From ed5173866841526ee1b32adddf85f616057a10bc Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 6 Jun 2025 14:06:07 -0700
Subject: [PATCH] Move netbios_ssn_session_timeout to a script-level constant

---
 scripts/base/init-bare.zeek                 |  4 ++++
 src/analyzer/protocol/netbios/NetbiosSSN.cc | 12 ++++++------
 src/const.bif                               |  1 +
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 178b0e9cd4..b47899d2f6 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -579,6 +579,10 @@ const io_poll_interval_live = 10 &redef;
 ## while testing, but should be used sparingly.
 const running_under_test: bool = F &redef;
 
+## The amount of time before a connection created by the netbios analyzer times
+## out and is removed.
+const netbios_ssn_session_timeout: interval = 15 sec &redef;
+
 module EventMetadata;
 
 export {
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc
index 33ef723531..4fddffc85d 100644
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@@ -10,8 +10,6 @@
 #include "zeek/analyzer/protocol/netbios/events.bif.h"
 #include "zeek/session/Manager.h"
 
-static constexpr double netbios_ssn_session_timeout = 15.0;
-
 static constexpr void MAKE_INT16(uint16_t& dest, const u_char*& src) {
     dest = *src;
     dest <= 8;
@@ -397,8 +395,9 @@ NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)
         AddSupportAnalyzer(resp_netbios);
     }
     else {
-        ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer, run_state::network_time + netbios_ssn_session_timeout,
-                           true, zeek::detail::TIMER_NB_EXPIRE);
+        ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer,
+                           run_state::network_time + BifConst::netbios_ssn_session_timeout, true,
+                           zeek::detail::TIMER_NB_EXPIRE);
     }
 }
 
@@ -446,12 +445,13 @@ void NetbiosSSN_Analyzer::ExpireTimer(double t) {
     // The - 1.0 in the following is to allow 1 second for the
     // common case of a single request followed by a single reply,
     // so we don't needlessly set the timer twice in that case.
-    if ( run_state::terminating || run_state::network_time - Conn()->LastTime() >= netbios_ssn_session_timeout - 1.0 ) {
+    if ( run_state::terminating ||
+         run_state::network_time - Conn()->LastTime() >= BifConst::netbios_ssn_session_timeout - 1.0 ) {
         Event(connection_timeout);
         session_mgr->Remove(Conn());
     }
     else
-        ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer, t + netbios_ssn_session_timeout, true,
+        ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer, t + BifConst::netbios_ssn_session_timeout, true,
                            zeek::detail::TIMER_NB_EXPIRE);
 }
 
diff --git a/src/const.bif b/src/const.bif
index 7874352d6d..48f1e07ee9 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -12,6 +12,7 @@ const report_gaps_for_partial: bool;
 const exit_only_after_terminate: bool;
 const digest_salt: string;
 const max_analyzer_violations: count;
+const netbios_ssn_session_timeout: interval;
 
 const io_poll_interval_default: count;
 const io_poll_interval_live: count;