Merge pull request #1262 in SNORT/snort3 from decrypted_flow_debug to master

Squashed commit of the following:

commit aa433636da1c056cc3ba6f8993304d54b67441f9
Author: Masud Hasan <mashasan@cisco.com>
Date:   Fri Jun 8 12:31:40 2018 -0400

    appid: Support for restart app detection for decrypted flow

diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h
index 6a641d9ccd8b3eeec5d67b2cfd55a283b048093a..6f500669af508c784069ddec0007b1fb211e3a71 100644 (file)
--- a/src/network_inspectors/appid/appid_config.h
+++ b/src/network_inspectors/appid/appid_config.h
@@ -62,6 +62,13 @@ public:
 
 #ifdef USE_RNA_CONFIG
     const char* conf_file = nullptr;
+#endif
+    // FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module
+#ifdef REG_TEST
+    // To manually restart appid detection for an SSL-decrypted flow (single session only),
+    // indicate the first packet from where the flow is decrypted (usually immediately
+    // after certificate-exchange). Such manual detection is disabled by default (0).
+    uint32_t first_decrypted_packet_debug = 0;
 #endif
     bool stats_logging_enabled = false;
     unsigned long app_stats_period = 0;

diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index d5b291e535fb3ac654558f1a8374b4251addc233..3f13f8e9ed6b085c3291055a3a199b1097a156ae 100644 (file)
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -789,6 +789,19 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession** p_asd, AppIdInsp
         }
     }
 
+    // FIXIT-L: DECRYPT_DEBUG - Move set_proxied and first_decrypted_packet_debug to ssl-module
+    // after ssl-module's decryption capability is implemented
+#ifdef REG_TEST
+    uint32_t fdpd = inspector.get_appid_config()->mod_config->first_decrypted_packet_debug;
+    if (fdpd and (fdpd == asd->session_packet_count))
+    {
+        p->flow->set_proxied();
+        if (appidDebug->is_active())
+            LogMessage("AppIdDbg %s Marked the flow as decrypted at packet number %lu\n",
+                appidDebug->get_debug_session(), (long unsigned)fdpd);
+    }
+#endif
+
     return true;
 }
 

diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc
index 4b65ac6472e12f6e3cdcf37b91925fadeb668219..756ef073aafc553ef72e4f7ef5f7d6a2409c0081 100644 (file)
--- a/src/network_inspectors/appid/appid_module.cc
+++ b/src/network_inspectors/appid/appid_module.cc
@@ -54,6 +54,11 @@ static const Parameter s_params[] =
 #ifdef USE_RNA_CONFIG
     { "conf", Parameter::PT_STRING, nullptr, nullptr,
       "RNA configuration file" },  // FIXIT-L eliminate reference to "RNA"
+#endif
+    // FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module
+#ifdef REG_TEST
+    { "first_decrypted_packet_debug", Parameter::PT_INT, "0:", "0",
+      "the first packet of an already decrypted SSL flow (debug single session only)" },
 #endif
     { "memcap", Parameter::PT_INT, "0:", "0",
       "disregard - not implemented" },  // FIXIT-M implement or delete appid.memcap
@@ -223,6 +228,12 @@ bool AppIdModule::set(const char* fqn, Value& v, SnortConfig* c)
     if ( v.is("conf") )
         config->conf_file = snort_strdup(v.get_string());
     else
+#endif
+    // FIXIT-L: DECRYPT_DEBUG - Move this to ssl-module
+#ifdef REG_TEST
+    if ( v.is("first_decrypted_packet_debug") )
+        config->first_decrypted_packet_debug = v.get_long();
+    else
 #endif
     if ( v.is("memcap") )
         config->memcap = v.get_long();

diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 26bbe1dd2d27bdf9f468c1cda1f5f7bdbb92f226..5bcd44a18021efe4748cb470d77ad44dd2846b9a 100644 (file)
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -317,17 +317,9 @@ void AppIdSession::sync_with_snort_protocol_id(AppId newAppId, Packet* p)
     }
 }
 
-bool AppIdSession::is_ssl_decryption_enabled()
-{
-    if (get_session_flags(APPID_SESSION_DECRYPTED))
-        return true;
-
-    return flow->is_proxied();
-}
-
 void AppIdSession::check_app_detection_restart()
 {
-    if (get_session_flags(APPID_SESSION_DECRYPTED) || !is_ssl_decryption_enabled() )
+    if (get_session_flags(APPID_SESSION_DECRYPTED) || !flow->is_proxied())
         return;
 
     AppId service_id = pick_service_app_id();

diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index edd2bbfe26a11435bdfc10a73dbb775194624788..bcd005cea90bcccdced092c6d9f653465e5d01f5 100644 (file)
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
@@ -333,7 +333,6 @@ private:
 
     void reinit_session_data();
     void delete_session_data();
-    bool is_ssl_decryption_enabled();
 
     static THREAD_LOCAL uint32_t appid_flow_data_id;
     AppId application_ids[APP_PROTOID_MAX];

diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index b25a9cb87dcbd891d561b29dbf369559d0d6ccb2..e185b56c340137d230d82d445f22311e591424ab 100644 (file)
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -193,13 +193,13 @@ static inline void process_http_session(AppIdSession& asd,
 
             // Change http to https if session was decrypted.
             if (asd.get_session_flags(APPID_SESSION_DECRYPTED) and
-                memcmp(field->c_str(), httpScheme, sizeof(httpScheme)-1)==0)
+                memcmp(field->c_str(), httpScheme, sizeof(httpScheme)-1) == 0)
             {
                 // This is the only instance that requires that field be
                 // non const and the reason TPAD_GET in tp_appid_types.h
                 // returns string* rather than const string*.
                 // In all other cases field can be const string*.
-                field->insert(4,'s',1);
+                field->insert(4, 1, 's');
             }
             hsession->update_url(field);
 
@@ -306,9 +306,6 @@ static inline void process_http_session(AppIdSession& asd,
 
     if ( (field=attribute_data.http_request_referer(own)) != nullptr )
     {
-        if (appidDebug->is_active())
-            LogMessage("AppIdDbg %s referrer is %s\n",
-                appidDebug->get_debug_session(), field->c_str());
         if (hsession->get_referer())
             if (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT))
                 hsession->set_chp_finished(false);
@@ -317,7 +314,7 @@ static inline void process_http_session(AppIdSession& asd,
         hsession->set_field_offset(REQ_REFERER_FID, attribute_data.http_request_referer_begin());
         hsession->set_field_end_offset(REQ_REFERER_FID, attribute_data.http_request_referer_end());
         if (appidDebug->is_active())
-            LogMessage("AppIdDbg %s Referer (%u-%u) is %s\n", appidDebug->get_debug_session(),
+            LogMessage("AppIdDbg %s Referrer (%u-%u) is %s\n", appidDebug->get_debug_session(),
                 hsession->get_field_offset(REQ_REFERER_FID),
                 hsession->get_field_end_offset(REQ_REFERER_FID),
                 hsession->get_referer());
@@ -337,7 +334,7 @@ static inline void process_http_session(AppIdSession& asd,
         // attribute_data.httpRequestCookieOffset = 0;
         // attribute_data.httpRequestCookieEndOffset = 0;
         if (appidDebug->is_active())
-            LogMessage("AppIdDbg %s cookie (%u-%u) is %s\n", appidDebug->get_debug_session(),
+            LogMessage("AppIdDbg %s Cookie (%u-%u) is %s\n", appidDebug->get_debug_session(),
                 hsession->get_field_offset(REQ_COOKIE_FID),
                 hsession->get_field_offset(REQ_COOKIE_FID),
                 hsession->get_cookie());
@@ -366,7 +363,7 @@ static inline void process_http_session(AppIdSession& asd,
     if ( (field=attribute_data.http_request_body(own)) != nullptr )
     {
         if (appidDebug->is_active())
-            LogMessage("AppIdDbg %s got a request body %s\n",
+            LogMessage("AppIdDbg %s Got a request body %s\n",
                 appidDebug->get_debug_session(), field->c_str());
         if (hsession->get_req_body())
             if (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT))