From: Shravan Rangarajuvenkata (shrarang) Date: Mon, 2 Mar 2020 15:50:11 +0000 (+0000) Subject: Merge pull request #2041 in SNORT/snort3 from ~OZAIKA/snort3:ozaika_asproxy to master X-Git-Tag: 3.0.0-269~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f6b0b0dba70efb59134fa4725f5b4b1561194f0;p=thirdparty%2Fsnort3.git Merge pull request #2041 in SNORT/snort3 from ~OZAIKA/snort3:ozaika_asproxy to master Squashed commit of the following: commit 57ea30912d8b864caf6f17cd0dda03d771db595d Author: Oleksii Zaika Date: Thu Feb 27 08:24:06 2020 -0500 appid: detect apps using x-working-with http field in response header
---
diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc
index 8d8d3724e..190650583 100644
--- a/src/network_inspectors/appid/appid_http_event_handler.cc
+++ b/src/network_inspectors/appid/appid_http_event_handler.cc
@@ -86,8 +86,6 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow)
 hsession->set_field(REQ_COOKIE_FID, header_start, header_length, change_bits);
 header_start = http_event->get_referer(header_length);
 hsession->set_field(REQ_REFERER_FID, header_start, header_length, change_bits);
- header_start = http_event->get_x_working_with(header_length);
- hsession->set_field(MISC_XWW_FID, header_start, header_length, change_bits);
 hsession->set_is_webdav(http_event->contains_webdav_method());
 // FIXIT-M: Should we get request body (may be expensive to copy)?
@@ -119,6 +117,13 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow)
 // third-party.
 }
+ header_start = http_event->get_x_working_with(header_length);
+ if (header_length > 0)
+ {
+ hsession->set_field(MISC_XWW_FID, header_start, header_length, change_bits);
+ asd->scan_flags |= SCAN_HTTP_XWORKINGWITH_FLAG;
+ }
+ // The Via header can be in both the request and response.
 header_start = http_event->get_via(header_length);
 if (header_length > 0)
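Review bot: The block added after the closing brace that follows `// third-party.` has no comment saying that it now runs for every header event, apparently including responses, whereas the Via block right below it is labelled; I would add `// X-Working-With can be in both the request and response.` above `header_start = http_event->get_x_working_with(header_length);`. The value is supplied by the remote peer and MISC_XWW_FID looks like a single slot, so a response header can presumably replace what the request set on the same flow, which matters wherever the detected app feeds a policy decision. How set_field treats an existing value is not visible here, so that is worth confirming and stating in the comment. handle() starts and ends outside this hunk.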
diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc
index acd5cfb18..c54f52184 100644
--- a/src/network_inspectors/appid/test/appid_http_event_test.cc
+++ b/src/network_inspectors/appid/test/appid_http_event_test.cc
@@ -342,7 +342,7 @@ TEST(appid_http_event, handle_msg_header_user_agent)
 TEST(appid_http_event, handle_msg_header_x_working_with)
 {
 TestData test_data;
- test_data.scan_flags = 0;
+ test_data.scan_flags = SCAN_HTTP_XWORKINGWITH_FLAG;
 test_data.x_working_with = X_WORKING_WITH;
 run_event_handler(test_data);
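Review bot: Only the header-present case is pinned by the changed expectation `test_data.scan_flags = SCAN_HTTP_XWORKINGWITH_FLAG;`; nothing in this hunk checks that an event without X-Working-With leaves the flag clear, or that a response-direction event sets it, which is the case the commit is about. A sibling test that leaves `test_data.x_working_with` unset and expects `test_data.scan_flags = 0;` would cover the new `header_length > 0` guard, assuming TestData's defaults allow that. The TEST body continues past the end of the hunk.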