From 097b7a2e962f4b7c0e07d649e2d04e02429ffe72 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Fri, 30 Jun 2023 14:28:29 +0200
Subject: [PATCH] dce-rpc: Handle smb2_close_request() in scripts

If there's a request to close a fid and it's in the dce_rpc_backing table, remove it from there.
---
 scripts/base/protocols/dce-rpc/main.zeek | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/scripts/base/protocols/dce-rpc/main.zeek b/scripts/base/protocols/dce-rpc/main.zeek
index a98314f8fb..6c385acc22 100644
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@@ -225,6 +225,14 @@ event smb_discarded_dce_rpc_analyzers(c: connection)
 	Reporter::conn_weird("SMB_discarded_dce_rpc_analyzers", c, "", "SMB");
 	}
 
+# If a fid representing a pipe was closed, remove it from dce_rpc_backing.
+event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) &priority=-5
+	{
+	local fid = file_id$persistent + file_id$volatile;
+	if ( c?$dce_rpc_backing )
+		delete c$dce_rpc_backing[fid];
+	}
+
 hook finalize_dce_rpc(c: connection)
 	{
 	if ( ! c?$dce_rpc )
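Review bot: The new smb2_close_request handler drops the dce_rpc_backing entry as soon as the close is requested, before the server has answered, so a close the server refuses still leaves later DCE-RPC traffic on that fid without its backing entry; whether that matters depends on how dce_rpc_backing is consumed, which is outside this hunk. If this is deliberate (the SMB2 close response carries no file_id, so the request is the only place the fid is available), the comment above the handler should say so, e.g. `# Done on the request since the SMB2 close response carries no file_id; a close the server rejects still drops the entry.` The `file_id$persistent + file_id$volatile` key presumably mirrors how entries are inserted into dce_rpc_backing elsewhere in the file; if so, a shared function for building the key would keep the two from drifting apart.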