From: Bhumika Sachdeva (bsachdev) <bsachdev@cisco.com>
Date: Thu, 20 Feb 2025 15:51:13 +0000 (+0000)
Subject: Pull request #4628: appid: added publishing of domain fronting event
X-Git-Tag: 3.7.1.0~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e621c0258a9fac610fb6ef2726614a36e99f03c;p=thirdparty%2Fsnort3.git

Pull request #4628: appid: added publishing of domain fronting event

Merge in SNORT/snort3 from ~BSACHDEV/snort3:domain_fronting_publish to master

Squashed commit of the following:

commit 3d1ae6604b0870ae73795193030a0d9a488e819a
Author: bsachdev <bsachdev@cisco.com>
Date:   Wed Feb 19 17:13:54 2025 -0500

    appid: added publishing of domain fronting event
---

diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 72ff15bbc..ae3db22f7 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -1365,8 +1365,11 @@ void AppIdSession::check_domain_fronting_status()
         if (hsession) 
         { 
             const char* host = hsession->get_cfield(REQ_HOST_FID); 
-            if (host)
-                TLSDomainFrontCheckEvent(p, api.asd->get_cert_key(), host); 
+            if (host) 
+            {
+                TLSDomainFrontCheckEvent domain_front_event(p, api.asd->get_cert_key(), host);
+		        DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DOMAIN_FRONTING, domain_front_event, p->flow);
+	        }
         } 
     } 
 } 
diff --git a/src/pub_sub/appid_event_ids.h b/src/pub_sub/appid_event_ids.h
index c42efb88a..66c48fd61 100644
--- a/src/pub_sub/appid_event_ids.h
+++ b/src/pub_sub/appid_event_ids.h
@@ -34,6 +34,7 @@ struct AppIdEventIds
     DHCP_DATA,
     DHCP_INFO,
     FP_SMB_DATA,
+    DOMAIN_FRONTING,
 
     num_ids
 }; };