Bug #3699

closed

smb: post-GAP file handling

Added by Victor Julien over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 4.1, Needs backport to 5.0

Description

The issue addressed in #3400 is not completely fixed. The transactions are cleaned up properly, however the files are not.

As the files list and the transactions are only loosely connected, the files need to be explicitly handled. Transactions are freed based on their "progress", files based on their "state". If the "state" stays "FILE_STATE_OPEN", the file won't be freed until the end of the flow. The post-GAP handling doesn't explicitly change the file state and therefore the file is not freed. This can lead to a situation where the file list contains an ever increasing amount of "open" files that are never freed or otherwise used, but do consume memory and slow down various operations that walk the file list.

Making things worse is the feedback loop of these smb sessions becoming ever more expensive, leading to pkt loss, contributing to more of these "dangling" files, leading to more loss, etc.
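The mechanism described above, as an added example that is not part of the original report and is not Suricata's code: a simplified model in which pruning depends only on file state, run with and without a state change in the post-GAP handler. Every name in it is hypothetical, and `Truncated` is an assumed terminal state chosen for illustration.

```rust
// Simplified model of the behaviour in this issue; all names are hypothetical, not Suricata's.
#[derive(Clone, Copy, PartialEq)]
enum FileState {
    Open,      // stands in for FILE_STATE_OPEN
    Truncated, // assumed terminal state for a transfer cut short by a GAP
}

struct TrackedFile {
    state: FileState,
    buffered: usize, // bytes held for this file
}

/// Post-GAP handling. With `fix == false` it mirrors the bug: the file
/// state is left untouched, so the file stays open.
fn on_gap(files: &mut [TrackedFile], fix: bool) {
    if !fix {
        return;
    }
    for f in files.iter_mut().filter(|f| f.state == FileState::Open) {
        f.state = FileState::Truncated;
    }
}

/// Pruning looks only at file state, never at transaction progress.
fn prune(files: &mut Vec<TrackedFile>) {
    files.retain(|f| f.state == FileState::Open);
}

/// Run `transfers` file transfers on one flow, each interrupted by a GAP.
/// Returns (files left in the list, bytes still held).
fn simulate(transfers: usize, fix: bool) -> (usize, usize) {
    let mut files: Vec<TrackedFile> = Vec::new();
    for _ in 0..transfers {
        files.push(TrackedFile { state: FileState::Open, buffered: 4096 });
        on_gap(&mut files, fix);
        prune(&mut files);
    }
    let held: usize = files.iter().map(|f| f.buffered).sum();
    (files.len(), held)
}

fn main() {
    println!("state unchanged after GAP: {:?}", simulate(1000, false));
    println!("state changed after GAP:   {:?}", simulate(1000, true));
}
```

Without the state change the list grows by one entry per interrupted transfer and every later walk of the list gets longer; with it the list stays empty between transfers.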


Related issues: 5 (1 open, 4 closed)

Related to Suricata - Bug #3375: tracking: file tracking/inspection performance issues (Assigned, Victor Julien)
Related to Suricata - Bug #3400: smb: post-GAP file tx handling (Closed, Victor Julien)
Copied to Suricata - Bug #3700: nfs: post-GAP file handling (Closed, Victor Julien)
Copied to Suricata - Bug #4077: smb: post-GAP file handling (Closed, Victor Julien)
Copied to Suricata - Bug #4078: smb: post-GAP file handling (Closed, Victor Julien)