Squashed commit of the following:
commit
350263720dd444e39a318419804cfc4b90d31911
Author: Steven Baigal (sbaigal) <sbaigal@cisco.com>
Date: Wed Aug 12 13:56:06 2020 -0400
http_inspect: implement can_start_tls(), add support for ssl search abandoned event
PEG_GET, PEG_HEAD, PEG_POST, PEG_PUT, PEG_DELETE, PEG_CONNECT, PEG_OPTIONS, PEG_TRACE,
PEG_OTHER_METHOD, PEG_REQUEST_BODY, PEG_CHUNKED, PEG_URI_NORM, PEG_URI_PATH, PEG_URI_CODING,
PEG_CONCURRENT_SESSIONS, PEG_MAX_CONCURRENT_SESSIONS, PEG_DETAINED, PEG_SCRIPT_DETECTION,
- PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_COUNT_MAX };
+ PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_SSL_SEARCH_ABND_EARLY,
+ PEG_COUNT_MAX };
// Result of scanning by splitter
enum ScanResult { SCAN_NOT_FOUND, SCAN_NOT_FOUND_ACCELERATE, SCAN_FOUND, SCAN_FOUND_PIECE,
HttpEnums::MethodId method_id = HttpEnums::METH__NOT_PRESENT;
bool cutover_on_clear = false;
+ bool ssl_search_abandoned = false;
// *** Transaction management including pipelining
static const int MAX_PIPELINE = 100; // requests seen - responses seen <= MAX_PIPELINE
bool can_carve_files() const override
{ return true; }
+ bool can_start_tls() const override
+ { return true; }
+
static HttpEnums::InspectSection get_latest_is(const snort::Packet* p);
static HttpCommon::SourceId get_latest_src(const snort::Packet* p);
void disable_detection(snort::Packet* p);
}
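Review bot: The new can_start_tls() override returns true unconditionally and nothing in the hunk says what the framework does with that answer, so the promise this class now makes is undocumented; the neighbouring can_carve_files() has the same shape. A one-line comment above the override would fix that, e.g. `// Every HTTP flow may switch to TLS (presumably after a CONNECT cutover), so the framework is allowed to watch for a handshake`. The enclosing class starts outside the hunk.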
session_data->cutover_on_clear = true;
HttpModule::increment_peg_counts(PEG_CUTOVERS);
-
+ if (session_data->ssl_search_abandoned)
+ HttpModule::increment_peg_counts(PEG_SSL_SEARCH_ABND_EARLY);
#ifdef REG_TEST
if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
{
session_data->method_id = method_id;
}
+void HttpMsgRequest::publish()
+{
+ if (!session_data->ssl_search_abandoned && trans_num > 1 &&
+ !flow->flags.data_decrypted && get_method_id() != METH_CONNECT)
+ {
+ session_data->ssl_search_abandoned = true;
+ DataBus::publish(SSL_SEARCH_ABANDONED, DetectionEngine::get_current_packet());
+ }
+}
+
#ifdef REG_TEST
void HttpMsgRequest::print_section(FILE* output)
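Review bot: The condition at the top of HttpMsgRequest::publish() encodes a policy (second or later request, flow never decrypted, method not CONNECT) that the hunk does not explain, so a comment stating the intent is needed, e.g. `// A second non-CONNECT request on a still-plaintext flow means a TLS handshake is no longer expected: tell the SSL search to stop, once per flow`. Because session_data->ssl_search_abandoned is set on the line before DataBus::publish and is never cleared anywhere in this diff, the event fires at most once per flow, which is worth stating explicitly since the counter incremented on the CONNECT cutover path depends on that flag staying set. DetectionEngine::get_current_packet() presumably can return nullptr outside packet processing; if publish() can be reached from such a context, the call should be guarded.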
~HttpMsgRequest() override;
void gen_events() override;
void update_flow() override;
+ void publish() override;
const Field& get_method() { return method; }
const Field& get_uri();
const Field& get_uri_norm_classic();
{ CountType::SUM, "excess_parameters", "repeat parameters exceeding max" },
{ CountType::SUM, "parameters", "HTTP parameters inspected" },
{ CountType::SUM, "connect_tunnel_cutovers", "CONNECT tunnel flow cutovers to wizard" },
+ { CountType::SUM, "ssl_srch_abandoned_early", "total SSL search abandoned too soon" },
{ CountType::END, nullptr, nullptr }
};