From 042aa1383ba1681a38ac12516eb4a30cda7a1e7f Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 3 May 2023 10:58:37 +0200 Subject: [PATCH] NEWS: Add entry about SMB::max_pending_messages and state discarding --- NEWS | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/NEWS b/NEWS index 806a43eac4..aa4f4a14d2 100644 --- a/NEWS +++ b/NEWS @@ -306,6 +306,16 @@ Changed Functionality - Libpcap based packet source now avoids the 32bit wraparound of link and dropped packet counters as reported by users. +- When per-connection SMB parser state (read offsets, tree ids, ...) exceeds + ``SMB::max_pending_messages`` (default 1000), Zeek discards such per-connection + state and raises a new ``smb2_discarded_messages_state()`` event. This event is + used to reset script-layer SMB state. This change provides protection against + unbounded state growth due to partial or one-sided SMB connections. + + Setting ``SMB::max_pending_messages`` to 0 can be used to switch back to the + previous behavior of not discarding state. Setting ``SMB::enable_state_clear`` + to ``F`` skips the script-layer state clearing logic. + Removed Functionality ---------------------