Merge remote-tracking branch 'origin/topic/awelzel/3145-dcerpc-state-clean'

* origin/topic/awelzel/3145-dcerpc-state-clean: dce-rpc: Test cases for unbounded state growth dce-rpc: Handle smb2_close_request() in scripts smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them dce-rpc: Do not repeatedly register removal hooks (cherry picked from commit f9904511ab)
2025-10-13 03:58:20 +00:00 · 2023-07-11 16:16:56 -07:00 · 2023-07-11 16:16:56 -07:00 · 5811e58139
commit 5811e58139
parent c19069acdb
14 changed files with 289 additions and 3 deletions
--- a/scripts/base/frameworks/notice/weird.zeek
+++ b/scripts/base/frameworks/notice/weird.zeek
@ -211,6 +211,7 @@ export {
 		["spontaneous_RST"]                     = ACTION_IGNORE,
 		["SMB_parsing_error"]                   = ACTION_LOG,
 		["SMB_discarded_messages_state"]        = ACTION_LOG,
+		["SMB_discarded_dce_rpc_analyzers"]     = ACTION_LOG,
 		["no_smb_session_using_parsesambamsg"]  = ACTION_LOG,
 		["smb_andx_command_failed_to_parse"]    = ACTION_LOG,
 		["smb_tree_connect_andx_response_without_tree"] = ACTION_LOG_PER_CONN,
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -3006,6 +3006,12 @@ export {
 	##
 	## .. zeek:see:: smb2_discarded_messages_state
 	const SMB::max_pending_messages = 1000 &redef;
+
+	## Maximum number of DCE-RPC analyzers per connection
+	## before discarding them to avoid unbounded state growth.
+	##
+	## .. zeek:see:: smb_discarded_dce_rpc_analyzers
+	const max_dce_rpc_analyzers = 1000 &redef;
 }

 module SMB1;
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@ -88,8 +88,6 @@ function set_state(c: connection, state_x: BackingState)
 		c$dce_rpc$endpoint = uuid_endpoint_map[c$dce_rpc_state$uuid];
 	if ( c$dce_rpc_state?$named_pipe )
 		c$dce_rpc$named_pipe = c$dce_rpc_state$named_pipe;
-
-	Conn::register_removal_hook(c, finalize_dce_rpc);
 	}

 function set_session(c: connection, fid: count)
@ -97,7 +95,9 @@ function set_session(c: connection, fid: count)
 	if ( ! c?$dce_rpc_backing )
 		{
 		c$dce_rpc_backing = table();
+		Conn::register_removal_hook(c, finalize_dce_rpc);
 		}
+
 	if ( fid !in c$dce_rpc_backing )
 		{
 		local info = Info($ts=network_time(),$id=c$id,$uid=c$uid);
@ -216,6 +216,23 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
 		}
 	}

+event smb_discarded_dce_rpc_analyzers(c: connection)
+	{
+	# This event is raised when the DCE-RPC analyzers table
+	# grew too large. Assume things are broken and wipe
+	# the backing table.
+	delete c$dce_rpc_backing;
+	Reporter::conn_weird("SMB_discarded_dce_rpc_analyzers", c, "", "SMB");
+	}
+
+# If a fid representing a pipe was closed, remove it from dce_rpc_backing.
+event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID) &priority=-5
+	{
+	local fid = file_id$persistent + file_id$volatile;
+	if ( c?$dce_rpc_backing )
+		delete c$dce_rpc_backing[fid];
+	}
+
 hook finalize_dce_rpc(c: connection)
 	{
 	if ( ! c?$dce_rpc )
--- a/src/analyzer/protocol/smb/consts.bif
+++ b/src/analyzer/protocol/smb/consts.bif
@ -1,2 +1,3 @@
 const SMB::pipe_filenames: string_set;
 const SMB::max_pending_messages: count;
+const SMB::max_dce_rpc_analyzers: count;
--- a/src/analyzer/protocol/smb/events.bif
+++ b/src/analyzer/protocol/smb/events.bif
@ -8,3 +8,13 @@
 ##
 ## c: The connection.
 event smb_pipe_connect_heuristic%(c: connection%);
+
+## Generated for :abbr:`SMB (Server Message Block)` when the number of
+## :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## analyzers exceeds :zeek:see:`SMB::max_dce_rpc_analyzers`.
+## Occurrence of this event may indicate traffic loss, traffic load-balancing
+## issues or abnormal SMB protocol usage.
+##
+## c: The connection.
+##
+event smb_discarded_dce_rpc_analyzers%(c: connection%);
--- a/src/analyzer/protocol/smb/smb-pipe.pac
+++ b/src/analyzer/protocol/smb/smb-pipe.pac
@ -10,7 +10,7 @@ refine connection SMB_Conn += {

 	%cleanup{
 		// Iterate all of the analyzers and destroy them.
-		for ( auto kv : fid_to_analyzer_map )
+		for ( const auto& kv : fid_to_analyzer_map )
 			{
 			if ( kv.second )
 				{
@ -49,6 +49,22 @@ refine connection SMB_Conn += {

 		if ( it == fid_to_analyzer_map.end() )
 			{
+			// Too many analyzers?
+			if ( zeek::BifConst::SMB::max_dce_rpc_analyzers > 0 &&
+			     fid_to_analyzer_map.size() >= zeek::BifConst::SMB::max_dce_rpc_analyzers )
+				{
+				if ( smb_discarded_dce_rpc_analyzers )
+					zeek::BifEvent::enqueue_smb_discarded_dce_rpc_analyzers(zeek_analyzer(), zeek_analyzer()->Conn());
+
+				for ( const auto& kv : fid_to_analyzer_map )
+					{
+					kv.second->Done();
+					delete kv.second;
+					}
+
+				fid_to_analyzer_map.clear();
+				}
+
 			auto tmp_analyzer = zeek::analyzer_mgr->InstantiateAnalyzer("DCE_RPC", zeek_analyzer()->Conn());
 			pipe_dcerpc = static_cast<zeek::analyzer::dce_rpc::DCE_RPC_Analyzer *>(tmp_analyzer);

@ -68,4 +84,19 @@ refine connection SMB_Conn += {

 		return true;
 		%}
+
+	function forward_dce_rpc_close(fid: uint64): bool
+		%{
+		auto it = fid_to_analyzer_map.find(fid);
+
+		if ( it != fid_to_analyzer_map.end() )
+			{
+			it->second->Done();
+			delete it->second;
+			fid_to_analyzer_map.erase(it);
+			return true;
+			}
+
+		return false;
+		%}
 };
--- a/src/analyzer/protocol/smb/smb2-com-close.pac
+++ b/src/analyzer/protocol/smb/smb2-com-close.pac
@ -46,7 +46,9 @@ type SMB2_close_request(header: SMB2_Header) = record {
 	reserved            : uint32;
 	file_id             : SMB2_guid;
 } &let {
+	fid: uint64 = file_id.persistent + file_id._volatile;
 	proc: bool = $context.connection.proc_smb2_close_request(header, this);
+	maybe_pipe_close: bool = $context.connection.forward_dce_rpc_close(fid);
 };

 type SMB2_close_response(header: SMB2_Header) = record {
--- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/out
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/out
@ -0,0 +1,66 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 5
+smb_discarded_dce_rpc_analyzers, CHhAvVGS1DHFjwGM9
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 2
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 3
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 4
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 5
--- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-discard/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.17.0.1	38016	172.17.0.2	445	SMB_discarded_dce_rpc_analyzers	-	F	zeek	SMB
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-size/out
+++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.dce-rpc-backing-size/out
@ -0,0 +1,103 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2775301094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2780179611, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5622680288, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 770495516, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3230398483, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3404240006, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 581185132, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 1419732663, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 6525719129, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7865351196, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 7808965122, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5744501780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4423347481, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2572299628, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 3551409164, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4758761704, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 5174655977, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 2565910467, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4869689094, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
+dce_rpc_request, CHhAvVGS1DHFjwGM9, fid, 4356815780, backing, 1
--- a/testing/btest/Traces/dce-rpc/20-fids-no-close.pcap
+++ b/testing/btest/Traces/dce-rpc/20-fids-no-close.pcap
--- a/testing/btest/Traces/dce-rpc/20-fids.pcap
+++ b/testing/btest/Traces/dce-rpc/20-fids.pcap
--- a/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-discard.zeek
@ -0,0 +1,19 @@
+# @TEST-DOC: Pcap does not contain close requests for the involved fids (filtered out with wireshark)
+# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/smb
+@load base/protocols/dce-rpc
+
+redef SMB::max_dce_rpc_analyzers = 5;
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
+	{
+	print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
+	}
+
+event smb_discarded_dce_rpc_analyzers(c: connection)
+	{
+	print "smb_discarded_dce_rpc_analyzers", c$uid;
+	}
--- a/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/dce-rpc-backing-size.zeek
@ -0,0 +1,19 @@
+# @TEST-DOC: Ensure dce_rpc_backing state stays bounded when pipes are closed properly.
+# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/smb
+@load base/protocols/dce-rpc
+
+redef SMB::max_dce_rpc_analyzers = 5;
+
+event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
+	{
+	print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
+	}
+
+event smb_discarded_dce_rpc_analyzers(c: connection)
+	{
+	print "UNEXPECTED", "smb_discarded_dce_rpc_analyzers", c$uid;
+	}