From 3dc8ba0a9c526546148ade8bc9188728f734bb90 Mon Sep 17 00:00:00 2001
From: "Umang Sharma (umasharm)"
Date: Mon, 23 Jun 2025 13:08:08 +0000
Subject: [PATCH] Pull request #4775: appid: fixed stash issue by fixing publishing shadow traffic Merge in SNORT/snort3 from ~UMASHARM/snort3:stash_fix_shadowtraffic to master Squashed commit of the following: commit 51998042ed5f314e18f32ebad0eb37638371cef2 Author: Umang Sharma Date: Mon Jun 16 09:38:41 2025 -0400 appid: fixed stash issue by fixing publishing shadow traffic
---
.../appid/appid_discovery.cc | 9 +++
.../appid/appid_http_session.cc | 14 +++++
.../appid/appid_http_session.h | 1 +
src/network_inspectors/appid/appid_session.cc | 59 ++++++++-----------
src/network_inspectors/appid/appid_session.h | 23 +++++++-
.../appid/test/appid_discovery_test.cc | 6 ++
.../appid/test/appid_http_event_test.cc | 1 +
.../appid/test/appid_http_session_test.cc | 2 +
8 files changed, 77 insertions(+), 38 deletions(-)
diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index c753c563c..f1636737b 100644
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -908,6 +908,15 @@ void AppIdDiscovery::do_post_discovery(Packet* p, AppIdSession& asd, { asd.sync_with_snort_protocol_id(service_id, p, change_bits); }
+
+ if (asd.get_odp_ctxt().get_appid_shadow_traffic_status())
+ {
+ if (asd.get_shadow_traffic_bits() != 0)
+ {
+ uint32_t shadow_bits = asd.get_shadow_traffic_bits();
+ asd.publish_shadow_traffic_event(shadow_bits, asd.flow);
+ }
+ } asd.publish_appid_event(change_bits, *p); }
diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc
index 59e1c27a3..a40aec761 100644
--- a/src/network_inspectors/appid/appid_http_session.cc
+++ b/src/network_inspectors/appid/appid_http_session.cc
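Review bot: `asd.get_shadow_traffic_bits()` is read twice in the new block in do_post_discovery, once in the condition and again into `shadow_bits`; read it once and test that value, `uint32_t shadow_bits = asd.get_shadow_traffic_bits();` followed by `if (shadow_bits != 0) asd.publish_shadow_traffic_event(shadow_bits, asd.flow);`. The ODP version guard that the removed destructor code in appid_session.cc carried (`pkt_thread_odp_ctxt->get_version() == api.asd->get_odp_ctxt_version()`) is not carried over to this call site; if a session on this path can still refer to a context from before a reload, that comparison belongs in front of `get_appid_shadow_traffic_status()`. A one-line comment would also help the next reader, since the publish-once behaviour lives elsewhere: `// publish_shadow_traffic_event() skips bits equal to the last published value and clears them after publishing`. do_post_discovery starts before this hunk.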
@@ -780,6 +780,18 @@ void AppIdHttpSession::clear_all_fields() } }
+void AppIdHttpSession::check_domain_fronting(HttpFieldIds id)
+{
+ if (id == REQ_HOST_FID)
+ {
+ if (asd.get_session_flags(APPID_SESSION_DECRYPTED) or asd.get_session_flags(APPID_SESSION_APP_REINSPECT))
+ {
+ if (asd.get_odp_ctxt().get_appid_shadow_traffic_status())
+ asd.check_domain_fronting_status(*meta_data[id]);
+ }
+ }
+}
+ void AppIdHttpSession::set_field(HttpFieldIds id, const std::string* str, AppidChangeBits& change_bits) {
@@ -790,6 +802,7 @@ void AppIdHttpSession::set_field(HttpFieldIds id, const std::string* str, set_http_change_bits(change_bits, id); set_scan_flags(id);
+ check_domain_fronting(id); print_field(id, str); } else if (str)
@@ -806,6 +819,7 @@ void AppIdHttpSession::set_field(HttpFieldIds id, const uint8_t* str, int32_t le set_http_change_bits(change_bits, id); set_scan_flags(id);
+ check_domain_fronting(id); print_field(id, meta_data[id]); } }
diff --git a/src/network_inspectors/appid/appid_http_session.h b/src/network_inspectors/appid/appid_http_session.h
index c775f4a20..34a0b62c2 100644
--- a/src/network_inspectors/appid/appid_http_session.h
+++ b/src/network_inspectors/appid/appid_http_session.h
@@ -72,6 +72,7 @@ public: HttpPatternMatchers& http_matchers); void update_url(AppidChangeBits& change_bits);
+ void check_domain_fronting(HttpFieldIds id); void set_field(HttpFieldIds id, const std::string* str, AppidChangeBits& change_bits); void set_field(HttpFieldIds id, const uint8_t* str, int32_t len, AppidChangeBits& change_bits); void set_req_body_field(HttpFieldIds id, const uint8_t* str, int32_t len,
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 78595f2cc..03490cced 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
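Review bot: `asd.check_domain_fronting_status(*meta_data[id])` in the new check_domain_fronting dereferences `meta_data[id]` with no null check; the two call sites added in the -790 and -806 hunks appear to sit in the branch of set_field that has just stored the field, but the method is public and nothing in it enforces that, so guard the pointer: `if (asd.get_odp_ctxt().get_appid_shadow_traffic_status() and meta_data[id]) asd.check_domain_fronting_status(*meta_data[id]);`. The three nested ifs each only narrow the previous one and read better as a single condition. The check now runs every time the request host is set on a decrypted or reinspected session, i.e. once per request on a keep-alive connection with a DataBus publish each time, whereas the removed destructor path ran once per session; if that is intended, say so with `// Runs on every request host update; publish_shadow_traffic_event() dedupes against the last published bits`. Both set_field overloads start and end outside their hunks.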
@@ -156,13 +156,6 @@ AppIdSession::~AppIdSession() { api.asd->get_odp_ctxt().get_appid_cpu_profiler_mgr().check_appid_cpu_profiler_table_entry(api.asd, api.get_service_app_id(), api.get_client_app_id(), api.get_payload_app_id(), api.get_misc_app_id()); }
-
- if ((pkt_thread_odp_ctxt->get_version() == api.asd->get_odp_ctxt_version()) and api.asd->get_odp_ctxt().get_appid_shadow_traffic_status())
- {
- check_domain_fronting_status();
- if (api.asd->appid_shadow_traffic_bits != 0)
- api.asd->publish_shadow_traffic_event(api.asd->appid_shadow_traffic_bits, api.asd->flow);
- } if (!in_expected_cache) {
@@ -1216,16 +1209,22 @@ void AppIdSession::set_tp_payload_app_id(const Packet& p, AppidSessionDirection } }
-void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_bits, snort::Flow *) const
+void AppIdSession::publish_shadow_traffic_event(const uint32_t& shadow_traffic_bits, snort::Flow* flow) {
- if (shadow_traffic_bits == 0)
+ if (shadow_traffic_bits == appid_previous_shadow_traffic_bits) return;
-
+ const char* app_name; unsigned shadow_traffic_pub_id = 0; std::string str_print; Packet* curr_packet = nullptr;
+ if (shadow_traffic_bits & ShadowTraffic_Type_Domain_Fronting)
+ {
+ AppId payload_id = api.asd->get_api().get_payload_app_id();
+ set_shadow_traffic_publishing_appid(payload_id);
+ }
+ AppId publishing_appid = get_shadow_traffic_publishing_appid(); app_name = api.asd->get_odp_ctxt().get_app_info_mgr().get_app_name(publishing_appid);
@@ -1243,7 +1242,7 @@ void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_b } else {
- APPID_LOG(curr_packet, TRACE_DEBUG_LEVEL,"Appname is invalid, not publishing shadow traffic event without appname\n");
+ APPID_LOG(curr_packet, TRACE_DEBUG_LEVEL, "Appname is invalid, not publishing shadow traffic event without appname\n"); return; } }
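Review bot: The new early return `if (shadow_traffic_bits == appid_previous_shadow_traffic_bits) return;` drops the old `== 0` guard, so a call with zero bits while the previously published value is non-zero no longer returns and continues into the publish path with an empty bit set. The caller added in appid_discovery.cc filters zero before calling, but the method is public and the old guard cost nothing; keep both: `if (shadow_traffic_bits == 0 or shadow_traffic_bits == appid_previous_shadow_traffic_bits) return;`. The `flow` parameter is now named; if it is not used in the part of the body outside this hunk, leave it unnamed as before to avoid an unused-parameter warning. The body of publish_shadow_traffic_event continues past this hunk.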
@@ -1259,7 +1258,10 @@ void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_b APPID_LOG(curr_packet, TRACE_DEBUG_LEVEL, "AppID: ShadowTraffic Published event for: %s, application_name: %s(%d)\n", str_print.c_str(), app_name, publishing_appid);
-}
+
+ set_previous_shadow_traffic_bits(shadow_traffic_bits);
+ reset_shadow_traffic_bits();
+} void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packet& p, bool is_httpx, uint32_t httpx_stream_index)
@@ -1378,27 +1380,14 @@ void AppIdSession::process_shadow_traffic_appids() } }
-void AppIdSession::check_domain_fronting_status()
+void AppIdSession::check_domain_fronting_status(const std::string& host) {
- if (api.asd->get_session_flags(APPID_SESSION_DECRYPTED) or api.asd->get_session_flags(APPID_SESSION_APP_REINSPECT))
- {
- AppIdHttpSession* hsession = api.asd->get_http_session();
- if (hsession)
- {
- const std::string* host = hsession->get_field(REQ_HOST_FID);
- if (host)
- {
- TLSDomainFrontCheckEvent domain_front_event(api.asd->get_cert_key(), *host);
- DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DOMAIN_FRONTING, domain_front_event);
- if (DomainFrontingStatus::MISMATCH == domain_front_event.get_cert_lookup_verdict())
- {
- uint32_t shadow_bits = get_shadow_traffic_bits();
- shadow_bits |= ShadowTraffic_Type_Domain_Fronting;
- set_shadow_traffic_bits(shadow_bits);
- AppId payload_id = api.asd->get_api().get_payload_app_id();
- set_shadow_traffic_publishing_appid(payload_id);
- }
- }
- }
- }
-}
+ TLSDomainFrontCheckEvent domain_front_event(api.asd->get_cert_key(), host);
+ DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::DOMAIN_FRONTING, domain_front_event);
+ if (DomainFrontingStatus::MISMATCH == domain_front_event.get_cert_lookup_verdict())
+ {
+ uint32_t shadow_bits = get_shadow_traffic_bits();
+ shadow_bits |= ShadowTraffic_Type_Domain_Fronting;
+ set_shadow_traffic_bits(shadow_bits);
+ }
+}
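Review bot: `set_previous_shadow_traffic_bits(shadow_traffic_bits);` and `reset_shadow_traffic_bits();` run only on the successful publish path; the `return` in the invalid-appname branch of the -1243 hunk leaves the bits set and the previous value untouched, so with the new caller in do_post_discovery the name lookup and the trace message repeat on every later packet of the flow until a name resolves. If that retry is intended, record it where the bits are cleared, e.g. `// Bits are kept when no app name is available yet so a later packet can retry the publish`; if not, clear them in that branch as well. publish_shadow_traffic_event starts outside this hunk.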
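Review bot: check_domain_fronting_status no longer checks the decrypted/reinspect session flags or the shadow-traffic setting itself, so its correctness now rests on the caller (AppIdHttpSession::check_domain_fronting in this patch) and that precondition is not written down anywhere; add it above the definition, e.g. `// Precondition: the session is decrypted or being reinspected and shadow traffic detection is enabled. Publishes a DOMAIN_FRONTING check for host on every call and sets the domain-fronting shadow bit on a certificate mismatch.` The three-line read-modify-write of the bits reads better as one statement, `set_shadow_traffic_bits(get_shadow_traffic_bits() | ShadowTraffic_Type_Domain_Fronting);`, which also drops the `shadow_bits` local.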
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 84ba6e67e..2d136a20f 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
@@ -418,10 +418,11 @@ public: AppidChangeBits& change_bits); void publish_appid_event(AppidChangeBits&, const snort::Packet&, bool is_httpx = false, uint32_t httpx_stream_index = 0);
- void publish_shadow_traffic_event(const uint32_t& shadow_traffic_bits,snort::Flow*)const;
+ void publish_shadow_traffic_event(const uint32_t& shadow_traffic_bits,snort::Flow*); void process_shadow_traffic_appids(); void check_shadow_traffic_bits(AppId id, uint32_t& shadow_bits, AppId &publishing_appid, bool& is_publishing_set);
- void check_domain_fronting_status();
+ void check_domain_fronting_status(const std::string& host);
+ bool need_to_delete_tp_conn(ThirdPartyAppIdContext*) const;
@@ -749,7 +750,12 @@ public: void set_shadow_traffic_bits(uint32_t lv_bits) {
- appid_shadow_traffic_bits = lv_bits;
+ appid_shadow_traffic_bits = lv_bits;
+ }
+
+ void reset_shadow_traffic_bits()
+ {
+ appid_shadow_traffic_bits = 0; } uint32_t get_shadow_traffic_bits()
@@ -800,6 +806,16 @@ public: return ssl_cert_key; }
+ void set_previous_shadow_traffic_bits(uint32_t lv_bits)
+ {
+ appid_previous_shadow_traffic_bits = lv_bits;
+ }
+
+ uint32_t get_previous_shadow_traffic_bits()
+ {
+ return appid_previous_shadow_traffic_bits;
+ }
+ private: uint16_t prev_httpx_raw_packet = 0;
@@ -825,6 +841,7 @@ private: bool client_info_unpublished = false; string ssl_cert_key; uint32_t appid_shadow_traffic_bits = 0;
+ uint32_t appid_previous_shadow_traffic_bits = 0; AppId shadow_traffic_appid = APP_ID_NONE; };
diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc
index 66d0b1e87..d32534c8d 100644
--- a/src/network_inspectors/appid/test/appid_discovery_test.cc
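Review bot: The new `get_previous_shadow_traffic_bits()` in the -800 hunk is a plain read of a member and should be declared `const`, `uint32_t get_previous_shadow_traffic_bits() const`, the same applies to the existing `get_shadow_traffic_bits()` it mirrors. `reset_shadow_traffic_bits()` is the same as `set_shadow_traffic_bits(0)`; if it stays, a comment on the new member in the -825 hunk would tie the two together for readers, e.g. `// last value handed to publish_shadow_traffic_event(); the live bits are cleared once that value is published`. The -418 hunk also adds a stray blank line between `check_domain_fronting_status` and `need_to_delete_tp_conn`, and the -749 hunk's change to `appid_shadow_traffic_bits = lv_bits;` appears to be whitespace only.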
+++ b/src/network_inspectors/appid/test/appid_discovery_test.cc
@@ -248,6 +248,12 @@ void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packe DataBus::publish(0, AppIdEventIds::ANY_CHANGE, app_event, p.flow); }
+void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_bits, snort::Flow *)
+{
+ ShadowTrafficEvent shadow_event(shadow_traffic_bits, "", "", nullptr);
+ DataBus::publish(0, ShadowTrafficEventIds::SHADOWTRAFFIC_FLOW_DETECTED, shadow_event, flow);
+}
+ void AppIdHttpSession::set_tun_dest(){} // Stubs for ServiceDiscovery
diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc
index c29259bb3..0cc60b37d 100644
--- a/src/network_inspectors/appid/test/appid_http_event_test.cc
+++ b/src/network_inspectors/appid/test/appid_http_event_test.cc
@@ -87,6 +87,7 @@ FakeHttpMsgHeader* fake_msg_header = nullptr; bool OdpContext::is_appid_cpu_profiler_enabled() { return false; } bool OdpContext::is_appid_cpu_profiler_running() { return false; }
+void AppIdSession::check_domain_fronting_status(const std::string&) {} AppIdSession* AppIdSession::allocate_session(const Packet*, IpProtocol, AppidSessionDirection, AppIdInspector&, OdpContext&)
diff --git a/src/network_inspectors/appid/test/appid_http_session_test.cc b/src/network_inspectors/appid/test/appid_http_session_test.cc
index 9afe95b54..6df648fea 100644
--- a/src/network_inspectors/appid/test/appid_http_session_test.cc
+++ b/src/network_inspectors/appid/test/appid_http_session_test.cc
@@ -159,6 +159,8 @@ void AppIdSession::update_encrypted_app_id(AppId) { }
+void AppIdSession::check_domain_fronting_status(const std::string&) {}
+ void AppIdModule::reset_stats() {} // AppIdDebug mock functions
-- 2.47.3
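Review bot: The patch adds stubs for publish_shadow_traffic_event and check_domain_fronting_status but no test of the behaviour it introduces: that shadow-traffic bits are published once, recorded in appid_previous_shadow_traffic_bits and cleared, and that an unchanged value is not republished on the next packet. The stub in this hunk also neither records nor clears the bits, so a test driving do_post_discovery over several packets would observe one event per packet rather than the deduplicated behaviour of the real method; either mirror the reset in the stub or assert on the number of SHADOWTRAFFIC_FLOW_DETECTED events published. The one-line check_domain_fronting_status stubs in the appid_http_event_test.cc and appid_http_session_test.cc hunks likewise leave the new host-parameter path untested.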