From fea8ee22600864561c5f34d86d8b133bb82a5259 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Fri, 15 Dec 2023 16:43:11 +0100 Subject: [PATCH] smb: Fix &read_expire not in effect due to &default=string_set() usage The SMB::State$recent_files field is meant to have expiring entries. However, due to usage of &default=string_set(), the &read_expire attribute is not respected causing unbounded state growth. Replace &default=string_set() with &default=set(). Thanks to ya-sato on Slack for reporting! Related: zeek/zeek-docs#179, #3513. --- scripts/base/protocols/smb/main.zeek | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/protocols/smb/main.zeek b/scripts/base/protocols/smb/main.zeek index 91e27acffa..9d37312862 100644 --- a/scripts/base/protocols/smb/main.zeek +++ b/scripts/base/protocols/smb/main.zeek @@ -157,7 +157,7 @@ export { ## A set of recent files to avoid logging the same ## files over and over in the smb files log. ## This only applies to files seen in a single connection. - recent_files : set[string] &default=string_set() &read_expire=3min; + recent_files : set[string] &default=set() &read_expire=3min; }; ## Everything below here is used internally in the SMB scripts.