Merge pull request #1212 in SNORT/snort3 from appid_fixes to master

Squashed commit of the following:

commit c983b7acc7ef641faa3a9d5e9ef255511b736f47
Author: deramada <deramada@cisco.com>
Date:   Wed May 2 11:06:18 2018 -0400

    appid: appid session unit test changes

commit aa89c65543a5fb16db9c692a38778138fb5d901b
Author: deramada <deramada@cisco.com>
Date:   Tue May 1 20:27:33 2018 -0400

    appid: fixed http fields, referer payload and appid debug

diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc
index dbecf5b39de99a769a697790063b0bbbb40671e5..1edd7515b68d2c87db7cadfec7a2c52ecd94e0dd 100644 (file)
--- a/src/network_inspectors/appid/appid_http_session.cc
+++ b/src/network_inspectors/appid/appid_http_session.cc
@@ -56,9 +56,6 @@ AppIdHttpSession::AppIdHttpSession(AppIdSession& asd)
     : asd(asd)
 {
     http_matchers = HttpPatternMatchers::get_instance();
-    http_fields.reserve(MAX_HTTP_FIELD_ID);
-    ptype_req_counts.assign(MAX_HTTP_FIELD_ID, 0);
-    ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0);
 }
 
 AppIdHttpSession::~AppIdHttpSession()
@@ -278,7 +275,7 @@ void AppIdHttpSession::process_chp_buffers()
             }
 
             cmd.free_rewrite_buffers();
-            ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0);
+            memset(ptype_scan_counts, 0, sizeof(ptype_scan_counts));
 
             // Make it possible for other detectors to run.
             skip_simple_detect = false;
@@ -333,7 +330,7 @@ void AppIdHttpSession::process_chp_buffers()
             asd.scan_flags &= ~SCAN_HTTP_VIA_FLAG;
             asd.scan_flags &= ~SCAN_HTTP_USER_AGENT_FLAG;
             asd.scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG;
-            ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0);
+            memset(ptype_scan_counts, 0, sizeof(ptype_scan_counts));
         }
         else /* if we have a candidate, but we're not finished */
         {
@@ -840,7 +837,7 @@ void AppIdHttpSession::update_response_code(const char* new_rc)
 
 void AppIdHttpSession::reset_ptype_scan_counts()
 {
-    ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0);
+    memset(ptype_scan_counts, 0, sizeof(ptype_scan_counts));
 }
 
 

diff --git a/src/network_inspectors/appid/appid_http_session.h b/src/network_inspectors/appid/appid_http_session.h
index 42c5249399851c481ca11bb1223bebe958c3555a..b78ee54e7135eb1d3fd91ff52551c6797ccfd5a7 100644 (file)
--- a/src/network_inspectors/appid/appid_http_session.h
+++ b/src/network_inspectors/appid/appid_http_session.h
@@ -23,12 +23,13 @@
 #define APPID_HTTP_SESSION_H
 
 #include <string>
-#include <vector>
 
 #include "flow/flow.h"
 #include "sfip/sf_ip.h"
+
 #include "appid_types.h"
 #include "application_ids.h"
+#include "detector_plugins/http_url_patterns.h"
 #include "http_xff_fields.h"
 
 class AppIdSession;
@@ -200,7 +201,6 @@ protected:
     std::string req_body;
     std::string server;
     std::string x_working_with;
-    std::vector<HttpField> http_fields;
     bool is_webdav = false;
     bool chp_finished = false;
     AppId chp_candidate = APP_ID_NONE;
@@ -215,8 +215,9 @@ protected:
     snort::SfIp* xff_addr = nullptr;
     const char** xffPrecedence = nullptr;
     unsigned numXffFields = 0;
-    std::vector<int> ptype_req_counts;
-    std::vector<int> ptype_scan_counts;
+    HttpField http_fields[MAX_HTTP_FIELD_ID];
+    int ptype_req_counts[MAX_HTTP_FIELD_ID] = {0};
+    int ptype_scan_counts[MAX_HTTP_FIELD_ID] = {0};
 #if RESPONSE_CODE_PACKET_THRESHHOLD
     unsigned response_code_packets = 0;
 #endif

diff --git a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc
index c24910f5f035988625ec233b4361390baeeb8046..e3cb5898a7a2232b40c49ab2caba3f98b185ac2a 100644 (file)
--- a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc
+++ b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc
@@ -1649,7 +1649,7 @@ bool HttpPatternMatchers::get_appid_from_url(char* host, const char* url, char**
     snort_free(temp_host);
 
     /* if referred_id feature id disabled, referer will be null */
-    if ( referer && (!payload_found ||
+    if ( referer and (referer[0] != '\0') and (!payload_found or
          AppInfoManager::get_instance().get_app_info_flags(data->payload_id,
          APPINFO_FLAG_REFERRED)) )
     {
@@ -1660,7 +1660,7 @@ bool HttpPatternMatchers::get_appid_from_url(char* host, const char* url, char**
             (const uint8_t*)URL_SCHEME_END_PATTERN, sizeof(URL_SCHEME_END_PATTERN)-1);
 
         if ( !referer_offset )
-            return false;
+            return payload_found;
 
         referer_offset += sizeof(URL_SCHEME_END_PATTERN)-1;
         referer_start = referer_offset;

diff --git a/src/network_inspectors/appid/test/appid_mock_http_session.h b/src/network_inspectors/appid/test/appid_mock_http_session.h
index fcb57e13eaccb33d3ee1229f9b62b0da61317952..1181d25d6920413a996174a6afdedf3c90071f0d 100644 (file)
--- a/src/network_inspectors/appid/test/appid_mock_http_session.h
+++ b/src/network_inspectors/appid/test/appid_mock_http_session.h
@@ -24,9 +24,6 @@
 AppIdHttpSession::AppIdHttpSession(AppIdSession& session)
     : asd(session)
 {
-    http_fields.reserve(MAX_HTTP_FIELD_ID);
-    ptype_req_counts.assign(MAX_HTTP_FIELD_ID, 0);
-    ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0);
 }
 
 AppIdHttpSession::~AppIdHttpSession()

diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index 0889118d73362d8729352bd41ed9b1a3f68d3f5e..81407024ff6ed8e72355d81ed12ccd13cea6a9a7 100644 (file)
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -187,8 +187,9 @@ static inline void process_http_session(AppIdSession& asd,
             hsession->set_field_offset(REQ_HOST_FID, attribute_data.http_request_host_begin());
             hsession->set_field_end_offset(REQ_HOST_FID, attribute_data.http_request_host_end());
             if (appidDebug->is_active())
-                LogMessage("AppIdDbg %s HTTP host is %s\n",
-                    appidDebug->get_debug_session(), field->c_str());
+                LogMessage("AppIdDbg %s HTTP host (%u-%u) is %s\n",
+                    appidDebug->get_debug_session(), hsession->get_field_offset(REQ_HOST_FID),
+                    hsession->get_field_end_offset(REQ_HOST_FID), field->c_str());
             asd.scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
         }
 
@@ -223,7 +224,7 @@ static inline void process_http_session(AppIdSession& asd,
             hsession->set_field_offset(REQ_URI_FID, attribute_data.http_request_uri_begin());
             hsession->set_field_end_offset(REQ_URI_FID, attribute_data.http_request_uri_end());
             if (appidDebug->is_active())
-                LogMessage("AppIdDbg %s uri (%u-%u) is %s\n", appidDebug->get_debug_session(),
+                LogMessage("AppIdDbg %s URI (%u-%u) is %s\n", appidDebug->get_debug_session(),
                     hsession->get_field_offset(REQ_URI_FID),
                     hsession->get_field_end_offset(REQ_URI_FID), hsession->get_uri());
         }
@@ -544,14 +545,14 @@ static inline void process_third_party_results(AppIdSession& asd, int confidence
     if ( contains(proto_list, APP_ID_HTTP) )
     {
         if (appidDebug->is_active())
-            LogMessage("AppIdDbg %s flow is HTTP\n", appidDebug->get_debug_session());
+            LogMessage("AppIdDbg %s Flow is HTTP\n", appidDebug->get_debug_session());
         asd.set_session_flags(APPID_SESSION_HTTP_SESSION);
     }
 
     if ( contains(proto_list, APP_ID_SPDY) )
     {
         if (appidDebug->is_active())
-            LogMessage("AppIdDbg %s flow is SPDY\n", appidDebug->get_debug_session());
+            LogMessage("AppIdDbg %s Flow is SPDY\n", appidDebug->get_debug_session());
 
         asd.set_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION);
     }