From: Umang Sharma (umasharm) Date: Fri, 22 Aug 2025 18:38:53 +0000 (+0000) Subject: Pull request #4867: appid: first packet API fixes for using asd instead of odp X-Git-Tag: 3.9.5.0~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=12a831a98a8f415503c6045f254e618818077ca8;p=thirdparty%2Fsnort3.git Pull request #4867: appid: first packet API fixes for using asd instead of odp Merge in SNORT/snort3 from ~UMASHARM/snort3:firstpktapi_microsoftintune to master Squashed commit of the following: commit 5fab9921282122a75757f7deca5a70235e8790c9 Author: Umang Sharma Date: Fri Aug 15 11:06:40 2025 -0400 appid: first packet API fixes for using asd instead of odp --- diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc index ad8ea25b6..10e83554b 100644 --- a/src/network_inspectors/appid/app_info_table.cc +++ b/src/network_inspectors/appid/app_info_table.cc @@ -388,6 +388,13 @@ void AppInfoManager::load_odp_config(OdpContext& odp_ctxt, const char* path) odp_ctxt.allow_port_wildcard_host_cache = true; } } + else if (!(strcasecmp(conf_key, "allow_port_wildcard_firstpkt_cache"))) + { + if (!(strcasecmp(conf_val, "enabled"))) + { + odp_ctxt.allow_port_wildcard_firstpkt_cache = true; + } + } else if (!(strcasecmp(conf_key, "recheck_for_portservice_appid"))) { if (!(strcasecmp(conf_val, "enabled"))) diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index 0f7de4284..6404abb73 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc 
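Review bot: The new `allow_port_wildcard_firstpkt_cache` branch in `load_odp_config` (app_info_table.cc) accepts only the literal `enabled` and leaves the flag false for any other value, so a misspelled value turns port-wildcard matching off with no log line. This matches the neighbouring keys, but the key now splits first-packet behaviour away from `allow_port_wildcard_host_cache`, so a comment above the branch would help: `// Wildcards the port for first-packet cache keys only; independent of allow_port_wildcard_host_cache.` Consider also logging a warning when `conf_val` is not a recognised value. `load_odp_config` begins and ends outside the hunk.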
@@ -222,6 +222,7 @@ void OdpContext::dump_appid_config() APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: host_port_app_cache_lookup_interval %d\n", host_port_app_cache_lookup_interval); APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: host_port_app_cache_lookup_range %d\n", host_port_app_cache_lookup_range); APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: allow_port_wildcard_host_cache %s\n", (allow_port_wildcard_host_cache ? "True" : "False")); + APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: allow_port_wildcard_firstpkt_cache %s\n", (allow_port_wildcard_firstpkt_cache ? "True" : "False")); APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: recheck_for_portservice_appid %s\n", (recheck_for_portservice_appid ? "True" : "False")); APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: max_bytes_before_service_fail %" PRIu64" \n", max_bytes_before_service_fail); APPID_LOG(nullptr, TRACE_INFO_LEVEL, "Appid Config: max_packet_before_service_fail %" PRIu16" \n", max_packet_before_service_fail); diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h index dfe91df0e..a08701067 100644 --- a/src/network_inspectors/appid/appid_config.h +++ b/src/network_inspectors/appid/appid_config.h @@ -144,6 +144,7 @@ public: bool need_reinspection = false; bool tp_allow_probes = false; bool allow_port_wildcard_host_cache = false; + bool allow_port_wildcard_firstpkt_cache = false; bool recheck_for_portservice_appid = false; bool eve_http_client = true; bool appid_cpu_profiler = true; 
@@ -151,18 +152,13 @@ public: uint8_t brute_force_inprocess_threshold = DEFAULT_BRUTE_FORCE_INPROCESS_STATE_THRESHOLD; uint16_t max_packet_before_service_fail = DEFAULT_MAX_PKTS_BEFORE_SERVICE_FAIL; uint16_t max_packet_service_fail_ignore_bytes = DEFAULT_MAX_PKT_BEFORE_SERVICE_FAIL_IGNORE_BYTES; - AppId first_pkt_service_id = 0; - AppId first_pkt_payload_id = 0; - AppId first_pkt_client_id = 0; uint32_t chp_body_collection_max = 0; uint32_t rtmp_max_packets = 15; uint32_t max_tp_flow_depth = 5; uint32_t failed_state_expiration_secs = DEFAULT_FAILED_STATE_EXPIRATION_SECS; uint32_t host_port_app_cache_lookup_interval = 10; uint32_t host_port_app_cache_lookup_range = 100000; - uint64_t max_bytes_before_service_fail = DEFAULT_MAX_BYTES_BEFORE_SERVICE_FAIL; - FirstPktAppIdDiscovered first_pkt_appid_prefix = NO_APPID_FOUND; - + uint64_t max_bytes_before_service_fail = DEFAULT_MAX_BYTES_BEFORE_SERVICE_FAIL; OdpContext(const AppIdConfig&, snort::SnortConfig*); void initialize(AppIdInspector& inspector); diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index f1636737b..0c8c71b96 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc 
@@ -580,76 +580,76 @@ bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd, if (hv) { const char *service_app_name = nullptr, *client_app_name = nullptr, *payload_app_name = nullptr; - asd.get_odp_ctxt().first_pkt_appid_prefix = NO_APPID_FOUND; + asd.first_pkt_appid_prefix = NO_APPID_FOUND; if (hv->client_appId) { client_id = hv->client_appId; client_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(client_id); - asd.get_odp_ctxt().first_pkt_client_id = client_id; - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_CLIENT_APPID_FOUND; + asd.first_pkt_client_id = client_id; + asd.first_pkt_appid_prefix = FIRST_CLIENT_APPID_FOUND; } if (hv->protocol_appId) { service_id = hv->protocol_appId; service_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id); - asd.get_odp_ctxt().first_pkt_service_id = service_id; + asd.first_pkt_service_id = service_id; - if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_CLIENT_APPID_FOUND) + if (asd.first_pkt_appid_prefix == FIRST_CLIENT_APPID_FOUND) { - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_CLIENT_APPID_FOUND; + asd.first_pkt_appid_prefix = FIRST_SERVICE_CLIENT_APPID_FOUND; } else { - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_APPID_FOUND; + asd.first_pkt_appid_prefix = FIRST_SERVICE_APPID_FOUND; } } if (hv->web_appId) { payload_id = hv->web_appId; payload_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(payload_id); - asd.get_odp_ctxt().first_pkt_payload_id = payload_id; + asd.first_pkt_payload_id = payload_id; - if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_CLIENT_APPID_FOUND) + if (asd.first_pkt_appid_prefix == FIRST_CLIENT_APPID_FOUND) { - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_CLIENT_PAYLOAD_APPID_FOUND; + asd.first_pkt_appid_prefix = FIRST_CLIENT_PAYLOAD_APPID_FOUND; } - else if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_SERVICE_APPID_FOUND) + else if (asd.first_pkt_appid_prefix == 
FIRST_SERVICE_APPID_FOUND) { - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_PAYLOAD_APPID_FOUND; + asd.first_pkt_appid_prefix = FIRST_SERVICE_PAYLOAD_APPID_FOUND; } - else if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_SERVICE_CLIENT_APPID_FOUND) + else if (asd.first_pkt_appid_prefix == FIRST_SERVICE_CLIENT_APPID_FOUND) { - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_ALL_APPID_FOUND; + asd.first_pkt_appid_prefix = FIRST_ALL_APPID_FOUND; } else { - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_PAYLOAD_APPID_FOUND; + asd.first_pkt_appid_prefix = FIRST_PAYLOAD_APPID_FOUND; } } asd.get_odp_ctxt().need_reinspection = hv->reinspect; - switch (asd.get_odp_ctxt().first_pkt_appid_prefix) + switch (asd.first_pkt_appid_prefix) { case FIRST_PAYLOAD_APPID_FOUND : service_id = payload_id; service_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id); - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_PAYLOAD_APPID_FOUND; - asd.get_odp_ctxt().first_pkt_service_id = service_id; + asd.first_pkt_appid_prefix = FIRST_SERVICE_PAYLOAD_APPID_FOUND; + asd.first_pkt_service_id = service_id; break; case FIRST_CLIENT_APPID_FOUND : service_id = client_id; service_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id); - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_CLIENT_APPID_FOUND; - asd.get_odp_ctxt().first_pkt_service_id = service_id; + asd.first_pkt_appid_prefix = FIRST_SERVICE_CLIENT_APPID_FOUND; + asd.first_pkt_service_id = service_id; break; case FIRST_CLIENT_PAYLOAD_APPID_FOUND : service_id = client_id; service_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id); - asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_ALL_APPID_FOUND; - asd.get_odp_ctxt().first_pkt_service_id = service_id; + asd.first_pkt_appid_prefix = FIRST_ALL_APPID_FOUND; + asd.first_pkt_service_id = service_id; break; case NO_APPID_FOUND : 
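Review bot: The unchanged line `asd.get_odp_ctxt().need_reinspection = hv->reinspect;` still writes a per-flow cache result into the ODP context, which is the same pattern this commit removes for the `first_pkt_*` fields. If the ODP context is shared across sessions, as the move to `asd` suggests, one flow's `reinspect` value can decide reinspection for an unrelated flow, and packet threads would presumably write it without synchronisation. Consider moving it to the session as well, for example `asd.need_reinspection = hv->reinspect;` backed by a new `bool need_reinspection = false;` member in `AppIdSession`, and updating its readers. `detect_on_first_pkt` begins and ends outside the hunk, so those readers are not visible here.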
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 3059e2582..3fd686e8c 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -826,13 +826,13 @@ AppId AppIdSession::pick_service_app_id() const { if ((rval = api.service.get_id()) > APP_ID_NONE) return rval; - else if (odp_ctxt.first_pkt_service_id > APP_ID_NONE) - return odp_ctxt.first_pkt_service_id; + else if (first_pkt_service_id > APP_ID_NONE) + return first_pkt_service_id; else rval = APP_ID_UNKNOWN; } - else if (odp_ctxt.first_pkt_service_id > APP_ID_NONE) - return odp_ctxt.first_pkt_service_id; + else if (first_pkt_service_id > APP_ID_NONE) + return first_pkt_service_id; } else { @@ -842,8 +842,8 @@ AppId AppIdSession::pick_service_app_id() const if (api.service.get_id() > APP_ID_NONE and !deferred) return api.service.get_id(); - if (odp_ctxt.first_pkt_service_id > APP_ID_NONE) - return odp_ctxt.first_pkt_service_id; + if (first_pkt_service_id > APP_ID_NONE) + return first_pkt_service_id; if (is_tp_appid_available()) { @@ -859,8 +859,8 @@ AppId AppIdSession::pick_service_app_id() const } else if (tp_app_id > APP_ID_NONE) return tp_app_id; - else if (odp_ctxt.first_pkt_service_id > APP_ID_NONE) - return odp_ctxt.first_pkt_service_id; + else if (first_pkt_service_id > APP_ID_NONE) + return first_pkt_service_id; } if (client_inferred_service_id > APP_ID_NONE) @@ -927,10 +927,10 @@ AppId AppIdSession::pick_ss_client_app_id() const return api.client.get_id(); } - if (odp_ctxt.first_pkt_client_id > APP_ID_NONE) + if (first_pkt_client_id > APP_ID_NONE) { api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_APPID); - return odp_ctxt.first_pkt_client_id; + return first_pkt_client_id; } api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_APPID); 
@@ -942,7 +942,7 @@ AppId AppIdSession::check_first_pkt_tp_payload_app_id() const if (get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and (api.payload.get_id() <= APP_ID_NONE)) { - if ((odp_ctxt.first_pkt_payload_id > APP_ID_NONE) and (tp_payload_app_id > APP_ID_NONE)) + if ((first_pkt_payload_id > APP_ID_NONE) and (tp_payload_app_id > APP_ID_NONE)) { return tp_payload_app_id; } @@ -973,8 +973,8 @@ AppId AppIdSession::pick_ss_payload_app_id(AppId service_id) const return api.payload.get_id(); else if (tp_payload_app_id > APP_ID_NONE) return tp_payload_app_id; - else if (odp_ctxt.first_pkt_payload_id > APP_ID_NONE) - return odp_ctxt.first_pkt_payload_id; + else if (first_pkt_payload_id > APP_ID_NONE) + return first_pkt_payload_id; } else return tmp_id; @@ -993,8 +993,8 @@ AppId AppIdSession::pick_ss_payload_app_id(AppId service_id) const if (encrypted.payload_id > APP_ID_NONE) return encrypted.payload_id; - if (odp_ctxt.first_pkt_payload_id > APP_ID_NONE) - return odp_ctxt.first_pkt_payload_id; + if (first_pkt_payload_id > APP_ID_NONE) + return first_pkt_payload_id; // APP_ID_UNKNOWN is valid only for HTTP type services if (tmp_id == APP_ID_UNKNOWN) diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 2d136a20f..e5c4f3546 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -282,6 +282,11 @@ public: uint16_t session_packet_count = 0; uint16_t init_pkts_without_reply = 0; uint64_t init_bytes_without_reply = 0; + AppId first_pkt_service_id = 0; + AppId first_pkt_payload_id = 0; + AppId first_pkt_client_id = 0; + FirstPktAppIdDiscovered first_pkt_appid_prefix = NO_APPID_FOUND; + IpProtocol protocol = IpProtocol::PROTO_NOT_SET; uint8_t previous_tcp_flags = 0; diff --git a/src/network_inspectors/appid/host_port_app_cache.cc b/src/network_inspectors/appid/host_port_app_cache.cc index b7d4d2b29..f443aca8d 100644 
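Review bot: In appid_session.h the new members `first_pkt_service_id`, `first_pkt_payload_id` and `first_pkt_client_id` are initialised with a bare `0`, while every reader in appid_session.cc compares them against `APP_ID_NONE`. Writing `AppId first_pkt_service_id = APP_ID_NONE;` (and likewise for the other two) states the intent and stays correct if the constant ever changes. These values now live as long as the session, so any path that resets or re-initialises session detection state should clear them together with `first_pkt_appid_prefix`; no such reset is visible in this diff, which is worth confirming. A one-line comment above the group, such as `// AppIds taken from the first-packet host cache for this flow`, would record where they come from.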
--- a/src/network_inspectors/appid/host_port_app_cache.cc +++ b/src/network_inspectors/appid/host_port_app_cache.cc @@ -145,7 +145,7 @@ bool HostPortCache::add(const SnortConfig* sc, const SfIp* ip, uint16_t port, Ip const HostAppIdsVal* HostPortCache::find_on_first_pkt(const SfIp* ip, uint16_t port, IpProtocol protocol, const OdpContext& odp_ctxt) { - uint16_t lookup_port = (odp_ctxt.allow_port_wildcard_host_cache)? 0 : port; + uint16_t lookup_port = (odp_ctxt.allow_port_wildcard_firstpkt_cache)? 0 : port; if (!cache_first_ip.empty()) { @@ -186,7 +186,7 @@ bool HostPortCache::add_host(const SnortConfig* sc, const SfIp* ip, uint32_t* ne assert(inspector); const AppIdContext& ctxt = inspector->get_ctxt(); - hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_host_cache)? 0 : port; + hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_firstpkt_cache)? 0 : port; hk.proto = proto; hv.protocol_appId = protocol_appId; @@ -212,7 +212,7 @@ bool HostPortCache::add_host(const SnortConfig* sc, const SfIp* ip, uint32_t* ne assert(inspector); const AppIdContext& ctxt = inspector->get_ctxt(); - hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_host_cache)? 0 : port; + hk.port = (ctxt.get_odp_ctxt().allow_port_wildcard_firstpkt_cache)? 0 : port; hk.proto = proto; hv.protocol_appId = protocol_appId; diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc index 43b50c3f5..0f0f25858 100644 --- a/src/network_inspectors/appid/service_plugins/service_discovery.cc +++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc 
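Review bot: `find_on_first_pkt` and both `add_host` hunks now key the first-packet cache on `allow_port_wildcard_firstpkt_cache`, so a configuration that sets only `allow_port_wildcard_host_cache enabled` silently changes from port-wildcard to exact-port first-packet matching after upgrade. Flows that used to be identified from the first packet would then fall through to normal detection, which can change when app-based rules take effect, so this deserves a release-note entry or a deprecation warning. Also, `add_host` reads the flag through `inspector->get_ctxt().get_odp_ctxt()` while `find_on_first_pkt` uses its `odp_ctxt` argument, so stored and looked-up keys agree only if both see the same flag value; a comment at `lookup_port` such as `// must match the port keying used by add_host()` would state that invariant. With the flag on, port 0 makes one entry cover every port on that address, so the entry's app IDs are applied on IP and protocol alone.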
@@ -829,7 +829,7 @@ int ServiceDiscovery::fail_service(AppIdSession& asd, const Packet* pkt, AppidSe /* If we're still working on a port/pattern list of detectors, then ignore * individual fails until we're done looking at everything. */ - if ((asd.get_odp_ctxt().first_pkt_service_id > APP_ID_NONE) or (!asd.service_detector && !asd.service_candidates.empty())) + if ((asd.first_pkt_service_id > APP_ID_NONE) or (!asd.service_detector && !asd.service_candidates.empty())) return APPID_SUCCESS; asd.set_service_id(APP_ID_NONE, asd.get_odp_ctxt());
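Review bot: The comment above the early return in `fail_service` describes only the pending port/pattern detector case, but the condition also returns `APPID_SUCCESS` whenever `asd.first_pkt_service_id > APP_ID_NONE`. A session with a first-packet cache service therefore never reaches `asd.set_service_id(APP_ID_NONE, ...)` on this path, so the cached service ID is kept even when detectors fail. If that is intended, say so in the comment, for example `// A first-packet cache service is kept for this session: do not record a detector failure.` The function begins and ends outside the hunk, so the later failure accounting is not visible here.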