Stream-depth of smb (and modbus)

I’m wondering if the code for setting these is intentional/correct… (running 6.0.2 code, but also seen in master)

What I see is that AppLayerParserPostStreamSetup() sets all the stream depths to the reassembly depth config by default.

But then some protocols, namely smb and modbus, have their own stream_depth configs, and override this value.

This seems fine if the value is actually explicitly set in the yaml config… but if it’s not, I feel like the default (using the reassembly depth) is actually better.

Instead, though, if the config value is omitted from the yaml, then these stream depths get overwritten with 0 (unlimited).

I’m wondering if these protocols should be changed to only override the stream_depth if it’s explicitly provided in the yaml config?

Thanks,
Jeff

2 Likes
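The behaviour described in the post above and the change it proposes, as an added example: a simplified C model, not Suricata's own code. The struct, the function names and the byte values are hypothetical; only the config key name used when calling it (`app-layer.protocols.smb.stream-depth`) refers to a real setting.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the parsed YAML: keys that are present, with
 * their size already converted to bytes. An omitted key is simply absent. */
struct conf_entry {
    const char *key;
    uint32_t bytes;
};

/* Returns 1 and fills *out when the key is present, 0 when it is omitted. */
static int conf_lookup(const struct conf_entry *conf, size_t n,
                       const char *key, uint32_t *out)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(conf[i].key, key) == 0) {
            *out = conf[i].bytes;
            return 1;
        }
    }
    return 0;
}

/* Behaviour described in the post: the protocol's own default of 0
 * (unlimited) replaces the reassembly depth even when the key is omitted. */
uint32_t depth_always_override(const struct conf_entry *conf, size_t n,
                               const char *key, uint32_t reassembly_depth)
{
    uint32_t depth = reassembly_depth; /* generic default, set first */
    uint32_t proto_depth = 0;          /* protocol default: unlimited */
    (void)conf_lookup(conf, n, key, &proto_depth);
    depth = proto_depth;               /* unconditional override */
    return depth;
}

/* Change proposed in the post: override only when the key is in the YAML. */
uint32_t depth_override_if_set(const struct conf_entry *conf, size_t n,
                               const char *key, uint32_t reassembly_depth)
{
    uint32_t proto_depth;
    if (conf_lookup(conf, n, key, &proto_depth))
        return proto_depth;            /* explicit value, 0 included */
    return reassembly_depth;           /* omitted: keep the generic default */
}
```

With the key omitted and a constructed reassembly depth of 1 MiB, the first function yields 0 (unlimited) and the second keeps 1048576; an explicit value, including 0, is honoured by both.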

I’d agree, can you open a ticket for this?

Sounds good; will do.

@Jeff_Lucovsky I think you told me about SMB being intentionally unlimited because it usually has long-lived connections. Or was it someone else?

@catenacyber We probably discussed the issue in general terms.

That was in fact @ish who said

With SMB connections lasting days/weeks it didn’t seem to make sense to limit inspection to just some arbitrary length.

Jeff, you were for putting a limit to it…

I think some of the ICS protocols are like this as well. Very long-lived connections.

But does it make sense to save all the context into a stream buffer?
In my case, I found this in a core file, and it appeared as though 2Gb has been saved into memory.

Is this issue fixed in latest releases? I am using 6.0.10 and I see the issue. If there was a ticket raised for this, could someone please share its details?

There were many fixes addressing SMB in 7.0, some too intrusive to backport. I’d recommend upgrading to the latest 7.0.6 release.

6.0 is no longer maintained.

Sure, thanks @ish. Will check the same in 7.0.6.