#include "file_cache.h"
+#include "flow/flow_key.h"
#include "hash/hash_defs.h"
#include "hash/xhash.h"
#include "log/messages.h"
FileHashKey hashKey;
hashKey.dip = flow->client_ip;
hashKey.sip = flow->server_ip;
- hashKey.padding = 0;
+ hashKey.dgroup = flow->client_group;
+ hashKey.sgroup = flow->server_group;
hashKey.file_id = file_id;
+ hashKey.asid = flow->key->addressSpaceId;
+ hashKey.padding[0] = hashKey.padding[1] = hashKey.padding[2] = 0;
FileContext* file = find(hashKey, timeout);
if (to_create and !file)
file = add(hashKey, timeout);
struct FileHashKey
{
snort::SfIp sip;
+ int16_t sgroup;
snort::SfIp dip;
- uint32_t padding;
+ int16_t dgroup;
uint64_t file_id;
+ uint16_t asid;
+ uint16_t padding[3];
};
PADDING_GUARD_END
14,
PktType::TCP,
14,
+ 0,
0
};
else
appHA->appId[6] = asd->get_client_id();
appHA->appId[7] = asd->misc_app_id;
+ appHA->asid = asd->asid;
}
else
memset(appHA, 0, sizeof(*appHA));
AppIdInspector* inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true);
if (inspector)
{
- asd = new AppIdSession(proto, ip, port, *inspector, inspector->get_ctxt().get_odp_ctxt());
+ asd = new AppIdSession(proto, ip, port, *inspector,
+ inspector->get_ctxt().get_odp_ctxt(), appHA->asid);
flow.set_flow_data(asd);
asd->set_service_id(appHA->appId[1], asd->get_odp_ctxt());
if (asd->get_service_id() == APP_ID_FTP_CONTROL)
struct AppIdSessionHA
{
uint16_t flags;
+ uint16_t asid;
AppId appId[APPID_HA_SESSION_APP_NUM_MAX];
};
void AppIdDebug::activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t port1,
uint16_t port2, IpProtocol protocol, const int version, uint16_t address_space_id,
- const AppIdSession* session, bool log_all_sessions)
+ const AppIdSession* session, bool log_all_sessions, int16_t group1, int16_t group2,
+ bool inter_group_flow)
{
if (!( log_all_sessions or
( info.proto_match(protocol) and
const ip::snort_in6_addr* dip;
uint16_t sport = 0;
uint16_t dport = 0;
+ int16_t sgroup;
+ int16_t dgroup;
char sipstr[INET6_ADDRSTRLEN];
char dipstr[INET6_ADDRSTRLEN];
dip = (const ip::snort_in6_addr*)ip2;
sport = port1;
dport = port2;
+ sgroup = group1;
+ dgroup = group2;
}
else if (session->initiator_port)
{
dip = (const ip::snort_in6_addr*)ip2;
sport = port1;
dport = port2;
+ sgroup = group1;
+ dgroup = group2;
}
else
{
dip = (const ip::snort_in6_addr*)ip1;
sport = port2;
dport = port1;
+ sgroup = group2;
+ dgroup = group1;
}
}
else if (memcmp(session->get_initiator_ip().get_ip6_ptr(),
dip = (const ip::snort_in6_addr*)ip2;
sport = port1;
dport = port2;
+ sgroup = group1;
+ dgroup = group2;
}
else
{
dip = (const ip::snort_in6_addr*)ip1;
sport = port2;
dport = port1;
+ sgroup = group2;
+ dgroup = group1;
}
snort_inet_ntop(af, &sip->u6_addr32[(af == AF_INET)? 3 : 0], sipstr, sizeof(sipstr));
snort_inet_ntop(af, &dip->u6_addr32[(af == AF_INET)? 3 : 0], dipstr, sizeof(dipstr));
- snprintf(debug_session, sizeof(debug_session), "%s %hu -> %s %hu %hhu AS=%hu ID=%u",
+ char gr_buf[32] = {0};
+ if (inter_group_flow)
+ snprintf(gr_buf, sizeof(gr_buf), " GR=%hd-%hd", sgroup, dgroup);
+
+ snprintf(debug_session, sizeof(debug_session),
+ "%s %hu -> %s %hu %hhu AS=%hu ID=%u%s",
sipstr, sport, dipstr, dport, static_cast<uint8_t>(protocol),
- address_space_id, get_instance_id());
+ address_space_id, get_instance_id(), gr_buf);
}
void AppIdDebug::activate(const Flow *flow, const AppIdSession* session, bool log_all_sessions)
// (e.g., IPv4 src and IPv6 dst, or vice-versa). Once it is supported, we need to pass
// two key->version here to create the proper debug_session string.
activate(key->ip_l, key->ip_h, key->port_l, key->port_h, (IpProtocol)(key->ip_protocol),
- key->version, key->addressSpaceId, session, log_all_sessions);
+ key->version, key->addressSpaceId, session, log_all_sessions,
+ key->group_l, key->group_h, key->flags.group_used);
}
void AppIdDebug::set_constraints(const char *desc,
#include <string.h>
+#include <daq_common.h>
+
#include "protocols/ipv6.h"
#include "protocols/protocol_ids.h"
#include "main/thread.h"
class Flow;
}
-// %s %u -> %s %u %u AS=%u ID=%u
-// IPv6 Port -> IPv6 Port Proto AS=ASNum ID=InstanceNum
-#define APPID_DEBUG_SESSION_ID_SIZE ((39+1+5+1+2+1+39+1+5+1+3+1+2+1+10+1+2+1+10)+1)
+// %s %u -> %s %u %u AS=%u ID=%u [GR=%hd-%hd]
+// IPv6 Port -> IPv6 Port Proto AS=ASNum ID=InstanceNum [GR=SrcGroupNum-DstGroupNum]
+#define APPID_DEBUG_SESSION_ID_SIZE ((39+1+5+1+2+1+39+1+5+1+3+1+2+1+10+1+2+1+10+32)+1)
struct AppIdDebugSessionConstraints
{
void activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t port1, uint16_t port2,
IpProtocol protocol, const int version, uint16_t address_space_id,
- const AppIdSession* session, bool log_all_sessions);
+ const AppIdSession* session, bool log_all_sessions, int16_t group1 = DAQ_PKTHDR_UNKNOWN,
+ int16_t group2 = DAQ_PKTHDR_UNKNOWN, bool inter_group_flow = false);
void activate(const snort::Flow *flow, const AppIdSession* session, bool log_all_sessions);
void set_constraints(const char *desc, const AppIdDebugSessionConstraints* constraints);
{
uint16_t port = 0;
const SfIp* ip = nullptr;
+ int16_t group;
asd->set_session_flags(APPID_SESSION_SYN_RST);
- if (asd->service_ip.is_set())
- {
- ip = &asd->service_ip;
- port = asd->service_port;
- }
+ if (asd->is_service_ip_set())
+ std::tie(ip, port, group) = asd->get_service_info();
else
{
ip = p->ptrs.ip_api.get_src();
port = p->ptrs.sp;
+ group = p->get_ingress_group();
}
- AppIdServiceState::check_reset(*asd, ip, port);
+ AppIdServiceState::check_reset(*asd, ip, port, group, asd->asid);
return false;
}
asd->previous_tcp_flags = p->ptrs.tcph->th_flags;
(p->ptrs.sp != p->ptrs.dp))
port = (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp;
- AppIdSession* asd = new AppIdSession(proto, ip, port, *inspector, odp_context);
+ AppIdSession* asd = new AppIdSession(proto, ip, port, *inspector, odp_context,
+ p->pkth->address_space_id);
asd->flow = p->flow;
asd->stats.first_packet_second = p->pkth->ts.tv_sec;
asd->snort_protocol_id = asd->config.snort_proto_ids[PROTO_INDEX_UNSYNCHRONIZED];
}
AppIdSession::AppIdSession(IpProtocol proto, const SfIp* ip, uint16_t port,
- AppIdInspector& inspector, OdpContext& odp_ctxt)
+ AppIdInspector& inspector, OdpContext& odp_ctxt, uint16_t asid)
: FlowData(inspector_id, &inspector), config(inspector.get_ctxt().config),
- protocol(proto), api(*(new AppIdSessionApi(this, *ip))),
- odp_ctxt(odp_ctxt), tp_appid_ctxt(inspector.get_ctxt().get_tp_appid_ctxt())
+ initiator_port(port), asid(asid), protocol(proto),
+ api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(odp_ctxt),
+ odp_ctxt_version(odp_ctxt.get_version()),
+ tp_appid_ctxt(inspector.get_ctxt().get_tp_appid_ctxt())
{
service_ip.clear();
- initiator_port = port;
- odp_ctxt_version = odp_ctxt.get_version();
appid_stats.total_sessions++;
}
APPID_SESSION_OOO) and flow)
{
ServiceDiscoveryState* sds =
- AppIdServiceState::get(&service_ip, protocol, service_port, is_decrypted());
+ AppIdServiceState::get(&service_ip, protocol, service_port, service_group,
+ asid, is_decrypted());
if (sds)
{
if (flow->server_ip.fast_eq6(service_ip))
// FIXIT-RC - port parameter passed in as 0 since we may not know client port, verify
AppIdSession* asd = new AppIdSession(proto, cliIp, 0, *inspector,
- inspector->get_ctxt().get_odp_ctxt());
+ inspector->get_ctxt().get_odp_ctxt(), ctrlPkt->pkth->address_space_id);
if (Stream::set_snort_protocol_id_expected(ctrlPkt, type, proto, cliIp,
cliPort, srvIp, srvPort, snort_protocol_id, asd, swap_app_direction))
#include <map>
#include <mutex>
#include <string>
+#include <tuple>
#include <unordered_map>
+#include <daq_common.h>
#include "pub_sub/appid_events.h"
#include "app_info_table.h"
class AppIdSession : public snort::FlowData
{
public:
- AppIdSession(IpProtocol, const snort::SfIp*, uint16_t port,
- AppIdInspector&, OdpContext&);
+ AppIdSession(IpProtocol, const snort::SfIp*, uint16_t port, AppIdInspector&,
+ OdpContext&, uint16_t asid = 0);
~AppIdSession() override;
static AppIdSession* allocate_session(const snort::Packet*, IpProtocol,
std::unordered_map<unsigned, AppIdFlowData*> flow_data;
uint64_t flags = 0;
uint16_t initiator_port = 0;
+ uint16_t asid = 0;
uint16_t session_packet_count = 0;
uint16_t init_pkts_without_reply = 0;
uint64_t init_bytes_without_reply = 0;
- snort::SfIp service_ip;
- uint16_t service_port = 0;
IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
uint8_t previous_tcp_flags = 0;
return tp_appid_ctxt;
}
+ void set_service_info(const snort::SfIp& ip, uint16_t port, int16_t group = DAQ_PKTHDR_UNKNOWN)
+ {
+ service_ip = ip;
+ service_port = port;
+ service_group = group;
+ }
+
+ std::tuple<const snort::SfIp*, uint16_t, int16_t> get_service_info() const
+ {
+ return std::make_tuple(&service_ip, service_port, service_group);
+ }
+
+ uint16_t get_service_port() const
+ {
+ return service_port;
+ }
+
+ bool is_service_ip_set() const
+ {
+ return service_ip.is_set();
+ }
+
private:
uint16_t prev_http2_raw_packet = 0;
AppId tp_app_id = APP_ID_NONE;
AppId tp_payload_app_id = APP_ID_NONE;
+ snort::SfIp service_ip;
+ uint16_t service_port = 0;
+ int16_t service_group = DAQ_PKTHDR_UNKNOWN;
+
uint16_t my_inferred_svcs_ver = 0;
snort::AppIdSessionApi& api;
static uint16_t inferred_svcs_ver;
AppIdContext stub_ctxt(stub_config);
OdpContext stub_odp_ctxt(stub_config, nullptr);
AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector& inspector,
- OdpContext&) : snort::FlowData(inspector_id, (snort::Inspector*)&inspector), config(stub_config),
+ OdpContext&, uint16_t) : snort::FlowData(inspector_id, (snort::Inspector*)&inspector), config(stub_config),
api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { }
AppIdSession::~AppIdSession() = default;
AppIdHttpSession::AppIdHttpSession(AppIdSession& asd, uint32_t http2_stream_id)
asd.get_session_flags(APPID_SESSION_IGNORE_HOST | APPID_SESSION_UDP_REVERSED))
return APPID_SUCCESS;
- if (!asd.service_ip.is_set())
+ if (!asd.is_service_ip_set())
{
- asd.service_ip = *(pkt->ptrs.ip_api.get_src());
- if (!asd.service_port)
- asd.service_port = pkt->ptrs.sp;
+ uint16_t port = asd.get_service_port();
+ asd.set_service_info(*(pkt->ptrs.ip_api.get_src()),
+ port ? port : pkt->ptrs.sp, pkt->get_ingress_group());
}
-
return APPID_SUCCESS;
}
{
uint16_t port = 0;
const SfIp* ip = nullptr;
+ int16_t group;
asd.service_detector = this;
asd.set_service_vendor(vendor, change_bits);
{
ip = pkt->ptrs.ip_api.get_dst();
port = pkt->ptrs.dp;
+ group = pkt->get_egress_group();
}
else
{
ip = pkt->ptrs.ip_api.get_src();
port = pkt->ptrs.sp;
+ group = pkt->get_ingress_group();
}
- if (asd.service_port)
- port = asd.service_port;
+ if (asd.get_service_port())
+ port = asd.get_service_port();
}
else
{
{
ip = pkt->ptrs.ip_api.get_src();
port = pkt->ptrs.sp;
+ group = pkt->get_ingress_group();
}
else
{
ip = pkt->ptrs.ip_api.get_dst();
port = pkt->ptrs.dp;
+ group = pkt->get_egress_group();
}
}
- asd.service_ip = *ip;
- asd.service_port = port;
- ServiceDiscoveryState* sds = AppIdServiceState::add(ip, asd.protocol, port, asd.is_decrypted());
+ asd.set_service_info(*ip, port, group);
+
+ ServiceDiscoveryState* sds = AppIdServiceState::add(ip, asd.protocol, port,
+ group, asd.asid, asd.is_decrypted());
sds->set_service_id_valid(this);
return APPID_SUCCESS;
{
asd.tried_reverse_service = true;
ServiceDiscoveryState* rsds = AppIdServiceState::get(p->ptrs.ip_api.get_src(),
- proto, p->ptrs.sp, asd.is_decrypted());
+ proto, p->ptrs.sp, p->get_ingress_group(), p->pkth->address_space_id,
+ asd.is_decrypted());
std::unordered_map<uint16_t, std::vector<ServiceDetector*>>::iterator urs_iterator;
if ( rsds && rsds->get_service() )
asd.service_candidates.emplace_back(rsds->get_service());
bool got_brute_force = false;
const SfIp* ip;
uint16_t port;
+ int16_t group;
/* Get packet info. */
auto proto = asd.protocol;
- if ( asd.service_ip.is_set() )
- {
- ip = &asd.service_ip;
- port = asd.service_port;
- }
+ if ( asd.is_service_ip_set() )
+ std::tie(ip, port, group) = asd.get_service_info();
else
{
if ( dir == APP_ID_FROM_RESPONDER )
{
ip = p->ptrs.ip_api.get_src();
port = p->ptrs.sp;
+ group = p->get_ingress_group();
}
else
{
ip = p->ptrs.ip_api.get_dst();
port = p->ptrs.dp;
+ group = p->get_egress_group();
}
- asd.service_ip = *ip;
- asd.service_port = port;
+ asd.set_service_info(*ip, port, group);
}
if ( asd.service_search_state == SESSION_SERVICE_SEARCH_STATE::START )
{
asd.service_search_state = SESSION_SERVICE_SEARCH_STATE::PORT;
- sds = AppIdServiceState::add(ip, proto, port, asd.is_decrypted(), true);
+ sds = AppIdServiceState::add(ip, proto, port, group, asd.asid,
+ asd.is_decrypted(), true);
sds->set_reset_time(0);
ServiceState sds_state = sds->get_state();
!asd.service_detector and ( dir == APP_ID_FROM_RESPONDER ) ) )
{
if (!sds)
- sds = AppIdServiceState::add(ip, proto, port, asd.is_decrypted(), true);
+ sds = AppIdServiceState::add(ip, proto, port, group, asd.asid,
+ asd.is_decrypted(), true);
// Don't log this if fail service is not due to empty list
if (appidDebug->is_active() and !(got_fail_service and asd.service_detector))
LogMessage("AppIdDbg %s No service %s\n", appidDebug->get_debug_session(),
tmp_ip = p->ptrs.ip_api.get_src();
if (!sds)
- sds = AppIdServiceState::add(ip, proto, port, asd.is_decrypted(), true);
+ sds = AppIdServiceState::add(ip, proto, port, group, asd.asid,
+ asd.is_decrypted(), true);
if (got_incompatible_service)
sds->update_service_incompatiable(tmp_ip);
}
const SfIp* ip = pkt->ptrs.ip_api.get_src();
- uint16_t port = asd.service_port ? asd.service_port : pkt->ptrs.sp;
+ int16_t group = pkt->get_ingress_group();
+ uint16_t port = asd.get_service_port();
+ if (!port)
+ port = pkt->ptrs.sp;
+
ServiceDiscoveryState* sds = AppIdServiceState::add(ip, asd.protocol, port,
- asd.is_decrypted()); // do not touch here
+ group, pkt->pkth->address_space_id, asd.is_decrypted()); // do not touch here
sds->set_service(service);
sds->set_reset_time(0);
- if ( !asd.service_ip.is_set() )
- {
- asd.service_ip = *ip;
- asd.service_port = port;
- }
+ if ( !asd.is_service_ip_set() )
+ asd.set_service_info(*ip, port, group);
+
return APPID_SUCCESS;
}
}
const SfIp* ip = pkt->ptrs.ip_api.get_src();
- uint16_t port = asd.service_port ? asd.service_port : pkt->ptrs.sp;
- if (!asd.service_ip.is_set())
- {
- asd.service_ip = *ip;
- asd.service_port = port;
- }
+ uint16_t port = asd.get_service_port();
+ int16_t group = pkt->get_ingress_group();
+
+ if (!port)
+ port = pkt->ptrs.sp;
+
+ if (!asd.is_service_ip_set())
+ asd.set_service_info(*ip, port, group);
if ( !sds )
{
- sds = AppIdServiceState::add(ip, asd.protocol, port, asd.is_decrypted());
+ sds = AppIdServiceState::add(ip, asd.protocol, port, group,
+ asd.asid, asd.is_decrypted());
sds->set_service(service);
}
sds->set_reset_time(0);
static OdpContext stub_odp_ctxt(stub_config, nullptr);
OdpContext* AppIdContext::odp_ctxt = &stub_odp_ctxt;
AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector& inspector,
- OdpContext&) : snort::FlowData(inspector_id, (snort::Inspector*)&inspector),
+ OdpContext&, uint16_t) : snort::FlowData(inspector_id, (snort::Inspector*)&inspector),
config(stub_config), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { }
AppIdSession::~AppIdSession() = default;
void AppIdSession::free_flow_data()
{
return true;
}
-ServiceDiscoveryState* AppIdServiceState::add(SfIp const*, IpProtocol, unsigned short, bool, bool)
+ServiceDiscoveryState* AppIdServiceState::add(SfIp const*, IpProtocol,
+ unsigned short, int16_t, uint16_t, bool, bool)
{
return nullptr;
}
}
ServiceDiscoveryState* AppIdServiceState::add(const SfIp* ip, IpProtocol proto, uint16_t port,
- bool decrypted, bool do_touch)
+ int16_t group, uint16_t asid, bool decrypted, bool do_touch)
{
- return service_state_cache->add( AppIdServiceStateKey(ip, proto, port, decrypted), do_touch );
+ return service_state_cache->add( AppIdServiceStateKey(ip, proto, port, group,
+ asid, decrypted), do_touch );
}
ServiceDiscoveryState* AppIdServiceState::get(const SfIp* ip, IpProtocol proto, uint16_t port,
- bool decrypted, bool do_touch)
+ int16_t group, uint16_t asid, bool decrypted, bool do_touch)
{
- return service_state_cache->get( AppIdServiceStateKey(ip, proto, port, decrypted), do_touch);
+ return service_state_cache->get( AppIdServiceStateKey(ip, proto, port, group,
+ asid, decrypted), do_touch);
}
-void AppIdServiceState::remove(const SfIp* ip, IpProtocol proto, uint16_t port, bool decrypted)
+void AppIdServiceState::remove(const SfIp* ip, IpProtocol proto, uint16_t port,
+ int16_t group, uint16_t asid, bool decrypted)
{
- AppIdServiceStateKey ssk(ip, proto, port, decrypted);
+ AppIdServiceStateKey ssk(ip, proto, port, group, asid, decrypted);
Map_t::iterator it = service_state_cache->find(ssk);
if ( !service_state_cache->remove(it) )
}
}
-void AppIdServiceState::check_reset(AppIdSession& asd, const SfIp* ip, uint16_t port)
+void AppIdServiceState::check_reset(AppIdSession& asd, const SfIp* ip, uint16_t port,
+ int16_t group, uint16_t asid)
{
ServiceDiscoveryState* sds = AppIdServiceState::get(ip, IpProtocol::TCP, port,
- asd.is_decrypted());
+ group, asid, asd.is_decrypted());
if ( sds )
{
if ( !sds->get_reset_time() )
sds->set_reset_time(packet_time() );
else if ( ( packet_time() - sds->get_reset_time() ) >= 60 )
{
- AppIdServiceState::remove(ip, IpProtocol::TCP, port, asd.is_decrypted());
+ AppIdServiceState::remove(ip, IpProtocol::TCP, port, group,
+ asid, asd.is_decrypted());
// FIXIT-RC - Remove if this flag not used anywhere
asd.set_session_flags(APPID_SESSION_SERVICE_DELETED);
}
public:
static bool initialize(size_t memcap);
static void clean();
- static ServiceDiscoveryState* add(const snort::SfIp*, IpProtocol, uint16_t port, bool decrypted, bool do_touch = false);
- static ServiceDiscoveryState* get(const snort::SfIp*, IpProtocol, uint16_t port, bool decrypted, bool do_touch = false);
- static void remove(const snort::SfIp*, IpProtocol, uint16_t port, bool decrypted);
- static void check_reset(AppIdSession& asd, const snort::SfIp* ip, uint16_t port);
+ static ServiceDiscoveryState* add(const snort::SfIp*, IpProtocol, uint16_t port,
+ int16_t group, uint16_t asid, bool decrypted, bool do_touch = false);
+ static ServiceDiscoveryState* get(const snort::SfIp*, IpProtocol, uint16_t port,
+ int16_t group, uint16_t asid, bool decrypted, bool do_touch = false);
+ static void remove(const snort::SfIp*, IpProtocol, uint16_t port,
+ int16_t group, uint16_t asid, bool decrypted);
+ static void check_reset(AppIdSession& asd, const snort::SfIp* ip, uint16_t port,
+ int16_t group, uint16_t asid);
static bool prune(size_t max_memory = 0, size_t num_items = -1u);
};
class AppIdServiceStateKey
{
public:
- AppIdServiceStateKey()
- {
- ip.clear();
- port = 0;
- level = 0;
- proto = IpProtocol::PROTO_NOT_SET;
- padding[0] = padding[1] = padding[2] = 0;
- }
-
- AppIdServiceStateKey(const snort::SfIp* ip_in,
- IpProtocol proto_in, uint16_t port_in, bool decrypted)
- {
- ip = *ip_in;
- port = port_in;
- level = decrypted != 0;
- proto = proto_in;
- padding[0] = padding[1] = padding[2] = 0;
- }
+ AppIdServiceStateKey(const snort::SfIp* ip,
+ IpProtocol proto, uint16_t port, int16_t group, uint16_t asid, bool decrypted) :
+ ip(*ip), port(port), group(group), asid(asid), decrypted(decrypted), proto(proto)
+ { }
bool operator<(const AppIdServiceStateKey& right) const
{
private:
snort::SfIp ip;
uint16_t port;
- uint32_t level;
+ int16_t group;
+ uint16_t asid;
+ bool decrypted;
IpProtocol proto;
- uint8_t padding[3];
};
PADDING_GUARD_END
AppIdConfig stub_config;
AppIdContext stub_ctxt(stub_config);
OdpContext stub_odp_ctxt(stub_config, nullptr);
-AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector&, OdpContext&)
- : FlowData(0), config(stub_config), api(*(new AppIdSessionApi(this, *ip))),
- odp_ctxt(stub_odp_ctxt) { }
+AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector&,
+ OdpContext&, uint16_t) : FlowData(0), config(stub_config),
+ api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { }
AppIdSession::~AppIdSession() = default;
// Utility functions
{
return nullptr;
}
-void AppIdServiceState::check_reset(AppIdSession&, const SfIp*, uint16_t) {}
+void AppIdServiceState::check_reset(AppIdSession&, const SfIp*, uint16_t,
+ int16_t, uint16_t) {}
int dns_host_scan_hostname(const uint8_t*, size_t, AppId*, AppId*)
{
return 0;
OdpContext* AppIdContext::odp_ctxt = &stub_odp_ctxt;
// AppIdSession mock functions
-AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector& inspector, OdpContext&)
- : FlowData(inspector_id, &inspector), config(stub_config),
+AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector& inspector,
+ OdpContext&, uint16_t) : FlowData(inspector_id, &inspector), config(stub_config),
api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt)
{}
// AppIdDebug mock functions
void AppIdDebug::activate(const uint32_t*, const uint32_t*, uint16_t,
- uint16_t, IpProtocol, const int, uint16_t, const AppIdSession*, bool)
+ uint16_t, IpProtocol, const int, uint16_t, const AppIdSession*, bool,
+ int16_t, int16_t, bool)
{
}
{ return false; }
// Stubs for service_state.h
-ServiceDiscoveryState* AppIdServiceState::get(SfIp const*, IpProtocol, unsigned short, bool, bool)
+ServiceDiscoveryState* AppIdServiceState::get(SfIp const*, IpProtocol,
+ unsigned short, int16_t, uint16_t, bool, bool)
{
return nullptr;
}
-ServiceDiscoveryState* AppIdServiceState::add(SfIp const*, IpProtocol, unsigned short, bool, bool)
+ServiceDiscoveryState* AppIdServiceState::add(SfIp const*, IpProtocol,
+ unsigned short, int16_t, uint16_t, bool, bool)
{
return nullptr;
}
static OdpContext stub_odp_ctxt(stub_config, nullptr);
OdpContext* AppIdContext::odp_ctxt = &stub_odp_ctxt;
AppIdSession::AppIdSession(IpProtocol proto, const SfIp* ip, uint16_t, AppIdInspector& inspector,
- OdpContext&) : FlowData(inspector_id, &inspector), config(stub_config),
+ OdpContext&, uint16_t) : FlowData(inspector_id, &inspector), config(stub_config),
protocol(proto), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt)
{
odp_ctxt_version = odp_ctxt.get_version();
AppIdConfig stub_config;
AppIdContext stub_ctxt(stub_config);
OdpContext stub_odp_ctxt(stub_config, nullptr);
-AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector&, OdpContext&)
- : FlowData(0), config(stub_config), api(*(new AppIdSessionApi(this, *ip))),
- odp_ctxt(stub_odp_ctxt) { }
+AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector&,
+ OdpContext&, uint16_t) : FlowData(0), config(stub_config),
+ api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { }
AppIdSession::~AppIdSession() = default;
AppIdDiscovery::~AppIdDiscovery() {}
void ClientDiscovery::initialize() { }
IpProtocol proto = IpProtocol::TCP;
uint16_t port=3000;
- AppIdServiceStateKey A(&ip4, proto, port, 0);
- AppIdServiceStateKey B(&ip6, proto, port, 0);
+ AppIdServiceStateKey A(&ip4, proto, port, 0, DAQ_PKTHDR_UNKNOWN, 0);
+ AppIdServiceStateKey B(&ip6, proto, port, 0, DAQ_PKTHDR_UNKNOWN, 0);
// We must never be in a situation where !( A<B ) and !( B<A ),
// because then map will consider A=B.
for( size_t i = 1; i <= num_entries; i++, port++ )
{
const SfIp* ip = ( i%2 == 1 ? &ip4 : &ip6 );
- ss = ServiceCache.add( AppIdServiceStateKey(ip, proto, port, 0) );
+ ss = ServiceCache.add( AppIdServiceStateKey(ip, proto, port, 0, DAQ_PKTHDR_UNKNOWN, 0) );
CHECK_TRUE(ServiceCache.size() == ( i <= max_entries ? i : max_entries));
ssvec.push_back(ss);
}
APPID_SESSION_SERVICE_DETECTED);
asd.clear_session_flags(APPID_SESSION_CONTINUE);
if (direction == APP_ID_FROM_INITIATOR)
- {
- asd.service_ip = *p->ptrs.ip_api.get_dst();
- asd.service_port = p->ptrs.dp;
- }
+ asd.set_service_info(*(p->ptrs.ip_api.get_dst()), p->ptrs.dp,
+ p->get_egress_group());
else
- {
- asd.service_ip = *p->ptrs.ip_api.get_src();
- asd.service_port = p->ptrs.sp;
- }
+ asd.set_service_info(*(p->ptrs.ip_api.get_src()), p->ptrs.sp,
+ p->get_ingress_group());
}
}
else if (asd.get_session_flags(APPID_SESSION_SSL_SESSION) && asd.tsession)
int protocol;
SfIp scanner;
SfIp scanned;
+ int16_t group;
+ uint16_t asid;
};
PADDING_GUARD_END
return false;
ps_pkt->proto = key.protocol;
+ key.asid = p->pkth->address_space_id;
/*
** Let's lookup the host that is being scanned, taking into account
key.scanner.clear();
if (ps_pkt->reverse_pkt)
+ {
key.scanned = *p->ptrs.ip_api.get_src();
+ key.group = p->get_ingress_group();
+ }
else
+ {
key.scanned = *p->ptrs.ip_api.get_dst();
+ key.group = p->get_egress_group();
+ }
*scanned = ps_tracker_get(&key);
}
key.scanned.clear();
if (ps_pkt->reverse_pkt)
+ {
key.scanner = *p->ptrs.ip_api.get_dst();
+ key.group = p->get_egress_group();
+ }
else
+ {
key.scanner = *p->ptrs.ip_api.get_src();
+ key.group = p->get_ingress_group();
+ }
*scanner = ps_tracker_get(&key);
}
uint16_t get_flow_vlan_id() const;
+ int16_t get_ingress_group() const
+ {
+ if (is_inter_group_flow())
+ return pkth->ingress_group;
+
+ return DAQ_PKTHDR_UNKNOWN;
+ }
+
+ int16_t get_egress_group() const
+ {
+ if (is_inter_group_flow())
+ return pkth->egress_group;
+
+ return DAQ_PKTHDR_UNKNOWN;
+ }
+
private:
bool allocated;
};
key.mplsLabel = flow_key->mplsLabel;
key.port_l = flow_key->port_l;
key.port_h = flow_key->port_h;
+ key.group_l = flow_key->group_l;
+ key.group_h = flow_key->group_h;
key.vlan_tag = flow_key->vlan_tag;
key.addressSpaceId = flow_key->addressSpaceId;
key.ip_protocol = flow_key->ip_protocol;
uint32_t cip[4];
uint32_t sip[4];
uint64_t sid;
- uint64_t padding;
+ int16_t cgroup;
+ int16_t sgroup;
+ uint16_t asid;
+ uint16_t padding;
bool operator== (const Smb2SidHashKey &other) const
{
sip[0] == other.sip[0] and
sip[1] == other.sip[1] and
sip[2] == other.sip[2] and
- sip[3] == other.sip[3]);
+ sip[3] == other.sip[3] and
+ cgroup == other.cgroup and
+ sgroup == other.sgroup and
+ asid == other.asid);
}
};
uint32_t mplsLabel;
uint16_t port_l; /* Low Port - 0 if ICMP */
uint16_t port_h; /* High Port - 0 if ICMP */
+ int16_t group_l;
+ int16_t group_h;
uint16_t vlan_tag;
uint16_t addressSpaceId;
uint8_t ip_protocol;
mplsLabel == other.mplsLabel and
port_l == other.port_l and
port_h == other.port_h and
+ group_l == other.group_l and
+ group_h == other.group_h and
vlan_tag == other.vlan_tag and
addressSpaceId == other.addressSpaceId and
ip_protocol == other.ip_protocol and
{
size_t operator() (const SmbFlowKey& key) const
{
- return do_hash((const uint32_t*)&key);
+ return do_hash_flow_key((const uint32_t*)&key);
}
size_t operator() (const Smb2SidHashKey& key) const
return c;
}
+ size_t do_hash_flow_key(const uint32_t* d) const
+ {
+ uint32_t a, b, c;
+ a = b = c = SMB_KEY_HASH_HARDENER;
+ a += d[0]; b += d[1]; c += d[2]; mix(a, b, c);
+ a += d[3]; b += d[4]; c += d[5]; mix(a, b, c);
+ a += d[6]; b += d[7]; c += d[8]; mix(a, b, c);
+ a += d[9]; b += d[10]; c += d[11]; mix(a, b, c);
+ a += d[12]; finalize(a, b, c);
+ return c;
+ }
+
inline uint32_t rot(uint32_t x, unsigned k) const
{ return (x << k) | (x >> (32 - k)); }
#include "dce_smb_utils.h"
#include "dce_smb2_utils.h"
#include "detection/detection_util.h"
+#include "flow/flow_key.h"
#include "main/snort_debug.h"
using namespace snort;
memcpy(key.cip, flow->client_ip.get_ip6_ptr(), 4*sizeof(uint32_t));
memcpy(key.sip, flow->server_ip.get_ip6_ptr(), 4*sizeof(uint32_t));
key.sid = sid;
+ key.cgroup = flow->client_group;
+ key.sgroup = flow->server_group;
+ key.asid = flow->key->addressSpaceId;
key.padding = 0;
return key;
}
projects / thirdparty / snort3.git / commitdiff
