From: Vitalii Izhyk -X (viizhyk - SOFTSERVE INC at Cisco)
Date: Fri, 20 Sep 2024 14:03:35 +0000 (+0000)
Subject: Pull request #4442: appid: Early SSH detection brute-force fix
X-Git-Tag: 3.3.7.0~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1c9c142286fdec985650801b69a72e2606c338b;p=thirdparty%2Fsnort3.git
Pull request #4442: appid: Early SSH detection brute-force fix
Merge in SNORT/snort3 from ~VIIZHYK/snort3:viizhyk_CSCwm05155_master to master
Squashed commit of the following:
commit 1ce5264a30bcbf5ff4ac3068b489599521e8c255
Author: viizhyk
Date: Wed Sep 11 08:44:12 2024 -0400
appid: Early SSH detection brute-force fix
---
diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index 93a3f9b7c..030ac2646 100644
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -355,6 +355,10 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec
 asd->client_disco_state = APPID_DISCO_STATE_FINISHED;
 asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CLIENT_DETECTED);
+ if ((asd->get_service_id() <= APP_ID_NONE) and (asd->expected_external_app_id > APP_ID_NONE))
+ {
+ asd->set_service_id(asd->expected_external_app_id, odp_ctxt);
+ }
 appid_log(p, TRACE_DEBUG_LEVEL, "stopped service/client discovery\n");
 }
 }
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 867e99ca9..fce06c554 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
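Review bot: The new fallback in do_pre_discovery promotes `expected_external_app_id` to the service id without any trace output, while the surrounding code logs every other state change on this path; add `appid_log(p, TRACE_DEBUG_LEVEL, "service id set from expected external app id\n");` inside the new block so a session trace can tell a detector match apart from this hint-based assignment. A one-line comment above the `if` stating why the third-party hint is trusted at this point (discovery has been stopped and the external detector never confirmed the application) would also spare the next reader a trip to tp_appid_utils.cc. `odp_ctxt` is presumably a parameter of do_pre_discovery, whose signature is truncated in the hunk header; the enclosing function starts outside the hunk.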
@@ -300,6 +300,9 @@ public:
 // this field is maintained inside AppIdHttpSession.
 AppId misc_app_id = APP_ID_NONE;
+ // Following field stores AppID detection of which is delegated to external module.
+ AppId expected_external_app_id = APP_ID_NONE;
+
 // AppId matching client side
 APPID_DISCOVERY_STATE client_disco_state = APPID_DISCO_STATE_NONE;
 AppId client_inferred_service_id = APP_ID_NONE;
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index aee2f93a9..f5bf28bfc 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
@@ -93,7 +93,7 @@ namespace snort
 #define APPID_SESSION_OPPORTUNISTIC_TLS (1ULL << 44)
 #define APPID_SESSION_FIRST_PKT_CACHE_MATCHED (1ULL << 45)
 #define APPID_SESSION_DO_NOT_DECRYPT (1ULL << 46)
-#define APPID_SESSION_EARLY_SSH_DETECTED (1ULL << 47)
+#define APPID_SESSION_WAIT_FOR_EXTERNAL (1ULL << 47)
 #define APPID_SESSION_IGNORE_ID_FLAGS \
 (APPID_SESSION_FUTURE_FLOW | \
 APPID_SESSION_NOT_A_SERVICE | \
diff --git a/src/network_inspectors/appid/appid_ssh_event_handler.cc b/src/network_inspectors/appid/appid_ssh_event_handler.cc
index d4a195a03..87d3fb51d 100644
--- a/src/network_inspectors/appid/appid_ssh_event_handler.cc
+++ b/src/network_inspectors/appid/appid_ssh_event_handler.cc
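Review bot: The comment on the new `expected_external_app_id` member is hard to parse ("AppID detection of which is delegated") and does not say who writes or reads it; replace it with `// AppId reported by the third-party module but not yet confirmed by the external detector (see APPID_SESSION_WAIT_FOR_EXTERNAL); used as the fallback service id when discovery stops without a match`. It would also help to state whether the value is expected to be cleared together with APPID_SESSION_WAIT_FOR_EXTERNAL, because the other hunks in this commit assign the field but none of them resets it. The class body continues outside the hunk.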
@@ -201,12 +201,13 @@ void SshEventHandler::handle(DataEvent& event, Flow* flow)
 case SSH_VERSION_STRING:
 if (handle_protocol(ssh_event, fd))
 {
- if (asd->get_session_flags(APPID_SESSION_EARLY_SSH_DETECTED))
+ if ( asd->get_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL) and
+ ((ssh_event.get_direction() == PKT_FROM_CLIENT) or data->client_info.vendor.size()) )
 {
 appid_log(p, TRACE_DEBUG_LEVEL, "Early detection of SSH\n");
 handle_success(*data, ssh_event, *asd, change_bits);
 asd->publish_appid_event(change_bits, *ssh_event.get_packet());
- asd->clear_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL);
 }
 }
 else
diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc
index 3f4390e79..23ee797b2 100644
--- a/src/network_inspectors/appid/service_plugins/service_discovery.cc
+++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc
@@ -435,6 +435,14 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p,
 sds->set_reset_time(0);
 ServiceState sds_state = sds->get_state();
+ if ( ((sds_state == ServiceState::FAILED) or (sds_state == ServiceState::SEARCHING_BRUTE_FORCE)) and
+ asd.get_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL))
+ {
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s No service match, waiting for external detection\n", appidDebug->get_debug_session());
+ return APPID_INPROCESS;
+ }
+
 if ( sds_state == ServiceState::FAILED )
 {
 appid_log(p, TRACE_DEBUG_LEVEL, "No service match, failed state\n");
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index daa70ac90..cd87f16ca 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
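Review bot: The added condition in the SSH_VERSION_STRING case mixes a boolean comparison with a raw `size()` as the right-hand operand of `or`, relying on an implicit size_t-to-bool conversion; write it as `!data->client_info.vendor.empty()` so the intent (a client version string has presumably already been recorded) is explicit and the line reads like the rest of the handler. A short comment above the `if` explaining why a version string seen only from the server side no longer triggers early detection would also help, since the debug message "Early detection of SSH" gives no hint of the direction rule. SshEventHandler::handle starts and ends outside the hunk.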
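Review bot: The new early-return block in identify_service logs through `appidDebug->is_active()` / `LogMessage(...)` while the FAILED branch just below it uses `appid_log(p, TRACE_DEBUG_LEVEL, ...)`; use the same helper, `appid_log(p, TRACE_DEBUG_LEVEL, "No service match, waiting for external detection\n");`, so both messages land in the same trace and the debug-session check is not duplicated by hand. Returning APPID_INPROCESS while APPID_SESSION_WAIT_FOR_EXTERNAL is set means a flow whose external detector never reports stays in-process instead of failing; it looks like the do_pre_discovery change in this commit bounds that by assigning the expected id once discovery stops, but a comment on the `return` stating that assumption would make the invariant explicit. identify_service starts and ends outside the hunk.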
@@ -601,7 +601,8 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
 {
 appid_log(p, TRACE_DEBUG_LEVEL, "Setting the ignore and early detection flag\n");
 asd.get_odp_ctxt().get_app_info_mgr().set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE);
- asd.set_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);
+ asd.set_session_flags(APPID_SESSION_WAIT_FOR_EXTERNAL);
+ asd.expected_external_app_id = tp_app_id;
 }
 unsigned app_info_flags = asd.get_odp_ctxt().get_app_info_mgr().get_app_info_flags(tp_app_id,