Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

dce-rpc: Handle smb2_close_request() in scripts

Browse source 
If there's a request to close a fid and it's in the dce_rpc_backing
table, remove it from there.
This commit is contained in:
Arne Welzel 2023-06-30 14:28:29 +02:00
parent 6517ed94f2
commit 097b7a2e96
1 changed files with 8 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
scripts/base/protocols/dce-rpc/main.zeek
View file

@ -225,6 +225,14 @@ event smb_discarded_dce_rpc_analyzers(c: connection)
Reporter::conn_weird("SMB_discarded_dce_rpc_analyzers", c, "", "SMB");
}
# If a fid representing a pipe was closed, remove it from dce_rpc_backing.
event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) &priority=-5
{
local fid = file_id$persistent + file_id$volatile;
if ( c?$dce_rpc_backing )
delete c$dce_rpc_backing[fid];
}
hook finalize_dce_rpc(c: connection)
{
if ( ! c?$dce_rpc )