Pull request #4628: appid: added publishing of domain fronting event

Merge in SNORT/snort3 from ~BSACHDEV/snort3:domain_fronting_publish to master

Squashed commit of the following:

commit 3d1ae6604b0870ae73795193030a0d9a488e819a
Author: bsachdev <bsachdev@cisco.com>
Date:   Wed Feb 19 17:13:54 2025 -0500

    appid: added publishing of domain fronting event

diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 72ff15bbcbac74cc097ea3e8599ab64181705e7f..ae3db22f719fa63ab70310d35a644ca32ce6c8a3 100644 (file)
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -1365,8 +1365,11 @@ void AppIdSession::check_domain_fronting_status()
         if (hsession) 
         { 
             const char* host = hsession->get_cfield(REQ_HOST_FID); 
-            if (host)
-                TLSDomainFrontCheckEvent(p, api.asd->get_cert_key(), host); 
+            if (host) 
+            {
+                TLSDomainFrontCheckEvent domain_front_event(p, api.asd->get_cert_key(), host);
+                       DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DOMAIN_FRONTING, domain_front_event, p->flow);
+               }
         } 
     } 
 } 

diff --git a/src/pub_sub/appid_event_ids.h b/src/pub_sub/appid_event_ids.h
index c42efb88a4f45c88e62eb4e1c6ccdafbfce3c48c..66c48fd6110f2acd1e9c2ae87da4cd49c32f21bb 100644 (file)
--- a/src/pub_sub/appid_event_ids.h
+++ b/src/pub_sub/appid_event_ids.h
@@ -34,6 +34,7 @@ struct AppIdEventIds
     DHCP_DATA,
     DHCP_INFO,
     FP_SMB_DATA,
+    DOMAIN_FRONTING,
 
     num_ids
 }; };