Pull request #4442: appid: Early SSH detection brute-force fix
authorVitalii Izhyk -X (viizhyk - SOFTSERVE INC at Cisco) <viizhyk@cisco.com>
Fri, 20 Sep 2024 14:03:35 +0000 (14:03 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Fri, 20 Sep 2024 14:03:35 +0000 (14:03 +0000)
Merge in SNORT/snort3 from ~VIIZHYK/snort3:viizhyk_CSCwm05155_master to master

Squashed commit of the following:

commit 1ce5264a30bcbf5ff4ac3068b489599521e8c255
Author: viizhyk <viizhyk@cisco.com>
Date:   Wed Sep 11 08:44:12 2024 -0400

    appid: Early SSH detection brute-force fix

src/network_inspectors/appid/appid_discovery.cc
src/network_inspectors/appid/appid_session.h
src/network_inspectors/appid/appid_session_api.h
src/network_inspectors/appid/appid_ssh_event_handler.cc
src/network_inspectors/appid/service_plugins/service_discovery.cc
src/network_inspectors/appid/tp_appid_utils.cc

index 93a3f9b7cd161444666bb499c05ed1eae5f814db..030ac2646d0d4b8cf5161af3a637c8c71eb9fa81 100644 (file)
@@ -355,6 +355,10 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec
                 asd->client_disco_state = APPID_DISCO_STATE_FINISHED;
                 asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED |
                     APPID_SESSION_CLIENT_DETECTED);
+                    if ((asd->get_service_id() <= APP_ID_NONE) and (asd->expected_external_app_id > APP_ID_NONE))
+                    {
+                        asd->set_service_id(asd->expected_external_app_id, odp_ctxt);
+                    }
                 appid_log(p, TRACE_DEBUG_LEVEL, "stopped service/client discovery\n");
             }
         }
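Review bot: The four inserted lines are indented four columns deeper than the block they sit in (`asd->set_session_flags(...)` above and `appid_log(...)` below are at sixteen columns), so they read as if nested under the preceding statement; re-indent them to sixteen. The fallback also deserves a why-comment, since nothing here says where the id comes from, e.g. `// No local service match: fall back to the app id the third-party module reported for this flow (expected_external_app_id)`. Note the assignment does not re-check APPID_SESSION_WAIT_FOR_EXTERNAL, only that a local service id is absent; that looks intentional but is worth stating in the comment. do_pre_discovery begins before this hunk.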
index 867e99ca901296a571edaa2a2704f651c2ef4e2b..fce06c554a1cd6319104a58885a50ad946091af7 100644 (file)
@@ -300,6 +300,9 @@ public:
     // this field is maintained inside AppIdHttpSession.
     AppId misc_app_id = APP_ID_NONE;
 
+    // Following field stores AppID detection of which is delegated to external module.
+    AppId expected_external_app_id = APP_ID_NONE;
+
     // AppId matching client side
     APPID_DISCOVERY_STATE client_disco_state = APPID_DISCO_STATE_NONE;
     AppId client_inferred_service_id = APP_ID_NONE;
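Review bot: The comment on the new field is hard to parse ("detection of which is delegated"); suggest `// AppId reported by an external (third-party) module whose confirmation is still pending; applied as the service id if local discovery finishes without a match.` The second half is what appid_discovery.cc does with it in this commit. As far as this hunk shows, the field is only ever assigned and never reset when APPID_SESSION_WAIT_FOR_EXTERNAL is cleared, so it keeps the last external id for the session's lifetime — confirm that is intended, or document it. The enclosing class starts outside the hunk.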
index aee2f93a9f9efcdf44f1579851e56f80d767c01f..f5bf28bfccf48443cc5a96426de83bdafeb1ed8d 100644 (file)
@@ -93,7 +93,7 @@ namespace snort
 #define APPID_SESSION_OPPORTUNISTIC_TLS     (1ULL << 44)
 #define APPID_SESSION_FIRST_PKT_CACHE_MATCHED    (1ULL << 45)
 #define APPID_SESSION_DO_NOT_DECRYPT        (1ULL << 46)
-#define APPID_SESSION_EARLY_SSH_DETECTED        (1ULL << 47)
+#define APPID_SESSION_WAIT_FOR_EXTERNAL       (1ULL << 47)
 #define APPID_SESSION_IGNORE_ID_FLAGS \
     (APPID_SESSION_FUTURE_FLOW | \
     APPID_SESSION_NOT_A_SERVICE | \
index d4a195a03c4c26a0b282a6ce69290dd88a4c97e9..87d3fb51d152c58fd2186016d97b62150a907958 100644 (file)
@@ -201,12 +201,13 @@ void SshEventHandler::handle(DataEvent& event, Flow* flow)
     case SSH_VERSION_STRING:
         if (handle_protocol(ssh_event, fd))
         {
-            if (asd->get_session_flags(APPID_SESSION_EARLY_SSH_DETECTED))
+            if ( asd->get_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL) and
+                ((ssh_event.get_direction() == PKT_FROM_CLIENT) or data->client_info.vendor.size()) )
             {
                 appid_log(p, TRACE_DEBUG_LEVEL, "Early detection of SSH\n");
                 handle_success(*data, ssh_event, *asd, change_bits);
                 asd->publish_appid_event(change_bits, *ssh_event.get_packet());
-                asd->clear_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);
+                asd->clear_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL);
             }
         }
         else
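Review bot: `data->client_info.vendor.size()` is used as a boolean in the new condition; `!data->client_info.vendor.empty()` states the intent and is the idiomatic form. The direction clause also needs a comment, because the reason early detection fires on a client-side version string, or on a server-side one only once client vendor info is already populated, is not visible here — something like `// Fire early detection only after the client side of the exchange has been seen (this packet, or recorded earlier in client_info) — TODO confirm vendor is set by handle_protocol`. SshEventHandler::handle begins and ends outside this hunk.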
index 3f4390e79e0c920a25d29f398fabf7fbab20104c..23ee797b21622d6bb409823f7e9725fde39abed7 100644 (file)
@@ -435,6 +435,14 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p,
         sds->set_reset_time(0);
         ServiceState sds_state = sds->get_state();
 
+        if ( ((sds_state == ServiceState::FAILED) or (sds_state == ServiceState::SEARCHING_BRUTE_FORCE)) and
+            asd.get_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL))
+        {
+            if (appidDebug->is_active())
+                LogMessage("AppIdDbg %s No service match, waiting for external detection\n", appidDebug->get_debug_session());
+            return APPID_INPROCESS;
+        }
+
         if ( sds_state == ServiceState::FAILED )
         {
             appid_log(p, TRACE_DEBUG_LEVEL, "No service match, failed state\n");
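Review bot: The new early return has no bound: while APPID_SESSION_WAIT_FOR_EXTERNAL is set, a FAILED or SEARCHING_BRUTE_FORCE service state is turned into APPID_INPROCESS on every call, and within this commit the flag is only cleared by the SSH event handler on a successful version-string match. If the external detection never arrives — a flow the third-party module labelled SSH that never sends an SSH banner — the session would stay in process for its lifetime unless a packet or time cap exists elsewhere in identify_service; confirm one does, or clear the flag after a bounded number of packets so the brute-force path is eventually reached. Separately, the debug output uses `appidDebug->is_active()`/`LogMessage` while the adjacent FAILED branch uses the newer helper; prefer `appid_log(p, TRACE_DEBUG_LEVEL, "No service match, waiting for external detection\n");` for consistency. identify_service begins before and continues past this hunk.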
index daa70ac90197cff6dfeb5dd381eb4fc31b8d5118..cd87f16cabddec7e27a850c4b20dc2b51596f56c 100644 (file)
@@ -601,7 +601,8 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
     {
         appid_log(p, TRACE_DEBUG_LEVEL, "Setting the ignore and early detection flag\n");
          asd.get_odp_ctxt().get_app_info_mgr().set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE);
-         asd.set_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);
+         asd.set_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL);
+         asd.expected_external_app_id = tp_app_id;
     }
 
     unsigned app_info_flags = asd.get_odp_ctxt().get_app_info_mgr().get_app_info_flags(tp_app_id,
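Review bot: The log message on the line above the new flag assignment still says "early detection flag", but the flag being set is now APPID_SESSION_WAIT_FOR_EXTERNAL; update it to `"Setting the ignore and wait-for-external flag\n"` so traces match the code. The two new lines also copy the nine-column indentation of the existing `set_app_info_flags` line instead of the eight columns used by the `appid_log` call, leaving the block mixed — worth normalising while touching it. Nothing here validates `tp_app_id` before storing it, which is acceptable only because the consumer in appid_discovery.cc checks `> APP_ID_NONE`; a short comment saying so would help. do_tp_discovery and the guarding `if` begin before this hunk, and the statement on the last line continues past it.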