Smb hashmap/v9 #12036
Smb hashmap/v9 #12036
Conversation
Don't tag the session as gap'd when the GAP is in a precise location: 1. in "skip" data, where the GAP just fits the skip data 2. in file data, where we pass the GAP on to the file This reduces load of GAP post-processing that is unnecessary in these case.
Ticket: OISF#5672.
Use `lru` crate. Rename to reflect this. Add `app-layer.protocols.smb.max-guid-cache-size` to control the max size of the LRU cache. Ticket: OISF#5672.
Rename to read_offset_cache. Add `app-layer.protocols.smb.max-read-offset-cache-size` option to control the limit. Ticket: OISF#5672.
Turn the map mapping the smb session key to smb tree into a lru cache, limited to 1024 by default. Add `app-layer.protocols.smb.max-tree-cache-size` option to control the limit. Ticket: OISF#5672.
Reimplement the ssnguid2vec_map HashMap as a LruCache. Since this is a DCERPC record cache, name it as such. Default size is 128. Can be controlled by `app-layer.protocols.smb.max-dcerpc-frag-cache-size`. Ticket: OISF#5672.
Generic ssn2vec_map was a HashMap used for mapping session key to different types of vector data: - GUID - filename - share name Turn this into a bounded LruCache. Rename to ssn2vec_cache. Size of the cache is 512 by default, and can be configured using: `app-layer.protocols.smb.max-session-cache-size` Ticket: OISF#5672.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12036 +/- ##
==========================================
- Coverage 83.42% 83.40% -0.02%
==========================================
Files 910 910
Lines 257642 257671 +29
==========================================
- Hits 214934 214922 -12
- Misses 42708 42749 +41
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 23185 |
| SCLogError!("Invalid max-guid-cache-size value"); | ||
| } | ||
| } | ||
| let retval = conf_get("app-layer.protocols.smb.max-read-offset-cache-size"); |
There was a problem hiding this comment.
Looks like some get_as_usize could be useful here :)
There was a problem hiding this comment.
Can be done as a future optimization.
| @@ -80,6 +81,16 @@ pub static mut SMB_CFG_MAX_READ_QUEUE_CNT: u32 = 64; | |||
| pub static mut SMB_CFG_MAX_WRITE_SIZE: u32 = 16777216; | |||
| pub static mut SMB_CFG_MAX_WRITE_QUEUE_SIZE: u32 = 67108864; | |||
| pub static mut SMB_CFG_MAX_WRITE_QUEUE_CNT: u32 = 64; | |||
| /// max size of the per state guid2name cache | |||
| pub static mut SMB_CFG_MAX_GUID_CACHE_SIZE: usize = 1024; | |||
There was a problem hiding this comment.
side note, but it would be good to have something like lazy_static to say, yes this is a global variable, but once initialization is done, it is a constant and it can be read safely...
There was a problem hiding this comment.
Can be done as a future optimization.
| @@ -28,13 +28,14 @@ | |||
| use std; | |||
| use std::str; | |||
| use std::ffi::{self, CString}; | |||
|
|
|||
| use std::collections::HashMap; | |||
There was a problem hiding this comment.
This looks great overall
| pub struct SMBState<> { | ||
| pub state_data: AppLayerStateData, | ||
|
|
||
| /// map ssn/tree/msgid to vec (guid/name/share) | ||
| pub ssn2vec_map: HashMap<SMBCommonHdr, Vec<u8>>, | ||
| pub ssn2vec_cache: LruCache<SMBCommonHdr, Vec<u8>>, |
There was a problem hiding this comment.
Next question after this work :
So, this work bounds the number of elements by flow (great), but is the size of each element bounded ? Can this Vec and other ones like guid2name_cache: LruCache<Vec<u8>, Vec<u8>> have arbitrary big vectors ?
There was a problem hiding this comment.
Good question for a follow up ticket.
|
This looks great overall. |
|
|
||
| :: | ||
|
|
||
| smb: | ||
| max-guid-cache-size: 1024 | ||
| max-rec-offset-cache-size: 128 | ||
| max-tree-cache-size: 512 | ||
| max-dcerpc-frag-cache-size: 128 | ||
| max-session-cache-size: 512 | ||
|
|
||
| The `max-guid-cache-size` setting controls the size of the hash that maps the GUID to | ||
| filenames. These are added through CREATE commands and removed by CLOSE commands. | ||
|
|
||
| `max-rec-offset-cache-size` controls the size of the hash that maps the READ offset | ||
| from READ commands to the READ responses. | ||
|
|
||
| The `max-tree-cache-size` option contols the size of the SMB session to SMB tree hash. | ||
|
|
||
| `max-dcerpc-frag-cache-size` controls the size of the hash that tracks partial DCERPC | ||
| over SMB records. These are buffered in this hash to only parse the DCERPC record when | ||
| it is fully reassembled. | ||
|
|
||
| The `max-session-cache-size` setting controls the size of a generic hash table that maps | ||
| SMB session to filenames, GUIDs and share names. |
There was a problem hiding this comment.
Any additional comments here on the suitability of the defaults would be great.. Conservative? Good for average use? etc. Why they were chosen?
There was a problem hiding this comment.
Fairly random. I don't have a good env to test this stuff with. Want to make some ways to observe the sizes.
Large pcaps with a debug print to see the sizes, and it stays in bounds. |
|
Replaced by #12087 |
LruCache use for all hashmaps in smb state. This will bound each of them.
https://redmine.openinfosecfoundation.org/issues/5672
Replaces #12028.