Merge remote-tracking branch 'origin/topic/awelzel/smb2-state-handling'

* origin/topic/awelzel/smb2-state-handling: NEWS: Add entry about SMB::max_pending_messages and state discarding scripts/smb2-main: Reset script-level state upon smb2_discarded_messages_state() smb2: Limit per-connection read/ioctl/tree state
2025-10-12 03:28:19 +00:00 · 2023-05-04 09:30:18 +02:00 · 2023-05-04 09:30:18 +02:00 · 12252743b1
commit 12252743b1
parent 8e49c87912 042aa1383b
17 changed files with 183 additions and 2 deletions
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@ -210,6 +210,7 @@ export {
 		["spontaneous_FIN"]                     = ACTION_IGNORE,
 		["spontaneous_RST"]                     = ACTION_IGNORE,
 		["SMB_parsing_error"]                   = ACTION_LOG,
+		["SMB_discarded_messages_state"]        = ACTION_LOG,
 		["no_smb_session_using_parsesambamsg"]  = ACTION_LOG,
 		["smb_andx_command_failed_to_parse"]    = ACTION_LOG,
 		["smb_tree_connect_andx_response_without_tree"] = ACTION_LOG_PER_CONN,
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -2988,6 +2988,16 @@ export {
 	##
 	## .. zeek:see:: smb_pipe_connect_heuristic
 	const SMB::pipe_filenames: set[string] &redef;
+
+	## The maximum number of messages for which to retain state
+	## about offsets, fids, or tree ids within the parser. When
+	## the limit is reached, internal parser state is discarded
+	## and :zeek:see:`smb2_discarded_messages_state` raised.
+	##
+	## Setting this to zero will disable the functionality.
+	##
+	## .. zeek:see:: smb2_discarded_messages_state
+	const SMB::max_pending_messages = 1000 &redef;
 }

 module SMB1;
--- a/scripts/base/protocols/smb/main.zeek
+++ b/scripts/base/protocols/smb/main.zeek
@ -44,6 +44,13 @@ export {
 		PRINT_CLOSE,
 	};

+	## Whether to reset a connection's SMB script state whenever a
+	## :zeek:see:`smb2_discarded_messages_state` event is raised.
+	##
+	## This setting protects from unbounded script state growth in
+	## environments with high capture loss or traffic anomalies.
+	option enable_clear_script_state = T;
+
 	## This record is for the smb_files.log
 	type FileInfo: record {
 		## Time when the file was first discovered.
--- a/scripts/base/protocols/smb/smb2-main.zeek
+++ b/scripts/base/protocols/smb/smb2-main.zeek
@ -1,3 +1,5 @@
+@load base/frameworks/notice/weird
+
@load ./main

 module SMB2;
@ -344,3 +346,25 @@ event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
 		#Reporter::warning("attempting to close an unknown file!");
 		}
 	}
+
+event smb2_discarded_messages_state(c: connection, state: string)
+	{
+	if ( ! c?$smb_state )
+		return;
+
+	local addl = fmt("state=%s fid_map=%s tid_map=%s pending_cmds=%s pipe_map=%s",
+	                 state, |c$smb_state$fid_map|, |c$smb_state$tid_map|,
+	                 |c$smb_state$pending_cmds|, |c$smb_state$pipe_map|);
+	Reporter::conn_weird("SMB_discarded_messages_state", c, addl, "SMB2");
+
+	if ( ! SMB::enable_clear_script_state )
+		return;
+
+	# Wipe out script-level state for this connection.
+	c$smb_state$fid_map = table();
+	c$smb_state$pending_cmds = table();
+	# Not expected to grow overly large and the original
+	# zeek-smb-clear-state package didn't reset these either.
+	# c$smb_state$tid_map = table();
+	# c$smb_state$pipe_map = table();
+	}