}
map_app_names_to_snort_ids(sc, config);
+ if (config.enable_rna_filter)
+ discovery_filter = new DiscoveryFilter(config.rna_conf_path);
return true;
}
#include <array>
#include <string>
+#include "helpers/discovery_filter.h"
#include "target_based/snort_protocols.h"
#include "app_info_table.h"
size_t memcap = 0;
bool list_odp_detectors = false;
bool log_all_sessions = false;
+ bool enable_rna_filter = false;
+ std::string rna_conf_path = "";
SnortProtocolId snort_proto_ids[PROTO_INDEX_MAX];
void show() const;
};
AppIdContext(AppIdConfig& config) : config(config)
{ }
- ~AppIdContext() = default;
+ ~AppIdContext()
+ {
+ if (discovery_filter)
+ delete discovery_filter;
+ }
OdpContext& get_odp_ctxt() const
{
assert(odp_ctxt);
return *odp_ctxt;
}
+ DiscoveryFilter* get_discovery_filter() const
+ {
+ return discovery_filter;
+ }
ThirdPartyAppIdContext* get_tp_appid_ctxt() const
{ return tp_appid_ctxt; }
AppIdConfig& config;
private:
+ DiscoveryFilter* discovery_filter = nullptr;
static OdpContext* odp_ctxt;
static ThirdPartyAppIdContext* tp_appid_ctxt;
};
class DataDecryptEventHandler : public snort::DataHandler
{
public:
- DataDecryptEventHandler() : DataHandler(MOD_NAME)
- {
- }
+ DataDecryptEventHandler() : DataHandler(MOD_NAME){ }
void handle(snort::DataEvent& event, snort::Flow* flow) override
{
assert(flow);
AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
- if (!asd)
- return;
+ if (!asd or
+ !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return;
const DataDecryptEvent& data_decrypt_event = static_cast<DataDecryptEvent&>(event);
if (data_decrypt_event.get_type() == DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT)
{
asd->set_session_flags(APPID_SESSION_DECRYPT_MONITOR);
}
}
-
};
#endif
assert(flow);
AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
- if (!asd)
- return; // appid disabled
+ if (!asd or
+ !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return;
else
{
// Skip sessions using old odp context after reload detectors
if (fp) // initialize data session
{
fp->set_service_id(APP_ID_DCE_RPC, asd->get_odp_ctxt());
- asd->initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS,
- APP_ID_FROM_RESPONDER);
+ asd->initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS);
}
}
};
change_bits);
}
-static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst)
-{
- const SfIp* sf_ip;
-
- if (!dst)
- {
- sf_ip = p->ptrs.ip_api.get_src();
- }
- else
- {
- int32_t intf = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ?
- p->pkth->ingress_index : p->pkth->egress_index;
- if (intf == DAQ_PKTHDR_FLOOD)
- return 0;
- sf_ip = p->ptrs.ip_api.get_dst();
- }
-
- if (sf_ip->is_ip4() && sf_ip->get_ip4_value() == 0xFFFFFFFF)
- return IPFUNCS_CHECKED;
-
- // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented
- return IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION | IPFUNCS_CHECKED;
-}
-
-static inline bool is_special_session_monitored(const Packet* p)
-{
- if (p->is_ip4())
- {
- if (p->is_udp() && ((p->ptrs.sp == 68 && p->ptrs.dp == 67)
- || (p->ptrs.sp == 67 && p->ptrs.dp == 68)))
- {
- return true;
- }
- }
- return false;
-}
-
static bool set_network_attributes(AppIdSession* asd, Packet* p, IpProtocol& protocol,
IpProtocol& outer_protocol, AppidSessionDirection& direction)
{
return false;
}
-static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p,
- AppidSessionDirection dir)
-{
- uint64_t flags;
- uint64_t flow_flags = APPID_SESSION_DISCOVER_APP;
-
- flow_flags |= asd.flags;
-
- // FIXIT-M - Re-check a flow after snort is reloaded. RNA policy might have changed
- if (asd.get_session_flags(APPID_SESSION_BIDIRECTIONAL_CHECKED) ==
- APPID_SESSION_BIDIRECTIONAL_CHECKED)
- return flow_flags;
-
- if (dir == APP_ID_FROM_INITIATOR)
- {
- if (!asd.get_session_flags(APPID_SESSION_INITIATOR_CHECKED))
- {
- flags = get_ipfuncs_flags(p, false);
- flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
- if (flags & IPFUNCS_HOSTS_IP)
- flow_flags |= APPID_SESSION_INITIATOR_MONITORED;
- if (flags & IPFUNCS_USER_IP)
- flow_flags |= APPID_SESSION_DISCOVER_USER;
- if (flags & IPFUNCS_APPLICATION)
- flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (is_special_session_monitored(p))
- flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
- }
-
- if (!(flow_flags & APPID_SESSION_DISCOVER_APP)
- && !asd.get_session_flags(APPID_SESSION_RESPONDER_CHECKED))
- {
- flags = get_ipfuncs_flags(p, true);
- if (flags & IPFUNCS_CHECKED)
- flow_flags |= APPID_SESSION_RESPONDER_CHECKED;
- if (flags & IPFUNCS_HOSTS_IP)
- flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
- if (flags & IPFUNCS_APPLICATION)
- flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (is_special_session_monitored(p))
- flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
- }
- }
- else
- {
- if (!asd.get_session_flags(APPID_SESSION_RESPONDER_CHECKED))
- {
- flags = get_ipfuncs_flags(p, false);
- flow_flags |= APPID_SESSION_RESPONDER_CHECKED;
- if (flags & IPFUNCS_HOSTS_IP)
- flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
- if (flags & IPFUNCS_APPLICATION)
- flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (is_special_session_monitored(p))
- flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
- }
-
- if (!(flow_flags & APPID_SESSION_DISCOVER_APP)
- && !asd.get_session_flags(APPID_SESSION_INITIATOR_CHECKED))
- {
- flags = get_ipfuncs_flags(p, true);
- if (flags & IPFUNCS_CHECKED)
- flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
- if (flags & IPFUNCS_HOSTS_IP)
- flow_flags |= APPID_SESSION_INITIATOR_MONITORED;
- if (flags & IPFUNCS_USER_IP)
- flow_flags |= APPID_SESSION_DISCOVER_USER;
- if (flags & IPFUNCS_APPLICATION)
- flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (is_special_session_monitored(p))
- flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
- }
- }
-
- return flow_flags;
-}
-
-static uint64_t is_session_monitored(const Packet* p, AppidSessionDirection dir)
-{
- uint64_t flags;
- uint64_t flow_flags = APPID_SESSION_DISCOVER_APP;
-
- if (dir == APP_ID_FROM_INITIATOR)
- {
- flags = get_ipfuncs_flags(p, false);
- flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
- if (flags & IPFUNCS_HOSTS_IP)
- flow_flags |= APPID_SESSION_INITIATOR_MONITORED;
- if (flags & IPFUNCS_USER_IP)
- flow_flags |= APPID_SESSION_DISCOVER_USER;
- if (flags & IPFUNCS_APPLICATION)
- flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (!(flow_flags & APPID_SESSION_DISCOVER_APP))
- {
- flags = get_ipfuncs_flags(p, true);
- if (flags & IPFUNCS_CHECKED)
- flow_flags |= APPID_SESSION_RESPONDER_CHECKED;
- if (flags & IPFUNCS_HOSTS_IP)
- flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
- if (flags & IPFUNCS_APPLICATION)
- flow_flags |= APPID_SESSION_DISCOVER_APP;
- }
- if (is_special_session_monitored(p))
- flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
- }
- else
- {
- flags = get_ipfuncs_flags(p, false);
- flow_flags |= APPID_SESSION_RESPONDER_CHECKED;
- if (flags & IPFUNCS_HOSTS_IP)
- flow_flags |= APPID_SESSION_RESPONDER_MONITORED;
- if (flags & IPFUNCS_APPLICATION)
- flow_flags |= APPID_SESSION_DISCOVER_APP;
- if (!(flow_flags & APPID_SESSION_DISCOVER_APP))
- {
- flags = get_ipfuncs_flags(p, true);
- if (flags & IPFUNCS_CHECKED)
- flow_flags |= APPID_SESSION_INITIATOR_CHECKED;
- if (flags & IPFUNCS_HOSTS_IP)
- flow_flags |= APPID_SESSION_INITIATOR_MONITORED;
- if (flags & IPFUNCS_USER_IP)
- flow_flags |= APPID_SESSION_DISCOVER_USER;
- if (flags & IPFUNCS_APPLICATION)
- flow_flags |= APPID_SESSION_DISCOVER_APP;
- }
-
- if (is_special_session_monitored(p))
- flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
- }
-
- return flow_flags;
-}
-
// Return false if the packet or the session doesn't need to be inspected
bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspector& inspector,
IpProtocol& protocol, IpProtocol& outer_protocol, AppidSessionDirection& direction,
if (is_packet_ignored(p))
return false;
- uint64_t flow_flags;
- if (asd)
- flow_flags = is_session_monitored(*asd, p, direction);
- else
- flow_flags = is_session_monitored(p, direction);
-
- if ( !(flow_flags & (APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)) )
- return false;
-
if (!asd)
{
asd = AppIdSession::allocate_session(p, protocol, direction, inspector, odp_ctxt);
if (p->flow->get_session_flags() & SSNFLAG_MIDSTREAM)
{
- flow_flags |= APPID_SESSION_MID;
+ asd->flags |= APPID_SESSION_MID;
if (appidDebug->is_active())
LogMessage("AppIdDbg %s New AppId mid-stream session\n",
appidDebug->get_debug_session());
else if (appidDebug->is_active())
LogMessage("AppIdDbg %s New AppId session\n", appidDebug->get_debug_session());
}
+ if (!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return false;
// FIXIT-L - from this point on we always have a valid ptr to a Packet
// refactor to pass this as ref and delete any checks for null
}
}
- asd->flags = flow_flags;
if (!asd->get_session_flags(APPID_SESSION_PAYLOAD_SEEN) and p->dsize)
asd->set_session_flags(APPID_SESSION_PAYLOAD_SEEN);
#define APPID_HA_FLAGS_TP_DONE ( 1 << 0 )
#define APPID_HA_FLAGS_SVC_DONE ( 1 << 1 )
#define APPID_HA_FLAGS_HTTP ( 1 << 2 )
+#define APPID_HA_FLAGS_DISC_APP ( 1 << 3 )
+#define APPID_HA_FLAGS_SPL_MONI ( 1 << 4 )
using namespace snort;
if (appHA->flags & APPID_HA_FLAGS_HTTP)
asd->set_session_flags(APPID_SESSION_HTTP_SESSION);
+ if (appHA->flags & APPID_HA_FLAGS_DISC_APP)
+ asd->set_session_flags(APPID_SESSION_DISCOVER_APP);
+ if (appHA->flags & APPID_HA_FLAGS_SPL_MONI)
+ asd->set_session_flags(APPID_SESSION_SPECIAL_MONITORED);
asd->set_service_id(appHA->appId[APPID_HA_APP_SERVICE], asd->get_odp_ctxt());
AppIdHttpSession* hsession = nullptr;
if (appHA->appId[APPID_HA_APP_SERVICE] == APP_ID_HTTP or
appHA->flags |= APPID_HA_FLAGS_SVC_DONE;
if (asd->get_session_flags(APPID_SESSION_HTTP_SESSION))
appHA->flags |= APPID_HA_FLAGS_HTTP;
+ if (asd->get_session_flags(APPID_SESSION_DISCOVER_APP))
+ appHA->flags |= APPID_HA_FLAGS_DISC_APP;
+ if (asd->get_session_flags(APPID_SESSION_SPECIAL_MONITORED))
+ appHA->flags |= APPID_HA_FLAGS_SPL_MONI;
appHA->appId[APPID_HA_APP_SERVICE] = asd->get_service_id();
const AppIdHttpSession* hsession = asd->get_http_session(0);
if (hsession)
}
else if ( asd->get_odp_ctxt_version() != pkt_thread_odp_ctxt->get_version() )
return; // Skip detection for sessions using old odp context after odp reload
+ if (!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return;
const uint8_t* header_start;
int32_t header_length;
"print third party configuration on startup" },
{ "log_all_sessions", Parameter::PT_BOOL, nullptr, "false",
"enable logging of all appid sessions" },
+ { "enable_rna_filter", Parameter::PT_BOOL, nullptr, "false",
+ "monitor only the networks specified in rna configuration" },
+ { "rna_conf_path", Parameter::PT_STRING, nullptr, nullptr,
+ "path to rna configuration file" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
config->list_odp_detectors = v.get_bool();
else if ( v.is("log_all_sessions") )
config->log_all_sessions = v.get_bool();
+ else if ( v.is("enable_rna_filter") )
+ config->enable_rna_filter = v.get_bool();
+ else if ( v.is("rna_conf_path") )
+ config->rna_conf_path = std::string(v.get_string());
return true;
}
{
assert(flow);
AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
- if (!asd)
- return;
+ if (!asd or
+ !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return;
// Skip sessions using old odp context after reload detectors
if (!pkt_thread_odp_ctxt or
return nullptr;
}
+static inline bool is_special_session_monitored(const Packet* p)
+{
+ if (p->is_ip4())
+ {
+ if (p->is_udp() && ((p->ptrs.sp == 68 && p->ptrs.dp == 67)
+ || (p->ptrs.sp == 67 && p->ptrs.dp == 68)))
+ {
+ return true;
+ }
+ }
+ return false;
+}
+
+static void is_session_monitored(uint64_t& flow_flags, const Packet* p,
+ AppIdInspector& inspector)
+{
+
+ DiscoveryFilter* filter = inspector.get_ctxt().get_discovery_filter();
+ if (filter and filter->is_app_monitored(p))
+ {
+ flow_flags |= APPID_SESSION_DISCOVER_APP;
+ flow_flags |= APPID_SESSION_DISCOVER_USER;
+ if (is_special_session_monitored(p))
+ flow_flags |= APPID_SESSION_SPECIAL_MONITORED;
+ }
+ else if (!filter)
+ flow_flags |= (APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_DISCOVER_USER |
+ APPID_SESSION_DISCOVER_APP);
+
+}
+
AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto,
AppidSessionDirection direction, AppIdInspector& inspector, OdpContext& odp_context)
{
AppIdSession* asd = new AppIdSession(proto, ip, port, inspector, odp_context,
p->pkth->address_space_id);
+ is_session_monitored(asd->flags, p, inspector);
asd->flow = p->flow;
asd->stats.first_packet_second = p->pkth->ts.tv_sec;
asd->snort_protocol_id = asd->config.snort_proto_ids[PROTO_INDEX_UNSYNCHRONIZED];
return asd;
}
-void AppIdSession::initialize_future_session(AppIdSession& expected, uint64_t flags,
- AppidSessionDirection dir)
+void AppIdSession::initialize_future_session(AppIdSession& expected, uint64_t flags)
{
- if (dir == APP_ID_FROM_INITIATOR)
- {
- expected.set_session_flags(flags |
- get_session_flags(
- APPID_SESSION_INITIATOR_CHECKED |
- APPID_SESSION_INITIATOR_MONITORED |
- APPID_SESSION_RESPONDER_CHECKED |
- APPID_SESSION_RESPONDER_MONITORED));
- }
- else if (dir == APP_ID_FROM_RESPONDER)
- {
- if (get_session_flags(APPID_SESSION_INITIATOR_CHECKED))
- flags |= APPID_SESSION_RESPONDER_CHECKED;
-
- if (get_session_flags(APPID_SESSION_INITIATOR_MONITORED))
- flags |= APPID_SESSION_RESPONDER_MONITORED;
-
- if (get_session_flags(APPID_SESSION_RESPONDER_CHECKED))
- flags |= APPID_SESSION_INITIATOR_CHECKED;
-
- if (get_session_flags(APPID_SESSION_RESPONDER_MONITORED))
- flags |= APPID_SESSION_INITIATOR_MONITORED;
- }
expected.set_session_flags(flags |
get_session_flags(
#define APPID_SESSION_DATA_SERVICE_MODSTATE_BIT 0x20000000
#define APPID_SESSION_DATA_CLIENT_MODSTATE_BIT 0x40000000
#define APPID_SESSION_DATA_DETECTOR_MODSTATE_BIT 0x80000000
-#define APPID_SESSION_BIDIRECTIONAL_CHECKED \
- (APPID_SESSION_INITIATOR_CHECKED | \
- APPID_SESSION_RESPONDER_CHECKED)
-#define APPID_SESSION_DO_RNA \
- (APPID_SESSION_RESPONDER_MONITORED | \
- APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | \
- APPID_SESSION_SPECIAL_MONITORED)
enum APPID_DISCOVERY_STATE
{
AppidSessionDirection, AppIdInspector&, OdpContext&);
static AppIdSession* create_future_session(const snort::Packet*, const snort::SfIp*, uint16_t,
const snort::SfIp*, uint16_t, IpProtocol, SnortProtocolId, bool swap_app_direction=false);
- void initialize_future_session(AppIdSession&, uint64_t, AppidSessionDirection);
+ void initialize_future_session(AppIdSession&, uint64_t);
size_t size_of() override
{ return sizeof(*this); }
// FIXIT-M : snort 2.9.x updated the flag to APPID_SESSION_EXPECTED_EVALUATE.
// Check if it is needed here as well.
- // asd.initialize_future_session(*fp, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_APPID_SESSION_DIRECTION_MAX);
+ // asd.initialize_future_session(*fp, APPID_SESSION_EXPECTED_EVALUATE);
- asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS,
- APP_ID_APPID_SESSION_DIRECTION_MAX);
+ asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS);
}
// create an RTCP flow as well
fp2->set_service_id(APP_ID_RTCP, asd.get_odp_ctxt());
// FIXIT-M : same comment as above
- // asd.initialize_future_session(*fp2, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_APPID_SESSION_DIRECTION_MAX);
+ // asd.initialize_future_session(*fp2, APPID_SESSION_EXPECTED_EVALUATE);
- asd.initialize_future_session(*fp2, APPID_SESSION_IGNORE_ID_FLAGS,
- APP_ID_APPID_SESSION_DIRECTION_MAX);
+ asd.initialize_future_session(*fp2, APPID_SESSION_IGNORE_ID_FLAGS);
}
}
SipEvent& sip_event = (SipEvent&)event;
const Packet* p = sip_event.get_packet();
assert(p);
+
if ( !asd )
{
IpProtocol protocol = p->is_tcp() ? IpProtocol::TCP : IpProtocol::UDP;
asd = AppIdSession::allocate_session(p, protocol, direction, inspector,
inspector.get_ctxt().get_odp_ctxt());
}
+ if (!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return;
AppidChangeBits change_bits;
client_handler(sip_event, *asd, change_bits);
return p;
}
}
-
+DiscoveryFilter::~DiscoveryFilter(){}
void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { }
void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { }
ud->validate_lua_state(false);
if (!init(L)) return 0;
- SfIp ip_addr;
+ SfIp ip_address;
int index = 1;
uint8_t type = lua_tointeger(L, ++index);
AppId app_id = (AppId)lua_tointeger(L, ++index);
size_t ipaddr_size = 0;
const char* ip_str= lua_tolstring(L, ++index, &ipaddr_size);
- if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_addr))
+ if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_address))
{
ErrorMessage("%s: Invalid IP address: %s\n",__func__, ip_str);
return 0;
if (toipprotocol(L, ++index, proto))
return 0;
- if (!ud->get_odp_ctxt().host_port_cache_add(&ip_addr, (uint16_t)port, proto, type, app_id))
+ if (!ud->get_odp_ctxt().host_port_cache_add(&ip_address, (uint16_t)port, proto, type, app_id))
ErrorMessage("%s:Failed to backend call\n",__func__);
return 0;
if (!ud->get_odp_ctxt().is_host_port_app_cache_runtime)
return 0;
- SfIp ip_addr;
+ SfIp ip_address;
int index = 1;
uint8_t type = lua_tointeger(L, ++index);
AppId appid = (AppId)lua_tointeger(L, ++index);
size_t ipaddr_size = 0;
const char* ip_str = lua_tolstring(L, ++index, &ipaddr_size);
- if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_addr))
+ if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_address))
return 0;
unsigned port = lua_tointeger(L, ++index);
bool added = false;
std::lock_guard<std::mutex> lck(AppIdSession::inferred_svcs_lock);
- host_cache[ip_addr]->add_service(port, proto, appid, true, &added);
+ host_cache[ip_address]->add_service(port, proto, appid, true, &added);
if (added)
{
}
}
-static unsigned isIPv4HostMonitored(uint32_t, int32_t)
-{
- // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented
- return IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION;
-}
-
void BootpServiceDetector::add_new_dhcp_lease(AppIdSession& asd, const uint8_t* mac, uint32_t ip,
int32_t zone,
uint32_t subnetmask, uint32_t leaseSecs, uint32_t router)
if (memcmp(mac, zeromac, 6) == 0 || ip == 0)
return;
- if (!asd.get_session_flags(APPID_SESSION_DO_RNA)
- || asd.get_session_flags(APPID_SESSION_HAS_DHCP_INFO))
- return;
-
- unsigned flags = isIPv4HostMonitored(ntohl(ip), zone);
- if (!(flags & IPFUNCS_HOSTS_IP))
+ if (asd.get_session_flags(APPID_SESSION_HAS_DHCP_INFO))
return;
asd.set_session_flags(APPID_SESSION_HAS_DHCP_INFO);
fp->set_service_id(APP_ID_FTP_DATA, asd.get_odp_ctxt());
}
- asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS | encrypted_flags, dir);
+ asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS | encrypted_flags);
}
}
}
pf->service_disco_state = APPID_DISCO_STATE_STATEFUL;
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
- args.asd.initialize_future_session(*pf, REXEC_EXPECTED_SESSION_FLAGS, APP_ID_FROM_RESPONDER);
+ args.asd.initialize_future_session(*pf, REXEC_EXPECTED_SESSION_FLAGS);
pf->service_disco_state = APPID_DISCO_STATE_STATEFUL;
rd->child = tmp_rd;
rd->state = REXEC_STATE_SERVER_CONNECT;
pf->add_flow_data_id((uint16_t)tmp, this);
pf->service_disco_state = APPID_DISCO_STATE_STATEFUL;
pf->set_session_flags(asd.get_session_flags(
- APPID_SESSION_RESPONDER_MONITORED |
- APPID_SESSION_INITIATOR_MONITORED |
APPID_SESSION_SPECIAL_MONITORED |
- APPID_SESSION_RESPONDER_CHECKED |
- APPID_SESSION_INITIATOR_CHECKED |
APPID_SESSION_DISCOVER_APP |
APPID_SESSION_DISCOVER_USER));
}
}
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
args.asd.initialize_future_session(*pf, APPID_SESSION_CONTINUE | APPID_SESSION_REXEC_STDERR | APPID_SESSION_NO_TPI |
- APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_PORT_SERVICE_DONE,
- APP_ID_FROM_RESPONDER);
+ APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_PORT_SERVICE_DONE);
pf->service_disco_state = APPID_DISCO_STATE_STATEFUL;
rd->child = tmp_rd;
tmp_sd->state = SNMP_STATE_ERROR;
return APPID_ENULL;
}
- args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_APPID_SESSION_DIRECTION_MAX);
+ args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE);
pf->service_disco_state = APPID_DISCO_STATE_STATEFUL;
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
pf->set_initiator_ip(*sip);
tmp_td->state = TFTP_STATE_ERROR;
return APPID_ENOMEM;
}
- args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_FROM_RESPONDER);
+ args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE);
pf->set_initiator_ip(*sip);
pf->service_disco_state = APPID_DISCO_STATE_STATEFUL;
pf->scan_flags |= SCAN_HOST_PORT_FLAG;
OdpContext&, uint16_t) : snort::FlowData(inspector_id, (snort::Inspector*)&inspector),
config(stub_config), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { }
AppIdSession::~AppIdSession() = default;
+DiscoveryFilter::~DiscoveryFilter(){}
void AppIdSession::free_flow_data()
{
snort_free(smb_data);
#define APPID_MOCK_INSPECTOR_H // avoiding mocked inspector
+#include "helpers/discovery_filter.h"
#include "host_tracker/host_cache.h"
#include "network_inspectors/appid/appid_discovery.cc"
#include "network_inspectors/appid/appid_peg_counts.h"
StashGenericObject(STASH_GENERIC_OBJECT_APPID) {}
} // namespace snort
void AppIdModule::reset_stats() {}
-
+DiscoveryFilter::~DiscoveryFilter() {}
// Stubs for publish
void DataBus::publish(const char*, DataEvent& event, Flow*)
{
assert(ctxt);
return *ctxt;
}
+bool DiscoveryFilter::is_app_monitored(const snort::Packet*, uint8_t*){return true;}
// Stubs for AppInfoManager
AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId)
AppIdModule app_module;
AppIdInspector ins(app_module);
AppIdSession* asd = new AppIdSession(IpProtocol::TCP, &ip, 21, ins, app_ctxt.get_odp_ctxt());
+ asd->flags |= APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_DISCOVER_USER |
+ APPID_SESSION_DISCOVER_APP;
Flow* flow = new Flow;
flow->set_flow_data(asd);
p.flow = flow;
AppIdModule app_module;
AppIdInspector ins(app_module);
AppIdSession* asd = new AppIdSession(IpProtocol::TCP, &ip, 21, ins, app_ctxt.get_odp_ctxt());
+ asd->flags |= APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_DISCOVER_USER |
+ APPID_SESSION_DISCOVER_APP;
Flow* flow = new Flow;
flow->set_flow_data(asd);
p.flow = flow;
AppIdModule app_module;
AppIdInspector ins(app_module);
AppIdSession* asd = new AppIdSession(IpProtocol::TCP, &ip, 21, ins, app_ctxt.get_odp_ctxt());
+ asd->flags |= APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_DISCOVER_USER |
+ APPID_SESSION_DISCOVER_APP;
Flow* flow = new Flow;
flow->set_flow_data(asd);
p.flow = flow;
THREAD_LOCAL AppIdDebug* appidDebug = nullptr;
ThirdPartyAppIdContext* AppIdContext::tp_appid_ctxt = nullptr;
THREAD_LOCAL bool ThirdPartyAppIdContext::tp_reload_in_progress = false;
+bool DiscoveryFilter::is_app_monitored(const snort::Packet*, uint8_t*){return true;}
void AppIdDebug::activate(const Flow*, const AppIdSession*, bool) { active = true; }
void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
pkt_thread_odp_ctxt = &mock_session->get_odp_ctxt();
mock_session->create_http_session();
flow->set_flow_data(mock_session);
+ mock_session->flags = APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED;
appidDebug = new AppIdDebug();
appidDebug->activate(nullptr, nullptr, false);
}
SearchTool::SearchTool(char const*, bool) { }
SearchTool::~SearchTool() = default;
}
-
+DiscoveryFilter::~DiscoveryFilter(){}
void ApplicationDescriptor::set_id(AppId app_id){ my_id = app_id;}
void ServiceAppDescriptor::set_id(AppId app_id, OdpContext&){ set_id(app_id); }
void ServiceAppDescriptor::update_stats(AppId, bool){}
StashGenericObject(STASH_GENERIC_OBJECT_APPID) {}
}
+DiscoveryFilter::~DiscoveryFilter(){}
// Stubs for AppInfoManager
AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId)
{
snort::SearchTool::~SearchTool() = default;
AppIdDiscovery::~AppIdDiscovery() = default;
+DiscoveryFilter::~DiscoveryFilter(){}
void ClientDiscovery::initialize(AppIdInspector&) { }
void ClientDiscovery::reload() { }
void AppIdDiscovery::register_detector(const string&, AppIdDetector*, IpProtocol) { }
projects / thirdparty / snort3.git / commitdiff
