Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/topic/awelzel/3145-dcerpc-state-clean'

Browse source 
* origin/topic/awelzel/3145-dcerpc-state-clean:
  dce-rpc: Test cases for unbounded state growth
  dce-rpc: Handle smb2_close_request() in scripts
  smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them
  dce-rpc: Do not repeatedly register removal hooks

(cherry picked from commit f9904511ab)
This commit is contained in:
Tim Wojtulewicz 2023-07-11 16:16:56 -07:00
parent c19069acdb
commit 5811e58139
14 changed files with 289 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/frameworks/notice/weird.zeek
View file

@ -211,6 +211,7 @@ export {
["spontaneous_RST"] = ACTION_IGNORE, ["spontaneous_RST"] = ACTION_IGNORE,
["SMB_parsing_error"] = ACTION_LOG, ["SMB_parsing_error"] = ACTION_LOG,
["SMB_discarded_messages_state"] = ACTION_LOG, ["SMB_discarded_messages_state"] = ACTION_LOG,
["SMB_discarded_dce_rpc_analyzers"] = ACTION_LOG,
["no_smb_session_using_parsesambamsg"] = ACTION_LOG, ["no_smb_session_using_parsesambamsg"] = ACTION_LOG,
["smb_andx_command_failed_to_parse"] = ACTION_LOG, ["smb_andx_command_failed_to_parse"] = ACTION_LOG,
["smb_tree_connect_andx_response_without_tree"] = ACTION_LOG_PER_CONN, ["smb_tree_connect_andx_response_without_tree"] = ACTION_LOG_PER_CONN,

6
scripts/base/init-bare.zeek
View file

@ -3006,6 +3006,12 @@ export {
## ##
## .. zeek:see:: smb2_discarded_messages_state ## .. zeek:see:: smb2_discarded_messages_state
const SMB::max_pending_messages = 1000 &redef; const SMB::max_pending_messages = 1000 &redef;
## Maximum number of DCE-RPC analyzers per connection
## before discarding them to avoid unbounded state growth.
##
## .. zeek:see:: smb_discarded_dce_rpc_analyzers
const max_dce_rpc_analyzers = 1000 &redef;
} }
module SMB1; module SMB1;

21
scripts/base/protocols/dce-rpc/main.zeek
View file

@ -88,8 +88,6 @@ function set_state(c: connection, state_x: BackingState)
c$dce_rpc$endpoint = uuid_endpoint_map[c$dce_rpc_state$uuid]; c$dce_rpc$endpoint = uuid_endpoint_map[c$dce_rpc_state$uuid];
if ( c$dce_rpc_state?$named_pipe ) if ( c$dce_rpc_state?$named_pipe )
c$dce_rpc$named_pipe = c$dce_rpc_state$named_pipe; c$dce_rpc$named_pipe = c$dce_rpc_state$named_pipe;
Conn::register_removal_hook(c, finalize_dce_rpc);
} }
function set_session(c: connection, fid: count) function set_session(c: connection, fid: count)
@ -97,7 +95,9 @@ function set_session(c: connection, fid: count)
if ( ! c?$dce_rpc_backing ) if ( ! c?$dce_rpc_backing )
{ {
c$dce_rpc_backing = table(); c$dce_rpc_backing = table();
Conn::register_removal_hook(c, finalize_dce_rpc);
} }
if ( fid !in c$dce_rpc_backing ) if ( fid !in c$dce_rpc_backing )
{ {
local info = Info($ts=network_time(),$id=c$id,$uid=c$uid); local info = Info($ts=network_time(),$id=c$id,$uid=c$uid);
@ -216,6 +216,23 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
} }
} }
event smb_discarded_dce_rpc_analyzers(c: connection)
{
# This event is raised when the DCE-RPC analyzers table
# grew too large. Assume things are broken and wipe
# the backing table.
delete c$dce_rpc_backing;
Reporter::conn_weird("SMB_discarded_dce_rpc_analyzers", c, "", "SMB");
}
# If a fid representing a pipe was closed, remove it from dce_rpc_backing.
event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) &priority=-5
{
local fid = file_id$persistent + file_id$volatile;
if ( c?$dce_rpc_backing )
delete c$dce_rpc_backing[fid];
}
hook finalize_dce_rpc(c: connection) hook finalize_dce_rpc(c: connection)
{ {
if ( ! c?$dce_rpc ) if ( ! c?$dce_rpc )

1
src/analyzer/protocol/smb/consts.bif
View file

@ -1,2 +1,3 @@
const SMB::pipe_filenames: string_set; const SMB::pipe_filenames: string_set;
const SMB::max_pending_messages: count; const SMB::max_pending_messages: count;
const SMB::max_dce_rpc_analyzers: count;

10
src/analyzer/protocol/smb/events.bif
View file

@ -8,3 +8,13 @@
## ##
## c: The connection. ## c: The connection.
event smb_pipe_connect_heuristic%(c: connection%); event smb_pipe_connect_heuristic%(c: connection%);
## Generated for :abbr:`SMB (Server Message Block)` when the number of
## :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
## analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
## Occurrence of this event may indicate traffic loss, traffic load-balancing
## issues or abnormal SMB protocol usage.
##
## c: The connection.
##
event smb_discarded_dce_rpc_analyzers%(c: connection%);

33
src/analyzer/protocol/smb/smb-pipe.pac
View file

@ -10,7 +10,7 @@ refine connection SMB_Conn += {
%cleanup{ %cleanup{
// Iterate all of the analyzers and destroy them. // Iterate all of the analyzers and destroy them.
for ( auto kv : fid_to_analyzer_map ) for ( const auto& kv : fid_to_analyzer_map )
{ {
if ( kv.second ) if ( kv.second )
{ {
@ -49,6 +49,22 @@ refine connection SMB_Conn += {
if ( it == fid_to_analyzer_map.end() ) if ( it == fid_to_analyzer_map.end() )
{ {
// Too many analyzers?
if ( zeek::BifConst::SMB::max_dce_rpc_analyzers > 0 &&
fid_to_analyzer_map.size() >= zeek::BifConst::SMB::max_dce_rpc_analyzers )
{
if ( smb_discarded_dce_rpc_analyzers )
zeek::BifEvent::enqueue_smb_discarded_dce_rpc_analyzers(zeek_analyzer(), zeek_analyzer()->Conn());
for ( const auto& kv : fid_to_analyzer_map )
{
kv.second->Done();
delete kv.second;
}
fid_to_analyzer_map.clear();
}
auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", zeek_analyzer()->Conn()); auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", zeek_analyzer()->Conn());
pipe_dcerpc = static_cast<zeek::analyzer::dce_rpc::DCE_RPC_Analyzer *>(tmp_analyzer); pipe_dcerpc = static_cast<zeek::analyzer::dce_rpc::DCE_RPC_Analyzer *>(tmp_analyzer);
@ -68,4 +84,19 @@ refine connection SMB_Conn += {
return true; return true;
%} %}
function forward_dce_rpc_close(fid: uint64): bool
%{
auto it = fid_to_analyzer_map.find(fid);
if ( it != fid_to_analyzer_map.end() )
{
it->second->Done();
delete it->second;
fid_to_analyzer_map.erase(it);
return true;
}
return false;
%}
}; };

2
src/analyzer/protocol/smb/smb2-com-close.pac
View file

@ -46,7 +46,9 @@ type SMB2_close_request(header: SMB2_Header) = record {
reserved : uint32; reserved : uint32;
file_id : SMB2_guid; file_id : SMB2_guid;
} &let { } &let {
fid: uint64 = file_id.persistent + file_id._volatile;
proc: bool = $context.connection.proc_smb2_close_request(header, this); proc: bool = $context.connection.proc_smb2_close_request(header, this);
maybe_pipe_close: bool = $context.connection.forward_dce_rpc_close(fid);
}; };
type SMB2_close_response(header: SMB2_Header) = record { type SMB2_close_response(header: SMB2_Header) = record {

66
testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/out Normal file
View file

@ -0,0 +1,66 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5

11
testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/weird.log Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.17.0.1 38016 172.17.0.2 445 SMB_discarded_dce_rpc_analyzers - F zeek SMB
#close XXXX-XX-XX-XX-XX-XX

103
testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-size/out Normal file
View file

@ -0,0 +1,103 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1

BIN
testing/btest/Traces/dce-rpc/20-fids-no-close.pcap Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/dce-rpc/20-fids.pcap Normal file
View file

Binary file not shown.

19
testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek Normal file
View file

@ -0,0 +1,19 @@
# @TEST-DOC: Pcap does not contain close requests for the involved fids (filtered out with wireshark)
# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff weird.log
@load base/protocols/smb
@load base/protocols/dce-rpc
redef SMB::max_dce_rpc_analyzers = 5;
event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
{
print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
}
event smb_discarded_dce_rpc_analyzers(c: connection)
{
print "smb_discarded_dce_rpc_analyzers", c$uid;
}

19
testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek Normal file
View file

@ -0,0 +1,19 @@
# @TEST-DOC: Ensure dce_rpc_backing state stays bounded when pipes are closed properly.
# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids.pcap %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: test ! -f weird.log
@load base/protocols/smb
@load base/protocols/dce-rpc
redef SMB::max_dce_rpc_analyzers = 5;
event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
{
print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
}
event smb_discarded_dce_rpc_analyzers(c: connection)
{
print "UNEXPECTED", "smb_discarded_dce_rpc_analyzers", c$uid;
}