#define STREAM_STATE_IGNORE 0x1000
#define STREAM_STATE_NO_PICKUP 0x2000
-// FIXIT-L: move to appid class if/when the application ids array
+// FIXIT-L move to appid class if/when the application ids array
// is moved
typedef int32_t AppId;
enum AppProtoIdIndex
#define UNIFIED2_IDS_EVENT_VLAN 104
#define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
#define UNIFIED2_EXTRA_DATA 110
+#define UNIFIED2_IDS_EVENT_APPSTAT 113
/* Data structure used for serialization of Unified2 Records */
typedef struct _Serial_Unified2_Header
#include "hash/sfxhash.h"
#include "time/packet_time.h"
#include "log/messages.h"
-
#include "application_ids.h"
static AFActKey master_key;
ErrorMessage("LuaDetectorApi:Failed to add AFElement for appId %d", indicator);
}
-static inline void rekeyMasterAFActKey(Packet* p, int dir, ApplicationId forecast)
+static inline void rekey_master_AF_key(Packet* p, int dir, ApplicationId forecast)
{
const sfip_t* src = dir ? p->ptrs.ip_api.get_dst() : p->ptrs.ip_api.get_src();
master_key.forecast = forecast;
}
-void checkSessionForAFIndicator(Packet* p, int dir, ApplicationId indicator)
+void check_session_for_AF_indicator(Packet* p, int dir, ApplicationId indicator)
{
AFElement* ind_element;
if (!(ind_element = (AFElement*)sfxhash_find(AF_indicators, &indicator)))
return;
- rekeyMasterAFActKey(p, dir, ind_element->forecast);
+ rekey_master_AF_key(p, dir, ind_element->forecast);
AFActVal* test_active_value;
if ((test_active_value = (AFActVal*)sfxhash_find(AF_actives, &master_key)))
sfxhash_add(AF_actives, &master_key, &new_active_value);
}
-AppId checkSessionForAFForecast(AppIdSession* session, Packet* p, int dir, ApplicationId forecast)
+AppId check_session_for_AF_forecast(AppIdSession* asd, Packet* p, int dir, ApplicationId forecast)
{
AFActVal* check_act_val;
- rekeyMasterAFActKey(p, dir, forecast);
+ rekey_master_AF_key(p, dir, forecast);
//get out if there is no value
if (!(check_act_val = (AFActVal*)sfxhash_find(AF_actives, &master_key)))
return APP_ID_UNKNOWN;
}
- session->payload_app_id = check_act_val->target;
+ asd->payload_app_id = check_act_val->target;
return forecast;
}
#include <time.h>
#include "appid_api.h"
-#include "appid_config.h"
#include "protocols/packet.h"
#include "appid_session.h"
int init_appid_forecast();
void clean_appid_forecast();
-void add_af_indicator(ApplicationId indicator, ApplicationId forecast, ApplicationId target );
-
-void checkSessionForAFIndicator(Packet*, int, ApplicationId);
-AppId checkSessionForAFForecast(AppIdSession*, Packet*, int, ApplicationId);
+void add_af_indicator(ApplicationId, ApplicationId, ApplicationId);
+void check_session_for_AF_indicator(Packet*, int, ApplicationId);
+AppId check_session_for_AF_forecast(AppIdSession*, Packet*, int, ApplicationId);
#endif
#endif
#include "application_ids.h"
-
#include "log/messages.h"
-#include "hash/sfghash.h"
#include "main/snort_debug.h"
-#include "target_based/snort_protocols.h"
#include "utils/util.h"
+#include "service_plugins/service_util.h"
#define MAX_TABLE_LINE_LEN 1024
#define CONF_SEPARATORS "\t\n\r"
#define MIN_MAX_TP_FLOW_DEPTH 1
#define MAX_MAX_TP_FLOW_DEPTH 1000000
-struct DynamicArray
-{
- AppInfoTableEntry** table;
- size_t indexStart;
- size_t indexCurrent;
- size_t usedCount;
- size_t allocatedCount;
- size_t stepSize;
-};
-
-static AppInfoTableEntry* AppInfoList = nullptr;
-static AppInfoTableEntry* AppInfoTable[SF_APPID_MAX] = { nullptr };
-static AppInfoTableEntry* AppInfoTableByService[SF_APPID_MAX] = { nullptr };
-static AppInfoTableEntry* AppInfoTableByClient[SF_APPID_MAX] = { nullptr };
-static AppInfoTableEntry* AppInfoTableByPayload[SF_APPID_MAX] = { nullptr };
-static SFGHASH* AppNameHash = nullptr;
-static THREAD_LOCAL DynamicArray* AppInfoTableDyn = nullptr;
-
-static inline DynamicArray* dynamicArrayCreate(unsigned indexStart)
-{
- DynamicArray* array;
-
- array = (DynamicArray*)snort_calloc(sizeof(DynamicArray));
- array->stepSize = 1;
- array->indexStart = indexStart;
- return array;
-}
-
-static inline void dynamicArrayDestroy(DynamicArray* array)
-{
- unsigned i;
- AppInfoTableEntry* entry;
-
- if (!array)
- return;
- for (i = 0; i < array->usedCount; i++)
- {
- entry = array->table[i];
- snort_free(entry->appName);
- snort_free(entry);
- }
-
- // FIXIT - array table is still alloc'ed with calloc/realloc
- free(array->table);
- snort_free(array);
-}
-
-static inline void dynamicArraySetIndex(DynamicArray* array, unsigned index,
- AppInfoTableEntry* data)
-{
- if (index >= array->indexStart && index < (array->indexStart + array->usedCount))
- array->table[index - array->indexStart] = data;
-}
-
-static inline AppInfoTableEntry* dynamicArrayGetIndex(DynamicArray* array, unsigned index)
-{
- // FIXIT-H: appid stats dumped from main thread at snort exit happens after the array has been
- // freed
- if(!array)
- return nullptr;
-
- if (index >= array->indexStart && index < (array->indexStart + array->usedCount))
- return array->table[index - array->indexStart];
- return nullptr;
-}
-
-static inline bool dynamicArrayCreateIndex(DynamicArray* array, unsigned* index)
-{
- if (array->usedCount == array->allocatedCount)
- {
- AppInfoTableEntry** tmp =
- (AppInfoTableEntry**)realloc(array->table,
- (array->allocatedCount + array->stepSize) * sizeof(*tmp));
- if (!tmp)
- {
- return false;
- }
- array->table = tmp;
- array->allocatedCount += array->stepSize;
- }
- *index = array->indexStart + (array->usedCount++);
- return true;
-}
-
-static inline void* dynamicArrayGetFirst(DynamicArray* array)
-{
- AppInfoTableEntry* entry;
- for (array->indexCurrent = 0; array->indexCurrent < array->usedCount; array->indexCurrent++)
- {
- if ((entry = array->table[array->indexCurrent]))
- return entry;
- }
- return nullptr;
-}
-
-static inline void* dynamicArrayGetNext(DynamicArray* array)
-{
- AppInfoTableEntry* entry;
- for (array->indexCurrent++; array->indexCurrent < array->usedCount; array->indexCurrent++)
- {
- if ((entry = array->table[array->indexCurrent]))
- return entry;
- }
- return nullptr;
-}
-
-static SFGHASH* appNameHashInit()
-{
- SFGHASH* appNameHash;
- appNameHash = sfghash_new(65, 0, 0 /* alloc copies of lowercased keys */, nullptr);
- return appNameHash;
-}
-
-void appNameHashFini()
-{
- if (AppNameHash)
- sfghash_delete(AppNameHash);
-}
+static AppInfoTable app_info_table;
+static AppInfoTable app_info_service_table;
+static AppInfoTable app_info_client_table;
+static AppInfoTable app_info_payload_table;
+static AppInfoNameTable app_info_name_table;
+static AppId next_custom_appid = SF_APPID_DYNAMIC_MIN;
+static AppInfoTable custom_app_info_table;
static inline char* strdupToLower(const char* source)
{
return dest;
}
-static void appNameHashAdd(SFGHASH* appNameHash, const char* appName, void* data)
+static bool is_existing_entry(AppInfoTableEntry* entry)
{
- char* searchName;
- int errCode;
+ AppInfoNameTable::iterator app;
- if (!appName || !appNameHash)
- return;
-
- searchName = strdupToLower(appName);
- if (SFGHASH_OK == (errCode = sfghash_add(appNameHash, searchName, data)))
- {
- DebugFormat(DEBUG_INSPECTOR, "App name added for %s\n", appName);
- }
- else if (SFGHASH_INTABLE == errCode)
- {
- /* Note that, although this entry is not placed in the hash table,
- being a duplicate, it remains in the list of allocated entries
- for cleanup by appInfoTableFini() */
-
- // Rediscover the existing, hashed entry for the purpose of a complete error message.
- AppInfoTableEntry* tableEntry = (AppInfoTableEntry*)sfghash_find(appNameHash, searchName);
-
- if (tableEntry)
- {
- ErrorMessage("App name, \"%s\", is a duplicate of \"%s\" and has been ignored.\n",
- appName, tableEntry->appName);
- }
- else
- {
- ErrorMessage("App name, \"%s\", has been ignored. Hash key \"%s\" is not unique.\n",
- appName, searchName);
- }
- }
- snort_free(searchName);
+ app = app_info_name_table.find(entry->app_name_key);
+ return app != app_info_name_table.end();
}
-static void* appNameHashFind(SFGHASH* appNameHash, const char* appName)
+static AppInfoTableEntry* find_app_info_by_name(const char* app_name)
{
- void* data;
- char* searchName;
-
- if (!appName || !appNameHash)
- return nullptr;
+ AppInfoTableEntry* entry = nullptr;
+ AppInfoNameTable::iterator app;
+ const char* search_name = strdupToLower(app_name);
- searchName = strdupToLower(appName);
- data = sfghash_find(appNameHash, searchName);
- snort_free(searchName);
+ app = app_info_name_table.find(search_name);
+ if( app != app_info_name_table.end() )
+ entry = app->second;
- return data;
+ snort_free((void*)search_name);
+ return entry;
}
-// End of appName hash
-
-static void load_appid_config(const char* path);
+static void add_entry_to_app_info_hash(const char* app_name, AppInfoTableEntry* entry)
+{
+ if( !is_existing_entry(entry) )
+ app_info_name_table[app_name] = entry;
+ else
+ WarningMessage("App name, \"%s\"is a duplicate existing entry will be shared by each detector.\n",
+ app_name);
+}
-static AppId getAppIdStaticIndex(AppId appid)
+static AppId get_static_app_info_entry(AppId appid)
{
if (appid > 0 && appid < SF_APPID_BUILDIN_MAX)
return appid;
return 0;
}
-AppInfoTableEntry* appInfoEntryGet(AppId appId)
+AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId appId, const AppInfoTable& lookup_table)
{
AppId tmp;
- if ((tmp = getAppIdStaticIndex(appId)))
- return AppInfoTable[tmp];
- return dynamicArrayGetIndex(AppInfoTableDyn, appId);
-}
+ AppInfoTable::const_iterator app;
-AppInfoTableEntry* appInfoEntryCreate(const char* appName)
-{
- AppId appId;
- AppInfoTableEntry* entry;
-
- if (!appName || strlen(appName) >= MAX_EVENT_APPNAME_LEN)
+ if ((tmp = get_static_app_info_entry(appId)))
{
- ErrorMessage("Appname invalid or too long: %s\n", appName);
- return nullptr;
+ app = lookup_table.find(tmp);
+ if( app != lookup_table.end() )
+ return app->second;
+ else
+ return nullptr;
}
-
- entry = static_cast<decltype(entry)>(appNameHashFind(AppNameHash, appName));
-
- if (!entry)
+ else
{
- if (!dynamicArrayCreateIndex(AppInfoTableDyn, (uint32_t*)&appId))
+ app = custom_app_info_table.find(appId);
+ if( app != custom_app_info_table.end() )
+ return app->second;
+ else
return nullptr;
-
- entry = static_cast<decltype(entry)>(snort_calloc(sizeof(AppInfoTableEntry)));
- entry->appId = appId;
- entry->serviceId = entry->appId;
- entry->clientId = entry->appId;
- entry->payloadId = entry->appId;
- entry->appName = snort_strdup(appName);
- dynamicArraySetIndex(AppInfoTableDyn, appId, entry);
}
- return entry;
}
-void init_dynamic_app_info_table()
+AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId appId)
{
- AppInfoTableDyn = dynamicArrayCreate(SF_APPID_DYNAMIC_MIN);
+ return get_app_info_entry(appId, app_info_table);
}
-void free_dynamic_app_info_table()
+AppInfoTableEntry* AppInfoManager::add_dynamic_app_entry(const char* app_name)
{
- dynamicArrayDestroy(AppInfoTableDyn);
- AppInfoTableDyn = nullptr;
-}
-
-void init_appid_info_table(const char* path)
-{
- FILE* tableFile;
- const char* token;
- char buf[MAX_TABLE_LINE_LEN];
- AppInfoTableEntry* entry;
- AppId appId;
- uint32_t clientId, serviceId, payloadId;
- char filepath[PATH_MAX];
- char* appName;
- char* snortName = nullptr;
- char* context;
-
- snprintf(filepath, sizeof(filepath), "%s/odp/%s", path, APP_MAPPING_FILE);
-
- tableFile = fopen(filepath, "r");
- if (tableFile == nullptr)
+ if (!app_name || strlen(app_name) >= MAX_EVENT_APPNAME_LEN)
{
- ErrorMessage("Could not open RnaAppMapping Table file: %s\n", filepath);
- return;
+ ErrorMessage("Appname invalid or too long: %s\n", app_name);
+ return nullptr;
}
- DebugFormat(DEBUG_INSPECTOR, "AppInfo read from %s\n", filepath);
-
- while (fgets(buf, sizeof(buf), tableFile))
+ custom_app_mutex.lock();
+ AppInfoTableEntry* entry = find_app_info_by_name(app_name);
+ if (!entry)
{
- token = strtok_r(buf, CONF_SEPARATORS, &context);
- if (!token)
- {
- ErrorMessage("Could not read id for Rna Id\n");
- continue;
- }
-
- appId = strtol(token, nullptr, 10);
-
- token = strtok_r(nullptr, CONF_SEPARATORS, &context);
- if (!token)
- {
- ErrorMessage("Could not read appName. Line %s\n", buf);
- continue;
- }
-
- appName = snort_strdup(token);
- token = strtok_r(nullptr, CONF_SEPARATORS, &context);
- if (!token)
- {
- ErrorMessage("Could not read service id for Rna Id\n");
- snort_free(appName);
- continue;
- }
-
- serviceId = strtol(token, nullptr, 10);
-
- token = strtok_r(nullptr, CONF_SEPARATORS, &context);
- if (!token)
- {
- ErrorMessage("Could not read client id for Rna Id\n");
- snort_free(appName);
- continue;
- }
-
- clientId = strtol(token, nullptr, 10);
-
- token = strtok_r(nullptr, CONF_SEPARATORS, &context);
- if (!token)
- {
- ErrorMessage("Could not read payload id for Rna Id\n");
- snort_free(appName);
- continue;
- }
-
- payloadId = strtol(token, nullptr, 10);
-
- /* snort service key, if it exists */
- token = strtok_r(nullptr, CONF_SEPARATORS, &context);
- if (token)
- snortName = snort_strdup(token);
-
- entry = static_cast<decltype(entry)>(snort_calloc(sizeof(AppInfoTableEntry)));
- entry->next = AppInfoList;
- AppInfoList = entry;
- entry->snortId = AddProtocolReference(snortName);
- snort_free(snortName);
- snortName = nullptr;
- entry->appName = appName;
- entry->appId = appId;
- entry->serviceId = serviceId;
- entry->clientId = clientId;
- entry->payloadId = payloadId;
- entry->priority = APP_PRIORITY_DEFAULT;
-
- if ((appId = getAppIdStaticIndex(entry->appId)))
- AppInfoTable[appId] = entry;
- if ((appId = getAppIdStaticIndex(entry->serviceId)))
- AppInfoTableByService[appId] = entry;
- if ((appId = getAppIdStaticIndex(entry->clientId)))
- AppInfoTableByClient[appId] = entry;
- if ((appId = getAppIdStaticIndex(entry->payloadId)))
- AppInfoTableByPayload[appId] = entry;
-
- if (!AppNameHash)
- AppNameHash = appNameHashInit();
-
- appNameHashAdd(AppNameHash, appName, entry);
+ entry = new AppInfoTableEntry(next_custom_appid++, snort_strdup(app_name));
+ entry->app_name_key = strdupToLower(app_name);
+ entry->serviceId = entry->appId;
+ entry->clientId = entry->appId;
+ entry->payloadId = entry->appId;
+ custom_app_info_table[entry->appId] = entry;
+ add_entry_to_app_info_hash(entry->app_name_key, entry);
}
- fclose(tableFile);
-
- /* Configuration defaults. */
- pAppidActiveConfig->mod_config->rtmp_max_packets = 15;
- pAppidActiveConfig->mod_config->mdns_user_reporting = 1;
- pAppidActiveConfig->mod_config->dns_host_reporting = 1;
- pAppidActiveConfig->mod_config->max_tp_flow_depth = 5;
- pAppidActiveConfig->mod_config->http2_detection_enabled = false;
- snprintf(filepath, sizeof(filepath), "%s/odp/%s", path, APP_CONFIG_FILE);
- load_appid_config (filepath);
- snprintf(filepath, sizeof(filepath), "%s/custom/%s", path, USR_CONFIG_FILE);
- load_appid_config (filepath);
+ custom_app_mutex.unlock();
+ return entry;
}
-void cleanup_appid_info_table()
+void AppInfoManager::cleanup_appid_info_table()
{
- AppInfoTableEntry* entry;
+ for (auto& kv: app_info_table)
+ delete(kv.second);
- while ((entry = AppInfoList))
- {
- AppInfoList = entry->next;
- snort_free(entry->appName);
- snort_free(entry);
- }
+ app_info_table.erase(app_info_table.begin(), app_info_table.end());
+
+ for (auto& kv: custom_app_info_table)
+ delete(kv.second);
- appNameHashFini();
+ custom_app_info_table.erase(custom_app_info_table.begin(), custom_app_info_table.end());
+ app_info_name_table.erase(app_info_name_table.begin(), app_info_name_table.end());
}
-void dump_app_info_table()
+void AppInfoManager::dump_app_info_table()
{
- AppInfoTableEntry* entry;
- AppId appId;
-
LogMessage("Cisco provided detectors:\n");
- for (appId = 1; appId < SF_APPID_MAX; appId++)
- {
- entry = AppInfoTable[appId];
- if (entry)
- LogMessage("%s\t%d\t%s\n", entry->appName, entry->appId, (entry->flags &
- APPINFO_FLAG_ACTIVE) ? "active" : "inactive");
- }
+ for (auto& kv: app_info_table)
+ LogMessage("%s\t%d\t%s\n", kv.second->app_name, kv.second->appId,
+ (kv.second->flags & APPINFO_FLAG_ACTIVE) ? "active" : "inactive");
LogMessage("User provided detectors:\n");
- for (entry = (decltype(entry))dynamicArrayGetFirst(AppInfoTableDyn);
- entry;
- entry = (decltype(entry))dynamicArrayGetNext(AppInfoTableDyn))
- {
- LogMessage("%s\t%d\t%s\n", entry->appName, entry->appId, (entry->flags &
- APPINFO_FLAG_ACTIVE) ? "active" : "inactive");
- }
+ for (auto& kv: custom_app_info_table)
+ LogMessage("%s\t%d\t%s\n", kv.second->app_name, kv.second->appId,
+ (kv.second->flags & APPINFO_FLAG_ACTIVE) ? "active" : "inactive");
}
-AppId get_appid_by_service_id(uint32_t appId)
+AppId AppInfoManager::get_appid_by_service_id(uint32_t id)
{
- AppInfoTableEntry* entry;
- AppId tmp;
-
- if ((tmp = getAppIdStaticIndex(appId)))
- entry = AppInfoTableByService[tmp];
- else
- entry = dynamicArrayGetIndex(AppInfoTableDyn, appId);
-
+ AppInfoTableEntry* entry = get_app_info_entry(id, app_info_service_table);
return entry ? entry->appId : APP_ID_NONE;
}
-AppId get_appid_by_client_id(uint32_t appId)
+AppId AppInfoManager::get_appid_by_client_id(uint32_t id)
{
- AppInfoTableEntry* entry;
- AppId tmp;
-
- if ((tmp = getAppIdStaticIndex(appId)))
- entry = AppInfoTableByClient[tmp];
- else
- entry = dynamicArrayGetIndex(AppInfoTableDyn, appId);
-
+ AppInfoTableEntry* entry = get_app_info_entry(id, app_info_client_table);
return entry ? entry->appId : APP_ID_NONE;
}
-AppId get_appid_by_payload_id(uint32_t appId)
+AppId AppInfoManager::get_appid_by_payload_id(uint32_t id)
{
- AppInfoTableEntry* entry;
- AppId tmp;
-
- if ((tmp = getAppIdStaticIndex(appId)))
- entry = AppInfoTableByPayload[tmp];
- else
- entry = dynamicArrayGetIndex(AppInfoTableDyn, appId);
-
+ AppInfoTableEntry* entry = get_app_info_entry(id, app_info_payload_table);
return entry ? entry->appId : APP_ID_NONE;
}
-const char* get_app_name(int32_t appId)
+const char* AppInfoManager::get_app_name(int32_t id)
{
- AppInfoTableEntry* entry;
- AppId tmp;
-
- if ((tmp = getAppIdStaticIndex(appId)))
- entry = AppInfoTable[tmp];
- else
- entry = dynamicArrayGetIndex(AppInfoTableDyn, appId);
-
- return entry ? entry->appName : nullptr;
+ AppInfoTableEntry* entry = get_app_info_entry(id);
+ return entry ? entry->app_name : nullptr;
}
-int32_t get_appid_by_name(const char* appName)
+int32_t AppInfoManager::get_appid_by_name(const char* app_name)
{
- AppInfoTableEntry* entry = (decltype(entry))appNameHashFind(AppNameHash, appName);
- return entry ? entry->appId : 0;
+ AppInfoTableEntry* entry = find_app_info_by_name(app_name);
+ return entry ? entry->appId : APP_ID_NONE;
}
-void set_app_info_active(AppId appId)
+void AppInfoManager::set_app_info_active(AppId appId)
{
- AppInfoTableEntry* entry = nullptr;
- AppId tmp;
-
if (appId == APP_ID_NONE)
return;
- if ((tmp = getAppIdStaticIndex(appId)))
- entry = AppInfoTable[tmp];
- else
- entry = dynamicArrayGetIndex(AppInfoTableDyn, appId);
-
+ AppInfoTableEntry* entry = get_app_info_entry(appId);
if (entry)
entry->flags |= APPINFO_FLAG_ACTIVE;
else
ErrorMessage("AppInfo: AppId %d is UNKNOWN\n", appId);
}
-static void load_appid_config(const char* path)
+void AppInfoManager::load_appid_config(const char* path)
{
FILE* config_file;
char* token;
DebugFormat(DEBUG_INSPECTOR,
"AppId: setting max thirdparty inspection flow depth to %d packets.\n",
max_tp_flow_depth);
- pAppidActiveConfig->mod_config->max_tp_flow_depth = max_tp_flow_depth;
+ AppIdConfig::get_appid_config()->mod_config->max_tp_flow_depth = max_tp_flow_depth;
}
}
else if (!(strcasecmp(conf_key, "tp_allow_probes")))
DebugMessage(DEBUG_INSPECTOR,
"AppId: TCP probes will be analyzed by NAVL.\n");
- pAppidActiveConfig->mod_config->tp_allow_probes = 1;
+ AppIdConfig::get_appid_config()->mod_config->tp_allow_probes = 1;
}
}
else if (!(strcasecmp(conf_key, "tp_client_app")))
DebugFormat(DEBUG_INSPECTOR,
"AppId: if thirdparty reports app %d, we will use it as a client.\n",
atoi(conf_val));
- appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_TP_CLIENT);
+ set_app_info_flags(atoi(conf_val), APPINFO_FLAG_TP_CLIENT);
}
else if (!(strcasecmp(conf_key, "ssl_reinspect")))
{
DebugFormat(DEBUG_INSPECTOR,
"AppId: adding app %d to list of SSL apps that get more granular inspection.\n",
atoi(conf_val));
- appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_SSL_INSPECT);
+ set_app_info_flags(atoi(conf_val), APPINFO_FLAG_SSL_INSPECT);
}
else if (!(strcasecmp(conf_key, "disable_safe_search")))
{
{
DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR,
"AppId: disabling safe search enforcement.\n"); );
- pAppidActiveConfig->mod_config->disable_safe_search = 1;
+ AppIdConfig::get_appid_config()->mod_config->disable_safe_search = 1;
}
}
else if (!(strcasecmp(conf_key, "ssl_squelch")))
DebugFormat(DEBUG_INSPECTOR,
"AppId: adding app %d to list of SSL apps that may open a second SSL connection.\n",
atoi(conf_val));
- appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_SSL_SQUELCH);
+ set_app_info_flags(atoi(conf_val), APPINFO_FLAG_SSL_SQUELCH);
}
else if (!(strcasecmp(conf_key, "defer_to_thirdparty")))
{
DebugFormat(DEBUG_INSPECTOR,
"AppId: adding app %d to list of apps where we should take thirdparty ID over the NDE's.\n",
atoi(conf_val));
- appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_DEFER);
+ set_app_info_flags(atoi(conf_val), APPINFO_FLAG_DEFER);
}
else if (!(strcasecmp(conf_key, "defer_payload_to_thirdparty")))
{
"AppId: adding app %d to list of apps where we should take "
"thirdparty payload ID over the NDE's.\n",
atoi(conf_val));
- appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_DEFER_PAYLOAD);
+ set_app_info_flags(atoi(conf_val), APPINFO_FLAG_DEFER_PAYLOAD);
}
else if (!(strcasecmp(conf_key, "chp_userid")))
{
{
DebugMessage(DEBUG_INSPECTOR,
"AppId: HTTP UserID collection disabled.\n");
- pAppidActiveConfig->mod_config->chp_userid_disabled = 1;
+ AppIdConfig::get_appid_config()->mod_config->chp_userid_disabled = 1;
continue;
}
}
{
DebugMessage(DEBUG_INSPECTOR,
"AppId: HTTP Body header reading disabled.\n");
- pAppidActiveConfig->mod_config->chp_body_collection_disabled = 1;
+ AppIdConfig::get_appid_config()->mod_config->chp_body_collection_disabled = 1;
continue;
}
}
{
DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR,
"AppId: HTTP future flow creation disabled.\n"); );
- pAppidActiveConfig->mod_config->chp_fflow_disabled = 1;
+ AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled = 1;
continue;
}
}
if (!(strcasecmp(conf_val, "disabled")))
{
DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR, "AppId: FTP userID disabled.\n"); );
- pAppidActiveConfig->mod_config->ftp_userid_disabled = 1;
+ AppIdConfig::get_appid_config()->mod_config->ftp_userid_disabled = 1;
continue;
}
}
conf_val = token;
uint8_t temp_val;
temp_val = strtol(conf_val, nullptr, 10);
- appInfoEntryPrioritySet (temp_appid, temp_val);
+ set_app_info_priority (temp_appid, temp_val);
DebugFormat(DEBUG_INSPECTOR,"AppId: %d Setting priority bit %d .\n",
temp_appid, temp_val);
}
{
if (!(strcasecmp(conf_val, "disabled")))
{
- pAppidActiveConfig->mod_config->referred_appId_disabled = 1;
+ AppIdConfig::get_appid_config()->mod_config->referred_appId_disabled = 1;
continue;
}
- else if (!pAppidActiveConfig->mod_config->referred_appId_disabled)
+ else if (!AppIdConfig::get_appid_config()->mod_config->referred_appId_disabled)
{
referred_app_index=0;
referred_app_index += sprintf(referred_app_list, "%d ", atoi(conf_val));
- appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_REFERRED);
+ set_app_info_flags(atoi(conf_val), APPINFO_FLAG_REFERRED);
while ((token = strtok_r(nullptr, CONF_SEPARATORS, &context)) != nullptr)
{
referred_app_index += sprintf(referred_app_list+referred_app_index, "%d ",
atoi(token));
- appInfoEntryFlagSet(atoi(token), APPINFO_FLAG_REFERRED);
+ set_app_info_flags(atoi(token), APPINFO_FLAG_REFERRED);
}
DebugFormat(DEBUG_INSPECTOR,
"AppId: adding appIds to list of referred web apps: %s\n",
}
else if (!(strcasecmp(conf_key, "rtmp_max_packets")))
{
- pAppidActiveConfig->mod_config->rtmp_max_packets = atoi(conf_val);
+ AppIdConfig::get_appid_config()->mod_config->rtmp_max_packets = atoi(conf_val);
}
else if (!(strcasecmp(conf_key, "mdns_user_report")))
{
- pAppidActiveConfig->mod_config->mdns_user_reporting = atoi(conf_val);
+ AppIdConfig::get_appid_config()->mod_config->mdns_user_reporting = atoi(conf_val);
}
else if (!(strcasecmp(conf_key, "dns_host_report")))
{
- pAppidActiveConfig->mod_config->dns_host_reporting = atoi(conf_val);
+ AppIdConfig::get_appid_config()->mod_config->dns_host_reporting = atoi(conf_val);
}
else if (!(strcasecmp(conf_key, "chp_body_max_bytes")))
{
- pAppidActiveConfig->mod_config->chp_body_collection_max = atoi(conf_val);
+ AppIdConfig::get_appid_config()->mod_config->chp_body_collection_max = atoi(conf_val);
}
else if (!(strcasecmp(conf_key, "ignore_thirdparty_appid")))
{
LogMessage("AppId: adding app %d to list of ignore thirdparty apps.\n", atoi(
conf_val));
- appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_IGNORE);
+ set_app_info_flags(atoi(conf_val), APPINFO_FLAG_IGNORE);
}
else if (!(strcasecmp(conf_key, "http2_detection")))
{
if (!(strcasecmp(conf_val, "disabled")))
{
LogMessage("AppId: disabling internal HTTP/2 detection.\n");
- pAppidActiveConfig->mod_config->http2_detection_enabled = false;
+ AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = false;
}
else if (!(strcasecmp(conf_val, "enabled")))
{
LogMessage("AppId: enabling internal HTTP/2 detection.\n");
- pAppidActiveConfig->mod_config->http2_detection_enabled = true;
+ AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = true;
}
else
{
fclose(config_file);
}
+void AppInfoManager::init_appid_info_table(const char* path)
+{
+ FILE* tableFile;
+ const char* token;
+ char buf[MAX_TABLE_LINE_LEN];
+ AppInfoTableEntry* entry;
+ AppId appId;
+ uint32_t clientId, serviceId, payloadId;
+ char filepath[PATH_MAX];
+ char* app_name;
+ char* snortName = nullptr;
+ char* context;
+
+ snprintf(filepath, sizeof(filepath), "%s/odp/%s", path, APP_MAPPING_FILE);
+
+ tableFile = fopen(filepath, "r");
+ if (tableFile == nullptr)
+ {
+ ErrorMessage("Could not open RnaAppMapping Table file: %s\n", filepath);
+ return;
+ }
+
+ DebugFormat(DEBUG_INSPECTOR, "AppInfo read from %s\n", filepath);
+
+ while (fgets(buf, sizeof(buf), tableFile))
+ {
+ token = strtok_r(buf, CONF_SEPARATORS, &context);
+ if (!token)
+ {
+ ErrorMessage("Could not read id for Rna Id\n");
+ continue;
+ }
+
+ appId = strtol(token, nullptr, 10);
+
+ token = strtok_r(nullptr, CONF_SEPARATORS, &context);
+ if (!token)
+ {
+ ErrorMessage("Could not read app_name. Line %s\n", buf);
+ continue;
+ }
+
+ app_name = snort_strdup(token);
+ token = strtok_r(nullptr, CONF_SEPARATORS, &context);
+ if (!token)
+ {
+ ErrorMessage("Could not read service id for Rna Id\n");
+ snort_free(app_name);
+ continue;
+ }
+
+ serviceId = strtol(token, nullptr, 10);
+
+ token = strtok_r(nullptr, CONF_SEPARATORS, &context);
+ if (!token)
+ {
+ ErrorMessage("Could not read client id for Rna Id\n");
+ snort_free(app_name);
+ continue;
+ }
+
+ clientId = strtol(token, nullptr, 10);
+
+ token = strtok_r(nullptr, CONF_SEPARATORS, &context);
+ if (!token)
+ {
+ ErrorMessage("Could not read payload id for Rna Id\n");
+ snort_free(app_name);
+ continue;
+ }
+
+ payloadId = strtol(token, nullptr, 10);
+
+ /* snort service key, if it exists */
+ token = strtok_r(nullptr, CONF_SEPARATORS, &context);
+ if (token)
+ snortName = snort_strdup(token);
+
+ entry = new AppInfoTableEntry(appId, app_name);
+ entry->snortId = add_appid_protocol_reference(snortName);
+ snort_free(snortName);
+ snortName = nullptr;
+ entry->app_name_key = strdupToLower(app_name);
+ entry->serviceId = serviceId;
+ entry->clientId = clientId;
+ entry->payloadId = payloadId;
+
+ if ((appId = get_static_app_info_entry(entry->appId)))
+ app_info_table[appId] = entry;
+ if ((appId = get_static_app_info_entry(entry->serviceId)))
+ app_info_service_table[appId] = entry;
+ if ((appId = get_static_app_info_entry(entry->clientId)))
+ app_info_client_table[appId] = entry;
+ if ((appId = get_static_app_info_entry(entry->payloadId)))
+ app_info_payload_table[appId] = entry;
+
+ add_entry_to_app_info_hash(entry->app_name_key, entry);
+ }
+ fclose(tableFile);
+
+ /* Configuration defaults. */
+ AppIdConfig::get_appid_config()->mod_config->rtmp_max_packets = 15;
+ AppIdConfig::get_appid_config()->mod_config->mdns_user_reporting = 1;
+ AppIdConfig::get_appid_config()->mod_config->dns_host_reporting = 1;
+ AppIdConfig::get_appid_config()->mod_config->max_tp_flow_depth = 5;
+ AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = false;
+
+ snprintf(filepath, sizeof(filepath), "%s/odp/%s", path, APP_CONFIG_FILE);
+ load_appid_config (filepath);
+ snprintf(filepath, sizeof(filepath), "%s/custom/%s", path, USR_CONFIG_FILE);
+ load_appid_config (filepath);
+}
+
#define APP_INFO_TABLE_H
#include <cstdint>
+#include <map>
+#include <mutex>
+#include "application_ids.h"
#include "appid_api.h"
#include "appid_config.h"
+#include "utils/util.h"
#define APP_PRIORITY_DEFAULT 2
APPINFO_FLAG_SUPPORTED_SEARCH = (1<<14)
};
-struct AppInfoTableEntry
+class AppInfoTableEntry
{
- AppInfoTableEntry* next;
- AppId appId;
- uint32_t serviceId;
- uint32_t clientId;
- uint32_t payloadId;
- int16_t snortId;
- uint32_t flags;
- const RNAClientAppModule* clntValidator;
- const RNAServiceElement* svrValidator;
- uint32_t priority;
- char* appName;
+public:
+ AppInfoTableEntry(AppId id, char* name)
+ : appId(id), app_name(name)
+ {
+
+ }
+
+ ~AppInfoTableEntry()
+ {
+ if( app_name )
+ snort_free(app_name);
+ if( app_name_key )
+ snort_free(app_name_key);
+ }
+
+ AppId appId = APP_ID_NONE;
+ uint32_t serviceId = APP_ID_NONE;
+ uint32_t clientId = APP_ID_NONE;
+ uint32_t payloadId = APP_ID_NONE;
+ int16_t snortId = 0;
+ uint32_t flags = 0;
+ uint32_t priority = APP_PRIORITY_DEFAULT;
+ const RNAClientAppModule* clntValidator = nullptr;
+ const RNAServiceElement* svrValidator = nullptr;
+ char* app_name = nullptr;
+ char* app_name_key = nullptr;
};
-void appNameHashFini();
-
-void init_appid_info_table(const char* path);
-void cleanup_appid_info_table();
-void init_dynamic_app_info_table();
-void free_dynamic_app_info_table();
-
-AppInfoTableEntry* appInfoEntryGet(AppId);
-AppInfoTableEntry* appInfoEntryCreate(const char* appName);
-AppId appGetSnortIdFromAppId(AppId);
-AppId get_appid_by_service_id(uint32_t appId);
-AppId get_appid_by_client_id(uint32_t appId);
-AppId get_appid_by_payload_id(uint32_t appId);
-void AppIdDumpStats(int exit_flag);
-void dump_app_info_table();
-void set_app_info_active(AppId);
-const char* get_app_name(int32_t appId);
-int32_t get_appid_by_name(const char* appName);
-
-inline void appInfoEntryFlagSet(AppId appId, unsigned flags)
-{
- AppInfoTableEntry* entry = appInfoEntryGet(appId);
- if ( entry )
- entry->flags |= flags;
-}
-
-inline void appInfoEntryFlagClear(AppId appId, unsigned flags)
-{
- AppInfoTableEntry* entry = appInfoEntryGet(appId);
- if ( entry )
- entry->flags &= (~flags);
-}
+typedef std::map<AppId, AppInfoTableEntry*> AppInfoTable;
+typedef std::map<std::string, AppInfoTableEntry*> AppInfoNameTable;
-inline unsigned appInfoEntryFlagGet(AppId app_id, unsigned flags)
+class AppInfoManager
{
- AppInfoTableEntry* entry = appInfoEntryGet(app_id);
- return entry ? entry->flags & flags : 0;
-}
+public:
+ ~AppInfoManager() {}
+
+ static AppInfoManager& get_instance()
+ {
+ static AppInfoManager instance;
+ return instance;
+ }
+
+ AppInfoTableEntry* get_app_info_entry(AppId);
+ AppInfoTableEntry* add_dynamic_app_entry(const char* app_name);
+ AppId get_appid_by_service_id(uint32_t);
+ AppId get_appid_by_client_id(uint32_t);
+ AppId get_appid_by_payload_id(uint32_t);
+ void set_app_info_active(AppId);
+ const char* get_app_name(AppId);
+ int32_t get_appid_by_name(const char* app_name);
+
+ void set_app_info_flags(AppId appId, unsigned flags)
+ {
+ AppInfoTableEntry* entry = get_app_info_entry(appId);
+ if ( entry )
+ entry->flags |= flags;
+ }
+
+ void clear_app_info_flags(AppId appId, unsigned flags)
+ {
+ AppInfoTableEntry* entry = get_app_info_entry(appId);
+ if ( entry )
+ entry->flags &= (~flags);
+ }
+
+ unsigned get_app_info_flags(AppId app_id, unsigned flags)
+ {
+ AppInfoTableEntry* entry = get_app_info_entry(app_id);
+ return entry ? entry->flags & flags : 0;
+ }
+
+ void set_app_info_priority(AppId appId, unsigned priority)
+ {
+ AppInfoTableEntry* entry = get_app_info_entry(appId);
+ if ( entry )
+ entry->priority |= priority;
+ }
+
+ unsigned get_app_info_priority(AppId app_id)
+ {
+ AppInfoTableEntry* entry = get_app_info_entry(app_id);
+ return entry ? entry->priority : 0;
+ }
+
+ void init_appid_info_table(const char* path);
+ void cleanup_appid_info_table();
+ void dump_app_info_table();
+
+private:
+ AppInfoManager() {}
+ void load_appid_config(const char* path);
+ AppInfoTableEntry* get_app_info_entry(AppId appId, const AppInfoTable& lookup_table);
+ std::mutex custom_app_mutex;
-inline void appInfoEntryPrioritySet(AppId appId, unsigned priority)
-{
- AppInfoTableEntry* entry = appInfoEntryGet(appId);
- if ( entry )
- entry->priority |= priority;
-}
-
-inline unsigned appInfoEntryPriorityGet(AppId app_id)
-{
- AppInfoTableEntry* entry = appInfoEntryGet(app_id);
- return entry ? entry->priority : 0;
-}
+};
#endif
#ifndef APPID_H
#define APPID_H
-#include "thirdparty_appid_types.h"
-
#define SF_APPID_MAX 40000
#define SF_APPID_BUILDIN_MAX 30000
#define APPID_MAX_PRIORITY 3
#define SF_APPID_CSD_MIN 1000000
#define SF_APPID_DYNAMIC_MIN 2000000
-#define NUMBER_OF_PTYPES 9
+#define NUMBER_OF_PTYPES 9
-// FIXIT-H J stuff like this needs to be defined in config.h
#define RESPONSE_CODE_PACKET_THRESHHOLD 0
-// FIXIT-L J properly scoped enum would be more appropriate
enum APPID_SESSION_DIRECTION
{
APP_ID_FROM_INITIATOR,
APP_ID_APPID_SESSION_DIRECTION_MAX // Maximum value of a direction (must be last in the list)
};
-// FIXIT-M J this doesn't seem appropriate for an enum
enum SERVICE_HOST_INFO_CODE
{
SERVICE_HOST_INFO_NETBIOS_NAME = 1
};
-// FIXIT-M J this should go in a separate header
-#define DHCP_OPTION55_LEN_MAX 255
-
#define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800
#define FINGERPRINT_UDP_FLAGS_NT 0x00001000
#define FINGERPRINT_UDP_FLAGS_MASK (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT)
#include "appid_api.h"
+#include "app_info_table.h"
#include "appid.h"
#include "service_plugins/service_base.h"
#include "app_info_table.h"
const char* AppIdApi::get_application_name(int32_t app_id)
{
- return get_app_name(app_id);
+ return AppInfoManager::get_instance().get_app_name(app_id);
}
AppId AppIdApi::get_application_id(const char* appName)
{
- return get_appid_by_name(appName);
+ return AppInfoManager::get_instance().get_appid_by_name(appName);
}
-AppId AppIdApi::get_service_app_id(AppIdSession* session)
+AppId AppIdApi::get_service_app_id(AppIdSession* asd)
{
- if (session)
- return session->pick_service_app_id();
+ if (asd)
+ return asd->pick_service_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_port_service_app_id(AppIdSession* session)
+AppId AppIdApi::get_port_service_app_id(AppIdSession* asd)
{
- if (session)
- return session->portServiceAppId;
+ if (asd)
+ return asd->portServiceAppId;
return APP_ID_NONE;
}
-AppId AppIdApi::get_only_service_app_id(AppIdSession* session)
+AppId AppIdApi::get_only_service_app_id(AppIdSession* asd)
{
- if (session)
- return session->pick_only_service_app_id();
+ if (asd)
+ return asd->pick_only_service_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_misc_app_id(AppIdSession* session)
+AppId AppIdApi::get_misc_app_id(AppIdSession* asd)
{
- if (session)
- return session->pick_misc_app_id();
+ if (asd)
+ return asd->pick_misc_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_client_app_id(AppIdSession* session)
+AppId AppIdApi::get_client_app_id(AppIdSession* asd)
{
- if (session)
- return session->pick_client_app_id();
+ if (asd)
+ return asd->pick_client_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_payload_app_id(AppIdSession* session)
+AppId AppIdApi::get_payload_app_id(AppIdSession* asd)
{
- if (session)
- return session->pick_payload_app_id();
+ if (asd)
+ return asd->pick_payload_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_referred_app_id(AppIdSession* session)
+AppId AppIdApi::get_referred_app_id(AppIdSession* asd)
{
- if (session)
- return session->pick_referred_payload_app_id();
+ if (asd)
+ return asd->pick_referred_payload_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_fw_service_app_id(AppIdSession* session)
+AppId AppIdApi::get_fw_service_app_id(AppIdSession* asd)
{
- if (session)
- return session->fw_pick_service_app_id();
+ if (asd)
+ return asd->fw_pick_service_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_fw_misc_app_id(AppIdSession* session)
+AppId AppIdApi::get_fw_misc_app_id(AppIdSession* asd)
{
- if (session)
- return session->fw_pick_misc_app_id();
+ if (asd)
+ return asd->fw_pick_misc_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_fw_client_app_id(AppIdSession* session)
+AppId AppIdApi::get_fw_client_app_id(AppIdSession* asd)
{
- if (session)
- return session->fw_pick_client_app_id();
+ if (asd)
+ return asd->fw_pick_client_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_fw_payload_app_id(AppIdSession* session)
+AppId AppIdApi::get_fw_payload_app_id(AppIdSession* asd)
{
- if (session)
- return session->fw_pick_payload_app_id();
+ if (asd)
+ return asd->fw_pick_payload_app_id();
return APP_ID_NONE;
}
-AppId AppIdApi::get_fw_referred_app_id(AppIdSession* session)
+AppId AppIdApi::get_fw_referred_app_id(AppIdSession* asd)
{
- if (session)
- return session->fw_pick_referred_payload_app_id();
+ if (asd)
+ return asd->fw_pick_referred_payload_app_id();
return APP_ID_NONE;
}
-bool AppIdApi::is_ssl_session_decrypted(AppIdSession* session)
+bool AppIdApi::is_ssl_session_decrypted(AppIdSession* asd)
{
- if (session)
- return session->is_ssl_session_decrypted();
+ if (asd)
+ return asd->is_ssl_session_decrypted();
return false;
}
AppIdSession* AppIdApi::get_appid_data(Flow* flow)
{
- AppIdSession* session = (AppIdSession*) flow->get_flow_data(AppIdSession::flow_id);
+ AppIdSession* asd = (AppIdSession*) flow->get_flow_data(AppIdSession::flow_id);
- return (session && session->common.fsf_type.flow_type == APPID_SESSION_TYPE_NORMAL) ?
- session : nullptr;
+ return (asd && asd->common.flow_type == APPID_FLOW_TYPE_NORMAL) ?
+ asd : nullptr;
}
bool AppIdApi::is_appid_inspecting_session(AppIdSession* appIdSession)
{
- if (appIdSession && appIdSession->common.fsf_type.flow_type == APPID_SESSION_TYPE_NORMAL)
+ if (appIdSession && appIdSession->common.flow_type == APPID_FLOW_TYPE_NORMAL)
{
if (appIdSession->rnaServiceState != RNA_STATE_FINISHED ||
!TPIsAppIdDone(appIdSession->tpsession) ||
- appIdSession->getAppIdFlag(APPID_SESSION_HTTP_SESSION | APPID_SESSION_CONTINUE) ||
- (appIdSession->getAppIdFlag(APPID_SESSION_ENCRYPTED) &&
- (appIdSession->getAppIdFlag(APPID_SESSION_DECRYPTED) ||
+ appIdSession->get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_CONTINUE) ||
+ (appIdSession->get_session_flags(APPID_SESSION_ENCRYPTED) &&
+ (appIdSession->get_session_flags(APPID_SESSION_DECRYPTED) ||
appIdSession->session_packet_count < SSL_WHITELIST_PKT_LIMIT)))
{
return true;
}
if (appIdSession->rna_client_state != RNA_STATE_FINISHED &&
- (!appIdSession->getAppIdFlag(APPID_SESSION_CLIENT_DETECTED) ||
+ (!appIdSession->get_session_flags(APPID_SESSION_CLIENT_DETECTED) ||
(appIdSession->rnaServiceState != RNA_STATE_STATEFUL
- && appIdSession->getAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))))
+ && appIdSession->get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))))
{
return true;
}
return false;
}
-char* AppIdApi::get_user_name(AppIdSession* session, AppId* service, bool* isLoginSuccessful)
+char* AppIdApi::get_user_name(AppIdSession* asd, AppId* service, bool* isLoginSuccessful)
{
char* userName = nullptr;
- if (session)
+ if (asd)
{
- userName = session->username;
- *service = session->username_service;
- *isLoginSuccessful = session->getAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED) ? true : false;
- session->username = nullptr; //transfer ownership to caller.
+ userName = asd->username;
+ *service = asd->username_service;
+ *isLoginSuccessful = asd->get_session_flags(APPID_SESSION_LOGIN_SUCCEEDED) ? true : false;
+ asd->username = nullptr; //transfer ownership to caller.
return userName;
}
return nullptr;
}
-bool AppIdApi::is_appid_available(AppIdSession* session)
+bool AppIdApi::is_appid_available(AppIdSession* asd)
{
- if (session)
+ if (asd)
{
- if (session->getAppIdFlag(APPID_SESSION_NO_TPI))
+ if (asd->get_session_flags(APPID_SESSION_NO_TPI))
return true;
- return TPIsAppIdAvailable(session->tpsession);
+ return TPIsAppIdAvailable(asd->tpsession);
}
return false;
}
-char* AppIdApi::get_client_version(AppIdSession* session)
+char* AppIdApi::get_client_version(AppIdSession* asd)
{
- return session ? session->client_version : nullptr;
+ return asd ? asd->client_version : nullptr;
}
-uint64_t AppIdApi::get_appid_session_attribute(AppIdSession* session, uint64_t flags)
+uint64_t AppIdApi::get_appid_session_attribute(AppIdSession* asd, uint64_t flags)
{
- return session ? session->getAppIdFlag(flags) : 0;
+ return asd ? asd->get_session_flags(flags) : 0;
}
-APPID_FLOW_TYPE AppIdApi::get_flow_type(AppIdSession* session)
+APPID_FLOW_TYPE AppIdApi::get_flow_type(AppIdSession* asd)
{
- return session ? session->common.fsf_type.flow_type : APPID_FLOW_TYPE_IGNORE;
+ return asd ? asd->common.flow_type : APPID_FLOW_TYPE_IGNORE;
}
-void AppIdApi::get_service_info(AppIdSession* session, char** serviceVendor, char** serviceVersion,
+void AppIdApi::get_service_info(AppIdSession* asd, char** serviceVendor, char** serviceVersion,
RNAServiceSubtype** serviceSubtype)
{
- if (session)
+ if (asd)
{
- *serviceVendor = session->serviceVendor;
- *serviceVersion = session->serviceVersion;
- *serviceSubtype = session->subtype;
+ *serviceVendor = asd->serviceVendor;
+ *serviceVersion = asd->serviceVersion;
+ *serviceSubtype = asd->subtype;
}
else
{
}
}
-short AppIdApi::get_service_port(AppIdSession* session)
+short AppIdApi::get_service_port(AppIdSession* asd)
{
- if (session)
- return session->service_port;
+ if (asd)
+ return asd->service_port;
return 0;
}
-char* AppIdApi::get_http_user_agent(AppIdSession* session)
+char* AppIdApi::get_http_user_agent(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->useragent;
+ if (asd && asd->hsession)
+ return asd->hsession->useragent;
return nullptr;
}
-char* AppIdApi::get_http_host(AppIdSession* session)
+char* AppIdApi::get_http_host(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->host;
+ if (asd && asd->hsession)
+ return asd->hsession->host;
return nullptr;
}
-char* AppIdApi::get_http_url(AppIdSession* session)
+char* AppIdApi::get_http_url(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->url;
+ if (asd && asd->hsession)
+ return asd->hsession->url;
return nullptr;
}
-char* AppIdApi::get_http_referer(AppIdSession* session)
+char* AppIdApi::get_http_referer(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->referer;
+ if (asd && asd->hsession)
+ return asd->hsession->referer;
return nullptr;
}
-char* AppIdApi::get_http_new_url(AppIdSession* session)
+char* AppIdApi::get_http_new_url(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->new_field[REQ_URI_FID];
+ if (asd && asd->hsession)
+ return asd->hsession->new_field[REQ_URI_FID];
return nullptr;
}
-char* AppIdApi::get_http_uri(AppIdSession* session)
+char* AppIdApi::get_http_uri(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->uri;
+ if (asd && asd->hsession)
+ return asd->hsession->uri;
return nullptr;
}
-char* AppIdApi::get_http_response_code(AppIdSession* session)
+char* AppIdApi::get_http_response_code(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->response_code;
+ if (asd && asd->hsession)
+ return asd->hsession->response_code;
return nullptr;
}
-char* AppIdApi::get_http_cookie(AppIdSession* session)
+char* AppIdApi::get_http_cookie(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->cookie;
+ if (asd && asd->hsession)
+ return asd->hsession->cookie;
return nullptr;
}
-char* AppIdApi::get_http_new_cookie(AppIdSession* session)
+char* AppIdApi::get_http_new_cookie(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->new_field[REQ_COOKIE_FID];
+ if (asd && asd->hsession)
+ return asd->hsession->new_field[REQ_COOKIE_FID];
return nullptr;
}
-char* AppIdApi::get_http_new_field(AppIdSession* session, HTTP_FIELD_ID fieldId)
+char* AppIdApi::get_http_new_field(AppIdSession* asd, HTTP_FIELD_ID fieldId)
{
- if (session && session->hsession && fieldId >= 0 && fieldId <= HTTP_FIELD_MAX)
- return session->hsession->new_field[fieldId];
+ if (asd && asd->hsession && fieldId >= 0 && fieldId <= HTTP_FIELD_MAX)
+ return asd->hsession->new_field[fieldId];
return nullptr;
}
-void AppIdApi::free_http_new_field(AppIdSession* session, HTTP_FIELD_ID fieldId)
+void AppIdApi::free_http_new_field(AppIdSession* asd, HTTP_FIELD_ID fieldId)
{
- if (session && session->hsession && fieldId >= 0 && fieldId <= HTTP_FIELD_MAX &&
- nullptr != session->hsession->new_field[fieldId])
+ if (asd && asd->hsession && fieldId >= 0 && fieldId <= HTTP_FIELD_MAX &&
+ nullptr != asd->hsession->new_field[fieldId])
{
- snort_free(session->hsession->new_field[fieldId]);
- session->hsession->new_field[fieldId] = nullptr;
+ snort_free(asd->hsession->new_field[fieldId]);
+ asd->hsession->new_field[fieldId] = nullptr;
}
}
-char* AppIdApi::get_http_content_type(AppIdSession* session)
+char* AppIdApi::get_http_content_type(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->content_type;
+ if (asd && asd->hsession)
+ return asd->hsession->content_type;
return nullptr;
}
-char* AppIdApi::get_http_location(AppIdSession* session)
+char* AppIdApi::get_http_location(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->location;
+ if (asd && asd->hsession)
+ return asd->hsession->location;
return nullptr;
}
-char* AppIdApi::get_http_body(AppIdSession* session)
+char* AppIdApi::get_http_body(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->body;
+ if (asd && asd->hsession)
+ return asd->hsession->body;
return nullptr;
}
-char* AppIdApi::get_http_request_body(AppIdSession* session)
+char* AppIdApi::get_http_request_body(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->req_body;
+ if (asd && asd->hsession)
+ return asd->hsession->req_body;
return nullptr;
}
-uint16_t AppIdApi::get_http_uri_offset(AppIdSession* session)
+uint16_t AppIdApi::get_http_uri_offset(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->uriOffset;
+ if (asd && asd->hsession)
+ return asd->hsession->uriOffset;
return 0;
}
-uint16_t AppIdApi::get_http_uri_end_offset(AppIdSession* session)
+uint16_t AppIdApi::get_http_uri_end_offset(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->uriEndOffset;
+ if (asd && asd->hsession)
+ return asd->hsession->uriEndOffset;
return 0;
}
-uint16_t AppIdApi::get_http_cookie_offset(AppIdSession* session)
+uint16_t AppIdApi::get_http_cookie_offset(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->cookieOffset;
+ if (asd && asd->hsession)
+ return asd->hsession->cookieOffset;
return 0;
}
-uint16_t AppIdApi::get_http_cookie_end_offset(AppIdSession* session)
+uint16_t AppIdApi::get_http_cookie_end_offset(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->cookieEndOffset;
+ if (asd && asd->hsession)
+ return asd->hsession->cookieEndOffset;
return 0;
}
-SEARCH_SUPPORT_TYPE AppIdApi::get_http_search(AppIdSession* session)
+SEARCH_SUPPORT_TYPE AppIdApi::get_http_search(AppIdSession* asd)
{
- if (session)
- return (session->search_support_type != SEARCH_SUPPORT_TYPE_UNKNOWN) ?
- session->search_support_type : NOT_A_SEARCH_ENGINE;
+ if (asd)
+ return (asd->search_support_type != UNKNOWN_SEARCH_ENGINE) ?
+ asd->search_support_type : NOT_A_SEARCH_ENGINE;
return NOT_A_SEARCH_ENGINE;
}
-// FIXIT used to be sfaddr_t
-sfip_t* AppIdApi::get_http_xff_addr(AppIdSession* session)
+sfip_t* AppIdApi::get_http_xff_addr(AppIdSession* asd)
{
- if (session && session->hsession)
- return session->hsession->xffAddr;
+ if (asd && asd->hsession)
+ return asd->hsession->xffAddr;
return nullptr;
}
-char* AppIdApi::get_tls_host(AppIdSession* session)
+char* AppIdApi::get_tls_host(AppIdSession* asd)
{
- if (session && session->tsession)
- return session->tsession->tls_host;
+ if (asd && asd->tsession)
+ return asd->tsession->tls_host;
return nullptr;
}
-// FIXIT used to be sfaddr_t
-sfip_t* AppIdApi::get_service_ip(AppIdSession* session)
+sfip_t* AppIdApi::get_service_ip(AppIdSession* asd)
{
- if (session)
- return &session->service_ip;
+ if (asd)
+ return &asd->service_ip;
return nullptr;
}
-// FIXIT used to be sfaddr_t
-sfip_t* AppIdApi::get_initiator_ip(AppIdSession* session)
+sfip_t* AppIdApi::get_initiator_ip(AppIdSession* asd)
{
- return session ? &session->common.initiator_ip : nullptr;
+ return asd ? &asd->common.initiator_ip : nullptr;
}
-DhcpFPData* AppIdApi::get_dhcp_fp_data(AppIdSession* session)
+DHCPData* AppIdApi::get_dhcp_fp_data(AppIdSession* asd)
{
- if (session && session->getAppIdFlag(APPID_SESSION_HAS_DHCP_FP))
- return static_cast<DhcpFPData*>(
- session->remove_flow_data(APPID_SESSION_DATA_DHCP_FP_DATA));
+ if (asd && asd->get_session_flags(APPID_SESSION_HAS_DHCP_FP))
+ return static_cast<DHCPData*>(
+ asd->remove_flow_data(APPID_SESSION_DATA_DHCP_FP_DATA));
return nullptr;
}
-void AppIdApi::free_dhcp_fp_data(AppIdSession* session, DhcpFPData* data)
+void AppIdApi::free_dhcp_fp_data(AppIdSession* asd, DHCPData* data)
{
- if (session)
+ if (asd)
{
- session->clearAppIdFlag(APPID_SESSION_HAS_DHCP_FP);
+ asd->clear_session_flags(APPID_SESSION_HAS_DHCP_FP);
AppIdFreeDhcpData(data);
}
}
-DHCPInfo* AppIdApi::get_dhcp_info(AppIdSession* session)
+DHCPInfo* AppIdApi::get_dhcp_info(AppIdSession* asd)
{
- if (session && session->getAppIdFlag(APPID_SESSION_HAS_DHCP_INFO))
+ if (asd && asd->get_session_flags(APPID_SESSION_HAS_DHCP_INFO))
return static_cast<DHCPInfo*>(
- session->remove_flow_data(APPID_SESSION_DATA_DHCP_INFO));
+ asd->remove_flow_data(APPID_SESSION_DATA_DHCP_INFO));
return nullptr;
}
-void AppIdApi::free_dhcp_info(AppIdSession* session, DHCPInfo* data)
+void AppIdApi::free_dhcp_info(AppIdSession* asd, DHCPInfo* data)
{
- if (session)
+ if (asd)
{
- session->clearAppIdFlag(APPID_SESSION_HAS_DHCP_INFO);
+ asd->clear_session_flags(APPID_SESSION_HAS_DHCP_INFO);
AppIdFreeDhcpInfo(data);
}
}
-FpSMBData* AppIdApi::get_smb_fp_data(AppIdSession* session)
+FpSMBData* AppIdApi::get_smb_fp_data(AppIdSession* asd)
{
- if (session && session->getAppIdFlag(APPID_SESSION_HAS_SMB_INFO))
+ if (asd && asd->get_session_flags(APPID_SESSION_HAS_SMB_INFO))
return static_cast<FpSMBData*>(
- session->remove_flow_data(APPID_SESSION_DATA_SMB_DATA));
+ asd->remove_flow_data(APPID_SESSION_DATA_SMB_DATA));
return nullptr;
}
-void AppIdApi::free_smb_fp_data(AppIdSession* session, FpSMBData* data)
+void AppIdApi::free_smb_fp_data(AppIdSession* asd, FpSMBData* data)
{
- if (session)
+ if (asd)
{
- session->clearAppIdFlag(APPID_SESSION_HAS_SMB_INFO);
+ asd->clear_session_flags(APPID_SESSION_HAS_SMB_INFO);
AppIdFreeSMBData(data);
}
}
-char* AppIdApi::get_netbios_name(AppIdSession* session)
+char* AppIdApi::get_netbios_name(AppIdSession* asd)
{
- if (session)
+ if (asd)
{
- char* netbiosName = session->netbios_name;
- session->netbios_name = nullptr; //transfer ownership to caller.
+ char* netbiosName = asd->netbios_name;
+ asd->netbios_name = nullptr; //transfer ownership to caller.
return netbiosName;
}
return nullptr;
#define APPID_HA_FLAGS_SVC_DONE (1<<2)
#define APPID_HA_FLAGS_HTTP (1<<3)
-uint32_t AppIdApi::produce_ha_state(void* lwssn, uint8_t* buf)
+uint32_t AppIdApi::produce_ha_state(Flow* flow, uint8_t* buf)
{
AppIdSessionHA* appHA = (AppIdSessionHA*)buf;
- AppIdSession* session = (AppIdSession*)(((Flow*)lwssn)->get_flow_data(AppIdSession::flow_id));
+ AppIdSession* asd = (AppIdSession*)(flow->get_flow_data(AppIdSession::flow_id));
- // FIXIT - getFlowType should be a class member
- if (session && get_flow_type(session) != APPID_FLOW_TYPE_NORMAL)
- session = nullptr;
- if (session)
+ if ( get_flow_type(asd) != APPID_FLOW_TYPE_NORMAL )
+ asd = nullptr;
+ if ( asd )
{
appHA->flags = APPID_HA_FLAGS_APP;
- if (TPIsAppIdAvailable(session->tpsession))
+ if (TPIsAppIdAvailable(asd->tpsession))
appHA->flags |= APPID_HA_FLAGS_TP_DONE;
- if (session->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
appHA->flags |= APPID_HA_FLAGS_SVC_DONE;
- if (session->getAppIdFlag(APPID_SESSION_HTTP_SESSION))
+ if (asd->get_session_flags(APPID_SESSION_HTTP_SESSION))
appHA->flags |= APPID_HA_FLAGS_HTTP;
- appHA->appId[0] = session->tp_app_id;
- appHA->appId[1] = session->serviceAppId;
- appHA->appId[2] = session->client_service_app_id;
- appHA->appId[3] = session->portServiceAppId;
- appHA->appId[4] = session->payload_app_id;
- appHA->appId[5] = session->tp_payload_app_id;
- appHA->appId[6] = session->client_app_id;
- appHA->appId[7] = session->misc_app_id;
+ appHA->appId[0] = asd->tp_app_id;
+ appHA->appId[1] = asd->serviceAppId;
+ appHA->appId[2] = asd->client_service_app_id;
+ appHA->appId[3] = asd->portServiceAppId;
+ appHA->appId[4] = asd->payload_app_id;
+ appHA->appId[5] = asd->tp_payload_app_id;
+ appHA->appId[6] = asd->client_app_id;
+ appHA->appId[7] = asd->misc_app_id;
}
else
{
return sizeof(*appHA);
}
-// FIXIT last arg used to be sfaddr_t
-uint32_t AppIdApi::consume_ha_state(void* lwssn, const uint8_t* buf, uint8_t, IpProtocol proto,
+uint32_t AppIdApi::consume_ha_state(Flow* flow, const uint8_t* buf, uint8_t, IpProtocol proto,
sfip_t* ip)
{
AppIdSessionHA* appHA = (AppIdSessionHA*)buf;
if (appHA->flags & APPID_HA_FLAGS_APP)
{
- AppIdSession* session = (AppIdSession*)(((Flow*)lwssn)->get_flow_data(
- AppIdSession::flow_id));
+ AppIdSession* asd =
+ (AppIdSession*)(flow->get_flow_data(AppIdSession::flow_id));
- if (!session)
+ if (!asd)
{
- session = new AppIdSession(proto, ip);
- ((Flow*)lwssn)->set_flow_data(session);
- if (session->serviceAppId == APP_ID_FTP_CONTROL)
+ asd = new AppIdSession(proto, ip);
+ flow->set_flow_data(asd);
+ if (asd->serviceAppId == APP_ID_FTP_CONTROL)
{
- session->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED |
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED |
APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_SERVICE_DETECTED);
- if (!AddFTPServiceState(session))
+ if (!AddFTPServiceState(asd))
{
- session->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
}
- session->rnaServiceState = RNA_STATE_STATEFUL;
+ asd->rnaServiceState = RNA_STATE_STATEFUL;
}
else
- session->rnaServiceState = RNA_STATE_FINISHED;
- session->rna_client_state = RNA_STATE_FINISHED;
+ asd->rnaServiceState = RNA_STATE_FINISHED;
+ asd->rna_client_state = RNA_STATE_FINISHED;
if (thirdparty_appid_module)
- thirdparty_appid_module->session_state_set(session->tpsession, TP_STATE_HA);
+ thirdparty_appid_module->session_state_set(asd->tpsession, TP_STATE_HA);
}
if ( ( appHA->flags & APPID_HA_FLAGS_TP_DONE ) && thirdparty_appid_module )
{
- thirdparty_appid_module->session_state_set(session->tpsession, TP_STATE_TERMINATED);
- session->setAppIdFlag(APPID_SESSION_NO_TPI);
+ thirdparty_appid_module->session_state_set(asd->tpsession, TP_STATE_TERMINATED);
+ asd->set_session_flags(APPID_SESSION_NO_TPI);
}
if (appHA->flags & APPID_HA_FLAGS_SVC_DONE)
- session->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
if (appHA->flags & APPID_HA_FLAGS_HTTP)
- session->setAppIdFlag(APPID_SESSION_HTTP_SESSION);
-
- session->tp_app_id = appHA->appId[0];
- session->serviceAppId = appHA->appId[1];
- session->client_service_app_id = appHA->appId[2];
- session->portServiceAppId = appHA->appId[3];
- session->payload_app_id = appHA->appId[4];
- session->tp_payload_app_id = appHA->appId[5];
- session->client_app_id = appHA->appId[6];
- session->misc_app_id = appHA->appId[7];
+ asd->set_session_flags(APPID_SESSION_HTTP_SESSION);
+
+ asd->tp_app_id = appHA->appId[0];
+ asd->serviceAppId = appHA->appId[1];
+ asd->client_service_app_id = appHA->appId[2];
+ asd->portServiceAppId = appHA->appId[3];
+ asd->payload_app_id = appHA->appId[4];
+ asd->tp_payload_app_id = appHA->appId[5];
+ asd->client_app_id = appHA->appId[6];
+ asd->misc_app_id = appHA->appId[7];
}
return sizeof(*appHA);
}
-char* AppIdApi::get_dns_query(AppIdSession* session, uint8_t* query_len)
+char* AppIdApi::get_dns_query(AppIdSession* asd, uint8_t* query_len)
{
- if (session && session->dsession)
+ if (asd && asd->dsession)
{
if (query_len)
{
- if (session->dsession->host)
- *query_len = session->dsession->host_len;
+ if (asd->dsession->host)
+ *query_len = asd->dsession->host_len;
else
*query_len = 0;
}
- return session->dsession->host;
+ return asd->dsession->host;
}
if (query_len)
*query_len = 0;
return nullptr;
}
-uint16_t AppIdApi::get_dns_query_offset(AppIdSession* session)
+uint16_t AppIdApi::get_dns_query_offset(AppIdSession* asd)
{
- if (session && session->dsession)
- return session->dsession->host_offset;
+ if (asd && asd->dsession)
+ return asd->dsession->host_offset;
return 0;
}
-uint16_t AppIdApi::get_dns_record_type(AppIdSession* session)
+uint16_t AppIdApi::get_dns_record_type(AppIdSession* asd)
{
- if (session && session->dsession)
- return session->dsession->record_type;
+ if (asd && asd->dsession)
+ return asd->dsession->record_type;
return 0;
}
-uint8_t AppIdApi::get_dns_response_type(AppIdSession* session)
+uint8_t AppIdApi::get_dns_response_type(AppIdSession* asd)
{
- if (session && session->dsession)
- return session->dsession->response_type;
+ if (asd && asd->dsession)
+ return asd->dsession->response_type;
return 0;
}
-uint32_t AppIdApi::get_dns_ttl(AppIdSession* session)
+uint32_t AppIdApi::get_dns_ttl(AppIdSession* asd)
{
- if (session && session->dsession)
- return session->dsession->ttl;
+ if (asd && asd->dsession)
+ return asd->dsession->ttl;
return 0;
}
#define DHCP_OP55_MAX_SIZE 64
#define DHCP_OP60_MAX_SIZE 64
-struct DhcpFPData
+struct DHCPData
{
- DhcpFPData *next;
+ DHCPData *next;
unsigned op55_len;
unsigned op60_len;
uint8_t op55[DHCP_OP55_MAX_SIZE];
uint8_t op60[DHCP_OP60_MAX_SIZE];
- // FIXIT-L J should be using eth address type here
- uint8_t mac[6];
+ uint8_t eth_addr[6];
} ;
-// FIXIT-L J inconsistently named structs (DHCPInfo vs DhcpFPData, note the "DHCP")
struct DHCPInfo
{
DHCPInfo *next;
uint32_t ipAddr;
- // FIXIT-L J should be using eth address type here
- // FIXIT-L J inconsistently named fields (macAddr here, mac in DhcpFPData)
- uint8_t macAddr[6];
+ uint8_t eth_addr[6];
uint32_t subnetmask;
uint32_t leaseSecs;
uint32_t router;
enum SEARCH_SUPPORT_TYPE
{
- // FIXIT-L J enums are inconsistently named
NOT_A_SEARCH_ENGINE,
SUPPORTED_SEARCH_ENGINE,
UNSUPPORTED_SEARCH_ENGINE,
- SEARCH_SUPPORT_TYPE_UNKNOWN,
+ UNKNOWN_SEARCH_ENGINE,
};
-// FIXIT-M J probable duplication from new http_inspect
enum HTTP_FIELD_ID
{
REQ_AGENT_FID = 0,
SEARCH_SUPPORT_TYPE get_http_search(AppIdSession*);
sfip_t* get_http_xff_addr(AppIdSession*);
char* get_tls_host(AppIdSession*);
- DhcpFPData* get_dhcp_fp_data(AppIdSession*);
- void free_dhcp_fp_data(AppIdSession*, DhcpFPData*);
+ DHCPData* get_dhcp_fp_data(AppIdSession*);
+ void free_dhcp_fp_data(AppIdSession*, DHCPData*);
DHCPInfo* get_dhcp_info(AppIdSession*);
void free_dhcp_info(AppIdSession*, DHCPInfo*);
FpSMBData* get_smb_fp_data(AppIdSession*);
void free_smb_fp_data(AppIdSession*, FpSMBData*);
char* get_netbios_name(AppIdSession*);
- uint32_t produce_ha_state(void* lwssn, uint8_t* buf);
- uint32_t consume_ha_state(void* lwssn, const uint8_t* buf, uint8_t length, IpProtocol proto, sfip_t* ip);
+ uint32_t produce_ha_state(Flow* flow, uint8_t* buf);
+ uint32_t consume_ha_state(Flow* flow, const uint8_t* buf, uint8_t length,
+ IpProtocol proto, sfip_t* ip);
AppIdSession* get_appid_data(Flow* flow);
char* get_dns_query(AppIdSession*, uint8_t* query_len);
uint16_t get_dns_query_offset(AppIdSession*);
#define ODP_PORT_DETECTORS "odp/port/*"
#define CUSTOM_PORT_DETECTORS "custom/port/*"
+#define MAX_DISPLAY_SIZE 65536
-// FIXIT - M this global needs to go asap... just here now to compile while doing some major config
-// refactoring
-AppIdConfig* pAppidActiveConfig = nullptr;
-
+static AppIdConfig* appid_config = nullptr;
unsigned appIdPolicyId;
uint32_t app_id_netmasks[33];
snort_free((void*)conf_file);
snort_free((void*)app_detector_dir);
snort_free((void*)thirdparty_appid_dir);
- pAppidActiveConfig = nullptr;
+ appid_config = nullptr;
+
+}
+
+AppIdConfig::AppIdConfig( AppIdModuleConfig* config )
+ : mod_config( config ), app_info_mgr(AppInfoManager::get_instance())
+{
+
+}
+
+AppIdConfig::~AppIdConfig()
+{
+ cleanup();
+}
+AppIdConfig* AppIdConfig::get_appid_config()
+{
+ return appid_config;
}
void AppIdConfig::add_generic_config_element(const char* name, void* pData)
pConfigItem = (AppidGenericConfigItem*)sflist_next(&next))
{
if (strcmp(pConfigItem->name, name) == 0)
- {
return pConfigItem->pData;
- }
}
return nullptr;
}
}
}
+
if (port && proto && appId > APP_ID_NONE)
{
while ((tmp_port = port))
udp_port_only[tmp_port->port] = appId;
snort_free(tmp_port);
- set_app_info_active(appId);
+ app_info_mgr.set_app_info_active(appId);
}
- set_app_info_active(appId);
+ app_info_mgr.set_app_info_active(appId);
}
else
ErrorMessage("Missing parameter(s) in port service '%s'\n",globs.gl_pathv[n]);
bool AppIdConfig::init_appid( )
{
+ appid_config = this;
map_app_names_to_snort_ids();
-
appIdPolicyId = 53;
- // FIXIT - active config must be per Inspector instance...not this global...
- pAppidActiveConfig = this;
InitNetmasks(app_id_netmasks);
- init_appid_info_table(mod_config->app_detector_dir);
- sflist_init(&pAppidActiveConfig->client_app_args);
+ app_info_mgr.init_appid_info_table(mod_config->app_detector_dir);
+ sflist_init(&appid_config->client_app_args);
load_analysis_config(mod_config->conf_file, 0, mod_config->instance_id);
read_port_detectors(ODP_PORT_DETECTORS);
read_port_detectors(CUSTOM_PORT_DETECTORS);
-
ThirdPartyAppIDInit(mod_config);
-
show();
if ( mod_config->dump_ports )
{
dumpPorts(stdout);
display_port_config();
- dump_app_info_table();
- exit(0);
+ app_info_mgr.dump_app_info_table();
+ exit(0); // FIXIT-L - implement better way to dump config and exit
}
return true;
thirdparty_appid_module->print_stats();
ThirdPartyAppIDFini();
- cleanup_appid_info_table();
+ app_info_mgr.cleanup_appid_info_table();
NetworkSet* net_list; ///< list of network sets
while ((net_list = net_list_list))
int first;
first = 1;
- for (i=0; i<sizeof(tcp_port_only)/sizeof(*tcp_port_only); i++)
+ for (i = 0; i < sizeof(tcp_port_only) / sizeof(AppId); i++)
{
if (tcp_port_only[i])
{
}
first = 1;
- for (i=0; i<sizeof(udp_port_only)/sizeof(*udp_port_only); i++)
+ for (i = 0; i<sizeof(udp_port_only) / sizeof(AppId); i++)
{
if (udp_port_only[i])
{
}
}
}
-
#ifndef APP_ID_CONFIG_H
#define APP_ID_CONFIG_H
-// AppId configuration data structures and access methods
-
+#include "appid.h"
#include "client_plugins/client_app_config.h"
#include "detector_plugins/detector_sip.h"
#include "service_plugins/service_config.h"
-#include "appid.h"
-#include "http_common.h"
-
-
#define APP_ID_MAX_DIRS 16
#define APP_ID_PORT_ARRAY_SIZE 65536
#define MAX_ZONES 1024
-
-// FIXIT - defined here but confirm where this is defined in 2.9.8
#define MAX_EVENT_APPNAME_LEN 64
struct NetworkSet;
-struct AppInfoTableEntry;
-struct DynamicArray;
-struct SFGHASH;
-struct SFXHASH;
+class AppInfoManager;
extern unsigned appIdPolicyId;
extern uint32_t app_id_netmasks[];
void* pData; ///< Module configuration data
};
+struct AppIdSessionLogFilter
+{
+ sfip_t sip;
+ bool sip_flag = false;
+ sfip_t dip;
+ bool dip_flag = false;
+ uint16_t sport = 0;
+ uint16_t dport = 0;
+ PktType protocol = PktType::NONE;
+ bool log_all_sessions = false;
+};
+
class AppIdModuleConfig
{
public:
- AppIdModuleConfig() {}
+ AppIdModuleConfig() { }
~AppIdModuleConfig();
const char* conf_file = nullptr;
uint32_t memcap = 0;
bool debug = false;
bool dump_ports = false;
+ AppIdSessionLogFilter session_log_filter;
- // FIXIT - configs below not set from appid preproc config...
+ // FIXIT-L configs below not set from appid preproc config, should they be?
uint32_t disable_safe_search = 0;
uint32_t dns_host_reporting = 0;
uint32_t referred_appId_disabled = 0;
class AppIdConfig
{
public:
- AppIdConfig( AppIdModuleConfig* config ) : mod_config( config ) { }
- ~AppIdConfig() { cleanup(); }
+ AppIdConfig( AppIdModuleConfig* config );
+ ~AppIdConfig();
bool init_appid();
void cleanup();
void show();
+ static AppIdConfig* get_appid_config();
void set_safe_search_enforcement(int enabled);
// add, find, remove generic config items...
void process_config_directive(char* toklist[], int /* reload */);
int load_analysis_config(const char* config_file, int reload, int instance_id);
void display_port_config();
-};
-// FIXIT - this global needs to go asap... just here now to compile while doing some major config refactoring
-extern AppIdConfig* pAppidActiveConfig;
+ AppInfoManager& app_info_mgr;
+};
#endif
if (thirdparty_appid_module)
thirdparty_appid_module->print_stats();
LogMessage(" Total packets ignored : %" PRIu64 "\n", appid_stats.ignored_packets);
- AppIdServiceStateDumpStats();
+ dump_service_state_stats();
}
AppIdInspector::AppIdInspector(const AppIdModuleConfig* pc)
show(nullptr);
return active_config->init_appid();
- // FIXIT some of this stuff may be needed in some fashion...
+ // FIXIT-M some of this stuff may be needed in some fashion...
#ifdef REMOVED_WHILE_NOT_IN_USE
_dpd.registerGeAppId(getOpenAppId);
if (!thirdparty_appid_module)
_dpd.streamAPI->register_http_header_callback(httpHeaderCallback);
_dpd.registerSslAppIdLookup(sslAppGroupIdLookup);
- // FIXIT AppID will need to register for SIP events for sip detection to work...
+ // FIXIT-M AppID will need to register for SIP events for sip detection to work...
if (_dpd.streamAPI->service_event_subscribe(PP_SIP, SIP_EVENT_TYPE_SIP_DIALOG,
SipSessionSnortCallback) == false)
DynamicPreprocessorFatalMessage("failed to subscribe to SIP_DIALOG\n");
{
init_appid_statistics(config);
hostPortAppCacheInit();
- init_dynamic_app_info_table();
init_appid_forecast();
init_http_detector();
init_service_plugins();
init_length_app_cache();
lua_detector_mgr = new LuaDetectorManager;
- lua_detector_mgr->LoadLuaModules(pAppidActiveConfig);
- lua_detector_mgr->luaModuleInitAllClients();
- lua_detector_mgr->luaModuleInitAllServices();
- lua_detector_mgr->FinalizeLuaModules();
+ lua_detector_mgr->load_lua_detectors(active_config);
+ lua_detector_mgr->activate_lua_detectors();
if(config->debug && list_lua_detectors)
{
lua_detector_mgr->list_lua_detectors();
void AppIdInspector::tterm()
{
+ cleanup_appid_statistics();
+
hostPortAppCacheFini();
clean_appid_forecast();
service_dns_host_clean();
clean_http_detector();
free_CHP_glossary();
free_length_app_cache();
- free_dynamic_app_info_table();
AppIdSession::release_free_list_flow_data();
delete lua_detector_mgr;
clean_service_state();
- cleanup_appid_statistics();
}
void AppIdInspector::eval(Packet* pkt)
#endif
#ifdef REMOVED_WHILE_NOT_IN_USE
-// FIXIT-M: This is to be replace with snort3 inspection events
+// FIXIT-M This is to be replace with snort3 inspection events
void httpHeaderCallback(Packet* p, HttpParsedHeaders* const headers)
{
- AppIdSession* session;
+ AppIdSession* asd;
int direction;
- AppIdConfig* pConfig = pAppidActiveConfig;
+ AppIdConfig* pConfig = AppIdConfig::get_appid_config();
if (thirdparty_appid_module)
return;
- if (!p || !(session = appid_api.get_appid_data(p->flow)))
+ if (!p || !(asd = appid_api.get_appid_data(p->flow)))
return;
direction = p->is_from_client() ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
- if (!session->hsession)
- session->hsession = (decltype(session->hsession))snort_calloc(sizeof(httpSession));
+ if (!asd->hsession)
+ asd->hsession = (decltype(asd->hsession))snort_calloc(sizeof(httpSession));
if (direction == APP_ID_FROM_INITIATOR)
{
if (headers->host.start)
{
- snort_free(session->hsession->host);
- session->hsession->host = snort_strndup((char*)headers->host.start, headers->host.len);
- session->scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
+ snort_free(asd->hsession->host);
+ asd->hsession->host = snort_strndup((char*)headers->host.start, headers->host.len);
+ asd->scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
if (headers->url.start)
{
- snort_free(session->hsession->url);
- session->hsession->url = (char*)snort_calloc(sizeof(HTTP_PREFIX) +
+ snort_free(asd->hsession->url);
+ asd->hsession->url = (char*)snort_calloc(sizeof(HTTP_PREFIX) +
headers->host.len + headers->url.len);
- strcpy(session->hsession->url, HTTP_PREFIX);
- strncat(session->hsession->url, (char*)headers->host.start, headers->host.len);
- strncat(session->hsession->url, (char*)headers->url.start, headers->url.len);
- session->scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
+ strcpy(asd->hsession->url, HTTP_PREFIX);
+ strncat(asd->hsession->url, (char*)headers->host.start, headers->host.len);
+ strncat(asd->hsession->url, (char*)headers->url.start, headers->url.len);
+ asd->scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
}
}
if (headers->userAgent.start)
{
- snort_free(session->hsession->useragent);
- session->hsession->useragent = snort_strndup((char*)headers->userAgent.start,
+ snort_free(asd->hsession->useragent);
+ asd->hsession->useragent = snort_strndup((char*)headers->userAgent.start,
headers->userAgent.len);
- session->scan_flags |= SCAN_HTTP_USER_AGENT_FLAG;
+ asd->scan_flags |= SCAN_HTTP_USER_AGENT_FLAG;
}
if (headers->referer.start)
{
- snort_free(session->hsession->referer);
- session->hsession->referer = snort_strndup((char*)headers->referer.start,
+ snort_free(asd->hsession->referer);
+ asd->hsession->referer = snort_strndup((char*)headers->referer.start,
headers->referer.len);
}
if (headers->via.start)
{
- snort_free(session->hsession->via);
- session->hsession->via = snort_strndup((char*)headers->via.start, headers->via.len);
- session->scan_flags |= SCAN_HTTP_VIA_FLAG;
+ snort_free(asd->hsession->via);
+ asd->hsession->via = snort_strndup((char*)headers->via.start, headers->via.len);
+ asd->scan_flags |= SCAN_HTTP_VIA_FLAG;
}
}
else
{
if (headers->via.start)
{
- snort_free(session->hsession->via);
- session->hsession->via = snort_strndup((char*)headers->via.start, headers->via.len);
- session->scan_flags |= SCAN_HTTP_VIA_FLAG;
+ snort_free(asd->hsession->via);
+ asd->hsession->via = snort_strndup((char*)headers->via.start, headers->via.len);
+ asd->scan_flags |= SCAN_HTTP_VIA_FLAG;
}
if (headers->contentType.start)
{
- snort_free(session->hsession->content_type);
- session->hsession->content_type = snort_strndup((char*)headers->contentType.start,
+ snort_free(asd->hsession->content_type);
+ asd->hsession->content_type = snort_strndup((char*)headers->contentType.start,
headers->contentType.len);
}
if (headers->responseCode.start)
responseCodeNum = strtoul((char*)headers->responseCode.start, nullptr, 10);
if (responseCodeNum > 0 && responseCodeNum < 700)
{
- snort_free(session->hsession->response_code);
- session->hsession->response_code = snort_strndup((char*)headers->responseCode.start,
+ snort_free(asd->hsession->response_code);
+ asd->hsession->response_code = snort_strndup((char*)headers->responseCode.start,
headers->responseCode.len);
}
}
}
- session->processHTTPPacket(p, direction, headers, pConfig);
- session->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION);
- p->flow->set_application_ids(session->pick_service_app_id(), session->pick_client_app_id(),
- session->pick_payload_app_id(), session->pick_misc_app_id());
+ asd->processHTTPPacket(p, direction, headers, pConfig);
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION);
+ p->flow->set_application_ids(asd->pick_service_app_id(), asd->pick_client_app_id(),
+ asd->pick_payload_app_id(), asd->pick_misc_app_id());
}
#endif
// AppId* serviceAppId, AppId* ClientAppId, AppId* payloadAppId)
int sslAppGroupIdLookup(void*, const char*, const char*, AppId*, AppId*, AppId*)
{
- // FIXIT-M: detemine need and proper location for this code when support for ssl is implemented
+ // FIXIT-M detemine need and proper location for this code when support for ssl is implemented
#ifdef REMOVED_WHILE_NOT_IN_USE
- AppIdSession* session;
+ AppIdSession* asd;
*serviceAppId = *ClientAppId = *payload_app_id = APP_ID_NONE;
if (commonName)
{
ssl_scan_cname((const uint8_t*)commonName, strlen(commonName), ClientAppId, payload_app_id,
- &pAppidActiveConfig->serviceSslConfig);
+ &AppIdConfig::get_appid_config()->serviceSslConfig);
}
if (serverName)
{
ssl_scan_hostname((const uint8_t*)serverName, strlen(serverName), ClientAppId,
- payload_app_id, &pAppidActiveConfig->serviceSslConfig);
+ payload_app_id, &AppIdConfig::get_appid_config()->serviceSslConfig);
}
- if (ssnptr && (session = appid_api.get_appid_data(ssnptr)))
+ if (ssnptr && (asd = appid_api.get_appid_data(ssnptr)))
{
- *serviceAppId = pick_service_app_id(session);
+ *serviceAppId = pick_service_app_id(asd);
if (*ClientAppId == APP_ID_NONE)
{
- *ClientAppId = pick_client_app_id(session);
+ *ClientAppId = pick_client_app_id(asd);
}
if (*payload_app_id == APP_ID_NONE)
{
- *payload_app_id = pick_payload_app_id(session);
+ *payload_app_id = pick_payload_app_id(asd);
}
}
if (*serviceAppId != APP_ID_NONE ||
AppId getOpenAppId(Flow* flow)
{
assert(flow);
- AppIdSession* session = appid_api.get_appid_data(flow);
- return session->payload_app_id;
+ AppIdSession* asd = appid_api.get_appid_data(flow);
+ return asd->payload_app_id;
}
return active_config;
}
-private:
+private:
const AppIdModuleConfig* config = nullptr;
AppIdConfig* active_config = nullptr;
bool list_lua_detectors = true;
#include <string>
+#include "sfip/sf_ip.h"
#include "appid_module.h"
#include "profiler/profiler.h"
#include "utils/util.h"
THREAD_LOCAL ProfileStats appidPerfStats;
-// FIXIT-M: define and implement a flexible solution for maintaining protocol specific stats
+// FIXIT-M define and implement a flexible solution for maintaining protocol specific stats
const PegInfo appid_pegs[] =
{
{ "packets", "count of packets received by appid inspector" },
{ nullptr, nullptr }
};
+static const Parameter session_log_filter[] =
+{
+ {"src_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
+ "source ip address in CIDR format" },
+ { "dst_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
+ "destination ip address in CIDR format" },
+ { "src_port", Parameter::PT_PORT, "1:", nullptr, "source port" },
+ { "dst_port", Parameter::PT_PORT, "1:", nullptr, "destination port" },
+ { "protocol", Parameter::PT_STRING, nullptr, nullptr,"ip protocol"},
+ { "log_all_sessions", Parameter::PT_BOOL, nullptr, "false",
+ "enable logging for all appid sessions" },
+ { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
static const Parameter s_params[] =
{
{ "conf", Parameter::PT_STRING, nullptr, nullptr,
"enable dump of AppId port information" },
{ "thirdparty_appid_dir", Parameter::PT_STRING, nullptr, nullptr,
"directory to load thirdparty AppId detectors from" },
-
+ { "session_log_filter", Parameter::PT_TABLE, session_log_filter, nullptr,
+ "session log filter options" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
-// FIXIT-M: Add appid_rules back in once we start using it.
+// FIXIT-M Add appid_rules back in once we start using it.
#ifdef REMOVED_WHILE_NOT_IN_USE
static const RuleMap appid_rules[] =
{
config->debug = v.get_bool();
else if ( v.is("dump_ports") )
config->dump_ports = v.get_bool();
+ else if ( v.is("session_log_filter") )
+ config->session_log_filter.log_all_sessions = false; // FIXIT-L need to implement support for all log options
+ else if ( v.is("log_all_sessions") )
+ config->session_log_filter.log_all_sessions = v.get_bool();
+ else if (v.is("src_ip") )
+ sfip_pton(v.get_string(), &config->session_log_filter.sip);
+ else if (v.is("dst_ip") )
+ sfip_pton(v.get_string(), &config->session_log_filter.dip);
else
return false;
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// appid_flow_data.cc author Sourcefire Inc.
+// appid_session.cc author Sourcefire Inc.
+#include "appid_session.h"
#include "log/messages.h"
#include "protocols/tcp.h"
#include "time/packet_time.h"
#include "utils/util.h"
+#include "app_info_table.h"
+#include "appid_module.h"
+#include "fw_appid.h"
+#include "appid_stats.h"
+#include "app_forecast.h"
+#include "host_port_app_cache.h"
+#include "lua_detector_module.h"
#include "appid_utils/ip_funcs.h"
#include "client_plugins/client_app_base.h"
#include "detector_plugins/detector_http.h"
#include "service_plugins/service_ssl.h"
#include "service_plugins/service_util.h"
-#include "appid_session.h"
-#include "appid_module.h"
-#include "fw_appid.h"
-#include "appid_stats.h"
-#include "app_forecast.h"
-#include "host_port_app_cache.h"
-#include "lua_detector_module.h"
ProfileStats tpPerfStats;
ProfileStats tpLibPerfStats;
ProfileStats serviceMatchPerfStats;
unsigned AppIdSession::flow_id = 0;
-static THREAD_LOCAL AppIdFlowData* fd_free_list;
-
-static volatile int app_id_debug_flag;
-static FWDebugSessionConstraints app_id_debug_info;
-char app_id_debug_session[FW_DEBUG_SESSION_ID_SIZE];
-bool app_id_debug_session_flag;
-
-// FIXIT - should appid_flow_data_id be global to all threads?
-static THREAD_LOCAL uint32_t appid_flow_data_id = 0;
+THREAD_LOCAL AppIdFlowData* AppIdSession::fd_free_list = nullptr;
+THREAD_LOCAL uint32_t AppIdSession::appid_flow_data_id = 0;
+// FIXIT-L - determine reason for this mapping and whether we still need it snort3 or can harmonize the IDs used
static int16_t snortId_for_ftp;
static int16_t snortId_for_ftp_data;
static int16_t snortId_for_imap;
snortId_for_http2 = FindProtocolReference("http2");
}
-static inline bool fwAppIdDebugCheck(Flow* flow, AppIdSession* session, volatile int debug_flag,
- FWDebugSessionConstraints* info, char* debug_session, int direction)
+void AppIdSession::set_session_logging_state(const Packet* pkt, int direction)
{
- if (debug_flag)
+ if(config->mod_config->session_log_filter.log_all_sessions)
{
- assert(flow);
- const FlowKey* key = flow->key;
-
- if (((info->protocol == PktType::NONE) || info->protocol == key->pkt_type) &&
- (((!info->sport || info->sport == key->port_l) &&
- (!info->sip_flag || memcmp(&info->sip, key->ip_l, sizeof(info->sip)) == 0) &&
- (!info->dport || info->dport == key->port_h) &&
- (!info->dip_flag || memcmp(&info->dip, key->ip_h, sizeof(info->dip)) == 0)) ||
- ((!info->sport || info->sport == key->port_h) &&
- (!info->sip_flag || memcmp(&info->sip, key->ip_h, sizeof(info->sip)) == 0) &&
- (!info->dport || info->dport == key->port_l) &&
- (!info->dip_flag || memcmp(&info->dip, key->ip_l, sizeof(info->dip)) == 0))))
- {
- int af;
- sfip_t sip;
- sfip_t dip;
- unsigned offset;
- uint16_t sport;
- uint16_t dport;
- char sipstr[INET6_ADDRSTRLEN];
- char dipstr[INET6_ADDRSTRLEN];
-
- if (session && session->common.fsf_type.flow_type != APPID_SESSION_TYPE_IGNORE)
- {
- if (session->common.initiator_port)
- {
- if (session->common.initiator_port == key->port_l)
- {
- sfip_set_raw(&sip, key->ip_l, AF_INET);
- sfip_set_raw(&dip, key->ip_l, AF_INET);
- sport = key->port_l;
- dport = key->port_h;
- }
- else
- {
- sfip_set_raw(&sip, key->ip_l, AF_INET);
- sfip_set_raw(&dip, key->ip_l, AF_INET);
- sport = key->port_h;
- dport = key->port_l;
- }
- }
- else
- {
- // FIXIT-L: the key_ip var was added to be able to call sfip_fast_eq6, need to
- // verify this works... not tested as yet...
- sfip_t key_ip;
- memcpy(key_ip.ip32, key->ip_l, sizeof(key_ip.ip32));
- if (sfip_fast_eq6(&session->common.initiator_ip, &key_ip) == 0)
- {
- sfip_set_raw(&sip, key->ip_l, AF_INET);
- sfip_set_raw(&dip, key->ip_h, AF_INET);
- sport = key->port_l;
- dport = key->port_h;
- }
- else
- {
- sfip_set_raw(&sip, key->ip_l, AF_INET);
- sfip_set_raw(&dip, key->ip_h, AF_INET);
- sport = key->port_h;
- dport = key->port_l;
- }
- }
- }
- else
- {
- sfip_set_raw(&sip, key->ip_l, AF_INET);
- sfip_set_raw(&dip, key->ip_h, AF_INET);
- sport = key->port_l;
- dport = key->port_h;
- }
- sipstr[0] = 0;
- if ( sip.ip32[0] || sip.ip32[1] || sip.ip16[4] ||
- (sip.ip16[5] && sip.ip16[5] != 0xffff) )
- {
- af = AF_INET6;
- offset = 0;
- }
- else
- {
- af = AF_INET;
- offset = 12;
- }
-
- inet_ntop(af, &sip.ip8[offset], sipstr, sizeof(sipstr));
- dipstr[0] = 0;
- if ( dip.ip32[0] || dip.ip32[1] || dip.ip16[4] ||
- (dip.ip16[5] && dip.ip16[5] != 0xFFFF) )
- {
- af = AF_INET6;
- offset = 0;
- }
- else
- {
- af = AF_INET;
- offset = 12;
- }
-
- inet_ntop(af, &dip.ip8[offset], dipstr, sizeof(dipstr));
-#ifdef HAVE_DAQ_ADDRESS_SPACE_ID
- snprintf(debug_session, FW_DEBUG_SESSION_ID_SIZE, "%s-%u -> %s-%u %u%s AS %u I %u",
- sipstr, (unsigned)sport, dipstr, (unsigned)dport, (unsigned)key->pkt_type,
- (direction == APP_ID_FROM_INITIATOR) ? "" : " R",
- (unsigned)key->addressSpaceId, get_instance_id());
-#else
- snprintf(debug_session, FW_DEBUG_SESSION_ID_SIZE, "%s-%u -> %s-%u %u%s I %u",
- sipstr, (unsigned)sport, dipstr, (unsigned)dport, (unsigned)key->pkt_type,
- (direction == APP_ID_FROM_INITIATOR) ? "" : " R", get_instance_id());
-#endif
- return true;
- }
+ session_logging_enabled = true;
}
- return false;
-}
-
-#ifdef APPID_UNUSED_CODE
-static inline void appIdDebugParse(const char* desc, const uint8_t* data, uint32_t length,
- volatile int* debug_flag, FWDebugSessionConstraints* info)
-{
- *debug_flag = 0;
- memset(info, 0, sizeof(*info));
- do
+ else
{
- if (length >= sizeof(info->protocol))
- {
- info->protocol = static_cast<PktType>(*data);
- length -= sizeof(info->protocol);
- data += sizeof(info->protocol);
- }
- else
- break;
-
- if (length >= sizeof(info->sip))
- {
- memcpy(&info->sip, data, sizeof(info->sip));
- if (info->sip.u6_addr32[1] || info->sip.u6_addr32[2] || info->sip.u6_addr32[3])
- info->sip_flag = 1;
- else if (info->sip.u6_addr32[0])
- {
- info->sip.u6_addr32[3] = info->sip.u6_addr32[0];
- info->sip.u6_addr32[0] = 0;
- info->sip.u6_addr16[5] = 0xFFFF;
- info->sip_flag = 1;
- }
- length -= sizeof(info->sip);
- data += sizeof(info->sip);
- }
- else
- break;
+ if( !sfip_equals( pkt->ptrs.ip_api.get_src(), &config->mod_config->session_log_filter.sip) )
+ return;
- if (length >= sizeof(info->sport))
- {
- memcpy(&info->sport, data, sizeof(info->sport));
- length -= sizeof(info->sport);
- data += sizeof(info->sport);
- }
- else
- break;
+ if( !sfip_equals( pkt->ptrs.ip_api.get_dst(), &config->mod_config->session_log_filter.dip) )
+ return;
- if (length >= sizeof(info->dip))
- {
- memcpy(&info->dip, data, sizeof(info->dip));
- if (info->dip.u6_addr32[1] || info->dip.u6_addr32[2] || info->dip.u6_addr32[3])
- info->dip_flag = 1;
- else if (info->dip.u6_addr32[0])
- {
- info->dip.u6_addr32[3] = info->dip.u6_addr32[0];
- info->dip.u6_addr32[0] = 0;
- info->dip.u6_addr16[5] = 0xFFFF;
- info->dip_flag = 1;
- }
- length -= sizeof(info->dip);
- data += sizeof(info->dip);
- }
- else
- break;
+ if( !( pkt->ptrs.dp == config->mod_config->session_log_filter.dport ) )
+ return;
- if (length >= sizeof(info->dport))
- memcpy(&info->dport, data, sizeof(info->dport));
- else
- break;
- }
- while (0);
+ if( !( pkt->ptrs.dp == config->mod_config->session_log_filter.dport ) )
+ return;
- if (info->protocol != PktType::NONE || info->sip_flag || info->sport || info->dip_flag ||
- info->dport)
- {
- int saf;
- int daf;
- char sipstr[INET6_ADDRSTRLEN];
- char dipstr[INET6_ADDRSTRLEN];
+ if( !( pkt->ptrs.type == config->mod_config->session_log_filter.protocol ) )
+ return;
- if (!info->sip.u6_addr32[0] && !info->sip.u6_addr32[0] && !info->sip.u6_addr16[4] &&
- info->sip.u6_addr16[5] == 0xFFFF)
- {
- saf = AF_INET;
- }
- else
- saf = AF_INET6;
- if (!info->dip.u6_addr32[0] && !info->dip.u6_addr32[0] && !info->dip.u6_addr16[4] &&
- info->dip.u6_addr16[5] == 0xFFFF)
- {
- daf = AF_INET;
- }
- else
- daf = AF_INET6;
- if (!info->sip_flag)
- saf = daf;
- if (!info->dip_flag)
- daf = saf;
- sipstr[0] = 0;
- inet_ntop(saf, saf == AF_INET ? &info->sip.u6_addr32[3] : info->sip.u6_addr32, sipstr,
- sizeof(sipstr));
- dipstr[0] = 0;
- inet_ntop(daf, daf == AF_INET ? &info->dip.u6_addr32[3] : info->dip.u6_addr32, dipstr,
- sizeof(dipstr));
- LogMessage("Debugging %s with %s-%u and %s-%u %u\n", desc,
- sipstr, (unsigned)info->sport,
- dipstr, (unsigned)info->dport,
- (unsigned)info->protocol);
- *debug_flag = 1;
+ session_logging_enabled = true;
}
- else
- LogMessage("Debugging %s disabled\n", desc);
-}
-int AppIdDebug(uint16_t, const uint8_t* const data, uint32_t length, void**, char*, int)
-{
- appIdDebugParse("appId", data, length, &app_id_debug_flag, &app_id_debug_info);
- return 0;
+ if(session_logging_enabled)
+ snprintf(session_logging_id, MAX_SESSION_LOGGING_ID_LEN, "%s-%u -> %s-%u %u%s AS %u I %u",
+ sfip_to_str(pkt->ptrs.ip_api.get_src()), (unsigned)pkt->ptrs.sp,
+ sfip_to_str(pkt->ptrs.ip_api.get_dst()), (unsigned)pkt->ptrs.dp,
+ (unsigned)pkt->ptrs.type, (direction == APP_ID_FROM_INITIATOR) ? "" : " R",
+ (unsigned)pkt->pkth->address_space_id, get_instance_id());
+
+ return;
}
-#endif
-// FIXIT-M: this function does work that probably should be in http inspector, appid should leverage that if possible
+// FIXIT-M this function does work that probably should be in http inspector, appid should leverage that if possible
static inline void getOffsetsFromRebuilt(Packet* pkt, httpSession* hsession)
{
// size of "GET /\r\n\r\n"
-#define MIN_HTTP_REQ_HEADER_SIZE 9
+ constexpr auto MIN_HTTP_REQ_HEADER_SIZE = sizeof("GET /\r\n\r\n");
const uint8_t cookieStr[] = "Cookie: ";
unsigned cookieStrLen = sizeof(cookieStr)-1;
const uint8_t crlf[] = "\r\n";
hsession->cookieEndOffset = p - pkt->data;
}
-void AppIdSession::clear_app_id_data()
-{
- payload_app_id = APP_ID_UNKNOWN;
- serviceAppId = APP_ID_UNKNOWN;
- tp_payload_app_id = APP_ID_UNKNOWN;
- tp_app_id = APP_ID_UNKNOWN;
- if (payload_version)
- {
- snort_free(payload_version);
- payload_version = nullptr;
- }
- if (serviceVendor)
- {
- snort_free(serviceVendor);
- serviceVendor = nullptr;
- }
- if (serviceVersion)
- {
- snort_free(serviceVersion);
- serviceVersion = nullptr;
- }
-
- if (tsession)
- free_tls_session_data();
-
- if (hsession)
- free_http_session_data();
-
- if (dsession)
- free_dns_session_data();
-
- if (thirdparty_appid_module)
- thirdparty_appid_module->session_delete(tpsession, 1);
-}
AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, int direction)
{
(direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp;
data->flow = p->flow;
data->stats.firstPktsecond = p->pkth->ts.tv_sec;
+ data->set_session_logging_state(p, direction);
p->flow->set_flow_data(data);
return data;
}
-AppIdSession::AppIdSession(IpProtocol proto, const sfip_t* ip) : FlowData(flow_id)
+AppIdSession::AppIdSession(IpProtocol proto, const sfip_t* ip)
+ : FlowData(flow_id), protocol(proto)
{
service_ip.clear();
- id = ++appid_flow_data_id;
- common.fsf_type.flow_type = APPID_SESSION_TYPE_NORMAL;
- protocol = proto;
+ session_id = ++appid_flow_data_id;
+ common.flow_type = APPID_FLOW_TYPE_NORMAL;
common.initiator_ip = *ip;
-
+ config = AppIdConfig::get_appid_config();
+ app_info_mgr = &AppInfoManager::get_instance();
if (thirdparty_appid_module)
if (!(tpsession = thirdparty_appid_module->session_create()))
ErrorMessage("Could not allocate third party session data");
{
char src_ip[INET6_ADDRSTRLEN];
char dst_ip[INET6_ADDRSTRLEN];
- // FIXIT - not needed until ctrlPkt expectedSession is supported
+ // FIXIT-M not needed until crtlPkt expectedSession is supported
//struct _ExpectNode** node;
enum PktType type = get_pkt_type_from_ip_proto(proto);
assert(type != PktType::NONE);
- if (app_id_debug_session_flag)
- {
- sfip_ntop(cliIp, src_ip, sizeof(src_ip));
- sfip_ntop(srvIp, dst_ip, sizeof(dst_ip));
- }
-
- AppIdSession* session = new AppIdSession(proto, cliIp);
- session->common.policyId = appIdPolicyId;
+ AppIdSession* asd = new AppIdSession(proto, cliIp);
+ asd->common.policyId = appIdPolicyId;
- // FIXIT - expect session control packet support not ported to snort3 yet
+ // FIXIT-M expect session control packet support not ported to snort3 yet
//node = (flags & APPID_EARLY_SESSION_FLAG_FW_RULE) ? &ctrlPkt->expectedSession : nullptr;
- // FIXIT - 2.9.x set_application_protocol_id_expected has several new parameters, need to look
+ // FIXIT-M 2.9.x set_application_protocol_id_expected has several new parameters, need to look
// into what is required to support those here.
if ( Stream::set_application_protocol_id_expected(ctrlPkt, type, proto, cliIp, cliPort, srvIp, srvPort,
- app_id, session) )
+ app_id, asd) )
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s failed to create a related flow for %s-%u -> %s-%u %u\n",
- app_id_debug_session, src_ip, (unsigned)cliPort, dst_ip,
+ sfip_ntop(cliIp, src_ip, sizeof(src_ip));
+ sfip_ntop(srvIp, dst_ip, sizeof(dst_ip));
+ WarningMessage("AppIdDbg %s failed to create a related flow for %s-%u -> %s-%u %u\n",
+ asd->session_logging_id, src_ip, (unsigned)cliPort, dst_ip,
(unsigned)srvPort, (unsigned)proto);
- delete session;
- return nullptr;
+ delete asd;
+ asd = nullptr;
}
- else if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s created a related flow for %s-%u -> %s-%u %u\n",
- app_id_debug_session, src_ip, (unsigned)cliPort, dst_ip,
- (unsigned)srvPort, (unsigned)proto);
+ else
+ {
+ if (asd->session_logging_enabled)
+ {
+ sfip_ntop(cliIp, src_ip, sizeof(src_ip));
+ sfip_ntop(srvIp, dst_ip, sizeof(dst_ip));
+ LogMessage("AppIdDbg %s related flow %s for %s-%u -> %s-%u %u\n",
+ asd->session_logging_id, asd ? "created" : "creation failed",
+ src_ip, (unsigned)cliPort, dst_ip, (unsigned)srvPort, (unsigned)proto);
+ }
- session->in_expected_cache = true;
+ asd->in_expected_cache = true;
+ }
- return session;
+ return asd;
}
void AppIdSession::reinit_shared_data()
if (isSslServiceAppId(tp_app_id))
{
payload_app_id = referred_payload_app_id = tp_payload_app_id = APP_ID_NONE;
- clearAppIdFlag(APPID_SESSION_CONTINUE);
+ clear_session_flags(APPID_SESSION_CONTINUE);
if (payload_version)
{
snort_free(payload_version);
}
//service
- if (!getAppIdFlag(APPID_SESSION_STICKY_SERVICE))
+ if (!get_session_flags(APPID_SESSION_STICKY_SERVICE))
{
- clearAppIdFlag(APPID_SESSION_STICKY_SERVICE);
+ clear_session_flags(APPID_SESSION_STICKY_SERVICE);
tp_app_id = serviceAppId = portServiceAppId = APP_ID_NONE;
if (serviceVendor)
resp_tpPackets = 0;
scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG;
- clearAppIdFlag(APPID_SESSION_SERVICE_DETECTED |APPID_SESSION_CLIENT_DETECTED |
+ clear_session_flags(APPID_SESSION_SERVICE_DETECTED |APPID_SESSION_CLIENT_DETECTED |
APPID_SESSION_SSL_SESSION|APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT);
}
if (rna_client_data != nullptr)
{
ret = rna_client_data->validate(p->data, p->dsize, direction, this, p,
- rna_client_data->userData);
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s %s client detector returned %d\n", app_id_debug_session,
+ rna_client_data->userData);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s %s client detector returned %d\n", session_logging_id,
rna_client_data->name ? rna_client_data->name : "UNKNOWN", ret);
}
else if ( (candidate_client_list != nullptr)
client = (RNAClientAppModule*)node->ndata;
result = client->validate(p->data, p->dsize, direction, this, p, client->userData);
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s %s client detector returned %d\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s %s client detector returned %d\n", session_logging_id,
client->name ? client->name : "UNKNOWN", result);
node_tmp = node;
appid_stats.ignored_packets++;
return true;
}
- AppIdSession* session = appid_api.get_appid_data(p->flow);
+ AppIdSession* asd = appid_api.get_appid_data(p->flow);
// FIXIT-M - Need to convert this _dpd stream api call to the correct snort++ method
#ifdef REMOVED_WHILE_NOT_IN_USE
#endif
if (is_http2)
{
- if (session)
- session->is_http2 = true;
+ if (asd)
+ asd->is_http2 = true;
if ( !p->is_rebuilt() )
{
// For HTTP/2, we only want to look at the ones that are rebuilt from
{
if ( p->is_rebuilt() && !p->flow->is_proxied() )
{
- if (session && session->hsession && session->hsession->get_offsets_from_rebuilt)
+ if (asd && asd->hsession && asd->hsession->get_offsets_from_rebuilt)
{
- getOffsetsFromRebuilt(p, session->hsession);
- if (app_id_debug_session_flag)
+ getOffsetsFromRebuilt(p, asd->hsession);
+ if (asd->session_logging_enabled)
LogMessage(
"AppIdDbg %s offsets from rebuilt packet: uri: %u-%u cookie: %u-%u\n",
- app_id_debug_session, session->hsession->uriOffset,
- session->hsession->uriEndOffset, session->hsession->cookieOffset,
- session->hsession->cookieEndOffset);
+ asd->session_logging_id, asd->hsession->uriOffset,
+ asd->hsession->uriEndOffset, asd->hsession->cookieOffset,
+ asd->hsession->cookieEndOffset);
}
appid_stats.ignored_packets++;
return true;
if (ThirdPartyAppIDFoundProto(APP_ID_HTTP, proto_list))
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s flow is HTTP\n", app_id_debug_session);
- setAppIdFlag(APPID_SESSION_HTTP_SESSION);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s flow is HTTP\n", session_logging_id);
+ set_session_flags(APPID_SESSION_HTTP_SESSION);
}
if (ThirdPartyAppIDFoundProto(APP_ID_SPDY, proto_list))
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s flow is SPDY\n", app_id_debug_session);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s flow is SPDY\n", session_logging_id);
- setAppIdFlag(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION);
+ set_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION);
}
- if (getAppIdFlag(APPID_SESSION_HTTP_SESSION))
+ if (get_session_flags(APPID_SESSION_HTTP_SESSION))
{
if (!hsession)
{
memset(ptype_scan_counts, 0, 7 * sizeof(ptype_scan_counts[0]));
}
- if (getAppIdFlag(APPID_SESSION_SPDY_SESSION))
+ if (get_session_flags(APPID_SESSION_SPDY_SESSION))
{
if (attribute_data->spdyRequesHost)
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s SPDY host is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s SPDY host is %s\n", session_logging_id,
attribute_data->spdyRequesHost);
if (hsession->host)
{
}
if (attribute_data->spdyRequestPath)
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s SPDY URI is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s SPDY URI is %s\n", session_logging_id,
attribute_data->spdyRequestPath);
if (hsession->uri)
{
snort_free(hsession->url);
hsession->chp_finished = 0;
}
- if (getAppIdFlag(APPID_SESSION_DECRYPTED)
+ if (get_session_flags(APPID_SESSION_DECRYPTED)
&& memcmp(attribute_data->spdyRequestScheme, httpScheme, sizeof(httpScheme)-
1) == 0)
{
{
if (attribute_data->httpRequesHost)
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s HTTP host is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s HTTP host is %s\n", session_logging_id,
attribute_data->httpRequesHost);
if (hsession->host)
{
snort_free(hsession->host);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->host = attribute_data->httpRequesHost;
if (hsession->url)
{
snort_free(hsession->url);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
//change http to https if session was decrypted.
- if (getAppIdFlag(APPID_SESSION_DECRYPTED)
+ if (get_session_flags(APPID_SESSION_DECRYPTED)
&&
memcmp(attribute_data->httpRequesUrl, httpScheme, sizeof(httpScheme)-1) == 0)
{
if (hsession->uri)
{
snort_free(hsession->uri);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->uri = attribute_data->httpRequestUri;
attribute_data->httpRequestUri = nullptr;
attribute_data->httpRequestUriOffset = 0;
attribute_data->httpRequestUriEndOffset = 0;
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s uri (%u-%u) is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s uri (%u-%u) is %s\n", session_logging_id,
hsession->uriOffset, hsession->uriEndOffset,
hsession->uri);
}
if (hsession->via)
{
snort_free(hsession->via);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->via = attribute_data->httpRequestVia;
if (hsession->via)
{
snort_free(hsession->via);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->via = attribute_data->httpResponseVia;
if (hsession->useragent)
{
snort_free(hsession->useragent);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->useragent = attribute_data->httpRequestUserAgent;
// - once it supports it...
if (attribute_data->httpResponseVersion)
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s HTTP response version is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s HTTP response version is %s\n", session_logging_id,
attribute_data->httpResponseVersion);
if (strncmp(attribute_data->httpResponseVersion, "HTTP/2", 6) == 0)
{
- if (app_id_debug_session_flag)
+ if (session_logging_enabled)
LogMessage("AppIdDbg %s 3rd party detected and parsed HTTP/2\n",
- app_id_debug_session);
+ session_logging_id);
is_http2 = true;
}
snort_free(attribute_data->httpResponseVersion);
}
if (attribute_data->httpResponseCode)
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s HTTP response code is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s HTTP response code is %s\n", session_logging_id,
attribute_data->httpResponseCode);
if (hsession->response_code)
{
snort_free(hsession->response_code);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->response_code = attribute_data->httpResponseCode;
// asks the server to upgrade to HTTP/2).
if (attribute_data->httpResponseUpgrade)
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s HTTP response upgrade is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s HTTP response upgrade is %s\n", session_logging_id,
attribute_data->httpResponseUpgrade);
- if (pAppidActiveConfig->mod_config->http2_detection_enabled)
+ if (config->mod_config->http2_detection_enabled)
if (hsession->response_code && (strncmp(
hsession->response_code, "101", 3) == 0))
if (strncmp(attribute_data->httpResponseUpgrade, "h2c", 3) == 0)
{
- if (app_id_debug_session_flag)
+ if (session_logging_enabled)
LogMessage("AppIdDbg %s Got an upgrade to HTTP/2\n",
- app_id_debug_session);
+ session_logging_id);
is_http2 = true;
}
snort_free(attribute_data->httpResponseUpgrade);
attribute_data->httpResponseUpgrade = nullptr;
}
- if (!pAppidActiveConfig->mod_config->referred_appId_disabled &&
+ if (!config->mod_config->referred_appId_disabled &&
attribute_data->httpRequestReferer)
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s referrer is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s referrer is %s\n", session_logging_id,
attribute_data->httpRequestReferer);
if (hsession->referer)
{
snort_free(hsession->referer);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->referer = attribute_data->httpRequestReferer;
if (hsession->cookie)
{
snort_free(hsession->cookie);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->cookie = attribute_data->httpRequestCookie;
attribute_data->httpRequestCookie = nullptr;
attribute_data->httpRequestCookieOffset = 0;
attribute_data->httpRequestCookieEndOffset = 0;
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s cookie (%u-%u) is %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s cookie (%u-%u) is %s\n", session_logging_id,
hsession->cookieOffset, hsession->cookieEndOffset,
hsession->cookie);
}
if (hsession->content_type)
{
snort_free(hsession->content_type);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->content_type = attribute_data->httpResponseContent;
if (hsession->location)
{
snort_free(hsession->location);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->location = attribute_data->httpResponseLocation;
}
if (attribute_data->httpRequestBody)
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s got a request body %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s got a request body %s\n", session_logging_id,
attribute_data->httpRequestBody);
if (hsession->req_body)
{
snort_free(hsession->req_body);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->req_body = attribute_data->httpRequestBody;
if (hsession->body)
{
snort_free(hsession->body);
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->chp_finished = 0;
}
hsession->body = attribute_data->httpResponseBody;
}
if (!hsession->chp_finished || hsession->chp_hold_flow)
{
- setAppIdFlag(APPID_SESSION_CHP_INSPECTING);
+ set_session_flags(APPID_SESSION_CHP_INSPECTING);
if (thirdparty_appid_module)
thirdparty_appid_module->session_attr_set(tpsession,
TP_ATTR_CONTINUE_MONITORING);
}
}
- if (!pAppidActiveConfig->mod_config->referred_appId_disabled &&
+ if (!config->mod_config->referred_appId_disabled &&
!hsession->referer)
{
if (attribute_data->httpRequestReferer)
}
if (hsession->url || (confidence == 100 &&
- session_packet_count > pAppidActiveConfig->mod_config->rtmp_max_packets))
+ session_packet_count > config->mod_config->rtmp_max_packets))
{
if (hsession->url)
{
- if (((getAppIdFromUrl(nullptr, hsession->url, nullptr,
+ if (((get_appid_from_url(nullptr, hsession->url, nullptr,
hsession->referer, &client_app_id, &serviceAppId,
&payload_app_id, &referred_payload_app_id, 1)) ||
- (getAppIdFromUrl(nullptr, hsession->url, nullptr,
+ (get_appid_from_url(nullptr, hsession->url, nullptr,
hsession->referer, &client_app_id, &serviceAppId,
&payload_app_id, &referred_payload_app_id, 0))) == 1)
{
thirdparty_appid_module->session_delete(tpsession, 1);
}
tpsession = nullptr;
- clearAppIdFlag(APPID_SESSION_APP_REINSPECT);
+ clear_session_flags(APPID_SESSION_APP_REINSPECT);
}
}
else if (ThirdPartyAppIDFoundProto(APP_ID_SSL, proto_list))
if (thirdparty_appid_module && tpsession)
tmpAppId = thirdparty_appid_module->session_appid_get(tpsession);
- setAppIdFlag(APPID_SESSION_SSL_SESSION);
+ set_session_flags(APPID_SESSION_SSL_SESSION);
if (!tsession)
tsession = (tlsSession*)snort_calloc(sizeof(tlsSession));
}
else if (ThirdPartyAppIDFoundProto(APP_ID_FTP_CONTROL, proto_list))
{
- if (!pAppidActiveConfig->mod_config->ftp_userid_disabled && attribute_data->ftpCommandUser)
+ if (!config->mod_config->ftp_userid_disabled && attribute_data->ftpCommandUser)
{
if (username)
snort_free(username);
username = attribute_data->ftpCommandUser;
attribute_data->ftpCommandUser = nullptr;
username_service = APP_ID_FTP_CONTROL;
- setAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED);
+ set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
}
}
}
void AppIdSession::checkTerminateTpModule(uint16_t tpPktCount)
{
- if ((tpPktCount >= pAppidActiveConfig->mod_config->max_tp_flow_depth) ||
- (getAppIdFlag(APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT) ==
+ if ((tpPktCount >= config->mod_config->max_tp_flow_depth) ||
+ (get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT) ==
(APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT) &&
hsession && hsession->uri && (!hsession->chp_candidate || hsession->chp_finished)))
{
AppId* tp_proto_list;
int tp_confidence;
bool isTpAppidDiscoveryDone = false;
- AppIdConfig* pConfig = pAppidActiveConfig;
/*** Start of third-party processing. ***/
- if (thirdparty_appid_module && !getAppIdFlag(APPID_SESSION_NO_TPI)
+ if (thirdparty_appid_module && !get_session_flags(APPID_SESSION_NO_TPI)
&& (!TPIsAppIdDone(tpsession)
- || getAppIdFlag(APPID_SESSION_APP_REINSPECT | APPID_SESSION_APP_REINSPECT_SSL)))
+ || get_session_flags(APPID_SESSION_APP_REINSPECT | APPID_SESSION_APP_REINSPECT_SSL)))
{
// First SSL decrypted packet is now being inspected. Reset the flag so that SSL decrypted
// traffic
// gets processed like regular traffic from next packet onwards
- if (getAppIdFlag(APPID_SESSION_APP_REINSPECT_SSL))
- clearAppIdFlag(APPID_SESSION_APP_REINSPECT_SSL);
+ if (get_session_flags(APPID_SESSION_APP_REINSPECT_SSL))
+ clear_session_flags(APPID_SESSION_APP_REINSPECT_SSL);
- if (p->dsize || pAppidActiveConfig->mod_config->tp_allow_probes)
+ if (p->dsize || config->mod_config->tp_allow_probes)
{
if (protocol != IpProtocol::TCP || !p->dsize || (p->packet_flags & PKT_STREAM_ORDER_OK)
- || pAppidActiveConfig->mod_config->tp_allow_probes)
+ || config->mod_config->tp_allow_probes)
{
{
Profile tpLibPerfStats_profile_context(tpLibPerfStats);
}
isTpAppidDiscoveryDone = true;
if (thirdparty_appid_module->session_state_get(tpsession) == TP_STATE_CLASSIFIED)
- clearAppIdFlag(APPID_SESSION_APP_REINSPECT);
+ clear_session_flags(APPID_SESSION_APP_REINSPECT);
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s 3rd party returned %d\n", app_id_debug_session, tp_app_id);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s 3rd party returned %d\n", session_logging_id, tp_app_id);
- if (appInfoEntryFlagGet(tp_app_id, APPINFO_FLAG_IGNORE))
+ if (app_info_mgr->get_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE))
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s 3rd party ignored\n", app_id_debug_session);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s 3rd party ignored\n", session_logging_id);
- if (getAppIdFlag(APPID_SESSION_HTTP_SESSION))
+ if (get_session_flags(APPID_SESSION_HTTP_SESSION))
tp_app_id = APP_ID_HTTP;
else
tp_app_id = APP_ID_NONE;
// some cases. Treat it like HTTP w/ is_http2 flag set.
if ((tp_app_id == APP_ID_HTTP2) && (tp_confidence == 100))
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", app_id_debug_session);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", session_logging_id);
tp_app_id = APP_ID_HTTP;
is_http2 = true;
}
// if the third-party appId must be treated as a client, do it now
- if (appInfoEntryFlagGet(tp_app_id, APPINFO_FLAG_TP_CLIENT))
+ if (app_info_mgr->get_app_info_flags(tp_app_id, APPINFO_FLAG_TP_CLIENT))
client_app_id = tp_app_id;
ProcessThirdPartyResults(p, tp_confidence, tp_proto_list, tp_attribute_data);
else
{
tp_app_id = APP_ID_NONE;
- if (app_id_debug_session_flag && !getAppIdFlag(APPID_SESSION_TPI_OOO_LOGGED))
+ if (session_logging_enabled && !get_session_flags(APPID_SESSION_TPI_OOO_LOGGED))
{
- setAppIdFlag(APPID_SESSION_TPI_OOO_LOGGED);
- LogMessage("AppIdDbg %s 3rd party packet out-of-order\n", app_id_debug_session);
+ set_session_flags(APPID_SESSION_TPI_OOO_LOGGED);
+ LogMessage("AppIdDbg %s 3rd party packet out-of-order\n", session_logging_id);
}
}
if (thirdparty_appid_module->session_state_get(tpsession) == TP_STATE_MONITORING)
tp_app_id = APP_ID_NONE;
}
if (tp_app_id > APP_ID_NONE
- && (!getAppIdFlag(APPID_SESSION_APP_REINSPECT) || payload_app_id > APP_ID_NONE))
+ && (!get_session_flags(APPID_SESSION_APP_REINSPECT) || payload_app_id > APP_ID_NONE))
{
AppId snort_app_id;
// if the packet is HTTP, then search for via pattern
- if (getAppIdFlag(APPID_SESSION_HTTP_SESSION) && hsession)
+ if (get_session_flags(APPID_SESSION_HTTP_SESSION) && hsession)
{
snort_app_id = APP_ID_HTTP;
//data should never be APP_ID_HTTP
tp_app_id = APP_ID_HTTP;
processHTTPPacket(p, direction, nullptr);
if (TPIsAppIdAvailable(tpsession) && tp_app_id == APP_ID_HTTP
- && !getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ && !get_session_flags(APPID_SESSION_APP_REINSPECT))
{
rna_client_state = RNA_STATE_FINISHED;
- setAppIdFlag(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED);
+ set_session_flags(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED);
rnaServiceState = RNA_STATE_FINISHED;
- clearAppIdFlag(APPID_SESSION_CONTINUE);
+ clear_session_flags(APPID_SESSION_CONTINUE);
if (direction == APP_ID_FROM_INITIATOR)
{
ip = p->ptrs.ip_api.get_dst();
}
}
}
- else if (getAppIdFlag(APPID_SESSION_SSL_SESSION) && tsession)
+ else if (get_session_flags(APPID_SESSION_SSL_SESSION) && tsession)
{
examine_ssl_metadata(p);
uint16_t serverPort;
//SSL policy needs to determine IMAPS/POP3S etc before appId sees first
// server packet
portServiceAppId = porAppId;
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s SSL is service %d, portServiceAppId %d\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s SSL is service %d, portServiceAppId %d\n", session_logging_id,
tp_app_id, portServiceAppId);
}
else
{
tp_payload_app_id = tp_app_id;
tp_app_id = porAppId;
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s SSL is %d\n", app_id_debug_session, tp_app_id);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s SSL is %d\n", session_logging_id, tp_app_id);
}
snort_app_id = APP_ID_SSL;
}
{
AppInfoTableEntry* entry;
bool isTpAppidDiscoveryDone = false;
- AppIdConfig* pConfig = pAppidActiveConfig;
if (rnaServiceState != RNA_STATE_FINISHED)
{
if (protocol == IpProtocol::TCP && (p->ptrs.sp == 21 || p->ptrs.dp == 21)
&& !(p->ptrs.tcph->is_fin() || p->ptrs.tcph->is_rst()))
{
- setAppIdFlag(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_NOT_A_SERVICE
+ set_session_flags(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_NOT_A_SERVICE
| APPID_SESSION_SERVICE_DETECTED);
if (!AddFTPServiceState(this))
{
- setAppIdFlag(APPID_SESSION_CONTINUE);
+ set_session_flags(APPID_SESSION_CONTINUE);
if (p->ptrs.dp != 21)
- setAppIdFlag(APPID_SESSION_RESPONDER_SEEN);
+ set_session_flags(APPID_SESSION_RESPONDER_SEEN);
}
rnaServiceState = RNA_STATE_STATEFUL;
}
else
{
- setAppIdFlag(APPID_SESSION_MID | APPID_SESSION_SERVICE_DETECTED);
+ set_session_flags(APPID_SESSION_MID | APPID_SESSION_SERVICE_DETECTED);
rnaServiceState = RNA_STATE_FINISHED;
}
}
{
//tp has positively identified appId, Dig deeper only if sourcefire
// detector identifies additional information or flow is UDP reveresed.
- if ((entry = appInfoEntryGet(tp_app_id)) && entry->svrValidator
+ if ((entry = app_info_mgr->get_app_info_entry(tp_app_id)) && entry->svrValidator
&& ((entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL)
|| ((entry->flags & APPINFO_FLAG_SERVICE_UDP_REVERSED)
&& protocol == IpProtocol::UDP
- && getAppIdFlag(
+ && get_session_flags(
APPID_SESSION_INITIATOR_MONITORED
| APPID_SESSION_RESPONDER_MONITORED))))
{
//stop rna inspection as soon as tp has classified a valid AppId later in the session
if (rnaServiceState == RNA_STATE_STATEFUL&&
prevRnaServiceState == RNA_STATE_STATEFUL &&
- !getAppIdFlag(APPID_SESSION_NO_TPI) &&
+ !get_session_flags(APPID_SESSION_NO_TPI) &&
TPIsAppIdAvailable(tpsession) &&
tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX)
{
- entry = appInfoEntryGet(tp_app_id);
+ entry = app_info_mgr->get_app_info_entry(tp_app_id);
if (entry && entry->svrValidator && !(entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL))
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s Stop service detection\n", app_id_debug_session);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s Stop service detection\n", session_logging_id);
stop_rna_service_inspection(p, direction);
}
}
if (rnaServiceState == RNA_STATE_STATEFUL)
{
- AppIdDiscoverService(p, direction, this, pConfig);
+ AppIdDiscoverService(p, direction, this);
isTpAppidDiscoveryDone = true;
//to stop executing validator after service has been detected by RNA.
- if (getAppIdFlag(APPID_SESSION_SERVICE_DETECTED |
+ if (get_session_flags(APPID_SESSION_SERVICE_DETECTED |
APPID_SESSION_CONTINUE) == APPID_SESSION_SERVICE_DETECTED)
rnaServiceState = RNA_STATE_FINISHED;
- if (serviceAppId == APP_ID_DNS && pAppidActiveConfig->mod_config->dns_host_reporting
+ if (serviceAppId == APP_ID_DNS && config->mod_config->dns_host_reporting
&& dsession && dsession->host)
{
size_t size = dsession->host_len;
}
else if (serviceAppId == APP_ID_RTMP)
examine_rtmp_metadata();
- else if (getAppIdFlag(APPID_SESSION_SSL_SESSION) && tsession)
+ else if (get_session_flags(APPID_SESSION_SSL_SESSION) && tsession)
examine_ssl_metadata(p);
- if (tp_app_id <= APP_ID_NONE && getAppIdFlag(APPID_SESSION_SERVICE_DETECTED |
+ if (tp_app_id <= APP_ID_NONE && get_session_flags(APPID_SESSION_SERVICE_DETECTED |
APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_IGNORE_HOST) ==
APPID_SESSION_SERVICE_DETECTED)
{
Profile clientMatchPerfStats_profile_context(clientMatchPerfStats);
uint32_t prevRnaClientState = rna_client_state;
bool was_http2 = is_http2;
- bool was_service = getAppIdFlag(APPID_SESSION_SERVICE_DETECTED) ? true : false;
+ bool was_service = get_session_flags(APPID_SESSION_SERVICE_DETECTED) ? true : false;
//decision to directly call validator or go through elaborate service_state tracking
//is made once at the beginning of sesssion.
if (rna_client_state == RNA_STATE_NONE && p->dsize && direction == APP_ID_FROM_INITIATOR)
else if (TPIsAppIdAvailable(tpsession) && ( tp_app_id > APP_ID_NONE )
&& ( tp_app_id < SF_APPID_MAX ) )
{
- entry = appInfoEntryGet(tp_app_id);
+ entry = app_info_mgr->get_app_info_entry(tp_app_id);
if ( entry && entry->clntValidator
&& ( ( entry->flags & APPINFO_FLAG_CLIENT_ADDITIONAL )
|| ( ( entry->flags & APPINFO_FLAG_CLIENT_USER)
- && getAppIdFlag(APPID_SESSION_DISCOVER_USER) ) ) )
+ && get_session_flags(APPID_SESSION_DISCOVER_USER) ) ) )
{
//tp has positively identified appId, Dig deeper only if sourcefire
// detector identifies additional information
}
else
{
- setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ set_session_flags(APPID_SESSION_CLIENT_DETECTED);
rna_client_state = RNA_STATE_FINISHED;
}
}
- else if (getAppIdFlag(APPID_SESSION_HTTP_SESSION))
+ else if (get_session_flags(APPID_SESSION_HTTP_SESSION))
rna_client_state = RNA_STATE_FINISHED;
else
rna_client_state = RNA_STATE_STATEFUL;
}
//stop rna inspection as soon as tp has classified a valid AppId later in the session
if ((rna_client_state == RNA_STATE_STATEFUL || rna_client_state == RNA_STATE_DIRECT)
- && rna_client_state == prevRnaClientState && !getAppIdFlag(APPID_SESSION_NO_TPI)
+ && rna_client_state == prevRnaClientState && !get_session_flags(APPID_SESSION_NO_TPI)
&& TPIsAppIdAvailable(tpsession) && tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX)
{
- entry = appInfoEntryGet(tp_app_id);
+ entry = app_info_mgr->get_app_info_entry(tp_app_id);
if (!(entry && entry->clntValidator && entry->clntValidator == rna_client_data
&& (entry->flags & (APPINFO_FLAG_CLIENT_ADDITIONAL | APPINFO_FLAG_CLIENT_USER))))
{
rna_client_state = RNA_STATE_FINISHED;
- setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ set_session_flags(APPID_SESSION_CLIENT_DETECTED);
}
}
if (rna_client_state == RNA_STATE_DIRECT)
if (direction == APP_ID_FROM_INITIATOR)
{
/* get out if we've already tried to validate a client app */
- if (!getAppIdFlag(APPID_SESSION_CLIENT_DETECTED))
+ if (!get_session_flags(APPID_SESSION_CLIENT_DETECTED))
{
ret = exec_client_detectors(p, direction);
}
}
else if (rnaServiceState != RNA_STATE_STATEFUL
- && getAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))
+ && get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))
{
ret = exec_client_detectors(p, direction);
}
if (direction == APP_ID_FROM_INITIATOR)
{
/* get out if we've already tried to validate a client app */
- if (!getAppIdFlag(APPID_SESSION_CLIENT_DETECTED))
+ if (!get_session_flags(APPID_SESSION_CLIENT_DETECTED))
ret = exec_client_detectors(p, direction);
}
else if (rnaServiceState != RNA_STATE_STATEFUL
- && getAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))
+ && get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))
ret = exec_client_detectors(p, direction);
if (ret < 0)
- setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ set_session_flags(APPID_SESSION_CLIENT_DETECTED);
}
else
- setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ set_session_flags(APPID_SESSION_CLIENT_DETECTED);
}
}
- if (app_id_debug_session_flag)
+ if (session_logging_enabled)
if (!was_http2 && is_http2)
- LogMessage("AppIdDbg %s Got a preface for HTTP/2\n", app_id_debug_session);
+ LogMessage("AppIdDbg %s Got a preface for HTTP/2\n", session_logging_id);
- if (!was_service && getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!was_service && get_session_flags(APPID_SESSION_SERVICE_DETECTED))
sync_with_snort_id(serviceAppId, p);
}
int direction;
const sfip_t* ip;
uint16_t port;
- AppIdConfig* pConfig = pAppidActiveConfig;
if( is_packet_ignored(p) )
return;
- AppIdSession* session = (AppIdSession*) p->flow->get_flow_data(AppIdSession::flow_id);
- if (session)
+ AppIdSession* asd = (AppIdSession*) p->flow->get_flow_data(AppIdSession::flow_id);
+ if (asd)
{
- if (session->common.fsf_type.flow_type == APPID_SESSION_TYPE_IGNORE)
+ if (asd->common.flow_type == APPID_FLOW_TYPE_IGNORE)
return;
- if (session->common.fsf_type.flow_type == APPID_SESSION_TYPE_NORMAL)
+ if (asd->common.flow_type == APPID_FLOW_TYPE_NORMAL)
{
- protocol = session->protocol;
- session->flow = p->flow;
+ protocol = asd->protocol;
+ asd->flow = p->flow;
}
else if (p->is_tcp())
protocol = IpProtocol::TCP;
protocol = IpProtocol::UDP;
ip = p->ptrs.ip_api.get_src();
- if (session->common.initiator_port)
- direction = (session->common.initiator_port == p->ptrs.sp) ? APP_ID_FROM_INITIATOR :
- APP_ID_FROM_RESPONDER;
+ if (asd->common.initiator_port)
+ direction = (asd->common.initiator_port == p->ptrs.sp) ?
+ APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
else
- direction = (sfip_fast_equals_raw(ip, &session->common.initiator_ip)) ?
+ direction = (sfip_fast_equals_raw(ip, &asd->common.initiator_ip)) ?
APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
- session->in_expected_cache = false;
+ asd->in_expected_cache = false;
}
else
{
else
return;
- // FIXIT - L Refactor to use direction symbols defined by snort proper
+ // FIXIT-L Refactor to use direction symbols defined by snort proper
direction = p->is_from_client() ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
}
- app_id_debug_session_flag = fwAppIdDebugCheck(p->flow, session, app_id_debug_flag,
- &app_id_debug_info, app_id_debug_session, direction);
-
- flow_flags = AppIdSession::is_session_monitored(p, direction, session);
+ flow_flags = AppIdSession::is_session_monitored(p, direction, asd);
if (!(flow_flags & (APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)))
{
- if (!session)
+ if (!asd)
{
- if ((flow_flags & APPID_SESSION_BIDIRECTIONAL_CHECKED) ==
- APPID_SESSION_BIDIRECTIONAL_CHECKED)
- {
- // FIXIT-M: This _dpd call needs to be convert to correct snort++ call
- // static THREAD_LOCAL APPID_SESSION_STRUCT_FLAG ignore_fsf
- // { APPID_SESSION_TYPE_IGNORE };
-
- // p->flow->set_flow_data(PP_APP_ID, &ignore_fsf, nullptr);
+ ip = (direction == APP_ID_FROM_INITIATOR) ?
+ p->ptrs.ip_api.get_src() : p->ptrs.ip_api.get_dst();
+ AppIdSession* tmp_session = new AppIdSession(protocol, ip);
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s not monitored\n", app_id_debug_session);
- }
+ if ((flow_flags & APPID_SESSION_BIDIRECTIONAL_CHECKED) ==
+ APPID_SESSION_BIDIRECTIONAL_CHECKED)
+ tmp_session->common.flow_type = APPID_FLOW_TYPE_IGNORE;
else
+ tmp_session->common.flow_type = APPID_FLOW_TYPE_TMP;
+ tmp_session->common.flags = flow_flags;
+ tmp_session->common.initiator_ip = *ip;
+ if ((protocol == IpProtocol::TCP || protocol == IpProtocol::UDP)
+ && p->ptrs.sp != p->ptrs.dp)
{
- ip = (direction == APP_ID_FROM_INITIATOR) ?
- p->ptrs.ip_api.get_src() : p->ptrs.ip_api.get_dst();
- AppIdSession* tmp_session = new AppIdSession(protocol, ip);
-
- tmp_session->common.fsf_type.flow_type = APPID_SESSION_TYPE_TMP;
- tmp_session->common.flags = flow_flags;
- tmp_session->common.initiator_ip = *ip;
- if ( ( protocol == IpProtocol::TCP || protocol == IpProtocol::UDP ) &&
- p->ptrs.sp != p->ptrs.dp )
- {
- tmp_session->common.initiator_port =
- (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp;
- }
- else
- tmp_session->common.initiator_port = 0;
- tmp_session->common.policyId = appIdPolicyId;
- p->flow->set_flow_data(tmp_session);
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s unknown monitoring\n", app_id_debug_session);
+ tmp_session->common.initiator_port =
+ (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp;
}
+ else
+ tmp_session->common.initiator_port = 0;
+ tmp_session->common.policyId = appIdPolicyId;
+ p->flow->set_flow_data(tmp_session);
}
else
{
- session->common.flags = flow_flags;
+ asd->common.flags = flow_flags;
if ((flow_flags & APPID_SESSION_BIDIRECTIONAL_CHECKED) ==
- APPID_SESSION_BIDIRECTIONAL_CHECKED)
- session->common.fsf_type.flow_type = APPID_SESSION_TYPE_IGNORE;
- session->common.policyId = appIdPolicyId;
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s not monitored\n", app_id_debug_session);
+ APPID_SESSION_BIDIRECTIONAL_CHECKED)
+ asd->common.flow_type = APPID_FLOW_TYPE_IGNORE;
+ asd->common.policyId = appIdPolicyId;
}
+
return;
}
- if (!session || session->common.fsf_type.flow_type == APPID_SESSION_TYPE_TMP)
+ if (!asd || asd->common.flow_type == APPID_FLOW_TYPE_TMP)
{
/* This call will free the existing temporary session, if there is one */
- session = AppIdSession::allocate_session(p, protocol, direction);
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s new session\n", app_id_debug_session);
+ asd = AppIdSession::allocate_session(p, protocol, direction);
+ if (asd->session_logging_enabled)
+ LogMessage("AppIdDbg %s new session\n", asd->session_logging_id);
}
appid_stats.processed_packets++;
- session->session_packet_count++;
+ asd->session_packet_count++;
if (direction == APP_ID_FROM_INITIATOR)
- session->stats.initiatorBytes += p->pkth->pktlen;
+ asd->stats.initiatorBytes += p->pkth->pktlen;
else
- session->stats.responderBytes += p->pkth->pktlen;
+ asd->stats.responderBytes += p->pkth->pktlen;
- session->common.flags = flow_flags;
- session->common.policyId = appIdPolicyId;
- session->common.policyId = appIdPolicyId;
+ asd->common.flags = flow_flags;
+ asd->common.policyId = appIdPolicyId;
+ asd->common.policyId = appIdPolicyId;
- if (session->getAppIdFlag(APPID_SESSION_IGNORE_FLOW))
+ if (asd->get_session_flags(APPID_SESSION_IGNORE_FLOW))
{
- if (app_id_debug_session_flag && !session->getAppIdFlag(APPID_SESSION_IGNORE_FLOW_LOGGED))
+ if (asd->session_logging_enabled && !asd->get_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED))
{
- session->setAppIdFlag(APPID_SESSION_IGNORE_FLOW_LOGGED);
+ asd->set_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED);
LogMessage("AppIdDbg %s Ignoring connection with service %d\n",
- app_id_debug_session, session->serviceAppId);
+ asd->session_logging_id, asd->serviceAppId);
}
+
return;
}
if (p->packet_flags & PKT_STREAM_ORDER_BAD)
- session->setAppIdFlag(APPID_SESSION_OOO);
+ asd->set_session_flags(APPID_SESSION_OOO);
else if ( p->is_tcp() && p->ptrs.tcph )
{
const auto* tcph = p->ptrs.tcph;
- if ( tcph->is_rst() && session->previous_tcp_flags == TH_SYN )
+ if ( tcph->is_rst() && asd->previous_tcp_flags == TH_SYN )
{
AppIdServiceIDState* id_state;
- session->setAppIdFlag(APPID_SESSION_SYN_RST);
- if (sfip_is_set(&session->service_ip))
+ asd->set_session_flags(APPID_SESSION_SYN_RST);
+ if (sfip_is_set(&asd->service_ip))
{
- ip = &session->service_ip;
- port = session->service_port;
+ ip = &asd->service_ip;
+ port = asd->service_port;
}
else
{
port = p->ptrs.sp;
}
- id_state = AppIdGetServiceIDState(ip, IpProtocol::TCP, port,
- AppIdServiceDetectionLevel(
- session));
+ id_state = get_service_id_state(ip, IpProtocol::TCP, port,
+ AppIdServiceDetectionLevel(asd));
if (id_state)
{
id_state->reset_time = packet_time();
else if ((packet_time() - id_state->reset_time) >= 60)
{
- // FIXIT-H ip's on the packet are const
- // AppIdRemoveServiceIDState(ip, IpProtocol::TCP, port,
- // AppIdServiceDetectionLevel(session));
- session->setAppIdFlag(APPID_SESSION_SERVICE_DELETED);
+ remove_service_id_state(ip, IpProtocol::TCP, port,
+ AppIdServiceDetectionLevel(asd));
+ asd->set_session_flags(APPID_SESSION_SERVICE_DELETED);
}
}
}
- session->previous_tcp_flags = p->ptrs.tcph->th_flags;
+ asd->previous_tcp_flags = p->ptrs.tcph->th_flags;
}
/*HostPort based AppId. */
- if (!(session->scan_flags & SCAN_HOST_PORT_FLAG))
+ if (!(asd->scan_flags & SCAN_HOST_PORT_FLAG))
{
HostPortVal* hv;
- session->scan_flags |= SCAN_HOST_PORT_FLAG;
+ asd->scan_flags |= SCAN_HOST_PORT_FLAG;
if (direction == APP_ID_FROM_INITIATOR)
{
ip = p->ptrs.ip_api.get_dst();
switch (hv->type)
{
case 1:
- session->client_app_id = hv->appId;
- session->rna_client_state = RNA_STATE_FINISHED;
+ asd->client_app_id = hv->appId;
+ asd->rna_client_state = RNA_STATE_FINISHED;
break;
case 2:
- session->payload_app_id = hv->appId;
+ asd->payload_app_id = hv->appId;
break;
default:
- session->serviceAppId = hv->appId;
- session->sync_with_snort_id(hv->appId, p);
- session->rnaServiceState = RNA_STATE_FINISHED;
- session->rna_client_state = RNA_STATE_FINISHED;
- session->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
+ asd->serviceAppId = hv->appId;
+ asd->sync_with_snort_id(hv->appId, p);
+ asd->rnaServiceState = RNA_STATE_FINISHED;
+ asd->rna_client_state = RNA_STATE_FINISHED;
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
if (thirdparty_appid_module)
- thirdparty_appid_module->session_delete(session->tpsession, 1);
- session->tpsession = nullptr;
+ thirdparty_appid_module->session_delete(asd->tpsession, 1);
+ asd->tpsession = nullptr;
}
}
}
- session->check_app_detection_restart();
+ asd->check_app_detection_restart();
//restart inspection by 3rd party
- if (!session->getAppIdFlag(APPID_SESSION_NO_TPI))
+ if (!asd->get_session_flags(APPID_SESSION_NO_TPI))
{
- if (TPIsAppIdDone(session->tpsession) && session->getAppIdFlag(
+ if (TPIsAppIdDone(asd->tpsession) && asd->get_session_flags(
APPID_SESSION_HTTP_SESSION) && p->dsize)
{
- if (session->tp_reinspect_by_initiator)
+ if (asd->tp_reinspect_by_initiator)
{
- session->clearAppIdFlag(APPID_SESSION_APP_REINSPECT);
+ asd->clear_session_flags(APPID_SESSION_APP_REINSPECT);
if (direction == APP_ID_FROM_RESPONDER)
- session->tp_reinspect_by_initiator = 0; //toggle at OK response
+ asd->tp_reinspect_by_initiator = 0; //toggle at OK response
}
else if (direction == APP_ID_FROM_INITIATOR)
{
- session->tp_reinspect_by_initiator = 1; //once per request
- session->setAppIdFlag(APPID_SESSION_APP_REINSPECT);
- if (app_id_debug_session_flag)
+ asd->tp_reinspect_by_initiator = 1; //once per request
+ asd->set_session_flags(APPID_SESSION_APP_REINSPECT);
+ if (asd->session_logging_enabled)
LogMessage("AppIdDbg %s 3rd party allow reinspect http\n",
- app_id_debug_session);
- session->clear_http_field();
+ asd->session_logging_id);
+ asd->clear_http_field();
}
}
}
- if (session->tp_app_id == APP_ID_SSH && session->payload_app_id != APP_ID_SFTP &&
- session->session_packet_count >= MIN_SFTP_PACKET_COUNT && session->session_packet_count <
- MAX_SFTP_PACKET_COUNT)
+ if (asd->tp_app_id == APP_ID_SSH && asd->payload_app_id != APP_ID_SFTP &&
+ asd->session_packet_count >= MIN_SFTP_PACKET_COUNT &&
+ asd->session_packet_count < MAX_SFTP_PACKET_COUNT)
{
if ( p->ptrs.ip_api.tos() == 8 )
{
- session->payload_app_id = APP_ID_SFTP;
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s data is SFTP\n", app_id_debug_session);
+ asd->payload_app_id = APP_ID_SFTP;
+ if (asd->session_logging_enabled)
+ LogMessage("AppIdDbg %s data is SFTP\n", asd->session_logging_id);
}
}
#ifdef REMOVED_WHILE_NOT_IN_USE
// do third party detector processing
- isTpAppidDiscoveryDone = session->do_third_party_discovery(protocol, ip, p, direction);
+ isTpAppidDiscoveryDone = asd->do_third_party_discovery(protocol, ip, p, direction);
#endif
- if (direction == APP_ID_FROM_RESPONDER && !session->getAppIdFlag(
+ if (direction == APP_ID_FROM_RESPONDER && !asd->get_session_flags(
APPID_SESSION_PORT_SERVICE_DONE|APPID_SESSION_SYN_RST))
{
- session->setAppIdFlag(APPID_SESSION_PORT_SERVICE_DONE);
- session->portServiceAppId = getPortServiceId(protocol, p->ptrs.sp, pConfig);
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s port service %d\n", app_id_debug_session,
- session->portServiceAppId);
+ asd->set_session_flags(APPID_SESSION_PORT_SERVICE_DONE);
+ asd->portServiceAppId = getPortServiceId(protocol, p->ptrs.sp, asd->config);
+ if (asd->session_logging_enabled)
+ LogMessage("AppIdDbg %s port service %d\n", asd->session_logging_id,
+ asd->portServiceAppId);
}
/* Length-based detectors. */
* - Port service didn't find anything (and we haven't yet either).
* - We haven't hit the max packets allowed for detector sequence matches.
* - Packet has data (we'll ignore 0-sized packets in sequencing). */
- if ( (session->portServiceAppId <= APP_ID_NONE)
- && (session->length_sequence.sequence_cnt < LENGTH_SEQUENCE_CNT_MAX)
+ if ( (asd->portServiceAppId <= APP_ID_NONE)
+ && (asd->length_sequence.sequence_cnt < LENGTH_SEQUENCE_CNT_MAX)
&& (p->dsize > 0))
{
- uint8_t index = session->length_sequence.sequence_cnt;
- session->length_sequence.proto = protocol;
- session->length_sequence.sequence_cnt++;
- session->length_sequence.sequence[index].direction = direction;
- session->length_sequence.sequence[index].length = p->dsize;
- session->portServiceAppId = find_length_app_cache(&session->length_sequence);
- if (session->portServiceAppId > APP_ID_NONE)
- session->setAppIdFlag(APPID_SESSION_PORT_SERVICE_DONE);
+ uint8_t index = asd->length_sequence.sequence_cnt;
+ asd->length_sequence.proto = protocol;
+ asd->length_sequence.sequence_cnt++;
+ asd->length_sequence.sequence[index].direction = direction;
+ asd->length_sequence.sequence[index].length = p->dsize;
+ asd->portServiceAppId = find_length_app_cache(&asd->length_sequence);
+ if (asd->portServiceAppId > APP_ID_NONE)
+ asd->set_session_flags(APPID_SESSION_PORT_SERVICE_DONE);
}
/* exceptions for rexec and any other service detector that needs to see SYN and SYN/ACK */
- if (session->getAppIdFlag(APPID_SESSION_REXEC_STDERR))
+ if (asd->get_session_flags(APPID_SESSION_REXEC_STDERR))
{
- AppIdDiscoverService(p, direction, session, pConfig);
- if (session->serviceAppId == APP_ID_DNS &&
- pAppidActiveConfig->mod_config->dns_host_reporting &&
- session->dsession && session->dsession->host )
+ AppIdDiscoverService(p, direction, asd);
+ if (asd->serviceAppId == APP_ID_DNS &&
+ asd->config->mod_config->dns_host_reporting &&
+ asd->dsession && asd->dsession->host )
{
- size_t size = session->dsession->host_len;
- dns_host_scan_hostname((const uint8_t*)session->dsession->host, size,
+ size_t size = asd->dsession->host_len;
+ dns_host_scan_hostname((const uint8_t*)asd->dsession->host, size,
&ClientAppId, &payloadAppId);
- session->set_client_app_id_data(ClientAppId, nullptr);
+ asd->set_client_app_id_data(ClientAppId, nullptr);
}
- else if (session->serviceAppId == APP_ID_RTMP)
- session->examine_rtmp_metadata();
- else if (session->getAppIdFlag(APPID_SESSION_SSL_SESSION) && session->tsession)
- session->examine_ssl_metadata(p);
+ else if (asd->serviceAppId == APP_ID_RTMP)
+ asd->examine_rtmp_metadata();
+ else if (asd->get_session_flags(APPID_SESSION_SSL_SESSION) && asd->tsession)
+ asd->examine_ssl_metadata(p);
}
else if (protocol != IpProtocol::TCP || !p->dsize || (p->packet_flags & PKT_STREAM_ORDER_OK))
{
// FIXIT-M commented out assignment causes analysis warning
/*isTpAppidDiscoveryDone = */
- session->do_service_discovery(protocol, direction, ClientAppId, payloadAppId, p);
- isTpAppidDiscoveryDone = session->do_client_discovery(direction, p);
- session->setAppIdFlag(APPID_SESSION_ADDITIONAL_PACKET);
+ asd->do_service_discovery(protocol, direction, ClientAppId, payloadAppId, p);
+ isTpAppidDiscoveryDone = asd->do_client_discovery(direction, p);
+ asd->set_session_flags(APPID_SESSION_ADDITIONAL_PACKET);
}
else
{
- if (app_id_debug_session_flag && p->dsize &&
- !session->getAppIdFlag(APPID_SESSION_OOO_LOGGED))
+ if (asd->session_logging_enabled && p->dsize &&
+ !asd->get_session_flags(APPID_SESSION_OOO_LOGGED))
{
- session->setAppIdFlag(APPID_SESSION_OOO_LOGGED);
- LogMessage("AppIdDbg %s packet out-of-order\n", app_id_debug_session);
+ asd->set_session_flags(APPID_SESSION_OOO_LOGGED);
+ LogMessage("AppIdDbg %s packet out-of-order\n", asd->session_logging_id);
}
}
- serviceAppId = session->pick_service_app_id();
- payloadAppId = session->pick_payload_app_id();
+ serviceAppId = asd->pick_service_app_id();
+ payloadAppId = asd->pick_payload_app_id();
if (serviceAppId > APP_ID_NONE)
{
- if (session->getAppIdFlag(APPID_SESSION_DECRYPTED))
+ if (asd->get_session_flags(APPID_SESSION_DECRYPTED))
{
- if (session->misc_app_id == APP_ID_NONE)
- session->update_encrypted_app_id(serviceAppId);
+ if (asd->misc_app_id == APP_ID_NONE)
+ asd->update_encrypted_app_id(serviceAppId);
}
-// FIXIT-M: Need to determine what api to use for this _dpd function
+// FIXIT-M Need to determine what api to use for this _dpd function
#if 1
UNUSED(isTpAppidDiscoveryDone);
#else
else if (isTpAppidDiscoveryDone && isSslServiceAppId(serviceAppId) &&
_dpd.isSSLPolicyEnabled(nullptr))
- session->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
#endif
}
- p->flow->set_application_ids(serviceAppId, session->pick_client_app_id(), payloadAppId, session->pick_misc_app_id());
+ p->flow->set_application_ids(serviceAppId, asd->pick_client_app_id(), payloadAppId, asd->pick_misc_app_id());
/* Set the field that the Firewall queries to see if we have a search engine. */
- if (session->search_support_type == SEARCH_SUPPORT_TYPE_UNKNOWN && payloadAppId > APP_ID_NONE)
+ if (asd->search_support_type == UNKNOWN_SEARCH_ENGINE && payloadAppId > APP_ID_NONE)
{
- uint flags = appInfoEntryFlagGet(payloadAppId, APPINFO_FLAG_SEARCH_ENGINE |
+ uint flags = AppInfoManager::get_instance().get_app_info_flags(payloadAppId, APPINFO_FLAG_SEARCH_ENGINE |
APPINFO_FLAG_SUPPORTED_SEARCH);
- session->search_support_type =
+ asd->search_support_type =
(flags & APPINFO_FLAG_SEARCH_ENGINE) ?
((flags & APPINFO_FLAG_SUPPORTED_SEARCH) ? SUPPORTED_SEARCH_ENGINE :
UNSUPPORTED_SEARCH_ENGINE )
: NOT_A_SEARCH_ENGINE;
- if (app_id_debug_session_flag)
+ if (asd->session_logging_enabled)
{
const char* typeString;
- switch ( session->search_support_type )
+ switch ( asd->search_support_type )
{
case NOT_A_SEARCH_ENGINE: typeString = "NOT_A_SEARCH_ENGINE"; break;
case SUPPORTED_SEARCH_ENGINE: typeString = "SUPPORTED_SEARCH_ENGINE"; break;
}
LogMessage("AppIdDbg %s appId: %u (safe)search_support_type=%s\n",
- app_id_debug_session, payloadAppId, typeString);
+ asd->session_logging_id, payloadAppId, typeString);
}
}
if ( serviceAppId != APP_ID_NONE )
{
- if ( payloadAppId != APP_ID_NONE && payloadAppId != session->pastIndicator)
+ if ( payloadAppId != APP_ID_NONE && payloadAppId != asd->pastIndicator)
{
- session->pastIndicator = payloadAppId;
- checkSessionForAFIndicator(p, direction, (ApplicationId)payloadAppId);
+ asd->pastIndicator = payloadAppId;
+ check_session_for_AF_indicator(p, direction, (ApplicationId)payloadAppId);
}
- if (session->payload_app_id == APP_ID_NONE && session->pastForecast != serviceAppId &&
- session->pastForecast != APP_ID_UNKNOWN)
+ if (asd->payload_app_id == APP_ID_NONE && asd->pastForecast != serviceAppId &&
+ asd->pastForecast != APP_ID_UNKNOWN)
{
- session->pastForecast = checkSessionForAFForecast(session, p, direction,
+ asd->pastForecast = check_session_for_AF_forecast(asd, p, direction,
(ApplicationId)serviceAppId);
}
}
&& ((pkt[3] & nm[3]) == peIP[3]));
}
-static inline int checkPortExclusion(const Packet* pkt, int reversed)
+static inline int check_port_exclusion(const Packet* pkt, bool reversed)
{
SF_LIST** src_port_exclusions;
SF_LIST** dst_port_exclusions;
PortExclusion* pe;
const sfip_t* s_ip;
uint16_t port;
- AppIdConfig* pConfig = pAppidActiveConfig;
+ AppIdConfig* config = AppIdConfig::get_appid_config();
if ( pkt->is_tcp() )
{
- src_port_exclusions = pConfig->tcp_port_exclusions_src;
- dst_port_exclusions = pConfig->tcp_port_exclusions_dst;
+ src_port_exclusions = config->tcp_port_exclusions_src;
+ dst_port_exclusions = config->tcp_port_exclusions_dst;
}
else if ( pkt->is_udp() )
{
- src_port_exclusions = pConfig->udp_port_exclusions_src;
- dst_port_exclusions = pConfig->udp_port_exclusions_dst;
+ src_port_exclusions = config->udp_port_exclusions_src;
+ dst_port_exclusions = config->udp_port_exclusions_dst;
}
else
return 0;
return 0;
}
-static inline unsigned isIPMonitored(const Packet* p, int dst)
+static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst)
{
const sfip_t* sf_ip;
NetworkSet* net_list;
unsigned flags;
int32_t zone;
NSIPv6Addr ip6;
- AppIdConfig* pConfig = pAppidActiveConfig;
+ AppIdConfig* config = AppIdConfig::get_appid_config();
if (!dst)
{
}
else
{
- zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ? p->pkth->ingress_group
- :
- p->pkth->egress_group;
+ zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ?
+ p->pkth->ingress_group : p->pkth->egress_group;
if (zone == DAQ_PKTHDR_FLOOD)
return 0;
sf_ip = p->ptrs.ip_api.get_dst();
}
- if (zone >= 0 && zone < MAX_ZONES && pConfig->net_list_by_zone[zone])
- net_list = pConfig->net_list_by_zone[zone];
+ if (zone >= 0 && zone < MAX_ZONES && config->net_list_by_zone[zone])
+ net_list = config->net_list_by_zone[zone];
else
- net_list = pConfig->net_list;
+ net_list = config->net_list;
if ( sf_ip->is_ip4() )
{
return flags | IPFUNCS_CHECKED;
}
-static inline bool isSpecialSessionMonitored(const Packet* p)
+static inline bool is_special_session_monitored(const Packet* p)
{
if ( p->is_ip4() )
{
bool AppIdSession::is_ssl_decryption_enabled()
{
- if (getAppIdFlag(APPID_SESSION_DECRYPTED))
- return 1;
-// FIXIT-M J bad bad bad
-// #ifdef UNIT_TEST
-// if (session_packet_count >= 12)
-// return 1;
-// return 0;
-// #else
+ if (get_session_flags(APPID_SESSION_DECRYPTED))
+ return true;
+
return flow->is_proxied();
-// #endif
}
-uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSession* session)
+uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSession* asd)
{
uint64_t flags;
uint64_t flow_flags = APPID_SESSION_DISCOVER_APP;
flow_flags |= (dir == APP_ID_FROM_INITIATOR) ?
APPID_SESSION_INITIATOR_SEEN : APPID_SESSION_RESPONDER_SEEN;
- if (session)
+ if (asd)
{
- flow_flags |= session->common.flags;
- if (session->common.policyId != appIdPolicyId)
+ flow_flags |= asd->common.flags;
+ if (asd->common.policyId != appIdPolicyId)
{
- if (checkPortExclusion(p, dir == APP_ID_FROM_RESPONDER))
+ if (check_port_exclusion(p, dir == APP_ID_FROM_RESPONDER))
{
flow_flags |= APPID_SESSION_INITIATOR_SEEN | APPID_SESSION_RESPONDER_SEEN |
APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED;
}
if (dir == APP_ID_FROM_INITIATOR)
{
- if (session->getAppIdFlag(APPID_SESSION_INITIATOR_CHECKED))
+ if (asd->get_session_flags(APPID_SESSION_INITIATOR_CHECKED))
{
- flags = isIPMonitored(p, 0);
+ flags = get_ipfuncs_flags(p, false);
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_INITIATOR_MONITORED;
else
flow_flags &= ~APPID_SESSION_INITIATOR_MONITORED;
}
- if (session->getAppIdFlag(APPID_SESSION_RESPONDER_CHECKED))
+ if (asd->get_session_flags(APPID_SESSION_RESPONDER_CHECKED))
{
- flags = isIPMonitored(p, 1);
+ flags = get_ipfuncs_flags(p, true);
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
else
}
else
{
- if (session->getAppIdFlag(APPID_SESSION_RESPONDER_CHECKED))
+ if (asd->get_session_flags(APPID_SESSION_RESPONDER_CHECKED))
{
- flags = isIPMonitored(p, 0);
+ flags = get_ipfuncs_flags(p, false);
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
else
flow_flags &= ~APPID_SESSION_RESPONDER_MONITORED;
}
- if (session->getAppIdFlag(APPID_SESSION_INITIATOR_CHECKED))
+ if (asd->get_session_flags(APPID_SESSION_INITIATOR_CHECKED))
{
- flags = isIPMonitored(p, 1);
+ flags = get_ipfuncs_flags(p, true);
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_INITIATOR_MONITORED;
else
}
}
- if (session->getAppIdFlag(APPID_SESSION_BIDIRECTIONAL_CHECKED) ==
+ if (asd->get_session_flags(APPID_SESSION_BIDIRECTIONAL_CHECKED) ==
APPID_SESSION_BIDIRECTIONAL_CHECKED)
return flow_flags;
if (dir == APP_ID_FROM_INITIATOR)
{
- if (!session->getAppIdFlag(APPID_SESSION_INITIATOR_CHECKED))
+ if (!asd->get_session_flags(APPID_SESSION_INITIATOR_CHECKED))
{
- flags = isIPMonitored(p, 0);
+ flags = get_ipfuncs_flags(p, false);
flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_INITIATOR_MONITORED;
if (flags & IPFUNCS_APPLICATION)
flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (isSpecialSessionMonitored(p))
+ if (is_special_session_monitored(p))
{
flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
}
}
if (!(flow_flags & APPID_SESSION_DISCOVER_APP)
- && !session->getAppIdFlag(APPID_SESSION_RESPONDER_CHECKED))
+ && !asd->get_session_flags(APPID_SESSION_RESPONDER_CHECKED))
{
- flags = isIPMonitored(p, 1);
+ flags = get_ipfuncs_flags(p, true);
if (flags & IPFUNCS_CHECKED)
flow_flags |= APPID_SESSION_RESPONDER_CHECKED;
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
if (flags & IPFUNCS_APPLICATION)
flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (isSpecialSessionMonitored(p))
+ if (is_special_session_monitored(p))
{
flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
}
}
else
{
- if (!session->getAppIdFlag(APPID_SESSION_RESPONDER_CHECKED))
+ if (!asd->get_session_flags(APPID_SESSION_RESPONDER_CHECKED))
{
- flags = isIPMonitored(p, 0);
+ flags = get_ipfuncs_flags(p, false);
flow_flags |= APPID_SESSION_RESPONDER_CHECKED;
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
if (flags & IPFUNCS_APPLICATION)
flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (isSpecialSessionMonitored(p))
+ if (is_special_session_monitored(p))
{
flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
}
}
if (!(flow_flags & APPID_SESSION_DISCOVER_APP)
- && !session->getAppIdFlag(APPID_SESSION_INITIATOR_CHECKED))
+ && !asd->get_session_flags(APPID_SESSION_INITIATOR_CHECKED))
{
- flags = isIPMonitored(p, 1);
+ flags = get_ipfuncs_flags(p, true);
if (flags & IPFUNCS_CHECKED)
flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_DISCOVER_USER;
if (flags & IPFUNCS_APPLICATION)
flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (isSpecialSessionMonitored(p))
+ if (is_special_session_monitored(p))
{
flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
}
}
}
}
- else if (checkPortExclusion(p, 0))
+ else if (check_port_exclusion(p, false))
{
flow_flags |= APPID_SESSION_INITIATOR_SEEN | APPID_SESSION_RESPONDER_SEEN |
APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED;
}
else if (dir == APP_ID_FROM_INITIATOR)
{
- flags = isIPMonitored(p, 0);
+ flags = get_ipfuncs_flags(p, false);
flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_INITIATOR_MONITORED;
flow_flags |= APPID_SESSION_DISCOVER_APP;
if (!(flow_flags & APPID_SESSION_DISCOVER_APP))
{
- flags = isIPMonitored(p, 1);
+ flags = get_ipfuncs_flags(p, true);
if (flags & IPFUNCS_CHECKED)
flow_flags |= APPID_SESSION_RESPONDER_CHECKED;
if (flags & IPFUNCS_HOSTS_IP)
if (flags & IPFUNCS_APPLICATION)
flow_flags |= APPID_SESSION_DISCOVER_APP;
}
- if (isSpecialSessionMonitored(p))
+ if (is_special_session_monitored(p))
{
flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
}
}
else
{
- flags = isIPMonitored(p, 0);
+ flags = get_ipfuncs_flags(p, false);
flow_flags |= APPID_SESSION_RESPONDER_CHECKED;
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
flow_flags |= APPID_SESSION_DISCOVER_APP;
if (!(flow_flags & APPID_SESSION_DISCOVER_APP))
{
- flags = isIPMonitored(p, 1);
+ flags = get_ipfuncs_flags(p, true);
if (flags & IPFUNCS_CHECKED)
flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
if (flags & IPFUNCS_HOSTS_IP)
flow_flags |= APPID_SESSION_DISCOVER_APP;
}
- if (isSpecialSessionMonitored(p))
+ if (is_special_session_monitored(p))
{
flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
}
void AppIdSession::check_app_detection_restart()
{
- if (getAppIdFlag(APPID_SESSION_DECRYPTED))
+ if (get_session_flags(APPID_SESSION_DECRYPTED))
return;
if (!is_ssl_decryption_enabled())
AppId serviceAppId = pick_service_app_id();
bool isSsl = isSslServiceAppId(serviceAppId);
- // A session could either:
+ // A asd could either:
// 1. Start of as SSL - captured with isSsl flag, OR
- // 2. It could start of as a non-SSL session and later change to SSL. For example, FTP->FTPS.
+ // 2. It could start of as a non-SSL asd and later change to SSL. For example, FTP->FTPS.
// In this case APPID_SESSION_ENCRYPTED flag is set by the protocol state machine.
- if (getAppIdFlag(APPID_SESSION_ENCRYPTED) || isSsl)
+ if (get_session_flags(APPID_SESSION_ENCRYPTED) || isSsl)
{
- setAppIdFlag(APPID_SESSION_DECRYPTED);
+ set_session_flags(APPID_SESSION_DECRYPTED);
encrypted.serviceAppId = serviceAppId;
encrypted.payloadAppId = pick_payload_app_id();
encrypted.ClientAppId = pick_client_app_id();
encrypted.miscAppId = pick_misc_app_id();
encrypted.referredAppId = pick_referred_payload_app_id();
reinit_shared_data();
- if (app_id_debug_session_flag)
+ if (session_logging_enabled)
LogMessage("AppIdDbg %s SSL decryption is available, restarting app Detection\n",
- app_id_debug_session);
+ session_logging_id);
- // APPID_SESSION_ENCRYPTED is set upon receiving a command which upgrades the session to
+ // APPID_SESSION_ENCRYPTED is set upon receiving a command which upgrades the asd to
// SSL. Next packet after the command will have encrypted traffic. In the case of a
- // session which starts as SSL, current packet itself is encrypted. Set the special flag
+ // asd which starts as SSL, current packet itself is encrypted. Set the special flag
// APPID_SESSION_APP_REINSPECT_SSL which allows reinspection of this pcaket.
if (isSsl)
- setAppIdFlag(APPID_SESSION_APP_REINSPECT_SSL);
+ set_session_flags(APPID_SESSION_APP_REINSPECT_SSL);
}
}
if (client_app_id != clientAppId)
{
- unsigned prev_priority = appInfoEntryPriorityGet(client_app_id);
- unsigned curr_priority = appInfoEntryPriorityGet(clientAppId);
+ unsigned prev_priority = app_info_mgr->get_app_info_priority(client_app_id);
+ unsigned curr_priority = app_info_mgr->get_app_info_priority(clientAppId);
- if (pAppidActiveConfig->mod_config->instance_id)
+ if (config->mod_config->instance_id)
checkSandboxDetection(clientAppId);
if ((client_app_id) && (prev_priority > curr_priority ))
int16_t tempSnortId = snort_id;
if (tempSnortId == UNSYNCED_SNORT_ID)
- {
tempSnortId = snort_id = p->flow->ssn_state.application_protocol;
- }
if (tempSnortId == snortId_for_ftp || tempSnortId == snortId_for_ftp_data ||
tempSnortId == snortId_for_imap || tempSnortId == snortId_for_pop3 ||
return; // These preprocessors, in snort proper, already know and expect these to remain
// unchanged.
}
- if ((entry = appInfoEntryGet(newAppId)) && (tempSnortId = entry->snortId))
+ if ((entry = app_info_mgr->get_app_info_entry(newAppId)) && (tempSnortId = entry->snortId))
{
// Snort has a separate protocol ID for HTTP/2. We don't. So, when we
// talk to them about it, we have to play by their rules.
if (tempSnortId != snort_id)
{
- if (app_id_debug_session_flag)
+ if (session_logging_enabled)
if (tempSnortId == snortId_for_http2)
LogMessage("AppIdDbg %s Telling Snort that it's HTTP/2\n",
- app_id_debug_session);
+ session_logging_id);
p->flow->ssn_state.application_protocol = tempSnortId;
snort_id = tempSnortId;
if (hsession->url)
{
- if (((getAppIdFromUrl(nullptr, hsession->url, &version,
+ if (((get_appid_from_url(nullptr, hsession->url, &version,
hsession->referer, &ClientAppId, &serviceAppId,
&payloadAppId, &referredPayloadAppId, 1)) ||
- (getAppIdFromUrl(nullptr, hsession->url, &version,
+ (get_appid_from_url(nullptr, hsession->url, &version,
hsession->referer, &ClientAppId, &serviceAppId,
&payloadAppId, &referredPayloadAppId, 0))) == 1)
{
if (referred_payload_app_id != id)
{
- if (pAppidActiveConfig->mod_config->instance_id)
+ if (config->mod_config->instance_id)
checkSandboxDetection(id);
referred_payload_app_id = id;
void AppIdSession::set_payload_app_id_data(ApplicationId id, char** version)
{
-
if (id <= APP_ID_NONE)
return;
if (payload_app_id != id)
{
- unsigned prev_priority = appInfoEntryPriorityGet(payload_app_id);
- unsigned curr_priority = appInfoEntryPriorityGet(id);
+ unsigned prev_priority = app_info_mgr->get_app_info_priority(payload_app_id);
+ unsigned curr_priority = app_info_mgr->get_app_info_priority(id);
- if (pAppidActiveConfig->mod_config->instance_id)
+ if (config->mod_config->instance_id)
checkSandboxDetection(id);
if ((payload_app_id ) && (prev_priority > curr_priority ))
{
serviceAppId = id;
- if (pAppidActiveConfig->mod_config->instance_id)
+ if (config->mod_config->instance_id)
checkSandboxDetection(id);
/* Clear out previous values of vendor & version */
update_appid_statistics(this);
if (flow)
- FailInProcessService(this, pAppidActiveConfig);
+ FailInProcessService(this, config);
free_flow_data();
if (thirdparty_appid_module)
}
rnaServiceState = RNA_STATE_FINISHED;
- setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
- clearAppIdFlag(APPID_SESSION_CONTINUE);
+ set_session_flags(APPID_SESSION_SERVICE_DETECTED);
+ clear_session_flags(APPID_SESSION_CONTINUE);
}
AppId AppIdSession::is_appid_detection_done()
{
- return getAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
+ return get_session_flags(APPID_SESSION_SERVICE_DETECTED);
}
AppId AppIdSession::pick_service_app_id()
{
AppId rval;
- if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL )
+ if ( common.flow_type != APPID_FLOW_TYPE_NORMAL )
return APP_ID_NONE;
- if (getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- bool deferred = appInfoEntryFlagGet(serviceAppId, APPINFO_FLAG_DEFER)
- || appInfoEntryFlagGet(tp_app_id, APPINFO_FLAG_DEFER);
+ bool deferred = app_info_mgr->get_app_info_flags(serviceAppId, APPINFO_FLAG_DEFER)
+ || app_info_mgr->get_app_info_flags(tp_app_id, APPINFO_FLAG_DEFER);
if (serviceAppId > APP_ID_NONE && !deferred)
return serviceAppId;
AppId AppIdSession::pick_only_service_app_id()
{
- if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL )
+ if ( common.flow_type != APPID_FLOW_TYPE_NORMAL )
return APP_ID_NONE;
- bool deferred = appInfoEntryFlagGet(serviceAppId, APPINFO_FLAG_DEFER)
- || appInfoEntryFlagGet(tp_app_id, APPINFO_FLAG_DEFER);
+ bool deferred = app_info_mgr->get_app_info_flags(serviceAppId, APPINFO_FLAG_DEFER)
+ || app_info_mgr->get_app_info_flags(tp_app_id, APPINFO_FLAG_DEFER);
if (serviceAppId > APP_ID_NONE && !deferred)
return serviceAppId;
AppId AppIdSession::pick_misc_app_id()
{
- if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL )
+ if ( common.flow_type != APPID_FLOW_TYPE_NORMAL )
return APP_ID_NONE;
if (misc_app_id > APP_ID_NONE)
return misc_app_id;
AppId AppIdSession::pick_client_app_id()
{
- if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL )
+ if ( common.flow_type != APPID_FLOW_TYPE_NORMAL )
return APP_ID_NONE;
if (client_app_id > APP_ID_NONE)
return client_app_id;
AppId AppIdSession::pick_payload_app_id()
{
- if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL )
+ if ( common.flow_type != APPID_FLOW_TYPE_NORMAL )
return APP_ID_NONE;
// if we have a deferred payload, just use it.
// we are not worried about the APP_ID_UNKNOWN case here
- if (appInfoEntryFlagGet(tp_payload_app_id, APPINFO_FLAG_DEFER_PAYLOAD))
+ if (app_info_mgr->get_app_info_flags(tp_payload_app_id, APPINFO_FLAG_DEFER_PAYLOAD))
return tp_payload_app_id;
else if (payload_app_id > APP_ID_NONE)
return payload_app_id;
AppId AppIdSession::pick_referred_payload_app_id()
{
- if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL )
+ if ( common.flow_type != APPID_FLOW_TYPE_NORMAL )
return APP_ID_NONE;
if (referred_payload_app_id > APP_ID_NONE)
return referred_payload_app_id;
bool AppIdSession::is_ssl_session_decrypted()
{
- return getAppIdFlag(APPID_SESSION_DECRYPTED);
+ return get_session_flags(APPID_SESSION_DECRYPTED);
}
#ifdef REMOVED_WHILE_NOT_IN_USE
"body",
};
+void AppIdSession::clear_app_id_data()
+{
+ payload_app_id = APP_ID_UNKNOWN;
+ serviceAppId = APP_ID_UNKNOWN;
+ tp_payload_app_id = APP_ID_UNKNOWN;
+ tp_app_id = APP_ID_UNKNOWN;
+ if (payload_version)
+ {
+ snort_free(payload_version);
+ payload_version = nullptr;
+ }
+ if (serviceVendor)
+ {
+ snort_free(serviceVendor);
+ serviceVendor = nullptr;
+ }
+ if (serviceVersion)
+ {
+ snort_free(serviceVersion);
+ serviceVersion = nullptr;
+ }
+
+ if (tsession)
+ free_tls_session_data();
+
+ if (hsession)
+ free_http_session_data();
+
+ if (dsession)
+ free_dns_session_data();
+
+ if (thirdparty_appid_module)
+ thirdparty_appid_module->session_delete(tpsession, 1);
+}
+
int AppIdSession::initial_CHP_sweep(char** chp_buffers, MatchedCHPAction** ppmatches)
{
CHPApp* cah = nullptr;
int longest = 0;
int size, i;
- int scanKeyFoundSomething=0;
- CHPMatchTally* pTally = nullptr; // scanKeyCHP allocates a pointer, but we free it when ready
+ CHPTallyAndActions chp;
+ chp.matches = *ppmatches;
for (i = 0; i <= MAX_KEY_PATTERN; i++)
{
ppmatches[i] = nullptr;
- if (chp_buffers[i] && (size = strlen(chp_buffers[i])) &&
- scanKeyCHP((PatternType)i, chp_buffers[i], size, &pTally, &ppmatches[i]))
- scanKeyFoundSomething=1;
+ if (chp_buffers[i] && (size = strlen(chp_buffers[i])))
+ scan_key_chp((PatternType)i, chp_buffers[i], size, chp);
}
- if (!scanKeyFoundSomething)
+ if (chp.match_tally.empty())
return 0;
- for (i = 0; i < pTally->in_use_elements; i++)
+ for (auto& item: chp.match_tally)
{
// Only those items which have had their key_pattern_countdown field reduced to zero are a
// full match
- if (pTally->item[i].key_pattern_countdown)
+ if (item.key_pattern_countdown)
continue;
- if (longest < pTally->item[i].key_pattern_length_sum)
+ if (longest < item.key_pattern_length_sum)
{
// We've found a new longest pattern set
- longest = pTally->item[i].key_pattern_length_sum;
- cah = pTally->item[i].chpapp;
+ longest = item.key_pattern_length_sum;
+ cah = item.chpapp;
}
}
- // either we have a candidate or we don't so we can free the tally structure either way.
- free(pTally);
if (cah == nullptr)
{
{
if (ppmatches[i])
{
- FreeMatchedCHPActions(ppmatches[i]);
+ free_matched_chp_actions(ppmatches[i]);
ppmatches[i] = nullptr;
}
}
hsession->ptype_req_counts[i] = cah->ptype_req_counts[i] +
cah->ptype_rewrite_insert_used[i];
if (i > 3 && !cah->ptype_scan_counts[i]
- && !getAppIdFlag(APPID_SESSION_SPDY_SESSION))
+ && !get_session_flags(APPID_SESSION_SPDY_SESSION))
{
- clearAppIdFlag(APPID_SESSION_CHP_INSPECTING);
+ clear_session_flags(APPID_SESSION_CHP_INSPECTING);
if (thirdparty_appid_module)
thirdparty_appid_module->session_attr_clear(tpsession,
TP_ATTR_CONTINUE_MONITORING);
if (ptype_scan_counts[i] && chp_buffers[i] && (size = strlen(chp_buffers[i])) > 0)
{
found_in_buffer = 0;
- ret = scanCHP((PatternType)i, chp_buffers[i], size, chp_matches[i], version, &user,
+ ret = scan_chp((PatternType)i, chp_buffers[i], size, chp_matches[i], version, &user,
&chp_rewritten[i], &found_in_buffer, http_session, p);
chp_matches[i] = nullptr; // freed by scanCHP()
http_session->total_found += found_in_buffer;
if (http_session->fflow && http_session->fflow->flow_prepared)
{
- finalizeFflow(http_session->fflow, http_session->app_type_flags,
+ finalize_fflow(http_session->fflow, http_session->app_type_flags,
(http_session->fflow->appId ? http_session->fflow->appId : chp_final), p);
snort_free(http_session->fflow);
http_session->fflow = nullptr;
username_service = chp_final;
else
username_service = serviceAppId;
- setAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED);
+ set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
}
for (i = 0; i < NUMBER_OF_PTYPES; i++)
{
if (nullptr != chp_rewritten[i])
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s rewritten %s: %s\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s rewritten %s: %s\n", session_logging_id,
httpFieldName[i], chp_rewritten[i]);
if (http_session->new_field[i])
snort_free(http_session->new_field[i]);
void AppIdSession::clearMiscHttpFlags()
{
- if (!getAppIdFlag(APPID_SESSION_SPDY_SESSION))
+ if (!get_session_flags(APPID_SESSION_SPDY_SESSION))
{
- clearAppIdFlag(APPID_SESSION_CHP_INSPECTING);
+ clear_session_flags(APPID_SESSION_CHP_INSPECTING);
if (thirdparty_appid_module)
thirdparty_appid_module->session_attr_clear(tpsession,
TP_ATTR_CONTINUE_MONITORING);
HTTP_XFF_FIELD_TRUE_CLIENT_IP
};
- // XFF precedence configuration cannot change for a session. Do not get it again if we already
+ // XFF precedence configuration cannot change for a asd. Do not get it again if we already
// got it.
-// FIXIT-M:
#ifdef REMOVED_WHILE_NOT_IN_USE
if (!hsession->xffPrecedence)
hsession->xffPrecedence = _dpd.sessionAPI->get_http_xff_precedence(
sizeof(defaultXffPrecedence[0]);
}
- if (app_id_debug_session_flag)
+ if (session_logging_enabled)
{
for (i = 0; i < attribute_data->numXffFields; i++)
- LogMessage("AppIdDbg %s %s : %s\n", app_id_debug_session,
+ LogMessage("AppIdDbg %s %s : %s\n", session_logging_id,
attribute_data->xffFieldValue[i].field, attribute_data->xffFieldValue[i].value);
}
if (!http_session)
{
clear_app_id_data();
- if (app_id_debug_session_flag)
+ if (session_logging_enabled)
LogMessage("AppIdDbg %s attempt to process HTTP packet with no HTTP data\n",
- app_id_debug_session);
+ session_logging_id);
return 0;
}
return 0;
}
- if (direction == APP_ID_FROM_RESPONDER && !getAppIdFlag(
+ if (direction == APP_ID_FROM_RESPONDER && !get_session_flags(
APPID_SESSION_RESPONSE_CODE_CHECKED))
{
if (http_session->response_code)
{
- setAppIdFlag(APPID_SESSION_RESPONSE_CODE_CHECKED);
+ set_session_flags(APPID_SESSION_RESPONSE_CODE_CHECKED);
if (strlen(http_session->response_code) != RESPONSE_CODE_LENGTH)
{
- /* received bad response code. Stop processing this session */
+ /* received bad response code. Stop processing this asd */
clear_app_id_data();
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s bad http response code\n", app_id_debug_session);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s bad http response code\n", session_logging_id);
return 0;
}
#if RESPONSE_CODE_PACKET_THRESHHOLD
else if (++(http_session->response_code_packets) == RESPONSE_CODE_PACKET_THRESHHOLD)
{
- setAppIdFlag(APPID_SESSION_RESPONSE_CODE_CHECKED);
- /* didn't receive response code in first X packets. Stop processing this session */
- clear_app_id_data(session);
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s no response code received\n", app_id_debug_session);
+ set_session_flags(APPID_SESSION_RESPONSE_CODE_CHECKED);
+ /* didn't receive response code in first X packets. Stop processing this asd */
+ clear_app_id_data(asd);
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s no response code received\n", session_logging_id);
PREPROC_PROFILE_END(httpPerfStats);
return 0;
}
if (serviceAppId == APP_ID_NONE)
{
serviceAppId = APP_ID_HTTP;
- if (pAppidActiveConfig->mod_config->instance_id)
+ if (config->mod_config->instance_id)
checkSandboxDetection(APP_ID_HTTP);
}
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s chp_finished %d chp_hold_flow %d\n", app_id_debug_session,
+ if (session_logging_enabled)
+ LogMessage("AppIdDbg %s chp_finished %d chp_hold_flow %d\n", session_logging_id,
http_session->chp_finished, http_session->chp_hold_flow);
if (!http_session->chp_finished || http_session->chp_hold_flow)
if (!http_session->skip_simple_detect) // false unless a match happened with a call to
// processCHP().
{
- if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT))
+ if (!get_session_flags(APPID_SESSION_APP_REINSPECT))
{
// Scan Server Header for Vendor & Version
if ( (thirdparty_appid_module && (scan_flags & SCAN_HTTP_VENDOR_FLAG) &&
hsession->server) ||
(!thirdparty_appid_module &&
- getHTTPHeaderLocation(p->data, p->dsize, HTTP_ID_SERVER, &start, &end,
- &hmp) == 1) )
+ get_http_header_location(p->data, p->dsize, HTTP_ID_SERVER,
+ &start, &end, &hmp) == 1) )
{
if (serviceAppId == APP_ID_NONE || serviceAppId == APP_ID_HTTP)
{
RNAServiceSubtype** tmpSubtype;
if (thirdparty_appid_module)
- getServerVendorVersion((uint8_t*)hsession->server,
+ get_server_vendor_version((uint8_t*)hsession->server,
strlen(hsession->server), &vendorVersion, &vendor, &subtype);
else
- getServerVendorVersion(p->data + start, end - start, &vendorVersion,
+ get_server_vendor_version(p->data + start, end - start, &vendorVersion,
&vendor, &subtype);
if (vendor || vendorVersion)
{
}
}
- if (webdav_found(&hmp))
+ if (is_webdav_found(&hmp))
{
- if (app_id_debug_session_flag && payload_id > APP_ID_NONE &&
+ if (session_logging_enabled && payload_id > APP_ID_NONE &&
payload_app_id != payload_id)
- LogMessage("AppIdDbg %s data is webdav\n", app_id_debug_session);
+ LogMessage("AppIdDbg %s data is webdav\n", session_logging_id);
set_payload_app_id_data(APP_ID_WEBDAV, nullptr);
}
snort_free(version);
version = nullptr;
}
- identifyUserAgent((uint8_t*)useragent, size, &service_id, &client_id, &version);
- if (app_id_debug_session_flag && service_id > APP_ID_NONE && service_id !=
- APP_ID_HTTP && serviceAppId != service_id)
- LogMessage("AppIdDbg %s User Agent is service %d\n", app_id_debug_session,
+ identify_user_agent((uint8_t*)useragent, size, &service_id, &client_id, &version);
+ if (session_logging_enabled && service_id > APP_ID_NONE &&
+ service_id != APP_ID_HTTP && serviceAppId != service_id)
+ LogMessage("AppIdDbg %s User Agent is service %d\n", session_logging_id,
service_id);
set_service_appid_data(service_id, nullptr, nullptr);
- if (app_id_debug_session_flag && client_id > APP_ID_NONE && client_id !=
+ if (session_logging_enabled && client_id > APP_ID_NONE && client_id !=
APP_ID_HTTP && client_app_id != client_id)
- LogMessage("AppIdDbg %s User Agent is client %d\n", app_id_debug_session,
+ LogMessage("AppIdDbg %s User Agent is client %d\n", session_logging_id,
client_id);
set_client_app_id_data(client_id, &version);
scan_flags &= ~SCAN_HTTP_USER_AGENT_FLAG;
snort_free(version);
version = nullptr;
}
- payload_id = geAppidByViaPattern((uint8_t*)via, size, &version);
- if (app_id_debug_session_flag && payload_id > APP_ID_NONE &&
+ payload_id = get_appid_by_pattern((uint8_t*)via, size, &version);
+ if (session_logging_enabled && payload_id > APP_ID_NONE &&
payload_app_id != payload_id)
- LogMessage("AppIdDbg %s VIA is data %d\n", app_id_debug_session,
+ LogMessage("AppIdDbg %s VIA is data %d\n", session_logging_id,
payload_id);
set_payload_app_id_data((ApplicationId)payload_id, nullptr);
scan_flags &= ~SCAN_HTTP_VIA_FLAG;
/* Scan X-Working-With HTTP header */
if ((thirdparty_appid_module && (scan_flags & SCAN_HTTP_XWORKINGWITH_FLAG) &&
hsession->x_working_with) ||
- (!thirdparty_appid_module && getHTTPHeaderLocation(p->data, p->dsize,
+ (!thirdparty_appid_module && get_http_header_location(p->data, p->dsize,
HTTP_ID_X_WORKING_WITH, &start, &end, &hmp) == 1))
{
AppId appId;
{
if (direction == APP_ID_FROM_INITIATOR)
{
- if (app_id_debug_session_flag && client_id > APP_ID_NONE && client_id !=
+ if (session_logging_enabled && client_id > APP_ID_NONE && client_id !=
APP_ID_HTTP && client_app_id != client_id)
- LogMessage("AppIdDbg %s X is client %d\n", app_id_debug_session, appId);
+ LogMessage("AppIdDbg %s X is client %d\n", session_logging_id, appId);
set_client_app_id_data(appId, &version);
}
else
{
- if (app_id_debug_session_flag && service_id > APP_ID_NONE && service_id !=
+ if (session_logging_enabled && service_id > APP_ID_NONE && service_id !=
APP_ID_HTTP && serviceAppId != service_id)
- LogMessage("AppIdDbg %s X is service %d\n", app_id_debug_session, appId);
+ LogMessage("AppIdDbg %s X is service %d\n", session_logging_id, appId);
set_service_appid_data(appId, nullptr, &version);
}
scan_flags &= ~SCAN_HTTP_XWORKINGWITH_FLAG;
if ((thirdparty_appid_module && (scan_flags & SCAN_HTTP_CONTENT_TYPE_FLAG)
&& hsession->content_type && !is_payload_appid_set()) ||
(!thirdparty_appid_module && !is_payload_appid_set() &&
- getHTTPHeaderLocation(p->data, p->dsize, HTTP_ID_CONTENT_TYPE, &start, &end,
- &hmp) == 1))
+ get_http_header_location(p->data, p->dsize, HTTP_ID_CONTENT_TYPE,
+ &start, &end, &hmp) == 1))
{
if (thirdparty_appid_module)
- payload_id = geAppidByContentType((uint8_t*)hsession->content_type,
+ payload_id = get_appid_by_content_type((uint8_t*)hsession->content_type,
strlen(hsession->content_type));
else
- payload_id = geAppidByContentType(p->data + start, end - start);
- if (app_id_debug_session_flag && payload_id > APP_ID_NONE
+ payload_id = get_appid_by_content_type(p->data + start, end - start);
+ if (session_logging_enabled && payload_id > APP_ID_NONE
&& payload_app_id != payload_id)
- LogMessage("AppIdDbg %s Content-Type is data %d\n", app_id_debug_session,
+ LogMessage("AppIdDbg %s Content-Type is data %d\n", session_logging_id,
payload_id);
set_payload_app_id_data((ApplicationId)payload_id, nullptr);
scan_flags &= ~SCAN_HTTP_CONTENT_TYPE_FLAG;
snort_free(version);
version = nullptr;
}
- if (getAppIdFromUrl(host, url, &version, referer, &client_id, &service_id,
+ if (get_appid_from_url(host, url, &version, referer, &client_id, &service_id,
&payload_id, &referredPayloadAppId, 0) == 1)
{
// do not overwrite a previously-set client or service
if (client_app_id <= APP_ID_NONE)
{
- if (app_id_debug_session_flag && client_id > APP_ID_NONE && client_id !=
+ if (session_logging_enabled && client_id > APP_ID_NONE && client_id !=
APP_ID_HTTP && client_app_id != client_id)
- LogMessage("AppIdDbg %s URL is client %d\n", app_id_debug_session,
+ LogMessage("AppIdDbg %s URL is client %d\n", session_logging_id,
client_id);
set_client_app_id_data(client_id, nullptr);
}
if (serviceAppId <= APP_ID_NONE)
{
- if (app_id_debug_session_flag && service_id > APP_ID_NONE && service_id !=
+ if (session_logging_enabled && service_id > APP_ID_NONE && service_id !=
APP_ID_HTTP && serviceAppId != service_id)
- LogMessage("AppIdDbg %s URL is service %d\n", app_id_debug_session,
+ LogMessage("AppIdDbg %s URL is service %d\n", session_logging_id,
service_id);
set_service_appid_data(service_id, nullptr, nullptr);
}
// DO overwrite a previously-set data
- if (app_id_debug_session_flag && payload_id > APP_ID_NONE &&
+ if (session_logging_enabled && payload_id > APP_ID_NONE &&
payload_app_id != payload_id)
- LogMessage("AppIdDbg %s URL is data %d\n", app_id_debug_session, payload_id);
+ LogMessage("AppIdDbg %s URL is data %d\n", session_logging_id, payload_id);
set_payload_app_id_data((ApplicationId)payload_app_id, &version);
set_referred_payload_app_id_data(referredPayloadAppId);
}
{
if (tp_payload_app_id > APP_ID_NONE)
{
- entry = appInfoEntryGet(tp_payload_app_id);
+ entry = app_info_mgr->get_app_info_entry(tp_payload_app_id);
// only move tpPayloadAppId to client if its got a clientAppId
if (entry->clientId > APP_ID_NONE)
{
}
else if (payload_app_id > APP_ID_NONE)
{
- entry = appInfoEntryGet(payload_app_id);
+ entry = app_info_mgr->get_app_info_entry(payload_app_id);
// only move payloadAppId to client if it has a ClientAppid
if (entry->clientId > APP_ID_NONE)
{
#define HTTP_PREFIX "http://"
#define SF_DEBUG_FILE stdout
-#define NUMBER_OF_PTYPES 9
#define APPID_SESSION_DATA_NONE 0
-
#define APPID_SESSION_DATA_DHCP_FP_DATA 2
#define APPID_SESSION_DATA_SMB_DATA 4
#define APPID_SESSION_DATA_DHCP_INFO 5
-
#define APPID_SESSION_DATA_SERVICE_MODSTATE_BIT 0x20000000
#define APPID_SESSION_DATA_CLIENT_MODSTATE_BIT 0x40000000
#define APPID_SESSION_DATA_DETECTOR_MODSTATE_BIT 0x80000000
-
#define APPID_SESSION_BIDIRECTIONAL_CHECKED \
(APPID_SESSION_INITIATOR_CHECKED | \
APPID_SESSION_RESPONDER_CHECKED)
(APPID_SESSION_RESPONDER_MONITORED | \
APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | \
APPID_SESSION_SPECIAL_MONITORED)
+#define MAX_SESSION_LOGGING_ID_LEN (39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1)
struct RNAServiceElement;
struct RNAServiceSubtype;
struct RNAClientAppModule;
+class AppInfoManager;
enum RNA_INSPECTION_STATE
{
AppIdFreeFCN fd_free;
};
-#define APPID_SESSION_TYPE_IGNORE APPID_FLOW_TYPE_IGNORE
-#define APPID_SESSION_TYPE_NORMAL APPID_FLOW_TYPE_NORMAL
-#define APPID_SESSION_TYPE_TMP APPID_FLOW_TYPE_TMP
-
-struct APPID_SESSION_STRUCT_FLAG
-{
- APPID_FLOW_TYPE flow_type;
-};
-
struct CommonAppIdData
{
- APPID_SESSION_STRUCT_FLAG fsf_type; /* This must be first. */
+ APPID_FLOW_TYPE flow_type;
unsigned policyId;
//flags shared with other preprocessor via session attributes.
uint64_t flags;
int flow_prepared;
};
-struct HttpRewriteableFields
-{
- char* str;
-};
-
struct httpSession
{
char* host;
int tls_orgUnit_strlen;
};
-extern char app_id_debug_session[];
-extern bool app_id_debug_session_flag;
-
/* The UNSYNCED_SNORT_ID value is to cheaply insure we get
the value from snort rather than assume */
#define UNSYNCED_SNORT_ID 0x5555
class AppIdSession : public FlowData
{
public:
- AppIdSession(IpProtocol proto, const sfip_t* ip);
+ AppIdSession(IpProtocol, const sfip_t*);
~AppIdSession();
static AppIdSession* allocate_session(const Packet*, IpProtocol, int);
uint16_t, IpProtocol, int16_t, int);
static void do_application_discovery(Packet*);
-private:
- bool do_client_discovery(int, Packet*);
- bool do_service_discovery(IpProtocol, int, AppId, AppId, Packet*);
- int exec_client_detectors(Packet*, int);
-
- static uint64_t is_session_monitored(const Packet*, int, AppIdSession*);
- static bool is_packet_ignored(Packet* p);
- bool is_payload_appid_set();
- void clear_app_id_data();
- void reinit_shared_data();
- bool is_ssl_decryption_enabled();
- void check_app_detection_restart();
- void update_encrypted_app_id(AppId serviceAppId);
- void sync_with_snort_id(AppId, Packet*);
- void examine_ssl_metadata(Packet*);
- void examine_rtmp_metadata();
- void set_client_app_id_data(AppId clientAppId, char** version);
- void set_service_appid_data( AppId, char*, char**);
- void set_referred_payload_app_id_data( AppId);
- void set_payload_app_id_data( ApplicationId, char**);
- void stop_rna_service_inspection(Packet*, int);
-
-#ifdef REMOVED_WHILE_NOT_IN_USE
- // FIXIT-M: these are not needed until appid for snort3 supports 3rd party detectors (e.g. NAVL)
- void ProcessThirdPartyResults(Packet*, int, AppId*, ThirdPartyAppIDAttributeData*);
- void checkTerminateTpModule(uint16_t tpPktCount);
- bool do_third_party_discovery(IpProtocol, const sfip_t*, Packet*, int&);
-
- // FIXIT-H: when http detection is made functional we need to look at these methods and determine if they are
- // needed and what changes are required for snort3
- void pickHttpXffAddress(Packet*, ThirdPartyAppIDAttributeData*);
- int initial_CHP_sweep(char**, MatchedCHPAction**);
- void clearMiscHttpFlags();
- int processHTTPPacket(Packet*, int, HttpParsedHeaders* const);
- void processCHP(char**, Packet*);
-#endif
-
-public:
+ AppIdConfig* config = nullptr;
CommonAppIdData common;
AppIdSession* next = nullptr;
Flow* flow = nullptr;
+ AppIdFlowData* flowData = nullptr;
+ AppInfoManager* app_info_mgr = nullptr;
sfip_t service_ip;
uint16_t service_port = 0;
IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
uint8_t previous_tcp_flags = 0;
-
- AppIdFlowData* flowData = nullptr;
-
// AppId matching service side
AppId serviceAppId = APP_ID_NONE;
AppId portServiceAppId = APP_ID_NONE;
char* username = nullptr;
AppId username_service = APP_ID_NONE;
char* netbios_domain = nullptr;
- uint32_t id = 0;
+ uint32_t session_id = 0;
httpSession* hsession = nullptr;
tlsSession* tsession = nullptr;
unsigned scan_flags = 0;
AppId pastForecast = APP_ID_NONE;
bool is_http2 = false;
- SEARCH_SUPPORT_TYPE search_support_type = SEARCH_SUPPORT_TYPE_UNKNOWN;
-
+ SEARCH_SUPPORT_TYPE search_support_type = UNKNOWN_SEARCH_ENGINE;
bool in_expected_cache = false;
-
static unsigned flow_id;
static void init() { flow_id = FlowData::get_flow_id(); }
- void setAppIdFlag(uint64_t flags)
+ void set_session_flags(uint64_t flags)
{
common.flags |= flags;
}
- void clearAppIdFlag(uint64_t flags)
+ void clear_session_flags(uint64_t flags)
{
common.flags &= ~flags;
}
- inline uint64_t getAppIdFlag(uint64_t flags)
+ inline uint64_t get_session_flags(uint64_t flags)
{
return (common.flags & flags);
}
+ char session_logging_id[MAX_SESSION_LOGGING_ID_LEN];
+ bool session_logging_enabled = false;
+
static void release_free_list_flow_data();
void* get_flow_data(unsigned id);
int add_flow_data(void* data, unsigned id, AppIdFreeFCN);
AppId fw_pick_payload_app_id();
AppId fw_pick_referred_payload_app_id();
bool is_ssl_session_decrypted();
+private:
+ bool do_client_discovery(int, Packet*);
+ bool do_service_discovery(IpProtocol, int, AppId, AppId, Packet*);
+ int exec_client_detectors(Packet*, int);
+
+ static uint64_t is_session_monitored(const Packet*, int, AppIdSession*);
+ static bool is_packet_ignored(Packet* p);
+ bool is_payload_appid_set();
+ void reinit_shared_data();
+ bool is_ssl_decryption_enabled();
+ void check_app_detection_restart();
+ void update_encrypted_app_id(AppId serviceAppId);
+ void sync_with_snort_id(AppId, Packet*);
+ void examine_ssl_metadata(Packet*);
+ void examine_rtmp_metadata();
+ void set_client_app_id_data(AppId clientAppId, char** version);
+ void set_service_appid_data( AppId, char*, char**);
+ void set_referred_payload_app_id_data( AppId);
+ void set_payload_app_id_data( ApplicationId, char**);
+ void stop_rna_service_inspection(Packet*, int);
+ void set_session_logging_state(const Packet* pkt, int direction);
+
+#ifdef REMOVED_WHILE_NOT_IN_USE
+ // FIXIT-M these are not needed until appid for snort3 supports 3rd party detectors (e.g. NAVL)
+ void ProcessThirdPartyResults(Packet*, int, AppId*, ThirdPartyAppIDAttributeData*);
+ void checkTerminateTpModule(uint16_t tpPktCount);
+ bool do_third_party_discovery(IpProtocol, const sfip_t*, Packet*, int&);
+
+ // FIXIT-H when http detection is made functional we need to look at these methods and determine if they are
+ // needed and what changes are required for snort3
+ void clear_app_id_data();
+ void pickHttpXffAddress(Packet*, ThirdPartyAppIDAttributeData*);
+ int initial_CHP_sweep(char**, MatchedCHPAction**);
+ void clearMiscHttpFlags();
+ int processHTTPPacket(Packet*, int, HttpParsedHeaders* const);
+ void processCHP(char**, Packet*);
+#endif
+
+ void create_session_logging_id(int direction, Packet* pkt);
+
+ static THREAD_LOCAL uint32_t appid_flow_data_id;
+ static THREAD_LOCAL AppIdFlowData* fd_free_list;
};
#endif
#define URLCATBUCKETS 100
#define URLREPBUCKETS 5
-// FIXIT - find out where this is defined in snort 2.x and define appropriately here
-#if 1
-#define UNIFIED2_IDS_EVENT_APPSTAT 1
-#endif
-
struct AppIdStatRecord
{
uint32_t app_id;
struct AppIdStatOutputRecord
{
- char appName[MAX_EVENT_APPNAME_LEN];
+ char app_name[MAX_EVENT_APPNAME_LEN];
uint32_t initiatorBytes;
uint32_t responderBytes;
};
return now - (now % bucketInterval);
}
-void update_appid_statistics(AppIdSession* session)
+void update_appid_statistics(AppIdSession* asd)
{
if ( !enableAppStats )
return;
start_stats_period(now);
}
- time_t bucketTime = session->stats.firstPktsecond -
- (session->stats.firstPktsecond % bucketInterval);
+ time_t bucketTime = asd->stats.firstPktsecond -
+ (asd->stats.firstPktsecond % bucketInterval);
StatsBucket* bucket = get_stats_bucket(bucketTime);
if ( !bucket )
return;
- bucket->totalStats.txByteCnt += session->stats.initiatorBytes;
- bucket->totalStats.rxByteCnt += session->stats.responderBytes;
+ bucket->totalStats.txByteCnt += asd->stats.initiatorBytes;
+ bucket->totalStats.rxByteCnt += asd->stats.responderBytes;
- const uint32_t web_app_id = session->pick_payload_app_id();
+ const uint32_t web_app_id = asd->pick_payload_app_id();
if (web_app_id > APP_ID_NONE)
{
const uint32_t app_id = web_app_id;
}
else
{
- // FIXIT-M really? we just silently ignore an allocation failure?
+ WarningMessage("Error saving statistics record for app id: %u", app_id);
snort_free(record);
record = nullptr;
}
if (record)
{
- record->initiatorBytes += session->stats.initiatorBytes;
- record->responderBytes += session->stats.responderBytes;
+ record->initiatorBytes += asd->stats.initiatorBytes;
+ record->responderBytes += asd->stats.responderBytes;
}
}
- const uint32_t service_app_id = session->pick_service_app_id();
+ const uint32_t service_app_id = asd->pick_service_app_id();
if ((service_app_id) &&
(service_app_id != web_app_id))
{
}
else
{
- // FIXIT-M really? don't ignore insert failure? add a stat here
+ WarningMessage("Error saving statistics record for app id: %u", app_id);
snort_free(record);
record = nullptr;
}
if (record)
{
- record->initiatorBytes += session->stats.initiatorBytes;
- record->responderBytes += session->stats.responderBytes;
+ record->initiatorBytes += asd->stats.initiatorBytes;
+ record->responderBytes += asd->stats.responderBytes;
}
}
- const uint32_t client_app_id = session->pick_client_app_id();
+ const uint32_t client_app_id = asd->pick_client_app_id();
if (client_app_id > APP_ID_NONE
&& client_app_id != service_app_id
&& client_app_id != web_app_id)
}
else
{
- // FIXIT-M really? we just silently ignore an allocation failure?
+ WarningMessage("Error saving statistics record for app id: %u", app_id);
snort_free(record);
record = nullptr;
}
if (record)
{
- record->initiatorBytes += session->stats.initiatorBytes;
- record->responderBytes += session->stats.responderBytes;
+ record->initiatorBytes += asd->stats.initiatorBytes;
+ record->responderBytes += asd->stats.responderBytes;
}
}
}
}
}
-void reinit_appid_statistics()
-{
- // FIXIT-L J really should something like:
- // if ( !stats_files_are_open() )
- // return;
- if (!enableAppStats)
- return;
-
- close_stats_log_file();
-}
-
void flush_appid_statistics()
{
if (!enableAppStats)
for (node = fwAvlFirst(bucket->appsTree); node != nullptr; node = fwAvlNext(node))
{
struct AppIdStatOutputRecord* recBuffPtr;
- const char* appName;
+ const char* app_name;
bool cooked_client = false;
AppId app_id;
char tmpBuff[MAX_EVENT_APPNAME_LEN];
app_id -= 2000000000;
}
- AppInfoTableEntry* entry = appInfoEntryGet(app_id);
+ AppInfoTableEntry* entry = AppInfoManager::get_instance().get_app_info_entry(app_id);
if (entry)
{
- appName = entry->appName;
+ app_name = entry->app_name;
if (cooked_client)
{
- snprintf(tmpBuff, MAX_EVENT_APPNAME_LEN, "_cl_%s", appName);
+ snprintf(tmpBuff, MAX_EVENT_APPNAME_LEN, "_cl_%s", app_name);
tmpBuff[MAX_EVENT_APPNAME_LEN-1] = 0;
- appName = tmpBuff;
+ app_name = tmpBuff;
}
}
else if (app_id == APP_ID_UNKNOWN || app_id == APP_ID_UNKNOWN_UI)
- appName = "__unknown";
+ app_name = "__unknown";
else if (app_id == APP_ID_NONE)
- appName = "__none";
+ app_name = "__none";
else
{
ErrorMessage("invalid appid in appStatRecord (%u)\n", record->app_id);
snprintf(tmpBuff, MAX_EVENT_APPNAME_LEN, "_err_%u",app_id);
tmpBuff[MAX_EVENT_APPNAME_LEN - 1] = 0;
- appName = tmpBuff;
+ app_name = tmpBuff;
}
- memcpy(recBuffPtr->appName, appName, strlen(appName));
+ memcpy(recBuffPtr->app_name, app_name, strlen(app_name));
/**buffPtr++ = htonl(record->app_id); */
recBuffPtr->initiatorBytes = htonl(record->initiatorBytes);
class AppIdModuleConfig;
void update_appid_statistics(AppIdSession*);
-void init_appid_statistics(const AppIdModuleConfig*);
-void reinit_appid_statistics();
+void init_appid_statistics(const AppIdModuleConfig* config);
void flush_appid_statistics();
void cleanup_appid_statistics();
-
#endif
#include "framework/decode_data.h"
-struct FWDebugSessionConstraints
-{
- ip::snort_in6_addr sip;
- int sip_flag;
- ip::snort_in6_addr dip;
- int dip_flag;
- uint16_t sport;
- uint16_t dport;
- PktType protocol;
-};
-
-#define FW_DEBUG_SESSION_ID_SIZE (39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1)
-
struct ConfigItem
{
char* name; /* name of the config item */
#include <stdint.h>
-int SFGetRelocatePathForFile(const char* const content_file, const char** const root_path);
extern int Tokenize(char* data, char* toklist[]);
extern int strip(char* data);
extern void InitNetmasks(uint32_t netmasks[]);
APP_ID_ANYCONNECT_IPSEC_CLIENT = 2923,
APP_ID_FTP_ACTIVE = 4002,
APP_ID_FTP_PASSIVE = 4003,
-
- // FIXIT - L Need better name since often there is no UI
APP_ID_UNKNOWN_UI = 65535 // this causes the UI to render Unknown instead of pending or blank
};
}
static CLIENT_APP_RETCODE aim_validate( const uint8_t* const data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, Detector*)
+ AppIdSession* asd, Packet*, Detector*)
{
if ( dir != APP_ID_FROM_INITIATOR )
return CLIENT_APP_INPROCESS;
char username[USERNAME_LEN];
if ( check_username(cur, tlv, username, username + USERNAME_LEN) )
- aim_client_mod.api->add_user(flowp, username,
+ aim_client_mod.api->add_user(asd, username,
APP_ID_AOL_INSTANT_MESSENGER, 1);
}
break;
char version[MAX_VERSION_SIZE];
snprintf(version, sizeof(version), "%d.%d.%d", major, minor, lesser);
- aim_client_mod.api->add_app(
- flowp, APP_ID_AOL_INSTANT_MESSENGER,
+ aim_client_mod.api->add_app( asd, APP_ID_AOL_INSTANT_MESSENGER,
APP_ID_AOL_INSTANT_MESSENGER, version);
appid_stats.aim_clients++;
}
return CLIENT_APP_INPROCESS;
bail:
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
return CLIENT_APP_SUCCESS;
}
#include "appid_api.h"
#include "appid_session.h"
+#include "utils/util.h"
struct Packet;
struct Detector;
* already exist). */
#define MAX_CANDIDATE_CLIENTS 10
-static void* client_app_flowdata_get(AppIdSession* flowp, unsigned client_id);
-static int client_app_flowdata_add(AppIdSession* flowp, void* data, unsigned client_id, AppIdFreeFCN
+static void* client_app_flowdata_get(AppIdSession* asd, unsigned client_id);
+static int client_app_flowdata_add(AppIdSession* asd, void* data, unsigned client_id, AppIdFreeFCN
fcn);
-static void AppIdAddClientAppInfo(AppIdSession* flowp, const char* info);
+static void AppIdAddClientAppInfo(AppIdSession* asd, const char* info);
static const ClientAppApi client_app_api =
{
static void appSetClientValidator(RNAClientAppFCN fcn, AppId appId, unsigned extractsInfo)
{
- AppInfoTableEntry* pEntry = appInfoEntryGet(appId);
+ AppInfoTableEntry* pEntry = AppInfoManager::get_instance().get_app_info_entry(appId);
if (!pEntry)
{
ErrorMessage("AppId: invalid direct client application AppId: %d\n", appId);
sflist_init(&client_app_config->module_configs);
client_app_config->enabled = true;
- ClientAppParseArgs(&pAppidActiveConfig->client_app_args);
+ ClientAppParseArgs(&AppIdConfig::get_appid_config()->client_app_args);
if (client_app_config->enabled)
{
- client_init_api.debug = pAppidActiveConfig->mod_config->debug;
- client_init_api.pAppidConfig = pAppidActiveConfig;
- // FIXIT - active config global must go...
- client_init_api.instance_id = pAppidActiveConfig->mod_config->instance_id;
+ client_init_api.debug = AppIdConfig::get_appid_config()->mod_config->debug;
+ client_init_api.pAppidConfig = AppIdConfig::get_appid_config();
+ client_init_api.instance_id = AppIdConfig::get_appid_config()->mod_config->instance_id;
for (li = client_app_config->tcp_client_app_list; li; li = li->next)
initialize_module(li);
return 0;
}
-void AppIdAddClientApp(AppIdSession* flowp, AppId service_id, AppId id, const char* version)
+void AppIdAddClientApp(AppIdSession* asd, AppId service_id, AppId id, const char* version)
{
if (version)
{
- if (flowp->client_version)
+ if (asd->client_version)
{
- if (strcmp(version, flowp->client_version))
+ if (strcmp(version, asd->client_version))
{
- snort_free(flowp->client_version);
- flowp->client_version = snort_strdup(version);
+ snort_free(asd->client_version);
+ asd->client_version = snort_strdup(version);
}
}
else
- flowp->client_version = snort_strdup(version);
+ asd->client_version = snort_strdup(version);
}
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
- flowp->client_service_app_id = service_id;
- flowp->client_app_id = id;
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
+ asd->client_service_app_id = service_id;
+ asd->client_app_id = id;
checkSandboxDetection(id);
}
-static void AppIdAddClientAppInfo(AppIdSession* flowp, const char* info)
+static void AppIdAddClientAppInfo(AppIdSession* asd, const char* info)
{
- if (flowp->hsession && !flowp->hsession->url)
- flowp->hsession->url = snort_strdup(info);
+ if (asd->hsession && !asd->hsession->url)
+ asd->hsession->url = snort_strdup(info);
}
static ClientAppMatch* BuildClientPatternList(const Packet* pkt, IpProtocol protocol)
*
* @param p packet to process
*/
-static void ClientAppID(Packet* p, const int /*direction*/, AppIdSession* flowp)
+static void ClientAppID(Packet* p, const int /*direction*/, AppIdSession* asd)
{
const RNAClientAppModule* client = nullptr;
ClientAppMatch* match_list;
if (!p->dsize)
return;
- if (flowp->rna_client_data != nullptr)
+ if (asd->rna_client_data != nullptr)
return;
- if (flowp->candidate_client_list != nullptr)
+ if (asd->candidate_client_list != nullptr)
{
- if (flowp->num_candidate_clients_tried > 0)
+ if (asd->num_candidate_clients_tried > 0)
return;
}
else
{
- flowp->candidate_client_list = (SF_LIST*) snort_calloc(sizeof(SF_LIST));
- sflist_init(flowp->candidate_client_list);
- flowp->num_candidate_clients_tried = 0;
+ asd->candidate_client_list = (SF_LIST*) snort_calloc(sizeof(SF_LIST));
+ sflist_init(asd->candidate_client_list);
+ asd->num_candidate_clients_tried = 0;
}
- match_list = BuildClientPatternList(p, flowp->protocol);
- while (flowp->num_candidate_clients_tried < MAX_CANDIDATE_CLIENTS)
+ match_list = BuildClientPatternList(p, asd->protocol);
+ while (asd->num_candidate_clients_tried < MAX_CANDIDATE_CLIENTS)
{
const RNAClientAppModule* tmp = GetNextFromClientPatternList(&match_list);
if (tmp != nullptr)
{
SF_LNODE* cursor;
- client = (RNAClientAppModule*)sflist_first(flowp->candidate_client_list, &cursor);
+ client = (RNAClientAppModule*)sflist_first(asd->candidate_client_list, &cursor);
while (client && (client != tmp))
client = (RNAClientAppModule*)sflist_next(&cursor);
if (client == nullptr)
{
- sflist_add_tail(flowp->candidate_client_list, (void*)tmp);
- flowp->num_candidate_clients_tried++;
+ sflist_add_tail(asd->candidate_client_list, (void*)tmp);
+ asd->num_candidate_clients_tried++;
#ifdef CLIENT_APP_DEBUG
_dpd.logMsg("Using %s from pattern match", tmp ? tmp->name : \ n ",ULL");
#endif
}
FreeClientPatternList(&match_list);
- if (sflist_count(flowp->candidate_client_list) == 0)
+ if (sflist_count(asd->candidate_client_list) == 0)
{
client = nullptr;
switch (p->ptrs.dp)
{
case 465:
- if (flowp->getAppIdFlag(APPID_SESSION_DECRYPTED))
+ if (asd->get_session_flags(APPID_SESSION_DECRYPTED))
client = &smtp_client_mod;
break;
default:
}
if (client != nullptr)
{
- sflist_add_tail(flowp->candidate_client_list, (void*)client);
- flowp->num_candidate_clients_tried++;
+ sflist_add_tail(asd->candidate_client_list, (void*)client);
+ asd->num_candidate_clients_tried++;
}
}
}
if (direction == APP_ID_FROM_INITIATOR)
{
/* get out if we've already tried to validate a client app */
- if (!rnaData->getAppIdFlag(APPID_SESSION_CLIENT_DETECTED))
+ if (!rnaData->get_session_flags(APPID_SESSION_CLIENT_DETECTED))
ClientAppID(p, direction, rnaData);
}
else if ( rnaData->rnaServiceState != RNA_STATE_STATEFUL
- && rnaData->getAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))
+ && rnaData->get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))
ClientAppID(p, direction, rnaData);
return APPID_SESSION_SUCCESS;
}
-static void* client_app_flowdata_get(AppIdSession* flowp, unsigned client_id)
+static void* client_app_flowdata_get(AppIdSession* asd, unsigned client_id)
{
- return flowp->get_flow_data(client_id);
+ return asd->get_flow_data(client_id);
}
-static int client_app_flowdata_add(AppIdSession* flowp, void* data, unsigned client_id, AppIdFreeFCN
+static int client_app_flowdata_add(AppIdSession* asd, void* data, unsigned client_id, AppIdFreeFCN
fcn)
{
- return flowp->add_flow_data(data, client_id, fcn);
+ return asd->add_flow_data(data, client_id, fcn);
}
static CLIENT_APP_RETCODE bit_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE bit_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
SO_PUBLIC RNAClientAppModule bit_client_mod =
{
}
static CLIENT_APP_RETCODE bit_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
ClientBITData* fd;
uint16_t offset;
if (dir != APP_ID_FROM_INITIATOR)
return CLIENT_APP_INPROCESS;
- fd = (ClientBITData*)bit_client_mod.api->data_get(flowp, bit_client_mod.flow_data_index);
+ fd = (ClientBITData*)bit_client_mod.api->data_get(asd, bit_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientBITData*)snort_calloc(sizeof(ClientBITData));
- bit_client_mod.api->data_add(flowp, fd, bit_client_mod.flow_data_index, &snort_free);
+ bit_client_mod.api->data_add(asd, fd, bit_client_mod.flow_data_index, &snort_free);
fd->state = BIT_STATE_BANNER;
}
return CLIENT_APP_INPROCESS;
done:
- bit_client_mod.api->add_app(flowp, APP_ID_BITTORRENT, APP_ID_BITTORRENT, nullptr);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ bit_client_mod.api->add_app(asd, APP_ID_BITTORRENT, APP_ID_BITTORRENT, nullptr);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
appid_stats.bit_clients++;
return CLIENT_APP_SUCCESS;
}
static CLIENT_APP_RETCODE udp_bit_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE udp_bit_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
SO_PUBLIC RNAClientAppModule bit_tracker_client_mod =
{
}
static CLIENT_APP_RETCODE udp_bit_validate(const uint8_t* data, uint16_t size, const int /*dir*/,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
ClientBITData* fd;
uint16_t offset;
if (size < (UDP_BIT_FIRST_LEN + UDP_BIT_END_LEN + 3))
return CLIENT_APP_EINVALID;
- fd = (ClientBITData*)bit_tracker_client_mod.api->data_get(flowp,
+ fd = (ClientBITData*)bit_tracker_client_mod.api->data_get(asd,
bit_tracker_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientBITData*)snort_calloc(sizeof(ClientBITData));
- bit_tracker_client_mod.api->data_add(flowp, fd,
+ bit_tracker_client_mod.api->data_add(asd, fd,
bit_tracker_client_mod.flow_data_index, &snort_free);
fd->state = BIT_STATE_BANNER;
}
return CLIENT_APP_INPROCESS;
done:
- bit_tracker_client_mod.api->add_app(flowp, APP_ID_BITTORRENT, APP_ID_BITTRACKER_CLIENT,
+ bit_tracker_client_mod.api->add_app(asd, APP_ID_BITTORRENT, APP_ID_BITTRACKER_CLIENT,
nullptr);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
appid_stats.bittracker_clients++;
return CLIENT_APP_SUCCESS;
}
THREAD_LOCAL MSN_CLIENT_APP_CONFIG msn_config;
static CLIENT_APP_RETCODE msn_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
struct Client_App_Pattern
{
}
static CLIENT_APP_RETCODE msn_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector*)
+ AppIdSession* asd, Packet* pkt, struct Detector*)
{
const uint8_t* end;
uint8_t version[MAX_VERSION_SIZE];
product_id = APP_ID_MSN_MESSENGER;
memset(&version,0,sizeof(version));
- if (!data || !msn_client_mod.api || !flowp || !pkt)
+ if (!data || !msn_client_mod.api || !asd || !pkt)
return CLIENT_APP_ENULL;
if (dir != APP_ID_FROM_INITIATOR)
return CLIENT_APP_INPROCESS;
done:
- msn_client_mod.api->add_app(flowp, APP_ID_MSN_MESSENGER, product_id, (char*)version);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ msn_client_mod.api->add_app(asd, APP_ID_MSN_MESSENGER, product_id, (char*)version);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
appid_stats.msn_clients++;
return CLIENT_APP_SUCCESS;
}
static CLIENT_APP_RETCODE rtp_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE rtp_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
SO_PUBLIC RNAClientAppModule rtp_client_mod =
{
}
static CLIENT_APP_RETCODE rtp_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
ClientRTPData* fd;
ClientRTPMsg* hdr;
if (!size)
return CLIENT_APP_INPROCESS;
- fd = (ClientRTPData*)rtp_client_mod.api->data_get(flowp, rtp_client_mod.flow_data_index);
+ fd = (ClientRTPData*)rtp_client_mod.api->data_get(asd, rtp_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientRTPData*)snort_calloc(sizeof(ClientRTPData));
- rtp_client_mod.api->data_add(flowp, fd, rtp_client_mod.flow_data_index, &snort_free);
+ rtp_client_mod.api->data_add(asd, fd, rtp_client_mod.flow_data_index, &snort_free);
fd->state = RTP_STATE_CONNECTION;
}
return CLIENT_APP_INPROCESS;
}
- rtp_client_mod.api->add_app(flowp, APP_ID_RTP, APP_ID_RTP, nullptr);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ rtp_client_mod.api->add_app(asd, APP_ID_RTP, APP_ID_RTP, nullptr);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
appid_stats.rtp_clients++;
return CLIENT_APP_SUCCESS;
}
static CLIENT_APP_RETCODE smtp_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
SO_PUBLIC RNAClientAppModule smtp_client_mod =
{
* prefix_len - The number of characters that are the prefix to the version,
* including the NUL terminating character.
*/
-static int extract_version_and_add_client_app(ApplicationId clientId,
- const int prefix_len, const uint8_t* product, const uint8_t* product_end,
- ClientSMTPData* const client_data, AppIdSession* flowp,
- AppId appId, PegCount *stat_counter)
+static int extract_version_and_add_client_app(ApplicationId clientId, const int prefix_len,
+ const uint8_t* product, const uint8_t* product_end, ClientSMTPData* const client_data,
+ AppIdSession* asd, AppId appId, PegCount *stat_counter)
{
const uint8_t* p;
uint8_t* v;
*v = *p;
}
*v = 0;
- smtp_client_mod.api->add_app(flowp, appId, clientId, (char*)client_data->version);
+ smtp_client_mod.api->add_app(asd, appId, clientId, (char*)client_data->version);
(*stat_counter)++;
return 0;
}
* Returns 0 if a recognized product is found. Otherwise returns 1.
*/
static int IdentifyClientVersion(ClientSMTPData* const fd, const uint8_t* product,
- const uint8_t* data_end, AppIdSession* flowp, Packet*)
+ const uint8_t* data_end, AppIdSession* asd, Packet*)
{
const uint8_t* p;
uint8_t* v;
if (p >= data_end || *p != ' ')
return 1;
return extract_version_and_add_client_app(APP_ID_OUTLOOK,
- 2, p, data_end, fd, flowp, appId,
+ 2, p, data_end, fd, asd, appId,
&appid_stats.smtp_microsoft_outlook_clients);
}
else if (*p == ' ')
if (data_end-p >= (int)sizeof(EXPRESS) && memcmp(p, EXPRESS, sizeof(EXPRESS)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_OUTLOOK_EXPRESS,
- sizeof(EXPRESS), p, data_end, fd, flowp, appId,
+ sizeof(EXPRESS), p, data_end, fd, asd, appId,
&appid_stats.smtp_microsoft_outlook_express_clients);
}
else if (data_end-p >= (int)sizeof(IMO) && memcmp(p, IMO, sizeof(IMO)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_OUTLOOK,
- sizeof(IMO), p, data_end, fd, flowp, appId,
+ sizeof(IMO), p, data_end, fd, asd, appId,
&appid_stats.smtp_microsoft_outlook_imo_clients);
}
}
sizeof(APP_SMTP_EVOLUTION)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_EVOLUTION,
- sizeof(APP_SMTP_EVOLUTION), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_EVOLUTION), product, data_end, fd, asd, appId,
&appid_stats.smtp_evolution_clients);
}
else if (len >= sizeof(APP_SMTP_LOTUS_NOTES) && memcmp(product, APP_SMTP_LOTUS_NOTES,
sizeof(APP_SMTP_LOTUS_NOTES)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_LOTUS_NOTES,
- sizeof(APP_SMTP_LOTUS_NOTES), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_LOTUS_NOTES), product, data_end, fd, asd, appId,
&appid_stats.smtp_lotus_notes_clients);
}
else if (len >= sizeof(APP_SMTP_APPLEMAIL) && memcmp(product, APP_SMTP_APPLEMAIL,
*v = *p;
}
*v = 0;
- smtp_client_mod.api->add_app(flowp, appId, APP_ID_APPLE_EMAIL, (char*)fd->version);
+ smtp_client_mod.api->add_app(asd, appId, APP_ID_APPLE_EMAIL, (char*)fd->version);
appid_stats.smtp_applemail_clients++;
return 0;
}
sizeof(APP_SMTP_EUDORA)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_EUDORA,
- sizeof(APP_SMTP_EUDORA), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_EUDORA), product, data_end, fd, asd, appId,
&appid_stats.smtp_eudora_clients);
}
else if (len >= sizeof(APP_SMTP_EUDORAPRO) && memcmp(product, APP_SMTP_EUDORAPRO,
sizeof(APP_SMTP_EUDORAPRO)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_EUDORA_PRO,
- sizeof(APP_SMTP_EUDORAPRO), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_EUDORAPRO), product, data_end, fd, asd, appId,
&appid_stats.smtp_eudora_pro_clients);
}
else if (len >= sizeof(APP_SMTP_AOL) && memcmp(product, APP_SMTP_AOL,
sizeof(APP_SMTP_AOL)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_AOL_EMAIL,
- sizeof(APP_SMTP_AOL), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_AOL), product, data_end, fd, asd, appId,
&appid_stats.smtp_aol_clients);
}
else if (len >= sizeof(APP_SMTP_MUTT) && memcmp(product, APP_SMTP_MUTT,
sizeof(APP_SMTP_MUTT)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_MUTT,
- sizeof(APP_SMTP_MUTT), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_MUTT), product, data_end, fd, asd, appId,
&appid_stats.smtp_mutt_clients);
}
else if (len >= sizeof(APP_SMTP_KMAIL) && memcmp(product, APP_SMTP_KMAIL,
sizeof(APP_SMTP_KMAIL)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_KMAIL,
- sizeof(APP_SMTP_KMAIL), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_KMAIL), product, data_end, fd, asd, appId,
&appid_stats.smtp_kmail_clients);
}
else if (len >= sizeof(APP_SMTP_THUNDERBIRD) && memcmp(product, APP_SMTP_THUNDERBIRD,
sizeof(APP_SMTP_THUNDERBIRD)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_THUNDERBIRD,
- sizeof(APP_SMTP_THUNDERBIRD), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_THUNDERBIRD), product, data_end, fd, asd, appId,
&appid_stats.smtp_thunderbird_clients);
}
else if (len >= sizeof(APP_SMTP_MTHUNDERBIRD) && memcmp(product, APP_SMTP_MTHUNDERBIRD,
sizeof(APP_SMTP_MTHUNDERBIRD)-1) == 0)
{
return extract_version_and_add_client_app(APP_ID_THUNDERBIRD,
- sizeof(APP_SMTP_MTHUNDERBIRD), product, data_end, fd, flowp, appId,
+ sizeof(APP_SMTP_MTHUNDERBIRD), product, data_end, fd, asd, appId,
&appid_stats.smtp_thunderbird_clients);
}
else if (len >= sizeof(APP_SMTP_MOZILLA) && memcmp(product, APP_SMTP_MOZILLA,
{
return extract_version_and_add_client_app(
APP_ID_THUNDERBIRD, sizeof(APP_SMTP_THUNDERBIRD_SHORT),
- p, data_end, fd, flowp, appId,
+ p, data_end, fd, asd, appId,
&appid_stats.smtp_thunderbird_clients);
}
}
}
static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector*)
+ AppIdSession* asd, Packet* pkt, struct Detector*)
{
ClientSMTPData* fd;
const uint8_t* end;
SMTPState currState = SMTP_STATE_NONE;
#endif
- fd = (ClientSMTPData*)smtp_client_mod.api->data_get(flowp, smtp_client_mod.flow_data_index);
+ fd = (ClientSMTPData*)smtp_client_mod.api->data_get(asd, smtp_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientSMTPData*)snort_calloc(sizeof(ClientSMTPData));
if (!fd)
return CLIENT_APP_ENOMEM;
- if (smtp_client_mod.api->data_add(flowp, fd, smtp_client_mod.flow_data_index, &freeData))
+ if (smtp_client_mod.api->data_add(asd, fd, smtp_client_mod.flow_data_index, &freeData))
{
snort_free(fd);
return CLIENT_APP_ENOMEM;
{
fd->flags &= ~(CLIENT_FLAG_STARTTLS_SENT);
fd->flags |= CLIENT_FLAG_SMTPS;
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); // we no longer need
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); // we no longer need
// to examine the
// response.
- if (!flowp->getAppIdFlag(APPID_SESSION_DECRYPTED))
+ if (!asd->get_session_flags(APPID_SESSION_DECRYPTED))
{
/* Because we can't see any further info without decryption we settle for
plain APP_ID_SMTPS instead of perhaps finding data that would make calling
IdentifyClientVersion() worthwhile, So set the appid and call it good. */
- smtp_client_mod.api->add_app(flowp, APP_ID_SMTPS, APP_ID_SMTPS, nullptr);
+ smtp_client_mod.api->add_app(asd, APP_ID_SMTPS, APP_ID_SMTPS, nullptr);
goto done;
}
}
return CLIENT_APP_INPROCESS;
}
- if (flowp->getAppIdFlag(APPID_SESSION_ENCRYPTED))
+ if (asd->get_session_flags(APPID_SESSION_ENCRYPTED))
{
- if (!flowp->getAppIdFlag(APPID_SESSION_DECRYPTED))
+ if (!asd->get_session_flags(APPID_SESSION_DECRYPTED))
return CLIENT_APP_INPROCESS;
}
for (end = data + size; data < end; data++)
{
#if UNIT_TESTING
- if (app_id_debug_session_flag && currState != fd->state)
+ if (session_logging_enabled && currState != fd->state)
{
DEBUG_WRAP(DebugMessage(DEBUG_APPID, "AppIdDbg %s SMTP client state %s\n",
- app_id_debug_session, stateName[fd->state]); );
+ session_logging_id, stateName[fd->state]); );
currState = fd->state;
}
#endif
fd->pos = 0;
fd->nextstate = fd->state;
fd->state = SMTP_STATE_SKIP_LINE;
- flowp->setAppIdFlag(APPID_SESSION_ENCRYPTED);
+ asd->set_session_flags(APPID_SESSION_ENCRYPTED);
}
}
else
(len >= 2 && data[1] == 0x0D && data[2] == 0x0A))
{
AppId appId = (fd->flags & CLIENT_FLAG_SMTPS) ? APP_ID_SMTPS : APP_ID_SMTP;
- smtp_client_mod.api->add_app(flowp, appId, appId, nullptr);
+ smtp_client_mod.api->add_app(asd, appId, appId, nullptr);
goto done;
}
}
{
if (fd->headerline && fd->pos)
{
- IdentifyClientVersion(fd, fd->headerline, fd->headerline + fd->pos, flowp, pkt);
+ IdentifyClientVersion(fd, fd->headerline, fd->headerline + fd->pos, asd, pkt);
snort_free(fd->headerline);
fd->headerline = nullptr;
}
return CLIENT_APP_INPROCESS;
done:
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
return CLIENT_APP_SUCCESS;
}
static CLIENT_APP_RETCODE ssh_client_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE ssh_client_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
SO_PUBLIC RNAClientAppModule ssh_client_mod =
{
if (fd->pos >= fd->plen)
{
offset++;
- // FIXIT-M: if offset > size then there is probably a D-H Key Exchange Init packet in this payload
+ // FIXIT-L if offset > size then there is probably a D-H Key Exchange Init packet in this payload
// For now parsing the Key Exchange Init is good enough to declare valid key exchange but for
// future enhance parsing to validate the D-H Key Exchange Init.
if (offset == size)
}
static CLIENT_APP_RETCODE ssh_client_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
ClientSSHData* fd;
CLIENT_APP_RETCODE sm_ret;
if (!size || dir != APP_ID_FROM_INITIATOR)
return CLIENT_APP_INPROCESS;
- fd = ( ClientSSHData*)ssh_client_mod.api->data_get(flowp, ssh_client_mod.flow_data_index);
+ fd = ( ClientSSHData*)ssh_client_mod.api->data_get(asd, ssh_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientSSHData*)snort_calloc(sizeof(ClientSSHData));
- ssh_client_mod.api->data_add(flowp, fd, ssh_client_mod.flow_data_index, &snort_free);
+ ssh_client_mod.api->data_add(asd, fd, ssh_client_mod.flow_data_index, &snort_free);
fd->state = SSH_CLIENT_STATE_BANNER;
fd->hstate = SSH2_HEADER_BEGIN;
fd->oldhstate = SSH1_HEADER_BEGIN;
if (sm_ret != CLIENT_APP_SUCCESS)
return sm_ret;
- ssh_client_mod.api->add_app(flowp, APP_ID_SSH, fd->client_id, (const char*)fd->version);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ ssh_client_mod.api->add_app(asd, APP_ID_SSH, fd->client_id, (const char*)fd->version);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
appid_stats.ssh_clients++;
return CLIENT_APP_SUCCESS;
}
static CLIENT_APP_RETCODE timbuktu_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE timbuktu_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
SO_PUBLIC RNAClientAppModule timbuktu_client_mod =
{
}
static CLIENT_APP_RETCODE timbuktu_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
ClientTIMBUKTUData* fd;
uint16_t offset;
if (dir != APP_ID_FROM_INITIATOR)
return CLIENT_APP_INPROCESS;
- fd = (ClientTIMBUKTUData*)timbuktu_client_mod.api->data_get(flowp,
+ fd = (ClientTIMBUKTUData*)timbuktu_client_mod.api->data_get(asd,
timbuktu_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientTIMBUKTUData*)snort_calloc(sizeof(ClientTIMBUKTUData));
- timbuktu_client_mod.api->data_add(flowp, fd,
+ timbuktu_client_mod.api->data_add(asd, fd,
timbuktu_client_mod.flow_data_index, &snort_free);
fd->state = TIMBUKTU_STATE_BANNER;
}
return CLIENT_APP_INPROCESS;
done:
- timbuktu_client_mod.api->add_app(flowp, APP_ID_TIMBUKTU, APP_ID_TIMBUKTU, nullptr);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ timbuktu_client_mod.api->add_app(asd, APP_ID_TIMBUKTU, APP_ID_TIMBUKTU, nullptr);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
return CLIENT_APP_SUCCESS;
}
static CLIENT_APP_RETCODE tns_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE tns_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
SO_PUBLIC RNAClientAppModule tns_client_mod =
{
#define TNS_MAX_INFO_SIZE 63
static CLIENT_APP_RETCODE tns_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
char username[TNS_MAX_INFO_SIZE+1];
ClientTNSData* fd;
if (dir != APP_ID_FROM_INITIATOR)
return CLIENT_APP_INPROCESS;
- fd = (ClientTNSData*)tns_client_mod.api->data_get(flowp, tns_client_mod.flow_data_index);
+ fd = (ClientTNSData*)tns_client_mod.api->data_get(asd, tns_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientTNSData*)snort_calloc(sizeof(ClientTNSData));
- tns_client_mod.api->data_add(flowp, fd, tns_client_mod.flow_data_index, &snort_free);
+ tns_client_mod.api->data_add(asd, fd, tns_client_mod.flow_data_index, &snort_free);
fd->state = TNS_STATE_MESSAGE_LEN;
}
return CLIENT_APP_INPROCESS;
done:
- tns_client_mod.api->add_app(flowp, APP_ID_ORACLE_TNS, APP_ID_ORACLE_DATABASE, fd->version);
+ tns_client_mod.api->add_app(asd, APP_ID_ORACLE_TNS, APP_ID_ORACLE_DATABASE, fd->version);
if (user_start && user_end && ((user_size = user_end - user_start) > 0))
{
/* we truncate extra long usernames */
user_size = TNS_MAX_INFO_SIZE;
memcpy(username, &data[user_start], user_size);
username[user_size] = 0;
- tns_client_mod.api->add_user(flowp, username, APP_ID_ORACLE_DATABASE, 1);
+ tns_client_mod.api->add_user(asd, username, APP_ID_ORACLE_DATABASE, 1);
}
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
appid_stats.tns_clients++;
return CLIENT_APP_SUCCESS;
}
static CLIENT_APP_RETCODE vnc_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE vnc_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
SO_PUBLIC RNAClientAppModule vnc_client_mod =
{
}
static CLIENT_APP_RETCODE vnc_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
ClientVNCData* fd;
uint16_t offset;
if (dir != APP_ID_FROM_INITIATOR)
return CLIENT_APP_INPROCESS;
- fd = (ClientVNCData*)vnc_client_mod.api->data_get(flowp, vnc_client_mod.flow_data_index);
+ fd = (ClientVNCData*)vnc_client_mod.api->data_get(asd, vnc_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientVNCData*)snort_calloc(sizeof(ClientVNCData));
- vnc_client_mod.api->data_add(flowp, fd, vnc_client_mod.flow_data_index, &snort_free);
+ vnc_client_mod.api->data_add(asd, fd, vnc_client_mod.flow_data_index, &snort_free);
fd->state = VNC_STATE_BANNER;
}
return CLIENT_APP_INPROCESS;
done:
- vnc_client_mod.api->add_app(flowp, APP_ID_VNC_RFB, APP_ID_VNC, (const char*)fd->version);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ vnc_client_mod.api->add_app(asd, APP_ID_VNC_RFB, APP_ID_VNC, (const char*)fd->version);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
appid_stats.vnc_clients++;
return CLIENT_APP_SUCCESS;
}
static CLIENT_APP_RETCODE ym_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE ym_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
RNAClientAppModule ym_client_mod =
{
}
static CLIENT_APP_RETCODE ym_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, Detector*)
+ AppIdSession* asd, Packet* pkt, Detector*)
{
#define HEADERSIZE 20
#define VERSIONID "135"
DebugFormat(DEBUG_LOG,"Found yahoo! client: %zu\n",sizeof(VERSIONID));
- if (!data || !ym_client_mod.api || !flowp || !pkt)
+ if (!data || !ym_client_mod.api || !asd || !pkt)
return CLIENT_APP_ENULL;
if (dir != APP_ID_FROM_INITIATOR)
return CLIENT_APP_INPROCESS;
done:
- ym_client_mod.api->add_app(flowp, APP_ID_YAHOO, product_id, (char*)version);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ ym_client_mod.api->add_app(asd, APP_ID_YAHOO, product_id, (char*)version);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
appid_stats.yahoo_messenger_clients++;
return CLIENT_APP_SUCCESS;
}
check_client_version(client_str, APP_ID_THUNDERBIRD, "5.0", &appid_stats.smtp_thunderbird_clients);
}
-// FIXIT-M: Add additional tests for other client types (Outlook, etc).
+// FIXIT-M Add additional tests for other client types (Outlook, etc).
int main(int argc, char** argv)
{
#include "log/messages.h"
#include "service_plugins/service_base.h"
-static void* detector_flowdata_get(AppIdSession* flowp, unsigned detector_id);
-static int detector_flowdata_add(AppIdSession* flowp, void* data, unsigned detector_id,
+static void* detector_flowdata_get(AppIdSession* asd, unsigned detector_id);
+static int detector_flowdata_add(AppIdSession* asd, void* data, unsigned detector_id,
AppIdFreeFCN fcn);
static const DetectorApi detector_api
*
* @return RNA flow data structure for success
*/
-static void* detector_flowdata_get(AppIdSession* flowp, unsigned detector_id)
+static void* detector_flowdata_get(AppIdSession* asd, unsigned detector_id)
{
- return flowp->get_flow_data(detector_id);
+ return asd->get_flow_data(detector_id);
}
/**
*
* @return RNA flow data structure for success
*/
-static int detector_flowdata_add(AppIdSession* flowp, void* data, unsigned detector_id,
+static int detector_flowdata_add(AppIdSession* asd, void* data, unsigned detector_id,
AppIdFreeFCN fcn)
{
- return flowp->add_flow_data(data, detector_id, fcn);
+ return asd->add_flow_data(data, detector_id, fcn);
}
#pragma pack(1)
-// FIXIT-H J bitfields should be replaced with getters/setters
struct DNSHeader
{
uint16_t id;
static int dns_udp_validate(ServiceValidationArgs*);
static int dns_tcp_validate(ServiceValidationArgs*);
-static RNAServiceElement udp_svc_element =
+static const RNAServiceElement udp_svc_element =
{
nullptr, // next
&dns_udp_validate, // validate
"dns" // name
};
-static RNAServiceElement tcp_svc_element =
+static const RNAServiceElement tcp_svc_element =
{
nullptr, // next
&dns_tcp_validate, // validate
"tcp dns" // name
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &dns_tcp_validate, 53, IpProtocol::TCP, 0 },
{ &dns_udp_validate, 53, IpProtocol::UDP, 0 },
}
static int dns_validate_query(const uint8_t* data, uint16_t* offset, uint16_t size,
- uint16_t id, unsigned host_reporting, AppIdSession* flowp)
+ uint16_t id, unsigned host_reporting, AppIdSession* asd)
{
int ret;
const uint8_t* host;
case PATTERN_MX_REC:
case PATTERN_SOA_REC:
case PATTERN_NS_REC:
- dns_service_mod.api->add_dns_query_info(flowp, id, host, host_len, host_offset,
+ dns_service_mod.api->add_dns_query_info(asd, id, host, host_len, host_offset,
record_type);
break;
case PATTERN_PTR_REC:
- dns_service_mod.api->add_dns_query_info(flowp, id, nullptr, 0, 0, record_type);
+ dns_service_mod.api->add_dns_query_info(asd, id, nullptr, 0, 0, record_type);
break;
default:
break;
}
static int dns_validate_answer(const uint8_t* data, uint16_t* offset, uint16_t size,
- uint16_t id, uint8_t rcode, unsigned host_reporting, AppIdSession* flowp)
+ uint16_t id, uint8_t rcode, unsigned host_reporting, AppIdSession* asd)
{
int ret;
const uint8_t* host;
case PATTERN_MX_REC:
case PATTERN_SOA_REC:
case PATTERN_NS_REC:
- dns_service_mod.api->add_dns_response_info(flowp, id, nullptr, 0, 0, rcode, ttl);
+ dns_service_mod.api->add_dns_response_info(asd, id, nullptr, 0, 0, rcode, ttl);
break;
case PATTERN_PTR_REC:
host = data + r_data_offset;
host_len = 0;
host_offset = 0;
}
- dns_service_mod.api->add_dns_response_info(flowp, id, host, host_len, host_offset,
+ dns_service_mod.api->add_dns_response_info(asd, id, host, host_len, host_offset,
rcode, ttl);
break;
default:
}
static int dns_validate_header(const int dir, DNSHeader* hdr,
- unsigned host_reporting, AppIdSession* flowp)
+ unsigned host_reporting, AppIdSession* asd)
{
if (hdr->Opcode > MAX_OPCODE || hdr->Opcode == INVALID_OPCODE)
{
{
// Query.
if (host_reporting)
- dns_service_mod.api->reset_dns_info(flowp);
+ dns_service_mod.api->reset_dns_info(asd);
return dir == APP_ID_FROM_INITIATOR ? SERVICE_SUCCESS : SERVICE_REVERSED;
}
}
static int validate_packet(const uint8_t* data, uint16_t size, const int,
- unsigned host_reporting, AppIdSession* flowp)
+ unsigned host_reporting, AppIdSession* asd)
{
uint16_t i;
uint16_t count;
count = ntohs(hdr->QDCount);
for (i=0; i<count; i++)
{
- if (dns_validate_query(data, &offset, size, ntohs(hdr->id), host_reporting, flowp) !=
+ if (dns_validate_query(data, &offset, size, ntohs(hdr->id), host_reporting, asd) !=
SERVICE_SUCCESS)
{
return SERVICE_NOMATCH;
for (i=0; i<count; i++)
{
if (dns_validate_answer(data, &offset, size, ntohs(hdr->id), hdr->RCODE,
- host_reporting, flowp) != SERVICE_SUCCESS)
+ host_reporting, asd) != SERVICE_SUCCESS)
{
return SERVICE_NOMATCH;
}
for (i=0; i<count; i++)
{
if (dns_validate_answer(data, &offset, size, ntohs(hdr->id), hdr->RCODE,
- host_reporting, flowp) != SERVICE_SUCCESS)
+ host_reporting, asd) != SERVICE_SUCCESS)
{
return SERVICE_NOMATCH;
}
for (i=0; i<count; i++)
{
if (dns_validate_answer(data, &offset, size, ntohs(hdr->id), hdr->RCODE,
- host_reporting, flowp) != SERVICE_SUCCESS)
+ host_reporting, asd) != SERVICE_SUCCESS)
{
return SERVICE_NOMATCH;
}
}
if (hdr->QR && (hdr->RCODE != 0)) // error response
- dns_service_mod.api->add_dns_response_info(flowp, ntohs(hdr->id), nullptr, 0, 0,
+ dns_service_mod.api->add_dns_response_info(asd, ntohs(hdr->id), nullptr, 0, 0,
hdr->RCODE,
0);
static int dns_udp_validate(ServiceValidationArgs* args)
{
int rval;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
const int dir = args->dir;
uint16_t size = args->size;
goto udp_done;
}
if ((rval = dns_validate_header(dir, (DNSHeader*)data,
- pAppidActiveConfig->mod_config->dns_host_reporting, flowp)) != SERVICE_SUCCESS)
+ AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd)) != SERVICE_SUCCESS)
{
if (rval == SERVICE_REVERSED)
{
if (dir == APP_ID_FROM_RESPONDER)
{
- if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED))
+ if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
// To get here, we missed the initial query, got a
// response, and now we've got another query.
rval = validate_packet(data, size, dir,
- pAppidActiveConfig->mod_config->dns_host_reporting, flowp);
+ AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd);
if (rval == SERVICE_SUCCESS)
goto inprocess;
}
// To get here, we missed the initial query, but now we've got
// a response.
rval = validate_packet(data, size, dir,
- pAppidActiveConfig->mod_config->dns_host_reporting, flowp);
+ AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd);
if (rval == SERVICE_SUCCESS)
{
- flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->set_session_flags(APPID_SESSION_UDP_REVERSED);
goto success;
}
goto nomatch;
}
rval = validate_packet(data, size, dir,
- pAppidActiveConfig->mod_config->dns_host_reporting, flowp);
+ AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd);
if ((rval == SERVICE_SUCCESS) && (dir == APP_ID_FROM_INITIATOR))
goto inprocess;
{
case SERVICE_SUCCESS:
success:
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
- dns_service_mod.api->add_service(flowp, args->pkt, dir, &udp_svc_element,
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
+ dns_service_mod.api->add_service(asd, args->pkt, dir, &udp_svc_element,
APP_ID_DNS, nullptr, nullptr, nullptr);
appid_stats.dns_udp_flows++;
return SERVICE_SUCCESS;
case SERVICE_INVALID_CLIENT:
invalid:
- dns_service_mod.api->incompatible_data(flowp, args->pkt, dir, &udp_svc_element,
+ dns_service_mod.api->incompatible_data(asd, args->pkt, dir, &udp_svc_element,
dns_service_mod.flow_data_index,
args->pConfig);
return SERVICE_NOT_COMPATIBLE;
case SERVICE_NOMATCH:
nomatch:
- dns_service_mod.api->fail_service(flowp, args->pkt, dir, &udp_svc_element,
- dns_service_mod.flow_data_index,
- args->pConfig);
+ dns_service_mod.api->fail_service(asd, args->pkt, dir, &udp_svc_element,
+ dns_service_mod.flow_data_index);
return SERVICE_NOMATCH;
case SERVICE_INPROCESS:
inprocess:
- dns_udp_client_mod.api->add_app(flowp, APP_ID_NONE, APP_ID_DNS, nullptr);
- dns_service_mod.api->service_inprocess(flowp, args->pkt, dir, &udp_svc_element);
+ dns_udp_client_mod.api->add_app(asd, APP_ID_NONE, APP_ID_DNS, nullptr);
+ dns_service_mod.api->service_inprocess(asd, args->pkt, dir, &udp_svc_element);
return SERVICE_INPROCESS;
default:
return rval;
const DNSTCPHeader* hdr;
uint16_t tmp;
int rval;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
const int dir = args->dir;
uint16_t size = args->size;
size -= sizeof(DNSTCPHeader);
tmp = ntohs(hdr->length);
if (tmp < sizeof(DNSHeader) || dns_validate_header(dir, (DNSHeader*)data,
- pAppidActiveConfig->mod_config->dns_host_reporting, flowp))
+ AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd))
{
if (dir == APP_ID_FROM_INITIATOR)
goto not_compatible;
if (tmp > size)
goto not_compatible;
- rval = validate_packet(data, size, dir, pAppidActiveConfig->mod_config->dns_host_reporting,
- flowp);
+ rval = validate_packet(data, size, dir, AppIdConfig::get_appid_config()->mod_config->dns_host_reporting,
+ asd);
if (rval != SERVICE_SUCCESS)
goto tcp_done;
- dd = static_cast<ServiceDNSData*>(dns_service_mod.api->data_get(flowp,
+ dd = static_cast<ServiceDNSData*>(dns_service_mod.api->data_get(asd,
dns_service_mod.flow_data_index));
if (!dd)
{
dd = static_cast<ServiceDNSData*>(snort_calloc(sizeof(ServiceDNSData)));
- if (dns_service_mod.api->data_add(flowp, dd, dns_service_mod.flow_data_index, &snort_free))
+ if (dns_service_mod.api->data_add(asd, dd, dns_service_mod.flow_data_index, &snort_free))
dd->state = DNS_STATE_QUERY;
}
}
success:
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
- dns_service_mod.api->add_service(flowp, args->pkt, dir, &tcp_svc_element,
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
+ dns_service_mod.api->add_service(asd, args->pkt, dir, &tcp_svc_element,
APP_ID_DNS, nullptr, nullptr, nullptr);
appid_stats.dns_tcp_flows++;
return SERVICE_SUCCESS;
not_compatible:
- dns_service_mod.api->incompatible_data(flowp, args->pkt, dir, &tcp_svc_element,
+ dns_service_mod.api->incompatible_data(asd, args->pkt, dir, &tcp_svc_element,
dns_service_mod.flow_data_index,
args->pConfig);
return SERVICE_NOT_COMPATIBLE;
fail:
- dns_service_mod.api->fail_service(flowp, args->pkt, dir, &tcp_svc_element,
- dns_service_mod.flow_data_index,
- args->pConfig);
+ dns_service_mod.api->fail_service(asd, args->pkt, dir, &tcp_svc_element,
+ dns_service_mod.flow_data_index);
return SERVICE_NOMATCH;
inprocess:
- dns_tcp_client_mod.api->add_app(flowp, APP_ID_NONE, APP_ID_DNS, nullptr);
- dns_service_mod.api->service_inprocess(flowp, args->pkt, dir, &tcp_svc_element);
+ dns_tcp_client_mod.api->add_app(asd, APP_ID_NONE, APP_ID_DNS, nullptr);
+ dns_service_mod.api->service_inprocess(asd, args->pkt, dir, &tcp_svc_element);
return SERVICE_INPROCESS;
}
HTTPListElement* clientAgentPatternList = nullptr;
HTTPListElement* contentTypePatternList = nullptr;
CHPListElement* chpList = nullptr;
- DetectorAppUrlList appUrlList;
- DetectorAppUrlList RTMPUrlList;
+ std::vector<DetectorAppUrlPattern*> app_url_patterns;
+ std::vector<DetectorAppUrlPattern*> rtmp_url_patterns;
};
static THREAD_LOCAL HttpPatternLists* httpPatternLists = nullptr;
void insert_url_pattern(DetectorAppUrlPattern* pattern)
{
- DetectorAppUrlList* urlList = &httpPatternLists->appUrlList;
- /**first time usedCount and allocatedCount are both 0, urlPattern will be nullptr.
- * This case is same as malloc. In case of error, realloc will return nullptr, and
- * original urlPattern buffer is left untouched.
- */
- if (urlList->usedCount == urlList->allocatedCount)
- {
- DetectorAppUrlPattern** tmp = (decltype(tmp)) (realloc(urlList->urlPattern,
- (urlList->allocatedCount + URL_LIST_STEP_SIZE) * sizeof(*tmp)));
- if (!tmp)
- {
- FreeDetectorAppUrlPattern(pattern);
- return;
- }
- urlList->urlPattern = tmp;
- urlList->allocatedCount += URL_LIST_STEP_SIZE;
- }
- urlList->urlPattern[urlList->usedCount++] = pattern;
+ httpPatternLists->app_url_patterns.push_back(pattern);
}
void insert_rtmp_url_pattern(DetectorAppUrlPattern* pattern)
{
- DetectorAppUrlList* urlList = &httpPatternLists->RTMPUrlList;
- /**first time usedCount and allocatedCount are both 0, urlPattern will be nullptr.
- * This case is same as malloc. In case of error, realloc will return nullptr, and
- * original urlPattern buffer is left untouched.
- */
- if (urlList->usedCount == urlList->allocatedCount)
- {
- DetectorAppUrlPattern** tmp = (decltype(tmp)) (realloc(urlList->urlPattern,
- (urlList->allocatedCount + URL_LIST_STEP_SIZE) * sizeof(*tmp)));
- if (!tmp)
- {
- FreeDetectorAppUrlPattern(pattern);
- return;
- }
- urlList->urlPattern = tmp;
- urlList->allocatedCount += URL_LIST_STEP_SIZE;
- }
- urlList->urlPattern[urlList->usedCount++] = pattern;
+ httpPatternLists->rtmp_url_patterns.push_back(pattern);
}
void insert_app_url_pattern(DetectorAppUrlPattern* pattern)
{
- DetectorAppUrlList* urlList = &httpPatternLists->appUrlList;
- /**first time usedCount and allocatedCount are both 0, urlPattern will be nullptr.
- * This case is same as malloc. In case of error, realloc will return nullptr, and
- * original urlPattern buffer is left untouched.
- */
- if (urlList->usedCount == urlList->allocatedCount)
- {
- DetectorAppUrlPattern** tmp = (decltype(tmp)) (realloc(urlList->urlPattern,
- (urlList->allocatedCount + URL_LIST_STEP_SIZE) * sizeof(*tmp)));
- if (!tmp)
- {
- FreeDetectorAppUrlPattern(pattern);
- return;
- }
- urlList->urlPattern = tmp;
- urlList->allocatedCount += URL_LIST_STEP_SIZE;
- }
- urlList->urlPattern[urlList->usedCount++] = pattern;
-}
-
-DetectorAppUrlList* getAppUrlList()
-{
- return (&httpPatternLists->appUrlList);
+ insert_url_pattern( pattern );
}
static void FreeHTTPListElement(HTTPListElement* element)
{
HTTPListElement* element;
CHPListElement* chpe;
- size_t i;
- for (i = 0; i < httpPatternLists->appUrlList.usedCount; i++)
- {
- FreeDetectorAppUrlPattern(httpPatternLists->appUrlList.urlPattern[i]);
- httpPatternLists->appUrlList.urlPattern[i] = nullptr;
- }
- for (i = 0; i < httpPatternLists->RTMPUrlList.usedCount; i++)
- {
- FreeDetectorAppUrlPattern(httpPatternLists->RTMPUrlList.urlPattern[i]);
- httpPatternLists->RTMPUrlList.urlPattern[i] = nullptr;
- }
- if (httpPatternLists->appUrlList.urlPattern)
- {
- // FIXIT-M: still allocated by malloc/realloc
- free(httpPatternLists->appUrlList.urlPattern);
- httpPatternLists->appUrlList.urlPattern = nullptr;
- }
- httpPatternLists->appUrlList.allocatedCount = 0;
- if (httpPatternLists->RTMPUrlList.urlPattern)
- {
- free(httpPatternLists->RTMPUrlList.urlPattern);
- httpPatternLists->RTMPUrlList.urlPattern = nullptr;
- }
- httpPatternLists->RTMPUrlList.allocatedCount = 0;
- httpPatternLists->appUrlList.usedCount = 0;
- httpPatternLists->RTMPUrlList.usedCount = 0;
+ for(auto* pattern: httpPatternLists->app_url_patterns)
+ FreeDetectorAppUrlPattern(pattern);
+
+ httpPatternLists->app_url_patterns.clear();
+
+ for(auto* pattern: httpPatternLists->rtmp_url_patterns)
+ FreeDetectorAppUrlPattern(pattern);
+
+ httpPatternLists->rtmp_url_patterns.clear();
+
while ((element = httpPatternLists->clientAgentPatternList))
{
httpPatternLists->clientAgentPatternList = element->next;
new_match->next = *matches;
*matches = new_match;
}
+
return 0;
}
-#define CHP_TALLY_GROWTH_FACTOR 10
-static inline void chp_add_candidate_to_tally(CHPMatchTally** ppTally, CHPApp* chpapp)
+static inline void chp_add_candidate_to_tally(CHPMatchTally& match_tally, CHPApp* chpapp)
{
- int index;
- CHPMatchTally* pTally = *ppTally;
- if (!pTally)
+ for (auto& item: match_tally)
{
- pTally = (CHPMatchTally*)snort_calloc(sizeof(CHPMatchTally) +
- ( CHP_TALLY_GROWTH_FACTOR * sizeof(CHPMatchCandidate)));
- pTally->in_use_elements = 0;
- pTally->allocated_elements = CHP_TALLY_GROWTH_FACTOR;
- *ppTally = pTally;
- }
- for (index=0; index < pTally->in_use_elements; index++ )
- {
- if (chpapp == pTally->item[index].chpapp)
+ if (chpapp == item.chpapp)
{
- pTally->item[index].key_pattern_countdown--;
+ item.key_pattern_countdown--;
return;
}
}
- // Not found. Add to array
- if (pTally->in_use_elements == pTally->allocated_elements)
- {
- int newCount = pTally->allocated_elements + CHP_TALLY_GROWTH_FACTOR;
- CHPMatchTally* pNewTally = (CHPMatchTally*)realloc(pTally, sizeof(CHPMatchTally)+newCount*
- sizeof(CHPMatchCandidate));
- if (pNewTally)
- {
- *ppTally = pTally = pNewTally;
- pTally->allocated_elements = newCount;
- }
- else
- return; // failed to allocate a bigger chunk
- }
- // index == pTally->in_use_elements
- pTally->in_use_elements++;
- pTally->item[index].chpapp = chpapp;
- pTally->item[index].key_pattern_length_sum = chpapp->key_pattern_length_sum;
- pTally->item[index].key_pattern_countdown = chpapp->key_pattern_count - 1; // the count would
- // have included
- // this find.
-}
-struct CHPTallyAndActions
-{
- CHPMatchTally* pTally;
- MatchedCHPAction* matches;
-};
+ match_tally.push_back({chpapp, chpapp->key_pattern_length_sum, chpapp->key_pattern_count - 1});
+}
// In addition to creating the linked list of matching actions this function will
// create the CHPMatchTally needed to find the longest matching pattern.
static int chp_key_pattern_match(void* id, void*, int index, void* data, void*)
{
- CHPTallyAndActions* pTallyAndActions = (CHPTallyAndActions*)data;
+ CHPTallyAndActions* chp = (CHPTallyAndActions*)data;
CHPAction* target = (CHPAction*)id;
if (target->key_pattern)
{
// We have a match from a key pattern. We need to have it's parent chpapp represented in
- // the tally.
- // If the chpapp has never been seen then add an item to the tally's array
+ // the tally. If the chpapp has never been seen then add an item to the tally's array
// else decrement the count of expected key_patterns until zero so that we know when we
// have them all.
- chp_add_candidate_to_tally(&pTallyAndActions->pTally, target->chpapp);
+ chp_add_candidate_to_tally(chp->match_tally, target->chpapp);
}
- return chp_pattern_match(id, nullptr, index, &pTallyAndActions->matches, nullptr);
+
+ return chp_pattern_match(id, nullptr, index, &chp->matches, nullptr);
}
static int http_pattern_match(void* id, void*, int index, void* data, void*)
DetectorHTTPPattern* target = (DetectorHTTPPattern*)id;
/* make sure we haven't already seen this pattern */
- for (tmp = matches;
- *tmp;
- tmp = &(*tmp)->next)
- {
+ for (tmp = matches; *tmp; tmp = &(*tmp)->next)
cm = *tmp;
- }
if (!*tmp)
{
return patternMatcher;
}
-static int processHostPatterns(DetectorHTTPPattern* patternList, size_t patternListCount,
- HTTPListElement* luaPatternList, DetectorAppUrlList* urlPatternList,
- DetectorAppUrlList* RTMPUrlList)
+static int processHostPatterns(DetectorHTTPPattern* patternList, size_t patternListCount)
{
HTTPListElement* element;
- DetectorAppUrlPattern* appUrlPattern;
if (!detectorHttpConfig->host_url_matcher)
detectorHttpConfig->host_url_matcher = mlmpCreate();
return -1;
}
- for (element = luaPatternList; element != 0; element = element->next)
+ for (element = httpPatternLists->hostPayloadPatternList; element != 0; element = element->next)
{
if (addMlmpPattern(detectorHttpConfig->host_url_matcher, &detectorHttpConfig->hosUrlPatternsList,
element->detectorHTTPPattern.pattern, element->detectorHTTPPattern.pattern_size,
return -1;
}
- for (uint32_t i = 0; i < RTMPUrlList->usedCount; i++)
+ for (auto* pattern: httpPatternLists->rtmp_url_patterns)
{
- appUrlPattern = RTMPUrlList->urlPattern[i];
if (addMlmpPattern(detectorHttpConfig->RTMPHosUrlMatcher, &detectorHttpConfig->hosUrlPatternsList,
- appUrlPattern->patterns.host.pattern, appUrlPattern->patterns.host.patternSize,
- appUrlPattern->patterns.path.pattern, appUrlPattern->patterns.path.patternSize,
- appUrlPattern->userData.query.pattern, appUrlPattern->userData.query.patternSize,
- appUrlPattern->userData.appId, appUrlPattern->userData.payload,
- appUrlPattern->userData.service_id, appUrlPattern->userData.client_app,
+ pattern->patterns.host.pattern, pattern->patterns.host.patternSize,
+ pattern->patterns.path.pattern, pattern->patterns.path.patternSize,
+ pattern->userData.query.pattern, pattern->userData.query.patternSize,
+ pattern->userData.appId, pattern->userData.payload,
+ pattern->userData.service_id, pattern->userData.client_app,
SINGLE) < 0)
return -1;
}
- for (uint32_t i = 0; i < urlPatternList->usedCount; i++)
+ for (auto* pattern: httpPatternLists->app_url_patterns)
{
- appUrlPattern = urlPatternList->urlPattern[i];
if (addMlmpPattern(detectorHttpConfig->host_url_matcher, &detectorHttpConfig->hosUrlPatternsList,
- appUrlPattern->patterns.host.pattern, appUrlPattern->patterns.host.patternSize,
- appUrlPattern->patterns.path.pattern, appUrlPattern->patterns.path.patternSize,
- appUrlPattern->userData.query.pattern, appUrlPattern->userData.query.patternSize,
- appUrlPattern->userData.appId, appUrlPattern->userData.payload,
- appUrlPattern->userData.service_id, appUrlPattern->userData.client_app,
+ pattern->patterns.host.pattern, pattern->patterns.host.patternSize,
+ pattern->patterns.path.pattern, pattern->patterns.path.patternSize,
+ pattern->userData.query.pattern, pattern->userData.query.patternSize,
+ pattern->userData.appId, pattern->userData.payload,
+ pattern->userData.service_id, pattern->userData.client_app,
SINGLE) < 0)
return -1;
}
numPatterns = sizeof(host_payload_http_detector_patterns)/
sizeof(*host_payload_http_detector_patterns);
- if (processHostPatterns(host_payload_http_detector_patterns, numPatterns,
- httpPatternLists->hostPayloadPatternList, &httpPatternLists->appUrlList,
- &httpPatternLists->RTMPUrlList) < 0)
+ if (processHostPatterns(host_payload_http_detector_patterns, numPatterns) < 0)
return -1;
numPatterns = sizeof(content_type_patterns)/sizeof(*content_type_patterns);
fflow->flow_prepared = 1;
}
-void finalizeFflow(fflow_info* fflow, unsigned app_type_flags, AppId target_appId, Packet* p)
+void finalize_fflow(fflow_info* fflow, unsigned app_type_flags, AppId target_appId, Packet* p)
{
AppIdSession* fp;
sfip_t saddr, daddr;
}
}
-int scanKeyCHP(PatternType ptype, char* buf, int buf_size, CHPMatchTally** ppTally,
- MatchedCHPAction** ppmatches)
+void scan_key_chp(PatternType ptype, char* buf, int buf_size, CHPTallyAndActions& match_tally)
{
- CHPTallyAndActions tallyAndActions;
- tallyAndActions.pTally = *ppTally;
- tallyAndActions.matches = *ppmatches;
-
- //FIXIT-H
detectorHttpConfig->chp_matchers[ptype]->find_all(buf, buf_size, &chp_key_pattern_match,
- false, (void*)(&tallyAndActions));
-
- *ppTally = tallyAndActions.pTally;
- *ppmatches = tallyAndActions.matches;
- return (int)(tallyAndActions.pTally != nullptr);
+ false, (void*)(&match_tally));
}
-AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, char** version,
+AppId scan_chp(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, char** version,
char** user, char** new_field, int* total_found, httpSession* hsession, Packet* p)
{
MatchedCHPAction* second_sweep_for_inserts = nullptr;
if (ptype > MAX_KEY_PATTERN)
{
- // There is no previous attempt to match generated by scanKeyCHP()
+ // There is no previous attempt to match generated by scan_key_chp()
mp = nullptr;
-
- // FIXIT-H
detectorHttpConfig->chp_matchers[ptype]->find_all(buf, buf_size, &chp_pattern_match,
false, (void*)(&mp));
}
if (!mp)
return APP_ID_NONE;
- if (pAppidActiveConfig->mod_config->disable_safe_search)
+ if (AppIdConfig::get_appid_config()->mod_config->disable_safe_search)
{
new_field = nullptr;
}
{
case DEFER_TO_SIMPLE_DETECT:
// Ignore all other patterns; we are done.
- FreeMatchedCHPActions(mp);
+ free_matched_chp_actions(mp);
// Returning APP_ID_NONE will trigger the clearing of hsession->skip_simple_detect
// and the freeing of any planned field rewrites.
return APP_ID_NONE;
hsession->skip_simple_detect = true;
break;
case EXTRACT_USER:
- if (!*user && !pAppidActiveConfig->mod_config->chp_userid_disabled)
+ if (!*user && !AppIdConfig::get_appid_config()->mod_config->chp_userid_disabled)
{
extractCHP(buf, buf_size, tmp->index, match->psize,
match->action_data, user);
}
break;
case FUTURE_APPID_SESSION_SIP:
- if (pAppidActiveConfig->mod_config->chp_fflow_disabled)
+ if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
break;
if (!hsession->fflow)
hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
break;
case FUTURE_APPID_SESSION_DIP:
- if (pAppidActiveConfig->mod_config->chp_fflow_disabled)
+ if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
break;
if (!hsession->fflow)
hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
break;
case FUTURE_APPID_SESSION_SPORT:
- if (pAppidActiveConfig->mod_config->chp_fflow_disabled)
+ if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
break;
if (!hsession->fflow)
hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
break;
case FUTURE_APPID_SESSION_DPORT:
- if (pAppidActiveConfig->mod_config->chp_fflow_disabled)
+ if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
break;
if (!hsession->fflow)
hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
break;
case FUTURE_APPID_SESSION_PROTOCOL:
- if (pAppidActiveConfig->mod_config->chp_fflow_disabled)
+ if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
break;
if (!hsession->fflow)
hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
break;
case FUTURE_APPID_SESSION_CREATE:
- if (pAppidActiveConfig->mod_config->chp_fflow_disabled)
+ if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled)
break;
if (!hsession->fflow)
hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info));
(*total_found)++;
}
- FreeMatchedCHPActions(mp);
+ free_matched_chp_actions(mp);
return ret;
}
return 0;
}
-void identifyUserAgent(const uint8_t* start, int size, AppId* serviceAppId, AppId* ClientAppId,
+void identify_user_agent(const uint8_t* start, int size, AppId* serviceAppId, AppId* ClientAppId,
char** version)
{
int skypeDetect;
char temp_ver[MAX_VERSION_SIZE];
temp_ver[0] = 0;
- // FIXIT-H
detectorHttpConfig->client_agent_matcher->find_all((const char*)start, size, &http_pattern_match,
false, (void*)&mp);
FreeMatchStructures(mp);
}
-int geAppidByViaPattern(const uint8_t* data, unsigned size, char** version)
+int get_appid_by_pattern(const uint8_t* data, unsigned size, char** version)
{
unsigned i;
const uint8_t* data_ptr;
if (detectorHttpConfig->via_matcher)
{
- // FIXIT-H
detectorHttpConfig->via_matcher->find_all((const char*)data, size, &http_pattern_match,
false, (void*)&mp);
}
return APP_ID_NONE;
}
-AppId geAppidByContentType(const uint8_t* data, int size)
+AppId get_appid_by_content_type(const uint8_t* data, int size)
{
MatchedPatterns* mp = nullptr;
DetectorHTTPPattern* match;
if (detectorHttpConfig->content_type_matcher)
{
- // FIXIT-H
detectorHttpConfig->content_type_matcher->find_all((const char*)data, size,
&content_pattern_match, false, (void*)&mp);
}
return 0;
}
-int getHTTPHeaderLocation(const uint8_t* data, unsigned size, HttpId id, int* start, int* end,
+int get_http_header_location(const uint8_t* data, unsigned size, HttpId id, int* start, int* end,
HeaderMatchedPatterns* hmp)
{
HTTPHeaderIndices* match;
if (detectorHttpConfig->header_matcher)
{
- //FIXIT-H
detectorHttpConfig->header_matcher->find_all((const char*)data, size,
&http_header_pattern_match, false, (void*)hmp);
}
return 0;
}
-AppId getAppIdFromUrl(char* host, char* url, char** version, char* referer, AppId* ClientAppId,
+AppId get_appid_from_url(char* host, char* url, char** version, char* referer, AppId* ClientAppId,
AppId* serviceAppId, AppId* payloadAppId, AppId* referredPayloadAppId, unsigned from_rtmp)
{
char* path;
snort_free(temp_host);
/* if referred_id feature id disabled, referer will be null */
- if (referer && (!payload_found || appInfoEntryFlagGet(data->payload_id, APPINFO_FLAG_REFERRED)))
+ if (referer && (!payload_found || AppInfoManager::get_instance().get_app_info_flags(data->payload_id, APPINFO_FLAG_REFERRED)))
{
referer_start = referer;
return payload_found;
}
-void getServerVendorVersion(const uint8_t* data, int len, char** version, char** vendor,
+void get_server_vendor_version(const uint8_t* data, int len, char** version, char** vendor,
RNAServiceSubtype** subtype)
{
const uint8_t* subname;
*(*vendor+vendor_len) = '\0';
}
-int webdav_found(HeaderMatchedPatterns* hmp)
+bool is_webdav_found(HeaderMatchedPatterns* hmp)
{
- // to check for webdav, look for one of the special methods
- int found = 0;
+ bool found = false;
+
if (hmp->headers[HTTP_ID_COPY].start > 0)
- found = 1;
+ found = true;
else if (hmp->headers[HTTP_ID_MOVE].start > 0)
- found = 1;
+ found = true;
else if (hmp->headers[HTTP_ID_LOCK].start > 0)
- found = 1;
+ found = true;
else if (hmp->headers[HTTP_ID_UNLOCK].start > 0)
- found = 1;
+ found = true;
else if (hmp->headers[HTTP_ID_MKCOL].start > 0)
- found = 1;
+ found = true;
else if (hmp->headers[HTTP_ID_PROPPATCH].start > 0)
- found = 1;
+ found = true;
else if (hmp->headers[HTTP_ID_PROPFIND].start > 0)
- found = 1;
+ found = true;
+
return found;
}
static CLIENT_APP_RETCODE http_client_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE http_client_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
static int http_service_init(const IniServiceAPI* const init_api);
static int http_service_validate(ServiceValidationArgs* args);
0
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{
nullptr,
}
};
-static RNAServiceElement http_service_element =
+static const RNAServiceElement http_service_element =
{
nullptr,
&http_service_validate,
static CLIENT_APP_RETCODE http_client_init(const IniClientAppAPI* const init_api, SF_LIST*)
{
- if (pAppidActiveConfig->mod_config->http2_detection_enabled)
+ if (AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled)
{
for (unsigned i = 0; i < sizeof(patterns)/sizeof(*patterns); i++)
{
}
static CLIENT_APP_RETCODE http_client_validate(const uint8_t*, uint16_t, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector*)
+ AppIdSession* asd, Packet* pkt, struct Detector*)
{
- http_client_mod.api->add_app(flowp, APP_ID_HTTP, APP_ID_HTTP + GENERIC_APP_OFFSET, nullptr);
- flowp->rna_client_state = RNA_STATE_FINISHED;
- http_service_mod.api->add_service(flowp, pkt, dir, &http_service_element,
+ http_client_mod.api->add_app(asd, APP_ID_HTTP, APP_ID_HTTP + GENERIC_APP_OFFSET, nullptr);
+ asd->rna_client_state = RNA_STATE_FINISHED;
+ http_service_mod.api->add_service(asd, pkt, dir, &http_service_element,
APP_ID_HTTP, nullptr, nullptr, nullptr);
- flowp->rnaServiceState = RNA_STATE_FINISHED;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED);
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
- flowp->is_http2 = true;
+ asd->rnaServiceState = RNA_STATE_FINISHED;
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
+ asd->is_http2 = true;
return CLIENT_APP_SUCCESS;
}
UrlUserData userData;
};
-struct DetectorAppUrlList
-{
- DetectorAppUrlPattern** urlPattern = nullptr;
- size_t usedCount = 0;
- size_t allocatedCount = 0;
-};
-
void init_http_detector();
int finalize_http_detector();
void clean_http_detector();
void insert_url_pattern(DetectorAppUrlPattern* pattern);
void insert_rtmp_url_pattern(DetectorAppUrlPattern* pattern);
void insert_app_url_pattern(DetectorAppUrlPattern* pattern);
-DetectorAppUrlList* getAppUrlList();
-
-int geAppidByViaPattern(const uint8_t*, unsigned, char**);
-int getHTTPHeaderLocation(const uint8_t*, unsigned, HttpId, int*, int*, HeaderMatchedPatterns*);
-inline void FreeMatchedCHPActions(MatchedCHPAction* ma)
+int get_appid_by_pattern(const uint8_t*, unsigned, char**);
+int get_http_header_location(const uint8_t*, unsigned, HttpId, int*, int*, HeaderMatchedPatterns*);
+inline void free_matched_chp_actions(MatchedCHPAction* ma)
{
MatchedCHPAction* tmp;
}
}
-int scanKeyCHP(PatternType, char*, int, CHPMatchTally**, MatchedCHPAction**);
-AppId scanCHP(PatternType, char*, int, MatchedCHPAction*, char**, char**, char**, int*,
+void scan_key_chp(PatternType ptype, char* buf, int buf_size, CHPTallyAndActions& match_tally);
+AppId scan_chp(PatternType, char*, int, MatchedCHPAction*, char**, char**, char**, int*,
httpSession*, Packet*);
-AppId getAppIdFromUrl(char*, char*, char**, char*, AppId*, AppId*, AppId*, AppId*, unsigned);
-AppId geAppidByContentType(const uint8_t*, int);
+AppId get_appid_from_url(char*, char*, char**, char*, AppId*, AppId*, AppId*, AppId*, unsigned);
+AppId get_appid_by_content_type(const uint8_t*, int);
AppId scan_header_x_working_with(const uint8_t*, uint32_t, char**);
-void identifyUserAgent(const uint8_t*, int, AppId*, AppId*, char**);
-void getServerVendorVersion(const uint8_t*, int, char**, char**, RNAServiceSubtype**);
-int webdav_found(HeaderMatchedPatterns*);
-
-void finalizeFflow(fflow_info*, unsigned app_type_flags, AppId, Packet* );
+void identify_user_agent(const uint8_t*, int, AppId*, AppId*, char**);
+void get_server_vendor_version(const uint8_t*, int, char**, char**, RNAServiceSubtype**);
+bool is_webdav_found(HeaderMatchedPatterns*);
+void finalize_fflow(fflow_info*, unsigned app_type_flags, AppId, Packet* );
#endif
static const unsigned IMAP_TAG_MAX_LEN = 6;
static const unsigned MIN_CMDS = 3;
-// FIXIT-M: delete OK_LOGIN if not needed...
-// static const char* const OK_LOGIN = " LOGIN Ok.";
static const char NO_LOGIN[] = " Login failed.";
struct CLIENT_APP_CONFIG
char imapCmdTag[IMAP_TAG_MAX_LEN+1];
};
-// FIXIT-L THREAD_LOCAL?
static CLIENT_APP_CONFIG ca_config;
static CLIENT_APP_RETCODE init(const IniClientAppAPI* const init_api, SF_LIST* config);
static void clean();
static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, Detector* userData);
+ AppIdSession* asd, Packet* pkt, Detector* userData);
static RNAClientAppModule client_app_mod =
{
{ UID, sizeof(UID)-1, 0 },
};
-// FIXIT-L THREAD_LOCAL?
static size_t longest_pattern;
-
static const unsigned IMAP_PORT = 143;
-
static const unsigned IMAP_COUNT_THRESHOLD = 2;
-
static const char OK[] = "OK";
static const char BAD[] = "BAD";
static const char NO[] = "NO";
static int imap_init(const IniServiceAPI* const init_api);
static int imap_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&imap_validate,
"imap",
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &imap_validate, IMAP_PORT, IpProtocol::TCP, 0 },
{ &imap_validate, 220, IpProtocol::TCP, 0 },
}
cmd_matcher->prep();
- pAppidActiveConfig->add_generic_config_element(client_app_mod.name, cmd_matcher);
+ AppIdConfig::get_appid_config()->add_generic_config_element(client_app_mod.name, cmd_matcher);
ca_config.enabled = 1;
{
DebugFormat(DEBUG_LOG,"Processing %s: %s\n",item->name, item->value);
if (strcasecmp(item->name, "enabled") == 0)
- {
ca_config.enabled = atoi(item->value);
- }
}
}
if (ca_config.enabled)
- {
for (i=0; i < sizeof(patterns)/sizeof(*patterns); i++)
{
DebugFormat(DEBUG_LOG,"registering pattern: %s\n",(const char*)patterns[i].pattern);
init_api->RegisterPatternNoCase(&validate, IpProtocol::TCP, patterns[i].pattern,
patterns[i].length, -1);
}
- }
unsigned j;
for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++)
static void clean()
{
SearchTool* cmd_matcher =
- (SearchTool*)pAppidActiveConfig->find_generic_config_element(client_app_mod.name);
+ (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name);
if (cmd_matcher)
delete cmd_matcher;
- pAppidActiveConfig->remove_generic_config_element(client_app_mod.name);
+ AppIdConfig::get_appid_config()->remove_generic_config_element(client_app_mod.name);
}
static int pattern_match(void* id, void*, int index, void* data, void*)
}
static int imap_server_validate(DetectorData* dd, const uint8_t* data, uint16_t size,
- AppIdSession* flowp)
+ AppIdSession* asd)
{
const uint8_t* end = data + size;
ServiceIMAPData* id = &dd->server;
#ifdef DEBUG_IMAP_DETECTOR
if (id->state != id->last_state)
{
- DebugFormat(DEBUG_INSPECTOR,"%p State %d\n",flowp, id->state);
+ DebugFormat(DEBUG_INSPECTOR,"%p State %d\n",asd, id->state);
id->last_state = id->state;
}
#endif
/*add user successful */
if ((id->flags & IMAP_FLAG_RESULT_OK) && dd->client.username[0])
{
- service_mod.api->add_user(flowp, dd->client.username, APP_ID_IMAP, 1); // use of
+ service_mod.api->add_user(asd, dd->client.username, APP_ID_IMAP, 1); // use of
// LOGIN
// cmd
// implies
/*add user login failed */
if ((id->flags & IMAP_FLAG_RESULT_NO) && dd->client.username[0])
{
- service_mod.api->add_user(flowp, dd->client.username, APP_ID_IMAP, 0); // use
+ service_mod.api->add_user(asd, dd->client.username, APP_ID_IMAP, 0); // use
// of
// LOGIN
// cmd
{
if (id->flags & IMAP_FLAG_RESULT_OK)
{
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
/* we are potentially overriding any APP_ID_IMAP assessment that was made earlier. */
- client_app_mod.api->add_app(flowp, APP_ID_IMAPS, APP_ID_IMAPS, nullptr); // sets
+ client_app_mod.api->add_app(asd, APP_ID_IMAPS, APP_ID_IMAPS, nullptr); // sets
// APPID_SESSION_CLIENT_DETECTED
}
else
}
static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
const uint8_t* s = data;
const uint8_t* end = (data + size);
ClientAppData* fd;
char tag[IMAP_TAG_MAX_LEN+1] = { 0 };
SearchTool* cmd_matcher =
- (SearchTool*)pAppidActiveConfig->find_generic_config_element(client_app_mod.name);
+ (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name);
#ifdef APP_ID_USES_REASSEMBLED
Stream::flush_response_flush(pkt);
if (!size)
return CLIENT_APP_INPROCESS;
- dd = (DetectorData*)imap_detector_mod.api->data_get(flowp, imap_detector_mod.flow_data_index);
+ dd = (DetectorData*)imap_detector_mod.api->data_get(asd, imap_detector_mod.flow_data_index);
if (!dd)
{
dd = (DetectorData*)snort_calloc(sizeof(DetectorData));
- imap_detector_mod.api->data_add(flowp, dd, imap_detector_mod.flow_data_index, &snort_free);
+ imap_detector_mod.api->data_add(asd, dd, imap_detector_mod.flow_data_index, &snort_free);
dd->server.flags = IMAP_FLAG_FIRST_PACKET;
fd = &dd->client;
}
{
dd->need_continue = 1;
fd->set_flags = 1;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
if (dir == APP_ID_FROM_RESPONDER)
{
- if (imap_server_validate(dd, data, size, flowp))
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ if (imap_server_validate(dd, data, size, asd))
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
return CLIENT_APP_INPROCESS;
}
if (end == s || !isblank(*s))
{
dd->need_continue = 0;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
return CLIENT_APP_SUCCESS;
}
for (; (s < end) && isblank(*s); s++)
if ((length = (end - s)) <= 0)
{
dd->need_continue = 0;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
return CLIENT_APP_SUCCESS;
}
cmd = nullptr;
fd->count++;
if (fd->count == MIN_CMDS)
{
- client_app_mod.api->add_app(flowp, APP_ID_IMAP, APP_ID_IMAP,
+ client_app_mod.api->add_app(asd, APP_ID_IMAP, APP_ID_IMAP,
nullptr);
fd->detected = 1;
if (fd->got_user)
{
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
fd->state = IMAP_CLIENT_STATE_AUTH;
}
fd->count++;
if (fd->count == MIN_CMDS)
{
- client_app_mod.api->add_app(flowp, APP_ID_IMAP, APP_ID_IMAP,
+ client_app_mod.api->add_app(asd, APP_ID_IMAP, APP_ID_IMAP,
nullptr);
fd->detected = 1;
if (fd->got_user)
{
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
- flowp->clearAppIdFlag(
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
+ asd->clear_session_flags(
APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
}
fd->count++;
if (fd->count == MIN_CMDS)
{
- client_app_mod.api->add_app(flowp, APP_ID_IMAP, APP_ID_IMAP, nullptr);
+ client_app_mod.api->add_app(asd, APP_ID_IMAP, APP_ID_IMAP, nullptr);
fd->detected = 1;
if (fd->got_user)
{
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
}
if (!cmd->eoc)
fd->count++;
if (fd->count == MIN_CMDS)
{
- client_app_mod.api->add_app(flowp, APP_ID_IMAP, APP_ID_IMAP, nullptr);
+ client_app_mod.api->add_app(asd, APP_ID_IMAP, APP_ID_IMAP, nullptr);
fd->detected = 1;
if (fd->got_user)
{
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
}
if (!cmd->eoc)
{
DetectorData* dd;
ServiceIMAPData* id;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (!size)
goto inprocess;
- dd = (DetectorData*)imap_detector_mod.api->data_get(flowp, imap_detector_mod.flow_data_index);
+ dd = (DetectorData*)imap_detector_mod.api->data_get(asd, imap_detector_mod.flow_data_index);
if (!dd)
{
dd = (DetectorData*)snort_calloc(sizeof(DetectorData));
- imap_detector_mod.api->data_add(flowp, dd, imap_detector_mod.flow_data_index, &snort_free);
+ imap_detector_mod.api->data_add(asd, dd, imap_detector_mod.flow_data_index, &snort_free);
id = &dd->server;
id->state = IMAP_STATE_BEGIN;
id->flags = IMAP_FLAG_FIRST_PACKET;
id = &dd->server;
if (dd->need_continue)
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
else
{
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
- if (flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
+ if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
appid_stats.imap_flows++;
return SERVICE_SUCCESS;
}
}
- if (!imap_server_validate(dd, data, size, flowp))
+ if (!imap_server_validate(dd, data, size, asd))
{
if ((id->flags & IMAP_FLAG_RESULT_OK) &&
dd->client.state == IMAP_CLIENT_STATE_STARTTLS_CMD)
{
/* IMAP server response to STARTTLS command from client was OK */
- service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_IMAPS, nullptr, nullptr, nullptr);
appid_stats.imaps_flows++;
return SERVICE_SUCCESS;
}
if (id->count >= IMAP_COUNT_THRESHOLD &&
- !flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ !asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_IMAP, nullptr, nullptr, nullptr);
appid_stats.imap_flows++;
return SERVICE_SUCCESS;
}
}
- else if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ else if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- service_mod.flow_data_index, args->pConfig);
+ service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
else
{
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_SUCCESS;
}
inprocess:
- service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
}
int need_continue;
};
-// FIXIT-L THREAD_LOCAL?
static KRB_CLIENT_APP_CONFIG krb_client_config;
static CLIENT_APP_RETCODE krb_client_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
static RNAClientAppModule client_app_mod =
{
static int krb_server_init(const IniServiceAPI* const init_api);
static int krb_server_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&krb_server_validate,
"kerberos"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &krb_server_validate, 88, IpProtocol::TCP, 0 },
{ &krb_server_validate, 88, IpProtocol::UDP, 0 },
#define ERROR_MSG_TYPE 0x1e
static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, const uint8_t* end,
- AppIdSession* flowp)
+ AppIdSession* asd)
{
static const uint8_t KRB_CLIENT_VERSION[] = "\x0a1\x003\x002\x001";
static const uint8_t KRB_CLIENT_TYPE[] = "\x0a2\x003\x002\x001";
#ifdef DEBUG_MSGS
if (krbs->state != krbs->last_state)
{
- DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)flowp, krbs->state);
+ DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)asd, krbs->state);
krbs->last_state = krbs->state;
}
#endif
break;
case KRB_STATE_APP:
DebugFormat(DEBUG_INSPECTOR,"%p Type %u (%02X)\n",
- (void*)flowp, *s & (~ASN_1_TYPE_MASK), *s);
+ (void*)asd, *s & (~ASN_1_TYPE_MASK), *s);
if ((*s & ASN_1_TYPE_MASK) != (ASN_1_APPLICATION|ASN_1_CONSTRUCT))
return KRB_FAILED;
krbs->msg_type = *s & (~ASN_1_TYPE_MASK);
krbs->tag = 0xa2;
break;
case KRB_STATE_FIELD:
- DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)flowp, *s);
+ DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s);
if (krbs->msg_len < 2 || *s <= krbs->tag || (*s & ASN_1_TYPE_MASK) != 0xa0)
return KRB_FAILED;
krbs->tag = *s;
{
if (krbs->msg_len <= 1)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)flowp);
+ DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)asd);
if (!krbs->added)
{
- client_app_mod.api->add_app(flowp, APP_ID_KERBEROS, APP_ID_KERBEROS,
+ client_app_mod.api->add_app(asd, APP_ID_KERBEROS, APP_ID_KERBEROS,
krbs->ver);
krbs->added = 1;
}
break;
case KRB_STATE_FIELD_LEVEL2:
- DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)flowp, *s);
+ DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s);
if (krbs->msg_len <= 1)
{
krbs->state = KRB_STATE_APP;
{
if (krbs->pos)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)flowp, krbs->pos);
+ DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)asd, krbs->pos);
krbs->cname[krbs->pos] = 0;
}
if (krbs->msg_len <= 1)
}
static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, const uint8_t* end,
- AppIdSession* flowp, Packet* pkt, const int dir,
+ AppIdSession* asd, Packet* pkt, const int dir,
const char* reqCname)
{
static const uint8_t KRB_SERVER_VERSION[] = "\x0a0\x003\x002\x001";
#ifdef DEBUG_MSGS
if (krbs->state != krbs->last_state)
{
- DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)flowp, krbs->state);
+ DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)asd, krbs->state);
krbs->last_state = krbs->state;
}
#endif
break;
case KRB_STATE_APP:
DebugFormat(DEBUG_INSPECTOR,"%p Type %u (%02X)\n",
- (void*)flowp, *s & (~ASN_1_TYPE_MASK), *s);
+ (void*)asd, *s & (~ASN_1_TYPE_MASK), *s);
if ((*s & ASN_1_TYPE_MASK) != (ASN_1_APPLICATION|ASN_1_CONSTRUCT))
return KRB_FAILED;
krbs->msg_type = *s & (~ASN_1_TYPE_MASK);
krbs->pos++;
break;
case KRB_STATE_ERROR_VALUE:
- DebugFormat(DEBUG_INSPECTOR,"%p Error %u\n", (void*)flowp, *s);
+ DebugFormat(DEBUG_INSPECTOR,"%p Error %u\n", (void*)asd, *s);
if (krbs->msg_len <= 1)
{
krbs->flags |= KRB_FLAG_SERVICE_DETECTED;
if (*s == KDC_ERR_PREAUTH_FAILED)
{
- DebugFormat(DEBUG_INSPECTOR,"%p unAuthorized\n", (void*)flowp);
+ DebugFormat(DEBUG_INSPECTOR,"%p unAuthorized\n", (void*)asd);
krbs->flags |= KRB_FLAG_AUTH_FAILED;
}
krbs->state = KRB_STATE_FIELD;
break;
case KRB_STATE_FIELD:
- DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)flowp, *s);
+ DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s);
if (krbs->msg_len < 2 || *s <= krbs->tag || (*s & ASN_1_TYPE_MASK) != 0xa0)
return KRB_FAILED;
krbs->tag = *s;
{
if (krbs->pos)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)flowp, krbs->pos);
+ DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)asd, krbs->pos);
krbs->cname[krbs->pos] = 0;
krbs->flags |= KRB_FLAG_USER_DETECTED;
}
if (krbs->msg_len <= 1)
{
/*end of server response message */
- DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)flowp);
+ DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)asd);
if (krbs->flags & KRB_FLAG_SERVICE_DETECTED)
{
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED) && pkt)
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED) && pkt)
{
- service_mod.api->add_service(flowp, pkt, dir, &svc_element, APP_ID_KERBEROS,
+ service_mod.api->add_service(asd, pkt, dir, &svc_element, APP_ID_KERBEROS,
nullptr, krbs->ver, nullptr);
- flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
appid_stats.kerberos_flows++;
}
}
if (krb_client_config.failedLogin
&& ((krbs->flags & KRB_FLAG_USER_DETECTED) || reqCname))
{
- service_mod.api->add_user(flowp,
+ service_mod.api->add_user(asd,
(krbs->flags & KRB_FLAG_USER_DETECTED) ? krbs->cname : reqCname,
APP_ID_LDAP, 0);
appid_stats.kerberos_users++;
}
else if (krbs->flags & KRB_FLAG_USER_DETECTED)
{
- service_mod.api->add_user(flowp, krbs->cname, APP_ID_LDAP, 1);
+ service_mod.api->add_user(asd, krbs->cname, APP_ID_LDAP, 1);
appid_stats.kerberos_users++;
}
}
static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector*)
+ AppIdSession* asd, Packet* pkt, struct Detector*)
{
const uint8_t* s = data;
const uint8_t* end = (data + size);
#ifdef DEBUG_MSGS
DebugFormat(DEBUG_INSPECTOR, "%p Processing %u %u->%u %u %d",
- (void*)flowp, (unsigned int)flowp->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir);
+ (void*)asd, (unsigned int)asd->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir);
#else
UNUSED(pkt);
#endif
if (!size)
return CLIENT_APP_INPROCESS;
- fd = (DetectorData*)kerberos_detector_mod.api->data_get(flowp,
+ fd = (DetectorData*)kerberos_detector_mod.api->data_get(asd,
kerberos_detector_mod.flow_data_index);
if (!fd)
{
fd = (DetectorData*)snort_calloc(sizeof(DetectorData));
- kerberos_detector_mod.api->data_add(flowp, fd,
+ kerberos_detector_mod.api->data_add(asd, fd,
kerberos_detector_mod.flow_data_index, &snort_free);
- if (flowp->protocol == IpProtocol::TCP)
+ if (asd->protocol == IpProtocol::TCP)
{
fd->clnt_state.state = KRB_STATE_TCP_LENGTH;
fd->svr_state.state = KRB_STATE_TCP_LENGTH;
{
fd->need_continue = 1;
fd->set_flags = 1;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
if (dir == APP_ID_FROM_INITIATOR)
{
- if (krb_walk_client_packet(&fd->clnt_state, s, end, flowp) == KRB_FAILED)
+ if (krb_walk_client_packet(&fd->clnt_state, s, end, asd) == KRB_FAILED)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)flowp);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)asd);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
return CLIENT_APP_SUCCESS;
}
}
- else if (krb_walk_server_packet(&fd->svr_state, s, end, flowp, nullptr, dir,
+ else if (krb_walk_server_packet(&fd->svr_state, s, end, asd, nullptr, dir,
fd->clnt_state.cname) == KRB_FAILED)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Server Failed\n", (void*)flowp);
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ DebugFormat(DEBUG_INSPECTOR,"%p Server Failed\n", (void*)asd);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
return CLIENT_APP_INPROCESS;
}
static int krb_server_validate(ServiceValidationArgs* args)
{
DetectorData* fd;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
const uint8_t* end = (data + size);
DebugFormat(DEBUG_INSPECTOR, "%p Processing %u %u->%u %u %d",
- (void*)flowp, (unsigned int)flowp->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir);
+ (void*)asd, (unsigned int)asd->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir);
if (dir != APP_ID_FROM_RESPONDER)
goto inprocess;
if (!size)
goto inprocess;
- fd = (DetectorData*)kerberos_detector_mod.api->data_get(flowp,
+ fd = (DetectorData*)kerberos_detector_mod.api->data_get(asd,
kerberos_detector_mod.flow_data_index);
if (!fd)
{
fd = (DetectorData*)snort_calloc(sizeof(DetectorData));
- kerberos_detector_mod.api->data_add(flowp, fd,
+ kerberos_detector_mod.api->data_add(asd, fd,
kerberos_detector_mod.flow_data_index, &snort_free);
- if (flowp->protocol == IpProtocol::TCP)
+ if (asd->protocol == IpProtocol::TCP)
{
fd->clnt_state.state = KRB_STATE_TCP_LENGTH;
fd->svr_state.state = KRB_STATE_TCP_LENGTH;
}
if (fd->need_continue)
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
else
{
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
- if (flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
+ if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
return SERVICE_SUCCESS;
}
- if (krb_walk_server_packet(&fd->svr_state, s, end, flowp, pkt, dir, fd->clnt_state.cname) ==
+ if (krb_walk_server_packet(&fd->svr_state, s, end, asd, pkt, dir, fd->clnt_state.cname) ==
KRB_FAILED)
{
- DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)flowp);
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)asd);
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- service_mod.flow_data_index, args->pConfig);
+ service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_SUCCESS;
}
inprocess:
- service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
return SERVICE_INPROCESS;
}
static CLIENT_APP_RETCODE client_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE client_init_tcp(const IniClientAppAPI* const init_api, SF_LIST* config);
static CLIENT_APP_RETCODE client_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
static void client_clean();
static const IniServiceAPI* iniServiceApi;
static const IniClientAppAPI* iniClientApi;
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&service_validate,
0
};
-static RNAServiceValidationPort pp =
-{
- &service_validate,
- 0,
- IpProtocol::PROTO_NOT_SET,
- 0
-};
-
static void FreePattern(Pattern* pattern)
{
if (pattern)
pattern->offset = pNode->offset;
pattern->next = ps->pattern;
ps->pattern = pattern;
- set_app_info_active(ps->id);
+ AppInfoManager::get_instance().set_app_info_active(ps->id);
}
}
{
PatternService* ps;
PortNode* port;
+ RNAServiceValidationPort pp = { &service_validate, 0, IpProtocol::PROTO_NOT_SET, 0 };
for (ps = serviceList; ps; ps = ps->next)
{
{
uint32_t id;
const RNAServiceElement* service = nullptr;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
uint16_t size = args->size;
- if (!data || !pattern_service_mod.api || !flowp || !pkt)
+ if (!data || !pattern_service_mod.api || !asd || !pkt)
return SERVICE_ENULL;
if (!size)
goto inprocess;
if (dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- id = csdPatternTreeSearch(data, size, flowp->protocol, pkt, &service, false);
+ id = csdPatternTreeSearch(data, size, asd->protocol, pkt, &service, false);
if (!id)
goto fail;
- pattern_service_mod.api->add_service(flowp, pkt, dir, &svc_element, id, nullptr, nullptr,
+ pattern_service_mod.api->add_service(asd, pkt, dir, &svc_element, id, nullptr, nullptr,
nullptr);
return SERVICE_SUCCESS;
inprocess:
- pattern_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ pattern_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
return SERVICE_INPROCESS;
fail:
- pattern_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- pattern_service_mod.flow_data_index,
- args->pConfig);
+ pattern_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ pattern_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
}
static CLIENT_APP_RETCODE client_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector*)
+ AppIdSession* asd, Packet* pkt, struct Detector*)
{
AppId id;
const RNAServiceElement* service = nullptr;
- if (!data || !flowp || !pkt)
+ if (!data || !asd || !pkt)
return CLIENT_APP_ENULL;
if (!size)
goto inprocess;
if (dir == APP_ID_FROM_RESPONDER)
goto inprocess;
- id = csdPatternTreeSearch(data, size, flowp->protocol, pkt, &service, true);
+ id = csdPatternTreeSearch(data, size, asd->protocol, pkt, &service, true);
if (!id)
goto fail;
- pattern_tcp_client_mod.api->add_app(flowp, id, id, nullptr);
+ pattern_tcp_client_mod.api->add_app(asd, id, id, nullptr);
return CLIENT_APP_SUCCESS;
inprocess:
PatternService* ps;
};
-struct PortNode // FIXIT this name changed from "Port" which is already in use by Snort++
+struct PortNode
{
PortNode* next;
uint16_t port;
int got_user;
};
-// static const unsigned MIN_POP3_CMDS = 3;
-
-// FIXIT-L THREAD_LOCAL?
static POP3_CLIENT_APP_CONFIG pop3_config;
static CLIENT_APP_RETCODE pop3_ca_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static void pop3_ca_clean();
static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, struct Detector* userData);
+ AppIdSession* asd, Packet* pkt, struct Detector* userData);
static RNAClientAppModule client_app_mod =
{
{ CAPA2, sizeof(CAPA2)-1, 1 },
};
-// FIXIT-L THREAD_LOCAL?
static size_t longest_pattern;
-
static const unsigned POP3_PORT = 110;
-
static const unsigned POP3_COUNT_THRESHOLD = 4;
static const char POP3_OK[] = "+OK";
static int pop3_init(const IniServiceAPI* const init_api);
static int pop3_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&pop3_validate,
"pop3"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &pop3_validate, POP3_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
static void pop3_ca_clean()
{
SearchTool* cmd_matcher =
- (SearchTool*)pAppidActiveConfig->find_generic_config_element(client_app_mod.name);
+ (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name);
if (cmd_matcher)
delete cmd_matcher;
- pAppidActiveConfig->remove_generic_config_element(client_app_mod.name);
+ AppIdConfig::get_appid_config()->remove_generic_config_element(client_app_mod.name);
}
static int pop3_pattern_match(void* id, void*, int index, void* data, void*)
}
static int pop3_server_validate(POP3DetectorData* dd, const uint8_t* data, uint16_t size,
- AppIdSession* flowp, int server)
+ AppIdSession* asd, int server)
{
static const char ven_cppop[] = "cppop";
static const char ven_cc[] = "Cubic Circle";
}
else
{
- flowp->setAppIdFlag(APPID_SESSION_ENCRYPTED);
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_ENCRYPTED);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
/* we are potentially overriding the APP_ID_POP3 assessment that was made earlier.
*/
- client_app_mod.api->add_app(flowp, APP_ID_POP3S, APP_ID_POP3S, nullptr); // sets
+ client_app_mod.api->add_app(asd, APP_ID_POP3S, APP_ID_POP3S, nullptr); // sets
// APPID_SESSION_CLIENT_DETECTED
}
}
{
if (pd->error)
{
- service_mod.api->add_user(flowp, dd->client.username, APP_ID_POP3, 0);
+ service_mod.api->add_user(asd, dd->client.username, APP_ID_POP3, 0);
snort_free(dd->client.username);
dd->client.username = nullptr;
}
else
{
- service_mod.api->add_user(flowp, dd->client.username, APP_ID_POP3, 1);
+ service_mod.api->add_user(asd, dd->client.username, APP_ID_POP3, 1);
snort_free(dd->client.username);
dd->client.username = nullptr;
dd->need_continue = 0;
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
dd->client.got_user = 1;
if (dd->client.detected)
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
}
}
if (server && begin)
}
static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
const uint8_t* s = data;
const uint8_t* end = (data + size);
Stream::flush_response_flush(pkt);
#endif
- dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(flowp,
+ dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(asd,
pop3_detector_mod.flow_data_index);
if (!dd)
{
dd = (POP3DetectorData*)snort_calloc(sizeof(POP3DetectorData));
- pop3_detector_mod.api->data_add(flowp, dd,
+ pop3_detector_mod.api->data_add(asd, dd,
pop3_detector_mod.flow_data_index, &pop3_free_state);
dd->server.state = POP3_STATE_CONNECT;
fd = &dd->client;
{
dd->need_continue = 1;
fd->set_flags = 1;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
if (dir == APP_ID_FROM_RESPONDER)
{
#ifdef DEBUG_POP3
- DebugFormat(DEBUG_INSPECTOR,"%p Calling server\n",flowp);
+ DebugFormat(DEBUG_INSPECTOR,"%p Calling server\n",asd);
DumpHex(SF_DEBUG_FILE, data, size);
#endif
- if (pop3_server_validate(dd, data, size, flowp, 0))
- flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ if (pop3_server_validate(dd, data, size, asd, 0))
+ asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
return CLIENT_APP_INPROCESS;
}
#ifdef DEBUG_POP3
- DebugFormat(DEBUG_INSPECTOR,"%p Client\n",flowp);
+ DebugFormat(DEBUG_INSPECTOR,"%p Client\n",asd);
DumpHex(SF_DEBUG_FILE, data, size);
#endif
{
unsigned pattern_index;
SearchTool* cmd_matcher =
- (SearchTool*)pAppidActiveConfig->find_generic_config_element(client_app_mod.name);
+ (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name);
cmd = nullptr;
cmd_matcher->find_all((char*)s, (length > longest_pattern ? longest_pattern : length),
if (!cmd)
{
dd->need_continue = 0;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
return CLIENT_APP_SUCCESS;
}
s += cmd->length;
{
/* We stayed in non-secure mode and received a TRANSACTION-state command: POP3
found */
- client_app_mod.api->add_app(flowp, APP_ID_POP3, APP_ID_POP3, nullptr); // sets
+ client_app_mod.api->add_app(asd, APP_ID_POP3, APP_ID_POP3, nullptr); // sets
// APPID_SESSION_CLIENT_DETECTED
fd->detected = 1;
}
{
POP3DetectorData* dd;
ServicePOP3Data* pd;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
goto inprocess;
#ifdef DEBUG_POP3
- DebugFormat(DEBUG_INSPECTOR,"%p Dir %d\n",flowp, dir);
+ DebugFormat(DEBUG_INSPECTOR,"%p Dir %d\n",asd, dir);
DumpHex(SF_DEBUG_FILE, data, size);
#endif
- dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(flowp,
+ dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(asd,
pop3_detector_mod.flow_data_index);
if (!dd)
{
dd = (POP3DetectorData*)snort_calloc(sizeof(POP3DetectorData));
- pop3_detector_mod.api->data_add(flowp, dd,
+ pop3_detector_mod.api->data_add(asd, dd,
pop3_detector_mod.flow_data_index, &pop3_free_state);
dd->client.state = POP3_CLIENT_STATE_AUTH;
pd = &dd->server;
pd = &dd->server;
if (dd->need_continue)
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
else
{
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
- if (flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
+ if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
appid_stats.pop_flows++;
return SERVICE_SUCCESS;
}
}
- if (!pop3_server_validate(dd, data, size, flowp, 1))
+ if (!pop3_server_validate(dd, data, size, asd, 1))
{
if (pd->count >= POP3_COUNT_THRESHOLD
- && !flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ && !asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- service_mod.api->add_service_consume_subtype(flowp, pkt, dir, &svc_element,
+ service_mod.api->add_service_consume_subtype(asd, pkt, dir, &svc_element,
dd->client.state == POP3_CLIENT_STATE_STLS_CMD ? APP_ID_POP3S : APP_ID_POP3,
pd->vendor,
pd->version[0] ? pd->version : nullptr, pd->subtype);
return SERVICE_SUCCESS;
}
}
- else if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ else if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- service_mod.flow_data_index, args->pConfig);
+ service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
else
{
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
appid_stats.pop_flows++;
return SERVICE_SUCCESS;
}
inprocess:
- service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
return SERVICE_INPROCESS;
}
static CLIENT_APP_RETCODE sip_client_init(const IniClientAppAPI* const init_api, SF_LIST* config);
static void sip_clean();
static CLIENT_APP_RETCODE sip_client_validate(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, Detector* userData);
+ AppIdSession* asd, Packet* pkt, Detector* userData);
static CLIENT_APP_RETCODE sip_tcp_client_init(const IniClientAppAPI* const init_api,
SF_LIST* config);
static CLIENT_APP_RETCODE sip_tcp_client_validate(const uint8_t* data, uint16_t size,
- const int dir, AppIdSession* flowp, Packet* pkt, Detector* userData);
+ const int dir, AppIdSession* asd, Packet* pkt, Detector* userData);
static int get_sip_client_app(void* patternMatcher, char* pattern, uint32_t patternLen,
AppId* ClientAppId, char** clientVersion);
static void clean_sip_ua();
static int sip_service_init(const IniServiceAPI* const init_api);
static int sip_service_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&sip_service_validate,
"sip"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &sip_service_validate, SIP_PORT, IpProtocol::TCP, 0 },
{ &sip_service_validate, SIP_PORT, IpProtocol::UDP, 0 },
// static const char* const SIP_USRNAME_BEGIN_MARKER = "<sip:";
static CLIENT_APP_RETCODE sip_client_validate(const uint8_t*, uint16_t, const int,
- AppIdSession* flowp, Packet*, struct Detector*)
+ AppIdSession* asd, Packet*, struct Detector*)
{
ClientSIPData* fd;
- fd = (ClientSIPData*)sip_udp_client_mod.api->data_get(flowp,
+ fd = (ClientSIPData*)sip_udp_client_mod.api->data_get(asd,
sip_udp_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientSIPData*)snort_calloc(sizeof(ClientSIPData));
- sip_udp_client_mod.api->data_add(flowp, fd,
+ sip_udp_client_mod.api->data_add(asd, fd,
sip_udp_client_mod.flow_data_index, &clientDataFree);
fd->owner = &sip_udp_client_mod;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
return CLIENT_APP_INPROCESS;
}
-static CLIENT_APP_RETCODE sip_tcp_client_validate(const uint8_t* data, uint16_t size,
- const int dir, AppIdSession* flowp, Packet* pkt, struct Detector* userData)
+static CLIENT_APP_RETCODE sip_tcp_client_validate(const uint8_t* data, uint16_t size, const int
+ dir, AppIdSession* asd, Packet* pkt, struct Detector* userData)
{
- return sip_client_validate(data, size, dir, flowp, pkt, userData);
+ return sip_client_validate(data, size, dir, asd, pkt, userData);
}
static int sipAppAddPattern(DetectorAppSipPattern** patternList, AppId ClientAppId,
return sipAppAddPattern(&detector_sip_config.sip_ua_list, ClientAppId, clientVersion, pattern);
}
-// FIXIT-L - noone calls this function, is it needed?
int sipServerPatternAdd(AppId ClientAppId, const char* clientVersion, const char* pattern)
{
return sipAppAddPattern(&detector_sip_config.sip_server_list, ClientAppId, clientVersion, pattern);
return 1;
}
-static void createRtpFlow(AppIdSession* flowp, const Packet* pkt, const sfip_t* cliIp,
- uint16_t cliPort, const sfip_t* srvIp, uint16_t srvPort, IpProtocol proto, int16_t app_id)
+static void createRtpFlow(AppIdSession* asd, const Packet* pkt, const sfip_t* cliIp,
+ uint16_t cliPort, const sfip_t* srvIp, uint16_t srvPort, IpProtocol proto, int16_t app_id)
{
AppIdSession* fp, * fp2;
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (fp)
{
- fp->client_app_id = flowp->client_app_id;
- fp->payload_app_id = flowp->payload_app_id;
+ fp->client_app_id = asd->client_app_id;
+ fp->payload_app_id = asd->payload_app_id;
fp->serviceAppId = APP_ID_RTP;
- PopulateExpectedFlow(flowp, fp, APPID_SESSION_IGNORE_ID_FLAGS);
+ PopulateExpectedFlow(asd, fp, APPID_SESSION_IGNORE_ID_FLAGS);
}
// create an RTCP flow as well
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (fp2)
{
- fp2->client_app_id = flowp->client_app_id;
- fp2->payload_app_id = flowp->payload_app_id;
+ fp2->client_app_id = asd->client_app_id;
+ fp2->payload_app_id = asd->payload_app_id;
fp2->serviceAppId = APP_ID_RTCP;
- PopulateExpectedFlow(flowp, fp2, APPID_SESSION_IGNORE_ID_FLAGS);
+ PopulateExpectedFlow(asd, fp2, APPID_SESSION_IGNORE_ID_FLAGS);
}
}
-static int addFutureRtpFlows(AppIdSession* flowp, const SipDialog* dialog, const Packet* p)
+static int addFutureRtpFlows(AppIdSession* asd, const SipDialog* dialog, const Packet* p)
{
SIP_MediaData* mdataA,* mdataB;
- // check the first media session
+ // check the first media asd
if (nullptr == dialog->mediaSessions)
return -1;
- // check the second media session
+ // check the second media asd
if (nullptr == dialog->mediaSessions->nextS)
return -1;
DebugFormat(DEBUG_SIP, "Adding future channels Destine IP: %s Port: %u\n",
sfip_to_str(&mdataB->maddress), mdataB->mport);
- // FIXIT All of the casts in these two function calls are flagrantly wrong. These
- // signatures don't line up and it doesn't seem to be a simple fix.
- createRtpFlow(flowp, p, &mdataA->maddress, mdataA->mport, &mdataB->maddress,
+ createRtpFlow(asd, p, &mdataA->maddress, mdataA->mport, &mdataB->maddress,
mdataB->mport, IpProtocol::UDP, APP_ID_RTP);
- createRtpFlow(flowp, p, &mdataB->maddress, mdataB->mport, &mdataA->maddress,
+ createRtpFlow(asd, p, &mdataB->maddress, mdataB->mport, &mdataA->maddress,
mdataA->mport, IpProtocol::UDP, APP_ID_RTP);
-
mdataA = mdataA->nextM;
mdataB = mdataB->nextM;
}
}
static void SipSessionCbClientProcess(const Packet* p, const SipHeaders* headers, const
- SipDialog* dialog, AppIdSession* flowp)
+ SipDialog* dialog, AppIdSession* asd)
{
ClientSIPData* fd;
AppId ClientAppId = APP_ID_SIP;
char* clientVersion = nullptr;
int direction;
- fd = (ClientSIPData*)sip_udp_client_mod.api->data_get(flowp,
+ fd = (ClientSIPData*)sip_udp_client_mod.api->data_get(asd,
sip_udp_client_mod.flow_data_index);
if (!fd)
{
fd = (ClientSIPData*)snort_calloc(sizeof(ClientSIPData));
- sip_udp_client_mod.api->data_add(flowp, fd,
+ sip_udp_client_mod.api->data_add(asd, fd,
sip_udp_client_mod.flow_data_index, &clientDataFree);
fd->owner = &sip_udp_client_mod;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
if (fd->owner != &sip_udp_client_mod && fd->owner != &sip_tcp_client_mod)
success:
//client detection successful
- sip_udp_client_mod.api->add_app(flowp, APP_ID_SIP, ClientAppId, clientVersion);
+ sip_udp_client_mod.api->add_app(asd, APP_ID_SIP, ClientAppId, clientVersion);
if (fd->userName)
- sip_udp_client_mod.api->add_user(flowp, (char*)fd->userName, APP_ID_SIP, 1);
+ sip_udp_client_mod.api->add_user(asd, (char*)fd->userName, APP_ID_SIP, 1);
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED);
+ asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED);
}
static void SipSessionCbServiceProcess(const Packet* p, const SipHeaders* headers, const
- SipDialog* dialog, AppIdSession* flowp)
+ SipDialog* dialog, AppIdSession* asd)
{
ServiceSIPData* ss;
int direction;
- ss = (ServiceSIPData*)sip_service_mod.api->data_get(flowp, sip_service_mod.flow_data_index);
+ ss = (ServiceSIPData*)sip_service_mod.api->data_get(asd, sip_service_mod.flow_data_index);
if (!ss)
{
ss = (ServiceSIPData*)snort_calloc(sizeof(ServiceSIPData));
- sip_service_mod.api->data_add(flowp, ss, sip_service_mod.flow_data_index, &snort_free);
+ sip_service_mod.api->data_add(asd, ss, sip_service_mod.flow_data_index, &snort_free);
}
ss->serverPkt = 0;
return;
if (dialog->mediaUpdated)
- addFutureRtpFlows(flowp, dialog, p);
+ addFutureRtpFlows(asd, dialog, p);
if (dialog->state == SIP_DLG_ESTABLISHED)
{
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
- sip_service_mod.api->add_service(flowp, p, direction, &svc_element,
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
+ sip_service_mod.api->add_service(asd, p, direction, &svc_element,
APP_ID_SIP, ss->vendor[0] ? ss->vendor : nullptr, nullptr, nullptr);
}
}
void SipSessionSnortCallback(void*, ServiceEventType, void* data)
{
- AppIdSession* session = nullptr;
+ AppIdSession* asd = nullptr;
SipEventData* eventData = (SipEventData*)data;
const Packet* p = eventData->packet;
}
#endif
if(p->flow)
- session = appid_api.get_appid_data(p->flow);
+ asd = appid_api.get_appid_data(p->flow);
- if(!session)
+ if(!asd)
{
WarningMessage("AppId Session does not exist.\n");
return;
}
- SipSessionCbClientProcess(p, headers, dialog, session);
- SipSessionCbServiceProcess(p, headers, dialog, session);
+ SipSessionCbClientProcess(p, headers, dialog, asd);
+ SipSessionCbServiceProcess(p, headers, dialog, asd);
}
static int sip_service_init(const IniServiceAPI* const init_api)
static int sip_service_validate(ServiceValidationArgs* args)
{
ServiceSIPData* ss;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
- ss = (ServiceSIPData*)sip_service_mod.api->data_get(flowp, sip_service_mod.flow_data_index);
+ ss = (ServiceSIPData*)sip_service_mod.api->data_get(asd, sip_service_mod.flow_data_index);
if (!ss)
{
ss = (ServiceSIPData*)snort_calloc(sizeof(ServiceSIPData));
- sip_service_mod.api->data_add(flowp, ss, sip_service_mod.flow_data_index, &snort_free);
+ sip_service_mod.api->data_add(asd, ss, sip_service_mod.flow_data_index, &snort_free);
}
if (args->size && args->dir == APP_ID_FROM_RESPONDER)
if (ss->serverPkt > 10)
{
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- sip_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- sip_service_mod.flow_data_index, args->pConfig);
+ sip_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ sip_service_mod.flow_data_index);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOMATCH;
}
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- sip_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ sip_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
}
return SERVICE_INPROCESS;
extern struct RNAClientAppModule sip_tcp_client_mod;
extern struct RNAServiceValidationModule sip_service_mod;
-// FIXIT-M: ServiceEventType enum needs to become real when SIP is supported
+// FIXIT-M ServiceEventType enum needs to become real when SIP is supported
enum ServiceEventType {};
void SipSessionSnortCallback(void* ssnptr, ServiceEventType, void* eventData);
#include "utils/util.h"
#include "appid_stats.h"
+#include "appid_config.h"
#include "appid_module.h"
#include "app_forecast.h"
#include "app_info_table.h"
}
#endif
-unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone)
+void AppIdAddUser(AppIdSession* asd, const char* username, AppId appId, int success)
{
- NetworkSet* net_list;
- unsigned flags;
- AppIdConfig* pConfig = pAppidActiveConfig;
-
- if (zone >= 0 && zone < MAX_ZONES && pConfig->net_list_by_zone[zone])
- net_list = pConfig->net_list_by_zone[zone];
- else
- net_list = pConfig->net_list;
-
- NetworkSet_ContainsEx(net_list, ip4, &flags);
- return flags;
-}
-
-void AppIdAddUser(AppIdSession* session, const char* username, AppId appId, int success)
-{
- if (session->username)
- snort_free(session->username);
- session->username = snort_strdup(username);
- session->username_service = appId;
+ if (asd->username)
+ snort_free(asd->username);
+ asd->username = snort_strdup(username);
+ asd->username_service = appId;
if (success)
- session->setAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED);
- else
- session->clearAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED);
-}
-
-void AppIdAddDnsQueryInfo(AppIdSession* session, uint16_t id, const uint8_t* host, uint8_t host_len,
- uint16_t host_offset, uint16_t record_type)
-{
- if ( session->dsession )
- {
- if ( ( session->dsession->state != 0 ) && ( session->dsession->id != id ) )
- AppIdResetDnsInfo(session);
- }
- else
- session->dsession = (dnsSession*)snort_calloc(sizeof(dnsSession));
-
- if (session->dsession->state & DNS_GOT_QUERY)
- return;
- session->dsession->state |= DNS_GOT_QUERY;
-
- session->dsession->id = id;
- session->dsession->record_type = record_type;
-
- if (!session->dsession->host)
- {
- if ((host != nullptr) && (host_len > 0) && (host_offset > 0))
- {
- session->dsession->host_len = host_len;
- session->dsession->host_offset = host_offset;
- session->dsession->host = dns_parse_host(host, host_len);
- }
- }
-}
-
-void AppIdAddDnsResponseInfo(AppIdSession* session, uint16_t id, const uint8_t* host,
- uint8_t host_len, uint16_t host_offset, uint8_t response_type, uint32_t ttl)
-{
- if ( session->dsession )
- {
- if ( ( session->dsession->state != 0 ) && ( session->dsession->id != id ) )
- AppIdResetDnsInfo(session);
- }
+ asd->set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
else
- session->dsession = (dnsSession*)snort_calloc(sizeof(*session->dsession));
-
- if (session->dsession->state & DNS_GOT_RESPONSE)
- return;
- session->dsession->state |= DNS_GOT_RESPONSE;
-
- session->dsession->id = id;
- session->dsession->response_type = response_type;
- session->dsession->ttl = ttl;
-
- if (!session->dsession->host)
- {
- if ((host != nullptr) && (host_len > 0) && (host_offset > 0))
- {
- session->dsession->host_len = host_len;
- session->dsession->host_offset = host_offset;
- session->dsession->host = dns_parse_host(host, host_len);
- }
- }
-}
-
-void AppIdResetDnsInfo(AppIdSession* session)
-{
- if (session->dsession)
- {
- snort_free(session->dsession->host);
- memset(session->dsession, 0, sizeof(*(session->dsession)));
- }
+ asd->clear_session_flags(APPID_SESSION_LOGIN_SUCCEEDED);
}
-void AppIdAddPayload(AppIdSession* session, AppId payload_id)
+void AppIdAddPayload(AppIdSession* asd, AppId payload_id)
{
- if (pAppidActiveConfig->mod_config->instance_id)
+ if (AppIdConfig::get_appid_config()->mod_config->instance_id)
checkSandboxDetection(payload_id);
- session->payload_app_id = payload_id;
+ asd->payload_app_id = payload_id;
}
-
void checkSandboxDetection(AppId appId)
{
AppInfoTableEntry* entry;
- if (pAppidActiveConfig->mod_config->instance_id)
+ if (AppIdConfig::get_appid_config()->mod_config->instance_id)
{
- entry = appInfoEntryGet(appId);
+ entry = AppInfoManager::get_instance().get_app_info_entry(appId);
if ( entry && ( entry->flags & APPINFO_FLAG_ACTIVE ) )
fprintf(SF_DEBUG_FILE, "Detected AppId %d\n", entry->appId);
else if( appId != 0 )
AppIdSession* getAppIdData(void* lwssn);
void AppIdAddUser(AppIdSession*, const char* username, AppId, int success);
-void AppIdAddDnsQueryInfo(AppIdSession*, uint16_t id, const uint8_t* host, uint8_t host_len,
- uint16_t host_offset, uint16_t record_type);
-void AppIdAddDnsResponseInfo(AppIdSession*, uint16_t id, const uint8_t* host, uint8_t host_len,
- uint16_t host_offset, uint8_t response_type, uint32_t ttl);
-void AppIdResetDnsInfo(AppIdSession*);
void AppIdAddPayload(AppIdSession*, AppId);
extern unsigned dhcp_fp_table_size;
-unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone);
void checkSandboxDetection(AppId appId);
-
inline void initializePriorityArray()
{
for ( int i=0; i < SF_APPID_MAX; ++i )
inline int testSSLAppIdForReinspect(AppId app_id)
{
if (app_id <= SF_APPID_MAX &&
- (app_id == APP_ID_SSL || appInfoEntryFlagGet(app_id, APPINFO_FLAG_SSL_INSPECT)))
+ (app_id == APP_ID_SSL || AppInfoManager::get_instance().get_app_info_flags(app_id, APPINFO_FLAG_SSL_INSPECT)))
return 1;
else
return 0;
class SearchTool;
struct tMlmpTree;
-// FIXIT-M hack to get initial port to build, define these properly
-#if 1
struct HttpParsedHeaders
{
struct HttpBuf
#define HTTP_XFF_FIELD_X_FORWARDED_FOR ""
#define HTTP_XFF_FIELD_TRUE_CLIENT_IP ""
-
-#endif
+#define HTTP_MAX_XFF_FIELDS 255
// These values are used in Lua code as raw numbers. Do NOT reassign new values.
enum DHPSequence
int key_pattern_countdown;
};
-// FIXIT-M: make the 'item' field a std:vector and refactor code to eliminate realloc calls
-struct CHPMatchTally
+typedef std::vector<CHPMatchCandidate> CHPMatchTally;
+
+struct CHPTallyAndActions
{
- int allocated_elements;
- int in_use_elements;
- CHPMatchCandidate item[1];
+ CHPMatchTally match_tally;
+ MatchedCHPAction* matches;
};
// url parts extracted from http headers.
void AppIdIpsOption::map_names_to_ids()
{
for (auto& appid_info : opt_data.appid_table)
- appid_info.appid_ordinal = get_appid_by_name(appid_info.appid_name);
+ appid_info.appid_ordinal = AppInfoManager::get_instance().get_appid_by_name(appid_info.appid_name);
opt_data.ids_mapped = true;
}
UserData<Detector>::push(L, DETECTOR, detector);
// add a lua reference so the detector doesn't get garbage-collected
- // FIXIT-M J should go in a different table maybe?
lua_pushvalue(L, -1);
detector->detectorUserDataRef = luaL_ref(L, LUA_REGISTRYINDEX);
return detector;
auto& ud = *UserData<Detector>::check(L, DETECTOR, index++);
// FIXIT-M none of these params check for signedness casting issues
- // FIXIT-M: May want to create a lua_toipprotocol() so we can handle
+ // FIXIT-M May want to create a lua_toipprotocol() so we can handle
// error checking in that function.
int protocol = lua_tonumber(L, index++);
if (protocol > UINT8_MAX)
{
AppInfoTableEntry* entry;
- if ((entry = appInfoEntryGet(appId)))
+ if ((entry = AppInfoManager::get_instance().get_app_info_entry(appId)))
{
entry->flags |= APPINFO_FLAG_ACTIVE;
extractsInfo &= (APPINFO_FLAG_CLIENT_ADDITIONAL | APPINFO_FLAG_CLIENT_USER);
{
AppInfoTableEntry* entry;
- // FIXIT-L: what type of error would cause this lookup to fail? is this programming error
- // or user error due to misconfig or something like that... if change in handling needed
- // apply to all instances where this lookup is done
- if ((entry = appInfoEntryGet(appId)))
+ if ((entry = AppInfoManager::get_instance().get_app_info_entry(appId)))
{
entry->flags |= APPINFO_FLAG_ACTIVE;
return;
}
- entry->svrValidator = ServiceGetServiceElement(fcn, data);
+ entry->svrValidator = get_service_element(fcn, data);
if (entry->svrValidator)
entry->flags |= extractsInfo;
else
- ErrorMessage("AppId: Failed to find a service element for AppId: %d - %p\n",
- appId, (void*)data);
+ ErrorMessage("AppId: Failed to find a service element for AppId: %d\n",appId);
}
else
{
- ErrorMessage("Invalid direct service for AppId: %d - %p\n", appId, (void*)data);
+ WarningMessage("AppId: %d has not entry in application mapping configuration and no custom detector\n", appId);
}
}
appSetLuaClientValidator(
validateAnyClientApp, appId, APPINFO_FLAG_CLIENT_ADDITIONAL, ud.ptr);
- set_app_info_active(appId);
+ AppInfoManager::get_instance().set_app_info_active(appId);
lua_pushnumber(L, 0);
return 1;
static int Detector_htons(lua_State* L)
{
- // FIXIT-L ignoring arg #1, as it is unused
- // auto* ud = UserData<Detector>::check(L, DETECTOR, 1);
-
unsigned short aShort = lua_tonumber(L, 2);
lua_pushnumber(L, htons(aShort));
static int Detector_htonl(lua_State* L)
{
- // FIXIT-L ignoring arg #1, as it is unused
- // auto* ud = UserData<Detector>::check(L, DETECTOR, 1);
-
unsigned int anInt = lua_tonumber(L, 2);
lua_pushnumber(L, htonl(anInt));
assert(ud->validateParams.pkt);
- ud->validateParams.flowp->payload_app_id = payloadId;
+ ud->validateParams.asd->payload_app_id = payloadId;
return 0;
}
if ( !detector )
{
- // FIXIT-M J unhelpful error message
- ErrorMessage("invalid LUA parameters");
+ ErrorMessage("The service validation arguments do not contain a detector object\n");
return SERVICE_ENULL;
}
detector->validateParams.data = args->data;
detector->validateParams.size = args->size;
detector->validateParams.dir = args->dir;
- detector->validateParams.flowp = args->flowp;
+ detector->validateParams.asd = args->asd;
detector->validateParams.pkt = args->pkt;
const auto& serverName = detector->name;
* @return int - Number of elements on stack, which is always 1.
* @return serviceName/stack - service name if successful, nil otherwise.
*/
-static int service_getServiceName(
- lua_State* L
- )
+static int service_getServiceName(lua_State* L)
{
auto& ud = *UserData<Detector>::check(L, DETECTOR, 1);
return 1;
}
- ud->validateParams.flowp->add_flow_data_id(sport, ud->server.pServiceElement);
+ ud->validateParams.asd->add_flow_data_id(sport, ud->server.pServiceElement);
lua_pushnumber(L, 0);
return 1;
/*Phase2 - discuss RNAServiceSubtype will be maintained on lua side therefore the last
parameter on the following call is nullptr.
Subtype is not displayed on DC at present. */
- retValue = AppIdServiceAddService(ud->validateParams.flowp, ud->validateParams.pkt,
+ retValue = AppIdServiceAddService(ud->validateParams.asd, ud->validateParams.pkt,
ud->validateParams.dir, ud->server.pServiceElement,
- get_appid_by_service_id(serviceId), vendor, version, nullptr);
+ AppInfoManager::get_instance().get_appid_by_service_id(serviceId), vendor, version, nullptr);
lua_pushnumber(L, retValue);
return 1;
CHECK_INPUTS();
- unsigned int retValue = AppIdServiceFailService(ud->validateParams.flowp,
+ unsigned int retValue = AppIdServiceFailService(ud->validateParams.asd,
ud->validateParams.pkt, ud->validateParams.dir, ud->server.pServiceElement,
- APPID_SESSION_DATA_NONE, ud->appid_config);
+ APPID_SESSION_DATA_NONE);
lua_pushnumber(L, retValue);
return 1;
CHECK_INPUTS();
- unsigned int retValue = AppIdServiceInProcess(ud->validateParams.flowp, ud->validateParams.pkt,
+ unsigned int retValue = AppIdServiceInProcess(ud->validateParams.asd, ud->validateParams.pkt,
ud->validateParams.dir, ud->server.pServiceElement);
lua_pushnumber(L, retValue);
CHECK_INPUTS();
- retValue = AppIdServiceIncompatibleData(ud->validateParams.flowp,
+ retValue = AppIdServiceIncompatibleData(ud->validateParams.asd,
ud->validateParams.pkt,
ud->validateParams.dir, ud->server.pServiceElement,
APPID_SESSION_DATA_NONE, ud->appid_config);
}
lua_checkstack (L, 1);
- // FIXIT-M: is this conversion to double valid?
+ // FIXIT-M is this conversion to double valid?
lua_pushnumber(L, (double)ud->validateParams.pkt->get_ip_proto_next() );
return 1;
}
}
CLIENT_APP_RETCODE validateAnyClientApp( const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, Packet* pkt, Detector* detector )
+ AppIdSession* asd, Packet* pkt, Detector* detector )
{
Profile lua_profile_context(luaCustomPerfStats);
const char* validateFn;
const char* clientName;
- if (!data || !flowp || !pkt || !detector)
+ if (!data || !asd || !pkt || !detector)
{
return CLIENT_APP_ENULL;
}
detector->validateParams.data = data;
detector->validateParams.size = size;
detector->validateParams.dir = dir;
- detector->validateParams.flowp = flowp;
+ detector->validateParams.asd = asd;
detector->validateParams.pkt = (Packet*)pkt;
validateFn = detector->packageInfo.client.validateFunctionName.c_str();
clientName = detector->name.c_str();
return 1;
}
- AppIdAddClientApp(ud->validateParams.flowp, serviceId, clienAppId, version);
+ AppIdAddClientApp(ud->validateParams.asd, serviceId, clienAppId, version);
lua_pushnumber(L, 0);
return 1;
return 1;
}
- ud->client.appModule.api->add_app(ud->validateParams.flowp,
- get_appid_by_service_id(serviceId), get_appid_by_client_id(productId), version);
+ ud->client.appModule.api->add_app(ud->validateParams.asd,
+ AppInfoManager::get_instance().get_appid_by_service_id(serviceId),
+ AppInfoManager::get_instance().get_appid_by_client_id(productId), version);
lua_pushnumber(L, 0);
return 1;
return 1;
}
- ud->client.appModule.api->add_info(ud->validateParams.flowp, info);
+ ud->client.appModule.api->add_info(ud->validateParams.asd, info);
lua_pushnumber(L, 0);
return 1;
return 1;
}
- ud->client.appModule.api->add_user(ud->validateParams.flowp, userName,
- get_appid_by_service_id(serviceId), 1);
+ ud->client.appModule.api->add_user(ud->validateParams.asd, userName,
+ AppInfoManager::get_instance().get_appid_by_service_id(serviceId), 1);
lua_pushnumber(L, 0);
return 1;
return 1;
}
- ud->client.appModule.api->add_payload(ud->validateParams.flowp,
- get_appid_by_payload_id(payloadId));
+ ud->client.appModule.api->add_payload(ud->validateParams.asd,
+ AppInfoManager::get_instance().get_appid_by_payload_id(payloadId));
lua_pushnumber(L, 0);
return 1;
}
auto df = new DetectorFlow();
- df->pFlow = ud->validateParams.flowp;
+ df->asd = ud->validateParams.asd;
UserData<DetectorFlow>::push(L, DETECTORFLOW, df);
df->myLuaState = L;
uint8_t* pattern_str = (uint8_t*)snort_strdup(tmpString);
uint32_t appId = lua_tointeger(L, index++);
-
+ AppInfoManager& app_info_manager = AppInfoManager::get_instance();
HTTPListElement* element = (HTTPListElement*)snort_calloc(sizeof(HTTPListElement));
DetectorHTTPPattern* pattern = &element->detectorHTTPPattern;
pattern->seq = seq;
- pattern->service_id = get_appid_by_service_id(service_id);
- pattern->client_app = get_appid_by_client_id(client_app);
- pattern->payload = get_appid_by_payload_id(payload);
+ pattern->service_id = app_info_manager.get_appid_by_service_id(service_id);
+ pattern->client_app = app_info_manager.get_appid_by_client_id(client_app);
+ pattern->payload = app_info_manager.get_appid_by_payload_id(payload);
pattern->pattern = pattern_str;
pattern->pattern_size = (int)pattern_size;
pattern->appId = appId;
insert_http_pattern_element(pType, element);
- set_app_info_active(pattern->service_id);
- set_app_info_active(pattern->client_app);
- set_app_info_active(pattern->payload);
- set_app_info_active(appId);
+ app_info_manager.set_app_info_active(pattern->service_id);
+ app_info_manager.set_app_info_active(pattern->client_app);
+ app_info_manager.set_app_info_active(pattern->payload);
+ app_info_manager.set_app_info_active(appId);
return 0;
}
UNUSED(type);
#endif
- set_app_info_active(app_id);
+ AppInfoManager::get_instance().set_app_info_active(app_id);
return 0;
}
UNUSED(type);
#endif
- set_app_info_active(app_id);
+ AppInfoManager::get_instance().set_app_info_active(app_id);
return 0;
}
detector->pattern_size = strlen((char*)pattern);
detector->appId = appId;
insert_content_type_pattern(element);
- set_app_info_active(appId);
+ AppInfoManager::get_instance().set_app_info_active(appId);
return 0;
}
*pattern_size = 0;
*pattern_data = nullptr;
tmpString = lua_tolstring(L, index, &*pattern_size);
- // FIXIT-M: recode all this to something elegant since snort_strdup can't fail (just like Rudy)
// non-empty pattern required
- if (!tmpString || !*pattern_size || !(*pattern_data = snort_strdup(tmpString)))
+ if (!tmpString || !*pattern_size)
{
- if (*pattern_size) // implies snort_strdup() failed
- ErrorMessage("LuaDetectorApi:CHP Action PATTERN string mem alloc failed.");
- else
- ErrorMessage("LuaDetectorApi:Invalid CHP Action PATTERN string."); // empty string in
- // Lua code - bad
+ ErrorMessage("LuaDetectorApi:Invalid CHP Action PATTERN string.");
return -1;
}
+ *pattern_data = snort_strdup(tmpString);
return 0;
}
static inline int CHPGetActionType(lua_State* L, int index, ActionType* action_type)
{
*action_type = (ActionType)lua_tointeger(L, index);
- // FIXIT-M: many lua detectors call this with action_type == 14, max is set to 14...is this an issue or a feature
if (*action_type < NO_ACTION || *action_type > MAX_ACTION_TYPE)
{
- WarningMessage("LuaDetectorApi:Incompatible CHP Action type, might be for a later version.");
+ WarningMessage(
+ "LuaDetectorApi:Unsupported CHP Action type: %d, possible version mismatch.",
+ *action_type);
return -1;
}
return 0;
if (actionType == GET_OFFSETS_FROM_REBUILT)
{
/* This is a search engine and it is SUPPORTED for safe-search packet rewrite */
- appInfoEntryFlagSet(CHP_APPIDINSTANCE_TO_ID(appIdInstance), APPINFO_FLAG_SEARCH_ENGINE |
+ AppInfoManager::get_instance().set_app_info_flags(CHP_APPIDINSTANCE_TO_ID(appIdInstance), APPINFO_FLAG_SEARCH_ENGINE |
APPINFO_FLAG_SUPPORTED_SEARCH);
}
else if (actionType == SEARCH_UNSUPPORTED)
{
/* This is a search engine and it is UNSUPPORTED for safe-search packet rewrite */
- appInfoEntryFlagSet(CHP_APPIDINSTANCE_TO_ID(appIdInstance), APPINFO_FLAG_SEARCH_ENGINE);
+ AppInfoManager::get_instance().set_app_info_flags(CHP_APPIDINSTANCE_TO_ID(appIdInstance), APPINFO_FLAG_SEARCH_ENGINE);
}
return 0;
}
queryPattern = (uint8_t*)snort_strdup(tmpString);
uint32_t appId = lua_tointeger(L, index++);
-
- /* Allocate memory for data structures */
+ AppInfoManager& app_info_manager = AppInfoManager::get_instance();
DetectorAppUrlPattern* pattern =
(DetectorAppUrlPattern*)snort_calloc(sizeof(DetectorAppUrlPattern));
-
- pattern->userData.service_id = get_appid_by_service_id(service_id);
- pattern->userData.client_app = get_appid_by_client_id(client_app);
- pattern->userData.payload = get_appid_by_payload_id(payload);
+ pattern->userData.service_id = app_info_manager.get_appid_by_service_id(service_id);
+ pattern->userData.client_app = app_info_manager.get_appid_by_client_id(client_app);
+ pattern->userData.payload = app_info_manager.get_appid_by_payload_id(payload);
pattern->userData.appId = appId;
pattern->userData.query.pattern = queryPattern;
pattern->userData.query.patternSize = queryPatternSize;
pattern->patterns.scheme.patternSize = (int)schemePatternSize;
insert_url_pattern(pattern);
- set_app_info_active(pattern->userData.service_id);
- set_app_info_active(pattern->userData.client_app);
- set_app_info_active(pattern->userData.payload);
- set_app_info_active(appId);
+ app_info_manager.set_app_info_active(pattern->userData.service_id);
+ app_info_manager.set_app_info_active(pattern->userData.client_app);
+ app_info_manager.set_app_info_active(pattern->userData.payload);
+ app_info_manager.set_app_info_active(appId);
return 0;
}
/* Verify that host pattern is a valid string */
size_t hostPatternSize = 0;
- uint8_t* hostPattern = nullptr;
tmpString = lua_tolstring(L, index++, &hostPatternSize);
- // FIXIT-L: recode all this to something elegant since snort_strdup can't fail (just like Rudy)
- if (!tmpString || !hostPatternSize || !(hostPattern = (uint8_t*)snort_strdup(tmpString)))
+ if (!tmpString || !hostPatternSize)
{
ErrorMessage("Invalid host pattern string.");
return 0;
}
+ u_int8_t* hostPattern = (u_int8_t*)snort_strdup(tmpString);
/* Verify that path pattern is a valid string */
size_t pathPatternSize = 0;
- uint8_t* pathPattern = nullptr;
tmpString = lua_tolstring(L, index++, &pathPatternSize);
- // FIXIT-L: recode all this to something elegant since snort_strdup can't fail (just like Rudy)
- if (!tmpString || !pathPatternSize || !(pathPattern = (uint8_t*)snort_strdup(tmpString)))
+ if (!tmpString || !pathPatternSize)
{
ErrorMessage("Invalid path pattern string.");
snort_free(hostPattern);
return 0;
}
+ u_int8_t* pathPattern = (u_int8_t*)snort_strdup(tmpString);
/* Verify that scheme pattern is a valid string */
size_t schemePatternSize;
- uint8_t* schemePattern = nullptr;
tmpString = lua_tolstring(L, index++, &schemePatternSize);
- // FIXIT-L: recode all this to something elegant since snort_strdup can't fail (just like Rudy)
- if (!tmpString || !schemePatternSize || !(schemePattern = (uint8_t*)snort_strdup(tmpString)))
+ if (!tmpString || !schemePatternSize)
{
ErrorMessage("Invalid scheme pattern string.");
snort_free(pathPattern);
snort_free(hostPattern);
return 0;
}
+ u_int8_t* schemePattern = (u_int8_t*)snort_strdup(tmpString);
/* Verify that query pattern is a valid string */
size_t queryPatternSize;
if (tmpString && queryPatternSize)
queryPattern = (uint8_t*)snort_strdup(tmpString);
- uint32_t appId = lua_tointeger(L, index++);
+ u_int32_t appId = lua_tointeger(L, index++);
/* Allocate memory for data structures */
- DetectorAppUrlPattern* pattern = (DetectorAppUrlPattern*)snort_calloc(
- sizeof(DetectorAppUrlPattern));
+ DetectorAppUrlPattern* pattern =
+ (DetectorAppUrlPattern*)snort_calloc(sizeof(DetectorAppUrlPattern));
/* we want to put these patterns in just like for regular Urls, but we do NOT need legacy IDs for them.
* so just use the appID for service, client, or payload ID */
pattern->patterns.scheme.patternSize = (int)schemePatternSize;
insert_rtmp_url_pattern(pattern);
- set_app_info_active(pattern->userData.service_id);
- set_app_info_active(pattern->userData.client_app);
- set_app_info_active(pattern->userData.payload);
- set_app_info_active(appId);
+ AppInfoManager& app_info_manager = AppInfoManager::get_instance();
+ app_info_manager.set_app_info_active(pattern->userData.service_id);
+ app_info_manager.set_app_info_active(pattern->userData.client_app);
+ app_info_manager.set_app_info_active(pattern->userData.payload);
+ app_info_manager.set_app_info_active(appId);
return 0;
}
sipUaPatternAdd(client_app, clientVersion, uaPattern);
- set_app_info_active(client_app);
+ AppInfoManager::get_instance().set_app_info_active(client_app);
return 0;
}
return 1; /*number of results */
}
- AppInfoTableEntry* entry = appInfoEntryCreate(tmpString);
+ AppInfoTableEntry* entry = AppInfoManager::get_instance().add_dynamic_app_entry(tmpString);
if (entry)
{
serviceAppId = lua_tonumber(L, 2);
clienAppId = lua_tonumber(L, 3);
- /*check inputs and whether this function is called in context of a
- packet */
+ // check inputs and whether this function is called in context of a packet
if ( !ud->validateParams.pkt )
{
lua_pushnumber(L, -1);
return 1;
}
- ud->client.appModule.api->add_app(ud->validateParams.flowp, serviceAppId,
+ ud->client.appModule.api->add_app(ud->validateParams.asd, serviceAppId,
clienAppId, "");
lua_pushnumber(L, 0);
/*Phase2 - discuss RNAServiceSubtype will be maintained on lua side therefore the last
parameter on the following call is nullptr.
Subtype is not displayed on DC at present. */
- retValue = AppIdServiceAddService(ud->validateParams.flowp, ud->validateParams.pkt,
+ retValue = AppIdServiceAddService(ud->validateParams.asd, ud->validateParams.pkt,
ud->validateParams.dir, ud->server.pServiceElement,
serviceId, nullptr, nullptr, nullptr);
return 1;
}
- ud->client.appModule.api->add_payload(ud->validateParams.flowp, payloadAppId);
+ ud->client.appModule.api->add_payload(ud->validateParams.asd, payloadAppId);
lua_pushnumber(L, 0);
return 1;
pattern->appId = APP_ID_NONE;
insert_http_pattern_element(pType, element);
- set_app_info_active(serviceAppId);
- set_app_info_active(clienAppId);
- set_app_info_active(payloadAppId);
+ AppInfoManager& app_info_manager = AppInfoManager::get_instance();
+ app_info_manager.set_app_info_active(serviceAppId);
+ app_info_manager.set_app_info_active(clienAppId);
+ app_info_manager.set_app_info_active(payloadAppId);
return 0;
}
pattern->patterns.scheme.patternSize = (int)schemePatternSize;
insert_app_url_pattern(pattern);
- set_app_info_active(serviceAppId);
- set_app_info_active(clienAppId);
- set_app_info_active(payloadAppId);
+ AppInfoManager& app_info_manager = AppInfoManager::get_instance();
+ app_info_manager.set_app_info_active(serviceAppId);
+ app_info_manager.set_app_info_active(clienAppId);
+ app_info_manager.set_app_info_active(payloadAppId);
return 0;
}
pPattern->detectorName = snort_strdup(ud->name.c_str());
insert_client_port_pattern(pPattern);
- set_app_info_active(appId);
+ AppInfoManager::get_instance().set_app_info_active(appId);
return 0;
}
//insert ports in order.
insert_service_port_pattern(pPattern);
- set_app_info_active(appId);
+ AppInfoManager::get_instance().set_app_info_active(appId);
return 0;
}
return 0;
}
- // FIXIT-M: uncomment when sip detector is included in the build
+ // FIXIT-M uncomment when sip detector is included in the build
#ifdef REMOVED_WHILE_NOT_IN_USE
sipServerPatternAdd(client_app, clientVersion, uaPattern,
&ud->appid_config->detectorSipConfig);
#endif
- set_app_info_active(client_app);
+ AppInfoManager::get_instance().set_app_info_active(client_app);
return 0;
}
app_id_to_snort = lua_tointeger(L, 10);
if (app_id_to_snort > APP_ID_NONE)
{
- AppInfoTableEntry* entry = appInfoEntryGet(app_id_to_snort);
+ AppInfoTableEntry* entry = AppInfoManager::get_instance().get_app_info_entry(app_id_to_snort);
if (nullptr == entry)
return 0;
snort_app_id = entry->snortId;
fp->serviceAppId = service_app_id;
fp->client_app_id = client_app_id;
fp->payload_app_id = payload_app_id;
- fp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE |
+ fp->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE |
APPID_SESSION_PORT_SERVICE_DONE);
fp->rnaServiceState = RNA_STATE_FINISHED;
fp->rna_client_state = RNA_STATE_FINISHED;
lua_close(myLuaState);
}
-/**Garbage collector hook function. Called when Lua side garbage collects detector api instance. Current design is to allocate
- * one of each luaState, detector and detectorUserData buffers, and hold these buffers till RNA exits. SigHups processing
- * reuses the buffers and calls DetectorInit to reinitialize. RNA ensures that UserData<Detector> is not garbage collected, by
- * creating a reference in LUA_REGISTRY table. The reference is released only on RNA exit.
+/* Garbage collector hook function. Called when Lua side garbage collects detector
+ * api instance. Current design is to allocate one of each luaState, detector and
+ * detectorUserData buffers, and hold these buffers till RNA exits. SigHups processing
+ * reuses the buffers and calls DetectorInit to reinitialize. RNA ensures that
+ * UserData<Detector> is not garbage collected, by creating a reference in LUA_REGISTRY
+ * table. The reference is released only on RNA exit.
*
- * If in future, one needs to free any of these buffers then one should consider references to detector buffer in RNAServiceElement
- * stored in flows and hostServices data structures. Other detectors at this time create one static instance for the lifetime of RNA,
- * and therefore we have adopted the same principle for Lua Detecotors.
+ * If in future, one needs to free any of these buffers then one should consider
+ * references to detector buffer in RNAServiceElement stored in flows and hostServices
+ * data structures. Other detectors at this time create one static instance for the
+ * lifetime of RNA, and therefore we have adopted the same principle for Lua Detecotors.
*/
static int Detector_gc(lua_State*)
{
- // FIXIT-M Does Detector_gc need to not be a no-op
return 0;
}
{
struct UniInfo
{
- std::string initFunctionName; // FIXIT-M: clean this up = "DetectorInit"; // client init function
- std::string cleanFunctionName; // = "DetectorClean"; // client clean function
- std::string validateFunctionName; // = "DetectorValidate"; // client validate function
+ std::string initFunctionName;
+ std::string cleanFunctionName;
+ std::string validateFunctionName;
int minimum_matches = 0;
};
{
~Detector();
- /**Identifies customer created detectors using SDL. */
- bool isCustom;
+ bool isCustom; // true for customer created detectors
bool isActive;
bool wasActive;
const uint8_t* data;
uint16_t size;
int dir;
- AppIdSession* flowp;
+ AppIdSession* asd;
Packet* pkt;
uint8_t macAddress[6];
} validateParams;
- /**Pointer to flow created by a validator.
- */
- AppIdSession* pFlow;
-
struct
{
unsigned int serviceId;
-
- /**present only for server detectors*/
RNAServiceValidationModule serviceModule;
-
- /**calloced buffer to satisfy internal flow API.
- */
RNAServiceElement* pServiceElement;
} server;
- /**constructed from packageInfo read from lua detector directly. Present
- * only for client detectors.
- */
struct
{
- /**application fingerprint id.*/
unsigned int appFpId;
-
- /**Client Application Module. */
RNAClientAppModule appModule;
} client;
+ AppIdSession* pFlow;
lua_State* myLuaState;
-
- /**Reference to lua userdata. This is a key into LUA_REGISTRYINDEX */
- int detectorUserDataRef;
-
- std::string name; // lua file name is used as detector name
-
- /**Package information retrieved from detector lua file.
- */
+ int detectorUserDataRef; // key into LUA_REGISTRYINDEX
+ std::string name;
DetectorPackageInfo packageInfo;
-
unsigned detector_version;
char* validatorBuffer;
unsigned char digest[16];
-
AppIdConfig* appid_config;
};
sflist_add_tail(&allocatedFlowList, detector_flow);
- detector_flow->pFlow = AppIdSession::create_future_session(detector_data->validateParams.pkt, &saddr,
+ detector_flow->asd = AppIdSession::create_future_session(detector_data->validateParams.pkt, &saddr,
sport, &daddr, dport, proto, 0, 0);
- if (!detector_flow->pFlow)
+ if (!detector_flow->asd)
{
/*calloced buffer will be freed later after the current packet is processed. */
lua_pop(L, 1);
flags = lua_tonumber(L, 2);
flags = ConvertFlagsLuaToC(flags);
- pLuaData->pFlow->setAppIdFlag(flags);
+ pLuaData->asd->set_session_flags(flags);
return 0;
}
flags = lua_tonumber(L, 2);
flags = ConvertFlagsLuaToC(flags);
- ret = pLuaData->pFlow->getAppIdFlag(flags);
+ ret = pLuaData->asd->get_session_flags(flags);
ret = ConvertFlagsCToLua(ret);
lua_pushnumber(L, ret);
flags = lua_tonumber(L, 2);
flags = ConvertFlagsLuaToC(flags);
- pLuaData->pFlow->clearAppIdFlag(flags);
+ pLuaData->asd->clear_session_flags(flags);
return 0;
}
auto& pLuaData = *UserData<DetectorFlow>::check(L, DETECTORFLOW, 1);
assert(pLuaData.ptr);
- lua_pushlstring(L, (char*)&pLuaData->pFlow->id,
- sizeof(pLuaData->pFlow->id));
+ lua_pushlstring(L, (char*)&pLuaData->asd->session_id,
+ sizeof(pLuaData->asd->session_id));
return 1;
}
struct DetectorFlow
{
- // FIXIT-M why is the lua state and user data ref on this object?
lua_State* myLuaState;
- AppIdSession* pFlow;
+ AppIdSession* asd;
int userDataRef;
};
#define LUA_DETECTOR_FILENAME_MAX 1024
THREAD_LOCAL SF_LIST allocatedFlowList; /*list of flows allocated. */
-static uint32_t gLuaTrackerSize = 0;
-static unsigned gNumDetectors = 0;
-static unsigned gNumActiveDetectors;
static inline bool match_char_set(char c, const char* set)
{
return result;
}
-static lua_State* createLuaState()
+static lua_State* create_lua_state()
{
auto L = luaL_newstate();
luaL_openlibs(L);
// set lua library paths
char extra_path_buffer[PATH_MAX];
+ // FIXIT-L compute this path in the appid config module and return it ready to use
snprintf(
extra_path_buffer, PATH_MAX-1, "%s/odp/libs/?.lua;%s/custom/libs/?.lua",
- pAppidActiveConfig->mod_config->app_detector_dir,
- pAppidActiveConfig->mod_config->app_detector_dir);
+ AppIdConfig::get_appid_config()->mod_config->app_detector_dir,
+ AppIdConfig::get_appid_config()->mod_config->app_detector_dir);
const int save_top = lua_gettop(L);
if ( get_lua_ns(L, "package.path") )
return L;
}
-// fetch or create packageInfo defined inside lua detector
-static void getDetectorPackageInfo(Detector* detector)
+static void get_detector_package_info(Detector* detector)
{
auto L = detector->myLuaState;
Lua::ManageStack mgr(L);
lua_pop(L, 1); /*pop DetectorPackageInfo table */
}
-/**Calls DetectorInit function inside lua detector.
- * Calls initialization function as defined in packageInfo, which reads either user defined name
- * or DetectorInit symbol. Pushes detectorUserData on stack as input parameter and the calls the
- * function. Notice * that on error, lua_state is not closed. This keeps faulty detectors around
- * without using it, but it keeps wrapping functions simpler.
- */
-static void luaServerInit(Detector* detector)
-{
- const auto& name = detector->name;
- auto L = detector->myLuaState;
- const auto& server = detector->packageInfo.server;
-
- lua_getglobal(L, server.initFunctionName.c_str());
- if (!lua_isfunction(L, -1))
- return;
-
- /*first parameter is DetectorUserData */
- lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef);
- if ( lua_pcall(L, 1, 1, 0) )
- {
- ErrorMessage("error loading lua Detector %s, error %s\n",
- name.c_str(), lua_tostring(L, -1));
- return;
- }
- else
- {
- if ( detector->server.pServiceElement )
- detector->server.pServiceElement->ref_count = 1;
-
- DebugFormat(DEBUG_APPID, "Initialized %s\n", name.c_str());
- }
-}
-
-/**Calls init function inside lua detector.
- * Calls initialization function as defined in packageInfo. Pushes detectorUserData on stack
- * as input parameter and the calls the function. Notice * that on error, lua_state is not
- * closed. This keeps faulty detectors around without using it, but it keeps wrapping functions
- * simpler.
- */
-static void luaClientInit(Detector* detector)
+static void clean_client_detector(Detector* detector)
{
auto L = detector->myLuaState;
const auto& client = detector->packageInfo.client;
- assert(!client.initFunctionName.empty());
+ assert(!client.cleanFunctionName.empty() );
- lua_getglobal(L, client.initFunctionName.c_str());
+ lua_getglobal(L, client.cleanFunctionName.c_str());
if (!lua_isfunction(L, -1))
{
- ErrorMessage("Detector %s: does not contain DetectorInit() function\n",
+ ErrorMessage("Detector %s: does not contain DetectorFini() function\n",
detector->name.c_str());
return;
}
/*first parameter is DetectorUserData */
lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef);
- /*second parameter is a table containing configuration stuff. */
- // ... which is empty.???
- lua_newtable(L);
-
- if ( lua_pcall(L, 2, 1, 0) )
+ if ( lua_pcall(L, 1, 1, 0) )
{
- ErrorMessage("Could not initialize the %s client app element: %s\n",
+ ErrorMessage("Could not cleanup the %s client app element: %s\n",
detector->name.c_str(), lua_tostring(L, -1));
- return;
- }
- else
- {
- DebugFormat(DEBUG_APPID, "Initialized %s\n", detector->name.c_str());
}
}
-static void luaClientFini(Detector* detector)
+LuaDetectorManager::LuaDetectorManager()
{
- auto L = detector->myLuaState;
- const auto& client = detector->packageInfo.client;
-
- assert(!client.cleanFunctionName.empty() );
+ sflist_init(&allocatedFlowList);
+ allocated_detectors.clear();
+}
- lua_getglobal(L, client.cleanFunctionName.c_str());
- if (!lua_isfunction(L, -1))
+LuaDetectorManager::~LuaDetectorManager()
+{
+ for ( auto& detector : allocated_detectors )
{
- ErrorMessage("Detector %s: does not contain DetectorFini() function\n",
- detector->name.c_str());
- return;
- }
-
- /*first parameter is DetectorUserData */
- lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef);
+ if ( detector->isActive && !detector->packageInfo.client.initFunctionName.empty() )
+ clean_client_detector(detector);
- if ( lua_pcall(L, 1, 1, 0) )
- {
- ErrorMessage("Could not cleanup the %s client app element: %s\n",
- detector->name.c_str(), lua_tostring(L, -1));
+ delete detector;
}
+
+ sflist_static_free_all(&allocatedFlowList, freeDetectorFlow);
+ allocated_detectors.clear();
}
-static inline void setLuaTrackerSize(lua_State* L, uint32_t numTrackers)
+/**calculates Number of flow and host tracker entries for Lua detectors, given amount
+ * of memory allocated to RNA (fraction of total system memory) and number of detectors
+ * loaded in database. Calculations are based on CAICCI detector and observing memory
+ * consumption per tracker.
+ * @param rnaMemory - total memory RNA is allowed to use. This is calculated as a fraction of
+ * total system memory.
+ * @param numDetectors - number of lua detectors present in database.
+ */
+#define LUA_TRACKERS_MAX 10000
+#define LUA_TRACKER_AVG_MEM_BYTES 740
+
+static inline void set_lua_tracker_size(lua_State* L, uint32_t numTrackers)
{
/*change flow tracker size according to available memory calculation */
lua_getglobal(L, "hostServiceTrackerModule");
lua_pop(L, 1);
}
-LuaDetectorManager::LuaDetectorManager()
-{
- sflist_init(&allocatedFlowList);
- allocatedDetectorList.clear();
-}
-
-LuaDetectorManager::~LuaDetectorManager()
+static inline uint32_t compute_lua_tracker_size(uint64_t rnaMemory, uint32_t numDetectors)
{
- for ( auto& detector : allocatedDetectorList )
- if ( !detector->packageInfo.client.initFunctionName.empty() )
- luaClientFini(detector);
+ uint64_t detectorMemory = (rnaMemory / 8);
+ unsigned numTrackers;
- sflist_static_free_all(&allocatedFlowList, freeDetectorFlow);
- for ( auto& detector : allocatedDetectorList )
- delete detector;
- allocatedDetectorList.clear();}
+ if (!numDetectors)
+ numDetectors = 1;
+ numTrackers = (detectorMemory / LUA_TRACKER_AVG_MEM_BYTES) / numDetectors;
+ return (numTrackers > LUA_TRACKERS_MAX) ? LUA_TRACKERS_MAX : numTrackers;
+}
-void LuaDetectorManager::luaCustomLoad( char* detectorName, char* validator,
+void LuaDetectorManager::initialize_lua_detector( const char* detectorName, char* validator,
unsigned int validatorLen, unsigned char* const digest, AppIdConfig* pConfig,
bool isCustom)
{
Detector* detector;
- RNAClientAppModule* cam = nullptr;
- lua_State* L = createLuaState();
+ lua_State* L = create_lua_state();
if ( !L )
{
ErrorMessage("can not create new luaState");
return;
}
- getDetectorPackageInfo(detector);
+ get_detector_package_info(detector);
detector->validatorBuffer = validator;
detector->isActive = true;
detector->appid_config = pConfig;
if ( detector->packageInfo.server.initFunctionName.empty() )
{
- //assert(false); // FIXIT-M cam is null at this point so... WOMP
+ RNAClientAppModule* cam = nullptr;
detector->client.appFpId = APP_ID_UNKNOWN;
cam = &detector->client.appModule;
- // cam->name = detector->packageInfo.name;
+ cam->name = detector->packageInfo.name.c_str();
cam->proto = detector->packageInfo.proto;
cam->validate = validateAnyClientApp;
cam->minimum_matches = detector->packageInfo.client.minimum_matches;
}
memcpy(detector->digest, digest, sizeof(detector->digest));
- allocatedDetectorList.push_front(detector);
- gNumDetectors++;
+ allocated_detectors.push_front(detector);
+ num_lua_detectors++;
DebugFormat(DEBUG_LOG,"Loaded detector %s\n", detectorName);
}
-/**calculates Number of flow and host tracker entries for Lua detectors, given amount
- * of memory allocated to RNA (fraction of total system memory) and number of detectors
- * loaded in database. Calculations are based on CAICCI detector and observing memory
- * consumption per tracker.
- * @param rnaMemory - total memory RNA is allowed to use. This is calculated as a fraction of
- * total system memory.
- * @param numDetectors - number of lua detectors present in database.
- */
-#define LUA_TRACKERS_MAX 10000
-#define LUA_TRACKER_AVG_MEM_BYTES 740
-
-static inline uint32_t calculateLuaTrackerSize(uint64_t rnaMemory, uint32_t numDetectors)
-{
- uint64_t detectorMemory = (rnaMemory/8);
- unsigned numTrackers;
- if (!numDetectors)
- numDetectors = 1;
- numTrackers = (detectorMemory/LUA_TRACKER_AVG_MEM_BYTES)/numDetectors;
- return (numTrackers > LUA_TRACKERS_MAX) ? LUA_TRACKERS_MAX : numTrackers;
-}
-
-void LuaDetectorManager::loadCustomLuaModules(char* path, AppIdConfig* pConfig, bool isCustom)
+void LuaDetectorManager::validate_lua_detector(const char* path, AppIdConfig* pConfig, bool isCustom)
{
unsigned n;
FILE* file;
// FIXIT-M this finds the wrong detector -- it should be find_last_of
auto it = std::find_if(
- allocatedDetectorList.begin(),
- allocatedDetectorList.end(),
+ allocated_detectors.begin(),
+ allocated_detectors.end(),
[&detectorName](const Detector* d) {
return d->name == detectorName;
});
- if ( it != allocatedDetectorList.end() )
+ if ( it != allocated_detectors.end() )
{
Detector* detector = *it;
if ( !memcmp(digest, detector->digest, sizeof(digest)) )
}
}
- luaCustomLoad(detectorName, (char*)validatorBuffer, validatorBufferLen, digest, pConfig,
+ initialize_lua_detector(detectorName, (char*)validatorBuffer, validatorBufferLen, digest, pConfig,
isCustom);
}
globfree(&globs);
}
-void LuaDetectorManager::FinalizeLuaModules()
+// These functions call the 'DetectorInit' function of the lua detector.
+// Calls initialization function as defined in packageInfo, which reads either user defined name
+// or DetectorInit symbol. Pushes detectorUserData on stack as input parameter and the calls the
+// function. Notice * that on error, lua_state is not closed. This keeps faulty detectors around
+// without using it, but it keeps wrapping functions simpler.
+static void init_service_detector(Detector* detector)
{
- gNumActiveDetectors = 0;
+ const auto& name = detector->name;
+ auto L = detector->myLuaState;
+ const auto& server = detector->packageInfo.server;
- for ( auto& detector : allocatedDetectorList )
- {
- if ( detector->isActive )
- {
- ++gNumActiveDetectors;
+ lua_getglobal(L, server.initFunctionName.c_str());
+ if (!lua_isfunction(L, -1))
+ return;
- if ( detector->server.pServiceElement )
- detector->server.pServiceElement->current_ref_count =
- detector->server.pServiceElement->ref_count;
- }
+ /*first parameter is DetectorUserData */
+ lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef);
+ if ( lua_pcall(L, 1, 1, 0) )
+ {
+ ErrorMessage("error loading lua Detector %s, error %s\n",
+ name.c_str(), lua_tostring(L, -1));
+ return;
}
-
- luaDetectorsSetTrackerSize();
-}
-
-void LuaDetectorManager::LoadLuaModules(AppIdConfig* pConfig)
-{
- for ( auto& detector : allocatedDetectorList )
+ else
{
- detector->wasActive = detector->isActive;
- detector->isActive = 0;
-
if ( detector->server.pServiceElement )
- detector->server.pServiceElement->ref_count = 0;
- }
+ detector->server.pServiceElement->ref_count = 1;
- char path[PATH_MAX];
- snprintf(path, sizeof(path), "%s/odp/lua", pAppidActiveConfig->mod_config->app_detector_dir);
- loadCustomLuaModules(path, pConfig, 0);
- snprintf(path, sizeof(path), "%s/custom/lua",
- pAppidActiveConfig->mod_config->app_detector_dir);
- loadCustomLuaModules(path, pConfig, 1);
- // luaDetectorsCleanInactive();
+ DebugFormat(DEBUG_APPID, "Initialized %s\n", name.c_str());
+ }
}
-void LuaDetectorManager::luaDetectorsUnload()
+static void init_client_detector(Detector* detector)
{
- for ( auto& detector : allocatedDetectorList )
+ auto L = detector->myLuaState;
+ const auto& client = detector->packageInfo.client;
+
+ assert(!client.initFunctionName.empty());
+
+ lua_getglobal(L, client.initFunctionName.c_str());
+ if (!lua_isfunction(L, -1))
{
- if ( detector->isActive && !detector->packageInfo.server.initFunctionName.empty())
- detectorRemoveAllPorts(detector);
+ ErrorMessage("Detector %s: does not contain DetectorInit() function\n",
+ detector->name.c_str());
+ return;
+ }
- if ( detector->isActive && !detector->packageInfo.client.initFunctionName.empty() )
- luaClientFini(detector);
+ /*first parameter is DetectorUserData */
+ lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef);
- detector->isActive = false;
+ /*second parameter is a table containing configuration stuff. */
+ // ... which is empty.???
+ lua_newtable(L);
- if (detector->server.pServiceElement)
- detector->server.pServiceElement->ref_count = 0;
+ if ( lua_pcall(L, 2, 1, 0) )
+ {
+ ErrorMessage("Could not initialize the %s client app element: %s\n",
+ detector->name.c_str(), lua_tostring(L, -1));
+ return;
}
-
- gNumActiveDetectors = 0;
}
-void LuaDetectorManager::luaDetectorsSetTrackerSize()
+void LuaDetectorManager::init_lua_service_detectors()
{
- gLuaTrackerSize = calculateLuaTrackerSize(512*1024*1024, gNumActiveDetectors);
-
- DebugFormat(DEBUG_APPID, " Setting tracker size to %u\n", gLuaTrackerSize);
+ for ( auto& detector : allocated_detectors )
+ init_service_detector(detector);
+}
- for ( auto& detector : allocatedDetectorList )
- {
- if ( detector->isActive )
- setLuaTrackerSize(detector->myLuaState, gLuaTrackerSize);
- }
+void LuaDetectorManager::init_lua_client_detectors()
+{
+ for ( auto& detector : allocated_detectors )
+ if ( detector->isActive && !detector->packageInfo.client.initFunctionName.empty() )
+ init_client_detector(detector);
}
-void LuaDetectorManager::UnloadLuaModules(AppIdConfig*)
+void LuaDetectorManager::activate_lua_detectors()
{
- for ( auto& detector : allocatedDetectorList )
- {
- if ( detector->wasActive )
+ init_lua_client_detectors();
+ init_lua_service_detectors();
+
+ for ( auto& detector : allocated_detectors )
+ if ( detector->isActive )
{
- if ( detector->client.appFpId )
- luaClientFini(detector);
+ ++num_active_lua_detectors;
- detector->wasActive = false;
+ if ( detector->server.pServiceElement )
+ detector->server.pServiceElement->current_ref_count =
+ detector->server.pServiceElement->ref_count;
}
- }
-}
-/**Reconfigure all Lua modules.
- * Iterates over all Lua detectors in system and reconfigures them. This
- * will however not read rna_csd_validator_map table again to check for
- * newly activated or deactivate detectors. Current design calls for restarting
- * RNA whenever detectors are activated/deactivated.
- */
-void LuaDetectorManager::luaModuleInitAllServices()
-{
- for ( auto& detector : allocatedDetectorList )
- luaServerInit(detector);
+ lua_tracker_size = compute_lua_tracker_size(512*1024*1024, num_active_lua_detectors);
+ for ( auto& detector : allocated_detectors )
+ {
+ if ( detector->isActive )
+ set_lua_tracker_size(detector->myLuaState, lua_tracker_size);
+ }
}
-/**Reconfigure all Lua modules.
- * Iterates over all Lua detectors in system and reconfigures them. This
- * will however not read rna_csd_validator_map table again to check for
- * newly activated or deactivate detectors. Current design calls for restarting
- * RNA whenever detectors are activated/deactivated.
- */
-void LuaDetectorManager::luaModuleInitAllClients()
+void LuaDetectorManager::load_lua_detectors(AppIdConfig* pConfig)
{
- for ( auto& detector : allocatedDetectorList )
- if ( detector->isActive && !detector->packageInfo.client.initFunctionName.empty() )
- luaClientInit(detector);
+ char path[PATH_MAX];
+ snprintf(path, sizeof(path), "%s/odp/lua",
+ AppIdConfig::get_appid_config()->mod_config->app_detector_dir);
+ validate_lua_detector(path, pConfig, 0);
+ snprintf(path, sizeof(path), "%s/custom/lua",
+ AppIdConfig::get_appid_config()->mod_config->app_detector_dir);
+ validate_lua_detector(path, pConfig, 1);
}
void LuaDetectorManager::list_lua_detectors()
{
+ // FIXIT-L make these perf counters
size_t totalMem = 0;
size_t mem;
- uint32_t total_detectors = 0;
- if ( allocatedDetectorList.empty() )
+ if ( allocated_detectors.empty() )
return;
LogMessage("Lua Detector Stats:\n");
- for ( auto& detector : allocatedDetectorList )
+ for ( auto& detector : allocated_detectors )
{
mem = lua_gc(detector->myLuaState, LUA_GCCOUNT, 0);
totalMem += mem;
- total_detectors++;
LogMessage("\tDetector %s: Lua Memory usage %zu kb\n", detector->name.c_str(), mem);
}
- LogMessage("Lua Stats total detectors: %u\n", total_detectors);
+ LogMessage("Lua Stats total detectors: %lu\n", allocated_detectors.size());
LogMessage("Lua Stats total memory usage %zu kb\n", totalMem);
}
LuaDetectorManager();
~LuaDetectorManager();
- // Load all Lua modules into a detector list
- //
- // Each RNA detector file in the folder app_id_detector_path is parsed for
- // detector information. If it is a valid detector, a detector data structure
- // is created for it and stored in allocatedDetectorList.
- void LoadLuaModules(AppIdConfig*);
-
- // Finalize Lua modules
- // This function should be called after LoadLuaModules(). It sets up proper AppId references
- // and tracker size for all the detectors.
- void FinalizeLuaModules();
-
- // Unload Lua modules
- //
- // This function cleans up all the data structures that were created for the Lua detectors
- // in a given AppId context. It should be called after FinalizeLuaModules().
- void UnloadLuaModules(AppIdConfig*);
-
- void add_chunk(const std::string&);
-
- void luaModuleInitAllServices();
- void luaModuleInitAllClients();
+ void load_lua_detectors(AppIdConfig*);
+ void activate_lua_detectors();
void list_lua_detectors();
private:
- void luaCustomLoad( char* detectorName, char* validator, unsigned int validatorLen,
+ void init_lua_service_detectors();
+ void init_lua_client_detectors();
+ void initialize_lua_detector(const char* detectorName, char* validator, unsigned int validatorLen,
unsigned char* const digest, AppIdConfig*, bool isCustom);
- void loadCustomLuaModules(char* path, AppIdConfig*, bool isCustom);
- void luaDetectorsUnload();
- void luaDetectorsSetTrackerSize();
+ void validate_lua_detector(const char* path, AppIdConfig*, bool isCustom);
+
+ std::list<Detector*> allocated_detectors;
- std::list<Detector*> allocatedDetectorList;
+ // FIXIT-L make these perf counters
+ uint32_t lua_tracker_size = 0;
+ uint32_t num_lua_detectors = 0;
+ uint32_t num_active_lua_detectors = 0;
};
extern THREAD_LOCAL SF_LIST allocatedFlowList;
assert(ud);
ud->ptr = ptr;
luaL_getmetatable(L, meta);
- // FIXIT-L: clean this up if not needed or enable the assert...metatable should already be in registry at this point
- //assert(lua_istable(L, -1));
-
lua_setmetatable(L, -2);
return ud;
}
const uint8_t* data;
uint16_t size;
int dir;
- AppIdSession* flowp;
+ AppIdSession* asd;
Packet* pkt;
struct Detector* userdata;
const AppIdConfig* pConfig;
- bool app_id_debug_session_flag;
- char* app_id_debug_session;
+ bool session_logging_enabled;
+ char* session_logging_id;
};
using RNAServiceValidationFCN = int(*)(ServiceValidationArgs*);
-#define MakeRNAServiceValidationPrototype(name) static int name(ServiceValidationArgs* args)
-
struct CleanServiceAPI
{
AppIdConfig* pAppidConfig; ///< AppId context for which this API should be used
AppIdConfig* pAppidConfig; ///< AppId context for which this API should be used
};
-struct RNAServicePerf
-{
- /*time to validate */
- uint64_t totalValidateTime;
-};
-
struct RNAServiceElement
{
RNAServiceElement* next;
typedef int (* ServiceInProcess)(AppIdSession* flow, const Packet* pkt, int dir,
const RNAServiceElement* svc_element);
typedef int (* FailService)(AppIdSession* flow, const Packet* pkt, int dir,
- const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig* pConfig);
+ const RNAServiceElement* svc_element, unsigned flow_data_index);
typedef int (* IncompatibleData)(AppIdSession* flow, const Packet* pkt, int dir,
const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig*);
typedef void (* AddHostInfo)(AppIdSession* flow, SERVICE_HOST_INFO_CODE code, const void* info);
#include "service_base.h"
-#include <limits.h>
+#include <vector>
+#include <algorithm>
+#include <limits.h>
#include "service_api.h"
#include "service_battle_field.h"
#include "service_bgp.h"
#include "utils/util.h"
#include "sfip/sf_ip.h"
-/*#define SERVICE_DEBUG 1
- #define SERVICE_DEBUG_PORT 0 */
+//#define SERVICE_DEBUG 1
+//#define SERVICE_DEBUG_PORT 80
+
+#ifdef SERVICE_DEBUG
+static const char* service_id_state_name[] =
+{
+ "NEW",
+ "VALID",
+ "PORT",
+ "PATTERN",
+ "BRUTE_FORCE"
+};
+
+#ifdef SERVICE_DEBUG_PORT
+#define APPID_LOG_SERVICE(fmt) fprintf(SF_DEBUG_FILE, fmt)
+#define APPID_LOG_FILTER_PORTS(dp, sp, fmt, ...) \
+ if (dp == SERVICE_DEBUG_PORT || sp == SERVICE_DEBUG_PORT) \
+ fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__)
+#define APPID_LOG_FILTER_SERVICE_PORT(port, fmt, ...) \
+ if (port == SERVICE_DEBUG_PORT) \
+ fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__)
+#define APPID_LOG_IP_FILTER_PORTS(dp, sp, ip, fmt, ...) \
+ if (dp == SERVICE_DEBUG_PORT || sp == SERVICE_DEBUG_PORT) \
+ { \
+ char ipstr[INET6_ADDRSTRLEN]; \
+ sfip_ntop(&ip, ipstr, sizeof(ipstr)); \
+ fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__); \
+ }
+#else
+#define APPID_LOG_SERVICE(fmt) fprintf(SF_DEBUG_FILE, fmt)
+#define APPID_LOG_FILTER_PORTS(dp, sp, fmt, ...) fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__)
+#define APPID_LOG_FILTER_SERVICE_PORT(port, fmt, ...) \
+ UNUSED(port); \
+ fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__)
+#define APPID_LOG_IP_FILTER_PORTS(dp, sp, ip, fmt, ...) \
+ { \
+ char ipstr[INET6_ADDRSTRLEN]; \
+ sfip_ntop(&ip, ipstr, sizeof(ipstr)); \
+ fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__); \
+ }
+#endif
+#else
+#define APPID_LOG_SERVICE(fmt)
+#define APPID_LOG_FILTER_PORTS(dp, sp, fmt, ...)
+#define APPID_LOG_FILTER_SERVICE_PORT(port, fmt, ...) UNUSED(port);
+#define APPID_LOG_IP_FILTER_PORTS(dp, sp, ip, fmt, ...) UNUSED(ip);
+#endif
#define BUFSIZE 512
* and tried per flow based on port/pattern (if a valid detector doesn't
* already exist). */
#define MAX_CANDIDATE_SERVICES 10
+#define DHCP_OPTION55_LEN_MAX 255
-static void* service_flowdata_get(AppIdSession* flow, unsigned service_id);
-static int service_flowdata_add(AppIdSession* flow, void* data, unsigned service_id, AppIdFreeFCN
+static void* service_flowdata_get(AppIdSession* asd, unsigned service_id);
+static int service_flowdata_add(AppIdSession* asd, void* data, unsigned service_id, AppIdFreeFCN
fcn);
-static void AppIdAddHostInfo(AppIdSession* flow, SERVICE_HOST_INFO_CODE code, const void* info);
-static int AppIdAddDHCP(AppIdSession* flowp, unsigned op55_len, const uint8_t* op55, unsigned
+static void add_host_info(AppIdSession* asd, SERVICE_HOST_INFO_CODE code, const void* info);
+static int add_dhcp_info(AppIdSession* asd, unsigned op55_len, const uint8_t* op55, unsigned
op60_len, const uint8_t* op60, const uint8_t* mac);
-static void AppIdAddHostIP(AppIdSession* flow, const uint8_t* mac, uint32_t ip4,
+static void add_host_ip_info(AppIdSession* asd, const uint8_t* mac, uint32_t ip4,
int32_t zone, uint32_t subnetmask, uint32_t leaseSecs, uint32_t router);
-static void AppIdAddSMBData(AppIdSession* flow, unsigned major, unsigned minor, uint32_t flags);
-static void AppIdServiceAddMisc(AppIdSession* flow, AppId miscId);
+static void add_smb_info(AppIdSession* asd, unsigned major, unsigned minor, uint32_t flags);
+static void add_miscellaneous_info(AppIdSession* asd, AppId miscId);
+static void add_dns_query_info(AppIdSession*, uint16_t id, const uint8_t* host, uint8_t host_len,
+ uint16_t host_offset, uint16_t record_type);
+static void add_dns_response_info(AppIdSession*, uint16_t id, const uint8_t* host, uint8_t host_len,
+ uint16_t host_offset, uint8_t response_type, uint32_t ttl);
+static void reset_dns_info(AppIdSession*);
struct ServiceMatch
{
};
static const uint8_t zeromac[6] = { 0, 0, 0, 0, 0, 0 };
-static unsigned smOrderedListSize = 32;
-static THREAD_LOCAL DHCPInfo* dhcp_info_free_list;
-static THREAD_LOCAL FpSMBData* smb_data_free_list;
-static THREAD_LOCAL ServiceMatch** smOrderedList = nullptr;
-static THREAD_LOCAL ServiceMatch* free_service_match;
-static THREAD_LOCAL ServiceConfig* serviceConfig = nullptr;
+static THREAD_LOCAL DHCPInfo* dhcp_info_free_list = nullptr;
+static THREAD_LOCAL FpSMBData* smb_data_free_list = nullptr;
+static THREAD_LOCAL ServiceConfig* service_config = nullptr;
static THREAD_LOCAL RNAServiceElement* ftp_service = nullptr;
static THREAD_LOCAL ServicePatternData* free_pattern_data = nullptr;
{
&service_flowdata_get,
&service_flowdata_add,
- &AppIdAddDHCP,
- &AppIdAddHostIP,
- &AppIdAddSMBData,
+ &add_dhcp_info,
+ &add_host_ip_info,
+ &add_smb_info,
&AppIdServiceAddService,
&AppIdServiceFailService,
&AppIdServiceInProcess,
&AppIdServiceIncompatibleData,
- &AppIdAddHostInfo,
+ &add_host_info,
&AppIdAddPayload,
&AppIdAddUser,
&AppIdServiceAddServiceSubtype,
- &AppIdServiceAddMisc,
- &AppIdAddDnsQueryInfo,
- &AppIdAddDnsResponseInfo,
- &AppIdResetDnsInfo,
+ &add_miscellaneous_info,
+ &add_dns_query_info,
+ &add_dns_response_info,
+ &reset_dns_info,
};
-#ifdef SERVICE_DEBUG
-static const char* serviceIdStateName[] =
-{
- "NEW",
- "VALID",
- "PORT",
- "PATTERN",
- "BRUTE_FORCE"
-};
-#endif
-
/*C service API */
static void ServiceRegisterPattern(RNAServiceValidationFCN, IpProtocol, const uint8_t*, unsigned,
- int, struct Detector*, int, const char* );
-static void CServiceRegisterPattern(RNAServiceValidationFCN, IpProtocol, const uint8_t* ,
- unsigned, int , const char*);
+ int, struct Detector*, int, const char* );
+static void CServiceRegisterPattern(RNAServiceValidationFCN, IpProtocol, const uint8_t*, unsigned,
+ int, const char*);
static void ServiceRegisterPatternUser(RNAServiceValidationFCN, IpProtocol, const uint8_t*,
- unsigned, int, const char*);
+ unsigned, int, const char*);
void appSetServiceValidator( RNAServiceValidationFCN, AppId, unsigned extractsInfo);
static int CServiceAddPort(const RNAServiceValidationPort*, RNAServiceValidationModule*);
static void CServiceRemovePorts(RNAServiceValidationFCN validate);
void appSetServiceValidator(RNAServiceValidationFCN fcn, AppId appId, unsigned extractsInfo)
{
- AppInfoTableEntry* pEntry = appInfoEntryGet(appId);
+ AppInfoTableEntry* pEntry = AppInfoManager::get_instance().get_app_info_entry(appId);
if (!pEntry)
{
ErrorMessage("AppId: invalid direct service AppId, %d", appId);
DebugFormat(DEBUG_APPID, "Ignoring direct service without info for AppId %d", appId);
return;
}
- pEntry->svrValidator = ServiceGetServiceElement(fcn, nullptr);
+ pEntry->svrValidator = get_service_element(fcn, nullptr);
if (pEntry->svrValidator)
pEntry->flags |= extractsInfo;
else
ErrorMessage("AppId: failed to find a service element for AppId %d", appId);
}
-/**free ServiceMatch List.
- */
void AppIdFreeServiceMatchList(ServiceMatch* sm)
{
ServiceMatch* tmpSm;
- if (!sm)
- return;
-
- for (tmpSm = sm; tmpSm->next; tmpSm = tmpSm->next)
- ;
- tmpSm->next = free_service_match;
- free_service_match = sm;
+ while( sm )
+ {
+ tmpSm = sm;
+ sm = sm->next;
+ snort_free(tmpSm);
+ }
}
-int AddFTPServiceState(AppIdSession* fp)
+int AddFTPServiceState(AppIdSession* asd)
{
if (!ftp_service)
return -1;
- return fp->add_flow_data_id(21, ftp_service);
+ return asd->add_flow_data_id(21, ftp_service);
}
-/**allocate one ServiceMatch element.
- */
static inline ServiceMatch* allocServiceMatch(void)
{
- ServiceMatch* sm;
-
- if ((sm = free_service_match))
- {
- free_service_match = sm->next;
- memset(sm, 0, sizeof(*sm));
- return sm;
- }
return (ServiceMatch*)snort_calloc(sizeof(ServiceMatch));
}
if (pd->position >= 0 && pd->position != index)
return 0;
- for (sm=*matches; sm; sm=sm->next)
+ for (sm = *matches; sm; sm = sm->next)
if (sm->svc == pd->svc)
break;
+
if (sm)
sm->count++;
else
{
- sm=allocServiceMatch();
+ sm = allocServiceMatch();
sm->count++;
sm->svc = pd->svc;
sm->size = pd->size;
return appId;
}
-static inline uint16_t sslPortRemap(
- uint16_t port
- )
+static inline uint16_t sslPortRemap(uint16_t port)
{
switch (port)
{
}
static inline RNAServiceElement* AppIdGetNexServiceByPort( IpProtocol protocol, uint16_t port,
- const RNAServiceElement* const lasService, AppIdSession* rnaData)
+ const RNAServiceElement* const lasService, AppIdSession* asd)
{
RNAServiceElement* service = nullptr;
SF_LIST* list = nullptr;
- if (AppIdServiceDetectionLevel(rnaData) == 1)
+ if (AppIdServiceDetectionLevel(asd) == 1)
{
unsigned remappedPort = sslPortRemap(port);
if (remappedPort)
- list = serviceConfig->tcp_services[remappedPort];
+ list = service_config->tcp_services[remappedPort];
}
else if (protocol == IpProtocol::TCP)
- {
- list = serviceConfig->tcp_services[port];
- }
+ list = service_config->tcp_services[port];
else
- {
- list = serviceConfig->udp_services[port];
- }
+ list = service_config->udp_services[port];
if (list)
{
}
}
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (port == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "Port service for protocol %u port %u, service %s\n",
+ APPID_LOG_FILTER_SERVICE_PORT(port, "Port service for protocol %u port %u, service %s\n",
(unsigned)protocol, (unsigned)port, (service && service->name) ? service->name :
"UNKNOWN");
-#endif
return service;
}
-static inline RNAServiceElement* AppIdNexServiceByPattern(AppIdServiceIDState* id_state
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- , uint16_t port
-#endif
-#endif
- )
+static inline RNAServiceElement* get_service_by_pattern(AppIdServiceIDState* id_state,
+ uint16_t port)
{
RNAServiceElement* service = nullptr;
- while (id_state->currenService)
+ while (id_state->current_service)
{
- id_state->currenService = id_state->currenService->next;
- if (id_state->currenService && id_state->currenService->svc->current_ref_count)
+ id_state->current_service = id_state->current_service->next;
+ if (id_state->current_service && id_state->current_service->svc->current_ref_count)
{
- service = id_state->currenService->svc;
+ service = id_state->current_service->svc;
break;
}
}
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (port == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "Next pattern service %s\n",
+ APPID_LOG_FILTER_SERVICE_PORT(port, "Next pattern service %s\n",
(service && service->name) ? service->name : "UNKNOWN");
-#endif
return service;
}
-const RNAServiceElement* ServiceGetServiceElement(RNAServiceValidationFCN fcn, Detector* userdata)
+const RNAServiceElement* get_service_element(RNAServiceValidationFCN fcn, Detector* userdata)
{
RNAServiceElement* li;
- for (li=serviceConfig->tcp_service_list; li; li=li->next)
- {
+ for (li = service_config->tcp_service_list; li; li = li->next)
if ((li->validate == fcn) && (li->userdata == userdata))
return li;
- }
- for (li=serviceConfig->udp_service_list; li; li=li->next)
- {
+ for (li=service_config->udp_service_list; li; li=li->next)
if ((li->validate == fcn) && (li->userdata == userdata))
return li;
- }
+
return nullptr;
}
if ((IpProtocol)proto == IpProtocol::TCP)
{
- patterns = &serviceConfig->tcp_patterns;
- pd_list = &serviceConfig->tcp_pattern_data;
+ patterns = &service_config->tcp_patterns;
+ pd_list = &service_config->tcp_pattern_data;
- count = &serviceConfig->tcp_pattern_count;
- list = &serviceConfig->tcp_service_list;
+ count = &service_config->tcp_pattern_count;
+ list = &service_config->tcp_service_list;
}
else if ((IpProtocol)proto == IpProtocol::UDP)
{
- patterns = &serviceConfig->udp_patterns;
- pd_list = &serviceConfig->udp_pattern_data;
+ patterns = &service_config->udp_patterns;
+ pd_list = &service_config->udp_pattern_data;
- count = &serviceConfig->udp_pattern_count;
- list = &serviceConfig->udp_service_list;
+ count = &service_config->udp_pattern_count;
+ list = &service_config->udp_service_list;
}
else
{
{
li->ref_count--;
sflist_remove_node(listTmp, iter);
- // FIXIT-M: Revisit this for better solution to calling sflist_first after
+ // FIXIT-M Revisit this for better solution to calling sflist_first after
// deleting a node... ultimate solution for use of sflist would be move
// to STL
liTmp = (RNAServiceElement*)sflist_first(listTmp, &iter);
}
}
-/**
- * \brief Remove all ports registered for all services
- *
- * This function takes care of removing ports for all services including C service modules,
- * Lua detector modules and services associated with C detector modules.
- *
- * @return void
- */
static void RemoveAllServicePorts()
{
int i;
for ( i= 0; i < RNA_SERVICE_MAX_PORT; i++)
{
- if (serviceConfig->tcp_services[i])
+ if (service_config->tcp_services[i])
{
- sflist_free(serviceConfig->tcp_services[i]);
- serviceConfig->tcp_services[i] = nullptr;
+ sflist_free(service_config->tcp_services[i]);
+ service_config->tcp_services[i] = nullptr;
}
}
for (i = 0; i < RNA_SERVICE_MAX_PORT; i++)
{
- if (serviceConfig->udp_services[i])
+ if (service_config->udp_services[i])
{
- sflist_free(serviceConfig->udp_services[i]);
- serviceConfig->udp_services[i] = nullptr;
+ sflist_free(service_config->udp_services[i]);
+ service_config->udp_services[i] = nullptr;
}
}
for (i = 0; i < RNA_SERVICE_MAX_PORT; i++)
{
- if (serviceConfig->udp_reversed_services[i])
+ if (service_config->udp_reversed_services[i])
{
- sflist_free(serviceConfig->udp_reversed_services[i]);
- serviceConfig->udp_reversed_services[i] = nullptr;
+ sflist_free(service_config->udp_reversed_services[i]);
+ service_config->udp_reversed_services[i] = nullptr;
}
}
}
void ServiceRemovePorts(RNAServiceValidationFCN validate, struct Detector* userdata)
{
- RemoveServicePortsByType(validate, serviceConfig->tcp_services,
- serviceConfig->tcp_service_list, userdata);
- RemoveServicePortsByType(validate, serviceConfig->udp_services,
- serviceConfig->udp_service_list, userdata);
- RemoveServicePortsByType(validate, serviceConfig->udp_reversed_services,
- serviceConfig->udp_reversed_service_list, userdata);
+ RemoveServicePortsByType(validate, service_config->tcp_services,
+ service_config->tcp_service_list, userdata);
+ RemoveServicePortsByType(validate, service_config->udp_services,
+ service_config->udp_service_list, userdata);
+ RemoveServicePortsByType(validate, service_config->udp_reversed_services,
+ service_config->udp_reversed_service_list, userdata);
}
static void CServiceRemovePorts(RNAServiceValidationFCN validate)
svm->name, (unsigned)pp->proto, (unsigned)pp->port);
if (pp->proto == IpProtocol::TCP)
{
- services = serviceConfig->tcp_services;
- list = &serviceConfig->tcp_service_list;
+ services = service_config->tcp_services;
+ list = &service_config->tcp_service_list;
}
else if (pp->proto == IpProtocol::UDP)
{
if (!pp->reversed_validation)
{
- services = serviceConfig->udp_services;
- list = &serviceConfig->udp_service_list;
+ services = service_config->udp_services;
+ list = &service_config->udp_service_list;
}
else
{
- services = serviceConfig->udp_reversed_services;
- list = &serviceConfig->udp_reversed_service_list;
+ services = service_config->udp_reversed_services;
+ list = &service_config->udp_reversed_service_list;
}
}
else
void add_service_to_active_list(RNAServiceValidationModule* service)
{
- service->next = serviceConfig->active_service_list;
- serviceConfig->active_service_list = service;
+ service->next = service_config->active_service_list;
+ service_config->active_service_list = service;
}
static int serviceLoadForConfigCallback(void* symbol)
if (svm->init(&svc_init_api))
ErrorMessage("Error initializing service %s\n",svm->name);
- svm->next = serviceConfig->active_service_list;
- serviceConfig->active_service_list = svm;
+ svm->next = service_config->active_service_list;
+ service_config->active_service_list = svm;
svm->flow_data_index = service_module_index | APPID_SESSION_DATA_SERVICE_MODSTATE_BIT;
service_module_index++;
static int load_service_detectors()
{
- svc_init_api.instance_id = pAppidActiveConfig->mod_config->instance_id;
- svc_init_api.debug = pAppidActiveConfig->mod_config->debug;
- svc_init_api.pAppidConfig = pAppidActiveConfig;
+ svc_init_api.instance_id = AppIdConfig::get_appid_config()->mod_config->instance_id;
+ svc_init_api.debug = AppIdConfig::get_appid_config()->mod_config->debug;
+ svc_init_api.pAppidConfig = AppIdConfig::get_appid_config();
for ( unsigned i = 0; i < NUM_STATIC_SERVICES; i++)
{
void init_service_plugins()
{
- serviceConfig = new ServiceConfig;
+ service_config = new ServiceConfig;
if ( load_service_detectors() )
exit(-1);
void finalize_service_patterns()
{
ServicePatternData* curr;
- ServicePatternData* lists[] = { serviceConfig->tcp_pattern_data,
- serviceConfig->udp_pattern_data };
+ ServicePatternData* lists[] = { service_config->tcp_pattern_data,
+ service_config->udp_pattern_data };
for ( unsigned i = 0; i < (sizeof(lists) / sizeof(*lists)); i++)
{
curr = lists[i];
}
}
- if (serviceConfig->tcp_patterns)
- serviceConfig->tcp_patterns->prep();
- if (serviceConfig->udp_patterns)
- serviceConfig->udp_patterns->prep();
+ if (service_config->tcp_patterns)
+ service_config->tcp_patterns->prep();
+ if (service_config->udp_patterns)
+ service_config->udp_patterns->prep();
}
void clean_service_plugins()
{
ServicePatternData* pattern;
RNAServiceElement* se;
- ServiceMatch* sm;
RNAServiceValidationModule* svm;
FpSMBData* sd;
DHCPInfo* info;
- if (serviceConfig->tcp_patterns)
+ if (service_config->tcp_patterns)
{
- delete serviceConfig->tcp_patterns;
- serviceConfig->tcp_patterns = nullptr;
+ delete service_config->tcp_patterns;
+ service_config->tcp_patterns = nullptr;
}
- if (serviceConfig->udp_patterns)
+ if (service_config->udp_patterns)
{
- delete serviceConfig->udp_patterns;
- serviceConfig->udp_patterns = nullptr;
+ delete service_config->udp_patterns;
+ service_config->udp_patterns = nullptr;
}
- while ((pattern = serviceConfig->tcp_pattern_data))
+ while ((pattern = service_config->tcp_pattern_data))
{
- serviceConfig->tcp_pattern_data = pattern->next;
+ service_config->tcp_pattern_data = pattern->next;
snort_free(pattern);
}
- while ((pattern = serviceConfig->udp_pattern_data))
+ while ((pattern = service_config->udp_pattern_data))
{
- serviceConfig->udp_pattern_data = pattern->next;
+ service_config->udp_pattern_data = pattern->next;
snort_free(pattern);
}
snort_free(pattern);
}
- while ((se = serviceConfig->tcp_service_list))
+ while ((se = service_config->tcp_service_list))
{
- serviceConfig->tcp_service_list = se->next;
+ service_config->tcp_service_list = se->next;
delete se;
}
- while ((se = serviceConfig->udp_service_list))
+ while ((se = service_config->udp_service_list))
{
- serviceConfig->udp_service_list = se->next;
+ service_config->udp_service_list = se->next;
delete se;
}
- while ((se = serviceConfig->udp_reversed_service_list))
+ while ((se = service_config->udp_reversed_service_list))
{
- serviceConfig->udp_reversed_service_list = se->next;
+ service_config->udp_reversed_service_list = se->next;
delete se;
}
snort_free(info);
}
- while ((sm = free_service_match))
- {
- free_service_match = sm->next;
- snort_free(sm);
- }
-
- if (smOrderedList)
- {
- // FIXIT-M: still allocated with calloc/realloc - vector coming soon...
- free(smOrderedList);
- smOrderedListSize = 32;
- }
-
RemoveAllServicePorts();
- for (svm = serviceConfig->active_service_list; svm; svm = svm->next)
+ for (svm = service_config->active_service_list; svm; svm = svm->next)
{
if (svm->clean)
svm->clean();
clean_service_port_patterns();
- delete serviceConfig;
+ delete service_config;
}
static int AppIdPatternPrecedence(const void* a, const void* b)
{
SearchTool* patterns = nullptr;
ServiceMatch* match_list;
- ServiceMatch* sm;
- uint32_t count;
uint32_t i;
RNAServiceElement* service = nullptr;
+ std::vector<ServiceMatch*> smOrderedList;
if (proto == IpProtocol::TCP)
- patterns = serviceConfig->tcp_patterns;
+ patterns = service_config->tcp_patterns;
else
- patterns = serviceConfig->udp_patterns;
+ patterns = service_config->udp_patterns;
if (!patterns)
{
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "Pattern bailing due to no patterns\n");
-#endif
+ APPID_LOG_SERVICE("Pattern bailing due to no patterns\n");
return nullptr;
}
- if (!smOrderedList)
- {
- // FIXIT-M: - using calloc because this may be realloc'ed later, change to vector asap
- smOrderedList = (ServiceMatch**)calloc(smOrderedListSize, sizeof(ServiceMatch*));
- if (!smOrderedList)
- {
- ErrorMessage("Pattern bailing due to failed allocation");
- return nullptr;
- }
- }
-
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
- {
-#endif
- fprintf(SF_DEBUG_FILE, "Matching\n");
- DumpHex(SF_DEBUG_FILE, pkt->data, pkt->dsize);
-#if SERVICE_DEBUG_PORT
-}
-
-#endif
-#endif
/*FRE didn't search */
match_list = nullptr;
patterns->find_all((char*)pkt->data, pkt->dsize, &pattern_match, false, (void*)&match_list);
- count = 0;
- for (sm = match_list; sm; sm = sm->next)
- {
- if (count >= smOrderedListSize)
- {
- ServiceMatch** tmp;
- smOrderedListSize *= 2;
- assert(smOrderedListSize > 0);
-
- tmp = (ServiceMatch**)realloc(smOrderedList,
- smOrderedListSize * sizeof(*smOrderedList));
-
- if (!tmp)
- {
- ErrorMessage("Realloc failure %u\n",smOrderedListSize);
- smOrderedListSize /= 2;
-
- /*free the remaining elements. */
- AppIdFreeServiceMatchList(sm);
-
- break;
- }
- ErrorMessage("Realloc %u\n",smOrderedListSize);
-
- smOrderedList = tmp;
- }
-
- smOrderedList[count++] = sm;
- }
+ for (ServiceMatch* sm = match_list; sm; sm = sm->next)
+ smOrderedList.push_back(sm);
- if (!count)
+ if (smOrderedList.size() == 0)
return nullptr;
- qsort(smOrderedList, count, sizeof(*smOrderedList), AppIdPatternPrecedence);
+ std::sort(smOrderedList.begin(), smOrderedList.end(), AppIdPatternPrecedence);
- /*rearrange the matchlist now */
- for (i = 0; i < (count-1); i++)
- smOrderedList[i]->next = smOrderedList[i+1];
+ for (i = 0; i < smOrderedList.size() - 1; i++)
+ smOrderedList[i]->next = smOrderedList[i + 1];
smOrderedList[i]->next = nullptr;
service = smOrderedList[0]->svc;
if (id_state)
{
id_state->svc = service;
- if (id_state->serviceList != nullptr)
- {
- AppIdFreeServiceMatchList(id_state->serviceList);
- }
- id_state->serviceList = smOrderedList[0];
- id_state->currenService = smOrderedList[0];
+ if (id_state->service_list != nullptr)
+ AppIdFreeServiceMatchList(id_state->service_list);
+
+ id_state->service_list = smOrderedList[0];
+ id_state->current_service = smOrderedList[0];
}
else
AppIdFreeServiceMatchList(smOrderedList[0]);
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "Pattern service for protocol %u (%u->%u), %s\n",
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
+ "Pattern service for protocol %u (%u->%u), %s\n",
(unsigned)proto, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp,
- (service && service->name) ? service->name.c_str() : "UNKNOWN");
-#endif
+ (service && service->name) ? service->name : "UNKNOWN");
return service;
}
if (lasService)
service = lasService->next;
else
- service = ((protocol == IpProtocol::TCP) ? serviceConfig->tcp_service_list :
- serviceConfig->udp_service_list);
+ service = ((protocol == IpProtocol::TCP) ? service_config->tcp_service_list :
+ service_config->udp_service_list);
while (service && !service->current_ref_count)
service = service->next;
return service;
}
-static void AppIdAddHostInfo(AppIdSession*, SERVICE_HOST_INFO_CODE, const void*)
+static void add_host_info(AppIdSession*, SERVICE_HOST_INFO_CODE, const void*)
{
}
-void AppIdFreeDhcpData(DhcpFPData* dd)
+void AppIdFreeDhcpData(DHCPData* dd)
{
snort_free(dd);
}
-static int AppIdAddDHCP(AppIdSession* flowp, unsigned op55_len, const uint8_t* op55, unsigned
+static int add_dhcp_info(AppIdSession* asd, unsigned op55_len, const uint8_t* op55, unsigned
op60_len, const uint8_t* op60, const uint8_t* mac)
{
if (op55_len && op55_len <= DHCP_OPTION55_LEN_MAX
- && !flowp->getAppIdFlag(APPID_SESSION_HAS_DHCP_FP))
+ && !asd->get_session_flags(APPID_SESSION_HAS_DHCP_FP))
{
- DhcpFPData* rdd;
+ DHCPData* rdd;
- rdd = (DhcpFPData*)snort_calloc(sizeof(*rdd));
- if (flowp->add_flow_data(rdd, APPID_SESSION_DATA_DHCP_FP_DATA,
+ rdd = (DHCPData*)snort_calloc(sizeof(*rdd));
+ if (asd->add_flow_data(rdd, APPID_SESSION_DATA_DHCP_FP_DATA,
(AppIdFreeFCN)AppIdFreeDhcpData))
{
AppIdFreeDhcpData(rdd);
return -1;
}
- flowp->setAppIdFlag(APPID_SESSION_HAS_DHCP_FP);
+ asd->set_session_flags(APPID_SESSION_HAS_DHCP_FP);
rdd->op55_len = (op55_len > DHCP_OP55_MAX_SIZE) ? DHCP_OP55_MAX_SIZE : op55_len;
memcpy(rdd->op55, op55, rdd->op55_len);
rdd->op60_len = (op60_len > DHCP_OP60_MAX_SIZE) ? DHCP_OP60_MAX_SIZE : op60_len;
if (op60_len)
memcpy(rdd->op60, op60, rdd->op60_len);
- memcpy(rdd->mac, mac, sizeof(rdd->mac));
+ memcpy(rdd->eth_addr, mac, sizeof(rdd->eth_addr));
}
return 0;
}
}
}
-static void AppIdAddHostIP(AppIdSession* flow, const uint8_t* mac, uint32_t ip, int32_t zone,
+static unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone)
+{
+ NetworkSet* net_list;
+ unsigned flags;
+ AppIdConfig* pConfig = AppIdConfig::get_appid_config();
+
+ if (zone >= 0 && zone < MAX_ZONES && pConfig->net_list_by_zone[zone])
+ net_list = pConfig->net_list_by_zone[zone];
+ else
+ net_list = pConfig->net_list;
+
+ NetworkSet_ContainsEx(net_list, ip4, &flags);
+ return flags;
+}
+
+static void add_host_ip_info(AppIdSession* asd, const uint8_t* mac, uint32_t ip, int32_t zone,
uint32_t subnetmask, uint32_t leaseSecs, uint32_t router)
{
DHCPInfo* info;
if (memcmp(mac, zeromac, 6) == 0 || ip == 0)
return;
- if (!flow->getAppIdFlag(APPID_SESSION_DO_RNA)
- || flow->getAppIdFlag(APPID_SESSION_HAS_DHCP_INFO))
+ if (!asd->get_session_flags(APPID_SESSION_DO_RNA)
+ || asd->get_session_flags(APPID_SESSION_HAS_DHCP_INFO))
return;
flags = isIPv4HostMonitored(ntohl(ip), zone);
else
info = (DHCPInfo*)snort_calloc(sizeof(DHCPInfo));
- if (flow->add_flow_data(info, APPID_SESSION_DATA_DHCP_INFO,
+ if (asd->add_flow_data(info, APPID_SESSION_DATA_DHCP_INFO,
(AppIdFreeFCN)AppIdFreeDhcpInfo))
{
AppIdFreeDhcpInfo(info);
return;
}
- flow->setAppIdFlag(APPID_SESSION_HAS_DHCP_INFO);
+ asd->set_session_flags(APPID_SESSION_HAS_DHCP_INFO);
info->ipAddr = ip;
- memcpy(info->macAddr, mac, sizeof(info->macAddr));
+ memcpy(info->eth_addr, mac, sizeof(info->eth_addr));
info->subnetmask = subnetmask;
info->leaseSecs = leaseSecs;
info->router = router;
}
}
-static void AppIdAddSMBData(AppIdSession* flow, unsigned major, unsigned minor, uint32_t flags)
+static void add_smb_info(AppIdSession* asd, unsigned major, unsigned minor, uint32_t flags)
{
FpSMBData* sd;
else
sd = (FpSMBData*)snort_calloc(sizeof(FpSMBData));
- if (flow->add_flow_data(sd, APPID_SESSION_DATA_SMB_DATA, (AppIdFreeFCN)AppIdFreeSMBData))
+ if (asd->add_flow_data(sd, APPID_SESSION_DATA_SMB_DATA, (AppIdFreeFCN)AppIdFreeSMBData))
{
AppIdFreeSMBData(sd);
return;
}
- flow->setAppIdFlag(APPID_SESSION_HAS_SMB_INFO);
+ asd->set_session_flags(APPID_SESSION_HAS_SMB_INFO);
sd->major = major;
sd->minor = minor;
sd->flags = flags & FINGERPRINT_UDP_FLAGS_MASK;
}
-static int AppIdServiceAddServiceEx(AppIdSession* flow, const Packet* pkt, int dir,
- const RNAServiceElement* svc_element,
- AppId appId, const char* vendor, const char* version)
+static int AppIdServiceAddServiceEx(AppIdSession* asd, const Packet* pkt, int dir,
+ const RNAServiceElement* svc_element, AppId appId, const char* vendor, const char* version)
{
AppIdServiceIDState* id_state;
uint16_t port;
const sfip_t* ip;
- if (!flow || !pkt || !svc_element)
+ if (!asd || !pkt || !svc_element)
{
ErrorMessage("Invalid arguments to absinthe_add_appId");
return SERVICE_EINVALID;
}
- flow->serviceData = svc_element;
+ asd->serviceData = svc_element;
if (vendor)
{
- if (flow->serviceVendor)
- snort_free(flow->serviceVendor);
- flow->serviceVendor = snort_strdup(vendor);
+ if (asd->serviceVendor)
+ snort_free(asd->serviceVendor);
+ asd->serviceVendor = snort_strdup(vendor);
}
if (version)
{
- if (flow->serviceVersion)
- snort_free(flow->serviceVersion);
- flow->serviceVersion = snort_strdup(version);
+ if (asd->serviceVersion)
+ snort_free(asd->serviceVersion);
+ asd->serviceVersion = snort_strdup(version);
}
- flow->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
- flow->serviceAppId = appId;
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
+ asd->serviceAppId = appId;
checkSandboxDetection(appId);
- if (flow->getAppIdFlag(APPID_SESSION_IGNORE_HOST))
+ if (asd->get_session_flags(APPID_SESSION_IGNORE_HOST))
return SERVICE_SUCCESS;
- if (!flow->getAppIdFlag(APPID_SESSION_UDP_REVERSED))
+ if (!asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
if (dir == APP_ID_FROM_INITIATOR)
{
ip = pkt->ptrs.ip_api.get_src();
port = pkt->ptrs.sp;
}
- if (flow->service_port)
- port = flow->service_port;
+ if (asd->service_port)
+ port = asd->service_port;
}
else
{
/* If we ended up with UDP reversed, make sure we're pointing to the
* correct host tracker entry. */
- if (flow->getAppIdFlag(APPID_SESSION_UDP_REVERSED))
+ if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
- flow->id_state = AppIdGetServiceIDState(ip, flow->protocol, port,
- AppIdServiceDetectionLevel(flow));
+ asd->id_state = get_service_id_state(ip, asd->protocol, port,
+ AppIdServiceDetectionLevel(asd));
}
- if (!(id_state = flow->id_state))
+ if (!(id_state = asd->id_state))
{
- if (!(id_state = AppIdAddServiceIDState(ip, flow->protocol, port, AppIdServiceDetectionLevel(
- flow))))
+ if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel(
+ asd))))
{
ErrorMessage("Add service failed to create state");
return SERVICE_ENOMEM;
}
- flow->id_state = id_state;
- flow->service_ip = *ip;
- flow->service_port = port;
+
+ asd->id_state = id_state;
+ asd->service_ip = *ip;
+ asd->service_port = port;
}
else
{
- if (id_state->serviceList)
+ if (id_state->service_list)
{
- AppIdFreeServiceMatchList(id_state->serviceList);
- id_state->serviceList = nullptr;
- id_state->currenService = nullptr;
+ AppIdFreeServiceMatchList(id_state->service_list);
+ id_state->service_list = nullptr;
+ id_state->current_service = nullptr;
}
- if (!sfip_is_set(&flow->service_ip))
+
+ if (!sfip_is_set(&asd->service_ip))
{
- flow->service_ip = *ip;
- flow->service_port = port;
+ asd->service_ip = *ip;
+ asd->service_port = port;
}
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "Service %d for protocol %u on port %u (%u->%u) is valid\n",
- (int)appId, (unsigned)flow->proto, (unsigned)flow->service_port,
+
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
+ "Service %d for protocol %u on port %u (%u->%u) is valid\n",
+ (int)appId, (unsigned)asd->protocol, (unsigned)asd->service_port,
(unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp);
-#endif
}
id_state->reset_time = 0;
if (id_state->state != SERVICE_ID_VALID)
}
id_state->svc = svc_element;
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- {
- char ipstr[INET6_ADDRSTRLEN];
-
- ipstr[0] = 0;
- sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr));
- fprintf(SF_DEBUG_FILE, "Valid: %s:%u:%u %p %d\n", ipstr, (unsigned)flow->proto,
- (unsigned)flow->service_port, id_state, (int)id_state->state);
- }
-#endif
+ APPID_LOG_IP_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, asd->service_ip,
+ "Valid: %s:%u:%u %p %d\n",
+ ipstr, (unsigned)asd->protocol, (unsigned)asd->service_port,
+ (void*)id_state, (int)id_state->state);
if (!id_state->valid_count)
{
/* Done looking for this session. */
id_state->searching = false;
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "Service %d for protocol %u on port %u (%u->%u) is valid\n",
- (int)appId, (unsigned)flow->proto, (unsigned)flow->service_port, (unsigned)pkt->ptrs.sp,
- (unsigned)pkt->ptrs.dp);
-#endif
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
+ "Service %d for protocol %u on port %u (%u->%u) is valid\n",
+ (int)appId, (unsigned)asd->protocol, (unsigned)asd->service_port,
+ (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp);
return SERVICE_SUCCESS;
}
-int AppIdServiceAddServiceSubtype(AppIdSession* flow, const Packet* pkt, int dir,
- const RNAServiceElement* svc_element,
- AppId appId, const char* vendor, const char* version,
+int AppIdServiceAddServiceSubtype(AppIdSession* asd, const Packet* pkt, int dir,
+ const RNAServiceElement* svc_element, AppId appId, const char* vendor, const char* version,
RNAServiceSubtype* subtype)
{
- flow->subtype = subtype;
+ asd->subtype = subtype;
if (!svc_element->current_ref_count)
{
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE,
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
"Service %d for protocol %u on port %u (%u->%u) is valid, but skipped\n",
- (int)appId, (unsigned)flow->proto, (unsigned)flow->service_port,
+ (int)appId, (unsigned)asd->protocol, (unsigned)asd->service_port,
(unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp);
-#endif
return SERVICE_SUCCESS;
}
- return AppIdServiceAddServiceEx(flow, pkt, dir, svc_element, appId, vendor, version);
+ return AppIdServiceAddServiceEx(asd, pkt, dir, svc_element, appId, vendor, version);
}
-int AppIdServiceAddService(AppIdSession* flow, const Packet* pkt, int dir,
- const RNAServiceElement* svc_element,
- AppId appId, const char* vendor, const char* version,
+int AppIdServiceAddService(AppIdSession* asd, const Packet* pkt, int dir,
+ const RNAServiceElement* svc_element, AppId appId, const char* vendor, const char* version,
const RNAServiceSubtype* subtype)
{
RNAServiceSubtype* new_subtype = nullptr;
if (!svc_element->current_ref_count)
{
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE,
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
"Service %d for protocol %u on port %u (%u->%u) is valid, but skipped\n",
- (int)appId, (unsigned)flow->proto, (unsigned)flow->service_port,
+ (int)appId, (unsigned)asd->protocol, (unsigned)asd->service_port,
(unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp);
-#endif
return SERVICE_SUCCESS;
}
tmp_subtype->next = new_subtype;
new_subtype = tmp_subtype;
}
- flow->subtype = new_subtype;
- return AppIdServiceAddServiceEx(flow, pkt, dir, svc_element, appId, vendor, version);
+ asd->subtype = new_subtype;
+ return AppIdServiceAddServiceEx(asd, pkt, dir, svc_element, appId, vendor, version);
}
-int AppIdServiceInProcess(AppIdSession* flow, const Packet* pkt, int dir,
+int AppIdServiceInProcess(AppIdSession* asd, const Packet* pkt, int dir,
const RNAServiceElement* svc_element)
{
AppIdServiceIDState* id_state;
- if (!flow || !pkt)
+ if (!asd || !pkt)
{
ErrorMessage("Invalid arguments to service_in_process");
return SERVICE_EINVALID;
}
- if (dir == APP_ID_FROM_INITIATOR || flow->getAppIdFlag(APPID_SESSION_IGNORE_HOST|
+ if (dir == APP_ID_FROM_INITIATOR || asd->get_session_flags(APPID_SESSION_IGNORE_HOST|
APPID_SESSION_UDP_REVERSED))
return SERVICE_SUCCESS;
- if (!(id_state = flow->id_state))
+ if (!(id_state = asd->id_state))
{
uint16_t port;
const sfip_t* ip;
ip = pkt->ptrs.ip_api.get_src();
- port = flow->service_port ? flow->service_port : pkt->ptrs.sp;
+ port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
- if (!(id_state = AppIdAddServiceIDState(ip, flow->protocol, port, AppIdServiceDetectionLevel(
- flow))))
+ if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel(
+ asd))))
{
ErrorMessage("In-process service failed to create state");
return SERVICE_ENOMEM;
}
- flow->id_state = id_state;
- flow->service_ip = *ip;
- flow->service_port = port;
+ asd->id_state = id_state;
+ asd->service_ip = *ip;
+ asd->service_port = port;
id_state->state = SERVICE_ID_NEW;
id_state->svc = svc_element;
}
else
{
- if (!sfip_is_set(&flow->service_ip))
+ if (!sfip_is_set(&asd->service_ip))
{
const sfip_t* ip = pkt->ptrs.ip_api.get_src();
- flow->service_ip = *ip;
- if (!flow->service_port)
- flow->service_port = pkt->ptrs.sp;
+ asd->service_ip = *ip;
+ if (!asd->service_port)
+ asd->service_port = pkt->ptrs.sp;
}
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "Service for protocol %u on port %u is in process (%u->%u), %p %s",
- (unsigned)flow->proto, (unsigned)flow->service_port, (unsigned)pkt->ptrs.sp,
- (unsigned)pkt->ptrs.dp,
- svc_element->validate, svc_element->name ? : "UNKNOWN");
-#endif
}
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- {
- char ipstr[INET6_ADDRSTRLEN];
-
- ipstr[0] = 0;
- sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr));
- fprintf(SF_DEBUG_FILE, "Inprocess: %s:%u:%u %p %d\n", ipstr, (unsigned)flow->proto,
- (unsigned)flow->service_port,
- id_state, (int)id_state->state);
- }
-#endif
+ APPID_LOG_IP_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,asd->service_ip,
+ "Inprocess: %s:%u:%u %p %d\n", ipstr,
+ (unsigned)asd->protocol, (unsigned)asd->service_port, (void*)id_state,
+ (int)id_state->state);
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "Service for protocol %u on port %u is in process (%u->%u), %s\n",
- (unsigned)flow->proto, (unsigned)flow->service_port, (unsigned)pkt->ptrs.sp,
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
+ "Service for protocol %u on port %u is in process (%u->%u), %s\n",
+ (unsigned)asd->protocol, (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp,
(unsigned)pkt->ptrs.dp,
- svc_element->name ? : "UNKNOWN");
-#endif
+ svc_element->name ? svc_element->name : "UNKNOWN");
return SERVICE_SUCCESS;
}
* client ultimately we will have to fail the service. If the same behavior is seen from different
* clients going to same service then this most likely the service is something else.
*/
-int AppIdServiceIncompatibleData(AppIdSession* flow, const Packet* pkt, int dir,
+int AppIdServiceIncompatibleData(AppIdSession* asd, const Packet* pkt, int dir,
const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig*)
{
AppIdServiceIDState* id_state;
- if (!flow || !pkt)
+ if (!asd || !pkt)
{
ErrorMessage("Invalid arguments to service_incompatible_data");
return SERVICE_EINVALID;
}
if (flow_data_index != APPID_SESSION_DATA_NONE)
- flow->free_flow_data_by_id(flow_data_index);
+ asd->free_flow_data_by_id(flow_data_index);
/* If we're still working on a port/pattern list of detectors, then ignore
* individual fails until we're done looking at everything. */
- if ( (flow->serviceData == nullptr) /* we're
- working
- on a list
- of
- detectors,
- and... */
- && (flow->candidate_service_list != nullptr)
- && (flow->id_state != nullptr) )
- {
- if (sflist_count(flow->candidate_service_list) != 0)
+ if ( (asd->serviceData == nullptr) && (asd->candidate_service_list != nullptr)
+ && (asd->id_state != nullptr) )
+ {
+ if (sflist_count(asd->candidate_service_list) != 0)
{
return SERVICE_SUCCESS;
}
- else if ((flow->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES)
- || (flow->id_state->state == SERVICE_ID_BRUTE_FORCE) )
+ else if ((asd->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES)
+ || (asd->id_state->state == SERVICE_ID_BRUTE_FORCE) )
{
return SERVICE_SUCCESS;
}
}
- flow->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
- flow->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
- flow->serviceAppId = APP_ID_NONE;
+ asd->serviceAppId = APP_ID_NONE;
- if (flow->getAppIdFlag(APPID_SESSION_IGNORE_HOST|APPID_SESSION_UDP_REVERSED) || (svc_element &&
+ if (asd->get_session_flags(APPID_SESSION_IGNORE_HOST|APPID_SESSION_UDP_REVERSED) || (svc_element &&
!svc_element->current_ref_count))
return SERVICE_SUCCESS;
if (dir == APP_ID_FROM_INITIATOR)
{
- flow->setAppIdFlag(APPID_SESSION_INCOMPATIBLE);
+ asd->set_session_flags(APPID_SESSION_INCOMPATIBLE);
return SERVICE_SUCCESS;
}
- if (!(id_state = flow->id_state))
+ if (!(id_state = asd->id_state))
{
uint16_t port;
const sfip_t* ip;
ip = pkt->ptrs.ip_api.get_src();
- port = flow->service_port ? flow->service_port : pkt->ptrs.sp;
+ port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
- if (!(id_state = AppIdAddServiceIDState(ip, flow->protocol, port, AppIdServiceDetectionLevel(
- flow))))
+ if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel(
+ asd))))
{
ErrorMessage("Incompatible service failed to create state");
return SERVICE_ENOMEM;
}
- flow->id_state = id_state;
- flow->service_ip = *ip;
- flow->service_port = port;
+
+ //id_state->service_list = nullptr;
id_state->state = SERVICE_ID_NEW;
id_state->svc = svc_element;
+ asd->id_state = id_state;
+ asd->service_ip = *ip;
+ asd->service_port = port;
}
else
{
- if (!sfip_is_set(&flow->service_ip))
+ if (!sfip_is_set(&asd->service_ip))
{
const sfip_t* ip = pkt->ptrs.ip_api.get_src();
- flow->service_ip = *ip;
- if (!flow->service_port)
- flow->service_port = pkt->ptrs.sp;
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE,
+ asd->service_ip = *ip;
+ if (!asd->service_port)
+ asd->service_port = pkt->ptrs.sp;
+
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
"service_IC: Changed State to %s for protocol %u on port %u (%u->%u), count %u, %s\n",
- serviceIdStateName[id_state->state], (unsigned)flow->proto,
- (unsigned)flow->service_port,
+ service_id_state_name[id_state->state], (unsigned)asd->protocol,
+ (unsigned)asd->service_port,
(unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, id_state->invalid_client_count,
(id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN");
-#endif
}
id_state->reset_time = 0;
}
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE,
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
"service_IC: State %s for protocol %u on port %u (%u->%u), count %u, %s\n",
- serviceIdStateName[id_state->state], (unsigned)flow->proto, (unsigned)flow->service_port,
+ service_id_state_name[id_state->state], (unsigned)asd->protocol, (unsigned)asd->service_port,
(unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, id_state->invalid_client_count,
(id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN");
-#endif
-
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- {
- char ipstr[INET6_ADDRSTRLEN];
- ipstr[0] = 0;
- sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr));
- fprintf(SF_DEBUG_FILE, "Incompat: %s:%u:%u %p %d %s\n", ipstr, (unsigned)flow->proto,
- (unsigned)flow->service_port,
- id_state, (int)id_state->state,
+ APPID_LOG_IP_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, asd->service_ip,
+ "Incompat: %s:%u:%u %p %d %s\n",
+ ipstr, (unsigned)asd->protocol, (unsigned)asd->service_port, (void*)id_state,
+ (int)id_state->state,
(id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN");
- }
-#endif
-
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- {
- char ipstr[INET6_ADDRSTRLEN];
-
- ipstr[0] = 0;
- sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr));
- fprintf(SF_DEBUG_FILE, "Incompat End: %s:%u:%u %p %d %s\n", ipstr, (unsigned)flow->proto,
- (unsigned)flow->service_port,
- id_state, (int)id_state->state, (id_state->svc && id_state->svc->name) ?
- id_state->svc->name : "UNKNOWN");
- }
-#endif
return SERVICE_SUCCESS;
}
-int AppIdServiceFailService(AppIdSession* flow, const Packet* pkt, int dir,
- const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig*)
+int AppIdServiceFailService(AppIdSession* asd, const Packet* pkt, int dir,
+ const RNAServiceElement* svc_element, unsigned flow_data_index)
{
AppIdServiceIDState* id_state;
if (flow_data_index != APPID_SESSION_DATA_NONE)
- flow->free_flow_data_by_id(flow_data_index);
+ asd->free_flow_data_by_id(flow_data_index);
/* If we're still working on a port/pattern list of detectors, then ignore
* individual fails until we're done looking at everything. */
- if ( (flow->serviceData == nullptr)
- && (flow->candidate_service_list != nullptr)
- && (flow->id_state != nullptr) )
+ if ( (asd->serviceData == nullptr)
+ && (asd->candidate_service_list != nullptr)
+ && (asd->id_state != nullptr) )
{
- if (sflist_count(flow->candidate_service_list) != 0)
+ if (sflist_count(asd->candidate_service_list) != 0)
return SERVICE_SUCCESS;
- else if ( (flow->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES)
- || (flow->id_state->state == SERVICE_ID_BRUTE_FORCE) )
+ else if ( (asd->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES)
+ || (asd->id_state->state == SERVICE_ID_BRUTE_FORCE) )
return SERVICE_SUCCESS;
}
- flow->serviceAppId = APP_ID_NONE;
+ asd->serviceAppId = APP_ID_NONE;
- flow->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
- flow->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
- /* detectors should be careful in marking flow UDP_REVERSED otherwise the same detector
+ /* detectors should be careful in marking session UDP_REVERSED otherwise the same detector
* gets all future flows. UDP_REVERSE should be marked only when detector positively
* matches opposite direction patterns. */
- if (flow->getAppIdFlag(APPID_SESSION_IGNORE_HOST | APPID_SESSION_UDP_REVERSED)
+ if (asd->get_session_flags(APPID_SESSION_IGNORE_HOST | APPID_SESSION_UDP_REVERSED)
|| (svc_element && !svc_element->current_ref_count))
return SERVICE_SUCCESS;
* otherwise the service will show up on client side. */
if (dir == APP_ID_FROM_INITIATOR)
{
- flow->setAppIdFlag(APPID_SESSION_INCOMPATIBLE);
+ asd->set_session_flags(APPID_SESSION_INCOMPATIBLE);
return SERVICE_SUCCESS;
}
- if (!(id_state = flow->id_state))
+ if (!(id_state = asd->id_state))
{
uint16_t port;
const sfip_t* ip;
ip = pkt->ptrs.ip_api.get_src();
- port = flow->service_port ? flow->service_port : pkt->ptrs.sp;
+ port = asd->service_port ? asd->service_port : pkt->ptrs.sp;
- if (!(id_state = AppIdAddServiceIDState(ip, flow->protocol, port, AppIdServiceDetectionLevel(
- flow))))
+ if (!(id_state = add_service_id_state(ip, asd->protocol, port,
+ AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("Fail service failed to create state");
return SERVICE_ENOMEM;
}
- flow->id_state = id_state;
- flow->service_ip = *ip;
- flow->service_port = port;
+
+ //id_state->service_list = nullptr;
id_state->state = SERVICE_ID_NEW;
id_state->svc = svc_element;
+ asd->id_state = id_state;
+ asd->service_ip = *ip;
+ asd->service_port = port;
}
else
{
- if (!sfip_is_set(&flow->service_ip))
+ if (!sfip_is_set(&asd->service_ip))
{
const sfip_t* ip = pkt->ptrs.ip_api.get_src();
- flow->service_ip = *ip;
- if (!flow->service_port)
- flow->service_port = pkt->ptrs.sp;
+ asd->service_ip = *ip;
+ if (!asd->service_port)
+ asd->service_port = pkt->ptrs.sp;
}
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE,
- "service_fail: State %s for protocol %u on port %u (%u->%u), count %u, valid count %u, currSvc %s\n",
- serviceIdStateName[id_state->state], (unsigned)flow->proto,
- (unsigned)flow->service_port,
- (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, id_state->invalid_client_count,
- id_state->valid_count,
- (svc_element && svc_element->name) ? svc_element->name : "UNKNOWN");
-#endif
}
id_state->reset_time = 0;
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE,
- "service_fail: State %s for protocol %u on port %u (%u->%u), count %u, valid count %u, currSvc %s\n",
- serviceIdStateName[id_state->state], (unsigned)flow->proto, (unsigned)flow->service_port,
- (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, id_state->invalid_client_count,
- id_state->valid_count,
- (svc_element && svc_element->name) ? svc_element->name : "UNKNOWN");
-#endif
-
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- {
- char ipstr[INET6_ADDRSTRLEN];
+ APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,
+ "service_fail: State %s for protocol %u on port %u (%u->%u), count %u, valid count %u, currSvc %s\n",
+ service_id_state_name[id_state->state], (unsigned)asd->protocol,
+ (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp,
+ id_state->invalid_client_count, id_state->valid_count,
+ (svc_element && svc_element->name) ? svc_element->name : "UNKNOWN");
- ipstr[0] = 0;
- sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr));
- fprintf(SF_DEBUG_FILE, "Fail: %s:%u:%u %p %d %s\n", ipstr, (unsigned)flow->proto,
- (unsigned)flow->service_port,
- id_state, (int)id_state->state,
+ APPID_LOG_IP_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, asd->service_ip,
+ "Fail: %s:%u:%u %p %d %s\n",
+ ipstr, (unsigned)asd->protocol, (unsigned)asd->service_port, (void*)id_state,
+ (int)id_state->state,
(id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN");
- }
-#endif
-
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT)
-#endif
- {
- char ipstr[INET6_ADDRSTRLEN];
-
- ipstr[0] = 0;
- sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr));
- fprintf(SF_DEBUG_FILE, "Fail End: %s:%u:%u %p %d %s\n", ipstr, (unsigned)flow->proto,
- (unsigned)flow->service_port,
- id_state, (int)id_state->state, (id_state->svc && id_state->svc->name) ?
- id_state->svc->name : "UNKNOWN");
- }
-#endif
return SERVICE_SUCCESS;
}
* - invalid_client_count: If our service detector search had trouble
* simply because of unrecognized client data, then consider retrying
* the search again. */
-static void HandleFailure(AppIdSession* flowp,
- AppIdServiceIDState* id_state,
- const sfip_t* client_ip,
- unsigned timeout)
+static void HandleFailure(AppIdSession* asd, AppIdServiceIDState* id_state,
+ const sfip_t* client_ip, unsigned timeout)
{
/* If we had a valid detector, check for too many fails. If so, start
* search sequence again. */
}
/* If we were port/pattern searching and timed out, just restart over next
* time. */
- else if (timeout && (flowp->candidate_service_list != nullptr))
+ else if (timeout && (asd->candidate_service_list != nullptr))
{
id_state->state = SERVICE_ID_NEW;
}
/* If we were working on a port/pattern list of detectors, see if we
* should restart search (because of invalid clients) or just let it
* naturally continue onto brute force next. */
- else if ( (flowp->candidate_service_list != nullptr)
+ else if ( (asd->candidate_service_list != nullptr)
&& (id_state->state == SERVICE_ID_BRUTE_FORCE) )
{
/* If we're getting some invalid clients, keep retrying
*
* @note Packet may be nullptr when this function is called upon session timeout.
*/
-void FailInProcessService(AppIdSession* flowp, const AppIdConfig*)
+void FailInProcessService(AppIdSession* asd, const AppIdConfig*)
{
AppIdServiceIDState* id_state;
- if (flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED|APPID_SESSION_UDP_REVERSED))
+ if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_UDP_REVERSED))
return;
- id_state = AppIdGetServiceIDState(&flowp->service_ip, flowp->protocol, flowp->service_port,
- AppIdServiceDetectionLevel(flowp));
+ id_state = get_service_id_state(&asd->service_ip, asd->protocol, asd->service_port,
+ AppIdServiceDetectionLevel(asd));
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (flowp->service_port == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "FailInProcess %" PRIx64 ", %08X:%u proto %u\n",
- flowp->common.flags, flowp->common.initiator_ip.ip32[3],
- (unsigned)flowp->service_port, (unsigned)flowp->proto);
-#endif
+ APPID_LOG_FILTER_SERVICE_PORT(asd->service_port,
+ "FailInProcess %" PRIx64 ", %08X:%u proto %u\n", asd->common.flags,
+ asd->common.initiator_ip.ip32[3], (unsigned)asd->service_port,
+ (unsigned)asd->protocol);
if (!id_state || (id_state->svc && !id_state->svc->current_ref_count))
return;
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (flowp->service_port == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE, "FailInProcess: State %s for protocol %u on port %u, count %u, %s\n",
- serviceIdStateName[id_state->state], (unsigned)flowp->proto, (unsigned)flowp->service_port,
- id_state->invalid_client_count, (id_state->svc && id_state->svc->name) ?
- id_state->svc->name : "UNKNOWN");
-#endif
+ APPID_LOG_FILTER_SERVICE_PORT(asd->service_port,
+ "FailInProcess: State %s for protocol %u on port %u, count %u, %s\n",
+ service_id_state_name[id_state->state], (unsigned)asd->protocol,
+ (unsigned)asd->service_port, id_state->invalid_client_count,
+ (id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN");
id_state->invalid_client_count += STATE_ID_INCONCLUSIVE_SERVICE_WEIGHT;
+ if (sfip_fast_eq6(&asd->flow->server_ip, &asd->service_ip))
+ HandleFailure(asd, id_state, &asd->flow->client_ip, 1);
+ else
+ HandleFailure(asd, id_state, &asd->flow->server_ip, 1);
- // FIXIT-M: we need a Flow to get the ip address of client/server...
-#ifdef REMOVED_WHILE_NOT_IN_USE
- sfip_t* tmp_ip = _dpd.sessionAPI->get_session_ip_address(flowp->ssn, SSN_DIR_FROM_SERVER);
- if (sfip_fast_eq6(tmp_ip, &flowp->service_ip))
- tmp_ip = _dpd.sessionAPI->get_session_ip_address(flowp->ssn, SSN_DIR_FROM_CLIENT);
-
- HandleFailure(flowp, id_state, tmp_ip, 1);
-#endif
-
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- if (flowp->service_port == SERVICE_DEBUG_PORT)
-#endif
- fprintf(SF_DEBUG_FILE,
- "FailInProcess: Changed State to %s for protocol %u on port %u, count %u, %s\n",
- serviceIdStateName[id_state->state], (unsigned)flowp->proto, (unsigned)flowp->service_port,
- id_state->invalid_client_count, (id_state->svc && id_state->svc->name) ?
- id_state->svc->name : "UNKNOWN");
-#endif
+ APPID_LOG_FILTER_SERVICE_PORT(asd->service_port,
+ "FailInProcess: Changed State to %s for protocol %u on port %u, count %u, %s\n",
+ service_id_state_name[id_state->state], (unsigned)asd->protocol,
+ (unsigned)asd->service_port, id_state->invalid_client_count,
+ (id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN");
}
+
/* This function should be called to find the next service detector to try when
* we have not yet found a valid detector in the host tracker. It will try
* both port and/or pattern (but not brute force - that should be done outside
* been specified (serviceData). Basically, this function handles going
* through the main port/pattern search (and returning which detector to add
* next to the list of detectors to try (even if only 1)). */
-static const RNAServiceElement* AppIdGetNexService(const Packet* p, const int dir,
- AppIdSession* rnaData, AppIdServiceIDState* id_state)
+static const RNAServiceElement* get_next_service(const Packet* p, const int dir,
+ AppIdSession* asd, AppIdServiceIDState* id_state)
{
- auto proto = rnaData->protocol;
+ auto proto = asd->protocol;
/* If NEW, just advance onto trying ports. */
if (id_state->state == SERVICE_ID_NEW)
if (id_state->state == SERVICE_ID_PORT)
{
id_state->svc = AppIdGetNexServiceByPort(proto, (uint16_t)((dir ==
- APP_ID_FROM_RESPONDER) ? p->ptrs.sp : p->ptrs.dp), id_state->svc, rnaData);
+ APP_ID_FROM_RESPONDER) ? p->ptrs.sp : p->ptrs.dp), id_state->svc, asd);
if (id_state->svc != nullptr)
{
return id_state->svc;
{
id_state->state = SERVICE_ID_PATTERN;
id_state->svc = nullptr;
- if (id_state->serviceList != nullptr)
- {
- id_state->currenService = id_state->serviceList;
- }
+ if (id_state->service_list != nullptr)
+ id_state->current_service = id_state->service_list;
else
- {
- id_state->serviceList = nullptr;
- id_state->currenService = nullptr;
- }
+ id_state->current_service = nullptr;
}
}
* first with UDP reversed services before moving onto pattern matches. */
if (dir == APP_ID_FROM_INITIATOR)
{
- if (!rnaData->getAppIdFlag(APPID_SESSION_ADDITIONAL_PACKET)
- && (proto == IpProtocol::UDP) && !rnaData->tried_reverse_service )
+ if (!asd->get_session_flags(APPID_SESSION_ADDITIONAL_PACKET)
+ && (proto == IpProtocol::UDP) && !asd->tried_reverse_service )
{
SF_LNODE* iter;
AppIdServiceIDState* reverse_id_state;
const RNAServiceElement* reverse_service = nullptr;
const sfip_t* reverse_ip = p->ptrs.ip_api.get_src();
- rnaData->tried_reverse_service = true;
- if ((reverse_id_state = AppIdGetServiceIDState(reverse_ip, proto, p->ptrs.sp,
- AppIdServiceDetectionLevel(rnaData))))
+ asd->tried_reverse_service = true;
+ if ((reverse_id_state = get_service_id_state(reverse_ip, proto, p->ptrs.sp,
+ AppIdServiceDetectionLevel(asd))))
{
reverse_service = reverse_id_state->svc;
}
+
if ( reverse_service
- || (serviceConfig->udp_reversed_services[p->ptrs.sp] &&
+ || (service_config->udp_reversed_services[p->ptrs.sp] &&
(reverse_service = ( RNAServiceElement*)sflist_first(
- serviceConfig->udp_reversed_services[p->ptrs.sp], &iter)))
+ service_config->udp_reversed_services[p->ptrs.sp], &iter)))
|| (p->dsize &&
(reverse_service = AppIdGetServiceByPattern(p, proto, dir, nullptr))) )
{
}
return nullptr;
}
- /* Try pattern match detectors. If not, give up, and go to brute
- * force. */
- else /* APP_ID_FROM_RESPONDER */
+ else
{
- if (id_state->serviceList == nullptr) /* no list yet (need to make one) */
- {
+ // Try pattern match detectors. If not, give up, and go to brute force.
+ if (id_state->service_list == nullptr) /* no list yet (need to make one) */
id_state->svc = AppIdGetServiceByPattern(p, proto, dir, id_state);
- }
else /* already have a pattern service list (just use it) */
- {
- id_state->svc = AppIdNexServiceByPattern(id_state
-#ifdef SERVICE_DEBUG
-#if SERVICE_DEBUG_PORT
- , flow->service_port
-#endif
-#endif
- );
- }
+ id_state->svc = get_service_by_pattern(id_state, asd->service_port);
if (id_state->svc != nullptr)
{
return nullptr;
}
-int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData,
- const AppIdConfig* pConfig)
+int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* asd)
{
const sfip_t* ip;
int ret = SERVICE_NOMATCH;
ServiceValidationArgs args;
/* Get packet info. */
- auto proto = rnaData->protocol;
- if (sfip_is_set(&rnaData->service_ip))
+ auto proto = asd->protocol;
+ if (sfip_is_set(&asd->service_ip))
{
- ip = &rnaData->service_ip;
- port = rnaData->service_port;
+ ip = &asd->service_ip;
+ port = asd->service_port;
}
else
{
}
/* Get host tracker state. */
- id_state = rnaData->id_state;
+ id_state = asd->id_state;
if (id_state == nullptr)
{
- id_state = AppIdGetServiceIDState(ip, proto, port, AppIdServiceDetectionLevel(rnaData));
+ id_state = get_service_id_state(ip, proto, port, AppIdServiceDetectionLevel(asd));
/* Create it if it doesn't exist yet. */
if (id_state == nullptr)
{
- if (!(id_state = AppIdAddServiceIDState(ip, proto, port,
- AppIdServiceDetectionLevel(rnaData))))
+ if (!(id_state = add_service_id_state(ip, proto, port,
+ AppIdServiceDetectionLevel(asd))))
{
ErrorMessage("Discover service failed to create state");
return SERVICE_ENOMEM;
}
memset(id_state, 0, sizeof(*id_state));
}
- rnaData->id_state = id_state;
+
+ //id_state->service_list = nullptr;
+ asd->id_state = id_state;
}
- if (rnaData->serviceData == nullptr)
+ if (asd->serviceData == nullptr)
{
/* If a valid service already exists in host tracker, give it a try. */
if ((id_state->svc != nullptr) && (id_state->state == SERVICE_ID_VALID))
{
- rnaData->serviceData = id_state->svc;
+ asd->serviceData = id_state->svc;
}
/* If we've gotten to brute force, give next detector a try. */
- else if ( (id_state->state == SERVICE_ID_BRUTE_FORCE)
- && (rnaData->num_candidate_services_tried == 0)
+ else if ((id_state->state == SERVICE_ID_BRUTE_FORCE)
+ && (asd->num_candidate_services_tried == 0)
&& !id_state->searching )
{
- rnaData->serviceData = AppIdGetServiceByBruteForce(proto, id_state->svc);
- id_state->svc = rnaData->serviceData;
+ asd->serviceData = AppIdGetServiceByBruteForce(proto, id_state->svc);
+ id_state->svc = asd->serviceData;
}
}
args.data = p->data;
args.size = p->dsize;
args.dir = dir;
- args.flowp = rnaData;
+ args.asd = asd;
args.pkt = p;
- args.pConfig = pConfig;
- args.app_id_debug_session_flag = app_id_debug_session_flag;
- args.app_id_debug_session = app_id_debug_session;
+ args.pConfig = AppIdConfig::get_appid_config();
+ args.session_logging_enabled = asd->session_logging_enabled;
+ args.session_logging_id = asd->session_logging_id;
/* If we already have a service to try, then try it out. */
- if (rnaData->serviceData != nullptr)
+ if (asd->serviceData != nullptr)
{
- service = rnaData->serviceData;
+ service = asd->serviceData;
args.userdata = service->userdata;
ret = service->validate(&args);
if (ret == SERVICE_NOT_COMPATIBLE)
- rnaData->got_incompatible_services = 1;
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s %s returned %d\n", app_id_debug_session,
+ asd->got_incompatible_services = 1;
+ if (asd->session_logging_enabled)
+ LogMessage("AppIdDbg %s %s returned %d\n", asd->session_logging_id,
service->name ? service->name : "UNKNOWN", ret);
}
- /* Else, try to find detector(s) to use based on ports and patterns. */
else
{
- if (rnaData->candidate_service_list == nullptr)
+ if (asd->candidate_service_list == nullptr)
{
- rnaData->candidate_service_list = (SF_LIST*)snort_calloc(sizeof(SF_LIST));
- sflist_init(rnaData->candidate_service_list);
- rnaData->num_candidate_services_tried = 0;
+ asd->candidate_service_list = (SF_LIST*)snort_calloc(sizeof(SF_LIST));
+ sflist_init(asd->candidate_service_list);
+ asd->num_candidate_services_tried = 0;
/* This is our first time in for this session, and we're about to
* search for a service, because we don't have any solid history on
|| (id_state->state == SERVICE_ID_PORT)
|| ((id_state->state == SERVICE_ID_PATTERN) && (dir == APP_ID_FROM_RESPONDER)) )
{
- while (rnaData->num_candidate_services_tried < MAX_CANDIDATE_SERVICES)
+ while (asd->num_candidate_services_tried < MAX_CANDIDATE_SERVICES)
{
- const RNAServiceElement* tmp = AppIdGetNexService(p, dir, rnaData, id_state);
+ const RNAServiceElement* tmp = get_next_service(p, dir, asd, id_state);
if (tmp != nullptr)
{
SF_LNODE* iter = nullptr;
/* Add to list (if not already there). */
- service = (RNAServiceElement*)sflist_first(rnaData->candidate_service_list,
+ service = (RNAServiceElement*)sflist_first(asd->candidate_service_list,
&iter);
while (service && (service != tmp))
service = (RNAServiceElement*)sflist_next(&iter);
if (service == nullptr)
{
- sflist_add_tail(rnaData->candidate_service_list, (void*)tmp);
- rnaData->num_candidate_services_tried++;
+ sflist_add_tail(asd->candidate_service_list, (void*)tmp);
+ asd->num_candidate_services_tried++;
}
}
else
/* Run all of the detectors that we currently have. */
ret = SERVICE_INPROCESS;
SF_LNODE* iter;
- service = (RNAServiceElement*)sflist_first(rnaData->candidate_service_list, &iter);
+ service = (RNAServiceElement*)sflist_first(asd->candidate_service_list, &iter);
while (service)
{
int result;
args.userdata = service->userdata;
result = service->validate(&args);
if (result == SERVICE_NOT_COMPATIBLE)
- rnaData->got_incompatible_services = 1;
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s %s returned %d\n", app_id_debug_session,
+ asd->got_incompatible_services = 1;
+ if (asd->session_logging_enabled)
+ LogMessage("AppIdDbg %s %s returned %d\n", asd->session_logging_id,
service->name ? service->name : "UNKNOWN", result);
if (result == SERVICE_SUCCESS)
{
ret = SERVICE_SUCCESS;
- rnaData->serviceData = service;
- sflist_free(rnaData->candidate_service_list);
- rnaData->candidate_service_list = nullptr;
+ asd->serviceData = service;
+ sflist_free(asd->candidate_service_list);
+ asd->candidate_service_list = nullptr;
break; /* done */
}
else if (result != SERVICE_INPROCESS) /* fail */
{
- sflist_remove_node(rnaData->candidate_service_list, iter);
- service = (RNAServiceElement*)sflist_first(rnaData->candidate_service_list, &iter);
+ sflist_remove_node(asd->candidate_service_list, iter);
+ service = (RNAServiceElement*)sflist_first(asd->candidate_service_list, &iter);
}
else
service = (RNAServiceElement*)sflist_next(&iter);
/* If we tried everything and found nothing, then fail. */
if (ret != SERVICE_SUCCESS)
{
- if ( (sflist_count(rnaData->candidate_service_list) == 0)
- && ( (rnaData->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES)
+ if ( (sflist_count(asd->candidate_service_list) == 0)
+ && ( (asd->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES)
|| (id_state->state == SERVICE_ID_BRUTE_FORCE) ) )
{
- AppIdServiceFailService(rnaData, p, dir, nullptr, APPID_SESSION_DATA_NONE,
- pConfig);
+ AppIdServiceFailService(asd, p, dir, nullptr, APPID_SESSION_DATA_NONE);
ret = SERVICE_NOMATCH;
}
}
else if (dir == APP_ID_FROM_RESPONDER) /* we have seen bidirectional exchange and have not
identified any service */
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s no RNA service detector\n", app_id_debug_session);
- AppIdServiceFailService(rnaData, p, dir, nullptr, APPID_SESSION_DATA_NONE, pConfig);
+ if (asd->session_logging_enabled)
+ LogMessage("AppIdDbg %s no RNA service detector\n", asd->session_logging_id);
+ AppIdServiceFailService(asd, p, dir, nullptr, APPID_SESSION_DATA_NONE);
ret = SERVICE_NOMATCH;
}
else
tmp_ip = p->ptrs.ip_api.get_src();
- if (rnaData->got_incompatible_services)
+ if (asd->got_incompatible_services)
{
if (id_state->invalid_client_count < STATE_ID_INVALID_CLIENT_THRESHOLD)
{
}
}
- HandleFailure(rnaData, id_state, tmp_ip, 0);
+ HandleFailure(asd, id_state, tmp_ip, 0);
}
/* Can free up any pattern match lists if done with them. */
if ( (id_state->state == SERVICE_ID_BRUTE_FORCE)
|| (id_state->state == SERVICE_ID_VALID) )
{
- if (id_state->serviceList != nullptr)
- {
- AppIdFreeServiceMatchList(id_state->serviceList);
- }
- id_state->serviceList = nullptr;
- id_state->currenService = nullptr;
+ if (id_state->service_list != nullptr)
+ AppIdFreeServiceMatchList(id_state->service_list);
+
+ id_state->service_list = nullptr;
+ id_state->current_service = nullptr;
}
return ret;
}
-static void* service_flowdata_get(AppIdSession* flow, unsigned service_id)
+static void* service_flowdata_get(AppIdSession* asd, unsigned service_id)
{
- return flow->get_flow_data(service_id);
+ return asd->get_flow_data(service_id);
}
-static int service_flowdata_add(AppIdSession* flow, void* data, unsigned service_id, AppIdFreeFCN
+static int service_flowdata_add(AppIdSession* asd, void* data, unsigned service_id, AppIdFreeFCN
fcn)
{
- return flow->add_flow_data(data, service_id, fcn);
+ return asd->add_flow_data(data, service_id, fcn);
}
static void dumpServices(FILE* stream, SF_LIST* const* parray)
void dumpPorts(FILE* stream)
{
fprintf(stream,"(tcp ");
- dumpServices(stream, serviceConfig->tcp_services);
+ dumpServices(stream, service_config->tcp_services);
fprintf(stream,") \n");
fprintf(stream,"(udp ");
- dumpServices(stream, serviceConfig->udp_services);
+ dumpServices(stream, service_config->udp_services);
fprintf(stream,") \n");
}
-static void AppIdServiceAddMisc(AppIdSession* flow, AppId miscId)
+static void add_miscellaneous_info(AppIdSession* asd, AppId miscId)
{
- if (flow != nullptr)
- flow->misc_app_id = miscId;
+ if (asd != nullptr)
+ asd->misc_app_id = miscId;
}
+static void add_dns_query_info(AppIdSession* asd, uint16_t id, const uint8_t* host, uint8_t host_len,
+ uint16_t host_offset, uint16_t record_type)
+{
+ if ( asd->dsession )
+ {
+ if ( ( asd->dsession->state != 0 ) && ( asd->dsession->id != id ) )
+ reset_dns_info(asd);
+ }
+ else
+ asd->dsession = (dnsSession*)snort_calloc(sizeof(dnsSession));
+
+ if (asd->dsession->state & DNS_GOT_QUERY)
+ return;
+ asd->dsession->state |= DNS_GOT_QUERY;
+
+ asd->dsession->id = id;
+ asd->dsession->record_type = record_type;
+
+ if (!asd->dsession->host)
+ {
+ if ((host != nullptr) && (host_len > 0) && (host_offset > 0))
+ {
+ asd->dsession->host_len = host_len;
+ asd->dsession->host_offset = host_offset;
+ asd->dsession->host = dns_parse_host(host, host_len);
+ }
+ }
+}
+
+static void add_dns_response_info(AppIdSession* asd, uint16_t id, const uint8_t* host,
+ uint8_t host_len, uint16_t host_offset, uint8_t response_type, uint32_t ttl)
+{
+ if ( asd->dsession )
+ {
+ if ( ( asd->dsession->state != 0 ) && ( asd->dsession->id != id ) )
+ reset_dns_info(asd);
+ }
+ else
+ asd->dsession = (dnsSession*)snort_calloc(sizeof(*asd->dsession));
+
+ if (asd->dsession->state & DNS_GOT_RESPONSE)
+ return;
+ asd->dsession->state |= DNS_GOT_RESPONSE;
+
+ asd->dsession->id = id;
+ asd->dsession->response_type = response_type;
+ asd->dsession->ttl = ttl;
+
+ if (!asd->dsession->host)
+ {
+ if ((host != nullptr) && (host_len > 0) && (host_offset > 0))
+ {
+ asd->dsession->host_len = host_len;
+ asd->dsession->host_offset = host_offset;
+ asd->dsession->host = dns_parse_host(host, host_len);
+ }
+ }
+}
+
+static void reset_dns_info(AppIdSession* asd)
+{
+ if (asd->dsession)
+ {
+ snort_free(asd->dsession->host);
+ memset(asd->dsession, 0, sizeof(*(asd->dsession)));
+ }
+}
class AppIdConfig;
class AppIdSession;
struct RNAServiceElement;
-struct DhcpFPData;
+struct DHCPData;
struct FpSMBData;
struct Packet;
struct ServiceMatch;
void ServiceRemovePorts(RNAServiceValidationFCN, Detector*);
void ServiceRegisterPatternDetector(RNAServiceValidationFCN, IpProtocol proto,
const uint8_t* pattern, unsigned size, int position, Detector*, const char* name);
-int AppIdDiscoverService(Packet*, int direction, AppIdSession*, const AppIdConfig*);
+int AppIdDiscoverService(Packet*, int direction, AppIdSession*);
AppId getPortServiceId(IpProtocol proto, uint16_t port, const AppIdConfig*);
void AppIdFreeServiceIDState(AppIdServiceIDState*);
int AppIdServiceAddService(AppIdSession*, const Packet*, int dir, const RNAServiceElement*,
int AppIdServiceIncompatibleData(AppIdSession*, const Packet*, int dir, const RNAServiceElement*,
unsigned flow_data_index, const AppIdConfig*);
int AppIdServiceFailService(AppIdSession*, const Packet*, int dir, const RNAServiceElement*,
- unsigned flow_data_index, const AppIdConfig*);
+ unsigned flow_data_index);
int AddFTPServiceState(AppIdSession*);
void AppIdFreeDhcpInfo(DHCPInfo*);
void AppIdFreeSMBData(FpSMBData*);
-void AppIdFreeDhcpData(DhcpFPData*);
+void AppIdFreeDhcpData(DHCPData*);
void dumpPorts(FILE*);
-const RNAServiceElement* ServiceGetServiceElement(RNAServiceValidationFCN, Detector*);
-
+const RNAServiceElement* get_service_element(RNAServiceValidationFCN, Detector*);
void add_service_to_active_list(RNAServiceValidationModule* service);
extern uint32_t app_id_instance_id;
return (first->validate != second->validate || first->userdata != second->userdata);
}
-inline uint32_t AppIdServiceDetectionLevel(AppIdSession* session)
+inline uint32_t AppIdServiceDetectionLevel(AppIdSession* asd)
{
- if (session->getAppIdFlag(APPID_SESSION_DECRYPTED))
+ if (asd->get_session_flags(APPID_SESSION_DECRYPTED))
return 1;
return 0;
}
inline void PopulateExpectedFlow(AppIdSession* parent, AppIdSession* expected, uint64_t flags)
{
- expected->setAppIdFlag(flags |
- parent->getAppIdFlag(APPID_SESSION_RESPONDER_MONITORED |
+ expected->set_session_flags(flags |
+ parent->get_session_flags(APPID_SESSION_RESPONDER_MONITORED |
APPID_SESSION_INITIATOR_MONITORED |
APPID_SESSION_SPECIAL_MONITORED |
APPID_SESSION_RESPONDER_CHECKED |
static int battle_field_init(const IniServiceAPI* const init_api);
static int battle_field_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&battle_field_validate,
"battle_field"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &battle_field_validate, 4711, IpProtocol::TCP, 0 },
{ &battle_field_validate, 16567, IpProtocol::UDP, 0 },
unsigned i;
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
- DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId);
init_api->RegisterAppId(&battle_field_validate, appIdRegistry[i].appId,
appIdRegistry[i].additionalInfo);
}
static int battle_field_validate(ServiceValidationArgs* args)
{
ServiceData* fd;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
uint16_t size = args->size;
goto inprocess_nofd;
}
- fd = (ServiceData*)battlefield_service_mod.api->data_get(flowp,
+ fd = (ServiceData*)battlefield_service_mod.api->data_get(asd,
battlefield_service_mod.flow_data_index);
if (!fd)
{
fd = (ServiceData*)snort_calloc(sizeof(ServiceData));
- battlefield_service_mod.api->data_add(flowp, fd,
+ battlefield_service_mod.api->data_add(asd, fd,
battlefield_service_mod.flow_data_index, &snort_free);
}
goto success;
}
- battlefield_service_mod.api->fail_service(flowp, pkt, args->dir, &svc_element,
- battlefield_service_mod.flow_data_index,
- args->pConfig);
+ battlefield_service_mod.api->fail_service(asd, pkt, args->dir, &svc_element,
+ battlefield_service_mod.flow_data_index);
return SERVICE_NOMATCH;
inprocess:
if (fd->packetCount >= MAX_PACKET_INSPECTION_COUNT)
goto fail;
inprocess_nofd:
- battlefield_service_mod.api->service_inprocess(flowp, pkt, args->dir, &svc_element);
+ battlefield_service_mod.api->service_inprocess(asd, pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
goto inprocess;
}
- battlefield_service_mod.api->add_service(flowp, pkt, args->dir, &svc_element,
+ battlefield_service_mod.api->add_service(asd, pkt, args->dir, &svc_element,
APP_ID_BATTLEFIELD, nullptr, nullptr, nullptr);
appid_stats.battlefield_flows++;
return SERVICE_SUCCESS;
fail:
- battlefield_service_mod.api->fail_service(flowp, pkt, args->dir, &svc_element,
- battlefield_service_mod.flow_data_index,
- args->pConfig);
+ battlefield_service_mod.api->fail_service(asd, pkt, args->dir, &svc_element,
+ battlefield_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int bgp_init(const IniServiceAPI* const init_api);
static int bgp_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&bgp_validate,
"bgp"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &bgp_validate, BGP_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
{
ServiceBGPData* bd;
const ServiceBGPHeader* bh;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
uint16_t len;
if (size < sizeof(ServiceBGPHeader))
goto fail;
- bd = (ServiceBGPData*)bgp_service_mod.api->data_get(flowp, bgp_service_mod.flow_data_index);
+ bd = (ServiceBGPData*)bgp_service_mod.api->data_get(asd, bgp_service_mod.flow_data_index);
if (!bd)
{
bd = (ServiceBGPData*)snort_calloc(sizeof(ServiceBGPData));
- bgp_service_mod.api->data_add(flowp, bd, bgp_service_mod.flow_data_index, &snort_free);
+ bgp_service_mod.api->data_add(asd, bd, bgp_service_mod.flow_data_index, &snort_free);
bd->state = BGP_STATE_CONNECTION;
}
}
inprocess:
- bgp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ bgp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
fail:
- bgp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- bgp_service_mod.flow_data_index, args->pConfig);
+ bgp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ bgp_service_mod.flow_data_index);
return SERVICE_NOMATCH;
success:
- bgp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ bgp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_BGP, nullptr, nullptr, nullptr);
appid_stats.bgp_flows++;
return SERVICE_SUCCESS;
static int bit_init(const IniServiceAPI* const init_api);
static int bit_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&bit_validate,
"bit"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &bit_validate, BIT_PORT, IpProtocol::TCP, 0 },
{ &bit_validate, BIT_PORT+1, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
};
-// FIXIT - Why is there no service_bit.h that declares this extern like all the others?
SO_PUBLIC RNAServiceValidationModule bit_service_mod =
{
svc_name,
static int bit_validate(ServiceValidationArgs* args)
{
ServiceBITData* ss;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
uint16_t offset;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- ss = (ServiceBITData*)bit_service_mod.api->data_get(flowp, bit_service_mod.flow_data_index);
+ ss = (ServiceBITData*)bit_service_mod.api->data_get(asd, bit_service_mod.flow_data_index);
if (!ss)
{
ss = (ServiceBITData*)snort_calloc(sizeof(ServiceBITData));
- bit_service_mod.api->data_add(flowp, ss, bit_service_mod.flow_data_index, &snort_free);
+ bit_service_mod.api->data_add(asd, ss, bit_service_mod.flow_data_index, &snort_free);
ss->state = BIT_STATE_BANNER;
}
}
inprocess:
- bit_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ bit_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
- bit_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ bit_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_BITTORRENT, nullptr, nullptr, nullptr);
appid_stats.bit_flows++;
return SERVICE_SUCCESS;
fail:
- bit_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- bit_service_mod.flow_data_index, args->pConfig);
+ bit_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ bit_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int bootp_init(const IniServiceAPI* const init_api);
static int bootp_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&bootp_validate,
"bootp"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &bootp_validate, 67, IpProtocol::UDP, 0 },
{ &bootp_validate, 67, IpProtocol::UDP, 1 },
unsigned op60_len=0;
const uint8_t* op55=nullptr;
const uint8_t* op60=nullptr;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
if (option53 && op55_len && (memcmp(eh->ether_src, bh->chaddr, 6) == 0))
{
- if (bootp_service_mod.api->data_add_dhcp(flowp, op55_len, op55,
+ if (bootp_service_mod.api->data_add_dhcp(asd, op55_len, op55,
op60_len, op60,
bh->chaddr))
{
if (dir == APP_ID_FROM_INITIATOR)
{
- flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->set_session_flags(APPID_SESSION_UDP_REVERSED);
}
else
{
- flowp->clearAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->clear_session_flags(APPID_SESSION_UDP_REVERSED);
}
if (size > sizeof(ServiceBOOTPHeader) + 4)
goto fail;
if (option53 && (memcmp(eh->ether_dst, bh->chaddr, 6) == 0))
- bootp_service_mod.api->dhcpNewLease(flowp, bh->chaddr, bh->yiaddr,
+ bootp_service_mod.api->dhcpNewLease(asd, bh->chaddr, bh->yiaddr,
pkt->pkth->ingress_group, ntohl(subnet), ntohl(leaseTime),
router);
goto success;
}
success:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
- bootp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
+ bootp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_DHCP, nullptr, nullptr, nullptr);
appid_stats.bootp_flows++;
}
return SERVICE_SUCCESS;
inprocess:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- bootp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ bootp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
}
return SERVICE_INPROCESS;
fail:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- bootp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- bootp_service_mod.flow_data_index, args->pConfig);
+ bootp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ bootp_service_mod.flow_data_index);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOMATCH;
not_compatible:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- bootp_service_mod.api->incompatible_data(flowp, args->pkt, args->dir, &svc_element,
+ bootp_service_mod.api->incompatible_data(asd, args->pkt, args->dir, &svc_element,
bootp_service_mod.flow_data_index, args->pConfig);
}
return SERVICE_NOT_COMPATIBLE;
static int dcerpc_tcp_validate(ServiceValidationArgs* args);
static int dcerpc_udp_validate(ServiceValidationArgs* args);
-static RNAServiceElement tcp_svc_element =
+static const RNAServiceElement tcp_svc_element =
{
nullptr,
&dcerpc_tcp_validate,
0,
"dcerpc"
};
-static RNAServiceElement udp_svc_element =
+static const RNAServiceElement udp_svc_element =
{
nullptr,
&dcerpc_udp_validate,
"udp dcerpc"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &dcerpc_tcp_validate, 135, IpProtocol::TCP, 0 },
{ &dcerpc_udp_validate, 135, IpProtocol::UDP, 0 },
ServiceDCERPCData* dd;
int retval = SERVICE_INPROCESS;
int length;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (!size)
goto inprocess;
- dd = (ServiceDCERPCData*)dcerpc_service_mod.api->data_get(flowp,
+ dd = (ServiceDCERPCData*)dcerpc_service_mod.api->data_get(asd,
dcerpc_service_mod.flow_data_index);
if (!dd)
{
dd = (ServiceDCERPCData*)snort_calloc(sizeof(ServiceDCERPCData));
- dcerpc_service_mod.api->data_add(flowp, dd, dcerpc_service_mod.flow_data_index,
+ dcerpc_service_mod.api->data_add(asd, dd, dcerpc_service_mod.flow_data_index,
&snort_free);
}
}
if (retval == SERVICE_SUCCESS)
{
- dcerpc_service_mod.api->add_service(flowp, args->pkt, args->dir, &tcp_svc_element,
+ dcerpc_service_mod.api->add_service(asd, args->pkt, args->dir, &tcp_svc_element,
APP_ID_DCE_RPC, nullptr, nullptr, nullptr);
appid_stats.dcerpc_tcp_flows++;
return SERVICE_SUCCESS;
}
inprocess:
- dcerpc_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &tcp_svc_element);
+ dcerpc_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &tcp_svc_element);
return SERVICE_INPROCESS;
fail:
- dcerpc_service_mod.api->fail_service(flowp, args->pkt, args->dir, &tcp_svc_element,
- dcerpc_service_mod.flow_data_index, args->pConfig);
+ dcerpc_service_mod.api->fail_service(asd, args->pkt, args->dir, &tcp_svc_element,
+ dcerpc_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
ServiceDCERPCData* dd;
int retval = SERVICE_NOMATCH;
int length;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (!size)
goto inprocess;
- dd = (ServiceDCERPCData*)dcerpc_service_mod.api->data_get(flowp,
+ dd = (ServiceDCERPCData*)dcerpc_service_mod.api->data_get(asd,
dcerpc_service_mod.flow_data_index);
if (!dd)
{
dd = (ServiceDCERPCData*)snort_calloc(sizeof(ServiceDCERPCData));
- dcerpc_service_mod.api->data_add(flowp, dd, dcerpc_service_mod.flow_data_index,
+ dcerpc_service_mod.api->data_add(asd, dd, dcerpc_service_mod.flow_data_index,
&snort_free);
}
}
if (retval == SERVICE_SUCCESS)
{
- dcerpc_service_mod.api->add_service(flowp, args->pkt, args->dir, &udp_svc_element,
+ dcerpc_service_mod.api->add_service(asd, args->pkt, args->dir, &udp_svc_element,
APP_ID_DCE_RPC, nullptr, nullptr, nullptr);
appid_stats.dcerpc_udp_flows++;
return SERVICE_SUCCESS;
}
inprocess:
- dcerpc_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &udp_svc_element);
+ dcerpc_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &udp_svc_element);
return SERVICE_INPROCESS;
fail:
- dcerpc_service_mod.api->fail_service(flowp, args->pkt, args->dir, &udp_svc_element,
- dcerpc_service_mod.flow_data_index, args->pConfig);
+ dcerpc_service_mod.api->fail_service(asd, args->pkt, args->dir, &udp_svc_element,
+ dcerpc_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int direct_connect_init(const IniServiceAPI* const init_api);
static int direct_connect_validate(ServiceValidationArgs* args);
static int validateDirectConnectTcp(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, const Packet* pkt, ServiceData* serviceData,
- const AppIdConfig* pConfig);
+ AppIdSession* asd, const Packet* pkt, ServiceData* serviceData);
static int validateDirectConnectUdp(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, const Packet* pkt, ServiceData* serviceData,
- const AppIdConfig* pConfig);
+ AppIdSession* asd, const Packet* pkt, ServiceData* serviceData);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&direct_connect_validate,
"direct_connect"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &direct_connect_validate, 411, IpProtocol::TCP, 0 },
{ &direct_connect_validate, 411, IpProtocol::UDP, 0 },
static int direct_connect_validate(ServiceValidationArgs* args)
{
ServiceData* fd;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (!size)
{
- directconnect_service_mod.api->service_inprocess(flowp, args->pkt, args->dir,
+ directconnect_service_mod.api->service_inprocess(asd, args->pkt, args->dir,
&svc_element);
return SERVICE_INPROCESS;
}
- fd = (ServiceData*)directconnect_service_mod.api->data_get(flowp,
+ fd = (ServiceData*)directconnect_service_mod.api->data_get(asd,
directconnect_service_mod.flow_data_index);
if (!fd)
{
fd = (ServiceData*)snort_calloc(sizeof(ServiceData));
- directconnect_service_mod.api->data_add(flowp, fd,
+ directconnect_service_mod.api->data_add(asd, fd,
directconnect_service_mod.flow_data_index, &snort_free);
}
- if (flowp->protocol == IpProtocol::TCP)
- return validateDirectConnectTcp(data, size, args->dir, flowp, args->pkt, fd,
- args->pConfig);
+ if (asd->protocol == IpProtocol::TCP)
+ return validateDirectConnectTcp(data, size, args->dir, asd, args->pkt, fd);
else
- return validateDirectConnectUdp(data, size, args->dir, flowp, args->pkt, fd,
- args->pConfig);
+ return validateDirectConnectUdp(data, size, args->dir, asd, args->pkt, fd);
}
static int validateDirectConnectTcp(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, const Packet* pkt, ServiceData* serviceData,
- const AppIdConfig* pConfig)
+ AppIdSession* asd, const Packet* pkt, ServiceData* serviceData)
{
switch (serviceData->state)
{
if (serviceData->packetCount >= MAX_PACKET_INSPECTION_COUNT)
goto fail;
- directconnect_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ directconnect_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
return SERVICE_INPROCESS;
success:
goto inprocess;
}
- directconnect_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
+ directconnect_service_mod.api->add_service(asd, pkt, dir, &svc_element,
APP_ID_DIRECT_CONNECT, nullptr, nullptr, nullptr);
appid_stats.direct_connect_flows++;
return SERVICE_SUCCESS;
fail:
- directconnect_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- directconnect_service_mod.flow_data_index, pConfig);
+ directconnect_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ directconnect_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int validateDirectConnectUdp(const uint8_t* data, uint16_t size, const int dir,
- AppIdSession* flowp, const Packet* pkt, ServiceData* serviceData,
- const AppIdConfig* pConfig)
+ AppIdSession* asd, const Packet* pkt, ServiceData* serviceData)
{
if (dir == APP_ID_FROM_RESPONDER && serviceData->state == CONN_STATE_SERVICE_DETECTED)
{
if (serviceData->packetCount >= MAX_PACKET_INSPECTION_COUNT)
goto fail;
- directconnect_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ directconnect_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
return SERVICE_INPROCESS;
success:
}
reportSuccess:
- directconnect_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
+ directconnect_service_mod.api->add_service(asd, pkt, dir, &svc_element,
APP_ID_DIRECT_CONNECT, nullptr, nullptr, nullptr);
appid_stats.direct_connect_flows++;
return SERVICE_SUCCESS;
fail:
- directconnect_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- directconnect_service_mod.flow_data_index, pConfig);
+ directconnect_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ directconnect_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int flap_init(const IniServiceAPI* const init_api);
static int flap_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&flap_validate,
"flap"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &flap_validate, 5190, IpProtocol::TCP, 0 },
{ &flap_validate, 9898, IpProtocol::TCP, 0 },
const FLAPHeader* hdr = (const FLAPHeader*)args->data;
const FLAPFNAC* ff;
const FLAPTLV* tlv;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
uint16_t size = args->size;
uint16_t len;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- sf = (ServiceFLAPData*)flap_service_mod.api->data_get(flowp, flap_service_mod.flow_data_index);
+ sf = (ServiceFLAPData*)flap_service_mod.api->data_get(asd, flap_service_mod.flow_data_index);
if (!sf)
{
sf = (ServiceFLAPData*)snort_calloc(sizeof(ServiceFLAPData));
- flap_service_mod.api->data_add(flowp, sf, flap_service_mod.flow_data_index, &snort_free);
+ flap_service_mod.api->data_add(asd, sf, flap_service_mod.flow_data_index, &snort_free);
sf->state = FLAP_STATE_ACK;
}
}
fail:
- flap_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- flap_service_mod.flow_data_index, args->pConfig);
+ flap_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ flap_service_mod.flow_data_index);
return SERVICE_NOMATCH;
success:
- flap_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ flap_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_AOL_INSTANT_MESSENGER, nullptr, nullptr, nullptr);
return SERVICE_SUCCESS;
inprocess:
- flap_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ flap_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
}
#include "main/snort_debug.h"
#include "sfip/sf_ip.h"
-#include "target_based/snort_protocols.h"
#include "utils/util.h"
#include "app_info_table.h"
#include "service_util.h"
#include "appid_module.h"
-// FIXIT-H This needs to use a real SFIP function
-static SFIP_RET sfip_convert_ip_text_to_binary(const int, const char*, void*)
-{ return SFIP_SUCCESS; }
-
#define FTP_PORT 21
-/*#define RNA_FTP_EXPECTED_ON_PORT 1 */
enum FTPState
{
static int ftp_init(const IniServiceAPI* const init_api);
static int ftp_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&ftp_validate,
"ftp"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &ftp_validate, FTP_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
static int ftp_init(const IniServiceAPI* const init_api)
{
- ftp_data_app_id = AddProtocolReference("ftp-data");
+ ftp_data_app_id = add_appid_protocol_reference("ftp-data");
init_api->RegisterPattern(&ftp_validate, IpProtocol::TCP, (uint8_t*)FTP_PATTERN1,
sizeof(FTP_PATTERN1)-1, 0, "ftp");
{ 0, 0 }
};
-static int ftp_validate_eprt(const uint8_t* data, uint16_t size,
- sfip_t* address, uint16_t* port)
+static int ftp_validate_eprt(const uint8_t* data, uint16_t size, sfip_t* address, uint16_t* port)
{
int index;
int addrFamilySupported = 0;
uint32_t tmp;
char tmp_str[INET6_ADDRSTRLEN+1];
- memset(address,0,sizeof(sfip_t));
+ memset(address, 0, sizeof(sfip_t));
*port = 0;
end = data + size;
}
tmp_str[index] = '\0'; // make the copied portion be nul terminated.
+ // FIXIT-L recode logic above and this call to call sfip_pton instead...
if (sfip_convert_ip_text_to_binary(addrFamilySupported, tmp_str, &address) != SFIP_SUCCESS)
return -1;
return 0;
}
-static inline void WatchForCommandResult(ServiceFTPData* fd, AppIdSession* flowp, FTPCmd command)
+static inline void WatchForCommandResult(ServiceFTPData* fd, AppIdSession* asd, FTPCmd command)
{
if (fd->state != FTP_STATE_MONITOR)
{
- flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE);
fd->state = FTP_STATE_MONITOR;
}
fd->cmd = command;
}
-static inline void InitializeDataSession(AppIdSession* flowp,AppIdSession* fp)
+static inline void InitializeDataSession(AppIdSession* asd, AppIdSession* fp)
{
- unsigned encryptedFlag = flowp->getAppIdFlag(APPID_SESSION_ENCRYPTED |
+ unsigned encryptedFlag = asd->get_session_flags(APPID_SESSION_ENCRYPTED |
APPID_SESSION_DECRYPTED);
if (encryptedFlag == APPID_SESSION_ENCRYPTED)
{
// zeroes.
fp->serviceAppId = APP_ID_FTP_DATA;
}
- PopulateExpectedFlow(flowp, fp, APPID_SESSION_IGNORE_ID_FLAGS | encryptedFlag);
+ PopulateExpectedFlow(asd, fp, APPID_SESSION_IGNORE_ID_FLAGS | encryptedFlag);
}
static int ftp_validate(ServiceValidationArgs* args)
uint16_t port;
AppIdSession* fp;
int retval = SERVICE_INPROCESS;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
//to direct traffic to SSL detector to extract payload from certs. This will require
// manintaining
//two detector states at the same time.
- if (flowp->getAppIdFlag(APPID_SESSION_ENCRYPTED))
+ if (asd->get_session_flags(APPID_SESSION_ENCRYPTED))
{
- if (!flowp->getAppIdFlag(APPID_SESSION_DECRYPTED))
+ if (!asd->get_session_flags(APPID_SESSION_DECRYPTED))
{
goto inprocess;
}
}
- fd = (ServiceFTPData*)ftp_service_mod.api->data_get(flowp, ftp_service_mod.flow_data_index);
+ fd = (ServiceFTPData*)ftp_service_mod.api->data_get(asd, ftp_service_mod.flow_data_index);
if (!fd)
{
fd = (ServiceFTPData*)snort_calloc(sizeof(ServiceFTPData));
- ftp_service_mod.api->data_add(flowp, fd, ftp_service_mod.flow_data_index, &snort_free);
+ ftp_service_mod.api->data_add(asd, fd, ftp_service_mod.flow_data_index, &snort_free);
fd->state = FTP_STATE_CONNECTION;
fd->rstate = FTP_REPLY_BEGIN;
fd->cmd = FTP_CMD_NONE;
size-(sizeof(FTP_PORT_CMD)-1),
&fd->address, &fd->port) == 0)
{
- WatchForCommandResult(fd, flowp, FTP_CMD_PORT_EPRT);
+ WatchForCommandResult(fd, asd, FTP_CMD_PORT_EPRT);
}
}
else if (size > sizeof(FTP_EPRT_CMD)-1 &&
size-(sizeof(FTP_EPRT_CMD)-1),
&fd->address, &fd->port) == 0)
{
- WatchForCommandResult(fd, flowp, FTP_CMD_PORT_EPRT);
+ WatchForCommandResult(fd, asd, FTP_CMD_PORT_EPRT);
}
}
else if ( size > sizeof(FTP_PASV_CMD)-1 &&
strncasecmp((char*)data, FTP_EPSV_CMD, sizeof(FTP_EPSV_CMD)-1) == 0 )
)
{
- WatchForCommandResult(fd, flowp, FTP_CMD_PASV_EPSV);
+ WatchForCommandResult(fd, asd, FTP_CMD_PASV_EPSV);
}
goto inprocess;
}
case 551: /*requested action aborted :page type unknown */
case 552: /*requested action aborted */
case 553: /*requested action not taken file name is not allowed */
- flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE);
fd->state = FTP_STATE_MONITOR;
break;
case 221: /*good bye */
fd->state = FTP_STATE_CONNECTION_ERROR;
break;
case 230:
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
fd->state = FTP_STATE_MONITOR;
retval = SERVICE_SUCCESS;
break;
case 234:
{
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
retval = SERVICE_SUCCESS;
/*
// we do not set the state to FTP_STATE_MONITOR here because we don't know
// if there will be SSL decryption to allow us to see what we are interested in.
// Let the WatchForCommandResult() usage elsewhere take care of it.
*/
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE | APPID_SESSION_ENCRYPTED |
+ asd->set_session_flags(APPID_SESSION_CONTINUE | APPID_SESSION_ENCRYPTED |
APPID_SESSION_STICKY_SERVICE);
}
break;
break;
case 202:
case 230:
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
fd->state = FTP_STATE_MONITOR;
retval = SERVICE_SUCCESS;
default:
{
case 202:
case 230:
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
fd->state = FTP_STATE_MONITOR;
retval = SERVICE_SUCCESS;
default:
sip = pkt->ptrs.ip_api.get_src();
addr = htonl(address);
sfip_set_raw(&ip, &addr, AF_INET);
- fp = AppIdSession::create_future_session(pkt, dip, 0, &ip, port, flowp->protocol, ftp_data_app_id,
+ fp = AppIdSession::create_future_session(pkt, dip, 0, &ip, port, asd->protocol, ftp_data_app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (fp)
- InitializeDataSession(flowp,fp);
+ InitializeDataSession(asd,fp);
if (!sfip_fast_eq6(&ip, sip))
{
- fp = flowp->create_future_session(pkt, dip, 0, sip, port, flowp->protocol, ftp_data_app_id,
+ fp = asd->create_future_session(pkt, dip, 0, sip, port, asd->protocol, ftp_data_app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (fp)
- InitializeDataSession(flowp,fp);
+ InitializeDataSession(asd,fp);
}
- ftp_service_mod.api->add_payload(flowp, APP_ID_FTP_PASSIVE);
+ ftp_service_mod.api->add_payload(asd, APP_ID_FTP_PASSIVE);
}
else if (code < 0)
goto fail;
const sfip_t* dip;
dip = pkt->ptrs.ip_api.get_dst();
sip = pkt->ptrs.ip_api.get_src();
- fp = flowp->create_future_session(pkt, dip, 0, sip, port, flowp->protocol,
+ fp = asd->create_future_session(pkt, dip, 0, sip, port, asd->protocol,
ftp_data_app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (fp)
- InitializeDataSession(flowp,fp);
- ftp_service_mod.api->add_payload(flowp, APP_ID_FTP_PASSIVE);
+ InitializeDataSession(asd,fp);
+ ftp_service_mod.api->add_payload(asd, APP_ID_FTP_PASSIVE);
}
else if (code < 0)
goto fail;
{
const sfip_t* sip;
sip = pkt->ptrs.ip_api.get_src();
- fp = flowp->create_future_session(pkt, sip, 0, &fd->address, fd->port, flowp->protocol, ftp_data_app_id,
+ fp = asd->create_future_session(pkt, sip, 0, &fd->address, fd->port, asd->protocol, ftp_data_app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (fp)
- InitializeDataSession(flowp,fp);
- ftp_service_mod.api->add_payload(flowp, APP_ID_FTP_ACTIVE); // Active mode FTP
+ InitializeDataSession(asd,fp);
+ ftp_service_mod.api->add_payload(asd, APP_ID_FTP_ACTIVE); // Active mode FTP
// is reported as a
// payload id
}
default:
case SERVICE_INPROCESS:
inprocess:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- ftp_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ ftp_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
}
return SERVICE_INPROCESS;
case SERVICE_SUCCESS:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- uint64_t encryptedFlag = flowp->getAppIdFlag(
+ uint64_t encryptedFlag = asd->get_session_flags(
APPID_SESSION_ENCRYPTED | APPID_SESSION_DECRYPTED);
// FTPS only when encrypted==1 decrypted==0
- ftp_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
+ ftp_service_mod.api->add_service(asd, pkt, dir, &svc_element,
encryptedFlag == APPID_SESSION_ENCRYPTED ?
APP_ID_FTPS : APP_ID_FTP_CONTROL,
fd->vendor[0] ? fd->vendor : nullptr,
case SERVICE_NOMATCH:
fail:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- ftp_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- ftp_service_mod.flow_data_index, args->pConfig);
+ ftp_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ ftp_service_mod.flow_data_index);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOMATCH;
}
}
static int irc_init(const IniServiceAPI* const init_api);
static int irc_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&irc_validate,
"irc"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &irc_validate, 6667, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
IRCState* state;
unsigned* pos;
const char** command;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
const int dir = args->dir;
uint16_t size = args->size;
if (!size)
goto inprocess;
- id = (ServiceIRCData*)irc_service_mod.api->data_get(flowp, irc_service_mod.flow_data_index);
+ id = (ServiceIRCData*)irc_service_mod.api->data_get(asd, irc_service_mod.flow_data_index);
if (!id)
{
id = (ServiceIRCData*)snort_calloc(sizeof(ServiceIRCData));
- irc_service_mod.api->data_add(flowp, id, irc_service_mod.flow_data_index, &snort_free);
+ irc_service_mod.api->data_add(asd, id, irc_service_mod.flow_data_index, &snort_free);
id->initiator_state = IRC_STATE_BEGIN;
id->state = IRC_STATE_BEGIN;
}
}
}
inprocess:
- irc_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element);
+ irc_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element);
return SERVICE_INPROCESS;
success:
- irc_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element,
+ irc_service_mod.api->add_service(asd, args->pkt, dir, &svc_element,
APP_ID_IRCD, nullptr, nullptr, nullptr);
appid_stats.irc_flows++;
return SERVICE_SUCCESS;
fail:
if (dir == APP_ID_FROM_RESPONDER)
{
- irc_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element,
- irc_service_mod.flow_data_index, args->pConfig);
+ irc_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element,
+ irc_service_mod.flow_data_index);
}
else
{
- irc_service_mod.api->incompatible_data(flowp, args->pkt, dir, &svc_element,
+ irc_service_mod.api->incompatible_data(asd, args->pkt, dir, &svc_element,
irc_service_mod.flow_data_index, args->pConfig);
}
return SERVICE_NOMATCH;
static int lpr_init(const IniServiceAPI* const init_api);
static int lpr_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&lpr_validate,
"lpr"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &lpr_validate, 515, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
{
ServiceLPRData* ld;
int i;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
const int dir = args->dir;
uint16_t size = args->size;
if (!size)
goto inprocess;
- ld = (ServiceLPRData*)lpr_service_mod.api->data_get(flowp, lpr_service_mod.flow_data_index);
+ ld = (ServiceLPRData*)lpr_service_mod.api->data_get(asd, lpr_service_mod.flow_data_index);
if (!ld)
{
ld = (ServiceLPRData*)snort_calloc(sizeof(ServiceLPRData));
- lpr_service_mod.api->data_add(flowp, ld, lpr_service_mod.flow_data_index, &snort_free);
+ lpr_service_mod.api->data_add(asd, ld, lpr_service_mod.flow_data_index, &snort_free);
ld->state = LPR_STATE_COMMAND;
}
goto bail;
}
inprocess:
- lpr_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element);
+ lpr_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element);
return SERVICE_INPROCESS;
success:
- lpr_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element,
+ lpr_service_mod.api->add_service(asd, args->pkt, dir, &svc_element,
APP_ID_PRINTSRV, nullptr, nullptr, nullptr);
appid_stats.lpr_flows++;
return SERVICE_SUCCESS;
fail:
- lpr_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element,
- lpr_service_mod.flow_data_index, args->pConfig);
+ lpr_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element,
+ lpr_service_mod.flow_data_index);
return SERVICE_NOMATCH;
bail:
- lpr_service_mod.api->incompatible_data(flowp, args->pkt, dir, &svc_element,
+ lpr_service_mod.api->incompatible_data(asd, args->pkt, dir, &svc_element,
lpr_service_mod.flow_data_index, args->pConfig);
return SERVICE_NOT_COMPATIBLE;
}
static void mdnsMatchListDestroy();
static void MDNS_clean();
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&MDNS_validate,
"MDNS"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &MDNS_validate, 5353, IpProtocol::UDP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
2. Calls the function which scans for pattern to identify the user
3. Calls the function which does the Username reporting along with the host
MDNS User Analysis*/
-static int MDNSUserAnalyser(AppIdSession* flowp, const Packet* pkt, uint16_t size, const
+static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size, const
AppIdConfig* pConfig)
{
const char* query_val;
user_index++;
}
- mdns_service_mod.api->add_user(flowp, user_name, APP_ID_MDNS, 1);
+ mdns_service_mod.api->add_user(asd, user_name, APP_ID_MDNS, 1);
break;
}
/* Find the length to Jump to the next response */
memcpy(user_name, user_name_bkp + user_index, user_name_len -
user_index);
user_name[ user_name_len - user_index ] = '\0';
- mdns_service_mod.api->add_user(flowp, user_name, APP_ID_MDNS, 1);
+ mdns_service_mod.api->add_user(asd, user_name, APP_ID_MDNS, 1);
return 1;
}
else
{
ServiceMDNSData* fd;
int ret_val;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
uint16_t size = args->size;
- fd = (ServiceMDNSData*)mdns_service_mod.api->data_get(flowp, mdns_service_mod.flow_data_index);
+ fd = (ServiceMDNSData*)mdns_service_mod.api->data_get(asd, mdns_service_mod.flow_data_index);
if (!fd)
{
fd = (ServiceMDNSData*)snort_calloc(sizeof(ServiceMDNSData));
- mdns_service_mod.api->data_add(flowp, fd, mdns_service_mod.flow_data_index, &snort_free);
+ mdns_service_mod.api->data_add(asd, fd, mdns_service_mod.flow_data_index, &snort_free);
fd->state = MDNS_STATE_CONNECTION;
}
ret_val = MDNS_validate_reply(data, size);
if (ret_val == 1)
{
- if (pAppidActiveConfig->mod_config->mdns_user_reporting)
+ if (AppIdConfig::get_appid_config()->mod_config->mdns_user_reporting)
{
- MDNSUserAnalyser(flowp, pkt, size, args->pConfig);
+ MDNSUserAnalyser(asd, pkt, size, args->pConfig);
mdnsMatchListDestroy();
goto success;
}
goto fail;
success:
- mdns_service_mod.api->add_service(flowp, pkt, args->dir, &svc_element,
+ mdns_service_mod.api->add_service(asd, pkt, args->dir, &svc_element,
APP_ID_MDNS, nullptr, nullptr, nullptr);
appid_stats.mdns_flows++;
return SERVICE_SUCCESS;
fail:
- mdns_service_mod.api->fail_service(flowp, pkt, args->dir, &svc_element,
- mdns_service_mod.flow_data_index, args->pConfig);
+ mdns_service_mod.api->fail_service(asd, pkt, args->dir, &svc_element,
+ mdns_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
(char*)patterns[i].pattern, patterns[i].length, &patterns[i]);
pMdnsConfig->mdnsMatcher->prep();
- pAppidActiveConfig->add_generic_config_element(svc_element.name, pMdnsConfig);
+ AppIdConfig::get_appid_config()->add_generic_config_element(svc_element.name, pMdnsConfig);
return 1;
}
static void mdnsMatcherDestroy()
{
MdnsConfig* pMdnsConfig =
- (MdnsConfig*)pAppidActiveConfig->find_generic_config_element(svc_element.name);
+ (MdnsConfig*)AppIdConfig::get_appid_config()->find_generic_config_element(svc_element.name);
MatchedPatterns* node;
if (pMdnsConfig->mdnsMatcher)
delete pMdnsConfig->mdnsMatcher;
snort_free(node);
}
snort_free(pMdnsConfig);
- pAppidActiveConfig->remove_generic_config_element(svc_element.name);
+ AppIdConfig::get_appid_config()->remove_generic_config_element(svc_element.name);
}
static int mdns_pattern_match(void* id, void*, int index, void* data, void*)
MatchedPatterns* element;
MdnsConfig* pMdnsConfig =
- (MdnsConfig*)pAppidActiveConfig->find_generic_config_element(svc_element.name);
+ (MdnsConfig*)AppIdConfig::get_appid_config()->find_generic_config_element(svc_element.name);
while (pMdnsConfig->patternList)
{
element = pMdnsConfig->patternList;
static int svc_mysql_init(const IniServiceAPI* const init_api);
static int svc_mysql_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element
+static const RNAServiceElement svc_element
{
nullptr,
&svc_mysql_validate,
"mysql"
};
-static RNAServiceValidationPort pp[]
+static const RNAServiceValidationPort pp[]
{
{ &svc_mysql_validate, 3306, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
uint32_t len;
const uint8_t* end;
const uint8_t* p = nullptr;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
uint16_t size = args->size;
if (!size)
data += 6;
if (data >= end)
goto fail;
- mysql_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ mysql_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_MYSQL, nullptr, (char*)p, nullptr);
appid_stats.mysql_flows++;
return SERVICE_SUCCESS;
inprocess:
- mysql_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ mysql_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
fail:
- mysql_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- mysql_service_mod.flow_data_index, args->pConfig);
+ mysql_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ mysql_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int nbss_validate(ServiceValidationArgs* args);
static int nbdgm_validate(ServiceValidationArgs* args);
-static RNAServiceElement nbns_svc_element
+static const RNAServiceElement nbns_svc_element =
{
nullptr,
&nbns_validate,
0,
"nbns"
};
-static RNAServiceElement nbdgm_svc_element
+static const RNAServiceElement nbdgm_svc_element =
{
nullptr,
&nbdgm_validate,
0,
"nbdgm"
};
-static RNAServiceElement nbss_svc_element
+static const RNAServiceElement nbss_svc_element =
{
nullptr,
&nbss_validate,
"nbss"
};
-static RNAServiceValidationPort pp[]
+static const RNAServiceValidationPort pp[]
{
{ &nbns_validate, 137, IpProtocol::TCP, 0 },
{ &nbns_validate, 137, IpProtocol::UDP, 0 },
const NBNSHeader* hdr;
const uint8_t* begin;
const uint8_t* end;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
const int dir = args->dir;
uint16_t size = args->size;
{
if (dir == APP_ID_FROM_RESPONDER)
{
- if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED))
+ if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
goto success;
goto fail;
}
if (dir == APP_ID_FROM_INITIATOR)
{
- flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->set_session_flags(APPID_SESSION_UDP_REVERSED);
goto inprocess;
}
success:
- netbios_service_mod.api->add_service(flowp, args->pkt, dir, &nbns_svc_element,
+ netbios_service_mod.api->add_service(asd, args->pkt, dir, &nbns_svc_element,
APP_ID_NETBIOS_NS, nullptr, nullptr, nullptr);
appid_stats.netbios_ns_flows++;
return SERVICE_SUCCESS;
inprocess:
- netbios_service_mod.api->service_inprocess(flowp, args->pkt, dir, &nbns_svc_element);
+ netbios_service_mod.api->service_inprocess(asd, args->pkt, dir, &nbns_svc_element);
return SERVICE_INPROCESS;
fail:
- netbios_service_mod.api->fail_service(flowp, args->pkt, dir, &nbns_svc_element,
- netbios_service_mod.flow_data_index,
- args->pConfig);
+ netbios_service_mod.api->fail_service(asd, args->pkt, dir, &nbns_svc_element,
+ netbios_service_mod.flow_data_index);
return SERVICE_NOMATCH;
not_compatible:
- netbios_service_mod.api->incompatible_data(flowp, args->pkt, dir, &nbns_svc_element,
+ netbios_service_mod.api->incompatible_data(asd, args->pkt, dir, &nbns_svc_element,
netbios_service_mod.flow_data_index,
args->pConfig);
return SERVICE_NOT_COMPATIBLE;
}
static inline void smb_find_domain(const uint8_t* data, uint16_t size, const int,
- AppIdSession* flowp, const Packet* pkt)
+ AppIdSession* asd, const Packet* pkt)
{
const ServiceSMBHeader* smb;
const ServiceSMBAndXResponse* resp;
domain, smb->command, pkt->src_ip.s_addr, pkt->src_port, pkt->dst_ip.s_addr,
pkt->dst_port);
#endif
- if (!flowp->netbios_domain)
- flowp->netbios_domain = snort_strdup(domain);
+ if (!asd->netbios_domain)
+ asd->netbios_domain = snort_strdup(domain);
}
}
const uint8_t* end;
uint32_t tmp;
int retval = -1;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
Packet* pkt = args->pkt;
const uint8_t* data = args->data;
const int dir = args->dir;
if (!size)
goto inprocess;
- nd = (ServiceNBSSData*)netbios_service_mod.api->data_get(flowp,
+ nd = (ServiceNBSSData*)netbios_service_mod.api->data_get(asd,
netbios_service_mod.flow_data_index);
if (!nd)
{
nd = (ServiceNBSSData*)snort_calloc(sizeof(ServiceNBSSData));
- netbios_service_mod.api->data_add(flowp, nd,
+ netbios_service_mod.api->data_add(asd, nd,
netbios_service_mod.flow_data_index, &nbss_free_state);
nd->state = NBSS_STATE_CONNECTION;
nd->serviceAppId = APP_ID_NETBIOS_SSN;
{
smb_find_domain(data + sizeof(NB_SMB_BANNER),
nd->length - sizeof(NB_SMB_BANNER),
- dir, flowp, pkt);
+ dir, asd, pkt);
}
}
else if (tmp >= 4 && nd->length >= 4 &&
}
if (nd->length <= tmp)
{
- smb_find_domain(data + sizeof(NB_SMB_BANNER), nd->length, dir, flowp, pkt);
+ smb_find_domain(data + sizeof(NB_SMB_BANNER), nd->length, dir, asd, pkt);
}
}
else if (tmp >= 4 && nd->length >= 4 &&
if (retval == -1)
goto inprocess;
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- if (netbios_service_mod.api->add_service(flowp, pkt, dir, &nbss_svc_element,
+ if (netbios_service_mod.api->add_service(asd, pkt, dir, &nbss_svc_element,
nd->serviceAppId, nullptr, nullptr, nullptr) == SERVICE_SUCCESS)
{
- netbios_service_mod.api->add_misc(flowp, nd->miscAppId);
+ netbios_service_mod.api->add_misc(asd, nd->miscAppId);
}
appid_stats.netbios_ssn_flows++;
}
return SERVICE_SUCCESS;
inprocess:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- netbios_service_mod.api->service_inprocess(flowp, pkt, dir, &nbss_svc_element);
+ netbios_service_mod.api->service_inprocess(asd, pkt, dir, &nbss_svc_element);
}
return SERVICE_INPROCESS;
fail:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- netbios_service_mod.api->fail_service(flowp, pkt, dir, &nbss_svc_element,
- netbios_service_mod.flow_data_index, args->pConfig);
+ netbios_service_mod.api->fail_service(asd, pkt, dir, &nbss_svc_element,
+ netbios_service_mod.flow_data_index);
}
return SERVICE_NOMATCH;
}
uint32_t server_type;
AppId serviceAppId = APP_ID_NETBIOS_DGM;
AppId miscAppId = APP_ID_NONE;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
if (end-data >= (int)sizeof(NB_SMB_BANNER) &&
!memcmp(data, NB_SMB_BANNER, sizeof(NB_SMB_BANNER)))
{
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
serviceAppId = APP_ID_NETBIOS_DGM;
}
goto not_mailslot;
}
server_type = LETOHL(&browser->server_type);
- netbios_service_mod.api->analyzefp(flowp, browser->major, browser->minor, server_type);
+ netbios_service_mod.api->analyzefp(asd, browser->major, browser->minor, server_type);
}
not_mailslot:
if (source_name[0])
- netbios_service_mod.api->add_host_info(flowp, SERVICE_HOST_INFO_NETBIOS_NAME,
+ netbios_service_mod.api->add_host_info(asd, SERVICE_HOST_INFO_NETBIOS_NAME,
source_name);
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
goto success;
case NBDGM_TYPE_ERROR:
if (end-data < (int)sizeof(NBDgmError))
}
fail:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- netbios_service_mod.api->fail_service(flowp, pkt, dir, &nbdgm_svc_element,
- netbios_service_mod.flow_data_index,
- args->pConfig);
+ netbios_service_mod.api->fail_service(asd, pkt, dir, &nbdgm_svc_element,
+ netbios_service_mod.flow_data_index);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOMATCH;
success:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
if (dir == APP_ID_FROM_RESPONDER)
{
- if (netbios_service_mod.api->add_service(flowp, pkt, dir, &nbdgm_svc_element,
+ if (netbios_service_mod.api->add_service(asd, pkt, dir, &nbdgm_svc_element,
serviceAppId, nullptr, nullptr, nullptr) == SERVICE_SUCCESS)
{
- netbios_service_mod.api->add_misc(flowp, miscAppId);
+ netbios_service_mod.api->add_misc(asd, miscAppId);
}
appid_stats.netbios_dgm_flows++;
}
return SERVICE_SUCCESS;
inprocess:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- netbios_service_mod.api->service_inprocess(flowp, pkt, dir, &nbdgm_svc_element);
+ netbios_service_mod.api->service_inprocess(asd, pkt, dir, &nbdgm_svc_element);
}
return SERVICE_INPROCESS;
}
static int nntp_init(const IniServiceAPI* const init_api);
static int nntp_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&nntp_validate,
"nntp"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &nntp_validate, NNTP_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
ServiceNNTPData* nd;
uint16_t offset;
int code;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- nd = (ServiceNNTPData*)nntp_service_mod.api->data_get(flowp, nntp_service_mod.flow_data_index);
+ nd = (ServiceNNTPData*)nntp_service_mod.api->data_get(asd, nntp_service_mod.flow_data_index);
if (!nd)
{
nd = (ServiceNNTPData*)snort_calloc(sizeof(ServiceNNTPData));
- nntp_service_mod.api->data_add(flowp, nd, nntp_service_mod.flow_data_index, &snort_free);
+ nntp_service_mod.api->data_add(asd, nd, nntp_service_mod.flow_data_index, &snort_free);
nd->state = NNTP_STATE_CONNECTION;
}
}
inprocess:
- nntp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ nntp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
- nntp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ nntp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_NNTP, nullptr, nullptr, nullptr);
appid_stats.nntp_flows++;
return SERVICE_SUCCESS;
fail:
- nntp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- nntp_service_mod.flow_data_index, args->pConfig);
+ nntp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ nntp_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int ntp_init(const IniServiceAPI* const init_api);
static int ntp_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&ntp_validate,
"ntp"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &ntp_validate, 123, IpProtocol::UDP, 0 },
{ &ntp_validate, 123, IpProtocol::TCP, 0 },
const ServiceNTPHeader* nh;
uint8_t ver;
uint8_t mode;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
goto fail;
}
- ntp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ ntp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_NTP, nullptr, nullptr, nullptr);
appid_stats.ntp_flows++;
return SERVICE_SUCCESS;
inprocess:
- ntp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ ntp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
fail:
- ntp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- ntp_service_mod.flow_data_index, args->pConfig);
+ ntp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ ntp_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int radius_validate(ServiceValidationArgs* args);
static int radius_validate_accounting(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&radius_validate,
"radius"
};
-static RNAServiceElement acct_svc_element =
+static const RNAServiceElement acct_svc_element =
{
nullptr,
&radius_validate_accounting,
"radacct"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &radius_validate, 1812, IpProtocol::UDP, 0 },
{ &radius_validate, 1812, IpProtocol::UDP, 1 },
const RADIUSHeader* hdr = (const RADIUSHeader*)args->data;
uint16_t len;
int new_dir;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const int dir = args->dir;
uint16_t size = args->size;
if (size < sizeof(RADIUSHeader))
goto fail;
- rd = (ServiceRADIUSData*)radius_service_mod.api->data_get(flowp,
+ rd = (ServiceRADIUSData*)radius_service_mod.api->data_get(asd,
radius_service_mod.flow_data_index);
if (!rd)
{
rd = (ServiceRADIUSData*)snort_calloc(sizeof(ServiceRADIUSData));
- radius_service_mod.api->data_add(flowp, rd, radius_service_mod.flow_data_index,
+ radius_service_mod.api->data_add(asd, rd, radius_service_mod.flow_data_index,
&snort_free);
rd->state = RADIUS_STATE_REQUEST;
}
hdr->code == RADIUS_CODE_ACCESS_REJECT ||
hdr->code == RADIUS_CODE_ACCESS_CHALLENGE)
{
- flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->set_session_flags(APPID_SESSION_UDP_REVERSED);
rd->state = RADIUS_STATE_RESPONSE;
new_dir = APP_ID_FROM_RESPONDER;
}
}
- else if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED))
+ else if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
new_dir = (dir == APP_ID_FROM_RESPONDER) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
}
goto fail;
}
inprocess:
- radius_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element);
+ radius_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element);
return SERVICE_INPROCESS;
success:
- radius_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element,
+ radius_service_mod.api->add_service(asd, args->pkt, dir, &svc_element,
APP_ID_RADIUS, nullptr, nullptr, nullptr);
appid_stats.radius_flows++;
return SERVICE_SUCCESS;
not_compatible:
- radius_service_mod.api->incompatible_data(flowp, args->pkt, dir, &svc_element,
+ radius_service_mod.api->incompatible_data(asd, args->pkt, dir, &svc_element,
radius_service_mod.flow_data_index, args->pConfig);
return SERVICE_NOT_COMPATIBLE;
fail:
- radius_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element,
- radius_service_mod.flow_data_index, args->pConfig);
+ radius_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element,
+ radius_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
const RADIUSHeader* hdr = (const RADIUSHeader*)args->data;
uint16_t len;
int new_dir;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const int dir = args->dir;
uint16_t size = args->size;
if (size < sizeof(RADIUSHeader))
goto fail;
- rd = (ServiceRADIUSData*)radius_service_mod.api->data_get(flowp,
+ rd = (ServiceRADIUSData*)radius_service_mod.api->data_get(asd,
radius_service_mod.flow_data_index);
if (!rd)
{
rd = (ServiceRADIUSData*)snort_calloc(sizeof(ServiceRADIUSData));
- radius_service_mod.api->data_add(flowp, rd, radius_service_mod.flow_data_index,
+ radius_service_mod.api->data_add(asd, rd, radius_service_mod.flow_data_index,
&snort_free);
rd->state = RADIUS_STATE_REQUEST;
}
{
if (hdr->code == RADIUS_CODE_ACCOUNTING_RESPONSE)
{
- flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->set_session_flags(APPID_SESSION_UDP_REVERSED);
rd->state = RADIUS_STATE_RESPONSE;
new_dir = APP_ID_FROM_RESPONDER;
}
}
- else if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED))
+ else if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
new_dir = (dir == APP_ID_FROM_RESPONDER) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
}
goto fail;
}
inprocess:
- radius_service_mod.api->service_inprocess(flowp, args->pkt, dir, &acct_svc_element);
+ radius_service_mod.api->service_inprocess(asd, args->pkt, dir, &acct_svc_element);
return SERVICE_INPROCESS;
success:
- radius_service_mod.api->add_service(flowp, args->pkt, dir, &acct_svc_element,
+ radius_service_mod.api->add_service(asd, args->pkt, dir, &acct_svc_element,
APP_ID_RADIUS_ACCT, nullptr, nullptr, nullptr);
appid_stats.radius_flows++;
return SERVICE_SUCCESS;
not_compatible:
- radius_service_mod.api->incompatible_data(flowp, args->pkt, dir, &acct_svc_element,
+ radius_service_mod.api->incompatible_data(asd, args->pkt, dir, &acct_svc_element,
radius_service_mod.flow_data_index, args->pConfig);
return SERVICE_NOT_COMPATIBLE;
fail:
- radius_service_mod.api->fail_service(flowp, args->pkt, dir, &acct_svc_element,
- radius_service_mod.flow_data_index, args->pConfig);
+ radius_service_mod.api->fail_service(asd, args->pkt, dir, &acct_svc_element,
+ radius_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
#include "protocols/packet.h"
#include "main/snort_debug.h"
-#include "target_based/snort_protocols.h"
#include "utils/util.h"
#include "appid_api.h"
#include "application_ids.h"
#include "service_api.h"
#include "service_base.h"
+#include "service_util.h"
#define REXEC_PORT 512
#define REXEC_MAX_PORT_PACKET 6
static int rexec_init(const IniServiceAPI* const init_api);
static int rexec_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&rexec_validate,
"rexec"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &rexec_validate, REXEC_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
{
unsigned i;
- app_id = AddProtocolReference("rexec");
+ app_id = add_appid_protocol_reference("rexec");
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
int i;
uint32_t port;
AppIdSession* pf;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
uint16_t size = args->size;
ServiceREXECData* rd = (ServiceREXECData*)rexec_service_mod.api->data_get(
- flowp, rexec_service_mod.flow_data_index);
+ asd, rexec_service_mod.flow_data_index);
if (!rd)
{
if (!size)
goto inprocess;
rd = (ServiceREXECData*)snort_calloc(sizeof(ServiceREXECData));
- rexec_service_mod.api->data_add(flowp, rd,
+ rexec_service_mod.api->data_add(asd, rd,
rexec_service_mod.flow_data_index, &rexec_free_state);
rd->state = REXEC_STATE_PORT;
}
rd->state = REXEC_STATE_SERVER_CONNECT;
pf->rnaServiceState = RNA_STATE_STATEFUL;
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
- PopulateExpectedFlow(flowp, pf,
+ PopulateExpectedFlow(asd, pf,
APPID_SESSION_CONTINUE |
APPID_SESSION_REXEC_STDERR |
APPID_SESSION_NO_TPI |
if (rd->parent && rd->parent->state == REXEC_STATE_SERVER_CONNECT)
{
rd->parent->state = REXEC_STATE_USERNAME;
- flowp->clearAppIdFlag(APPID_SESSION_REXEC_STDERR);
+ asd->clear_session_flags(APPID_SESSION_REXEC_STDERR);
}
goto bail;
default:
}
inprocess:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rexec_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ rexec_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
}
return SERVICE_INPROCESS;
success:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rexec_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
+ rexec_service_mod.api->add_service(asd, pkt, dir, &svc_element,
APP_ID_EXEC, nullptr, nullptr, nullptr);
appid_stats.rexec_flows++;
}
return SERVICE_SUCCESS;
bail:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rexec_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element,
+ rexec_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element,
rexec_service_mod.flow_data_index,
args->pConfig);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOT_COMPATIBLE;
fail:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rexec_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- rexec_service_mod.flow_data_index,
- args->pConfig);
+ rexec_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ rexec_service_mod.flow_data_index);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOMATCH;
}
static int rfb_init(const IniServiceAPI* const init_api);
static int rfb_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&rfb_validate,
"rfb"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &rfb_validate, 5900, IpProtocol::TCP, 0 },
{ &rfb_validate, 5901, IpProtocol::TCP, 0 },
unsigned i;
char* v;
const unsigned char* p;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
p++;
}
*v = 0;
- rfb_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ rfb_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_VNC_RFB, nullptr, version, nullptr);
appid_stats.rfb_flows++;
return SERVICE_SUCCESS;
inprocess:
- rfb_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ rfb_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
fail:
- rfb_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- rfb_service_mod.flow_data_index, args->pConfig);
+ rfb_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ rfb_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
static int rlogin_init(const IniServiceAPI* const init_api);
static int rlogin_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&rlogin_validate,
"rlogin"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &rlogin_validate, 513, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
static int rlogin_validate(ServiceValidationArgs* args)
{
ServiceRLOGINData* rd;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
Packet* pkt = args->pkt;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- rd = (ServiceRLOGINData*)rlogin_service_mod.api->data_get(flowp,
+ rd = (ServiceRLOGINData*)rlogin_service_mod.api->data_get(asd,
rlogin_service_mod.flow_data_index);
if (!rd)
{
rd = (ServiceRLOGINData*)snort_calloc(sizeof(ServiceRLOGINData));
- rlogin_service_mod.api->data_add(flowp, rd, rlogin_service_mod.flow_data_index,
+ rlogin_service_mod.api->data_add(asd, rd, rlogin_service_mod.flow_data_index,
&snort_free);
rd->state = RLOGIN_STATE_HANDSHAKE;
}
}
inprocess:
- rlogin_service_mod.api->service_inprocess(flowp, pkt, args->dir, &svc_element);
+ rlogin_service_mod.api->service_inprocess(asd, pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
- rlogin_service_mod.api->add_service(flowp, pkt, args->dir, &svc_element,
+ rlogin_service_mod.api->add_service(asd, pkt, args->dir, &svc_element,
APP_ID_RLOGIN, nullptr, nullptr, nullptr);
appid_stats.rlogin_flows++;
return SERVICE_SUCCESS;
fail:
- rlogin_service_mod.api->fail_service(flowp, pkt, args->dir, &svc_element,
- rlogin_service_mod.flow_data_index, args->pConfig);
+ rlogin_service_mod.api->fail_service(asd, pkt, args->dir, &svc_element,
+ rlogin_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
#include <rpc/rpcent.h>
#endif
+#include "application_ids.h"
#include "service_api.h"
#include "app_info_table.h"
+#include "service_util.h"
#include "log/messages.h"
#include "main/snort_debug.h"
-#include "application_ids.h"
-#include "target_based/snort_protocols.h"
#include "utils/util.h"
#include "appid_module.h"
{
uint32_t program;
uint32_t version;
- uint32_t proto;
+ IpProtocol proto;
uint32_t port;
};
uint32_t program;
uint32_t procedure;
uint32_t xid;
- uint32_t proto;
+ IpProtocol proto;
uint32_t tcpsize[APP_ID_APPID_SESSION_DIRECTION_MAX];
uint32_t tcpfragpos[APP_ID_APPID_SESSION_DIRECTION_MAX];
uint32_t tcpauthsize[APP_ID_APPID_SESSION_DIRECTION_MAX];
static int rpc_validate(ServiceValidationArgs* args);
static int rpc_tcp_validate(ServiceValidationArgs* args);
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&rpc_validate,
0,
"rpc"
};
-static RNAServiceElement tcp_svc_element =
+static const RNAServiceElement tcp_svc_element =
{
nullptr,
&rpc_tcp_validate,
#define RPC_PORT_MOUNTD 4046
#define RPC_PORT_NLOCKMGR 4045
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &rpc_validate, RPC_PORT_PORTMAPPER, IpProtocol::UDP, 0 },
{ &rpc_validate, RPC_PORT_PORTMAPPER, IpProtocol::UDP, 1 },
struct rpcent* rpc;
RPCProgram* prog;
- app_id = AddProtocolReference("sunrpc");
+ app_id = add_appid_protocol_reference("sunrpc");
if (!rpc_programs)
{
return rpc;
}
-static int validate_packet(const uint8_t* data, uint16_t size, int dir,
- AppIdSession* flowp, Packet* pkt, ServiceRPCData* rd,
- const char** pname, uint32_t* program)
+static int validate_packet(const uint8_t* data, uint16_t size, int dir, AppIdSession* asd,
+ Packet* pkt, ServiceRPCData* rd, const char** pname, uint32_t* program)
{
const ServiceRPCCall* call;
const ServiceRPCReply* reply;
end = data + size;
- if (flowp->protocol == IpProtocol::UDP)
+ if (asd->protocol == IpProtocol::UDP)
{
if (!rd->once)
{
rpc = (ServiceRPC*)data;
if (ntohl(rpc->type) == RPC_TYPE_REPLY)
{
- flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->set_session_flags(APPID_SESSION_UDP_REVERSED);
rd->state = RPC_STATE_REPLY;
dir = APP_ID_FROM_RESPONDER;
}
}
- else if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED))
+ else if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
dir = (dir == APP_ID_FROM_RESPONDER) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
}
sip = pkt->ptrs.ip_api.get_src();
tmp = ntohl(pmr->port);
pf = AppIdSession::create_future_session(pkt, dip, 0, sip, (uint16_t)tmp,
- // FIXIT-H: Change rd->proto to be IpProtocol
- (IpProtocol)ntohl(rd->proto), app_id, 0);
+ (IpProtocol)ntohl((uint32_t)rd->proto), app_id, 0);
if (pf)
{
pf->add_flow_data_id((uint16_t)tmp,
- flowp->protocol == IpProtocol::TCP ? &tcp_svc_element : &svc_element);
+ asd->protocol == IpProtocol::TCP ? &tcp_svc_element : &svc_element);
pf->rnaServiceState = RNA_STATE_STATEFUL;
- pf->setAppIdFlag(flowp->getAppIdFlag(APPID_SESSION_RESPONDER_MONITORED |
+ pf->set_session_flags(asd->get_session_flags(APPID_SESSION_RESPONDER_MONITORED |
APPID_SESSION_INITIATOR_MONITORED |
APPID_SESSION_SPECIAL_MONITORED |
APPID_SESSION_RESPONDER_CHECKED |
uint32_t program = 0;
const char* pname = nullptr;
int rval;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
goto done;
}
- rd = (ServiceRPCData*)rpc_service_mod.api->data_get(flowp, rpc_service_mod.flow_data_index);
+ rd = (ServiceRPCData*)rpc_service_mod.api->data_get(asd, rpc_service_mod.flow_data_index);
if (!rd)
{
rd = (ServiceRPCData*)snort_calloc(sizeof(ServiceRPCData));
- rpc_service_mod.api->data_add(flowp, rd, rpc_service_mod.flow_data_index, &snort_free);
+ rpc_service_mod.api->data_add(asd, rd, rpc_service_mod.flow_data_index, &snort_free);
rd->state = (dir == APP_ID_FROM_INITIATOR) ? RPC_STATE_CALL : RPC_STATE_REPLY;
rd->xid = 0xFFFFFFFF;
}
#ifdef RNA_DEBUG_RPC
fprintf(SF_DEBUG_FILE, "Begin %u -> %u %u %d state %d\n", pkt->src_port, pkt->dst_port,
- flowp->proto, dir, rd->state);
+ asd->proto, dir, rd->state);
#endif
- rval = validate_packet(data, size, dir, flowp, pkt, rd, &pname, &program);
+ rval = validate_packet(data, size, dir, asd, pkt, rd, &pname, &program);
#ifdef RNA_DEBUG_RPC
fprintf(SF_DEBUG_FILE, "End %u -> %u %u %d state %d rval %d\n", pkt->src_port, pkt->dst_port,
- flowp->proto, dir, rd->state, rval);
+ asd->proto, dir, rd->state, rval);
#endif
done:
switch (rval)
{
case SERVICE_INPROCESS:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rpc_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ rpc_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
}
return SERVICE_INPROCESS;
case SERVICE_SUCCESS:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
if (pname && *pname)
{
}
else
subtype = nullptr;
- rpc_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
- APP_ID_SUN_RPC, nullptr, nullptr, subtype);
+ rpc_service_mod.api->add_service(asd, pkt, dir, &svc_element,
+ APP_ID_SUN_RPC, nullptr, nullptr, subtype);
appid_stats.rpc_flows++;
}
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_SUCCESS;
case SERVICE_NOT_COMPATIBLE:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rpc_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element,
+ rpc_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element,
rpc_service_mod.flow_data_index,
args->pConfig);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOT_COMPATIBLE;
case SERVICE_NOMATCH:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rpc_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- rpc_service_mod.flow_data_index,
- args->pConfig);
+ rpc_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ rpc_service_mod.flow_data_index);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOMATCH;
default:
return rval;
uint32_t program = 0;
const char* pname = nullptr;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
if (!size)
goto inprocess;
- rd = (ServiceRPCData*)rpc_service_mod.api->data_get(flowp, rpc_service_mod.flow_data_index);
+ rd = (ServiceRPCData*)rpc_service_mod.api->data_get(asd, rpc_service_mod.flow_data_index);
if (!rd)
{
rd = (ServiceRPCData*)snort_calloc(sizeof(ServiceRPCData));
- rpc_service_mod.api->data_add(flowp, rd, rpc_service_mod.flow_data_index, &snort_free);
+ rpc_service_mod.api->data_add(asd, rd, rpc_service_mod.flow_data_index, &snort_free);
rd->state = RPC_STATE_CALL;
for (ret=0; ret<APP_ID_APPID_SESSION_DIRECTION_MAX; ret++)
{
size -= length;
if (rd->tcppos[dir] >= sizeof(ServiceRPCAuth))
{
- // FIXIT-M: the typecast for all the rd->tcpdata[dir] refs in this function cause
+ // FIXIT-M the typecast for all the rd->tcpdata[dir] refs in this function cause
// this warning:
// dereferencing type-punned pointer will break strict-aliasing rules
// investigate recoding to eliminate this and improve readability
{
#ifdef RNA_DEBUG_RPC
fprintf(SF_DEBUG_FILE, "V Begin %u -> %u %u %d state %d\n",
- pkt->src_port, pkt->dst_port, flowp->proto, dir, rd->state);
+ pkt->src_port, pkt->dst_port, asd->proto, dir, rd->state);
#endif
- ret = validate_packet(rd->tcpdata[dir], rd->tcppos[dir], dir, flowp,
- pkt,
- rd, &pname, &program);
+ ret = validate_packet(rd->tcpdata[dir], rd->tcppos[dir], dir, asd,
+ pkt, rd, &pname, &program);
#ifdef RNA_DEBUG_RPC
fprintf(SF_DEBUG_FILE, "V End %u -> %u %u %d state %d rval %d\n",
- pkt->src_port, pkt->dst_port, flowp->proto, dir, rd->state, ret);
+ pkt->src_port, pkt->dst_port, asd->proto, dir, rd->state, ret);
#endif
if (retval == -1)
{
#ifdef RNA_DEBUG_RPC
fprintf(SF_DEBUG_FILE, "P Begin %u -> %u %u %d state %d\n", pkt->src_port,
- pkt->dst_port, flowp->proto, dir, rd->state);
+ pkt->dst_port, asd->proto, dir, rd->state);
#endif
- ret = validate_packet(rd->tcpdata[dir], rd->tcppos[dir], dir, flowp, pkt,
+ ret = validate_packet(rd->tcpdata[dir], rd->tcppos[dir], dir, asd, pkt,
rd, &pname, &program);
#ifdef RNA_DEBUG_RPC
fprintf(SF_DEBUG_FILE, "P End %u -> %u %u %d state %d rval %d\n",
- pkt->src_port, pkt->dst_port, flowp->proto, dir, rd->state, ret);
+ pkt->src_port, pkt->dst_port, asd->proto, dir, rd->state, ret);
#endif
if (retval == -1)
goto fail;
else
{
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
goto done;
}
}
{
case SERVICE_INPROCESS:
inprocess:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rpc_service_mod.api->service_inprocess(flowp, pkt, dir, &tcp_svc_element);
+ rpc_service_mod.api->service_inprocess(asd, pkt, dir, &tcp_svc_element);
}
return SERVICE_INPROCESS;
case SERVICE_SUCCESS:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
if (pname && *pname)
{
}
else
subtype = nullptr;
- rpc_service_mod.api->add_service(flowp, pkt, dir, &tcp_svc_element,
- APP_ID_SUN_RPC, nullptr, nullptr, subtype);
+ rpc_service_mod.api->add_service(asd, pkt, dir, &tcp_svc_element,
+ APP_ID_SUN_RPC, nullptr, nullptr, subtype);
appid_stats.rpc_flows++;
}
- flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->set_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_SUCCESS;
case SERVICE_NOT_COMPATIBLE:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rpc_service_mod.api->incompatible_data(flowp, pkt, dir, &tcp_svc_element,
+ rpc_service_mod.api->incompatible_data(asd, pkt, dir, &tcp_svc_element,
rpc_service_mod.flow_data_index,
args->pConfig);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOT_COMPATIBLE;
case SERVICE_NOMATCH:
fail:
- if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED))
+ if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED))
{
- rpc_service_mod.api->fail_service(flowp, pkt, dir, &tcp_svc_element,
- rpc_service_mod.flow_data_index,
- args->pConfig);
+ rpc_service_mod.api->fail_service(asd, pkt, dir, &tcp_svc_element,
+ rpc_service_mod.flow_data_index);
}
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
return SERVICE_NOMATCH;
default:
return retval;
}
bail:
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
rd->tcpstate[APP_ID_FROM_INITIATOR] = RPC_TCP_STATE_DONE;
rd->tcpstate[APP_ID_FROM_RESPONDER] = RPC_TCP_STATE_DONE;
if (dir == APP_ID_FROM_INITIATOR)
#include "application_ids.h"
#include "service_api.h"
#include "service_base.h"
+#include "service_util.h"
#include "app_info_table.h"
#include "appid_module.h"
#include "log/messages.h"
#include "main/snort_debug.h"
-#include "target_based/snort_protocols.h"
#include "utils/util.h"
#define RSHELL_PORT 514
static int rshell_init(const IniServiceAPI* const init_api);
static int rshell_validate(ServiceValidationArgs* args);
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&rshell_validate,
"rshell"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &rshell_validate, RSHELL_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
{
unsigned i;
- app_id = AddProtocolReference("rsh-error");
+ app_id = add_appid_protocol_reference("rsh-error");
for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
int i;
uint32_t port;
AppIdSession* pf;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
uint16_t size = args->size;
- bool app_id_debug_session_flag = args->app_id_debug_session_flag;
- char* app_id_debug_session = args->app_id_debug_session;
- rd = (ServiceRSHELLData*)rshell_service_mod.api->data_get(flowp,
+ rd = (ServiceRSHELLData*)rshell_service_mod.api->data_get(asd,
rshell_service_mod.flow_data_index);
if (!rd)
{
if (!size)
goto inprocess;
rd = (ServiceRSHELLData*)snort_calloc(sizeof(ServiceRSHELLData));
- rshell_service_mod.api->data_add(flowp, rd,
+ rshell_service_mod.api->data_add(asd, rd,
rshell_service_mod.flow_data_index, &rshell_free_state);
rd->state = RSHELL_STATE_PORT;
}
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s rshell state %d\n", app_id_debug_session, rd->state);
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s rshell state %d\n", args->session_logging_id, rd->state);
switch (rd->state)
{
tmp_rd->parent = rd;
dip = pkt->ptrs.ip_api.get_dst();
sip = pkt->ptrs.ip_api.get_src();
- // FIXIT-M can flow_new return null?
pf = AppIdSession::create_future_session(pkt, dip, 0, sip, (uint16_t)port, IpProtocol::TCP, app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (pf)
return SERVICE_ENOMEM;
}
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
- PopulateExpectedFlow(flowp, pf,
+ PopulateExpectedFlow(asd, pf,
APPID_SESSION_NO_TPI |
APPID_SESSION_IGNORE_HOST |
APPID_SESSION_NOT_A_SERVICE |
case RSHELL_STATE_STDERR_CONNECT_SYN_ACK:
if (rd->parent && rd->parent->state == RSHELL_STATE_SERVER_CONNECT)
rd->parent->state = RSHELL_STATE_USERNAME;
- flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
return SERVICE_SUCCESS;
default:
goto bail;
}
inprocess:
- rshell_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ rshell_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
return SERVICE_INPROCESS;
success:
- rshell_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
+ rshell_service_mod.api->add_service(asd, pkt, dir, &svc_element,
APP_ID_SHELL, nullptr, nullptr, nullptr);
appid_stats.rshell_flows++;
return SERVICE_SUCCESS;
bail:
- rshell_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element,
+ rshell_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element,
rshell_service_mod.flow_data_index, args->pConfig);
return SERVICE_NOT_COMPATIBLE;
fail:
- rshell_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- rshell_service_mod.flow_data_index, args->pConfig);
+ rshell_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ rshell_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
#define SERVICE_RSHELL_H
struct RNAServiceValidationModule;
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
extern RNAServiceValidationModule rshell_service_mod;
#endif
static int rsync_init(const IniServiceAPI* const init_api);
static int rsync_validate(ServiceValidationArgs* args);
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&rsync_validate,
"rsync"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &rsync_validate, RSYNC_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
ServiceRSYNCData* rd;
int i;
- // FIXIT-L: Should this be an assert instead?
- if (!args)
- return SERVICE_NOMATCH;
+ assert(args);
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- rd = (ServiceRSYNCData*)rsync_service_mod.api->data_get(flowp,
+ rd = (ServiceRSYNCData*)rsync_service_mod.api->data_get(asd,
rsync_service_mod.flow_data_index);
if (!rd)
{
rd = (ServiceRSYNCData*)snort_calloc(sizeof(ServiceRSYNCData));
- rsync_service_mod.api->data_add(flowp, rd, rsync_service_mod.flow_data_index, &snort_free);
+ rsync_service_mod.api->data_add(asd, rd, rsync_service_mod.flow_data_index, &snort_free);
rd->state = RSYNC_STATE_BANNER;
}
}
inprocess:
- rsync_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ rsync_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
- rsync_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ rsync_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_RSYNC, nullptr, nullptr, nullptr);
appid_stats.rsync_flows++;
return SERVICE_SUCCESS;
fail:
- rsync_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- rsync_service_mod.flow_data_index, args->pConfig);
+ rsync_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ rsync_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
#include "service_api.h"
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
extern RNAServiceValidationModule rsync_service_mod;
#endif
static int rtmp_init(const IniServiceAPI* const api);
static int rtmp_validate(ServiceValidationArgs* args);
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&rtmp_validate,
"rtmp"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &rtmp_validate, 1935, IpProtocol::TCP, 0 },
{ &rtmp_validate, 1935, IpProtocol::UDP, 0 },
static int rtmp_validate(ServiceValidationArgs* args)
{
ServiceRTMPData* ss;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
const int dir = args->dir;
uint16_t size = args->size;
if (!size)
goto inprocess;
- ss = (ServiceRTMPData*)rtmp_service_mod.api->data_get(flowp, rtmp_service_mod.flow_data_index);
+ ss = (ServiceRTMPData*)rtmp_service_mod.api->data_get(asd, rtmp_service_mod.flow_data_index);
if (!ss)
{
ss = (ServiceRTMPData*)snort_calloc(sizeof(ServiceRTMPData));
- rtmp_service_mod.api->data_add(flowp, ss, rtmp_service_mod.flow_data_index, &rtmp_free);
+ rtmp_service_mod.api->data_add(asd, ss, rtmp_service_mod.flow_data_index, &rtmp_free);
}
/* Client -> Server */
}
/* Give up if it's taking us too long to figure out this thing. */
- if (flowp->session_packet_count >= pAppidActiveConfig->mod_config->rtmp_max_packets)
+ if (asd->session_packet_count >= AppIdConfig::get_appid_config()->mod_config->rtmp_max_packets)
{
goto fail;
}
inprocess:
- rtmp_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element);
+ rtmp_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element);
return SERVICE_INPROCESS;
fail:
snort_free(ss->swfUrl);
snort_free(ss->pageUrl);
ss->swfUrl = ss->pageUrl = nullptr;
- rtmp_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element,
- rtmp_service_mod.flow_data_index, args->pConfig);
+ rtmp_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element,
+ rtmp_service_mod.flow_data_index);
return SERVICE_NOMATCH;
success:
if (ss->swfUrl != nullptr)
{
- if (!flowp->hsession)
- flowp->hsession = (httpSession*)snort_calloc(sizeof(httpSession));
+ if (!asd->hsession)
+ asd->hsession = (httpSession*)snort_calloc(sizeof(httpSession));
- if (flowp->hsession->url == nullptr)
+ if (asd->hsession->url == nullptr)
{
- flowp->hsession->url = ss->swfUrl;
- flowp->scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
+ asd->hsession->url = ss->swfUrl;
+ asd->scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
}
else
{
}
if (ss->pageUrl != nullptr)
{
- if (!flowp->hsession)
- flowp->hsession = (httpSession*)snort_calloc(sizeof(httpSession));
+ if (!asd->hsession)
+ asd->hsession = (httpSession*)snort_calloc(sizeof(httpSession));
- if (!pAppidActiveConfig->mod_config->referred_appId_disabled &&
- (flowp->hsession->referer == nullptr))
- flowp->hsession->referer = ss->pageUrl;
+ if (!AppIdConfig::get_appid_config()->mod_config->referred_appId_disabled &&
+ (asd->hsession->referer == nullptr))
+ asd->hsession->referer = ss->pageUrl;
else
snort_free(ss->pageUrl);
ss->pageUrl = nullptr;
}
- rtmp_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element,
+ rtmp_service_mod.api->add_service(asd, args->pkt, dir, &svc_element,
APP_ID_RTMP, nullptr, nullptr, nullptr);
appid_stats.rtmp_flows++;
return SERVICE_SUCCESS;
#define SERVICE_RTMP_H
struct RNAServiceValidationModule;
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
extern RNAServiceValidationModule rtmp_service_mod;
#endif
static int smtp_init(const IniServiceAPI* const init_api);
static int smtp_validate(ServiceValidationArgs* args);
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&smtp_validate,
"smtp"
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &smtp_validate, 25, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
static int smtp_validate(ServiceValidationArgs* args)
{
ServiceSMTPData* fd;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
uint16_t offset;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- fd = (ServiceSMTPData*)smtp_service_mod.api->data_get(flowp, smtp_service_mod.flow_data_index);
+ fd = (ServiceSMTPData*)smtp_service_mod.api->data_get(asd, smtp_service_mod.flow_data_index);
if (!fd)
{
fd = (ServiceSMTPData*)snort_calloc(sizeof(ServiceSMTPData));
- smtp_service_mod.api->data_add(flowp, fd, smtp_service_mod.flow_data_index, &snort_free);
+ smtp_service_mod.api->data_add(asd, fd, smtp_service_mod.flow_data_index, &snort_free);
fd->state = SMTP_STATE_CONNECTION;
}
else
{
- if (flowp->getAppIdFlag(APPID_SESSION_ENCRYPTED) && fd->state == SMTP_STATE_TRANSFER)
+ if (asd->get_session_flags(APPID_SESSION_ENCRYPTED) && fd->state == SMTP_STATE_TRANSFER)
{
fd->state = SMTP_STATE_STARTTLS;
}
if (!fd->set_flags)
{
fd->set_flags = 1;
- flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+ asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
}
offset = 0;
if (fd->code == 220)
goto success;
/* STARTTLS failed. */
- flowp->clearAppIdFlag(APPID_SESSION_ENCRYPTED); // not encrypted after all
+ asd->clear_session_flags(APPID_SESSION_ENCRYPTED); // not encrypted after all
fd->state = SMTP_STATE_HELO; // revert the state
break;
case SMTP_STATE_TRANSFER:
}
inprocess:
- smtp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ smtp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
- smtp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ smtp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
fd->state == SMTP_STATE_STARTTLS ? APP_ID_SMTPS : APP_ID_SMTP,
nullptr, nullptr, nullptr);
if (fd->state == SMTP_STATE_STARTTLS)
return SERVICE_SUCCESS;
fail:
- smtp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- smtp_service_mod.flow_data_index, args->pConfig);
+ smtp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ smtp_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
#include "detector_plugins/detector_api.h"
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
extern RNAServiceValidationModule smtp_service_mod;
#endif
#include "service_snmp.h"
#include "log/messages.h"
-#include "target_based/snort_protocols.h"
#include "utils/util.h"
#include "appid_api.h"
#include "appid_module.h"
#include "app_info_table.h"
#include "service_base.h"
+#include "service_util.h"
#include "application_ids.h"
#define SNMP_PORT 161
static int snmp_init(const IniServiceAPI* const init_api);
static int snmp_validate(ServiceValidationArgs* args);
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
-static RNAServiceElement svc_element =
+static const RNAServiceElement svc_element =
{
nullptr,
&snmp_validate,
"snmp",
};
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &snmp_validate, SNMP_PORT, IpProtocol::TCP, 0 },
{ &snmp_validate, SNMP_PORT, IpProtocol::UDP, 0 },
static int snmp_init(const IniServiceAPI* const init_api)
{
- app_id = AddProtocolReference("snmp");
+ app_id = add_appid_protocol_reference("snmp");
init_api->RegisterPattern(&snmp_validate, IpProtocol::UDP, SNMP_PATTERN_2,
sizeof(SNMP_PATTERN_2), 2, "snmp");
const sfip_t* dip;
uint8_t version;
const char* version_str = nullptr;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
uint16_t size = args->size;
- bool app_id_debug_session_flag = args->app_id_debug_session_flag;
- char* app_id_debug_session = args->app_id_debug_session;
if (!size)
goto inprocess;
- sd = (ServiceSNMPData*)snmp_service_mod.api->data_get(flowp, snmp_service_mod.flow_data_index);
+ sd = (ServiceSNMPData*)snmp_service_mod.api->data_get(asd, snmp_service_mod.flow_data_index);
if (!sd)
{
sd = (ServiceSNMPData*)snort_calloc(sizeof(ServiceSNMPData));
- snmp_service_mod.api->data_add(flowp, sd, snmp_service_mod.flow_data_index, &snort_free);
+ snmp_service_mod.api->data_add(asd, sd, snmp_service_mod.flow_data_index, &snort_free);
sd->state = SNMP_STATE_CONNECTION;
}
if (snmp_verify_packet(&data, data+size, &pdu, &version))
{
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s snmp payload verify failed\n", app_id_debug_session);
- if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED))
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s snmp payload verify failed\n", args->session_logging_id);
+ if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED))
{
if (dir == APP_ID_FROM_RESPONDER)
goto bail;
}
}
- if (app_id_debug_session_flag)
- LogMessage("AppIdDbg %s snmp state %d\n", app_id_debug_session, sd->state);
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s snmp state %d\n", args->session_logging_id, sd->state);
switch (sd->state)
{
if (pdu != SNMP_PDU_GET_RESPONSE && dir == APP_ID_FROM_RESPONDER)
{
sd->state = SNMP_STATE_R_RESPONSE;
- flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->set_session_flags(APPID_SESSION_UDP_REVERSED);
break;
}
if (pdu == SNMP_PDU_GET_RESPONSE && dir == APP_ID_FROM_INITIATOR)
{
sd->state = SNMP_STATE_R_REQUEST;
- flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED);
+ asd->set_session_flags(APPID_SESSION_UDP_REVERSED);
break;
}
if (pdu == SNMP_PDU_TRAP || pdu == SNMP_PDU_TRAPV2)
{
- flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE);
- flowp->clearAppIdFlag(APPID_SESSION_CONTINUE);
- flowp->serviceAppId = APP_ID_SNMP;
+ asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE);
+ asd->clear_session_flags(APPID_SESSION_CONTINUE);
+ asd->serviceAppId = APP_ID_SNMP;
break;
}
sd->state = SNMP_STATE_RESPONSE;
/*adding expected connection in case the server doesn't send from 161*/
dip = pkt->ptrs.ip_api.get_dst();
sip = pkt->ptrs.ip_api.get_src();
- pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, flowp->protocol, app_id, 0);
+ pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, asd->protocol, app_id, 0);
if (pf)
{
tmp_sd = (ServiceSNMPData*)snort_calloc(sizeof(ServiceSNMPData));
snmp_service_mod.flow_data_index, &snort_free);
if (pf->add_flow_data_id(pkt->ptrs.dp, &svc_element))
{
- pf->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
- pf->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ pf->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
+ pf->clear_session_flags(APPID_SESSION_CONTINUE);
tmp_sd->state = SNMP_STATE_ERROR;
return SERVICE_ENULL;
}
- PopulateExpectedFlow(flowp, pf, APPID_SESSION_EXPECTED_EVALUATE);
+ PopulateExpectedFlow(asd, pf, APPID_SESSION_EXPECTED_EVALUATE);
pf->rnaServiceState = RNA_STATE_STATEFUL;
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
pf->common.initiator_ip = *sip;
}
inprocess:
- snmp_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ snmp_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
return SERVICE_INPROCESS;
success:
version_str = nullptr;
break;
}
- snmp_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
+ snmp_service_mod.api->add_service(asd, pkt, dir, &svc_element,
APP_ID_SNMP,
SNMP_VENDOR_STR, version_str, nullptr);
appid_stats.snmp_flows++;
return SERVICE_SUCCESS;
bail:
- snmp_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element,
+ snmp_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element,
snmp_service_mod.flow_data_index,
args->pConfig);
return SERVICE_NOT_COMPATIBLE;
fail:
- snmp_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- snmp_service_mod.flow_data_index,
- args->pConfig);
+ snmp_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ snmp_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
#include "detector_plugins/detector_api.h"
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
extern RNAServiceValidationModule snmp_service_mod;
#endif
"ssh",
};
-// FIXIT can this be const? That would require that RNAServiceValidationModule.pp be const which
-// I don't know about. Otherwise we have a thread safety issue here.
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &ssh_validate, SSH_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
};
-// FIXIT maybe this can be const, else thread safety issue
RNAServiceValidationModule ssh_service_mod =
{
"SSH",
const char* end;
unsigned len;
int client_major;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (!size)
goto inprocess;
- ss = (ServiceSSHData*)ssh_service_mod.api->data_get(flowp, ssh_service_mod.flow_data_index);
+ ss = (ServiceSSHData*)ssh_service_mod.api->data_get(asd, ssh_service_mod.flow_data_index);
if (!ss)
{
ss = (ServiceSSHData*)snort_calloc(sizeof(ServiceSSHData));
- ssh_service_mod.api->data_add(flowp, ss,
+ ssh_service_mod.api->data_add(asd, ss,
ssh_service_mod.flow_data_index, &ssh_free_state);
ss->state = SSH_STATE_BANNER;
ss->hstate = SSH_HEADER_BEGIN;
{
case SERVICE_INPROCESS:
inprocess:
- ssh_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ ssh_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
case SERVICE_SUCCESS:
- ssh_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ ssh_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_SSH, ss->vendor, ss->version, nullptr);
appid_stats.ssh_flows++;
return SERVICE_SUCCESS;
case SERVICE_NOMATCH:
fail:
- ssh_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- ssh_service_mod.flow_data_index, args->pConfig);
+ ssh_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ ssh_service_mod.flow_data_index);
return SERVICE_NOMATCH;
not_compatible:
- ssh_service_mod.api->incompatible_data(flowp, args->pkt, args->dir, &svc_element,
+ ssh_service_mod.api->incompatible_data(asd, args->pkt, args->dir, &svc_element,
ssh_service_mod.flow_data_index, args->pConfig);
return SERVICE_NOT_COMPATIBLE;
#include "detector_plugins/detector_api.h"
-// FIXIT-L: Make the globals const or, if necessary, thread-local.
extern RNAServiceValidationModule ssh_service_mod;
#endif
const ServiceSSLV3Record* rec;
const ServiceSSLV3CertsRecord* certs_rec;
uint16_t ver;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
const int dir = args->dir;
uint16_t size = args->size;
if (!size)
goto inprocess;
- ss = (ServiceSSLData*)ssl_service_mod.api->data_get(flowp, ssl_service_mod.flow_data_index);
+ ss = (ServiceSSLData*)ssl_service_mod.api->data_get(asd, ssl_service_mod.flow_data_index);
if (!ss)
{
ss = (ServiceSSLData*)snort_calloc(sizeof(ServiceSSLData));
- ssl_service_mod.api->data_add(flowp, ss, ssl_service_mod.flow_data_index, &ssl_free);
+ ssl_service_mod.api->data_add(asd, ss, ssl_service_mod.flow_data_index, &ssl_free);
ss->state = SSL_STATE_INITIATE;
}
/* Start off with a Client Hello from client to server. */
}
inprocess:
- ssl_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element);
+ ssl_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element);
return SERVICE_INPROCESS;
fail:
snort_free(ss->org_name);
ss->certs_data = nullptr;
ss->host_name = ss->common_name = ss->org_name = nullptr;
- ssl_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element,
- ssl_service_mod.flow_data_index, args->pConfig);
+ ssl_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element,
+ ssl_service_mod.flow_data_index);
return SERVICE_NOMATCH;
success:
goto fail;
}
}
- flowp->setAppIdFlag(APPID_SESSION_SSL_SESSION);
+ asd->set_session_flags(APPID_SESSION_SSL_SESSION);
if (ss->host_name || ss->common_name || ss->org_name)
{
- if (!flowp->tsession)
- flowp->tsession = (tlsSession*)snort_calloc(sizeof(tlsSession));
+ if (!asd->tsession)
+ asd->tsession = (tlsSession*)snort_calloc(sizeof(tlsSession));
/* TLS Host */
if (ss->host_name)
{
- if (flowp->tsession->tls_host)
- snort_free(flowp->tsession->tls_host);
- flowp->tsession->tls_host = ss->host_name;
- flowp->tsession->tls_host_strlen = ss->host_name_strlen;
- flowp->scan_flags |= SCAN_SSL_HOST_FLAG;
+ if (asd->tsession->tls_host)
+ snort_free(asd->tsession->tls_host);
+ asd->tsession->tls_host = ss->host_name;
+ asd->tsession->tls_host_strlen = ss->host_name_strlen;
+ asd->scan_flags |= SCAN_SSL_HOST_FLAG;
}
else if (ss->common_name)
{
// use common name (from server) if we didn't see host name (from client)
char* common_name = snort_strdup(ss->common_name);
- if (flowp->tsession->tls_host)
- snort_free(flowp->tsession->tls_host);
- flowp->tsession->tls_host = common_name;
- flowp->tsession->tls_host_strlen = ss->common_name_strlen;
- flowp->scan_flags |= SCAN_SSL_HOST_FLAG;
+ if (asd->tsession->tls_host)
+ snort_free(asd->tsession->tls_host);
+ asd->tsession->tls_host = common_name;
+ asd->tsession->tls_host_strlen = ss->common_name_strlen;
+ asd->scan_flags |= SCAN_SSL_HOST_FLAG;
}
/* TLS Common Name */
if (ss->common_name)
{
- if (flowp->tsession->tls_cname)
- snort_free(flowp->tsession->tls_cname);
- flowp->tsession->tls_cname = ss->common_name;
- flowp->tsession->tls_cname_strlen = ss->common_name_strlen;
+ if (asd->tsession->tls_cname)
+ snort_free(asd->tsession->tls_cname);
+ asd->tsession->tls_cname = ss->common_name;
+ asd->tsession->tls_cname_strlen = ss->common_name_strlen;
}
/* TLS Org Unit */
if (ss->org_name)
{
- if (flowp->tsession->tls_orgUnit)
- snort_free(flowp->tsession->tls_orgUnit);
- flowp->tsession->tls_orgUnit = ss->org_name;
- flowp->tsession->tls_orgUnit_strlen = ss->org_name_strlen;
+ if (asd->tsession->tls_orgUnit)
+ snort_free(asd->tsession->tls_orgUnit);
+ asd->tsession->tls_orgUnit = ss->org_name;
+ asd->tsession->tls_orgUnit_strlen = ss->org_name_strlen;
}
ss->host_name = ss->common_name = ss->org_name = nullptr;
}
- ssl_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element,
+ ssl_service_mod.api->add_service(asd, args->pkt, dir, &svc_element,
getSslServiceAppId(args->pkt->ptrs.sp), nullptr, nullptr, nullptr);
appid_stats.ssl_flows++;
return SERVICE_SUCCESS;
const sfip_t* dip;
AppIdSession* f;
- if (!appInfoEntryFlagGet(appId, APPINFO_FLAG_SSL_SQUELCH))
+ if (!AppInfoManager::get_instance().get_app_info_flags(appId, APPINFO_FLAG_SSL_SQUELCH))
return false;
dip = p->ptrs.ip_api.get_dst();
"telnet",
};
-// FIXIT thread safety, can this be const?
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &telnet_validate, 23, IpProtocol::TCP, 0 },
{ &telnet_validate, 23, IpProtocol::UDP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
};
-// FIXIT thread safety, can this be const?
RNAServiceValidationModule telnet_service_mod =
{
"TELNET",
{
ServiceTelnetData* td;
const uint8_t* end;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- td = (ServiceTelnetData*)telnet_service_mod.api->data_get(flowp,
+ td = (ServiceTelnetData*)telnet_service_mod.api->data_get(asd,
telnet_service_mod.flow_data_index);
if (!td)
{
td = (ServiceTelnetData*)snort_calloc(sizeof(ServiceTelnetData));
- telnet_service_mod.api->data_add(flowp, td, telnet_service_mod.flow_data_index,
+ telnet_service_mod.api->data_add(asd, td, telnet_service_mod.flow_data_index,
&snort_free);
}
}
}
inprocess:
- telnet_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ telnet_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
- telnet_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ telnet_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_TELNET, nullptr, nullptr, nullptr);
appid_stats.telnet_flows++;
return SERVICE_SUCCESS;
fail:
- telnet_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- telnet_service_mod.flow_data_index, args->pConfig);
+ telnet_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ telnet_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
#include "application_ids.h"
#include "service_api.h"
#include "service_base.h"
+#include "service_util.h"
#define TFTP_PORT 69
"tftp",
};
-// FIXIT thread safety, can this be const?
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &tftp_validate, 69, IpProtocol::UDP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
};
-// FIXIT thread safety, can this be const?
RNAServiceValidationModule tftp_service_mod =
{
"TFTP",
static int tftp_init(const IniServiceAPI* const init_api)
{
- app_id = AddProtocolReference("tftp");
+ app_id = add_appid_protocol_reference("tftp");
+
for (unsigned i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
{
DebugFormat(DEBUG_LOG,"registering appId: %d\n",appIdRegistry[i].appId);
AppIdSession* pf;
const sfip_t* sip;
const sfip_t* dip;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
Packet* pkt = args->pkt;
const int dir = args->dir;
uint16_t size = args->size;
- char* app_id_debug_session = args->app_id_debug_session;
if (!size)
goto inprocess;
- td = (ServiceTFTPData*)tftp_service_mod.api->data_get(flowp, tftp_service_mod.flow_data_index);
+ td = (ServiceTFTPData*)tftp_service_mod.api->data_get(asd, tftp_service_mod.flow_data_index);
if (!td)
{
td = (ServiceTFTPData*)snort_calloc(sizeof(ServiceTFTPData));
- tftp_service_mod.api->data_add(flowp, td, tftp_service_mod.flow_data_index, &snort_free);
+ tftp_service_mod.api->data_add(asd, td, tftp_service_mod.flow_data_index, &snort_free);
td->state = TFTP_STATE_CONNECTION;
}
- if (args->app_id_debug_session_flag)
- LogMessage("AppIdDbg %s tftp state %d\n", app_id_debug_session, td->state);
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s tftp state %d\n", args->session_logging_id, td->state);
if (td->state == TFTP_STATE_CONNECTION && dir == APP_ID_FROM_RESPONDER)
goto fail;
tmp_td->state = TFTP_STATE_TRANSFER;
dip = pkt->ptrs.ip_api.get_dst();
sip = pkt->ptrs.ip_api.get_src();
- pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, flowp->protocol, app_id,
+ pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, asd->protocol, app_id,
APPID_EARLY_SESSION_FLAG_FW_RULE);
if (pf)
{
tftp_service_mod.flow_data_index, &snort_free);
if (pf->add_flow_data_id(pkt->ptrs.dp, &svc_element))
{
- pf->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED);
- pf->clearAppIdFlag(APPID_SESSION_CONTINUE);
+ pf->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
+ pf->clear_session_flags(APPID_SESSION_CONTINUE);
tmp_td->state = TFTP_STATE_ERROR;
return SERVICE_ENOMEM;
}
- PopulateExpectedFlow(flowp, pf, APPID_SESSION_EXPECTED_EVALUATE);
+ PopulateExpectedFlow(asd, pf, APPID_SESSION_EXPECTED_EVALUATE);
pf->common.initiator_ip = *sip;
pf->rnaServiceState = RNA_STATE_STATEFUL;
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
case TFTP_STATE_TRANSFER:
if ((mode=tftp_verify_header(data, size, &block)) < 0)
{
- if (args->app_id_debug_session_flag)
- LogMessage("AppIdDbg %s tftp failed to verify\n", app_id_debug_session);
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s tftp failed to verify\n", args->session_logging_id);
goto fail;
}
- if (args->app_id_debug_session_flag)
- LogMessage("AppIdDbg %s tftp mode %d and block %u\n", app_id_debug_session,
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s tftp mode %d and block %u\n", args->session_logging_id,
mode, (unsigned)block);
if (mode == TFTP_STATE_ACK)
{
goto fail;
else
{
- if (args->app_id_debug_session_flag)
- LogMessage("AppIdDbg %s tftp failed to verify\n", app_id_debug_session);
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s tftp failed to verify\n", args->session_logging_id);
goto bail;
}
}
- if (args->app_id_debug_session_flag)
- LogMessage("AppIdDbg %s tftp mode %d\n", app_id_debug_session, mode);
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s tftp mode %d\n", args->session_logging_id, mode);
if (mode == TFTP_STATE_ERROR)
{
td->state = TFTP_STATE_TRANSFER;
}
if (dir == APP_ID_FROM_INITIATOR && mode != TFTP_STATE_DATA)
{
- if (args->app_id_debug_session_flag)
- LogMessage("AppIdDbg %s tftp bad mode\n", app_id_debug_session);
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s tftp bad mode\n", args->session_logging_id);
goto bail;
}
if (dir == APP_ID_FROM_RESPONDER && mode != TFTP_STATE_ACK)
}
inprocess:
- tftp_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element);
+ tftp_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element);
return SERVICE_INPROCESS;
success:
- if (args->app_id_debug_session_flag)
- LogMessage("AppIdDbg %s tftp success\n", app_id_debug_session);
- tftp_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
+ if (args->session_logging_enabled)
+ LogMessage("AppIdDbg %s tftp success\n", args->session_logging_id);
+ tftp_service_mod.api->add_service(asd, pkt, dir, &svc_element,
APP_ID_TFTP, nullptr, nullptr, nullptr);
appid_stats.tftp_flows++;
return SERVICE_SUCCESS;
bail:
- tftp_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element,
+ tftp_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element,
tftp_service_mod.flow_data_index, args->pConfig);
return SERVICE_NOT_COMPATIBLE;
fail:
- tftp_service_mod.api->fail_service(flowp, pkt, dir, &svc_element,
- tftp_service_mod.flow_data_index, args->pConfig);
+ tftp_service_mod.api->fail_service(asd, pkt, dir, &svc_element,
+ tftp_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
"timbuktu"
};
-// FIXIT thread safety, can this be const?
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &timbuktu_validate, TIMBUKTU_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
};
-// FIXIT thread safety, can this be const?
SO_PUBLIC RNAServiceValidationModule timbuktu_service_mod =
{
svc_name,
static int timbuktu_validate(ServiceValidationArgs* args)
{
ServiceTIMBUKTUData* ss;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
uint16_t offset=0;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- ss = (ServiceTIMBUKTUData*)timbuktu_service_mod.api->data_get(flowp,
+ ss = (ServiceTIMBUKTUData*)timbuktu_service_mod.api->data_get(asd,
timbuktu_service_mod.flow_data_index);
if (!ss)
{
ss = (ServiceTIMBUKTUData*)snort_calloc(sizeof(ServiceTIMBUKTUData));
- timbuktu_service_mod.api->data_add(flowp, ss,
+ timbuktu_service_mod.api->data_add(asd, ss,
timbuktu_service_mod.flow_data_index, &snort_free);
ss->state = TIMBUKTU_STATE_BANNER;
}
}
inprocess:
- timbuktu_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ timbuktu_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
- timbuktu_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element,
+ timbuktu_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element,
APP_ID_TIMBUKTU, nullptr, nullptr, nullptr);
appid_stats.timbuktu_flows++;
return SERVICE_SUCCESS;
fail:
- timbuktu_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- timbuktu_service_mod.flow_data_index,
- args->pConfig);
+ timbuktu_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ timbuktu_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
"tns"
};
-// FIXIT thread safety, can this be const?
-static RNAServiceValidationPort pp[] =
+static const RNAServiceValidationPort pp[] =
{
{ &tns_validate, TNS_PORT, IpProtocol::TCP, 0 },
{ nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 }
};
-// FIXIT thread safety, can this be const?
SO_PUBLIC RNAServiceValidationModule tns_service_mod =
{
svc_name,
{
ServiceTNSData* ss;
uint16_t offset;
- AppIdSession* flowp = args->flowp;
+ AppIdSession* asd = args->asd;
const uint8_t* data = args->data;
uint16_t size = args->size;
if (args->dir != APP_ID_FROM_RESPONDER)
goto inprocess;
- ss = (ServiceTNSData*)tns_service_mod.api->data_get(flowp, tns_service_mod.flow_data_index);
+ ss = (ServiceTNSData*)tns_service_mod.api->data_get(asd, tns_service_mod.flow_data_index);
if (!ss)
{
ss = (ServiceTNSData*)snort_calloc(sizeof(ServiceTNSData));
- tns_service_mod.api->data_add(flowp, ss, tns_service_mod.flow_data_index, &snort_free);
+ tns_service_mod.api->data_add(asd, ss, tns_service_mod.flow_data_index, &snort_free);
ss->state = TNS_STATE_MESSAGE_LEN;
}
}
inprocess:
- tns_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element);
+ tns_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element);
return SERVICE_INPROCESS;
success:
- tns_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, APP_ID_ORACLE_TNS,
+ tns_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_ORACLE_TNS,
nullptr, ss->version ? ss->version : nullptr, nullptr);
appid_stats.tns_flows++;
return SERVICE_SUCCESS;
fail:
- tns_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element,
- tns_service_mod.flow_data_index, args->pConfig);
+ tns_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element,
+ tns_service_mod.flow_data_index);
return SERVICE_NOMATCH;
}
#include <stdint.h>
#include <string.h>
+#include <mutex>
+
+#include "target_based/snort_protocols.h"
inline const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_len,
const uint8_t* needle, unsigned needle_len)
return nullptr;
}
+inline int16_t add_appid_protocol_reference(const char* protocol)
+{
+ static std::mutex apr_mutex;
+
+ apr_mutex.lock();
+ int16_t id = AddProtocolReference(protocol);
+ apr_mutex.unlock();
+ return id;
+}
+
#endif
return -1;
}
-int fake_fail_service(AppIdSession*, const Packet*, int, const RNAServiceElement*, unsigned, const AppIdConfig*)
+int fake_fail_service(AppIdSession*, const Packet*, int, const RNAServiceElement*, unsigned)
{
mock().actualCall("fail_service");
return -1;
}
};
-TEST(service_rsync, rsync_validate_null_args)
-{
- LONGS_EQUAL(SERVICE_NOMATCH, rsync_validate(nullptr));
-}
-
TEST(service_rsync, rsync_validate_zero_size)
{
ServiceValidationArgs args;
#include "log/messages.h"
#include "service_plugins/service_base.h"
#include "sfip/sf_ip.h"
+#include "utils/util.h"
-/*#define DEBUG_SERVICE_STATE 1*/
+//#define DEBUG_SERVICE_STATE 1
static THREAD_LOCAL SFXHASH* serviceStateCache4;
static THREAD_LOCAL SFXHASH* serviceStateCache6;
static int AppIdServiceStateFree(void*, void* data)
{
AppIdServiceIDState* id_state = (AppIdServiceIDState*)data;
- if (id_state->serviceList)
+
+ if (id_state->service_list)
{
- AppIdFreeServiceMatchList(id_state->serviceList);
- id_state->serviceList = nullptr;
+ AppIdFreeServiceMatchList(id_state->service_list);
+ id_state->service_list = nullptr;
}
return 0;
int init_service_state(unsigned long memcap)
{
serviceStateCache4 = sfxhash_new(SERVICE_STATE_CACHE_ROWS,
- sizeof(AppIdServiceStateKey4),
- sizeof(AppIdServiceIDState),
- memcap >> 1,
- 1,
- &AppIdServiceStateFree,
- &AppIdServiceStateFree,
- 1);
+ sizeof(AppIdServiceStateKey4), sizeof(AppIdServiceIDState), memcap >> 1, 1,
+ &AppIdServiceStateFree, &AppIdServiceStateFree, 1);
if (!serviceStateCache4)
{
ErrorMessage("Failed to allocate a hash table");
return -1;
}
serviceStateCache6 = sfxhash_new(SERVICE_STATE_CACHE_ROWS,
- sizeof(AppIdServiceStateKey6),
- sizeof(AppIdServiceIDState),
- memcap >> 1,
- 1,
- &AppIdServiceStateFree,
- &AppIdServiceStateFree,
- 1);
+ sizeof(AppIdServiceStateKey6), sizeof(AppIdServiceIDState), memcap >> 1, 1,
+ &AppIdServiceStateFree, &AppIdServiceStateFree, 1);
if (!serviceStateCache6)
{
ErrorMessage("Failed to allocate a hash table");
sfxhash_delete(serviceStateCache4);
serviceStateCache4 = nullptr;
}
+
if (serviceStateCache6)
{
sfxhash_delete(serviceStateCache6);
}
}
-#ifdef APPID_UNUSED_CODE
-static void AppIdRemoveServiceIDState(const sfip_t* ip, IpProtocol proto, uint16_t port, uint32_t level)
+void remove_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port, uint32_t level)
{
AppIdServiceStateKey k;
SFXHASH* cache;
ipstr[0] = 0;
sfip_ntop(ip, ipstr, sizeof(ipstr));
- ErrorMessage("Failed to remove from hash: %s:%u:%u\n",ipstr, (unsigned)proto,
+ ErrorMessage("Failed to remove from hash: %s:%u:%u\n", ipstr, (unsigned)proto,
(unsigned)port);
}
}
-#endif
-AppIdServiceIDState* AppIdGetServiceIDState(const sfip_t* ip, IpProtocol proto,
- uint16_t port, uint32_t level)
+AppIdServiceIDState* get_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port,
+ uint32_t level)
{
- AppIdServiceStateKey k;
SFXHASH* cache;
- AppIdServiceIDState* ss;
+ AppIdServiceStateKey k;
+ char ipstr[INET6_ADDRSTRLEN]; // FIXIT-M ASAN reports mem leak on ServiceMatch* objects if this is not defined
+ // which makes no sense, need to investigate further
if (sfip_family(ip) == AF_INET6)
{
k.key4.level = level;
cache = serviceStateCache4;
}
- ss = (AppIdServiceIDState*)sfxhash_find(cache, &k);
+ AppIdServiceIDState* ss = (AppIdServiceIDState*)sfxhash_find(cache, &k);
#ifdef DEBUG_SERVICE_STATE
- char ipstr[INET6_ADDRSTRLEN];
-
ipstr[0] = 0;
sfip_ntop(ip, ipstr, sizeof(ipstr));
- LogMessage("ServiceState: Read from hash: %s:%u:%u:%u %p %u %p\n",ipstr, (unsigned)proto,
- (unsigned)port, level, ss, ss ? ss->state : 0, ss ? ss->svc : nullptr);
+ DebugFormat(DEBUG_APPID, "ServiceState: Read from hash: %s:%u:%u:%u %p %u %p\n", ipstr, (unsigned)proto,
+ (unsigned)port, level, (void*)ss, ss ? ss->state : 0, ss ? (void*)ss->svc : nullptr);
+#else
+ UNUSED(ipstr);
#endif
if (ss && ss->svc && !ss->svc->ref_count)
return ss;
}
-AppIdServiceIDState* AppIdAddServiceIDState(const sfip_t* ip, IpProtocol proto, uint16_t port,
- uint32_t
- level)
+AppIdServiceIDState* add_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port,
+ uint32_t level)
{
AppIdServiceStateKey k;
AppIdServiceIDState* ss;
SFXHASH* cache;
- char ipstr[INET6_ADDRSTRLEN];
if (sfip_family(ip) == AF_INET6)
{
k.key4.level = level;
cache = serviceStateCache4;
}
-#ifdef DEBUG_SERVICE_STATE
- ipstr[0] = 0;
- sfip_ntop(ip, ipstr, sizeof(ipstr));
-#endif
+
if ((sfxhash_add_return_data_ptr(cache, &k, (void**)&ss) < 0) || !ss)
{
- ipstr[0] = 0;
+ char ipstr[INET6_ADDRSTRLEN];
+
sfip_ntop(ip, ipstr, sizeof(ipstr));
- ErrorMessage("ServiceState: Failed to add to hash: %s:%u:%u:%u\n",ipstr, (unsigned)proto,
+ ErrorMessage("ServiceState: Failed to add to hash: %s:%u:%u:%u\n", ipstr, (unsigned)proto,
(unsigned)port, level);
return nullptr;
}
+
#ifdef DEBUG_SERVICE_STATE
- LogMessage("ServiceState: Added to hash: %s:%u:%u:%u %p\n",ipstr, (unsigned)proto,
- (unsigned)port, level, ss);
+ char ipstr[INET6_ADDRSTRLEN];
+
+ ipstr[0] = 0;
+ sfip_ntop(ip, ipstr, sizeof(ipstr));
+ DebugFormat(DEBUG_APPID, "ServiceState: Added to hash: %s:%u:%u:%u %p\n", ipstr, (unsigned)proto,
+ (unsigned)port, level, (void*)ss);
#endif
+
return ss;
}
-void AppIdServiceStateDumpStats(void)
+void dump_service_state_stats(void)
{
LogMessage("Service State:\n");
if (serviceStateCache4)
* matching, but has the disadvantage of making one flow match dependent on first instance of the
* same flow.
*/
- ServiceMatch* serviceList;
- ServiceMatch* currenService;
+ ServiceMatch* service_list;
+ ServiceMatch* current_service;
/** Is this entry currently being used in an active session? */
bool searching;
int init_service_state(unsigned long memcap);
void clean_service_state();
-void AppIdRemoveServiceIDState(sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
-AppIdServiceIDState* AppIdGetServiceIDState( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
-AppIdServiceIDState* AppIdAddServiceIDState( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
-void AppIdServiceStateDumpStats();
+void remove_service_id_state(const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
+AppIdServiceIDState* get_service_id_state( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
+AppIdServiceIDState* add_service_id_state( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level);
+void dump_service_state_stats();
#endif
+++ /dev/null
-set (
- APPID_LIBS
- appid
-)
-
-add_cpputest(appid_simple_test appid)
-#add_cpputest(host_cache_module_test host_tracker ${HOST_TRACKER_MODULE_LIBS} hash)
-#add_cpputest(host_tracker_module_test host_tracker ${HOST_TRACKER_MODULE_LIBS})
-#add_cpputest(host_tracker_test host_tracker)
+++ /dev/null
-
-AM_CPPFLAGS+=-I$(top_srcdir)/src/network_inspectors/appid
-AM_DEFAULT_SOURCE_EXT = .cc
-
-check_PROGRAMS = \
-appid_simple_test \
-process_http_test
-
-TESTS = $(check_PROGRAMS)
-
-lib_list = \
-../../../network_inspectors/arp_spoof/libarp_spoof.a \
-../../../network_inspectors/packet_capture/libpacket_capture.a \
-../../../service_inspectors/back_orifice/libback_orifice.a \
-../../../service_inspectors/dce_rpc/libdce_rpc.a \
-../../../service_inspectors/dnp3/libdnp3.a \
-../../../service_inspectors/dns/libdns.a \
-../../../service_inspectors/ftp_telnet/libftp_telnet.a \
-../../../service_inspectors/gtp/libgtp_inspect.a \
-../../../service_inspectors/modbus/libmodbus.a \
-../../../service_inspectors/http_inspect/libhttp_inspect.a \
-../../../service_inspectors/rpc_decode/librpc_decode.a \
-../../../service_inspectors/sip/libsip.a \
-../../../service_inspectors/ssh/libssh.a \
-../../../service_inspectors/wizard/libwizard.a
-
-if STATIC_CODECS
-codec_list = \
-../../../codecs/root/libroot_codecs.a \
-../../../codecs/link/liblink_codecs.a
-endif
-
-
-test_list = ../../../catch/libcatch_tests.a
-
-if ENABLE_PIGLET
-pig_list = \
-piglet/libpiglet.a \
-piglet_plugins/libpiglet_plugins.a
-endif
-
-# order libs to avoid undefined symbols
-# from gnu linker
-snort_LIBS = \
-$(test_list) \
-../../../managers/libmanagers.a \
-../../../loggers/libloggers.a \
-../../../codecs/libcodecs.a \
-../../../codecs/ip/libip_codecs.a \
-../../../codecs/misc/libmisc_codecs.a \
-$(codec_list) \
-../../../network_inspectors/libnetwork_inspectors.a \
-../../../network_inspectors/binder/libbinder.a \
-../../../network_inspectors/normalize/libnormalize.a \
-../../../network_inspectors/perf_monitor/libperf_monitor.a \
-../../../network_inspectors/reputation/libreputation.a \
-../../../network_inspectors/appid/libappid.a \
-../../../network_inspectors/appid/client_plugins/libclient_plugins.a \
-../../../network_inspectors/appid/detector_plugins/libdetector_plugins.a \
-../../../network_inspectors/appid/service_plugins/libservice_plugins.a \
-../../../network_inspectors/appid/util/libappidutil.a \
-../../../service_inspectors/libservice_inspectors.a \
-$(lib_list) \
-../../../service_inspectors/imap/libimap.a \
-../../../service_inspectors/pop/libpop.a \
-../../../service_inspectors/smtp/libsmtp.a \
-../../../service_inspectors/ssl/libssl.a \
-../../../network_inspectors/port_scan/libport_scan.a \
-../../../stream/libstream.a \
-../../../stream/base/libstream_base.a \
-../../../stream/ip/libstream_ip.a \
-../../../stream/icmp/libstream_icmp.a \
-../../../stream/tcp/libstream_tcp.a \
-../../../stream/libtcp/libstream_libtcp.a \
-../../../stream/udp/libstream_udp.a \
-../../../stream/user/libstream_user.a \
-../../../stream/file/libstream_file.a \
-../../../stream/libstream_paf.a \
-../../../file_api/libfile_api.a \
-../../../mime/libmime.a \
-../../../service_inspectors/http_inspect/libhttp_inspect.a \
-$(pig_list) \
-../../../ips_options/libips_options.a \
-../../../search_engines/libsearch_engines.a \
-../../../target_based/libtarget_based.a \
-../../../main/libmain.a \
-../../../codecs/libcodec_module.a \
-../../../memory/libmemory.a \
-../../../host_tracker/libhost_tracker.a \
-../../../parser/libparser.a \
-../../../flow/libflow.a \
-../../../control/libcontrol.a \
-../../../filters/libfilter.a \
-../../../detection/libdetection.a \
-../../../framework/libframework.a \
-../../../time/libtime.a \
-../../../latency/liblatency.a \
-../../../profiler/libprofiler.a \
-../../../actions/libips_actions.a \
-../../../events/libevents.a \
-../../../hash/libhash.a \
-../../../log/liblog.a \
-../../../packet_io/libpacket_io.a \
-../../../helpers/libhelpers.a \
-../../../lua/liblua.a \
-../../../decompress/libdecompress.a \
-../../../sfip/libsfip.a \
-../../../sfrt/libsfrt.a \
-../../../protocols/libprotocols.a \
-../../../connectors/libconnectors.a \
-../../../connectors/file_connector/libfile_connector.a \
-../../../side_channel/libside_channel.a \
-../../../ports/libports.a \
-../../../utils/libutils.a
-
-appid_simple_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
-appid_simple_test_LDADD = ${snort_LIBS} @CPPUTEST_LDFLAGS@
-process_http_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@
-process_http_test_LDADD = ${snort_LIBS} @CPPUTEST_LDFLAGS@
-
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2016-2016 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// appid_simple_test.cc author stechew
-
-// Make some API calls to demonstrate that we can link with appid libs.
-
-#if 0
-#include <stdio.h>
-#include "appid_utils/fw_avltree.h"
-#include "protocols/protocol_ids.h"
-#include "sfip/sfip_t.h"
-#include "sfip/sf_ip.h"
-#include "fw_appid.h"
-#endif
-int main()
-{
-#if 0
- IpProtocol proto=IpProtocol::TCP;
- sfip_t* ip = nullptr;
- SFIP_RET status;
-
- printf("Testing...\n");
-
- ip = sfip_alloc("10.1.1.1", &status);
- fwAvlInit();
- appSharedDataAlloc(proto, ip);
-#endif
- return 0;
-}
-
+++ /dev/null
-#include <stdio.h>
-#include <stdlib.h>
-#include <assert.h>
-
-#include <check.h>
-
-#include "parser/mstring.h"
-
-#include "appid_config.h"
-
-#include "external_apis.h"
-#include "fw_appid.h"
-#include "session_file.h"
-
-#if 1 // FIXIT-M hacks
-// not sure where this is defined; outside the appid tree probably
-using ControlDataSendFunc = void (*)();
-#endif
-
-extern void AppIdReload(struct _SnortConfig* sc, char* args, void** new_config);
-extern void* AppIdReloadSwap(struct _SnortConfig* sc, void* swap_config);
-extern void AppIdReloadFree(void* old_context);
-extern int AppIdReconfigure(uint16_t type, const uint8_t* data, uint32_t length,
- void** new_context,
- char* statusBuf, int statusBuf_len);
-extern int AppIdReconfigureSwap(uint16_t type, void* new_context, void** old_context);
-extern void AppIdReconfigureFree(uint16_t type, void* old_context, struct _THREAD_ELEMENT* te,
- ControlDataSendFunc f);
-
-extern int processHTTPPacket(Packet* p, AppIdSession* session, int direction,
- HttpParsedHeaders* const headers, const AppIdConfig* pConfig);
-extern void appIdApiInit(struct AppIdApi*);
-extern void sfiph_build(Packet* p, const void* hdr, int family);
-extern void pickHttpXffAddress(Packet* p, AppIdSession* appIdSession,
- ThirdPartyAppIDAttributeData* attribute_data);
-
-AppIdApi appIdApi;
-
-// FIXIT: use APIs instead of using global
-extern AppIdSession* pAppIdData;
-
-static char* testFilesPath = nullptr;
-static char rnaConfPath[PATH_MAX] = { 0 };
-
-static void testProcessHttpPacket(const char* useragent, const char* host, const char* referer,
- const char* trailer)
-{
- // FIXIT-M J these need to be cleared, probably
- Packet p;
- AppIdSession session;
-
- char buf[1024];
- int bufLen;
-
- session.common.flags = 0x311380;
- session.hsession = (decltype(session.hsession))snort_calloc(sizeof(httpSession));
- if (host)
- {
- session.hsession->host = snort_strdup(host);
- strcpy(buf, "http://");
- strcat(buf, host);
- if (trailer)
- strcat(buf, trailer);
- else
- strcat(buf, "/");
- session.hsession->url = snort_strdup(buf);
- }
- if (useragent)
- session.hsession->useragent = snort_strdup(useragent);
- if (referer)
- session.hsession->referer = snort_strdup(referer);
- session.hsession->uri = snort_strdup("/");
- session.hsession->cookie = snort_strdup(
- "s_vi=[CS]v1|25B026B7851D124A-6000012D802520B2[CE]; CG=US:MD:Laurel; mbox=check#true#1336576860|session#1336576799559-724714#1336578660; SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; ug="
- "4faa8b240a5fef0aa5147448c8005347; ugs=1; tnr:usrvtstg01=1336576805411%7C0%7C0%7C1%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C1%7Cf%7C"
- "1%7C4%7C1336576805411; tnr:sesctmp01=1336576805411; s_cc=true; s_sq=%5B%5BB%5D%5D; adDEmas=R08&broadband&gblx.net&73&gbr&826027&0&10198&-&-&-&15275&; adDEon=true; s_ppv=13");
- session.serviceAppId = APP_ID_NONE;
- session.payload_app_id = APP_ID_NONE;
- session.tp_payload_app_id = 1190;
- session.scan_flags = 0x26;
- session.client_app_id = 0;
-
- strcpy(buf, "GET / HTTP/1.1\r\n");
- strcat(buf, "Host: ");
- strcat(buf, host);
- strcat(buf, "\r\nUser-Agent: ");
- strcat(buf, useragent);
- if (referer)
- {
- strcat(buf, "\r\nReferer: ");
- strcat(buf, referer);
- }
- strcat(buf, "\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
- strcat(buf,
- "Accept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n");
- strcat(buf, "Keep-Alive: 115\r\nConnection: keep-alive\r\n");
- bufLen = strlen(buf);
- strncat(buf,
- "Cookie: s_vi=[CS]v1|25B026B7851D124A-6000012D802520B2[CE]; CG=US:MD:Laurel; mbox=check#true#1336576860|session#1336576799559-724714#1336578660; SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; ug=4faa8b240a5fef0aa5147448c8005347; ugs=1; tnr:usrvtstg01=1336576805411%7C0%7C0%7C1%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C1%7Cf%7C1%7C4%7C1336576805411; tnr:sesctmp01=1336576805411; s_cc=true; s_sq=%5B%5BB%5D%5D; adDEmas=R08&broadband&gblx.net&73&gbr&826027&0&10198&-&-&-&15275&; adDEon=true; s_ppv=13\r\n\r\n",
- sizeof(buf) - bufLen - 1);
-
- p.data = (decltype(p.data))snort_strdup(buf);
- p.dsize = strlen((const char*)p.data);
-
- processHTTPPacket(&p, &session, APP_ID_FROM_INITIATOR, nullptr, pAppidActiveConfig);
-
- if (host)
- {
- snort_free(session.hsession->host);
- snort_free(session.hsession->url);
- }
- if (referer)
- snort_free(session.hsession->referer);
- if (useragent)
- snort_free(session.hsession->useragent);
- snort_free(session.hsession->uri);
- snort_free(session.hsession->cookie);
- snort_free(session.hsession);
-
- snort_free((uint8_t*)p.data);
-}
-
-void testFwAppIdSearch(const char* fileName)
-{
- Packet pkt;
- Flow flow;
-
- FILE* file;
- HttpParsedHeaders* httpHeader = nullptr;
- AppId service;
- bool isLoginSuccessful;
- char* userName;
- char* serviceVendor;
- char* serviceVersion;
- RNAServiceSubtype* serviceSubtype;
- int moreData = 0;
- char filePath[PATH_MAX];
-
- strcpy(filePath, testFilesPath);
- strcat(filePath, "/sessions/");
- strcat(filePath, fileName);
-
- file = fopen(filePath, "r");
- assert(file != nullptr);
-
- do
- {
- sessionFileReadSession(file, &flow);
- moreData = sessionFileReadPacket(file, &pkt, &httpHeader);
-
- pkt.flow = &flow;
-
- sfiph_build(&pkt, &pkt.ip4h, pkt.family);
-
- if (httpHeader)
- {
- //httpHeaderCallback(&pkt, httpHeader);
- }
- else
- {
- do_application_discovery(&pkt);
- }
-
- if (pkt.data)
- snort_free((uint8_t*)pkt.data);
- memset(&pkt, 0, sizeof(pkt));
-
- if (httpHeader)
- {
- if (httpHeader->host.start)
- snort_free((uint8_t*)httpHeader->host.start);
- if (httpHeader->url.start)
- snort_free((uint8_t*)httpHeader->url.start);
- if (httpHeader->method.start)
- snort_free((uint8_t*)httpHeader->method.start);
- if (httpHeader->userAgent.start)
- snort_free((uint8_t*)httpHeader->userAgent.start);
- if (httpHeader->referer.start)
- snort_free((uint8_t*)httpHeader->referer.start);
- if (httpHeader->via.start)
- snort_free((uint8_t*)httpHeader->via.start);
- if (httpHeader->responseCode.start)
- snort_free((uint8_t*)httpHeader->responseCode.start);
- if (httpHeader->server.start)
- snort_free((uint8_t*)httpHeader->server.start);
- if (httpHeader->xWorkingWith.start)
- snort_free((uint8_t*)httpHeader->xWorkingWith.start);
- if (httpHeader->contentType.start)
- snort_free((uint8_t*)httpHeader->contentType.start);
- snort_free(httpHeader);
- httpHeader = nullptr;
- }
- }
- while (moreData != -1);
-
- LogMessage("==========================================================\n");
- LogMessage("App name = %s\n", appGeAppName(appIdApi.geServiceAppId(pAppIdData)));
- LogMessage("AppId = %d\n", appGeAppId(appGeAppName(appIdApi.geServiceAppId(pAppIdData))));
- LogMessage("Service AppId = %d\n", appIdApi.geServiceAppId(pAppIdData));
- LogMessage("Only Service AppId = %d\n", appIdApi.get_only_service_app_id(pAppIdData));
- LogMessage("Misc AppId = %d\n", appIdApi.get_misc_app_id(pAppIdData));
- LogMessage("Client AppId = %d\n", appIdApi.get_client_app_id(pAppIdData));
- LogMessage("Payload AppId = %d\n", appIdApi.get_payload_app_id(pAppIdData));
- LogMessage("Referred AppId = %d\n", appIdApi.get_referred_app_id(pAppIdData));
- LogMessage("Fw Service AppId = %d\n", appIdApi.get_fw_service_app_id(pAppIdData));
- LogMessage("Fw Misc AppId = %d\n", appIdApi.get_fw_misc_app_id(pAppIdData));
- LogMessage("Fw Client AppId = %d\n", appIdApi.get_fw_client_app_id(pAppIdData));
- LogMessage("Fw Payload AppId = %d\n", appIdApi.get_fw_payload_app_id(pAppIdData));
- LogMessage("Fw Referred AppId = %d\n", appIdApi.get_fw_feferred_app_id(pAppIdData));
- LogMessage("Is Session SSL Decrypted = %d\n", appIdApi.is_ssl_session_decrypted(pAppIdData));
- LogMessage("Is AppId Inspecting Session = %d\n", appIdApi.is_appid_inspecting_session(
- pAppIdData));
- LogMessage("Is AppId Available = %d\n", appIdApi.is_appid_available(pAppIdData));
- userName = appIdApi.get_user_name(pAppIdData, &service, &isLoginSuccessful);
- LogMessage("User name = %s, service = %d, isLoginSuccessful = %d\n",
- userName, service, isLoginSuccessful);
- LogMessage("Client version = %s\n", appIdApi.geClientVersion(pAppIdData));
- // TODO: Is the flag argument correct?
- LogMessage("Session attribute = %" PRIx64 "\n", appIdApi.get_appid_session_attribute(pAppIdData,
- 0));
- LogMessage("Flow type = %08X\n", appIdApi.get_flow_type(pAppIdData));
- appIdApi.geServiceInfo(pAppIdData, &serviceVendor, &serviceVersion, &serviceSubtype);
- LogMessage("Service vendor = %s, version = %s\n",
- serviceVendor, serviceVersion);
- LogMessage("Service port = %d\n", appIdApi.geServicePort(pAppIdData));
- LogMessage("Service IP = %s\n", inet_ntoa(appIdApi.geServiceIp(pAppIdData)));
- LogMessage("HTTP user agent = %s\n", appIdApi.get_http_user_agent(pAppIdData));
- LogMessage("HTTP host = %s\n", appIdApi.getHttpHost(pAppIdData));
- LogMessage("HTTP URL = %s\n", appIdApi.get_http_url(pAppIdData));
- LogMessage("HTTP referer = %s\n", appIdApi.get_http_referer(pAppIdData));
- LogMessage("TLS host = %s\n", appIdApi.getTlsHost(pAppIdData));
- LogMessage("NetBIOS name = %s\n", appIdApi.get_netbios_name(pAppIdData));
-
- fclose(file);
-}
-
-START_TEST(ConfigParseTest)
-{
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- appIdConfigParse(
- "conf rna.conf, debug yes, dump_ports, memcap 0, app_stats_filename stats, app_stats_period 60, app_stats_rollover_size 100000, app_stats_rollover_time 60, app_detector_dir appid, instance_id 1, thirdparty_appid_dir thirdparty_appid");
-
- ck_assert_str_eq(appidStaticConfig.conf_file, "rna.conf");
- ck_assert_int_eq(appidStaticConfig.app_id_debug, 1);
- ck_assert_int_eq(appidStaticConfig.app_id_dump_ports, 1);
- ck_assert_uint_eq(appidStaticConfig.memcap, (32*1024*1024ULL));
- ck_assert_str_eq(appidStaticConfig.app_stats_filename, "stats");
- ck_assert_uint_eq(appidStaticConfig.app_stats_period, 60);
- ck_assert_uint_eq(appidStaticConfig.app_stats_rollover_size, 100000);
- ck_assert_uint_eq(appidStaticConfig.app_stats_rollover_time, 60);
- ck_assert_str_eq(appidStaticConfig.app_id_detector_path, "appid");
- ck_assert_uint_eq(appidStaticConfig.instance_id, 1);
- ck_assert_str_eq(appidStaticConfig.appid_thirdparty_dir, "thirdparty_appid");
-}
-END_TEST START_TEST(InitFiniTest)
-{
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(ReloadTest)
-{
- AppIdConfig* pNewConfig = nullptr;
- AppIdConfig* pOldConfig = nullptr;
-
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- AppIdReload(nullptr, nullptr, (void**)&pNewConfig);
- pOldConfig = AppIdReloadSwap(nullptr, pNewConfig);
- AppIdReloadFree(pOldConfig);
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(ReconfigureTest)
-{
- AppIdConfig* pNewConfig = nullptr;
- AppIdConfig* pOldConfig = nullptr;
-
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0);
- AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig);
- AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr);
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(HttpTest)
-{
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- testProcessHttpPacket(
- "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100715 Ubuntu/9.04 (jaunty) Firefox/3.6.7",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 (KHTML, like Gecko) Version/7.1 Safari/537.85.10",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
- "www.cnn.com",
- nullptr, nullptr);
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(HttpAfterReloadTest)
-{
- AppIdConfig* pNewConfig = nullptr;
- AppIdConfig* pOldConfig = nullptr;
-
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- AppIdReload(nullptr, nullptr, (void**)&pNewConfig);
- pOldConfig = AppIdReloadSwap(nullptr, pNewConfig);
- AppIdReloadFree(pOldConfig);
-
- testProcessHttpPacket(
- "Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
- "www.cnn.com",
- nullptr, nullptr);
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(HttpAfterReconfigureTest)
-{
- AppIdConfig* pNewConfig = nullptr;
- AppIdConfig* pOldConfig = nullptr;
-
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0);
- AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig);
- AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr);
-
- testProcessHttpPacket("Wget/1.9.1",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
- "www.cnn.com",
- nullptr, nullptr);
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(HttpAfterReloadReconfigureTest)
-{
- AppIdConfig* pNewConfig = nullptr;
- AppIdConfig* pOldConfig = nullptr;
-
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- AppIdReload(nullptr, nullptr, (void**)&pNewConfig);
- pOldConfig = AppIdReloadSwap(nullptr, pNewConfig);
- AppIdReloadFree(pOldConfig);
-
- pNewConfig = nullptr;
- pOldConfig = nullptr;
-
- AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0);
- AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig);
- AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr);
-
- testProcessHttpPacket(
- "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
- "www.123.com",
- "http://www.cnn.com", nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100715 Ubuntu/9.04 (jaunty) Firefox/3.6.7",
- "www.cnn.com",
- nullptr, "/tech?a=1&b=2");
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(HttpXffTest)
-{
- Packet p = { 0 };
- AppIdSession session = { 0 };
- httpSession hsession = { 0 };
- ThirdPartyAppIDAttributeData tpData = { 0 };
- SFIP_RET status;
- sfaddr_t* xffAddr = sfaddr_alloc("1.1.1.1", &status);
-
- // Only X-Forwarded-For
- session.hsession = &hsession;
- tpData.numXffFields = 1;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR;
- tpData.xffFieldValue[0].value = "1.1.1.1";
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- sfaddr_free(session.hsession->xffAddr);
-
- // Only True-Client-IP
- memset(&p, 0, sizeof(p));
- memset(&session, 0, sizeof(session));
- memset(&hsession, 0, sizeof(hsession));
- memset(&tpData, 0, sizeof(tpData));
- session.hsession = &hsession;
- tpData.numXffFields = 1;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_TRUE_CLIENT_IP;
- tpData.xffFieldValue[0].value = "1.1.1.1";
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- sfaddr_free(session.hsession->xffAddr);
-
- // X-Forwarded-For and True-Client-IP
- memset(&p, 0, sizeof(p));
- memset(&session, 0, sizeof(session));
- memset(&hsession, 0, sizeof(hsession));
- memset(&tpData, 0, sizeof(tpData));
- session.hsession = &hsession;
- tpData.numXffFields = 2;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_TRUE_CLIENT_IP;
- tpData.xffFieldValue[0].value = "2.2.2.2";
- tpData.xffFieldValue[1].field = HTTP_XFF_FIELD_X_FORWARDED_FOR;
- tpData.xffFieldValue[1].value = "1.1.1.1";
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- sfaddr_free(session.hsession->xffAddr);
-
- // Comma-separated list in X-Forwarded-For
- memset(&p, 0, sizeof(p));
- memset(&session, 0, sizeof(session));
- memset(&hsession, 0, sizeof(hsession));
- memset(&tpData, 0, sizeof(tpData));
- session.hsession = &hsession;
- tpData.numXffFields = 1;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR;
- tpData.xffFieldValue[0].value = snort_strdup("1.1.1.1, 2.2.2.2");
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- snort_free(tpData.xffFieldValue[0].value);
- sfaddr_free(session.hsession->xffAddr);
-
- // Custom XFF
- static char* defaultXffPrecedence[] = { "Custom-XFF", HTTP_XFF_FIELD_X_FORWARDED_FOR,
- HTTP_XFF_FIELD_TRUE_CLIENT_IP };
- memset(&p, 0, sizeof(p));
- memset(&session, 0, sizeof(session));
- memset(&hsession, 0, sizeof(hsession));
- memset(&tpData, 0, sizeof(tpData));
- session.hsession = &hsession;
- session.hsession->xffPrecedence = defaultXffPrecedence;
- session.hsession->numXffFields = 3;
- tpData.numXffFields = 2;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR;
- tpData.xffFieldValue[0].value = "2.2.2.2";
- tpData.xffFieldValue[1].field = "Custom-XFF";
- tpData.xffFieldValue[1].value = "1.1.1.1";
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- sfaddr_free(session.hsession->xffAddr);
-
- sfaddr_free(xffAddr);
-
- snort_free((uint8_t*)p.data);
-}
-
-END_TEST START_TEST(AimSessionTest)
-{
- testFwAppIdSearch("aim.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "AOL Instant Messenger");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_AOL_INSTANT_MESSENGER);
- ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), APP_ID_AOL_INSTANT_MESSENGER);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(CnnSessionTest)
-{
- testFwAppIdSearch("cnn.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "HTTP");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_HTTP);
- ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), APP_ID_FIREFOX);
- ck_assert_uint_eq(appIdApi.get_payload_app_id(pAppIdData), 1190); // CNN app
- ck_assert_str_eq(appIdApi.getHttpHost(pAppIdData), "www.cnn.com");
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(DnsSessionTest)
-{
- testFwAppIdSearch("dns.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "DNS");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_DNS);
- ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), APP_ID_DNS);
- ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 53);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(ImapSessionTest)
-{
- testFwAppIdSearch("imap.ssn");
-
- // TODO: Investigate why IMAP appids are not showing up
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(MdnsSessionTest)
-{
- testFwAppIdSearch("mdns.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "MDNS");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_MDNS);
- ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 5353);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(MsnSessionTest)
-{
- testFwAppIdSearch("msn.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "MSN Messenger");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_MSN_MESSENGER);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(NetbiosNsSessionTest)
-{
- testFwAppIdSearch("netbios_ns.ssn");
-
- // TODO: Investigate why NetBIOS name service appids are not showing up
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(NetbiosSsSessionTest)
-{
- testFwAppIdSearch("netbios_ss.ssn");
-
- // TODO: Investigate why NetBIOS ss appids are not showing up
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(PatternSessionTest)
-{
- testFwAppIdSearch("pattern.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "3Com AMP3");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), 3000);
- ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), 3000);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(Pop3SessionTest)
-{
- testFwAppIdSearch("pop3.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "POP3");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_POP3);
- ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 110);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(RfbSessionTest)
-{
- testFwAppIdSearch("rfb.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "RFB");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_VNC_RFB);
- ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), APP_ID_VNC);
- ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 5900);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(RtpSessionTest)
-{
- testFwAppIdSearch("rtp.ssn");
-
- // TODO: Investigate why RTP appids are not showing up
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(SmtpSessionTest)
-{
- testFwAppIdSearch("smtp.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "SMTP");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_SMTP);
- ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 25);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(TimbuktuSessionTest)
-{
- testFwAppIdSearch("timbuktu.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "Timbuktu");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_TIMBUKTU);
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_TIMBUKTU);
- ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 407);
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(WebexSessionTest)
-{
- testFwAppIdSearch("webex.ssn");
-
- ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "HTTP");
- ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_HTTP);
- ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), 2932); // WebEx
- ck_assert_uint_eq(appIdApi.get_payload_app_id(pAppIdData), 2932); // WebEx
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST START_TEST(YmSessionTest)
-{
- testFwAppIdSearch("ym.ssn");
-
- // TODO: Investigate why Yahoo messenger appids are not showing up
-
- appSharedDataDelete(pAppIdData);
- pAppIdData = nullptr;
-}
-
-END_TEST
-
-static void appIdTestSetup(void)
-{
- testFilesPath = getenv("APPID_TESTS_PATH");
-
- if (testFilesPath == nullptr)
- {
- printf("Env variable APPID_TESTS_PATH is not set. Exiting ...\n");
- exit(-1);
- }
-
- strcpy(rnaConfPath, testFilesPath);
- strcat(rnaConfPath, "/rna.conf");
-}
-
-static void sessionTcaseSetup(void)
-{
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-}
-
-static void sessionTcaseClean(void)
-{
- AppIdCommonFini();
-}
-
-static Suite* setupAppIdSuite(void)
-{
- Suite* appIdSuite;
- TCase* frameworkTcase;
- TCase* httpTcase;
- TCase* sessionTcase;
-
- appIdSuite = suite_create("AppId");
-
- // Create Framework test case
- frameworkTcase = tcase_create("FrameworkTestCase");
- tcase_add_checked_fixture(frameworkTcase, nullptr, nullptr);
-
- // Add tests to Framework test case
- tcase_add_test(frameworkTcase, ConfigParseTest);
- tcase_add_test(frameworkTcase, InitFiniTest);
- tcase_add_test(frameworkTcase, ReloadTest);
- tcase_add_test(frameworkTcase, ReconfigureTest);
-
- suite_add_tcase(appIdSuite, frameworkTcase);
-
- // Create Http test case
- httpTcase = tcase_create("HttpTestCase");
- tcase_add_checked_fixture(httpTcase, nullptr, nullptr);
-
- // Add tests to Http test case
- tcase_add_test(httpTcase, HttpTest);
- tcase_add_test(httpTcase, HttpAfterReloadTest);
- tcase_add_test(httpTcase, HttpAfterReconfigureTest);
- tcase_add_test(httpTcase, HttpAfterReloadReconfigureTest);
- tcase_add_test(httpTcase, HttpXffTest);
-
- suite_add_tcase(appIdSuite, httpTcase);
-
- // Create Session test case
- sessionTcase = tcase_create("SessionTestCase");
- tcase_add_checked_fixture(sessionTcase, nullptr, nullptr);
-
- // Add tests to Session test case
- tcase_add_test(sessionTcase, AimSessionTest);
- tcase_add_test(sessionTcase, CnnSessionTest);
- tcase_add_test(sessionTcase, DnsSessionTest);
- tcase_add_test(sessionTcase, ImapSessionTest);
- tcase_add_test(sessionTcase, MdnsSessionTest);
- tcase_add_test(sessionTcase, MsnSessionTest);
- tcase_add_test(sessionTcase, NetbiosNsSessionTest);
- tcase_add_test(sessionTcase, NetbiosSsSessionTest);
- tcase_add_test(sessionTcase, PatternSessionTest);
- tcase_add_test(sessionTcase, Pop3SessionTest);
- tcase_add_test(sessionTcase, RfbSessionTest);
- tcase_add_test(sessionTcase, RtpSessionTest);
- tcase_add_test(sessionTcase, SmtpSessionTest);
- tcase_add_test(sessionTcase, TimbuktuSessionTest);
- tcase_add_test(sessionTcase, WebexSessionTest);
- tcase_add_test(sessionTcase, YmSessionTest);
-
- suite_add_tcase(appIdSuite, sessionTcase);
-
- return appIdSuite;
-}
-
-int main(int argc, char* argv[])
-{
- int opt, debug = 0;
- int numberFailed;
- Suite* appIdSuite;
- SRunner* appIdRunner;
-
- while ((opt = getopt(argc, argv, "dh")) != -1)
- {
- switch (opt)
- {
- case 'd':
- debug = 1;
- break;
- case 'h':
- printf(
- "Usage:\n\
- -d: Run test in no fork mode for debugging in gdb.\n\
- -h: This text.\n");
- return EXIT_SUCCESS;
- }
- }
-
- appIdTestSetup();
-
- // Create a test runner for AppId suite
- appIdSuite = setupAppIdSuite();
- appIdRunner = srunner_create(appIdSuite);
-
- if (debug)
- {
- srunner_set_fork_status(appIdRunner, CK_NOFORK);
- }
-
- // Set test results format to TAP and specify file name
- srunner_set_tap(appIdRunner, "AppIdTests.tap~");
-
- // Run test cases in AppId suite
- srunner_run(appIdRunner, nullptr, "FrameworkTestCase", CK_NORMAL);
-
- system("cp AppIdTests.tap~ AppIdTests.tap");
-
- srunner_run(appIdRunner, nullptr, "HttpTestCase", CK_NORMAL);
-
- system("cat AppIdTests.tap~ >> AppIdTests.tap");
-
- sessionTcaseSetup();
- srunner_run(appIdRunner, nullptr, "SessionTestCase", CK_NORMAL);
- sessionTcaseClean();
-
- system("cat AppIdTests.tap~ >> AppIdTests.tap");
-
- numberFailed = srunner_ntests_failed(appIdRunner);
- srunner_free(appIdRunner);
- return (numberFailed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
-}
-
+++ /dev/null
-//#include <stdarg.h>
-#include "external_apis.h"
-#include "session_file.h"
-#include "appid_session.h"
-
-#include "protocols/packet.h"
-#include "protocols/tcp.h"
-#include "protocols/udp.h"
-
-AppIdSession* pAppIdData = nullptr;
-
-/***********************************************************
- * Local functions
- **********************************************************/
-static void determinePacketDirection(Packet* p, uint16_t p_port, uint16_t scb_port, int is_sport)
-{
- if (is_sport)
- p->packet_flags |= (p_port == scb_port) ? PKT_FROM_CLIENT : PKT_FROM_SERVER;
- else
- p->packet_flags |= (p_port == scb_port) ? PKT_FROM_SERVER : PKT_FROM_CLIENT;
-}
-
-static void setPacketDirectionFlag(Packet* p, SessionControlBlock* session)
-{
- if (p->is_ip4())
- {
- if (sfip_fast_eq4(p->ptrs.ip_api.get_src(), &session->client_ip))
- {
- if (p->is_tcp())
- determinePacketDirection(p, p->ptrs.tcph->src_port(), session->client_port, true);
- else if (p->is_udp())
- determinePacketDirection(p, p->ptrs.udph->src_port(), session->client_port, true);
- else
- p->packet_flags |= PKT_FROM_CLIENT;
- }
- else if (sfip_fast_eq4(p->ptrs.ip_api.get_dst(), &session->client_ip))
- {
- if (p->is_tcp())
- determinePacketDirection(p, p->ptrs.tcph->dst_port(), session->client_port, false);
- else if (p->is_udp())
- determinePacketDirection(p, p->ptrs.udph->dst_port(), session->client_port, false);
- else
- p->packet_flags |= PKT_FROM_SERVER;
- }
- }
- else
- {
- if (sfip_fast_eq6(p->ptrs.ip_api.get_src(), &session->client_ip))
- {
- if (p->is_tcp())
- determinePacketDirection(p, p->ptrs.tcph->src_port(), session->client_port, true);
- else if (p->is_udp())
- determinePacketDirection(p, p->ptrs.udph->src_port(), session->client_port, true);
- else
- p->packet_flags |= PKT_FROM_CLIENT;
- }
- else if (sfip_fast_eq6(p->ptrs.ip_api.get_dst(), &session->client_ip))
- {
- if (p->is_tcp())
- determinePacketDirection(p, p->ptrs.tcph->dst_port(), session->client_port, false);
- else if (p->is_udp())
- determinePacketDirection(p, p->ptrs.udph->dst_port(), session->client_port, false);
- else
- p->packet_flags |= PKT_FROM_SERVER;
- }
- }
-}
-
-NORETURN void FatalError(const char* format,...)
-{
- va_list arg;
-
- printf("FATAL ERROR: ");
-
- va_start (arg, format);
- vfprintf (stdout, format, arg);
- va_end (arg);
- fflush(stdout);
-
- exit(-1);
-}
-
-void LogMessage(const char* format,...)
-{
- va_list arg;
-
- printf("LOG MESSAGE: ");
-
- va_start (arg, format);
- vfprintf (stdout, format, arg);
- va_end (arg);
- fflush(stdout);
-}
-
-/***********************************************************
- * _dpd APIs
- **********************************************************/
-void logMsg(const char* format, ...)
-{
- va_list arg;
-
- printf("LOG: ");
-
- va_start (arg, format);
- vfprintf (stdout, format, arg);
- va_end (arg);
- fflush(stdout);
-}
-
-void errMsg(const char* format, ...)
-{
- va_list arg;
-
- printf("ERROR: ");
-
- va_start (arg, format);
- vfprintf (stdout, format, arg);
- va_end (arg);
- fflush(stdout);
-}
-
-void debugMsg(uint64_t, const char* format, ...)
-{
- va_list arg;
-
- printf("DEBUG: ");
-
- va_start (arg, format);
- vfprintf (stdout, format, arg);
- va_end (arg);
- fflush(stdout);
-}
-
-int16_t addProtocolReference(const char*)
-{
- return 0;
-}
-
-void* addPreproc(struct _SnortConfig*, void (*)(void*, void*), uint16_t, uint32_t, uint32_t)
-{
- return nullptr;
-}
-
-tSfPolicyId getParserPolicy(struct _SnortConfig*)
-{
- return 0;
-}
-
-tSfPolicyId getDefaultPolicy(void)
-{
- return 1;
-}
-
-bool isAppIdRequired(void)
-{
- return false;
-}
-
-uint32_t getSnortInstance(void)
-{
- return 0;
-}
-
-int16_t findProtocolReference(const char*)
-{
- return 0;
-}
-
-/***********************************************************
- * Session APIs
- **********************************************************/
-void enable_preproc_all_ports(struct _SnortConfig*, uint32_t, uint32_t)
-{
-}
-
-void* get_flow_data(void*, uint32_t)
-{
- return pAppIdData;
-}
-
-int set_flow_data(void*, uint32_t, AppIdSession* data, StreamAppDataFree)
-{
- pAppIdData = data;
-
- return 0;
-}
-
-uint32_t get_packet_direction(Packet* p)
-{
- if ((p == nullptr) || (p->flow == nullptr))
- return 0;
-
- setPacketDirectionFlag(p, p->flow);
-
- return (p->packet_flags & (PKT_FROM_SERVER | PKT_FROM_CLIENT));
-}
-
-uint32_t get_session_flags(void* ssnptr)
-{
- SessionControlBlock* scb = (SessionControlBlock*)ssnptr;
- return scb->ha_state.session_flags;
-}
-
-sfaddr_t* get_session_ip_address(void* scbptr, uint32_t direction)
-{
- SessionControlBlock* scb = (SessionControlBlock*)scbptr;
-
- if (scb != nullptr)
- {
- switch (direction)
- {
- case SSN_DIR_FROM_SERVER:
- return (sfaddr_t*)(&(scb)->server_ip);
-
- case SSN_DIR_FROM_CLIENT:
- return (sfaddr_t*)(&(scb)->client_ip);
-
- default:
- break;
- }
- }
-
- return nullptr;
-}
-
-void set_application_id(void*, int16_t, int16_t, int16_t, int16_t)
-{
-}
-
-bool is_session_http2(void*)
-{
- return false;
-}
-
-int16_t get_application_protocol_id(void*)
-{
- return 0;
-}
-
-char** get_http_xff_precedence(void*, uint32_t, int*)
-{
- return nullptr;
-}
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// external_apis.h author Sourcefire Inc.
-
-#ifndef EXTERNAL_APIS_H
-#define EXTERNAL_APIS_H
-
-#include <cstdint>
-
-#include "flow/flow.h"
-
-struct sfaddr_t;
-struct SnortConfig;
-struct Packet;
-using tSfPolicyId = int;
-
-#define PKT_FROM_SERVER 0x00000040 /* this packet came from the server
- side of a connection (TCP) */
-#define PKT_FROM_CLIENT 0x00000080 /* this packet came from the client
- side of a connection (TCP) */
-// _dpd APIs
-void logMsg(const char*, ...);
-void errMsg(const char*, ...);
-void debugMsg(uint64_t type, const char*, ...);
-int16_t addProtocolReference(const char* protocol);
-
-void* addPreproc(
- SnortConfig*, void (* pp_func)(void*, void*), uint16_t priority,
- uint32_t appId, uint32_t flags);
-
-tSfPolicyId getParserPolicy(SnortConfig*);
-tSfPolicyId getDefaultPolicy();
-bool isAppIdRequired();
-uint32_t getSnortInstance();
-int16_t findProtocolReference(const char* app);
-
-// Session APIs
-void enable_preproc_all_ports(SnortConfig*, uint32_t appId, uint32_t flags);
-void* get_flow_data(void* stream_session, uint32_t protocol);
-int set_flow_data(void* scbptr, uint32_t protocol, void* data, StreamAppDataFree);
-uint32_t get_packet_direction(Packet*);
-uint32_t get_session_flags(void* ssnptr);
-sfaddr_t* get_session_ip_address(void* scbptr, uint32_t direction);
-int16_t get_application_protocol_id(void* scbptr);
-char** get_http_xff_precedence(void* ssn, uint32_t flags, int* nFields);
-
-// Stream APIs
-void set_application_id(
- void* ssnptr, int16_t serviceAppid, int16_t ClientAppid,
- int16_t payloadAppId, int16_t miscAppid);
-
-bool is_session_http2(void* ssn);
-
-#endif
+++ /dev/null
-/*
-* $Id: mpse.c,v 1.2 2015/03/25 14:45:18 andrbake Exp $
-*
-* mpse.c
-*
-* An abstracted interface to the Multi-Pattern Matching routines,
-* thats why we're passing 'void *' objects around.
-*
-* Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
-* Copyright (C) 2002-2013 Sourcefire, Inc.
-* Marc A Norton <mnorton@sourcefire.com>
-*
-* Updates:
-* 3/06 - Added AC_BNFA search
-**
-** This program is free software; you can redistribute it and/or modify
-** it under the terms of the GNU General Public License Version 2 as
-** published by the Free Software Foundation. You may not use, modify or
-** distribute this program under any other version of the GNU General
-** Public License.
-**
-** This program is distributed in the hope that it will be useful,
-** but WITHOUT ANY WARRANTY; without even the implied warranty of
-** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-** GNU General Public License for more details.
-**
-** You should have received a copy of the GNU General Public License
-** along with this program; if not, write to the Free Software
-** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-**
-*/
-#include <assert.h>
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-#include "bnfa_search.h"
-#include "acsmx.h"
-#include "acsmx2.h"
-#include "sfksearch.h"
-#include "mpse.h"
-#include "snort_debug.h"
-#include "sf_types.h"
-#include "util.h"
-
-#ifdef INTEL_SOFT_CPM
-#include "intel-soft-cpm.h"
-#endif
-#include "profiler.h"
-
-#include "snort.h"
-
-static uint64_t s_bcnt=0;
-
-typedef struct _mpse_struct
-{
- int method;
- void* obj;
- int verbose;
- uint64_t bcnt;
- char inc_global_counter;
-} MPSE;
-
-void* mpseNew(int method, int use_global_counter_flag,
- void (* userfree)(void* p),
- void (* optiontreefree)(void** p),
- void (* neg_list_free)(void** p))
-{
- MPSE* p;
-
- p = (MPSE*)snort_calloc(sizeof(MPSE) );
- p->method = method;
- p->verbose = 0;
- p->obj = nullptr;
- p->bcnt = 0;
- p->inc_global_counter = (char)use_global_counter_flag;
-
- switch ( method )
- {
- case MPSE_AC_BNFA:
- p->obj=bnfaNew(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- ((bnfa_struct_t*)(p->obj))->bnfaMethod = 1;
- break;
- case MPSE_AC_BNFA_Q:
- p->obj=bnfaNew(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- ((bnfa_struct_t*)(p->obj))->bnfaMethod = 0;
- break;
- case MPSE_AC:
- p->obj = acsmNew(userfree, optiontreefree, neg_list_free);
- break;
- case MPSE_ACF:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_FULL);
- break;
- case MPSE_ACF_Q:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_FULLQ);
- break;
- case MPSE_ACS:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_SPARSE);
- break;
- case MPSE_ACB:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_BANDED);
- break;
- case MPSE_ACSB:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_SPARSEBANDS);
- break;
- case MPSE_LOWMEM:
- p->obj = KTrieNew(0,userfree, optiontreefree, neg_list_free);
- break;
- case MPSE_LOWMEM_Q:
- p->obj = KTrieNew(1,userfree, optiontreefree, neg_list_free);
- break;
- default:
- /* p is free'd below if no case */
- break;
- }
-
- if ( !p->obj )
- {
- snort_free(p);
- p = nullptr;
- }
-
- return (void*)p;
-}
-
-void* mpseNewWithSnortConfig(struct _SnortConfig* sc,
- int method, int use_global_counter_flag,
- void (* userfree)(void* p),
- void (* optiontreefree)(void** p),
- void (* neg_list_free)(void** p))
-{
- MPSE* p;
-
- p = (MPSE*)snort_calloc(sizeof(MPSE) );
- p->method = method;
- p->verbose = 0;
- p->obj = nullptr;
- p->bcnt = 0;
- p->inc_global_counter = (char)use_global_counter_flag;
-
- switch ( method )
- {
- case MPSE_AC_BNFA:
- p->obj=bnfaNew(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- ((bnfa_struct_t*)(p->obj))->bnfaMethod = 1;
- break;
- case MPSE_AC_BNFA_Q:
- p->obj=bnfaNew(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- ((bnfa_struct_t*)(p->obj))->bnfaMethod = 0;
- break;
- case MPSE_AC:
- p->obj = acsmNew(userfree, optiontreefree, neg_list_free);
- break;
- case MPSE_ACF:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_FULL);
- break;
- case MPSE_ACF_Q:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_FULLQ);
- break;
- case MPSE_ACS:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_SPARSE);
- break;
- case MPSE_ACB:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_BANDED);
- break;
- case MPSE_ACSB:
- p->obj = acsmNew2(userfree, optiontreefree, neg_list_free);
- if (p->obj)
- acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_SPARSEBANDS);
- break;
- case MPSE_LOWMEM:
- p->obj = KTrieNew(0,userfree, optiontreefree, neg_list_free);
- break;
- case MPSE_LOWMEM_Q:
- p->obj = KTrieNew(1,userfree, optiontreefree, neg_list_free);
- break;
-#ifdef INTEL_SOFT_CPM
- case MPSE_INTEL_CPM:
- p->obj=IntelPmNew(sc, userfree, optiontreefree, neg_list_free);
- break;
-#endif
- default:
- /* p is free'd below if no case */
- break;
- }
-
- if ( !p->obj )
- {
- snort_free(p);
- p = nullptr;
- }
-
- return (void*)p;
-}
-
-void mpseVerbose(void* pvoid)
-{
- MPSE* p = (MPSE*)pvoid;
- p->verbose = 1;
-}
-
-void mpseSetOpt(void* pvoid, int flag)
-{
- MPSE* p = (MPSE*)pvoid;
-
- if (p == nullptr)
- return;
- switch ( p->method )
- {
- case MPSE_AC_BNFA_Q:
- case MPSE_AC_BNFA:
- if (p->obj)
- bnfaSetOpt((bnfa_struct_t*)p->obj,flag);
- break;
- case MPSE_ACF:
- case MPSE_ACF_Q:
- if (p->obj)
- acsmCompressStates((ACSM_STRUCT2*)p->obj, flag);
- break;
- default:
- break;
- }
-}
-
-void mpseFree(void* pvoid)
-{
- MPSE* p = (MPSE*)pvoid;
-
- if (p == nullptr)
- return;
-
- switch ( p->method )
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- if (p->obj)
- bnfaFree((bnfa_struct_t*)p->obj);
- snort_free(p);
- return;
-
- case MPSE_AC:
- if (p->obj)
- acsmFree((ACSM_STRUCT*)p->obj);
- snort_free(p);
- return;
-
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- if (p->obj)
- acsmFree2((ACSM_STRUCT2*)p->obj);
- snort_free(p);
- return;
-
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- if (p->obj)
- KTrieDelete((KTRIE_STRUCT*)p->obj);
- snort_free(p);
- return;
-
-#ifdef INTEL_SOFT_CPM
- case MPSE_INTEL_CPM:
- if (p->obj)
- IntelPmDelete((IntelPm*)p->obj);
- snort_free(p);
- break;
-#endif
-
- default:
- snort_free(p);
- assert(false);
- return;
- }
-}
-
-int mpseAddPattern(void* pvoid, void* P, int m,
- unsigned noCase, unsigned offset, unsigned depth,
- unsigned negative, void* ID, int IID)
-{
- MPSE* p = (MPSE*)pvoid;
-
- switch ( p->method )
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- return bnfaAddPattern( (bnfa_struct_t*)p->obj, (unsigned char*)P, m,
- noCase, negative, ID);
-
- case MPSE_AC:
- return acsmAddPattern( (ACSM_STRUCT*)p->obj, (unsigned char*)P, m,
- noCase, offset, depth, negative, ID, IID);
-
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- return acsmAddPattern2( (ACSM_STRUCT2*)p->obj, (unsigned char*)P, m,
- noCase, offset, depth, negative, ID, IID);
-
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- return KTrieAddPattern( (KTRIE_STRUCT*)p->obj, (unsigned char*)P, m,
- noCase, negative, ID);
- default:
- return -1;
- }
-}
-
-int mpseAddPatternWithSnortConfig(SnortConfig* sc, void* pvoid, void* P, int m,
- unsigned noCase, unsigned offset, unsigned depth,
- unsigned negative, void* ID, int IID)
-{
- MPSE* p = (MPSE*)pvoid;
-
- switch ( p->method )
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- return bnfaAddPattern( (bnfa_struct_t*)p->obj, (unsigned char*)P, m,
- noCase, negative, ID);
-
- case MPSE_AC:
- return acsmAddPattern( (ACSM_STRUCT*)p->obj, (unsigned char*)P, m,
- noCase, offset, depth, negative, ID, IID);
-
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- return acsmAddPattern2( (ACSM_STRUCT2*)p->obj, (unsigned char*)P, m,
- noCase, offset, depth, negative, ID, IID);
-
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- return KTrieAddPattern( (KTRIE_STRUCT*)p->obj, (unsigned char*)P, m,
- noCase, negative, ID);
-#ifdef INTEL_SOFT_CPM
- case MPSE_INTEL_CPM:
- return IntelPmAddPattern(sc, (IntelPm*)p->obj, (unsigned char*)P, m,
- noCase, negative, ID, IID);
-#endif
- default:
- return -1;
- }
-}
-
-void mpseLargeShifts(void* pvoid, int flag)
-{
- MPSE* p = (MPSE*)pvoid;
-
- switch ( p->method )
- {
- default:
- return;
- }
-}
-
-int mpsePrepPatterns(void* pvoid,
- int ( * build_tree )(void* id, void** existing_tree),
- int ( * neg_list_func )(void* id, void** list) )
-{
- int retv;
- MPSE* p = (MPSE*)pvoid;
-
- switch ( p->method )
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- retv = bnfaCompile( (bnfa_struct_t*)p->obj, build_tree, neg_list_func);
- break;
-
- case MPSE_AC:
- retv = acsmCompile( (ACSM_STRUCT*)p->obj, build_tree, neg_list_func);
- break;
-
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- retv = acsmCompile2( (ACSM_STRUCT2*)p->obj, build_tree, neg_list_func);
- break;
-
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- return KTrieCompile( (KTRIE_STRUCT*)p->obj, build_tree, neg_list_func);
-
- default:
- retv = 1;
- break;
- }
-
- return retv;
-}
-
-int mpsePrepPatternsWithSnortConf(struct _SnortConfig* sc, void* pvoid,
- int ( * build_tree )(struct _SnortConfig*, void* id, void** existing_tree),
- int ( * neg_list_func )(void* id, void** list) )
-{
- int retv;
- MPSE* p = (MPSE*)pvoid;
-
- switch ( p->method )
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- retv = bnfaCompileWithSnortConf(sc, (bnfa_struct_t*)p->obj, build_tree, neg_list_func);
- break;
-
- case MPSE_AC:
- retv = acsmCompileWithSnortConf(sc, (ACSM_STRUCT*)p->obj, build_tree, neg_list_func);
- break;
-
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- retv = acsmCompile2WithSnortConf(sc, (ACSM_STRUCT2*)p->obj, build_tree, neg_list_func);
- break;
-
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- return KTrieCompileWithSnortConf(sc, (KTRIE_STRUCT*)p->obj, build_tree, neg_list_func);
-
-#ifdef INTEL_SOFT_CPM
- case MPSE_INTEL_CPM:
- return IntelPmFinishGroup(sc, (IntelPm*)p->obj, build_tree, neg_list_func);
-#endif
-
- default:
- retv = 1;
- break;
- }
-
- return retv;
-}
-
-int mpsePrintInfo(void* pvoid)
-{
- MPSE* p = (MPSE*)pvoid;
-
- fflush(stderr);
- fflush(stdout);
- switch ( p->method )
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- bnfaPrintInfo( (bnfa_struct_t*)p->obj);
- break;
- case MPSE_AC:
- return acsmPrintDetailInfo( (ACSM_STRUCT*)p->obj);
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- return acsmPrintDetailInfo2( (ACSM_STRUCT2*)p->obj);
-
- default:
- return 1;
- }
- fflush(stderr);
- fflush(stdout);
-
- return 0;
-}
-
-int mpsePrintSummary(int method)
-{
- switch (method)
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- bnfaPrintSummary();
- break;
- case MPSE_AC:
- acsmPrintSummaryInfo();
- break;
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- acsmPrintSummaryInfo2();
- break;
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- if ( KTrieMemUsed() )
- {
- double x;
- x = (double)KTrieMemUsed();
- LogMessage("[ LowMem Search-Method Memory Used : %g %s ]\n",
- (x > 1.e+6) ? x/1.e+6 : x/1.e+3,
- (x > 1.e+6) ? "MBytes" : "KBytes");
- }
- break;
- default:
- break;
- }
-
- return 0;
-}
-
-int mpsePrintSummaryWithSnortConfig(SnortConfig* sc, int method)
-{
- switch (method)
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- bnfaPrintSummary();
- break;
- case MPSE_AC:
- acsmPrintSummaryInfo();
- break;
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- acsmPrintSummaryInfo2();
- break;
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- if ( KTrieMemUsed() )
- {
- double x;
- x = (double)KTrieMemUsed();
- LogMessage("[ LowMem Search-Method Memory Used : %g %s ]\n",
- (x > 1.e+6) ? x/1.e+6 : x/1.e+3,
- (x > 1.e+6) ? "MBytes" : "KBytes");
- }
- break;
- default:
- break;
- }
-
-#ifdef INTEL_SOFT_CPM
- IntelPmPrintSummary(sc);
-#endif
-
- return 0;
-}
-
-void mpseInitSummary(void)
-{
- acsm_init_summary();
- bnfaInitSummary();
- KTrieInitMemUsed();
-}
-
-int mpseSearch(void* pvoid, const unsigned char* T, int n,
- int ( * action )(void* id, void* tree, int index, void* data, void* neg_list),
- void* data, int* current_state)
-{
- MPSE* p = (MPSE*)pvoid;
- int ret;
- PROFILE_VARS;
-
- PREPROC_PROFILE_START(mpsePerfStats);
-
- p->bcnt += n;
-
- if (p->inc_global_counter)
- s_bcnt += n;
-
- switch ( p->method )
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- /* return is actually the state */
- ret = bnfaSearch((bnfa_struct_t*)p->obj, (unsigned char*)T, n,
- action, data, 0 /* start-state */, current_state);
- PREPROC_PROFILE_END(mpsePerfStats);
- return ret;
-
- case MPSE_AC:
- ret = acsmSearch( (ACSM_STRUCT*)p->obj, (unsigned char*)T, n, action, data, current_state);
- PREPROC_PROFILE_END(mpsePerfStats);
- return ret;
-
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- ret = acsmSearch2( (ACSM_STRUCT2*)p->obj, (unsigned char*)T, n, action, data,
- current_state);
- PREPROC_PROFILE_END(mpsePerfStats);
- return ret;
-
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- ret = KTrieSearch( (KTRIE_STRUCT*)p->obj, (unsigned char*)T, n, action, data);
- *current_state = 0;
- PREPROC_PROFILE_END(mpsePerfStats);
- return ret;
-
-#ifdef INTEL_SOFT_CPM
- case MPSE_INTEL_CPM:
- ret = IntelPmSearch((IntelPm*)p->obj, (unsigned char*)T, n, action, data);
- *current_state = 0;
- PREPROC_PROFILE_END(mpsePerfStats);
- return ret;
-#endif
-
- default:
- PREPROC_PROFILE_END(mpsePerfStats);
- return 1;
- }
-}
-
-int mpseSearchAll(void* pvoid, const unsigned char* T, int n,
- int ( * action )(void* id, void* tree, int index, void* data, void* neg_list),
- void* data, int* current_state)
-{
- MPSE* p = (MPSE*)pvoid;
- int ret;
- PROFILE_VARS;
-
- PREPROC_PROFILE_START(mpsePerfStats);
-
- p->bcnt += n;
-
- if (p->inc_global_counter)
- s_bcnt += n;
-
- switch ( p->method )
- {
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- ret = acsmSearchAll2( (ACSM_STRUCT2*)p->obj, (unsigned char*)T, n, action, data,
- current_state);
- PREPROC_PROFILE_END(mpsePerfStats);
- return ret;
-
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- case MPSE_AC:
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
-#ifdef INTEL_SOFT_CPM
- case MPSE_INTEL_CPM:
-#endif
- default:
- //search all not implemented.
- PREPROC_PROFILE_END(mpsePerfStats);
- return 1;
- }
-}
-
-int mpseGetPatternCount(void* pvoid)
-{
- MPSE* p = (MPSE*)pvoid;
-
- if (p == nullptr)
- return 0;
-
- switch ( p->method )
- {
- case MPSE_AC_BNFA:
- case MPSE_AC_BNFA_Q:
- return bnfaPatternCount((bnfa_struct_t*)p->obj);
- case MPSE_AC:
- return acsmPatternCount((ACSM_STRUCT*)p->obj);
- case MPSE_ACF:
- case MPSE_ACF_Q:
- case MPSE_ACS:
- case MPSE_ACB:
- case MPSE_ACSB:
- return acsmPatternCount2((ACSM_STRUCT2*)p->obj);
- case MPSE_LOWMEM:
- case MPSE_LOWMEM_Q:
- return KTriePatternCount((KTRIE_STRUCT*)p->obj);
-#ifdef INTEL_SOFT_CPM
- case MPSE_INTEL_CPM:
- return IntelGetPatternCount((IntelPm*)p->obj);
-#endif
- }
- return 0;
-}
-
-uint64_t mpseGetPatByteCount(void)
-{
- return s_bcnt;
-}
-
-void mpseResetByteCount(void)
-{
- s_bcnt = 0;
-}
-
-void mpse_print_qinfo(void)
-{
- sfksearch_print_qinfo();
- bnfa_print_qinfo();
- acsmx2_print_qinfo();
-}
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2016-2016 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-#include "appid_api.h"
-#include "fw_appid.h"
-
-extern void appIdApiInit(struct AppIdApi*);
-
-AppIdApi appIdApi;
-
-static void appIdTestSetup()
-{
-#ifdef REMOVED_WHILE_NOT_IN_USE
-
- testFilesPath = getenv("APPID_TESTS_PATH");
-
- if (testFilesPath == nullptr)
- {
- printf("Env variable APPID_TESTS_PATH is not set. Exiting ...\n");
- exit(-1);
- }
-
- strcpy(rnaConfPath, testFilesPath);
- strcat(rnaConfPath, "/rna.conf");
-
-#endif
-
-}
-
-#ifdef REMOVED_WHILE_NOT_IN_USE
-#include <stdio.h>
-#include <stdlib.h>
-#include <assert.h>
-
-#include <check.h>
-
-#include "parser/mstring.h"
-
-#include "appid_config.h"
-
-#include "external_apis.h"
-#include "fw_appid.h"
-#include "session_file.h"
-
-#if 1 // FIXIT-M hacks
-// not sure where this is defined; outside the appid tree probably
-using ControlDataSendFunc = void (*)();
-#endif
-
-extern void AppIdReload(struct _SnortConfig* sc, char* args, void** new_config);
-extern void* AppIdReloadSwap(struct _SnortConfig* sc, void* swap_config);
-extern void AppIdReloadFree(void* old_context);
-extern int AppIdReconfigure(uint16_t type, const uint8_t* data, uint32_t length,
- void** new_context,
- char* statusBuf, int statusBuf_len);
-extern int AppIdReconfigureSwap(uint16_t type, void* new_context, void** old_context);
-extern void AppIdReconfigureFree(uint16_t type, void* old_context, struct _THREAD_ELEMENT* te,
- ControlDataSendFunc f);
-#endif
-
-#ifdef REMOVED_WHILE_NOT_IN_USE
-extern int processHTTPPacket(Packet* p, AppIdData* session, int direction,
- HttpParsedHeaders* const headers, const AppIdConfig* pConfig);
-extern void sfiph_build(Packet* p, const void* hdr, int family);
-extern void pickHttpXffAddress(Packet* p, AppIdData* appIdSession,
- ThirdPartyAppIDAttributeData* attribute_data);
-
-// FIXIT: use APIs instead of using global
-extern AppIdData* pAppIdData;
-
-static char* testFilesPath = nullptr;
-static char rnaConfPath[PATH_MAX] = { 0 };
-
-static void testProcessHttpPacket(const char* useragent, const char* host, const char* referer,
- const char* trailer)
-{
- // FIXIT-M J these need to be cleared, probably
- Packet p;
- AppIdData session;
-
- char buf[1024];
- int bufLen;
-
- session.common.flags = 0x311380;
- session.hsession = (decltype(session.hsession))snort_calloc(sizeof(httpSession));
- if (host)
- {
- session.hsession->host = snort_strdup(host);
- strcpy(buf, "http://");
- strcat(buf, host);
- if (trailer)
- strcat(buf, trailer);
- else
- strcat(buf, "/");
- session.hsession->url = snort_strdup(buf);
- }
- if (useragent)
- session.hsession->useragent = snort_strdup(useragent);
- if (referer)
- session.hsession->referer = snort_strdup(referer);
- session.hsession->uri = snort_strdup("/");
- session.hsession->cookie = snort_strdup(
- "s_vi=[CS]v1|25B026B7851D124A-6000012D802520B2[CE]; CG=US:MD:Laurel; mbox=check#true#1336576860|session#1336576799559-724714#1336578660; SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; ug="
- "4faa8b240a5fef0aa5147448c8005347; ugs=1; tnr:usrvtstg01=1336576805411%7C0%7C0%7C1%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C1%7Cf%7C"
- "1%7C4%7C1336576805411; tnr:sesctmp01=1336576805411; s_cc=true; s_sq=%5B%5BB%5D%5D; adDEmas=R08&broadband&gblx.net&73&gbr&826027&0&10198&-&-&-&15275&; adDEon=true; s_ppv=13");
- session.serviceAppId = APP_ID_NONE;
- session.payloadAppId = APP_ID_NONE;
- session.tpPayloadAppId = 1190;
- session.scan_flags = 0x26;
- session.ClientAppId = 0;
-
- strcpy(buf, "GET / HTTP/1.1\r\n");
- strcat(buf, "Host: ");
- strcat(buf, host);
- strcat(buf, "\r\nUser-Agent: ");
- strcat(buf, useragent);
- if (referer)
- {
- strcat(buf, "\r\nReferer: ");
- strcat(buf, referer);
- }
- strcat(buf, "\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
- strcat(buf,
- "Accept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n");
- strcat(buf, "Keep-Alive: 115\r\nConnection: keep-alive\r\n");
- bufLen = strlen(buf);
- strncat(buf,
- "Cookie: s_vi=[CS]v1|25B026B7851D124A-6000012D802520B2[CE]; CG=US:MD:Laurel; mbox=check#true#1336576860|session#1336576799559-724714#1336578660; SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; ug=4faa8b240a5fef0aa5147448c8005347; ugs=1; tnr:usrvtstg01=1336576805411%7C0%7C0%7C1%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C1%7Cf%7C1%7C4%7C1336576805411; tnr:sesctmp01=1336576805411; s_cc=true; s_sq=%5B%5BB%5D%5D; adDEmas=R08&broadband&gblx.net&73&gbr&826027&0&10198&-&-&-&15275&; adDEon=true; s_ppv=13\r\n\r\n",
- sizeof(buf) - bufLen - 1);
-
- p.data = (decltype(p.data))snort_strdup(buf);
- p.dsize = strlen((const char*)p.data);
-
- processHTTPPacket(&p, &session, APP_ID_FROM_INITIATOR, nullptr, pAppidActiveConfig);
-
- if (host)
- {
- snort_free(session.hsession->host);
- snort_free(session.hsession->url);
- }
- if (referer)
- snort_free(session.hsession->referer);
- if (useragent)
- snort_free(session.hsession->useragent);
- snort_free(session.hsession->uri);
- snort_free(session.hsession->cookie);
- snort_free(session.hsession);
-
- snort_free((uint8_t*)p.data);
-}
-
-START_TEST(HttpTest)
-{
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- testProcessHttpPacket(
- "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100715 Ubuntu/9.04 (jaunty) Firefox/3.6.7",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 (KHTML, like Gecko) Version/7.1 Safari/537.85.10",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
- "www.cnn.com",
- nullptr, nullptr);
-
- AppIdCommonFini();
-}
-
-END_TEST
-
-#ifdef REMOVED_WHILE_NOT_IN_USE
-START_TEST(HttpAfterReloadTest)
-{
- AppIdConfig* pNewConfig = nullptr;
- AppIdConfig* pOldConfig = nullptr;
-
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- AppIdReload(nullptr, nullptr, (void**)&pNewConfig);
- pOldConfig = AppIdReloadSwap(nullptr, pNewConfig);
- AppIdReloadFree(pOldConfig);
-
- testProcessHttpPacket(
- "Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
- "www.cnn.com",
- nullptr, nullptr);
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(HttpAfterReconfigureTest)
-{
- AppIdConfig* pNewConfig = nullptr;
- AppIdConfig* pOldConfig = nullptr;
-
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0);
- AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig);
- AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr);
-
- testProcessHttpPacket("Wget/1.9.1",
- "www.cnn.com",
- nullptr, nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
- "www.cnn.com",
- nullptr, nullptr);
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(HttpAfterReloadReconfigureTest)
-{
- AppIdConfig* pNewConfig = nullptr;
- AppIdConfig* pOldConfig = nullptr;
-
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-
- AppIdReload(nullptr, nullptr, (void**)&pNewConfig);
- pOldConfig = AppIdReloadSwap(nullptr, pNewConfig);
- AppIdReloadFree(pOldConfig);
-
- pNewConfig = nullptr;
- pOldConfig = nullptr;
-
- AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0);
- AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig);
- AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr);
-
- testProcessHttpPacket(
- "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
- "www.123.com",
- "http://www.cnn.com", nullptr);
- testProcessHttpPacket(
- "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100715 Ubuntu/9.04 (jaunty) Firefox/3.6.7",
- "www.cnn.com",
- nullptr, "/tech?a=1&b=2");
-
- AppIdCommonFini();
-}
-
-END_TEST START_TEST(HttpXffTest)
-{
- Packet p = { 0 };
- AppIdData session = { 0 };
- httpSession hsession = { 0 };
- ThirdPartyAppIDAttributeData tpData = { 0 };
- SFIP_RET status;
- sfaddr_t* xffAddr = sfaddr_alloc("1.1.1.1", &status);
-
- // Only X-Forwarded-For
- session.hsession = &hsession;
- tpData.numXffFields = 1;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR;
- tpData.xffFieldValue[0].value = "1.1.1.1";
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- sfaddr_free(session.hsession->xffAddr);
-
- // Only True-Client-IP
- memset(&p, 0, sizeof(p));
- memset(&session, 0, sizeof(session));
- memset(&hsession, 0, sizeof(hsession));
- memset(&tpData, 0, sizeof(tpData));
- session.hsession = &hsession;
- tpData.numXffFields = 1;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_TRUE_CLIENT_IP;
- tpData.xffFieldValue[0].value = "1.1.1.1";
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- sfaddr_free(session.hsession->xffAddr);
-
- // X-Forwarded-For and True-Client-IP
- memset(&p, 0, sizeof(p));
- memset(&session, 0, sizeof(session));
- memset(&hsession, 0, sizeof(hsession));
- memset(&tpData, 0, sizeof(tpData));
- session.hsession = &hsession;
- tpData.numXffFields = 2;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_TRUE_CLIENT_IP;
- tpData.xffFieldValue[0].value = "2.2.2.2";
- tpData.xffFieldValue[1].field = HTTP_XFF_FIELD_X_FORWARDED_FOR;
- tpData.xffFieldValue[1].value = "1.1.1.1";
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- sfaddr_free(session.hsession->xffAddr);
-
- // Comma-separated list in X-Forwarded-For
- memset(&p, 0, sizeof(p));
- memset(&session, 0, sizeof(session));
- memset(&hsession, 0, sizeof(hsession));
- memset(&tpData, 0, sizeof(tpData));
- session.hsession = &hsession;
- tpData.numXffFields = 1;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR;
- tpData.xffFieldValue[0].value = snort_strdup("1.1.1.1, 2.2.2.2");
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- snort_free(tpData.xffFieldValue[0].value);
- sfaddr_free(session.hsession->xffAddr);
-
- // Custom XFF
- static char* defaultXffPrecedence[] = { "Custom-XFF", HTTP_XFF_FIELD_X_FORWARDED_FOR,
- HTTP_XFF_FIELD_TRUE_CLIENT_IP };
- memset(&p, 0, sizeof(p));
- memset(&session, 0, sizeof(session));
- memset(&hsession, 0, sizeof(hsession));
- memset(&tpData, 0, sizeof(tpData));
- session.hsession = &hsession;
- session.hsession->xffPrecedence = defaultXffPrecedence;
- session.hsession->numXffFields = 3;
- tpData.numXffFields = 2;
- tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR;
- tpData.xffFieldValue[0].value = "2.2.2.2";
- tpData.xffFieldValue[1].field = "Custom-XFF";
- tpData.xffFieldValue[1].value = "1.1.1.1";
- pickHttpXffAddress(&p, &session, &tpData);
- ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL);
- sfaddr_free(session.hsession->xffAddr);
-
- sfaddr_free(xffAddr);
-
- snort_free((uint8_t*)p.data);
-}
-
-#endif
-
-static void sessionTcaseSetup(void)
-{
- memset(&appidStaticConfig, 0, sizeof(appidStaticConfig));
-
- strcpy(appidStaticConfig.conf_file, rnaConfPath);
- strcpy(appidStaticConfig.app_id_detector_path, testFilesPath);
-
- AppIdCommonInit(&appidStaticConfig);
-}
-
-static void sessionTcaseClean(void)
-{
- AppIdCommonFini();
-}
-
-static Suite* setupAppIdSuite(void)
-{
- Suite* appIdSuite;
- TCase* frameworkTcase;
- TCase* httpTcase;
- TCase* sessionTcase;
-
- appIdSuite = suite_create("AppId");
-
- // Create Framework test case
- frameworkTcase = tcase_create("FrameworkTestCase");
- tcase_add_checked_fixture(frameworkTcase, nullptr, nullptr);
-
- // Add tests to Framework test case
- tcase_add_test(frameworkTcase, ConfigParseTest);
- tcase_add_test(frameworkTcase, InitFiniTest);
- tcase_add_test(frameworkTcase, ReloadTest);
- tcase_add_test(frameworkTcase, ReconfigureTest);
-
- suite_add_tcase(appIdSuite, frameworkTcase);
-
- // Create Http test case
- httpTcase = tcase_create("HttpTestCase");
- tcase_add_checked_fixture(httpTcase, nullptr, nullptr);
-
- // Add tests to Http test case
- tcase_add_test(httpTcase, HttpTest);
- tcase_add_test(httpTcase, HttpAfterReloadTest);
- tcase_add_test(httpTcase, HttpAfterReconfigureTest);
- tcase_add_test(httpTcase, HttpAfterReloadReconfigureTest);
- tcase_add_test(httpTcase, HttpXffTest);
-
- suite_add_tcase(appIdSuite, httpTcase);
-
- // Create Session test case
- sessionTcase = tcase_create("SessionTestCase");
- tcase_add_checked_fixture(sessionTcase, nullptr, nullptr);
-
- // Add tests to Session test case
- tcase_add_test(sessionTcase, AimSessionTest);
- tcase_add_test(sessionTcase, CnnSessionTest);
- tcase_add_test(sessionTcase, DnsSessionTest);
- tcase_add_test(sessionTcase, ImapSessionTest);
- tcase_add_test(sessionTcase, MdnsSessionTest);
- tcase_add_test(sessionTcase, MsnSessionTest);
- tcase_add_test(sessionTcase, NetbiosNsSessionTest);
- tcase_add_test(sessionTcase, NetbiosSsSessionTest);
- tcase_add_test(sessionTcase, PatternSessionTest);
- tcase_add_test(sessionTcase, Pop3SessionTest);
- tcase_add_test(sessionTcase, RfbSessionTest);
- tcase_add_test(sessionTcase, RtpSessionTest);
- tcase_add_test(sessionTcase, SmtpSessionTest);
- tcase_add_test(sessionTcase, TimbuktuSessionTest);
- tcase_add_test(sessionTcase, WebexSessionTest);
- tcase_add_test(sessionTcase, YmSessionTest);
-
- suite_add_tcase(appIdSuite, sessionTcase);
-
- return appIdSuite;
-}
-
-#endif
-
-int main()
-{
-#ifdef REMOVED_WHILE_NOT_IN_USE
- int opt, debug = 0;
- int numberFailed;
- Suite* appIdSuite;
- SRunner* appIdRunner;
-
- while ((opt = getopt(argc, argv, "dh")) != -1)
- {
- switch (opt)
- {
- case 'd':
- debug = 1;
- break;
- case 'h':
- printf(
- "Usage:\n\
- -d: Run test in no fork mode for debugging in gdb.\n\
- -h: This text.\n");
- return EXIT_SUCCESS;
- }
- }
-#endif
-
- appIdTestSetup();
-
-#ifdef REMOVED_WHILE_NOT_IN_USE
- // Create a test runner for AppId suite
- appIdSuite = setupAppIdSuite();
- appIdRunner = srunner_create(appIdSuite);
-
- if (debug)
- {
- srunner_set_fork_status(appIdRunner, CK_NOFORK);
- }
-
- // Set test results format to TAP and specify file name
- srunner_set_tap(appIdRunner, "AppIdTests.tap~");
-
- // Run test cases in AppId suite
- srunner_run(appIdRunner, nullptr, "FrameworkTestCase", CK_NORMAL);
-
- system("cp AppIdTests.tap~ AppIdTests.tap");
-
- srunner_run(appIdRunner, nullptr, "HttpTestCase", CK_NORMAL);
-
- system("cat AppIdTests.tap~ >> AppIdTests.tap");
-
- sessionTcaseSetup();
- srunner_run(appIdRunner, nullptr, "SessionTestCase", CK_NORMAL);
- sessionTcaseClean();
-
- system("cat AppIdTests.tap~ >> AppIdTests.tap");
-
- numberFailed = srunner_ntests_failed(appIdRunner);
- srunner_free(appIdRunner);
- return (numberFailed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
-#endif
-}
-
+++ /dev/null
-#
-# Configuration generated for NetworkDiscovery
-#
-# FIXIT - Look into converting these configuration options to lua
-#
-config ModuleDirectory /var/sf/detection_engines/812d18e2-1851-11e6-9201-d085f23f50f8/libs/rna
-config OutputMethod serial -f rna.bin -t 86400 -s 20
-config Database sfsnort correlator correlator
-
-config MaxHostClientApps 16
-config MaxHostServices 100
-config MaxPayloads 100
-config MaxHostServiceInfo 16
-
-protoid BannerGrab 0
-pnd UpdateTimeout 3600
-userConfig captureFailedLoginAttempts 1
-# START Export Rule - 1 (5e30e278-1852-11e6-a7db-e1e48cc1c54d)
-# Device Analyze
-config AnalyzeApplication 0.0.0.0/0 -1
-config AnalyzeApplication ::/0 -1
-# Device Source Service Exclusion
-# Device Destination Service Exclusion
-# END
-
-
+++ /dev/null
-#include <stdio.h>
-#include "session_file.h"
-
-static void sessionFileAdd(void* session, SessionFileData* data);
-static SessionFileData* sessionFileFind(void* session);
-static void sessionDataDump(FILE* file, SessionControlBlock* scb);
-static void packetDataDump(FILE* file, uint32_t packetCount, Packet* pkt);
-static void sessionDataRead(FILE* file, SessionControlBlock* scb);
-static int packetDataRead(FILE* file, Packet* pkt, HttpParsedHeaders** pHttpHeader);
-static void readHttpHeaderItem(FILE* file, HEADER_LOCATION* headerLocation);
-
-static SFXHASH* sessionFiles = nullptr;
-
-void sessionFileInit(void)
-{
- sessionFiles = sfxhash_new(2048,
- sizeof(void*),
- sizeof(SessionFileData),
- 0,
- 0,
- nullptr,
- nullptr,
- 0);
-}
-
-void sessionFileFini(void)
-{
- SFXHASH_NODE* node;
- SessionFileData* data;
-
- for (node = sfxhash_findfirst(sessionFiles);
- node;
- node = sfxhash_findnext(sessionFiles))
- {
- data = (SessionFileData*)node->data;
- fclose(data->file);
- }
-
- sfxhash_delete(sessionFiles);
- sessionFiles = nullptr;
-}
-
-FILE* sessionFileProcess(Packet* pkt)
-{
- static uint32_t packetCount = 0;
- static uint32_t sessionCount = 0;
- SessionFileData* pSessionFileData;
- SessionFileData sessionFileData;
- SessionControlBlock* scb = (SessionControlBlock*)pkt->stream_session;
-
- packetCount++;
-
- if (!scb)
- {
- printf("Ignoring packet %d\n", packetCount);
- return nullptr;
- }
-
- pSessionFileData = sessionFileFind(scb);
-
- if (!pSessionFileData)
- {
- pSessionFileData = &sessionFileData;
-
- sessionCount++;
- sprintf(pSessionFileData->fileName, "session%d.ssn", sessionCount);
- pSessionFileData->file = fopen(pSessionFileData->fileName, "w");
- pSessionFileData->packetCount = 1;
-
- sessionFileAdd(scb, pSessionFileData);
- }
- else
- {
- pSessionFileData->packetCount++;
- }
-
- sessionDataDump(pSessionFileData->file, scb);
-
- packetDataDump(pSessionFileData->file, pSessionFileData->packetCount, pkt);
-
- return pSessionFileData->file;
-}
-
-void sessionFileProcessHttp(Packet* pkt, HttpParsedHeaders* headers)
-{
- FILE* file = sessionFileProcess(pkt);
-
- if (file == nullptr)
- return;
-
- if (headers->host.len > 0)
- {
- fprintf(file, " %u %d ", PACKET_HTTP_HOST, headers->host.len);
- fwrite(headers->host.start, 1, headers->host.len, file);
- }
- if (headers->url.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_URL, headers->url.len);
- fwrite(headers->url.start, 1, headers->url.len, file);
- }
- if (headers->method.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_METHOD, headers->method.len);
- fwrite(headers->method.start, 1, headers->method.len, file);
- }
- if (headers->userAgent.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_USER_AGENT, headers->userAgent.len);
- fwrite(headers->userAgent.start, 1, headers->userAgent.len, file);
- }
- if (headers->referer.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_REFERER, headers->referer.len);
- fwrite(headers->referer.start, 1, headers->referer.len, file);
- }
- if (headers->via.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_VIA, headers->via.len);
- fwrite(headers->via.start, 1, headers->via.len, file);
- }
- if (headers->responseCode.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_RESPONSE_CODE, headers->responseCode.len);
- fwrite(headers->responseCode.start, 1, headers->responseCode.len, file);
- }
- if (headers->server.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_SERVER, headers->server.len);
- fwrite(headers->server.start, 1, headers->server.len, file);
- }
- if (headers->xWorkingWith.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_X_WORKING_WITH, headers->xWorkingWith.len);
- fwrite(headers->xWorkingWith.start, 1, headers->xWorkingWith.len, file);
- }
- if (headers->contentType.len > 0)
- {
- fprintf(file, "\n %u %d ", PACKET_HTTP_CONTENT_TYPE, headers->contentType.len);
- fwrite(headers->contentType.start, 1, headers->contentType.len, file);
- }
- fprintf(file, "\n");
-}
-
-void sessionFileReadSession(FILE* file, SessionControlBlock* scb)
-{
- char buf[16];
-
- while (true)
- {
- fscanf(file, "%s\n", buf);
-
- if (strcmp(buf, "Session:") == 0)
- {
- sessionDataRead(file, scb);
- return;
- }
- }
-}
-
-int sessionFileReadPacket(FILE* file, Packet* pkt, HttpParsedHeaders** pHttpHeader)
-{
- char buf[16];
-
- while (true)
- {
- fscanf(file, "%s\n", buf);
-
- if (strncmp(buf, "Packet", 6) == 0)
- {
- fgets(buf, 16, file);
- return packetDataRead(file, pkt, pHttpHeader);
- }
- }
-}
-
-static void sessionFileAdd(void* session, SessionFileData* data)
-{
- sfxhash_add(sessionFiles, &session, data);
-}
-
-static SessionFileData* sessionFileFind(void* session)
-{
- return (SessionFileData*)sfxhash_find(sessionFiles, &session);
-}
-
-static void sessionDataDump(FILE* file, SessionControlBlock* scb)
-{
- fprintf(file, "Session:\n");
- fprintf(file, " %u %08X %08X %08X %08X\n", SESSION_CLIENT_IP_IA32,
- scb->client_ip.ia32[0],
- scb->client_ip.ia32[1],
- scb->client_ip.ia32[2],
- scb->client_ip.ia32[3]);
- fprintf(file, " %u %u\n", SESSION_CLIENT_PORT, scb->client_port);
- fprintf(file, " %u %u\n", SESSION_HA_STATE_SESSION_FLAGS, scb->ha_state.session_flags);
-}
-
-static void packetDataDump(FILE* file, uint32_t packetCount, Packet* pkt)
-{
- fprintf(file, "Packet %d:\n", packetCount);
-
- if (pkt->pkt_header)
- {
- fprintf(file, " %u %u\n", PACKET_PKT_HEADER_TS_TV_SEC, (unsigned
- int)pkt->pkt_header->ts.tv_sec);
- fprintf(file, " %u %d\n", PACKET_PKT_HEADER_INGRESS_GROUP,
- pkt->pkt_header->ingress_group);
- fprintf(file, " %u %u\n", PACKET_PKT_HEADER_PKTLEN, pkt->pkt_header->pktlen);
- }
-
- if (pkt->tcp_header)
- {
- fprintf(file, " %u %u\n", PACKET_TCP_HEADER_SOURCE_PORT, pkt->tcp_header->source_port);
- fprintf(file, " %u %u\n", PACKET_TCP_HEADER_FLAGS, pkt->tcp_header->flags);
- }
-
- if (pkt->udp_header)
- {
- fprintf(file, " %u %u\n", PACKET_UDP_HEADER_SOURCE_PORT, pkt->udp_header->source_port);
- }
-
- if (pkt->is_ip4())
- {
- fprintf(file, " %u %08X %08X %08X %08X\n", PACKET_IP4H_IP_ADDRS_IP_SRC_IA32,
- pkt->ip4h->ip_addrs->ip_src.ia32[0],
- pkt->ip4h->ip_addrs->ip_src.ia32[1],
- pkt->ip4h->ip_addrs->ip_src.ia32[2],
- pkt->ip4h->ip_addrs->ip_src.ia32[3]);
- fprintf(file, " %u %u\n", PACKET_IP4H_IP_ADDRS_IP_SRC_FAMILY,
- pkt->ip4h->ip_addrs->ip_src.family);
- fprintf(file, " %u %08X %08X %08X %08X\n", PACKET_IP4H_IP_ADDRS_IP_DST_IA32,
- pkt->ip4h->ip_addrs->ip_dst.ia32[0],
- pkt->ip4h->ip_addrs->ip_dst.ia32[1],
- pkt->ip4h->ip_addrs->ip_dst.ia32[2],
- pkt->ip4h->ip_addrs->ip_dst.ia32[3]);
- fprintf(file, " %u %u\n", PACKET_IP4H_IP_ADDRS_IP_DST_FAMILY,
- pkt->ip4h->ip_addrs->ip_dst.family);
- fprintf(file, " %u %u\n", PACKET_IP4H_IP_PROTO, pkt->ip4h->ip_proto);
- }
-
- if (pkt->ip6h)
- {
- fprintf(file, " %u %08X %08X %08X %08X\n", PACKET_IP6H_IP_ADDRS_IP_SRC_IA32,
- pkt->ip6h->ip_addrs->ip_src.ia32[0],
- pkt->ip6h->ip_addrs->ip_src.ia32[1],
- pkt->ip6h->ip_addrs->ip_src.ia32[2],
- pkt->ip6h->ip_addrs->ip_src.ia32[3]);
- fprintf(file, " %u %u\n", PACKET_IP6H_IP_ADDRS_IP_SRC_FAMILY,
- pkt->ip6h->ip_addrs->ip_src.family);
- fprintf(file, " %u %08X %08X %08X %08X\n", PACKET_IP6H_IP_ADDRS_IP_DST_IA32,
- pkt->ip6h->ip_addrs->ip_dst.ia32[0],
- pkt->ip6h->ip_addrs->ip_dst.ia32[1],
- pkt->ip6h->ip_addrs->ip_dst.ia32[2],
- pkt->ip6h->ip_addrs->ip_dst.ia32[3]);
- fprintf(file, " %u %u\n", PACKET_IP6H_IP_ADDRS_IP_DST_FAMILY,
- pkt->ip6h->ip_addrs->ip_dst.family);
- }
-
- fprintf(file, " %u %u\n", PACKET_FAMILY, pkt->family);
- fprintf(file, " %u %08X\n", PACKET_FLAGS, pkt->flags);
- fprintf(file, " %u %u\n", PACKET_SRC_PORT, pkt->src_port);
- fprintf(file, " %u %u\n", PACKET_DST_PORT, pkt->dst_port);
- if (pkt->payload_size)
- {
- fprintf(file, " %u %u ", PACKET_PAYLOAD, pkt->payload_size);
- fwrite(pkt->payload, 1, pkt->payload_size, file);
- fprintf(file, "\n");
- }
-}
-
-void sessionDataRead(FILE* file, SessionControlBlock* scb)
-{
- int match;
- uint32_t type;
-
- while (true)
- {
- match = fscanf(file, "%u", &type);
-
- if ((match == EOF) || (match == 0))
- return;
-
- switch (type)
- {
- case SESSION_CLIENT_IP_IA32:
- fscanf(file, "%x", &scb->client_ip.ia32[0]);
- fscanf(file, "%x", &scb->client_ip.ia32[1]);
- fscanf(file, "%x", &scb->client_ip.ia32[2]);
- fscanf(file, "%x\n", &scb->client_ip.ia32[3]);
- break;
- case SESSION_CLIENT_PORT:
- fscanf(file, "%u\n", (unsigned int*)&scb->client_port);
- break;
- case SESSION_HA_STATE_SESSION_FLAGS:
- fscanf(file, "%u\n", &scb->ha_state.session_flags);
- break;
- default:
- printf("Unknown session field\n");
- break;
- }
- }
-}
-
-// FIXIT - M Must check to ensure memory allocated by snort_calloc's below is freed when
-// the tests complete
-static int packetDataRead(FILE* file, Packet* pkt, HttpParsedHeaders** pHttpHeader)
-{
- static SFDAQ_PktHdr_t pkt_header = { 0 };
- static TCPHeader tcp_header = { 0 };
- static UDPHeader udp_header = { 0 };
- static IP4Hdr ip4h = { 0 };
- static IP6Hdr ip6h = { 0 };
- static IPAddresses ip4_addrs = { 0 };
- static IPAddresses ip6_addrs = { 0 };
- int match;
- uint32_t type;
-
- memset(&pkt_header, 0, sizeof(pkt_header));
- memset(&tcp_header, 0, sizeof(tcp_header));
- memset(&udp_header, 0, sizeof(udp_header));
- memset(&ip4h, 0, sizeof(ip4h));
- memset(&ip6h, 0, sizeof(ip6h));
- memset(&ip4_addrs, 0, sizeof(ip4_addrs));
- memset(&ip6_addrs, 0, sizeof(ip6_addrs));
-
- while (true)
- {
- match = fscanf(file, "%u", &type);
-
- if (match == EOF)
- return -1;
- if (match == 0)
- return 0;
-
- switch (type)
- {
- case PACKET_PKT_HEADER_TS_TV_SEC:
- pkt->pkt_header = &pkt_header;
- fscanf(file, "%u\n", (unsigned int*)&pkt_header.ts.tv_sec);
- break;
- case PACKET_PKT_HEADER_INGRESS_GROUP:
- pkt->pkt_header = &pkt_header;
- fscanf(file, "%u\n", &pkt_header.ingress_group);
- break;
- case PACKET_PKT_HEADER_PKTLEN:
- pkt->pkt_header = &pkt_header;
- fscanf(file, "%u\n", &pkt_header.pktlen);
- break;
- case PACKET_TCP_HEADER_SOURCE_PORT:
- pkt->tcp_header = &tcp_header;
- fscanf(file, "%u\n", (unsigned int*)&tcp_header.source_port);
- break;
- case PACKET_TCP_HEADER_FLAGS:
- pkt->tcp_header = &tcp_header;
- fscanf(file, "%u\n", (unsigned int*)&tcp_header.flags);
- break;
- case PACKET_UDP_HEADER_SOURCE_PORT:
- pkt->udp_header = &udp_header;
- fscanf(file, "%u\n", (unsigned int*)&udp_header.source_port);
- break;
- case PACKET_IP4H_IP_ADDRS_IP_SRC_IA32:
- ip4h.ip_addrs = &ip4_addrs;
- pkt->ip4h = &ip4h;
-
- fscanf(file, "%x", &ip4_addrs.ip_src.ia32[0]);
- fscanf(file, "%x", &ip4_addrs.ip_src.ia32[1]);
- fscanf(file, "%x", &ip4_addrs.ip_src.ia32[2]);
- fscanf(file, "%x\n", &ip4_addrs.ip_src.ia32[3]);
- break;
- case PACKET_IP4H_IP_ADDRS_IP_SRC_FAMILY:
- ip4h.ip_addrs = &ip4_addrs;
- pkt->ip4h = &ip4h;
-
- fscanf(file, "%u\n", (unsigned int*)&ip4_addrs.ip_src.family);
- break;
- case PACKET_IP4H_IP_ADDRS_IP_DST_IA32:
- ip4h.ip_addrs = &ip4_addrs;
- pkt->ip4h = &ip4h;
-
- fscanf(file, "%x", &ip4_addrs.ip_dst.ia32[0]);
- fscanf(file, "%x", &ip4_addrs.ip_dst.ia32[1]);
- fscanf(file, "%x", &ip4_addrs.ip_dst.ia32[2]);
- fscanf(file, "%x\n", &ip4_addrs.ip_dst.ia32[3]);
- break;
- case PACKET_IP4H_IP_ADDRS_IP_DST_FAMILY:
- ip4h.ip_addrs = &ip4_addrs;
- pkt->ip4h = &ip4h;
-
- fscanf(file, "%u\n", (unsigned int*)&ip4_addrs.ip_dst.family);
- break;
- case PACKET_IP4H_IP_PROTO:
- ip4h.ip_addrs = &ip4_addrs;
- pkt->ip4h = &ip4h;
-
- fscanf(file, "%u\n", (unsigned int*)&ip4h.ip_proto);
- break;
- case PACKET_IP6H_IP_ADDRS_IP_SRC_IA32:
- ip6h.ip_addrs = &ip6_addrs;
- pkt->ip6h = &ip6h;
-
- fscanf(file, "%x", &ip6_addrs.ip_src.ia32[0]);
- fscanf(file, "%x", &ip6_addrs.ip_src.ia32[1]);
- fscanf(file, "%x", &ip6_addrs.ip_src.ia32[2]);
- fscanf(file, "%x\n", &ip6_addrs.ip_src.ia32[3]);
- break;
- case PACKET_IP6H_IP_ADDRS_IP_SRC_FAMILY:
- ip6h.ip_addrs = &ip6_addrs;
- pkt->ip6h = &ip6h;
-
- fscanf(file, "%u\n", (unsigned int*)&ip6_addrs.ip_src.family);
- break;
- case PACKET_IP6H_IP_ADDRS_IP_DST_IA32:
- ip6h.ip_addrs = &ip6_addrs;
- pkt->ip6h = &ip6h;
-
- fscanf(file, "%x", &ip6_addrs.ip_dst.ia32[0]);
- fscanf(file, "%x", &ip6_addrs.ip_dst.ia32[1]);
- fscanf(file, "%x", &ip6_addrs.ip_dst.ia32[2]);
- fscanf(file, "%x\n", &ip6_addrs.ip_dst.ia32[3]);
- break;
- case PACKET_IP6H_IP_ADDRS_IP_DST_FAMILY:
- ip6h.ip_addrs = &ip6_addrs;
- pkt->ip6h = &ip6h;
-
- fscanf(file, "%u\n", (unsigned int*)&ip6_addrs.ip_dst.family);
- break;
- case PACKET_FAMILY:
- fscanf(file, "%u\n", &pkt->family);
- break;
- case PACKET_FLAGS:
- fscanf(file, "%x\n", &pkt->flags);
- break;
- case PACKET_SRC_PORT:
- fscanf(file, "%u\n", (unsigned int*)&pkt->src_port);
- break;
- case PACKET_DST_PORT:
- fscanf(file, "%u\n", (unsigned int*)&pkt->dst_port);
- break;
- case PACKET_PAYLOAD:
- fscanf(file, "%u", (unsigned int*)&pkt->payload_size);
- fgetc(file);
- pkt->payload = snort_calloc(sizeof(char)* pkt->payload_size);
- fread((uint8_t*)pkt->payload, 1, pkt->payload_size, file);
- break;
- case PACKET_HTTP_HOST:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->host);
- break;
- case PACKET_HTTP_URL:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->url);
- break;
- case PACKET_HTTP_METHOD:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->method);
- break;
- case PACKET_HTTP_USER_AGENT:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->userAgent);
- break;
- case PACKET_HTTP_REFERER:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->referer);
- break;
- case PACKET_HTTP_VIA:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->via);
- break;
- case PACKET_HTTP_RESPONSE_CODE:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->responseCode);
- break;
- case PACKET_HTTP_SERVER:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->server);
- break;
- case PACKET_HTTP_X_WORKING_WITH:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->xWorkingWith);
- break;
- case PACKET_HTTP_CONTENT_TYPE:
- if (!(*pHttpHeader))
- *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders));
- readHttpHeaderItem(file, &(*pHttpHeader)->contentType);
- break;
- default:
- printf("Unknown packet field\n");
- break;
- }
- }
-}
-
-static void readHttpHeaderItem(FILE* file, HEADER_LOCATION* headerLocation)
-{
- uint8_t* start;
-
- fscanf(file, "%u", &headerLocation->len);
- start = snort_calloc(headerLocation->len + 1);
- fgetc(file);
- fread(start, 1, headerLocation->len, file);
- start[headerLocation->len] = '\0';
- headerLocation->start = start;
-}
-
+++ /dev/null
-//--------------------------------------------------------------------------
-// Copyright (C) 2015-2016 Cisco and/or its affiliates. All rights reserved.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// session_file.h author Shravan Rangarajuvenkata <shrarang@cisco.com>
-
-#ifndef SESSION_FILE_H
-#define SESSION_FILE_H
-
-#include <stdio.h>
-
-#define MAX_APP_PROTOCOL_ID 4
-
-struct HttpParsedHeaders;
-struct Packet;
-struct SessionKey;
-struct StreamAppData;
-
-enum SessionField
-{
- SESSION_CLIENT_IP_IA32 = 1000,
- SESSION_CLIENT_PORT,
- SESSION_HA_STATE_SESSION_FLAGS
-};
-
-enum tPktField
-{
- PACKET_PKT_HEADER_TS_TV_SEC = 1000,
- PACKET_PKT_HEADER_INGRESS_GROUP,
- PACKET_PKT_HEADER_PKTLEN,
-
- PACKET_TCP_HEADER_SOURCE_PORT = 2000,
- PACKET_TCP_HEADER_FLAGS,
- PACKET_UDP_HEADER_SOURCE_PORT,
-
- PACKET_IP4H_IP_ADDRS_IP_SRC_IA32 = 3000,
- PACKET_IP4H_IP_ADDRS_IP_SRC_FAMILY,
- PACKET_IP4H_IP_ADDRS_IP_DST_IA32,
- PACKET_IP4H_IP_ADDRS_IP_DST_FAMILY,
- PACKET_IP4H_IP_PROTO,
-
- PACKET_FAMILY = 4000,
- PACKET_FLAGS,
- PACKET_SRC_PORT,
- PACKET_DST_PORT,
- PACKET_PAYLOAD,
-
- PACKET_HTTP_HOST = 5000,
- PACKET_HTTP_URL,
- PACKET_HTTP_METHOD,
- PACKET_HTTP_USER_AGENT,
- PACKET_HTTP_REFERER,
- PACKET_HTTP_VIA,
- PACKET_HTTP_RESPONSE_CODE,
- PACKET_HTTP_SERVER,
- PACKET_HTTP_X_WORKING_WITH,
- PACKET_HTTP_CONTENT_TYPE,
-
- PACKET_IP6H_IP_ADDRS_IP_SRC_IA32 = 6000,
- PACKET_IP6H_IP_ADDRS_IP_SRC_FAMILY,
- PACKET_IP6H_IP_ADDRS_IP_DST_IA32,
- PACKET_IP6H_IP_ADDRS_IP_DST_FAMILY
-};
-
-struct SessionFileData
-{
- uint32_t packetCount;
- FILE* file;
- char fileName[16];
-};
-
-struct MPLS_Hdr
-{
- uint16_t length;
- uint8_t* start;
-};
-
-// FIXIT-M: Temporary structs and defines for initial appid port.
-using tSfPolicyId = int;
-#define SE_MAX 255
-struct StreamHAState { };
-// END FIXIT-M
-
-struct SessionControlBlock
-{
- SessionKey* key;
-
- //MemBucket *proto_specific_data;
- void* proto_specific_data;
- StreamAppData* appDataList;
-
- //MemBucket *flowdata; /* add flowbits */
- void* flowdata; /* add flowbits */
-
- long last_data_seen;
- uint64_t expire_time;
-
- tSfPolicyId napPolicyId;
- tSfPolicyId ipsPolicyId;
- bool ips_os_selected;
- //SessionConfiguration *session_config;
- void* session_config;
- void* stream_config;
- void* proto_policy;
-
- //PreprocEnableMask enabled_pps;
- uint32_t enabled_pps;
- //PreprocEvalFuncNode *initial_pp;
- void* initial_pp;
-
- uint16_t session_state;
- uint8_t handler[SE_MAX];
- sfaddr_t client_ip; // FIXTHIS family and bits should be changed to uint16_t
- sfaddr_t server_ip; // or uint8_t to reduce sizeof from 24 to 20
- uint16_t client_port;
- uint16_t server_port;
- bool port_guess;
-
- uint8_t protocol;
-
- uint8_t inner_client_ttl;
- uint8_t inner_server_ttl;
- uint8_t outer_client_ttl;
- uint8_t outer_server_ttl;
-
- StreamHAState ha_state;
- StreamHAState cached_ha_state;
-
- struct timeval ha_next_update;
- uint8_t ha_pending_mask;
- uint8_t ha_flags;
-
- bool session_established;
- bool new_session;
-
- // pointers for linking into list of oneway sessions
- struct _SessionControlBlock* ows_prev;
- struct _SessionControlBlock* ows_next;
- bool in_oneway_list;
-
- int16_t app_protocol_id[MAX_APP_PROTOCOL_ID];
-
- MPLS_Hdr* clientMplsHeader;
- MPLS_Hdr* serverMplsHeader;
-};
-
-void sessionFileInit();
-void sessionFileFini();
-FILE* sessionFileProcess(Packet*);
-void sessionFileProcessHttp(Packet*, HttpParsedHeaders*);
-void sessionFileReadSession(FILE*, SessionControlBlock*);
-int sessionFileReadPacket(FILE*, Packet*, HttpParsedHeaders**);
-
-#endif
-
+++ /dev/null
-/* $Id: sf_iph.c,v 1.2 2015/03/25 14:45:18 andrbake Exp $ */
-/****************************************************************************
- *
- * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
- * Copyright (C) 2007-2013 Sourcefire, Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License Version 2 as
- * published by the Free Software Foundation. You may not use, modify or
- * distribute this program under any other version of the GNU General
- * Public License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *
- ****************************************************************************/
-
-#include <string.h>
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-#include "decode.h"
-
-#define FAILURE -1
-#define SUCCESS 0
-#define IP6_HEADER_LEN 40
-
-/* Version is the first four bits of the uint32_t passed in */
-#define IP6_VER(x) \
- (ntohl(x) >> 28)
-
-/* The 'Packet' structure is almost always allocated on the stack.
- * Likewise, return buffers will almost always be aswell.
- * So, for performance reasons, argument validation can be disabled
- * and removed from the code at compile time to prevent unecessary extra
- * conditionals from being checked at run-time. */
-#define ERR_CHK_LVL 0
-#if ERR_CHK_LVL == 2
-#define VALIDATE(x,y) if (!x || !y) return FAILURE;
-#elif ERR_CHK_LVL == 1
-#define VALIDATE(x,y) if (!y) return FAILURE;
-#else
-#define VALIDATE(x,y)
-#endif
-
-sfaddr_t* ip6_ret_src(const Packet* p)
-{
- VALIDATE(p, 1);
-
- return &p->ip6h->ip_addrs->ip_src;
-}
-
-sfaddr_t* orig_ip6_ret_src(const Packet* p)
-{
- VALIDATE(p, 1);
-
- return &p->orig_ip6h->ip_addrs->ip_src;
-}
-
-sfaddr_t* ip6_ret_dst(const Packet* p)
-{
- VALIDATE(p, 1);
-
- return &p->ip6h->ip_addrs->ip_dst;
-}
-
-sfaddr_t* orig_ip6_ret_dst(const Packet* p)
-{
- VALIDATE(p, 1);
-
- return &p->orig_ip6h->ip_addrs->ip_dst;
-}
-
-uint16_t ip6_ret_toc(const Packet* p)
-{
- uint16_t toc;
- VALIDATE(p,1);
-
- toc = (uint16_t)((ntohl(p->ip6h->vcl) & 0x0FF00000) >> 20);
-
- return toc;
-}
-
-uint16_t orig_ip6_ret_toc(const Packet* p)
-{
- uint16_t toc;
- VALIDATE(p,1);
-
- toc = (uint16_t)((ntohl(p->orig_ip6h->vcl) & 0x0FF00000) >> 20);
- return toc;
-}
-
-uint8_t ip6_ret_hops(const Packet* p)
-{
-// VALIDATE(p,1);
-
- return p->ip6h->hop_lmt;
-}
-
-uint8_t orig_ip6_ret_hops(const Packet* p)
-{
-// VALIDATE(p,1);
-
- return p->orig_ip6h->hop_lmt;
-}
-
-uint16_t ip6_ret_len(const Packet* p)
-{
- VALIDATE(p,1);
-
- /* The length field does not include the header in IPv6, but does in IPv4.
- * To make this analogous to IPv4, for Snort's purposes, we need to tack
- * on the difference. */
- return p->ip6h->len;
-}
-
-uint16_t orig_ip6_ret_len(const Packet* p)
-{
- VALIDATE(p,1);
-
- return p->orig_ip6h->len;
-}
-
-uint32_t ip6_ret_id(const Packet* p)
-{
- IP6Frag* frag_hdr;
- if (p->ip6_extension_count == 0)
- return 0;
-
- frag_hdr = (IP6Frag*)p->ip6_extensions[p->ip6_frag_index].data;
-
- return frag_hdr->ip6f_ident;
-}
-
-uint32_t orig_ip6_ret_id(const Packet* p)
-{
-// XXX-IPv6 "NOT YET IMPLEMENTED - IP6 identification"
- return 0;
-}
-
-uint8_t ip6_ret_next(const Packet* p)
-{
- VALIDATE(p,1);
- return p->ip6h->next;
-}
-
-uint8_t orig_ip6_ret_next(const Packet* p)
-{
- VALIDATE(p,1);
- return p->orig_ip6h->next;
-}
-
-uint16_t ip6_ret_off(const Packet* p)
-{
- IP6Frag* frag_hdr;
- if (p->ip6_extension_count == 0)
- return 0;
-
- frag_hdr = (IP6Frag*)p->ip6_extensions[p->ip6_frag_index].data;
-
- return frag_hdr->ip6f_offlg;
-}
-
-uint16_t orig_ip6_ret_off(const Packet* p)
-{
-// XXX-IPv6 "NOT YET IMPLEMENTED - IP6 frag offset"
- return 0;
-}
-
-uint8_t ip6_ret_ver(const Packet* p)
-{
- return (uint8_t)IP6_VER(p->ip6h->vcl);
-}
-
-uint8_t orig_ip6_ret_ver(const Packet* p)
-{
- return (uint8_t)IP6_VER(p->orig_ip6h->vcl);
-}
-
-sfaddr_t* ip4_ret_dst(const Packet* p)
-{
- VALIDATE(p,1);
- return &p->ip4h->ip_addrs->ip_dst;
-}
-
-sfaddr_t* orig_ip4_ret_dst(const Packet* p)
-{
- VALIDATE(p,1);
- return &p->orig_ip4h->ip_addrs->ip_dst;
-}
-
-sfaddr_t* ip4_ret_src(const Packet* p)
-{
- VALIDATE(p,1);
- return &p->ip4h->ip_addrs->ip_src;
-}
-
-sfaddr_t* orig_ip4_ret_src(const Packet* p)
-{
- VALIDATE(p,1);
- return &p->orig_ip4h->ip_addrs->ip_src;
-}
-
-uint16_t ip4_ret_tos(const Packet* p)
-{
- VALIDATE(p,1);
-
- return p->ip4h->ip_tos;
-}
-
-uint16_t orig_ip4_ret_tos(const Packet* p)
-{
- VALIDATE(p,1);
-
- return p->orig_ip4h->ip_tos;
-}
-
-uint8_t ip4_ret_ttl(const Packet* p)
-{
- VALIDATE(p,1);
-
- return p->ip4h->ip_ttl;
-}
-
-uint8_t orig_ip4_ret_ttl(const Packet* p)
-{
- VALIDATE(p,1);
-
- return p->orig_ip4h->ip_ttl;
-}
-
-uint16_t ip4_ret_len(const Packet* p)
-{
- VALIDATE(p,1);
-
- return p->ip4h->ip_len;
-}
-
-uint16_t orig_ip4_ret_len(const Packet* p)
-{
- VALIDATE(p,1);
-
- return p->orig_ip4h->ip_len;
-}
-
-uint32_t ip4_ret_id(const Packet* p)
-{
- VALIDATE(p,1);
-
- return (uint32_t)p->ip4h->ip_id;
-}
-
-uint32_t orig_ip4_ret_id(const Packet* p)
-{
- VALIDATE(p,1);
-
- return (uint32_t)p->orig_ip4h->ip_id;
-}
-
-uint8_t ip4_ret_proto(const Packet* p)
-{
- // VALIDATION()
-
- return p->ip4h->ip_proto;
-}
-
-uint8_t orig_ip4_ret_proto(const Packet* p)
-{
- // VALIDATION()
-
- return p->orig_ip4h->ip_proto;
-}
-
-uint16_t ip4_ret_off(const Packet* p)
-{
- return p->ip4h->ip_off;
-}
-
-uint16_t orig_ip4_ret_off(const Packet* p)
-{
- return p->orig_ip4h->ip_off;
-}
-
-uint8_t ip4_ret_ver(const Packet* p)
-{
- return IP_VER(p->iph);
-}
-
-uint8_t orig_ip4_ret_ver(const Packet* p)
-{
- return IP_VER(p->orig_iph);
-}
-
-uint8_t ip4_ret_hlen(const Packet* p)
-{
- return IP_HLEN(p->iph);
-}
-
-uint8_t orig_ip4_ret_hlen(const Packet* p)
-{
- return IP_HLEN(p->orig_iph);
-}
-
-uint8_t ip6_ret_hlen(const Packet* p)
-{
- /* Snort is expecting this number to be in terms of 32 bit words */
- return IP6_HDR_LEN / 4;
-}
-
-uint8_t orig_ip6_ret_hlen(const Packet* p)
-{
- return IP6_HDR_LEN / 4;
-}
-
-IPH_API ip4 =
-{
- ip4_ret_src,
- ip4_ret_dst,
- ip4_ret_tos,
- ip4_ret_ttl,
- ip4_ret_len,
- ip4_ret_id,
- ip4_ret_proto,
- ip4_ret_off,
- ip4_ret_ver,
- ip4_ret_hlen,
-
- orig_ip4_ret_src,
- orig_ip4_ret_dst,
- orig_ip4_ret_tos,
- orig_ip4_ret_ttl,
- orig_ip4_ret_len,
- orig_ip4_ret_id,
- orig_ip4_ret_proto,
- orig_ip4_ret_off,
- orig_ip4_ret_ver,
- orig_ip4_ret_hlen,
-
- IPH_API_V4
-};
-
-IPH_API ip6 =
-{
- ip6_ret_src,
- ip6_ret_dst,
- ip6_ret_toc,
- ip6_ret_hops,
- ip6_ret_len,
- ip6_ret_id,
- ip6_ret_next,
- ip6_ret_off,
- ip6_ret_ver,
- ip6_ret_hlen,
-
- orig_ip6_ret_src,
- orig_ip6_ret_dst,
- orig_ip6_ret_toc,
- orig_ip6_ret_hops,
- orig_ip6_ret_len,
- orig_ip6_ret_id,
- orig_ip6_ret_next,
- orig_ip6_ret_off,
- orig_ip6_ret_ver,
- orig_ip6_ret_hlen,
-
- IPH_API_V6
-};
-
-static inline void _set_callbacks(struct _Packet* p, int family, char orig)
-{
- if ( !orig )
- {
- if (family == AF_INET)
- p->iph_api = &ip4;
- else
- p->iph_api = &ip6;
-
- p->family = family;
- }
- else
- {
- if (family == AF_INET)
- p->orig_iph_api = &ip4;
- else
- p->orig_iph_api = &ip6;
-
- p->orig_family = family;
- }
-}
-
-void set_callbacks(struct _Packet* p, int family, char orig)
-{
- _set_callbacks(p, family, orig);
-}
-
-void sfiph_build(Packet* p, const void* hdr, int family)
-{
- if (!p)
- return;
-
- _set_callbacks(p, family, CALLBACK_IP);
-}
-
-void sfiph_orig_build(Packet* p, const void* hdr, int family)
-{
- IP6RawHdr* hdr6;
- IPHdr* hdr4;
-
- if (!p || !hdr)
- return;
-
- /* If iph_api is already set, we've been here before.
- * That means this is a nested IP. */
- if (p->orig_iph_api)
- {
- memcpy(&p->outer_orig_ips, &p->inner_orig_ips, sizeof(p->outer_orig_ips));
- if (p->orig_iph_api->ver == IPH_API_V4)
- {
- memcpy(&p->outer_orig_ip4h, &p->inner_orig_ip4h,
- sizeof(p->outer_orig_ip4h) - sizeof(p->outer_orig_ip4h.ip_addrs));
- p->outer_orig_ip4h.ip_addrs = &p->outer_orig_ips;
- p->outer_orig_iph_api = p->orig_iph_api;
- }
- else if (p->orig_iph_api->ver == IPH_API_V6)
- {
- memcpy(&p->outer_orig_ip6h, &p->inner_orig_ip6h,
- sizeof(p->outer_orig_ip6h) - sizeof(p->outer_orig_ip6h.ip_addrs));
- p->outer_orig_ip6h.ip_addrs = &p->outer_orig_ips;
- p->outer_orig_iph_api = p->orig_iph_api;
- }
- }
-
- _set_callbacks(p, family, CALLBACK_ICMP_ORIG);
-
- if (family == AF_INET)
- {
- hdr4 = (IPHdr*)hdr;
-
- /* The struct Snort uses is identical to the actual IP6 struct,
- * with the exception of the IP addresses. Copy over everything but
- * the IPs */
- memcpy(&p->inner_orig_ip4h, hdr4, sizeof(IPHdr) - 8);
- sfip_set_raw(&p->inner_orig_ips.ip_src, &hdr4->ip_src, family);
- sfip_set_raw(&p->inner_orig_ips.ip_dst, &hdr4->ip_dst, family);
- p->inner_orig_ip4h.ip_addrs = &p->inner_orig_ips;
- p->actual_ip_len = ntohs(p->inner_orig_ip4h.ip_len);
- p->orig_ip4h = &p->inner_orig_ip4h;
- }
- else
- {
- hdr6 = (IP6RawHdr*)hdr;
-
- /* The struct Snort uses is identical to the actual IP6 struct,
- * with the exception of the IP addresses. Copy over everything but
- * the IPs*/
- memcpy(&p->inner_orig_ip6h, hdr6, sizeof(IP6RawHdr) - 32);
- sfip_set_raw(&p->inner_orig_ips.ip_src, &hdr6->ip6_src, family);
- sfip_set_raw(&p->inner_orig_ips.ip_dst, &hdr6->ip6_dst, family);
- p->inner_orig_ip6h.ip_addrs = &p->inner_orig_ips;
- p->actual_ip_len = ntohs(p->inner_orig_ip6h.len) + IP6_HDR_LEN;
- p->orig_ip6h = &p->inner_orig_ip6h;
- }
-}
-
-#ifdef TESTER
-int main()
-{
- Packet p;
- IP4Hdr i4;
- IP6Hdr i6;
-
- /* This test assumes we get an IPv4 packet and verifies
- * that the correct callbacks are setup, and they return
- * the correct values. */
-
- _set_callbacks(&p, AF_INET, CALLBACK_IP);
-
- /* Same test as above, but with IPv6 */
- _set_callbacks(&p, AF_INET6, CALLBACK_IP);
-
- return 0;
-}
-
-#endif
-
+++ /dev/null
----------------------------------------------------------------------------
--- Snort++ prototype configuration
----------------------------------------------------------------------------
-
----------------------------------------------------------------------------
--- setup environment
----------------------------------------------------------------------------
--- given:
--- export DIR=/install/path
--- configure --prefix=$DIR
--- make install
---
--- then:
--- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
--- export SNORT_LUA_PATH=$DIR/conf/
----------------------------------------------------------------------------
-
-
-
-require("snort_config")
-
-dir = os.getenv('SNORT_LUA_PATH')
-
-if ( not dir ) then
- dir = '.'
-end
-
-dofile(dir .. '/snort_defaults.lua')
-
-
-appid =
-{
- conf = 'rna.conf',
- memcap = 15856401,
- app_detector_dir = '/var/sf/appid',
- thirdparty_appid_dir = '/var/sf/appid/thirdparty_appid',
- app_stats_filename = '/var/sf/appid/appid_stats.log',
- app_stats_period = 3600,
- app_stats_rollover_size = 100000000,
- app_stats_rollover_time = 12,
- instance_id = 222,
- debug = true,
- dump_ports = true,
-}
-
-
-
using ThirdPartyAppIDModFini = int(*)();
using ThirdPartyAppIDSessionCreate = void*(*)();
using ThirdPartyAppIDSessionDelete = int(*)(void* tpsession, int just_reset_state);
-// FIXIT-L J use references for output parameters
-using ThirdPartyAppIDSessionProcess = int(*)(
- void* tpsession, // in
- Packet*, // in
- int direction, // in
- AppId*, // out
- int* confidence, // out
- AppId** proto_list, // out
- ThirdPartyAppIDAttributeData** attribute_data // out
-);
+using ThirdPartyAppIDSessionProcess = int(*)( void* tpsession, Packet*, int direction, // in
+ AppId*, int* confidence, AppId** proto_list, ThirdPartyAppIDAttributeData** attribute_data );
using ThirdPartyAppIDPrintStats = int(*)();
using ThirdPartyAppIDResetStats = int(*)();
using ThirdPartyAppIDDisableFlags = int(*)(void* tpsession, uint32_t session_flags);
#define THIRDPARTY_APPID_TYPES_H
#include <stdint.h>
-
-// FIXIT-H J pulled from session_api.h include tree.
-// this belongs somewhere else...
-#define HTTP_MAX_XFF_FIELDS 255
+#include "http_common.h"
#define TP_SESSION_FLAG_DPI 0x00000001
#define TP_SESSION_FLAG_MUTABLE 0x00000002
THREAD_LOCAL struct ThirdPartyConfig thirdpartyConfig;
THREAD_LOCAL ThirdPartyAppIDModule* thirdparty_appid_module = nullptr;
-// FIXIT-L: these need to be define or otherwise obtained...
-static char* defaultXffFields[] = { nullptr /* HTTP_XFF_FIELD_X_FORWARDED_FOR, */
- /* HTTP_XFF_FIELD_TRUE_CLIENT_IP */ };
+static char* defaultXffFields[] = { (char*)HTTP_XFF_FIELD_X_FORWARDED_FOR,
+ (char*)HTTP_XFF_FIELD_TRUE_CLIENT_IP };
#ifdef APPID_UNUSED_CODE
static int LoadCallback(const char* const path, int /* indent */)
{
|| ( thirdparty_appid_dir[0] == 0 ) )
return;
- // FIXIT-L: need to port loadAllLibs function to snort3
+ // FIXIT-L need to port loadAllLibs function to snort3
// _dpd.loadAllLibs(thirdparty_appid_dir, LoadCallback);
if (thirdparty_appid_module == nullptr)
{
thirdpartyConfig.http_upgrade_reporting_enabled = 0;
thirdpartyConfig.appid_tp_dir[0] = '\0'; // use default path
- // FIXIT-L: need to provide log function and getSnortInstance function to 3rd party utils
+ // FIXIT-M need to provide log function and getSnortInstance function to 3rd party utils
#ifdef REMOVED_WHILE_NOT_IN_USE
thirdpartyUtils.logMsg = &DebugFormat;
thirdpartyUtils.getSnortInstance = _dpd.getSnortInstance;
- // FIXIT-L: need to get xff fields from http config
+ // FIXIT-M need to get xff fields from http config
thirdpartyConfig.xffFields = _dpd.getHttpXffFields(&thirdpartyConfig.numXffFields);
#endif
thirdpartyConfig.oldNumXffFields = thirdpartyConfig.numXffFields;
thirdpartyConfig.oldXffFields = thirdpartyConfig.xffFields;
- // FIXIT-L: need to get xff fields from http config
+ // FIXIT-L need to get xff fields from http config
// thirdpartyConfig.xffFields = _dpd.getHttpXffFields(&thirdpartyConfig.numXffFields);
if (!thirdpartyConfig.xffFields)
{
uint16_t alt_dsize; /* the dsize of a packet before munging (used for log)*/
uint8_t num_layers; /* index into layers for next encap */
- // FIXIT-M: Consider moving ip_proto_next below `pkth`.
+ // FIXIT-M Consider moving ip_proto_next below `pkth`.
IpProtocol ip_proto_next; /* the protocol ID after IP and all IP6 extension */
bool disable_inspect;
// nothing after this point is zeroed ...
obj, T, n, match, context, 0 /* start-state */, current_state);
}
- // FIXIT-L: Implement search_all method for AC_BNFA.
+ // FIXIT-L Implement search_all method for AC_BNFA.
int print_info() override
{
{
if (dce2_set_co_config(v,config.common))
return true;
-
- return false;
+
+ return false;
}
void Dce2TcpModule::get_data(dce2TcpProtoConf& dce2_tcp_config)
/* Converts string IP format to an array of values. Also checks IP address format.
Specifically look for issues that inet_pton either overlooks or is inconsistent
about. */
-static inline SFIP_RET sfip_convert_ip_text_to_binary(const int family, const char* ip, void* dst)
+SFIP_RET sfip_convert_ip_text_to_binary(const int family, const char* ip, void* dst)
{
const char* my_ip = ip;
/* IP allocations and setting ******************************************/
+/* Converts string IP format to an array of values. Also checks IP address format. */
+SO_PUBLIC SFIP_RET sfip_convert_ip_text_to_binary(const int family, const char* ip, void* dst);
+
/* Parses "src" and stores results in "dst"
If the conversion is invalid, returns SFIP_FAILURE */
SO_PUBLIC SFIP_RET sfip_pton(const char* src, sfip_t* dst);
{
if ( trk.session->config->midstream_allowed(tsd.get_pkt()) )
{
- // FIXIT-M: there may be an issue when syn/ack from server is seen
+ // FIXIT-M there may be an issue when syn/ack from server is seen
// after ack from client which causes some tracker state variables to
// not be initialized... update_tracker_ack_sent may fix that but needs
// more testing
projects / thirdparty / snort3.git / commitdiff
