Pull request #4775: appid: fixed stash issue by fixing publishing shadow traffic
authorUmang Sharma (umasharm) <umasharm@cisco.com>
Mon, 23 Jun 2025 13:08:08 +0000 (13:08 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Mon, 23 Jun 2025 13:08:08 +0000 (13:08 +0000)
Merge in SNORT/snort3 from ~UMASHARM/snort3:stash_fix_shadowtraffic to master

Squashed commit of the following:

commit 51998042ed5f314e18f32ebad0eb37638371cef2
Author: Umang Sharma <umasharm@cisco.com>
Date:   Mon Jun 16 09:38:41 2025 -0400

    appid: fixed stash issue by fixing publishing shadow traffic

src/network_inspectors/appid/appid_discovery.cc
src/network_inspectors/appid/appid_http_session.cc
src/network_inspectors/appid/appid_http_session.h
src/network_inspectors/appid/appid_session.cc
src/network_inspectors/appid/appid_session.h
src/network_inspectors/appid/test/appid_discovery_test.cc
src/network_inspectors/appid/test/appid_http_event_test.cc
src/network_inspectors/appid/test/appid_http_session_test.cc

index c753c563ccdf8d17bc9f9373f85198dc3ceff8d6..f1636737b1f5e166fd2fd3ad3063eb951e6c129f 100644 (file)
@@ -908,6 +908,15 @@ void AppIdDiscovery::do_post_discovery(Packet* p, AppIdSession& asd,
     {
         asd.sync_with_snort_protocol_id(service_id, p, change_bits);
     }
+    
+    if (asd.get_odp_ctxt().get_appid_shadow_traffic_status())
+    {
+        if (asd.get_shadow_traffic_bits() != 0)
+        {
+            uint32_t shadow_bits = asd.get_shadow_traffic_bits();
+            asd.publish_shadow_traffic_event(shadow_bits, asd.flow);
+        }
+    }
 
     asd.publish_appid_event(change_bits, *p);
 }
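Review bot: The `!= 0` guard in the new block is load-bearing and deserves a comment, because `publish_shadow_traffic_event` itself only returns early when the bits equal the previously published bits, and after a successful publish the pending bits are reset to 0 while the previous bits keep the published value, so a bare zero would pass that check and publish an empty event. The block also reads `get_shadow_traffic_bits()` twice and nests two ifs where one suffices; `const uint32_t shadow_bits = asd.get_shadow_traffic_bits(); if (shadow_bits != 0 and asd.get_odp_ctxt().get_appid_shadow_traffic_status()) asd.publish_shadow_traffic_event(shadow_bits, asd.flow);` with the comment `// keep the != 0 check: bits are zeroed after publish, previous bits are not`. The destructor-time version of this check that the commit removes also required the packet thread's ODP context version to match the session's; here the session's own context is used on the packet path, which is presumably why that check was dropped, but it is worth confirming for the reload case. Line 31 carries trailing whitespace.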
index 59e1c27a3e22e8f2c0d6a84858a59cb7e1d3ab39..a40aec761933c115682caf02c1ebe76fae00f1d0 100644 (file)
@@ -780,6 +780,18 @@ void AppIdHttpSession::clear_all_fields()
     }
 }
 
+void AppIdHttpSession::check_domain_fronting(HttpFieldIds id)
+{
+    if (id == REQ_HOST_FID)
+    {
+        if (asd.get_session_flags(APPID_SESSION_DECRYPTED) or asd.get_session_flags(APPID_SESSION_APP_REINSPECT))
+        {
+            if (asd.get_odp_ctxt().get_appid_shadow_traffic_status())
+                asd.check_domain_fronting_status(*meta_data[id]);
+        }
+    }
+}
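Review bot: `*meta_data[id]` is dereferenced without a null check even though the entry is a pointer (the other `set_field` overload passes `meta_data[id]` straight to `print_field` where this one passes `str`), and `check_domain_fronting` is declared public, so nothing stops a future caller from invoking it before the host field is set. Both call sites in this commit do set the field first, but a guard costs one line: `if (const std::string* host = meta_data[id]) asd.check_domain_fronting_status(*host);`. A short header comment would also help, e.g. `// Runs the domain-fronting lookup once the Host header is known; only on decrypted or reinspected flows with shadow-traffic detection enabled.`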
+
 void AppIdHttpSession::set_field(HttpFieldIds id, const std::string* str,
     AppidChangeBits& change_bits)
 {
@@ -790,6 +802,7 @@ void AppIdHttpSession::set_field(HttpFieldIds id, const std::string* str,
         set_http_change_bits(change_bits, id);
         set_scan_flags(id);
 
+        check_domain_fronting(id);
         print_field(id, str);
     }
     else if (str)
@@ -806,6 +819,7 @@ void AppIdHttpSession::set_field(HttpFieldIds id, const uint8_t* str, int32_t le
         set_http_change_bits(change_bits, id);
         set_scan_flags(id);
 
+        check_domain_fronting(id);
         print_field(id, meta_data[id]);
     }
 }
index c775f4a20262e2691b404f294ab9164ece676d49..34a0b62c28b39f1676e9b05c56081b877423112c 100644 (file)
@@ -72,6 +72,7 @@ public:
         HttpPatternMatchers& http_matchers);
 
     void update_url(AppidChangeBits& change_bits);
+    void check_domain_fronting(HttpFieldIds id);
     void set_field(HttpFieldIds id, const std::string* str, AppidChangeBits& change_bits);
     void set_field(HttpFieldIds id, const uint8_t* str, int32_t len, AppidChangeBits& change_bits);
     void set_req_body_field(HttpFieldIds id, const uint8_t* str, int32_t len,
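Review bot: `check_domain_fronting` is an internal step of `set_field` (it reads `meta_data` and forwards to the session) yet is added in the public section; moving it under `private:` keeps the class's public surface to the field setters callers actually use, unless the tests need to call it directly. Whichever section it lands in, a one-line comment such as `// Triggers the domain-fronting check when the REQ_HOST_FID field is set on a decrypted/reinspected flow.` would save the next reader a trip to the .cc file. The enclosing class declaration starts before and ends after this hunk.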
index 78595f2cccdd8fd2c6bfa59a81d66be5d87f15c6..03490ccedafb37f8d100313e4bbc2d991b42c06e 100644 (file)
@@ -156,13 +156,6 @@ AppIdSession::~AppIdSession()
     {
         api.asd->get_odp_ctxt().get_appid_cpu_profiler_mgr().check_appid_cpu_profiler_table_entry(api.asd, api.get_service_app_id(), api.get_client_app_id(), api.get_payload_app_id(), api.get_misc_app_id());
     }
-    if ((pkt_thread_odp_ctxt->get_version() == api.asd->get_odp_ctxt_version()) and api.asd->get_odp_ctxt().get_appid_shadow_traffic_status())
-    {
-        check_domain_fronting_status();
-        if (api.asd->appid_shadow_traffic_bits != 0)
-            api.asd->publish_shadow_traffic_event(api.asd->appid_shadow_traffic_bits, api.asd->flow);
-    }
 
     if (!in_expected_cache)
     {
@@ -1216,16 +1209,22 @@ void AppIdSession::set_tp_payload_app_id(const Packet& p, AppidSessionDirection
     }
 }
 
-void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_bits, snort::Flow *) const
+void AppIdSession::publish_shadow_traffic_event(const uint32_t& shadow_traffic_bits, snort::Flow* flow)
 {
-    if (shadow_traffic_bits == 0) 
+    if (shadow_traffic_bits == appid_previous_shadow_traffic_bits)
         return;
-     
+
     const char* app_name;
     unsigned shadow_traffic_pub_id = 0;
     std::string str_print;
     Packet* curr_packet = nullptr;
 
+    if (shadow_traffic_bits & ShadowTraffic_Type_Domain_Fronting)
+    {
+        AppId payload_id = api.asd->get_api().get_payload_app_id();
+        set_shadow_traffic_publishing_appid(payload_id);
+    }
+
     AppId publishing_appid = get_shadow_traffic_publishing_appid();
     app_name = api.asd->get_odp_ctxt().get_app_info_mgr().get_app_name(publishing_appid);
 
@@ -1243,7 +1242,7 @@ void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_b
         }
         else 
         {
-            APPID_LOG(curr_packet, TRACE_DEBUG_LEVEL,"Appname is invalid, not publishing shadow traffic event without appname\n");
+            APPID_LOG(curr_packet, TRACE_DEBUG_LEVEL, "Appname is invalid, not publishing shadow traffic event without appname\n");
             return; 
         }
     }
@@ -1259,7 +1258,10 @@ void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_b
     APPID_LOG(curr_packet, TRACE_DEBUG_LEVEL, 
         "AppID: ShadowTraffic Published event for: %s, application_name: %s(%d)\n", 
         str_print.c_str(), app_name, publishing_appid);
-} 
+
+    set_previous_shadow_traffic_bits(shadow_traffic_bits);
+    reset_shadow_traffic_bits();
+}
 
 void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packet& p,
     bool is_httpx, uint32_t httpx_stream_index)
@@ -1378,27 +1380,14 @@ void AppIdSession::process_shadow_traffic_appids()
     } 
 }
 
-void AppIdSession::check_domain_fronting_status()  
+void AppIdSession::check_domain_fronting_status(const std::string& host)  
 {
-    if (api.asd->get_session_flags(APPID_SESSION_DECRYPTED) or api.asd->get_session_flags(APPID_SESSION_APP_REINSPECT)) 
-    { 
-        AppIdHttpSession* hsession = api.asd->get_http_session();
-        if (hsession) 
-        {
-            const std::string* host = hsession->get_field(REQ_HOST_FID); 
-            if (host)
-            {
-                TLSDomainFrontCheckEvent domain_front_event(api.asd->get_cert_key(), *host);
-                DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DOMAIN_FRONTING, domain_front_event);
-                if (DomainFrontingStatus::MISMATCH == domain_front_event.get_cert_lookup_verdict())
-                {
-                    uint32_t shadow_bits = get_shadow_traffic_bits();
-                    shadow_bits |= ShadowTraffic_Type_Domain_Fronting;
-                    set_shadow_traffic_bits(shadow_bits);
-                    AppId payload_id = api.asd->get_api().get_payload_app_id();
-                    set_shadow_traffic_publishing_appid(payload_id);
-                }
-            }
-        } 
-    } 
-} 
+    TLSDomainFrontCheckEvent domain_front_event(api.asd->get_cert_key(), host);
+    DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DOMAIN_FRONTING, domain_front_event);
+    if (DomainFrontingStatus::MISMATCH == domain_front_event.get_cert_lookup_verdict())
+    {
+        uint32_t shadow_bits = get_shadow_traffic_bits();
+        shadow_bits |= ShadowTraffic_Type_Domain_Fronting;
+        set_shadow_traffic_bits(shadow_bits);
+    }
+}
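Review bot: The lookup is now driven by the Host header at the time it is parsed and publishes with whatever `get_cert_key()` currently holds, and nothing here rejects an empty host or an empty key; `ssl_cert_key` is a plain string member, so on a reinspected flow where the certificate key was never populated the subscriber's verdict on an empty key decides whether the flow is tagged as domain fronting. If the subscriber does not already treat that as "no verdict", a guard is cheap: `if (host.empty() or api.asd->get_cert_key().empty()) return;`. Either way a header comment stating the contract would help, e.g. `// Publishes a DOMAIN_FRONTING lookup of host against the session's TLS cert key and sets the domain-fronting shadow bit on MISMATCH; caller checks decrypt/reinspect state and the feature toggle.`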
index 84ba6e67ea1bda3d5f450e8fee0a5ac47cef6b21..2d136a20f540b71814e03c02ac35b68752286e62 100644 (file)
@@ -418,10 +418,11 @@ public:
         AppidChangeBits& change_bits);
     void publish_appid_event(AppidChangeBits&, const snort::Packet&, bool is_httpx = false,
         uint32_t httpx_stream_index = 0);
-    void publish_shadow_traffic_event(const uint32_t& shadow_traffic_bits,snort::Flow*)const;
+    void publish_shadow_traffic_event(const uint32_t& shadow_traffic_bits,snort::Flow*);
     void process_shadow_traffic_appids();
     void check_shadow_traffic_bits(AppId id, uint32_t& shadow_bits, AppId &publishing_appid, bool& is_publishing_set);
-    void check_domain_fronting_status();
+    void check_domain_fronting_status(const std::string& host);
+
 
     bool need_to_delete_tp_conn(ThirdPartyAppIdContext*) const;
 
@@ -749,7 +750,12 @@ public:
 
     void set_shadow_traffic_bits(uint32_t lv_bits)
     {
-       appid_shadow_traffic_bits = lv_bits;
+        appid_shadow_traffic_bits = lv_bits;
+    }
+
+    void reset_shadow_traffic_bits()
+    {
+        appid_shadow_traffic_bits = 0;
     }
 
     uint32_t get_shadow_traffic_bits()
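Review bot: `reset_shadow_traffic_bits()` is only meaningful in tandem with `set_previous_shadow_traffic_bits()` — publish_shadow_traffic_event calls the latter first and then this — and that pairing is not visible from the header; a one-line comment, `// Clears pending bits after they have been published; call after set_previous_shadow_traffic_bits().`, would prevent it being called on its own and silently dropping an event. The enclosing class starts before and ends after this hunk.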
@@ -800,6 +806,16 @@ public:
         return ssl_cert_key;
     }
 
+    void set_previous_shadow_traffic_bits(uint32_t lv_bits)
+    {
+       appid_previous_shadow_traffic_bits = lv_bits;
+    }
+
+    uint32_t get_previous_shadow_traffic_bits()
+    {
+        return appid_previous_shadow_traffic_bits;
+    }
+
 private:
     uint16_t prev_httpx_raw_packet = 0;
 
@@ -825,6 +841,7 @@ private:
     bool client_info_unpublished = false;
     string ssl_cert_key;
     uint32_t appid_shadow_traffic_bits = 0;
+    uint32_t appid_previous_shadow_traffic_bits = 0;
     AppId shadow_traffic_appid = APP_ID_NONE;
 };
 
index 66d0b1e876a3cd3e4b87595d8d6233f3dee0b889..d32534c8d322f120d2ef9152e9cfbb6ef5940efb 100644 (file)
@@ -248,6 +248,12 @@ void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packe
     DataBus::publish(0, AppIdEventIds::ANY_CHANGE, app_event, p.flow);
 }
 
+void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_bits, snort::Flow *)
+{
+    ShadowTrafficEvent shadow_event(shadow_traffic_bits, "", "", nullptr);
+    DataBus::publish(0, ShadowTrafficEventIds::SHADOWTRAFFIC_FLOW_DETECTED, shadow_event, flow); 
+}
+
 void AppIdHttpSession::set_tun_dest(){}
 
 // Stubs for ServiceDiscovery
index c29259bb3986f9cf53c0e103bc3b4c1673b27c47..0cc60b37dce140901fa0711c1d44d8392104ce73 100644 (file)
@@ -87,6 +87,7 @@ FakeHttpMsgHeader* fake_msg_header = nullptr;
 
 bool OdpContext::is_appid_cpu_profiler_enabled() { return false; }
 bool OdpContext::is_appid_cpu_profiler_running() { return false; }
+void AppIdSession::check_domain_fronting_status(const std::string&) {}
 
 AppIdSession* AppIdSession::allocate_session(const Packet*, IpProtocol, AppidSessionDirection,
     AppIdInspector&, OdpContext&)
index 9afe95b54c19eebe87cc42e61a26def5925ca55e..6df648fea3856f841d1143cb1932029df43551fa 100644 (file)
@@ -159,6 +159,8 @@ void AppIdSession::update_encrypted_app_id(AppId)
 {
 }
 
+void AppIdSession::check_domain_fronting_status(const std::string&) {}
+
 void AppIdModule::reset_stats() {}
 
 // AppIdDebug mock functions