Pull request #3214: appid: changes to handle SNI in efp event.
authorShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Wed, 15 Dec 2021 14:41:40 +0000 (14:41 +0000)
committerShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Wed, 15 Dec 2021 14:41:40 +0000 (14:41 +0000)
Merge in SNORT/snort3 from ~PRBHALER/snort3:quic_meta to master

Squashed commit of the following:

commit 4d0950cfc918aec9104ca349d5dfa16150b5b202
Author: Pranav Bhalerao <prbhaler@cisco.com>
Date:   Fri Dec 10 15:38:16 2021 +0530

    appid: handle SNI in efp event.

src/network_inspectors/appid/appid_efp_process_event_handler.cc
src/network_inspectors/appid/appid_session.cc
src/network_inspectors/appid/appid_session.h
src/network_inspectors/appid/appid_session_api.cc
src/network_inspectors/appid/appid_session_api.h
src/network_inspectors/appid/test/appid_efp_process_event_handler_test.cc
src/network_inspectors/appid/tp_appid_utils.cc
src/pub_sub/efp_process_event.h

index 669cb7811f6fc8fb83cf56edbc2da50981bfcf5a..46a7429bb6ff1441ea01a35c0eefe516f9dde3ba 100644 (file)
@@ -23,6 +23,7 @@
 #endif
 
 #include "appid_efp_process_event_handler.h"
+#include "detection/detection_engine.h"
 
 #include "appid_debug.h"
 #include "appid_inspector.h"
@@ -46,14 +47,40 @@ void AppIdEfpProcessEventHandler::handle(DataEvent& event, Flow* flow)
 
     const std::string& name = efp_process_event.get_process_name();
     uint8_t conf = efp_process_event.get_process_confidence();
+    const std::string& server_name = efp_process_event.get_server_name();
+    AppId app_id = APP_ID_NONE;
 
-    AppId app_id = asd->get_odp_ctxt().get_efp_ca_matchers().match_efp_ca_pattern(name,
-        conf);
+    if (!name.empty())
+    {
+        app_id = asd->get_odp_ctxt().get_efp_ca_matchers().match_efp_ca_pattern(name,
+            conf);
+
+        asd->set_efp_client_app_id(app_id);
+    }
 
     if (appidDebug->is_active())
         LogMessage("AppIdDbg %s encrypted client app %d process name '%s', "
-            "confidence: %d\n", appidDebug->get_debug_session(), app_id, name.c_str(), conf);
+            "confidence: %d, server name '%s'\n", appidDebug->get_debug_session(), app_id,
+            name.c_str(), conf, server_name.c_str());
 
-    asd->set_efp_client_app_id(app_id);
-}
+    if (!server_name.empty())
+    {
+        AppId client_id;
+        AppId payload_id;
+        AppidChangeBits change_bits;
+        snort::Packet* p = snort::DetectionEngine::get_current_packet();
+
+        if (!asd->tsession)
+            asd->tsession = new TlsSession();
 
+        asd->tsession->set_tls_host(server_name.c_str(), server_name.length(), change_bits);
+        asd->set_tls_host(change_bits);
+
+        asd->get_odp_ctxt().get_ssl_matchers().scan_hostname(reinterpret_cast<const uint8_t*>(server_name.c_str()),
+            server_name.length(), client_id, payload_id);
+        asd->set_payload_id(payload_id);
+        asd->set_ss_application_ids_payload(payload_id, change_bits);
+
+        asd->publish_appid_event(change_bits, *p);
+    }
+}
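Review bot: `client_id` and `payload_id` are declared without initializers and the bool returned by `scan_hostname` is discarded, so if the matcher returns false without writing its out-params an indeterminate `payload_id` is stored via `set_payload_id`/`set_ss_application_ids_payload` and published; initialize both, `AppId client_id = APP_ID_NONE; AppId payload_id = APP_ID_NONE;`, and only update the payload when the scan succeeds (`client_id` is otherwise never read). `p` from `DetectionEngine::get_current_packet()` is dereferenced in `publish_appid_event(change_bits, *p)` with no null check, while the event already carries its packet: `const snort::Packet* p = efp_process_event.get_packet();` avoids the global lookup and the new `detection/detection_engine.h` include. Note also that an SNI with no matcher hit would overwrite a payload id learned earlier on the flow with APP_ID_NONE, which may or may not be intended. The enclosing `handle()` starts before this hunk.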
index fb3e752ce83a1e3aa6f25411ff0c2cf3c0e823ff..66ab5ca4b61a5d50c1c2ac6082df779ce6ea3c7e 100644 (file)
@@ -950,6 +950,13 @@ void AppIdSession::set_ss_application_ids(AppId client_id, AppId payload_id,
     api.set_ss_application_ids(client_id, payload_id, change_bits, *flow);
 }
 
+void AppIdSession::set_ss_application_ids_payload(AppId payload_id,
+    AppidChangeBits& change_bits)
+{
+    assert(flow);
+    api.set_ss_application_ids_payload(payload_id, change_bits, *flow);
+}
+
 void AppIdSession::set_application_ids_service(AppId service_id, AppidChangeBits& change_bits)
 {
     assert(flow);
index 3f1da2acbdeaecffb97a7bb6b18e87df36d65a83..b95c6e4d5c9b2185e6111eb2e5eaae04eb8ac44c 100644 (file)
@@ -334,6 +334,7 @@ public:
     void set_ss_application_ids(AppId service, AppId client, AppId payload, AppId misc,
         AppId referred, AppidChangeBits& change_bits);
     void set_ss_application_ids(AppId client, AppId payload, AppidChangeBits& change_bits);
+    void set_ss_application_ids_payload(AppId payload, AppidChangeBits& change_bits);
     void set_application_ids_service(AppId service_id, AppidChangeBits& change_bits);
 
     void examine_ssl_metadata(AppidChangeBits& change_bits);
index eff468c0bf6fb315acacdc9249d8f1271aaf8703..95d7bb41a3565319f2a1df7b99e07cc7b8ae8551 100644 (file)
@@ -386,6 +386,18 @@ void AppIdSessionApi::set_ss_application_ids(AppId service_id, AppId client_id,
     }
 }
 
+void AppIdSessionApi::set_ss_application_ids_payload(AppId payload_id,
+    AppidChangeBits& change_bits, Flow& flow)
+{
+    if (application_ids[APP_PROTOID_PAYLOAD] != payload_id)
+    {
+        application_ids[APP_PROTOID_PAYLOAD] = payload_id;
+        change_bits.set(APPID_PAYLOAD_BIT);
+        if (flow.ha_state)
+            flow.ha_state->add(FlowHAState::MODIFIED | FlowHAState::MAJOR);
+    }
+}
+
 void AppIdSessionApi::set_ss_application_ids(AppId client_id, AppId payload_id,
     AppidChangeBits& change_bits, Flow& flow)
 {
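Review bot: The new `set_ss_application_ids_payload` has no comment saying when it is used instead of the two-id `set_ss_application_ids` overload, which a maintainer will need since both write `application_ids[APP_PROTOID_PAYLOAD]` and mark HA state; a short comment above it such as `// Set only the payload id (e.g. one derived from an SNI), leaving the client id untouched; flags the flow HA state MODIFIED|MAJOR when the value changes.` would cover it. Consider mirroring that comment on the declaration in appid_session_api.h.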
index c5a96cdf1085b0b46f09542beb499de0ef630c7b..3dfed7e16e6ddeb840464791fc267fb0b594c3ec 100644 (file)
@@ -183,6 +183,7 @@ private:
     void set_ss_application_ids(AppId service, AppId client, AppId payload, AppId misc,
         AppId referred, AppidChangeBits& change_bits, Flow& flow);
     void set_ss_application_ids(AppId client, AppId payload, AppidChangeBits& change_bits, Flow& flow);
+    void set_ss_application_ids_payload(AppId payload, AppidChangeBits& change_bits, Flow& flow);
     void set_application_ids_service(AppId service_id, AppidChangeBits& change_bits, Flow& flow);
     void set_netbios_name(AppidChangeBits& change_bits, const char* name);
     void set_netbios_domain(AppidChangeBits& change_bits, const char* domain);
index 63ed44503b395bd5fe10895a8343c77d38997faf..1309e6059139351b17f66db8d320a50b26f9a24e 100644 (file)
@@ -52,6 +52,27 @@ AppIdSession* AppIdApi::get_appid_session(Flow const&) { return session; }
 
 Packet::Packet(bool) { }
 Packet::~Packet() = default;
+
+Packet* DetectionEngine::get_current_packet()
+{
+    static Packet p;
+    return &p;
+}
+}
+
+void AppIdSession::publish_appid_event(AppidChangeBits&, const Packet&, bool, uint32_t)
+{
+    return;
+}
+
+bool SslPatternMatchers::scan_hostname(const uint8_t*, size_t, AppId&, AppId&)
+{
+    return true;
+}
+
+void AppIdSession::set_ss_application_ids_payload(AppId, AppidChangeBits&)
+{
+    return;
 }
 
 void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection,
@@ -59,6 +80,7 @@ void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDir
 void AppIdModule::reset_stats() { }
 void AppIdDebug::activate(snort::Flow const*, AppIdSession const*, bool) { }
 
+
 AppId EfpCaPatternMatchers::match_efp_ca_pattern(const string&, uint8_t)
 {
     return APPID_UT_ID;
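Review bot: The `scan_hostname` stub returns true but never assigns its `AppId&` out-params, so the handler's new SNI path runs on uninitialized AppIds under test and nothing verifies that the matched payload id reaches `set_payload_id`; name the parameters and assign them, e.g. `client_id = APPID_UT_ID; payload_id = APPID_UT_ID; return true;`, then assert on the resulting payload id. The `get_current_packet` stub returning a function-local static is fine for a single-threaded unit test, but it hides the null-return case the production accessor can presumably produce, so the handler's null handling goes untested.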
index debf211ff5ce1175838e5f34b549b23ee4db691b..62c6bbdd3b81da0af6b0d4cbf5bc9751082f7862 100644 (file)
@@ -409,7 +409,7 @@ static inline void process_quic(AppIdSession& asd,
     if ( !asd.tsession )
         asd.tsession = new TlsSession();
 
-    if ( (field=attribute_data.quic_sni()) != nullptr )
+    if ( !asd.tsession->get_tls_host() and (field=attribute_data.quic_sni()) != nullptr )
     {
         if ( appidDebug->is_active() )
             LogMessage("AppIdDbg %s Flow is QUIC\n", appidDebug->get_debug_session());
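Review bot: The added `!asd.tsession->get_tls_host()` guard silently drops the third-party QUIC SNI whenever a host has already been recorded on the session (presumably by the new EFP event handler), and nothing is logged when the two sources disagree; a comment on the condition would record the intended precedence, e.g. `// a tls_host already learned (e.g. from the EFP SNI) takes precedence over the third-party QUIC SNI`. `process_quic()` and the body of this `if` continue outside the hunk.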
index 1c0e44daf6245c9e0c4b3c0c8dd37f6221f75f47..2b9f05ed55ce382e211729e16da72007cd15689b 100644 (file)
@@ -31,6 +31,8 @@ public:
     EfpProcessEvent(const snort::Packet& p, const char* process, uint8_t process_conf) :
         p(p), process_name(process), process_confidence(process_conf) { }
 
+    EfpProcessEvent(const snort::Packet& p, const char* server) : p(p), server_name(server) { }
+
     const snort::Packet* get_packet() override { return &p; }
 
     const std::string& get_process_name() const
@@ -43,10 +45,22 @@ public:
         return process_confidence;
     }
 
+    const std::string& get_server_name() const
+    {
+        return server_name;
+    }
+
+    void set_server_name(const char* server)
+    {
+        if (server)
+            server_name = server;
+    }
+
 private:
     const snort::Packet &p;
     std::string process_name;
     uint8_t process_confidence = 0;
+    std::string server_name;
 };
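Review bot: The new constructor initializes `server_name(server)` directly, so a null `server` invokes undefined behavior in `std::string`'s `const char*` constructor, whereas `set_server_name` guards the same input with `if (server)`; make the two consistent with `EfpProcessEvent(const snort::Packet& p, const char* server) : p(p), server_name(server ? server : "") { }`. The pre-existing `process_name(process)` initializer has the same exposure and could take the same guard.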
 
 #endif