dce-rpc: Test cases for unbounded state growth

Pcaps produced as shown in #3145 using a samba container and rpcclient.

testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/out

@@ -0,0 +1,66 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5

testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/weird.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.1	38016	172.17.0.2	445	SMB_discarded_dce_rpc_analyzers	-	F	zeek	SMB
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-size/out

@@ -0,0 +1,103 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1

testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek

@@ -0,0 +1,19 @@
+# @TEST-DOC: Pcap does not contain close requests for the involved fids (filtered out with wireshark)
+# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/smb
+@load base/protocols/dce-rpc
+
+redef SMB::max_dce_rpc_analyzers = 5;
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
+	{
+	print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
+	}
+
+event smb_discarded_dce_rpc_analyzers(c: connection)
+	{
+	print "smb_discarded_dce_rpc_analyzers", c$uid;
+	}

testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek

@@ -0,0 +1,19 @@
+# @TEST-DOC: Ensure dce_rpc_backing state stays bounded when pipes are closed properly.
+# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/smb
+@load base/protocols/dce-rpc
+
+redef SMB::max_dce_rpc_analyzers = 5;
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
+	{
+	print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
+	}
+
+event smb_discarded_dce_rpc_analyzers(c: connection)
+	{
+	print "UNEXPECTED", "smb_discarded_dce_rpc_analyzers", c$uid;
+	}