scripts/smb2-main: Reset script-level state upon smb2_discarded_messages_state()

This is similar to what the external corelight/zeek-smb-clear-state script does, but leverages the smb2_discarded_messages_state() event instead of regularly checking on the state of SMB connections. The pcap was created using the dperson/samba container image and mounting a share with Linux's CIFS filesystem, then copying the content of a directory with 100 files. The test uses a BPF filter to imitate mostly "half-duplex" traffic.
2025-10-02 06:38:20 +00:00 · 2023-04-25 17:19:14 +02:00 · 2023-04-25 17:19:14 +02:00 · 3ac877e20d
commit 3ac877e20d
parent 5caab1a667
8 changed files with 89 additions and 0 deletions
--- a/scripts/base/protocols/smb/main.zeek
+++ b/scripts/base/protocols/smb/main.zeek
@ -44,6 +44,13 @@ export {
 		PRINT_CLOSE,
 	};

+	## Whether to reset a connection's SMB script state whenever a
+	## :zeek:see:`smb2_discarded_messages_state` event is raised.
+	##
+	## This setting protects from unbounded script state growth in
+	## environments with high capture loss or traffic anomalies.
+	option enable_clear_script_state = T;
+
 	## This record is for the smb_files.log
 	type FileInfo: record {
 		## Time when the file was first discovered.
--- a/scripts/base/protocols/smb/smb2-main.zeek
+++ b/scripts/base/protocols/smb/smb2-main.zeek
@ -1,3 +1,5 @@
+@load base/frameworks/notice/weird
+
@load ./main

 module SMB2;
@ -344,3 +346,25 @@ event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
 		#Reporter::warning("attempting to close an unknown file!");
 		}
 	}
+
+event smb2_discarded_messages_state(c: connection, state: string)
+	{
+	if ( ! c?$smb_state )
+		return;
+
+	local addl = fmt("state=%s fid_map=%s tid_map=%s pending_cmds=%s pipe_map=%s",
+	                 state, |c$smb_state$fid_map|, |c$smb_state$tid_map|,
+	                 |c$smb_state$pending_cmds|, |c$smb_state$pipe_map|);
+	Reporter::conn_weird("SMB_discarded_messages_state", c, addl, "SMB2");
+
+	if ( ! SMB::enable_clear_script_state )
+		return;
+
+	# Wipe out script-level state for this connection.
+	c$smb_state$fid_map = table();
+	c$smb_state$pending_cmds = table();
+	# Not expected to grow overly large and the original
+	# zeek-smb-clear-state package didn't reset these either.
+	# c$smb_state$tid_map = table();
+	# c$smb_state$pipe_map = table();
+	}