#define SCAN_HTTP_URI_FLAG (1<<9)
#define SCAN_CERTVIZ_ENABLED_FLAG (1<<10)
#define SCAN_SPOOFED_SNI_FLAG (1<<11)
+#define SCAN_SSL_VERSION_FLAG (1<<12)
enum FirstPktAppIdDiscovered
{
bool get_tls_handshake_done() const { return tls_handshake_done; }
+ uint16_t get_tls_version() const { return tls_version; }
+
// Duplicate only if len > 0, otherwise simply set (i.e., own the argument)
void set_tls_host(const char* new_tls_host, uint32_t len, bool published=false)
{
bool is_tls_host_unpublished() const { return tls_host_unpublished; }
+ void set_tls_version(const char* value, uint32_t length, AppidChangeBits& change_bits)
+ {
+ if (value and length == sizeof(uint16_t))
+ {
+ tls_version = *reinterpret_cast<const uint16_t*>(value);
+ change_bits.set(AppidChangeBit::APPID_TLS_VERSION_BIT);
+ }
+ }
+
private:
char* tls_host = nullptr;
char* tls_host_mismatch = nullptr;
char* tls_org_unit = nullptr;
bool tls_handshake_done = false;
bool tls_host_unpublished = false;
+ uint16_t tls_version = 0;
MatchedTlsType matched_tls_type = MATCHED_TLS_NONE;
};
return tls_host;
}
+uint16_t AppIdSessionApi::get_tls_version() const
+{
+ if (asd and asd->tsession)
+ {
+ return asd->tsession->get_tls_version();
+ }
+ return 0;
+}
+
const SfIp* AppIdSessionApi::get_initiator_ip() const
{
return &initiator_ip;
const AppIdHttpSession* get_http_session(uint32_t stream_index = 0) const;
const AppIdHttpSession* get_matching_http_session(int64_t stream_id) const;
const char* get_tls_host() const;
+ uint16_t get_tls_version() const;
bool is_http_inspection_done() const;
const char* get_netbios_name() const;
const char* get_netbios_domain() const;
CHECK_EQUAL(service, APPID_UT_ID);
CHECK_EQUAL(client, APPID_UT_ID);
CHECK_EQUAL(payload, APPID_UT_ID);
- STRCMP_EQUAL("Published change_bits == 00000000000000000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 000000000000000000000", test_log);
// Server name based detection
service = APP_ID_NONE;
STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_sni(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 000000000000100011000", test_log);
// Common name based detection
mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits);
STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco");
- STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 000000000000100011000", test_log);
// First alt name based detection
change_bits.reset();
CHECK_EQUAL(payload, APPID_UT_ID + 1);
STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 000000000000100011000", test_log);
// Org unit based detection
string host = "";
CHECK_EQUAL(client, APPID_UT_ID + 3);
CHECK_EQUAL(payload, APPID_UT_ID + 3);
STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), APPID_UT_ORG_UNIT);
- STRCMP_EQUAL("Published change_bits == 00000000000000011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 000000000000000011000", test_log);
// Override client id found by SSL pattern matcher with the client id provided by
// Encrypted Visibility Engine if available
STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log);
+ STRCMP_EQUAL("Published change_bits == 000000000000100011000", test_log);
//check for sni mismatch being stored in sni field
change_bits.reset();
// Detect changes in service, client, payload, and misc appid
mock().checkExpectations();
- STRCMP_EQUAL("Published change_bits == 00000000000001111100", test_log);
+ STRCMP_EQUAL("Published change_bits == 000000000000001111100", test_log);
delete &asd->get_api();
delete asd;
// Detect changes in service, client, payload, and misc appid
mock().checkExpectations();
- STRCMP_EQUAL("Published change_bits == 00000000000001111100", test_log);
+ STRCMP_EQUAL("Published change_bits == 000000000000001111100", test_log);
delete &asd->get_api();
delete asd;
delete flow;
change_bits_to_string(change_bits, str);
STRCMP_EQUAL(str.c_str(), "created, reset, service, client, payload, misc, referred, host,"
" tls-host, url, user-agent, response, referrer, dns-host, service-info, client-info,"
- " user-info, netbios-name, netbios-domain, finished");
+ " user-info, netbios-name, netbios-domain, finished, tls-version");
// Failure of this test is a reminder that enum is changed, hence translator needs update
- CHECK_EQUAL(APPID_MAX_BIT, 20);
+ CHECK_EQUAL(APPID_MAX_BIT, 21);
}
int main(int argc, char** argv)
STRCMP_EQUAL(val, APPID_UT_TLS_HOST);
}
+TEST(appid_session_api, get_tls_version)
+{
+ AppidChangeBits change_bits;
+ mock_session->tsession->set_tls_version(nullptr, 0, change_bits);
+ CHECK_EQUAL(mock_session->get_api().get_tls_version(), 0);
+ CHECK_FALSE(change_bits.test(AppidChangeBit::APPID_TLS_VERSION_BIT));
+ const char tls_version[] = {0x03, 0x02};
+ mock_session->tsession->set_tls_version(tls_version, sizeof(tls_version), change_bits);
+ CHECK_EQUAL(mock_session->get_api().get_tls_version(), 0x0203);
+ CHECK_TRUE(change_bits.test(AppidChangeBit::APPID_TLS_VERSION_BIT));
+}
+
TEST(appid_session_api, get_initiator_ip)
{
SfIp expected_ip;
string* tls_host_buf = nullptr;
string* tls_cname_buf = nullptr;
string* tls_org_unit_buf = nullptr;
+ string* tls_version_buf = nullptr;
string* http_request_referer_buf = nullptr;
string* ftp_command_user_buf = nullptr;
string* quic_sni_buf = nullptr;
bool tls_host_flush = true;
bool tls_cname_flush = true;
bool tls_org_unit_flush = true;
+ bool tls_version_flush = true;
bool http_request_referer_flush = true;
bool ftp_command_user_flush = true;
bool quic_sni_flush = true;
if (tls_host_buf) delete tls_host_buf;
if (tls_cname_buf) delete tls_cname_buf;
if (tls_org_unit_buf) delete tls_org_unit_buf;
+ if (tls_version_buf) delete tls_version_buf;
if (http_request_referer_buf) delete http_request_referer_buf;
if (ftp_command_user_buf) delete ftp_command_user_buf;
if (quic_sni_buf) delete quic_sni_buf;
TPAD_GET(tls_host)
TPAD_GET(tls_cname)
TPAD_GET(tls_org_unit)
+ TPAD_GET(tls_version)
TPAD_GET(http_request_referer)
TPAD_GET(ftp_command_user)
TPAD_GET(quic_sni)
TPAD_SET(tls_host)
TPAD_SET(tls_cname)
TPAD_SET(tls_org_unit)
+ TPAD_SET(tls_version)
TPAD_SET(http_request_referer)
TPAD_SET(ftp_command_user)
TPAD_SET(quic_sni)
asd.tsession->set_tls_org_unit(field->c_str(), field->size());
}
}
+
+ if (asd.tsession->get_tls_version() == 0 and
+ (field = attribute_data.tls_version(false)) != nullptr)
+ {
+ asd.tsession->set_tls_version(field->c_str(), field->size(), change_bits);
+ if (reinspect_ssl_appid)
+ {
+ asd.scan_flags |= SCAN_SSL_VERSION_FLAG;
+ }
+ }
}
static inline void process_ftp_control(AppIdSession& asd,
APPID_NETBIOS_NAME_BIT,
APPID_NETBIOS_DOMAIN_BIT,
APPID_DISCOVERY_FINISHED_BIT,
+ APPID_TLS_VERSION_BIT,
APPID_MAX_BIT
};
--n? str.append("netbios-domain, ") : str.append("netbios-domain");
if (change_bits.test(APPID_DISCOVERY_FINISHED_BIT))
--n? str.append("finished, ") : str.append("finished");
+ if (change_bits.test(APPID_TLS_VERSION_BIT))
+ --n? str.append("tls-version, ") : str.append("tls-version");
if (n != 0) // make sure all bits from AppidChangeBit enum get translated
str.append("change_bits_to_string error!");
}
projects / thirdparty / snort3.git / commitdiff
