Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 03:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/awelzel/3145-dcerpc-state-clean'

Browse source 
* origin/topic/awelzel/3145-dcerpc-state-clean:
  dce-rpc: Test cases for unbounded state growth
  dce-rpc: Handle smb2_close_request() in scripts
  smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them
  dce-rpc: Do not repeatedly register removal hooks

(cherry picked from commit f9904511ab)
This commit is contained in:
Tim Wojtulewicz 2023-07-11 16:16:56 -07:00
parent c19069acdb
commit 5811e58139
14 changed files with 289 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

21
scripts/base/protocols/dce-rpc/main.zeek
View file

@ -88,8 +88,6 @@ function set_state(c: connection, state_x: BackingState)
c$dce_rpc$endpoint = uuid_endpoint_map[c$dce_rpc_state$uuid];
if ( c$dce_rpc_state?$named_pipe )
c$dce_rpc$named_pipe = c$dce_rpc_state$named_pipe;
Conn::register_removal_hook(c, finalize_dce_rpc);
}
function set_session(c: connection, fid: count)
@ -97,7 +95,9 @@ function set_session(c: connection, fid: count)
if ( ! c?$dce_rpc_backing )
{
c$dce_rpc_backing = table();
Conn::register_removal_hook(c, finalize_dce_rpc);
}
if ( fid !in c$dce_rpc_backing )
{
local info = Info($ts=network_time(),$id=c$id,$uid=c$uid);
@ -216,6 +216,23 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
}
}
event smb_discarded_dce_rpc_analyzers(c: connection)
{
# This event is raised when the DCE-RPC analyzers table
# grew too large. Assume things are broken and wipe
# the backing table.
delete c$dce_rpc_backing;
Reporter::conn_weird("SMB_discarded_dce_rpc_analyzers", c, "", "SMB");
}
# If a fid representing a pipe was closed, remove it from dce_rpc_backing.
event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) &priority=-5
{
local fid = file_id$persistent + file_id$volatile;
if ( c?$dce_rpc_backing )
delete c$dce_rpc_backing[fid];
}
hook finalize_dce_rpc(c: connection)
{
if ( ! c?$dce_rpc )