AppInfoTableEntry* entry = new AppInfoTableEntry(app_id, app_name, service_id,
client_id, payload_id, attributes);
- // FIXIT-RC: Sometimes the token is "~". Should we ignore those?
- if (snort_service_key)
+ //Ignore "~" service key, which is used to indicate an empty service key
+ if (snort_service_key and (strcmp(snort_service_key, "~") != 0))
entry->snort_protocol_id = add_appid_protocol_reference(snort_service_key, sc);
if (!add_entry_to_app_info_name_table(entry->app_name_key, entry))
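Review bot: The added comment `//Ignore "~" service key...` drops the space after `//` that the rest of the file uses (compare `// A particular APP_ID_xxx` later in this diff); `// Ignore the "~" service key, which marks an empty service key` matches the house style. The check itself is the answer to the FIXIT it replaces, so it is worth keeping that context in the comment rather than losing it with the FIXIT line. The allocation of `entry` and the enclosing function start outside the hunk.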
asd->pick_ss_referred_payload_app_id(), change_bits);
if (PacketTracer::is_daq_activated())
populate_trace_data(*asd);
+ change_bits.set(APPID_PROTOCOL_ID_BIT);
asd->publish_appid_event(change_bits, *p);
asd->set_session_flags(APPID_SESSION_FUTURE_FLOW_IDED);
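Review bot: `change_bits.set(APPID_PROTOCOL_ID_BIT)` is raised unconditionally before `publish_appid_event` here, whereas the rewritten `sync_with_snort_protocol_id` elsewhere in this diff only sets the bit after a non-zero protocol id was actually pushed to the flow. The binder hunk later in the diff (the `test(APPID_PROTOCOL_ID_BIT)` block) also removed its `flow.ssn_state.snort_protocol_id == 0` guard before calling `sc->proto_ref->get_name(...)`, so an event with the bit set and a zero protocol id on the flow looks reachable from this path; unless `get_name()` is known to tolerate 0 (not visible here), either keep `if (flow.ssn_state.snort_protocol_id == 0) return;` in the binder or set the bit here only when a protocol id was pushed. The `service_app_id <= 0` half of the old binder guard looks intentionally retired now that binding is keyed on the protocol id. The enclosing function starts and ends outside the hunk.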
asd.set_payload_id(hv->appId);
break;
default:
+ AppidChangeBits tmp_bits;
asd.set_service_id(hv->appId, asd.get_odp_ctxt());
- asd.sync_with_snort_protocol_id(hv->appId, p);
+ asd.sync_with_snort_protocol_id(hv->appId, p, tmp_bits);
asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
asd.set_session_flags(APPID_SESSION_SERVICE_DETECTED);
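Review bot: `AppidChangeBits tmp_bits;` in the default case is a throwaway, so any APPID_PROTOCOL_ID_BIT that `sync_with_snort_protocol_id` records on this path is discarded rather than published, unlike the other call sites in this diff that pass the live change_bits. If no change_bits is available in this scope, a comment such as `// protocol-id change is deliberately not published from this path` would stop the next reader from treating it as an oversight; if one is available, pass it instead of tmp_bits. The enclosing switch and function start and end outside the hunk.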
const char *app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(ps_id);
APPID_LOG(p, TRACE_DEBUG_LEVEL, "Protocol service %s (%d) from protocol\n",
app_name ? app_name : "unknown", ps_id);
+
+ asd.sync_with_snort_protocol_id(id, p, change_bits);
}
asd.set_session_flags(APPID_SESSION_PORT_SERVICE_DONE);
+
}
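Review bot: The added call `asd.sync_with_snort_protocol_id(id, p, change_bits);` passes `id`, while the log line just above reports `ps_id`; if both hold the same value the two statements should use one name, and if they differ the sync is pushing a different app id than the one being logged — worth confirming against the declarations above the hunk. The added blank `+` line immediately before the closing brace is also stray. The enclosing function starts outside the hunk.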
else
{
service_id = asd.pick_service_app_id();
misc_id = asd.pick_ss_misc_app_id();
}
+ if (asd.tpsession)
+ asd.tpsession->set_state(TP_STATE_TERMINATED);
+ asd.set_session_flags(APPID_SESSION_NO_TPI);
+ asd.set_session_flags(APPID_SESSION_SERVICE_DETECTED);
+ asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
+ asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
return true;
}
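Review bot: The five added lines before `return true;` repeat the sequence already present in the earlier switch's default case (`asd.set_session_flags(APPID_SESSION_SERVICE_DETECTED)` plus both `*_disco_state = APPID_DISCO_STATE_FINISHED`), now with tpsession termination and APPID_SESSION_NO_TPI in front; a small private helper (a constructed name such as `finish_discovery(asd)`) would keep the two paths from drifting apart. A one-line comment explaining why third-party inspection is abandoned unconditionally on this path, e.g. `// service already identified locally; stop third-party inspection`, would also help, assuming that is the reason. The enclosing function starts outside the hunk.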
if (is_discovery_done and asd.get_shadow_traffic_bits() == 0 )
asd.process_shadow_traffic_appids();
+ if (change_bits.test(APPID_SERVICE_BIT))
+ {
+ asd.sync_with_snort_protocol_id(service_id, p, change_bits);
+ }
+
asd.publish_appid_event(change_bits, *p);
}
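Review bot: The added `if (change_bits.test(APPID_SERVICE_BIT))` wraps a single statement in braces and is followed by a stray blank `+` line, while the neighbouring `if (is_discovery_done ...)` two lines above uses the file's brace-less single-statement form; `if (change_bits.test(APPID_SERVICE_BIT))` / `asd.sync_with_snort_protocol_id(service_id, p, change_bits);` matches the surrounding style. The enclosing function starts outside the hunk.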
APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT);
}
-void AppIdSession::sync_with_snort_protocol_id(AppId newAppId, Packet* p)
+void AppIdSession::sync_with_snort_protocol_id(AppId newAppId, Packet* p, AppidChangeBits& change_bits)
{
if (newAppId <= APP_ID_NONE or newAppId >= SF_APPID_MAX)
return;
// A particular APP_ID_xxx may not be assigned a service_snort_key value
// in the appMapping.data file entry; so ignore the snort_protocol_id ==
// UNKNOWN_PROTOCOL_ID case.
- if (tmp_snort_protocol_id != snort_protocol_id)
+ if (tmp_snort_protocol_id)
{
- snort_protocol_id = tmp_snort_protocol_id;
- Stream::set_snort_protocol_id(p->flow, tmp_snort_protocol_id, true);
+ if (tmp_snort_protocol_id != snort_protocol_id)
+ {
+ if (tmp_snort_protocol_id != p->flow->ssn_state.snort_protocol_id)
+ change_bits.set(APPID_PROTOCOL_ID_BIT);
+ snort_protocol_id = tmp_snort_protocol_id;
+ Stream::set_snort_protocol_id(p->flow, tmp_snort_protocol_id, true);
+ }
}
}
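Review bot: The new guard `if (tmp_snort_protocol_id)` implements the comment's "ignore the UNKNOWN_PROTOCOL_ID case" by relying on UNKNOWN_PROTOCOL_ID being zero; comparing against the named constant states the intent and survives a change of its value. The two nested ifs then collapse into one early return, `if (tmp_snort_protocol_id == UNKNOWN_PROTOCOL_ID or tmp_snort_protocol_id == snort_protocol_id)` / `return;`, followed by the bit-set and the two assignments. One consequence deserves a comment: the old code pushed the new value whenever it differed from snort_protocol_id, so a later app id mapping to UNKNOWN_PROTOCOL_ID cleared the flow's protocol id, while the new code leaves the earlier binding in place. The line that computes tmp_snort_protocol_id is not visible in the hunk.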
bool AppIdSession::is_tp_appid_done() const
{
- if (get_session_flags(APPID_SESSION_FUTURE_FLOW) or !tp_appid_ctxt)
+ if (get_session_flags(APPID_SESSION_FUTURE_FLOW | APPID_SESSION_NO_TPI) or !tp_appid_ctxt)
return true;
if (!tpsession)
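Review bot: `get_session_flags(APPID_SESSION_FUTURE_FLOW | APPID_SESSION_NO_TPI)` reads as "both flags set" to anyone who does not know the accessor returns the masked bits (the removed block later in this diff compares its result against APPID_SESSION_SERVICE_DETECTED, which is what establishes the any-of semantics); a comment on that line such as `// either flag alone ends third-party inspection` removes the ambiguity. The function continues past the hunk.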
void check_tunnel_detection_restart();
void update_encrypted_app_id(AppId);
void examine_rtmp_metadata(AppidChangeBits& change_bits);
- void sync_with_snort_protocol_id(AppId, snort::Packet*);
+ void sync_with_snort_protocol_id(AppId, snort::Packet*, AppidChangeBits&);
void stop_service_inspection(snort::Packet*, AppidSessionDirection);
void clear_http_flags();
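Review bot: The new third parameter of `sync_with_snort_protocol_id` is undocumented at the declaration; from the definition in this diff it is only written, and only when a non-zero protocol id is pushed to the flow and differs from the flow's current one. A comment above the declaration such as `// Pushes the snort protocol id mapped to the app id onto the flow; sets APPID_PROTOCOL_ID_BIT in change_bits when the flow's id changes. Ignores APP_ID_NONE and ids with no snort_service_key.` would tell callers what to pass and what to expect back.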
{
bool is_discovery_done = false;
AppInfoTableEntry* entry;
- bool was_service = asd.is_service_detected();
AppId tp_app_id = asd.get_tp_app_id();
if (asd.client_disco_state == APPID_DISCO_STATE_NONE and
}
}
- if ( !was_service && asd.is_service_detected() )
- asd.sync_with_snort_protocol_id(asd.get_service_id(), p);
-
return is_discovery_done;
}
asd.examine_rtmp_metadata(change_bits);
else if (asd.get_session_flags(APPID_SESSION_SSL_SESSION) and asd.tsession)
asd.examine_ssl_metadata(change_bits);
-
- if (tp_app_id <= APP_ID_NONE and asd.get_session_flags(
- APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE |
- APPID_SESSION_IGNORE_HOST) == APPID_SESSION_SERVICE_DETECTED)
- {
- asd.sync_with_snort_protocol_id(asd.get_service_id(), p);
- }
}
return is_discovery_done;
CHECK_EQUAL(service, APPID_UT_ID);
CHECK_EQUAL(client, APPID_UT_ID);
CHECK_EQUAL(payload, APPID_UT_ID);
- STRCMP_EQUAL("Published change_bits == 0000000000000000000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000000000000", test_log);
// Server name based detection
service = APP_ID_NONE;
STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_sni(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 0000000000000100011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000100011000", test_log);
// Common name based detection
mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits);
STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco");
- STRCMP_EQUAL("Published change_bits == 0000000000000100011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000100011000", test_log);
// First alt name based detection
change_bits.reset();
CHECK_EQUAL(payload, APPID_UT_ID + 1);
STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 0000000000000100011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000100011000", test_log);
// Org unit based detection
string host = "";
CHECK_EQUAL(client, APPID_UT_ID + 3);
CHECK_EQUAL(payload, APPID_UT_ID + 3);
STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), APPID_UT_ORG_UNIT);
- STRCMP_EQUAL("Published change_bits == 0000000000000000011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000000011000", test_log);
// Override client id found by SSL pattern matcher with the client id provided by
// Encrypted Visibility Engine if available
STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 0000000000000100011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000100011000", test_log);
//check for sni mismatch being stored in sni field
change_bits.reset();
}
// Stubs for AppIdSession
-void AppIdSession::sync_with_snort_protocol_id(AppId, Packet*) {}
+void AppIdSession::sync_with_snort_protocol_id(AppId, Packet*,AppidChangeBits&) {}
void AppIdSession::check_app_detection_restart(AppidChangeBits&, ThirdPartyAppIdContext*) {}
void AppIdSession::set_client_appid_data(AppId, AppidChangeBits&, char*) {}
void AppIdSession::examine_rtmp_metadata(AppidChangeBits&) {}
AppIdDiscovery::do_application_discovery(&p, ins, app_ctxt.get_odp_ctxt(), nullptr);
- // Detect changes in service, client, payload, and misc appid
+ // Detect changes in service, client, payload, misc appid and snort protocol id
mock().checkExpectations();
- STRCMP_EQUAL("Published change_bits == 0000000000000001111100", test_log);
+ STRCMP_EQUAL("Published change_bits == 10000000000000001111100", test_log);
delete &asd->get_api();
delete asd;
// Detect changes in service, client, payload, and misc appid
mock().checkExpectations();
- STRCMP_EQUAL("Published change_bits == 0000000000000001111100", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000001111100", test_log);
delete &asd->get_api();
delete asd;
delete flow;
change_bits_to_string(change_bits, str);
STRCMP_EQUAL(str.c_str(), "created, reset, service, client, payload, misc, referred, host,"
" tls-host, url, user-agent, response, referrer, dns-host, dns-response-host, service-info, client-info,"
- " user-info, netbios-name, netbios-domain, finished, tls-version");
+ " user-info, netbios-name, netbios-domain, finished, tls-version, protocol-id");
// Failure of this test is a reminder that enum is changed, hence translator needs update
- CHECK_EQUAL(APPID_MAX_BIT, 22);
+ CHECK_EQUAL(APPID_MAX_BIT, 23);
}
int main(int argc, char** argv)
if ( tp_app_id > APP_ID_NONE )
{
- AppId snort_app_id = APP_ID_NONE;
-
if ( hsession )
{
- snort_app_id = APP_ID_HTTP;
//data should never be APP_ID_HTTP
if (tp_app_id != APP_ID_HTTP)
asd.set_tp_payload_app_id(*p, direction, tp_app_id, change_bits);
const char *tp_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(tp_app_id);
APPID_LOG(p, TRACE_DEBUG_LEVEL, "SSL is %s (%d)\n", tp_app_name ? tp_app_name : "unknown", tp_app_id);
}
- snort_app_id = APP_ID_SSL;
}
else if (asd.get_service_id() == APP_ID_QUIC)
asd.set_tp_payload_app_id(*p, direction, tp_app_id, change_bits);
- else
- {
- //for non-http protocols, tp id is treated like serviceId
- snort_app_id = tp_app_id;
- }
asd.set_tp_app_id(*p, direction, tp_app_id, change_bits);
- asd.sync_with_snort_protocol_id(snort_app_id, p);
}
if (direction == APP_ID_FROM_INITIATOR)
{
AppidEvent& appid_event = static_cast<AppidEvent&>(event);
- if(appid_event.get_change_bitset().test(APPID_SERVICE_BIT))
+ if(appid_event.get_change_bitset().test(APPID_PROTOCOL_ID_BIT))
{
- if ((appid_event.get_appid_session_api().get_service_app_id() <= 0)
- or (flow.ssn_state.snort_protocol_id == 0))
- return;
-
Stuff stuff;
const SnortConfig* sc = SnortConfig::get_conf();
const char* service = sc->proto_ref->get_name(flow.ssn_state.snort_protocol_id);
+
get_bindings(flow, stuff, service);
if(stuff.action == BindUse::BA_ALLOW)
APPID_NETBIOS_DOMAIN_BIT,
APPID_DISCOVERY_FINISHED_BIT,
APPID_TLS_VERSION_BIT,
+ APPID_PROTOCOL_ID_BIT,
APPID_MAX_BIT
};
--n? str.append("finished, ") : str.append("finished");
if (change_bits.test(APPID_TLS_VERSION_BIT))
--n? str.append("tls-version, ") : str.append("tls-version");
+ if (change_bits.test(APPID_PROTOCOL_ID_BIT))
+ --n? str.append("protocol-id, ") : str.append("protocol-id");
if (n != 0) // make sure all bits from AppidChangeBit enum get translated
str.append("change_bits_to_string error!");
}