diff --git a/scripts/base/frameworks/notice/weird.zeek b/scripts/base/frameworks/notice/weird.zeek
index 919f683123..0511fc1e22 100644
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@@ -211,6 +211,7 @@ export {
 ["spontaneous_RST"] = ACTION_IGNORE,
 ["SMB_parsing_error"] = ACTION_LOG,
 ["SMB_discarded_messages_state"] = ACTION_LOG,
+ ["SMB_discarded_dce_rpc_analyzers"] = ACTION_LOG,
 ["no_smb_session_using_parsesambamsg"] = ACTION_LOG,
 ["smb_andx_command_failed_to_parse"] = ACTION_LOG,
 ["smb_tree_connect_andx_response_without_tree"] = ACTION_LOG_PER_CONN,
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index fb15bea8dd..cbc6c74da4 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3006,6 +3006,12 @@ export {
 ##
 ## .. zeek:see:: smb2_discarded_messages_state
 const SMB::max_pending_messages = 1000 &redef;
+
+ ## Maximum number of DCE-RPC analyzers per connection
+ ## before discarding them to avoid unbounded state growth.
+ ##
+ ## .. zeek:see:: smb_discarded_dce_rpc_analyzers
+ const max_dce_rpc_analyzers = 1000 &redef;
 }
 
 module SMB1;
diff --git a/scripts/base/protocols/dce-rpc/main.zeek b/scripts/base/protocols/dce-rpc/main.zeek
index b5b9f77e72..6c385acc22 100644
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@@ -88,8 +88,6 @@ function set_state(c: connection, state_x: BackingState)
 c$dce_rpc$endpoint = uuid_endpoint_map[c$dce_rpc_state$uuid];
 if ( c$dce_rpc_state?$named_pipe )
 c$dce_rpc$named_pipe = c$dce_rpc_state$named_pipe;
-
- Conn::register_removal_hook(c, finalize_dce_rpc);
 }
 
 function set_session(c: connection, fid: count)
@@ -97,7 +95,9 @@ function set_session(c: connection, fid: count)
 if ( ! c?$dce_rpc_backing )
 {
 c$dce_rpc_backing = table();
+ Conn::register_removal_hook(c, finalize_dce_rpc);
 }
+
 if ( fid !in c$dce_rpc_backing )
 {
 local info = Info($ts=network_time(),$id=c$id,$uid=c$uid);
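Review bot: The doc comment on the new `max_dce_rpc_analyzers` constant in init-bare.zeek says neither what happens when the limit is reached nor how to disable it, while the enforcing code in smb-pipe.pac only applies the cap when the value is `> 0`, so `0` switches it off. I would extend it to `## Maximum number of DCE-RPC analyzers per connection before all of them are discarded (raising smb_discarded_dce_rpc_analyzers) to avoid unbounded state growth. A value of 0 disables the limit.` The neighbouring declaration spells its name as `SMB::max_pending_messages`; writing `const SMB::max_dce_rpc_analyzers = 1000 &redef;` would keep the export block consistent with that and with consts.bif.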
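Review bot: Moving `Conn::register_removal_hook(c, finalize_dce_rpc)` into the branch of set_session that creates `c$dce_rpc_backing` means the hook is now registered only for connections that pass through set_session, whereas the removed call in set_state covered every caller of set_state. If every event handler calls set_session before set_state (the callers are outside these hunks), this is purely a fix for re-registering the hook on each state change; otherwise the finalize hook, and whatever it flushes at connection removal, is silently skipped for those connections. A short comment above the new call, `# Register once, when the per-connection backing table is created.`, would record the intent. Both set_state and set_session extend beyond the hunks shown.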
@@ -216,6 +216,23 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
 }
 }
 
+event smb_discarded_dce_rpc_analyzers(c: connection)
+ {
+ # This event is raised when the DCE-RPC analyzers table
+ # grew too large. Assume things are broken and wipe
+ # the backing table.
+ delete c$dce_rpc_backing;
+ Reporter::conn_weird("SMB_discarded_dce_rpc_analyzers", c, "", "SMB");
+ }
+
+# If a fid representing a pipe was closed, remove it from dce_rpc_backing.
+event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) &priority=-5
+ {
+ local fid = file_id$persistent + file_id$volatile;
+ if ( c?$dce_rpc_backing )
+ delete c$dce_rpc_backing[fid];
+ }
+
 hook finalize_dce_rpc(c: connection)
 {
 if ( ! c?$dce_rpc )
diff --git a/src/analyzer/protocol/smb/consts.bif b/src/analyzer/protocol/smb/consts.bif
index 6acd464f6a..6da0f83f3c 100644
--- a/src/analyzer/protocol/smb/consts.bif
+++ b/src/analyzer/protocol/smb/consts.bif
@@ -1,2 +1,3 @@
 const SMB::pipe_filenames: string_set;
 const SMB::max_pending_messages: count;
+const SMB::max_dce_rpc_analyzers: count;
diff --git a/src/analyzer/protocol/smb/events.bif b/src/analyzer/protocol/smb/events.bif
index 77746c2a09..fce37d9440 100644
--- a/src/analyzer/protocol/smb/events.bif
+++ b/src/analyzer/protocol/smb/events.bif
@@ -8,3 +8,13 @@
 ##
 ## c: The connection.
 event smb_pipe_connect_heuristic%(c: connection%);
+
+## Generated for :abbr:`SMB (Server Message Block)` when the number of
+## :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
+## Occurrence of this event may indicate traffic loss, traffic load-balancing
+## issues or abnormal SMB protocol usage.
+##
+## c: The connection.
+##
+event smb_discarded_dce_rpc_analyzers%(c: connection%);
diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac
index c1500cdbb8..b7d7bb8aeb 100644
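Review bot: The new `smb2_close_request` handler prunes `c$dce_rpc_backing` only for SMB2 closes, so on SMB1 sessions the script-side table is still bounded only by the cap and the wholesale wipe in `smb_discarded_dce_rpc_analyzers`; the C++ side has the same asymmetry, since only smb2-com-close.pac calls forward_dce_rpc_close. If SMB1 named pipes are expected in monitored traffic, a matching `smb1_close_request` handler would keep the two paths symmetric; otherwise a comment stating that SMB1 is deliberately left to the cap would help the next reader. The comment in the discard handler could also name what actually overflowed, e.g. `# Raised when the SMB analyzer hit SMB::max_dce_rpc_analyzers and dropped all per-fid DCE-RPC analyzers; drop the script-side state to match.` The `hook finalize_dce_rpc` body continues beyond the hunk.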
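Review bot: The documentation of `smb_discarded_dce_rpc_analyzers` in events.bif says when the event fires but not what the analyzer does at that point, which is what an analyst triaging the `SMB_discarded_dce_rpc_analyzers` weird needs: per smb-pipe.pac, every existing per-fid DCE-RPC analyzer on the connection is destroyed and the table cleared, so DCE-RPC parsing for pipes still in use stops until they are re-bound. I would add a sentence such as `## When this event is raised all existing DCE-RPC analyzers for the connection are discarded, so requests on already-open pipes are no longer parsed.` and mention that setting :zeek:see:`SMB::max_dce_rpc_analyzers` to 0 disables the limit, since the enforcing code only checks the cap when it is greater than zero.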
--- a/src/analyzer/protocol/smb/smb-pipe.pac
+++ b/src/analyzer/protocol/smb/smb-pipe.pac
@@ -10,7 +10,7 @@ refine connection SMB_Conn += {
 
 %cleanup{
 // Iterate all of the analyzers and destroy them.
- for ( auto kv : fid_to_analyzer_map )
+ for ( const auto& kv : fid_to_analyzer_map )
 {
 if ( kv.second )
 {
@@ -49,6 +49,22 @@ refine connection SMB_Conn += {
 
 if ( it == fid_to_analyzer_map.end() )
 {
+ // Too many analyzers?
+ if ( zeek::BifConst::SMB::max_dce_rpc_analyzers > 0 &&
+ fid_to_analyzer_map.size() >= zeek::BifConst::SMB::max_dce_rpc_analyzers )
+ {
+ if ( smb_discarded_dce_rpc_analyzers )
+ zeek::BifEvent::enqueue_smb_discarded_dce_rpc_analyzers(zeek_analyzer(), zeek_analyzer()->Conn());
+
+ for ( const auto& kv : fid_to_analyzer_map )
+ {
+ kv.second->Done();
+ delete kv.second;
+ }
+
+ fid_to_analyzer_map.clear();
+ }
+
 auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", zeek_analyzer()->Conn());
 pipe_dcerpc = static_cast(tmp_analyzer);
 
@@ -68,4 +84,19 @@ refine connection SMB_Conn += {
 
 return true;
 %}
+
+ function forward_dce_rpc_close(fid: uint64): bool
+ %{
+ auto it = fid_to_analyzer_map.find(fid);
+
+ if ( it != fid_to_analyzer_map.end() )
+ {
+ it->second->Done();
+ delete it->second;
+ fid_to_analyzer_map.erase(it);
+ return true;
+ }
+
+ return false;
+ %}
 };
diff --git a/src/analyzer/protocol/smb/smb2-com-close.pac b/src/analyzer/protocol/smb/smb2-com-close.pac
index 1efc7ec4e7..e7e6f5a6f5 100644
--- a/src/analyzer/protocol/smb/smb2-com-close.pac
+++ b/src/analyzer/protocol/smb/smb2-com-close.pac
@@ -46,7 +46,9 @@ type SMB2_close_request(header: SMB2_Header) = record {
 reserved : uint32;
 file_id : SMB2_guid;
 } &let {
+ fid: uint64 = file_id.persistent + file_id._volatile;
 proc: bool = $context.connection.proc_smb2_close_request(header, this);
+ maybe_pipe_close: bool = $context.connection.forward_dce_rpc_close(fid);
 };
 
 type SMB2_close_response(header: SMB2_Header) = record {
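Review bot: The discard loop in the second smb-pipe.pac hunk calls `kv.second->Done()` and `delete kv.second` without the `if ( kv.second )` guard that the `%cleanup` loop in the first hunk keeps, and `forward_dce_rpc_close` in the third hunk dereferences `it->second` the same way; if a null pointer can ever end up in `fid_to_analyzer_map` (the cleanup guard suggests the authors allowed for it; the insertion site is outside the hunk), either path crashes the worker on malformed or unexpected traffic. I would mirror the existing guard, `if ( kv.second ) { kv.second->Done(); delete kv.second; }` in the discard loop and `if ( it->second ) { it->second->Done(); delete it->second; }` before the `erase(it)`, or else drop the guard from `%cleanup` and state the non-null invariant in a comment. Note also that after `fid_to_analyzer_map.clear()` the member `pipe_dcerpc` presumably still points at one of the analyzers just destroyed until it is re-assigned two lines below; that is harmless today, but a comment such as `// pipe_dcerpc is re-pointed below; do not use it in between.` would keep a future early return from leaving it dangling. The enclosing forward function starts before the second hunk.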
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/out b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/out
new file mode 100644
index 0000000000..63c9346e2c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/out
@@ -0,0 +1,66 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/weird.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/weird.log
new file mode 100644
index 0000000000..b544657b9e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
+#types time string addr port addr port string string bool string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.1 38016 172.17.0.2 445 SMB_discarded_dce_rpc_analyzers - F zeek SMB
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-size/out b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-size/out
new file mode 100644
index 0000000000..46f303a0a3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-size/out
@@ -0,0 +1,103 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
diff --git a/testing/btest/Traces/dce-rpc/20-fids-no-close.pcap b/testing/btest/Traces/dce-rpc/20-fids-no-close.pcap
new file mode 100644
index 0000000000..108d246fdd
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/20-fids-no-close.pcap differ
diff --git a/testing/btest/Traces/dce-rpc/20-fids.pcap b/testing/btest/Traces/dce-rpc/20-fids.pcap
new file mode 100644
index 0000000000..25abdd354d
Binary files /dev/null and b/testing/btest/Traces/dce-rpc/20-fids.pcap differ
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek
new file mode 100644
index 0000000000..05b7fb39f9
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek
@@ -0,0 +1,19 @@
+# @TEST-DOC: Pcap does not contain close requests for the involved fids (filtered out with wireshark)
+# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/smb
+@load base/protocols/dce-rpc
+
+redef SMB::max_dce_rpc_analyzers = 5;
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
+ {
+ print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
+ }
+
+event smb_discarded_dce_rpc_analyzers(c: connection)
+ {
+ print "smb_discarded_dce_rpc_analyzers", c$uid;
+ }
diff --git a/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek
new file mode 100644
index 0000000000..8b5dbb6432
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek
@@ -0,0 +1,19 @@
+# @TEST-DOC: Ensure dce_rpc_backing state stays bounded when pipes are closed properly.
+# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/smb
+@load base/protocols/dce-rpc
+
+redef SMB::max_dce_rpc_analyzers = 5;
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
+ {
+ print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
+ }
+
+event smb_discarded_dce_rpc_analyzers(c: connection)
+ {
+ print "UNEXPECTED", "smb_discarded_dce_rpc_analyzers", c$uid;
+ }