From 278dc24cd06a37c18b69ef3e1801a98b8a7c127c Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 25 Oct 2024 15:47:50 +0200 Subject: [PATCH] doc/userguide: document smb cache size limit options Ticket: #5672. --- doc/userguide/configuration/suricata-yaml.rst | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 3dfc950ec641..b6488b09f197 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -1686,6 +1686,38 @@ the limits are exceeded, and an event will be raised. `max-write-queue-size` and `max-write-queue-cnt` are as the READ variants, but then for WRITEs. +Cache limits +^^^^^^^^^^^^ + +The SMB parser uses several per flow caches to track data between different records +and transactions. These caches have a size ceiling. When the size limit is reached, +new additions will automatically evict the oldest entries. + +:: + + smb: + max-guid-cache-size: 1024 + max-rec-offset-cache-size: 128 + max-tree-cache-size: 512 + max-dcerpc-frag-cache-size: 128 + max-session-cache-size: 512 + +The `max-guid-cache-size` setting controls the size of the hash that maps the GUID to +filenames. These are added through CREATE commands and removed by CLOSE commands. + +`max-rec-offset-cache-size` controls the size of the hash that maps the READ offset +from READ commands to the READ responses. + +The `max-tree-cache-size` option contols the size of the SMB session to SMB tree hash. + +`max-dcerpc-frag-cache-size` controls the size of the hash that tracks partial DCERPC +over SMB records. These are buffered in this hash to only parse the DCERPC record when +it is fully reassembled. + +The `max-session-cache-size` setting controls the size of a generic hash table that maps +SMB session to filenames, GUIDs and share names. + + Configure HTTP2 ~~~~~~~~~~~~~~~
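Review bot: The new "Cache limits" section does not say what unit the sizes are in, or whether the values in the example block (1024, 128, 512, 128, 512) are the defaults. Please state both in the paragraph before the `::` block, for example that each value is a number of entries, if that is the case. The eviction sentence ("new additions will automatically evict the oldest entries") should also say whether an event is raised when that happens, since the context line just above the hunk says "and an event will be raised" for the queue limits. It would also help to note what tracking is lost on eviction: the text says GUID entries are added by CREATE and removed by CLOSE, so an entry evicted before its CLOSE presumably drops the GUID to filename mapping for that file. Typo in the `max-tree-cache-size` paragraph: "contols" should be "controls". Also, "per flow caches" reads better as "per-flow caches".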