Merge pull request #3116 in SNORT/snort3 from ~CLJUDGE/snort3:snort3_client_app_detec...
authorShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Tue, 26 Oct 2021 18:40:33 +0000 (18:40 +0000)
committerShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Tue, 26 Oct 2021 18:40:33 +0000 (18:40 +0000)
Squashed commit of the following:

commit f3a0f5e68a64507125b1acce375ebaf7c708c063
Author: cljudge <cljudge@cisco.com>
Date:   Thu Oct 7 04:55:54 2021 -0400

    appid: provide API to give client_app_detection_type

src/network_inspectors/appid/appid_app_descriptor.h
src/network_inspectors/appid/appid_session.cc
src/network_inspectors/appid/appid_session_api.cc
src/network_inspectors/appid/appid_session_api.h
src/network_inspectors/appid/appid_types.h
src/network_inspectors/appid/test/appid_mock_session.h
src/network_inspectors/appid/test/appid_session_api_test.cc

index d7f85d3e317e95e6a9321553fc4fd89e8e55b39a..6e19081bda44364353bfc18bd464fb22257f2492 100644 (file)
@@ -238,6 +238,7 @@ public:
         ApplicationDescriptor::reset();
         my_username.clear();
         my_user_id = APP_ID_NONE;
+        my_client_detect_type = CLIENT_APP_DETECT_APPID;
     }
 
     void update_user(AppId app_id, const char* username, AppidChangeBits& change_bits);
@@ -264,10 +265,21 @@ public:
         return efp_client_app_id;
     }
 
+    void set_efp_client_app_detect_type(ClientAppDetectType client_app_detect_type)
+    {
+        my_client_detect_type = client_app_detect_type;
+    }
+
+    ClientAppDetectType get_client_app_detect_type() const
+    {
+        return my_client_detect_type;
+    }
+
 private:
     std::string my_username;
     AppId my_user_id = APP_ID_NONE;
     AppId efp_client_app_id = APP_ID_NONE;
+    ClientAppDetectType my_client_detect_type = CLIENT_APP_DETECT_APPID;
 };
 
 class PayloadAppDescriptor : public ApplicationDescriptor
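Review bot: The setter added here is named `set_efp_client_app_detect_type` while the matching getter is `get_client_app_detect_type`, and the setter is also called with CLIENT_APP_DETECT_APPID, so the `efp` in its name is misleading. Renaming it to `set_client_app_detect_type(ClientAppDetectType client_app_detect_type)` would keep the pair symmetric; the callers in appid_session.cc and test/appid_mock_session.h would change with it. The enclosing class starts before this hunk.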
index f874e573fdc9b1ee8e9f6fee8a977c9459d19e3d..904b9ee4573024122a0f31e3287aa2fb4e0d39ac 100644 (file)
@@ -854,16 +854,26 @@ AppId AppIdSession::pick_ss_client_app_id() const
     if (!api.hsessions.empty())
         tmp_id = api.hsessions[0]->client.get_id();
     if (tmp_id > APP_ID_NONE)
+    {
+        api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);
         return tmp_id;
+    }
 
     if (api.client.get_efp_client_app_id() > APP_ID_NONE and
         (api.client.get_id() == APP_ID_SSL_CLIENT or
             api.client.get_id() <= APP_ID_NONE))
+    {
+        api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
         return api.client.get_efp_client_app_id();
+    }
 
     if (api.client.get_id() > APP_ID_NONE)
+    {
+        api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);
         return api.client.get_id();
+    }
 
+    api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);
     return encrypted.client_id;
 }
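Review bot: pick_ss_client_app_id() is declared const but now writes the detect type into api.client on every return path, so get_client_app_detect_type() is only meaningful after this picker has run on the flow; before that it reports the default or a value left from an earlier pick. A consumer that treats CLIENT_APP_DETECT_TLS_FP differently from a detector-confirmed id, for example in policy or logging, should not be able to read a stale provenance value. Consider returning the type together with the id, or at least state the ordering requirement in a comment on the getter. In the first branch the id comes from `api.hsessions[0]->client` while the type is stored on `api.client`, which may be intentional but deserves a one-line comment. The function begins before this hunk.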
 
index 69936d2c71c238583c8aee896217f8a952245fc1..eff468c0bf6fb315acacdc9249d8f1271aaf8703 100644 (file)
@@ -29,6 +29,7 @@
 #include "managers/inspector_manager.h"
 #include "appid_inspector.h"
 #include "appid_session.h"
+#include "appid_types.h"
 #include "service_plugins/service_bootp.h"
 #include "service_plugins/service_netbios.h"
 
@@ -318,6 +319,11 @@ const char* AppIdSessionApi::get_netbios_domain() const
     return netbios_domain;
 }
 
+ClientAppDetectType AppIdSessionApi::get_client_app_detect_type() const
+{
+    return client.get_client_app_detect_type();
+}
+
 void AppIdSessionApi::set_netbios_name(AppidChangeBits& change_bits, const char* name)
 {
     if (netbios_name)
index 585a78627081dd6da9046bdc9a7cd489f101587d..159d3dbaa7fdff3b12fbf361adf11f43effa1574 100644 (file)
@@ -127,6 +127,7 @@ public:
     bool is_http_inspection_done() const;
     const char* get_netbios_name() const;
     const char* get_netbios_domain() const;
+    ClientAppDetectType get_client_app_detect_type() const;
 
     // For protocols such as HTTP2 which can have multiple streams within a single flow,
     // get_first_stream_* methods return the appids in the first stream seen in a packet.
index d569c5b3f5b6db743b0eb197c0fae66e8d8cdc9d..58e2157c2cd3c39b4ff67e0c0e75b0b7554b5014 100644 (file)
@@ -65,4 +65,10 @@ enum AppidSessionDirection
     APP_ID_APPID_SESSION_DIRECTION_MAX
 };
 
+enum ClientAppDetectType
+{
+    CLIENT_APP_DETECT_APPID = 0,
+    CLIENT_APP_DETECT_TLS_FP
+};
+
 #endif
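Review bot: ClientAppDetectType is added without any comment, although its values are what callers of the new session API getter will branch on. A short comment above the enum, such as `// How the reported client app id was determined: AppId detection, or the TLS-fingerprint (efp) client app id.`, would make that contract explicit. The unscoped enum matches AppidSessionDirection directly above it, so the declaration style is consistent with the file.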
index 7f50b82c863ef86d8a7c8a6527d71c1a23e39a2c..cc03b14d06e5dc6027293fbd4512241c3222d1a5 100644 (file)
@@ -141,7 +141,16 @@ AppId AppIdSession::pick_ss_misc_app_id() const
 
 AppId AppIdSession::pick_ss_client_app_id() const
 {
-    return get_client_id();
+    if (get_efp_client_app_id() > APP_ID_NONE and get_client_id() <= APP_ID_NONE)
+    {
+        api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
+        return get_efp_client_app_id();
+    }
+    else
+    {
+        api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);
+        return get_client_id();
+    }
 }
 
 AppId AppIdSession::pick_ss_payload_app_id() const
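Review bot: The mock's condition `get_efp_client_app_id() > APP_ID_NONE and get_client_id() <= APP_ID_NONE` omits the `api.client.get_id() == APP_ID_SSL_CLIENT` case and the hsessions check that the picker in appid_session.cc has. The new test in appid_session_api_test.cc calls pick_ss_client_app_id() on mock_session, so it appears to validate this copy rather than the production selection logic. Either mirror the production condition here or mark the mock as deliberately simplified, e.g. `// Simplified: does not model the APP_ID_SSL_CLIENT or hsessions cases of the real picker.`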
index eff13f484a9d5796d402106a202c17ef718e12fa..b0053459546b5fa0799e61de960c681a8b886b76 100644 (file)
@@ -340,6 +340,30 @@ TEST(appid_session_api, is_http_inspection_done)
     CHECK_TRUE(val);
 }
 
+TEST(appid_session_api, get_client_app_detect_type)
+{
+    // Confirm that default detect type is APPID.
+    ClientAppDetectType detect_type = mock_session->get_api().get_client_app_detect_type();
+    CHECK_EQUAL(detect_type, CLIENT_APP_DETECT_APPID);
+
+    /* Set efp client app to some appid, but keep normal client id set to none.
+       The efp_client app should be picked, but the detect type should be TLS_FP.  */
+    mock_session->set_client_id(APP_ID_NONE);
+    mock_session->set_efp_client_app_id(638);
+    AppId id = mock_session->pick_ss_client_app_id();
+    CHECK_EQUAL(id, 638);
+    detect_type = mock_session->get_api().get_client_app_detect_type();   
+    CHECK_EQUAL(detect_type, CLIENT_APP_DETECT_TLS_FP);
+
+    /* Now set the normal client id to something. That is the appid that should be picked,
+       and the detect type should be APPID once more. */
+    mock_session->set_client_id(APP_ID_HTTP2);
+    id = mock_session->pick_ss_client_app_id();
+    CHECK_EQUAL(id, APP_ID_HTTP2);
+    detect_type = mock_session->get_api().get_client_app_detect_type();
+    CHECK_EQUAL(detect_type, CLIENT_APP_DETECT_APPID);
+}
+
 int main(int argc, char** argv)
 {
     mock_init_appid_pegs();
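Review bot: The test returns with mock_session still holding efp client app id 638 and client id APP_ID_HTTP2. If mock_session is shared between tests (its creation is outside this hunk), later tests inherit that state and become order-dependent. The opening default check has the same dependency, since it assumes no earlier test ran the picker on the session. Restoring the value at the end, e.g. `mock_session->set_efp_client_app_id(APP_ID_NONE);`, and naming the literal (`const AppId efp_id = 638;`) would keep the test self-contained.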