void AppIdApi::set_ssl_certificate_key(const Flow& flow, const std::string& cert_key)
{
AppIdSession* asd = get_appid_session(flow);
- if (asd != nullptr and !cert_key.empty())
+ if (asd != nullptr and asd->get_odp_ctxt().get_appid_shadow_traffic_status() and !cert_key.empty())
asd->set_cert_key(cert_key);
}
-
-void AppIdApi::ssl_hostname_cert_lookup_verdict(const snort::Flow &flow, DomainFrontingStatus status)
-{
- AppIdSession* asd = get_appid_session(flow);
- if (asd != nullptr and status == DomainFrontingStatus::MISMATCH)
- {
- uint32_t shadow_bits = asd->get_shadow_traffic_bits();
- shadow_bits |= ShadowTraffic_Type_Domain_Fronting;
- asd->set_shadow_traffic_bits(shadow_bits);
- AppId payload_id = asd->get_api().get_payload_app_id();
- asd->set_shadow_traffic_publishing_appid(payload_id);
- }
-}
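Review bot: The new condition on line 5 silently drops the certificate key whenever shadow-traffic monitoring is off, and nothing at the call site says so; a comment above the `if` would make the contract explicit: `// The key is only kept for the domain-fronting check, which runs solely while shadow-traffic monitoring is enabled.` Because `update_shadow_traffic_status` (line 22) suggests the status can change at runtime, a session whose certificate arrived while monitoring was off will later reach the check with an empty key, so the consumer of `get_cert_key()` should treat an empty key as "no check possible". Removing `ssl_hostname_cert_lookup_verdict` also deletes a public `AppIdApi` entry point with no deprecation stub; if any out-of-tree code still calls it, that is a hard build break. The replacement path, a subscriber calling `TLSDomainFrontCheckEvent::set_cert_lookup_verdict` during publish, is only discoverable from `domain_fronting.h`, so a short note where the declaration was removed would help readers of the API header.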
void reset_appid_cpu_profiler_stats();
void update_shadow_traffic_status(bool status);
void set_ssl_certificate_key(const Flow& flow, const std::string& cert_key);
- void ssl_hostname_cert_lookup_verdict(const snort::Flow &flow, DomainFrontingStatus status);
bool is_service_http_type(AppId service_id) const
{
if ((pkt_thread_odp_ctxt->get_version() == api.asd->get_odp_ctxt_version()) and api.asd->get_odp_ctxt().get_appid_shadow_traffic_status())
{
check_domain_fronting_status();
-
- if (get_shadow_traffic_publishing_appid() > APP_ID_NONE)
- {
- if (api.asd->appid_shadow_traffic_bits != 0)
- api.asd->publish_shadow_traffic_event(api.asd->appid_shadow_traffic_bits, api.asd->flow);
- }
+ if (api.asd->appid_shadow_traffic_bits != 0)
+ api.asd->publish_shadow_traffic_event(api.asd->appid_shadow_traffic_bits, api.asd->flow);
}
if (!in_expected_cache)
app_name = api.asd->get_odp_ctxt().get_app_info_mgr().get_app_name(publishing_appid);
if (app_name == nullptr)
{
- APPID_LOG(nullptr, TRACE_ERROR_LEVEL, "Appname is invalid, not publishing shadow traffic event without appname\n");
+ APPID_LOG(CURRENT_PACKET, TRACE_DEBUG_LEVEL,"Appname is invalid, not publishing shadow traffic event without appname\n");
return;
}
if (api.asd->get_session_flags(APPID_SESSION_DECRYPTED) or api.asd->get_session_flags(APPID_SESSION_APP_REINSPECT))
{
AppIdHttpSession* hsession = api.asd->get_http_session();
- Packet* p = DetectionEngine::get_current_packet();
if (hsession)
- {
- const char* host = hsession->get_cfield(REQ_HOST_FID);
- if (host)
+ {
+ const std::string* host = hsession->get_field(REQ_HOST_FID);
+ if (host)
{
- TLSDomainFrontCheckEvent domain_front_event(p, api.asd->get_cert_key(), host);
- DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DOMAIN_FRONTING, domain_front_event, p->flow);
- }
+ TLSDomainFrontCheckEvent domain_front_event(api.asd->get_cert_key(), *host);
+ DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DOMAIN_FRONTING, domain_front_event);
+ if (DomainFrontingStatus::MISMATCH == domain_front_event.get_cert_lookup_verdict())
+ {
+ uint32_t shadow_bits = get_shadow_traffic_bits();
+ shadow_bits |= ShadowTraffic_Type_Domain_Fronting;
+ set_shadow_traffic_bits(shadow_bits);
+ AppId payload_id = api.asd->get_api().get_payload_app_id();
+ set_shadow_traffic_publishing_appid(payload_id);
+ }
+ }
}
}
}
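Review bot: Line 62 constructs `TLSDomainFrontCheckEvent` whose members are now references (`const std::string&`), bound to `api.asd->get_cert_key()` and `*host`; this is only safe if `get_cert_key()` returns a reference to storage owned by the session, which is not visible here — if it returns by value, the reference dangles before `DataBus::publish` on line 63 runs. Please confirm the return type, and guard the publish on an empty key so a session whose key was discarded by `set_ssl_certificate_key` does not emit a check event with an empty `cert_id`: `if (host and !api.asd->get_cert_key().empty())`. Dropping the `get_shadow_traffic_publishing_appid() > APP_ID_NONE` guard (old lines 31-32) means `publish_shadow_traffic_event` can now run with an unset publishing appid whenever other shadow bits are set; it then relies on `get_app_name` returning `nullptr` for that id (lines 40-46), which I cannot verify from this hunk. The removed unit test for the old verdict API is not replaced by one for the new MISMATCH branch on lines 64-71, so that path is currently untested. The enclosing functions of lines 27-38, 39-46 and 47-74 all start outside the hunk.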
delete &asd.get_api();
}
-TEST(appid_api, ssl_hostname_cert_lookup_verdict)
-{
- AppIdConfig config;
- OdpContext odpctxt(config, nullptr);
- SfIp ip{};
- AppIdSession asd(IpProtocol::TCP, &ip, 1492, dummy_appid_inspector, odpctxt, 0
-#ifndef DISABLE_TENANT_ID
- ,0
-#endif
- );
- AppidChangeBits change_bits;
- asd.set_ss_application_ids(APPID_UT_ID, APPID_UT_ID, APPID_UT_ID,
- APPID_UT_ID, APPID_UT_ID, change_bits);
- DomainFrontingStatus status = DomainFrontingStatus::MISMATCH;
- appid_api.ssl_hostname_cert_lookup_verdict(*flow, status);
-
- AppId id = asd.get_api().get_payload_app_id();
- asd.set_shadow_traffic_publishing_appid(id);
- CHECK_EQUAL(asd.get_shadow_traffic_publishing_appid(), APPID_UT_ID);
-
- uint32_t expected_shadow_bits = ShadowTraffic_Type_Domain_Fronting;
- asd.set_shadow_traffic_bits(expected_shadow_bits);
- CHECK_EQUAL(asd.get_shadow_traffic_bits(), expected_shadow_bits);
- delete &asd.get_api();
-}
-
TEST(appid_api, ssl_app_group_id_lookup)
{
mock().expectNCalls(7, "publish");
#define DOMAIN_FRONTING_H
#include "framework/data_bus.h"
+#include "pub_sub/appid_events.h"
#include <string>
enum class DomainFrontingStatus
{
+ UNDEFINED,
MISMATCH,
MATCHES,
CERT_NOT_IN_CACHE
};
-class TLSDomainFrontCheckEvent : public snort::DataEvent
+class SO_PUBLIC TLSDomainFrontCheckEvent : public snort::DataEvent
{
public:
- TLSDomainFrontCheckEvent(const snort::Packet& packet, const std::string& certificate_id,
- const std::string& hostname): cert_id(certificate_id), hostname(hostname), pkt(&packet) {}
+ TLSDomainFrontCheckEvent(const std::string& certificate_id,
+ const std::string& hostname)
+ : cert_id(certificate_id), hostname(hostname) {}
- const snort::Packet* get_packet() const override
- { return pkt; }
+ const std::string& get_cert_id() { return cert_id; }
+ const std::string& get_hostname () { return hostname; }
+ void set_cert_lookup_verdict(DomainFrontingStatus status) { this->df_status = status; }
+ DomainFrontingStatus get_cert_lookup_verdict() const { return df_status; }
private:
- const std::string cert_id;
- const std::string hostname;
- const snort::Packet* pkt;
+ const std::string &cert_id;
+ const std::string &hostname;
+ DomainFrontingStatus df_status = DomainFrontingStatus::UNDEFINED;
};
#endif
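Review bot: Changing `cert_id` and `hostname` to reference members (lines 137-138) moves lifetime responsibility to the publisher without documenting it, and the constructor will silently bind to a temporary passed as `certificate_id`; a class comment should state that the event is published synchronously, that the referenced strings must outlive it, and that a subscriber is expected to call `set_cert_lookup_verdict` during `DataBus::publish` (the caller reads the verdict immediately afterwards). Deleting the rvalue overload makes the temporary case a compile error rather than a dangling reference: `TLSDomainFrontCheckEvent(std::string&&, const std::string&) = delete;` (and the mirror overload for `hostname`). `get_cert_id()` and `get_hostname()` on lines 129-130 do not modify the object and should be `const` so a `const TLSDomainFrontCheckEvent&` subscriber can call them. Prepending `UNDEFINED` on line 113 shifts the numeric values of the existing enumerators; harmless if nothing serializes or switches on raw values, which I cannot confirm from here.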