Merge in SNORT/snort3 from ~UMASHARM/snort3:ssh to master
Squashed commit of the following:
commit
4e2f347496653738e8aaac683b157664ce24fceb
Author: Umang Sharma <umasharm@cisco.com>
Date: Wed Jun 21 22:14:38 2023 -0400
appid: Early detection of ssh and ignoring NAVL detection
#define APPID_SESSION_OPPORTUNISTIC_TLS (1ULL << 44)
#define APPID_SESSION_FIRST_PKT_CACHE_MATCHED (1ULL << 45)
#define APPID_SESSION_DO_NOT_DECRYPT (1ULL << 46)
+#define APPID_SESSION_EARLY_SSH_DETECTED (1ULL << 47)
#define APPID_SESSION_IGNORE_ID_FLAGS \
(APPID_SESSION_FUTURE_FLOW | \
APPID_SESSION_NOT_A_SERVICE | \
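Review bot: The new APPID_SESSION_EARLY_SSH_DETECTED bit carries no comment on who sets and clears it, and unlike its neighbours the name alone does not say; from the rest of this commit it appears to be set in the third-party validation path and cleared by the SSH event handler after it publishes, so the header is where a reader would look for that contract. Suggest `// transient per-flow marker: set when KEXINIT validation identifies SSH, cleared by the SSH event handler once the early detection is published` on the line above the define. Leaving it out of APPID_SESSION_IGNORE_ID_FLAGS looks intentional for a transient marker, but that is worth one clause in the same comment.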
if (fd->finished)
return;
+ AppidChangeBits change_bits;
+
switch(ssh_event.get_event_type())
{
case SSH_VERSION_STRING:
- if (!handle_protocol(ssh_event, fd) and appidDebug->is_active())
+ if (handle_protocol(ssh_event, fd))
+ {
+ if (asd->get_session_flags(APPID_SESSION_EARLY_SSH_DETECTED))
+ {
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Early detection of SSH\n", appidDebug->get_debug_session());
+ handle_success(*data, ssh_event, *asd, change_bits);
+ asd->publish_appid_event(change_bits, *ssh_event.get_packet());
+ asd->clear_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);
+ }
+ }
+ else if (appidDebug->is_active())
LogMessage("AppIdDbg %s SSH event handler received unsupported protocol %s\n",
appidDebug->get_debug_session(), ssh_event.get_version_str().c_str());
+
break;
case SSH_VALIDATION:
- AppidChangeBits change_bits;
switch (ssh_event.get_validation_result())
{
case SSH_VALID_KEXINIT:
{
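Review bot: The new early-detection branch under SSH_VERSION_STRING has no comment explaining why publication happens on the version-string event rather than where the flag is set, and the marker is only cleared on the success path, so a reader cannot tell whether an unsupported version string leaving the flag set is intended. Suggest a comment above the `if (asd->get_session_flags(APPID_SESSION_EARLY_SSH_DETECTED))` line such as `// Flag was set by KEXINIT validation; publish now that the version string is available, then drop the marker so the event fires once. If handle_protocol() fails the marker survives and a later version string may still publish.` The hoisted `AppidChangeBits change_bits;` is shared by both cases but each handler call processes one event, so that change looks behavior-neutral. The enclosing handler continues past this hunk.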
AppId tp_app_id = asd.get_tp_app_id();
- if (tp_app_id == APP_ID_SSH && asd.get_payload_id() != APP_ID_SFTP &&
+ if ((tp_app_id == APP_ID_SSH or asd.get_service_id() == APP_ID_SSH) && asd.get_payload_id() != APP_ID_SFTP &&
asd.session_packet_count >= MIN_SFTP_PACKET_COUNT &&
asd.session_packet_count < MAX_SFTP_PACKET_COUNT)
{
assert(hsession);
}
+ if (tp_app_id == APP_ID_SSH)
+ {
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Setting the ignore and early detection flag\n",
+ appidDebug->get_debug_session());
+ asd.get_odp_ctxt().get_app_info_mgr().set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE);
+ asd.set_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);
+ }
+
unsigned app_info_flags = asd.get_odp_ctxt().get_app_info_mgr().get_app_info_flags(tp_app_id,
APPINFO_FLAG_TP_CLIENT | APPINFO_FLAG_IGNORE );
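Review bot: `set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE)` on the new side mutates the app-info entry for APP_ID_SSH from the per-flow validation path, so a configuration-level decision (ignore third-party SSH results) is re-applied by every flow that reaches KEXINIT; if the ODP context's app-info table is shared between packet threads, that is an unsynchronized write racing with the `get_app_info_flags(tp_app_id, ...)` read that follows it on other threads (I cannot confirm the table's ownership from here). If the intent is that third-party SSH detection is always ignored once this feature is present, applying the flag once when the ODP context is loaded and keeping only `asd.set_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);` here would be cheaper and race-free. Separately, the widened condition now also accepts `asd.get_service_id() == APP_ID_SSH`, but the new block still tests only `tp_app_id == APP_ID_SSH` and the flags lookup keys on `tp_app_id`, so when only the service id matched the marker is never set and the flags queried belong to whatever app the third-party engine reported; a comment stating that this asymmetry is intended would help. The enclosing function continues past this hunk.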