Stream-depth of smb (and modbus)

I’m wondering if the code for setting these is intentional/correct… (running 6.0.2 code, but also seen in master)

What I see is that AppLayerParserPostStreamSetup() sets all the stream depths to the reassembly depth config by default.

But then some protocols, namely smb and modbus, have their own stream_depth configs, and override this value.

This seems fine if the value is actually explicitly set in the yaml config… but if it’s not, I feel like the default (using the reassembly depth) is actually better.

Instead, though, if the config value is omitted from the yaml, then these stream depths get overwritten with 0 (unlimited).

I’m wondering if these protocols should be changed to only override the stream_depth if it’s explicitly provided in the yaml config?

Thanks,
Jeff

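For anyone who wants to avoid the fallback Jeff describes, the excerpt below is an added, constructed suricata.yaml fragment (not a file from the thread or from the Suricata project) that states the per-protocol depth explicitly rather than leaving it to the override. It assumes the key names `stream.reassembly.depth` and `app-layer.protocols.<proto>.stream-depth` as used by Suricata 6.x; the port numbers and size values are illustrative.

```yaml
# Constructed suricata.yaml excerpt (added example, not from the thread).
# Assumes the keys stream.reassembly.depth and
# app-layer.protocols.<proto>.stream-depth.
stream:
  reassembly:
    # Default depth that AppLayerParserPostStreamSetup() applies to every
    # app-layer parser unless the protocol overrides it.
    depth: 1mb

app-layer:
  protocols:
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
      # Weak form (what the thread describes): leave stream-depth out, or
      # commented like the shipped config does ("#stream-depth: 0"), and the
      # smb parser overrides the 1mb default with 0, i.e. unlimited.
      # Explicit form: set the value so the bound is visible in the config
      # and does not depend on the fallback behaviour.
      stream-depth: 1mb

    modbus:
      enabled: no
      detection-ports:
        dp: 502
      # If long-lived ICS sessions genuinely need full tracking, say so
      # explicitly rather than by omission; 0 means "track the whole stream".
      stream-depth: 0
```

To confirm what is actually configured, `suricata --dump-config | grep stream-depth` lists the per-protocol values from the loaded config; note that it only prints keys present in the YAML, so an omitted key will not show the 0 the code falls back to.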

I’d agree, can you open a ticket for this?

Sounds good; will do.

@Jeff_Lucovsky I think you told me about SMB being intentionally unlimited because it usually has long-lived connections. Or was it someone else?

@catenacyber We probably discussed the issue in general terms.

That was in fact @ish who said

With SMB connections lasting days/weeks it didn’t seem to make sense to limit inspection to just some arbitrary length.

Jeff, you were for putting a limit to it…

I think some of the ICS protocols are like this as well. Very long lived connections.

But does it make sense to save all the context into a stream buffer?
In my case, I found this in a core file, and it appeared as though 2Gb had been saved into memory.