Skip to content

Commit

Permalink
doc/userguide: document smb cache size limit options
Browse files Browse the repository at this point in the history
Ticket: OISF#5672.
  • Loading branch information
victorjulien committed Nov 6, 2024
1 parent 543429f commit 278dc24
Showing 1 changed file with 32 additions and 0 deletions.
32 changes: 32 additions & 0 deletions doc/userguide/configuration/suricata-yaml.rst
Original file line number Diff line number Diff line change
Expand Up @@ -1686,6 +1686,38 @@ the limits are exceeded, and an event will be raised.
`max-write-queue-size` and `max-write-queue-cnt` are as the READ variants,
but then for WRITEs.

Cache limits
^^^^^^^^^^^^

The SMB parser uses several per flow caches to track data between different records
and transactions. These caches have a size ceiling. When the size limit is reached,
new additions will automatically evict the oldest entries.

::

smb:
max-guid-cache-size: 1024
max-rec-offset-cache-size: 128
max-tree-cache-size: 512
max-dcerpc-frag-cache-size: 128
max-session-cache-size: 512

The `max-guid-cache-size` setting controls the size of the hash that maps the GUID to
filenames. These are added through CREATE commands and removed by CLOSE commands.

`max-rec-offset-cache-size` controls the size of the hash that maps the READ offset
from READ commands to the READ responses.

The `max-tree-cache-size` option contols the size of the SMB session to SMB tree hash.

`max-dcerpc-frag-cache-size` controls the size of the hash that tracks partial DCERPC
over SMB records. These are buffered in this hash to only parse the DCERPC record when
it is fully reassembled.

The `max-session-cache-size` setting controls the size of a generic hash table that maps
SMB session to filenames, GUIDs and share names.


Configure HTTP2
~~~~~~~~~~~~~~~

Expand Down

0 comments on commit 278dc24

Please sign in to comment.