smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them

This patch does two things: 1) For SMB close requests, tear down any associated DCE-RPC analyzer if one exists. 2) Protect from fid_to_analyzer_map growing unbounded by introducing a new SMB::max_dce_rpc_analyzers limit and forcefully wipe the analyzers if exceeded. Propagate this to script land as event smb_discarded_dce_rpc_analyzers() for additional cleanup. This is mostly to fix how the binpac SMB analyzer tracks individual DCE-RPC analyzers per open fid. Connections that re-open the same or different pipe may currently allocate unbounded number of analyzers. Closes #3145.
2025-10-02 06:38:20 +00:00 · 2023-06-30 14:27:13 +02:00 · 2023-06-30 14:27:13 +02:00 · 6517ed94f2
commit 6517ed94f2
parent 1c9038f38d
7 changed files with 61 additions and 1 deletions
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@ -216,6 +216,15 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
 		}
 	}

+event smb_discarded_dce_rpc_analyzers(c: connection)
+	{
+	# This event is raised when the DCE-RPC analyzers table
+	# grew too large. Assume things are broken and wipe
+	# the backing table.
+	delete c$dce_rpc_backing;
+	Reporter::conn_weird("SMB_discarded_dce_rpc_analyzers", c, "", "SMB");
+	}
+
 hook finalize_dce_rpc(c: connection)
 	{
 	if ( ! c?$dce_rpc )