mirror of
https://github.com/zeek/zeek.git
synced 2025-10-05 16:18:19 +00:00
5811e58139
* origin/topic/awelzel/3145-dcerpc-state-clean:
dce-rpc: Test cases for unbounded state growth
dce-rpc: Handle smb2_close_request() in scripts
smb/dce-rpc: Cleanup DCE-RPC analyzers when fid is closed and limit them
dce-rpc: Do not repeatedly register removal hooks
(cherry picked from commit f9904511ab)
19 lines
623 B
Text
19 lines
623 B
Text
# @TEST-DOC: Pcap does not contain close requests for the involved fids (filtered out with wireshark)
|
|
# @TEST-EXEC: zeek -C -r $TRACES/dce-rpc/20-fids-no-close.pcap %INPUT >out
|
|
# @TEST-EXEC: btest-diff out
|
|
# @TEST-EXEC: btest-diff weird.log
|
|
|
|
@load base/protocols/smb
|
|
@load base/protocols/dce-rpc
|
|
|
|
redef SMB::max_dce_rpc_analyzers = 5;
|
|
|
|
event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
|
|
{
|
|
print "dce_rpc_request", c$uid, "fid", fid, "backing", |c$dce_rpc_backing|;
|
|
}
|
|
|
|
event smb_discarded_dce_rpc_analyzers(c: connection)
|
|
{
|
|
print "smb_discarded_dce_rpc_analyzers", c$uid;
|
|
}
|