mirror of
https://github.com/zeek/zeek.git
synced 2025-10-12 19:48:20 +00:00
6517ed94f2
This patch does two things: 1) For SMB close requests, tear down any associated DCE-RPC analyzer if one exists. 2) Protect from fid_to_analyzer_map growing unbounded by introducing a new SMB::max_dce_rpc_analyzers limit and forcefully wipe the analyzers if exceeded. Propagate this to script land as event smb_discarded_dce_rpc_analyzers() for additional cleanup. This is mostly to fix how the binpac SMB analyzer tracks individual DCE-RPC analyzers per open fid. Connections that re-open the same or different pipe may currently allocate unbounded number of analyzers. Closes #3145. |
||
|---|---|---|
| .. | ||
| actions | ||
| __load__.zeek | ||
| main.zeek | ||
| README | ||
| weird.zeek | ||
The notice framework enables Zeek to "notice" things which are odd or potentially bad, leaving it to the local configuration to define which of them are actionable. This decoupling of detection and reporting allows Zeek to be customized to the different needs that sites have.