appid: restart inspection for ssl session inside http tunnel
authorSreeja Athirkandathil Narayanan <sathirka@cisco.com>
Thu, 7 Jul 2022 17:29:33 +0000 (13:29 -0400)
committerSreeja Athirkandathil Narayanan <sathirka@cisco.com>
Tue, 26 Jul 2022 17:43:56 +0000 (13:43 -0400)
src/network_inspectors/appid/appid_http_session.h
src/network_inspectors/appid/appid_session.cc
src/network_inspectors/appid/tp_appid_utils.cc

index 2c7d80bacb79b63d01962712f925cf82db98ae79..2697b5280c59a398535e974644ba9788b982d24a 100644 (file)
@@ -147,6 +147,15 @@ public:
         return rcvd_full_req_body;
     }
 
+    void set_tunnel(bool tunnel)
+    {
+        is_tunnel = tunnel;
+    }
+
+    bool get_tunnel()
+    {
+        return is_tunnel;
+    }
 protected:
 
     void init_chp_match_descriptor(ChpMatchDescriptor& cmd);
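Review bot: `get_tunnel()` only reads `is_tunnel` but is not declared `const`, so it cannot be called through a const `AppIdHttpSession` reference or pointer; declare it as `bool get_tunnel() const`. The added accessors also run straight into `protected:` without the blank line that separates the other members in this section. A one-line comment on the setter would help, for example `// true once the responder's 200 reply to CONNECT has been seen`, because the name alone does not say when the flag is set.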
@@ -187,6 +196,7 @@ protected:
     uint32_t http2_stream_id = 0;
     bool is_payload_processed = false;
     bool rcvd_full_req_body = false;
+    bool is_tunnel = false;
 };
 
 #endif
index 07130602b07c9367710b812837b937e21eb21815..c58def34bbd276db0d9e689de99ff72b6ee82468 100644 (file)
@@ -411,6 +411,10 @@ void AppIdSession::check_tunnel_detection_restart()
     if (tp_payload_app_id != APP_ID_HTTP_TUNNEL or get_session_flags(APPID_SESSION_HTTP_TUNNEL))
         return;
 
+    AppIdHttpSession* hsession = get_http_session();
+    if (!hsession or !hsession->get_tunnel())
+        return;
+
     if (appidDebug->is_active())
         LogMessage("AppIdDbg %s Found HTTP Tunnel, restarting app Detection\n",
             appidDebug->get_debug_session());
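Review bot: The new early return on `!hsession->get_tunnel()` skips the restart silently, while the path that does restart logs under `appidDebug->is_active()`. Since the restart now depends on a flag set in another file (tp_appid_utils.cc), a comment above the check such as `// restart only after do_tp_discovery has seen the responder's 200 status line` would make the ordering explicit. A matching debug line on the skip path would also help when diagnosing sessions that stay classified as HTTP tunnel. The body of check_tunnel_detection_restart continues outside this hunk.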
@@ -880,8 +884,13 @@ AppId AppIdSession::pick_ss_payload_app_id(AppId service_id) const
         tmp_id = api.hsessions[0]->payload.get_id();
     if (tmp_id > APP_ID_NONE)
     {
-        if (tmp_id == APP_ID_HTTP_TUNNEL and tp_payload_app_id > APP_ID_NONE)
-            return tp_payload_app_id;
+        if (tmp_id == APP_ID_HTTP_TUNNEL)
+        {
+            if (api.payload.get_id() > APP_ID_NONE)
+                return api.payload.get_id();
+            else if (tp_payload_app_id > APP_ID_NONE)
+                return tp_payload_app_id;
+        }
         else
             return tmp_id;
     }
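Review bot: When `tmp_id == APP_ID_HTTP_TUNNEL` and neither `api.payload.get_id()` nor `tp_payload_app_id` is above `APP_ID_NONE`, control now falls out of the `if (tmp_id > APP_ID_NONE)` block. The removed code returned `tmp_id` through the `else` in that case. The rest of pick_ss_payload_app_id is outside the hunk, so whether this fall-through is intended cannot be confirmed from here. If it is, say so with a comment such as `// no inner payload yet: fall through to the selection below`; if not, add `return tmp_id;` as the last statement inside the new braces.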
index 9133bd81e8417b217a38397bda8a9f9936461d7e..b0119bf5871352a2dc7247442aabaaf30232ee8d 100644 (file)
@@ -42,6 +42,8 @@
 #include "tp_appid_utils.h"
 #include "tp_lib_handler.h"
 
+#define HTTP_CONNECT_RESPONSE_LEN 13
+
 using namespace std;
 using namespace snort;
 
@@ -655,6 +657,14 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
 
             hsession->process_http_packet(direction, change_bits, asd.get_odp_ctxt().get_http_matchers());
 
+            if (!hsession->get_tunnel() and (direction == APP_ID_FROM_RESPONDER)
+                and asd.get_tp_payload_app_id() == APP_ID_HTTP_TUNNEL)
+            {
+                if ((p->dsize >= HTTP_CONNECT_RESPONSE_LEN) and
+                    !strncasecmp((const char*)p->data, "HTTP/1.1 200 ", HTTP_CONNECT_RESPONSE_LEN))
+                    hsession->set_tunnel(true);
+            }
+
             if (asd.get_tp_app_id() == APP_ID_HTTP and
                 !asd.get_session_flags(APPID_SESSION_APP_REINSPECT) and
                 asd.is_tp_appid_available())
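Review bot: The tunnel flag is set only when the responder payload begins with the exact prefix `"HTTP/1.1 200 "`, so a proxy that answers CONNECT with an `HTTP/1.0` status line or another 2xx code leaves `is_tunnel` false. Because check_tunnel_detection_restart now returns early without that flag, such a session would presumably never be re-inspected and the inner SSL traffic would keep the HTTP tunnel classification. If those replies should count, match the version and the status class separately as sketched below; otherwise document the assumption next to the check. `HTTP_CONNECT_RESPONSE_LEN` is also tied to the literal's length by hand, so a `sizeof`-derived constant next to the string would keep the two in step. The enclosing do_tp_discovery starts and ends outside this hunk.

```cpp
// … unchanged: hsession->process_http_packet(...) …
if (!hsession->get_tunnel() and (direction == APP_ID_FROM_RESPONDER)
    and asd.get_tp_payload_app_id() == APP_ID_HTTP_TUNNEL)
{
    // Accept "HTTP/1.x 2yy " so HTTP/1.0 proxies and other 2xx replies also mark the tunnel.
    const char* status = (const char*)p->data;
    if ((p->dsize >= HTTP_CONNECT_RESPONSE_LEN) and
        !strncasecmp(status, "HTTP/1.", 7) and
        (status[7] == '0' or status[7] == '1') and status[8] == ' ' and
        status[9] == '2' and isdigit((unsigned char)status[10]) and
        isdigit((unsigned char)status[11]) and status[12] == ' ')
        hsession->set_tunnel(true);
}
// … unchanged: APP_ID_HTTP reinspect check …
```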