    "dcerpc" 
  ],
  "flags": [
    "src_any",
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toserver" 
  ],
  "pkt_engines": [],
  "frame_engines": [],
  "engines": [
    {
      "name": "dce_generic",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "dcerpc",
      "progress": 0,
      "matches": [
        {
          "name": "dcerpc.iface" 
        }
      ]
    },
    {
      "name": "dce_generic",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "smb",
      "progress": 0,
      "matches": [
        {
          "name": "dcerpc.iface" 
        }
      ]
    },
    {
      "name": "dce_stub_data",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "smb",
      "progress": 0,
      "matches": [
        {
          "name": "pcre",
          "pcre": {
            "relative": true,
            "relative_next": false,
            "nocase": false,
            "negated": false
          }
        }
      ]
    },
    {
      "name": "dce_stub_data",
      "direction": "toserver",
      "is_mpm": false,
      "app_proto": "dcerpc",
      "progress": 0,
      "matches": [
        {
          "name": "pcre",
          "pcre": {
            "relative": true,
            "relative_next": false,
            "nocase": false,
            "negated": false
          }
        }
      ]
    }
  ],
  "lists": {}
}