Pull request #3579: appid: Added a snort config to control client-process mapping

author Sreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>

Wed, 14 Sep 2022 16:50:16 +0000 (16:50 +0000)

committer Sreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>

Wed, 14 Sep 2022 16:50:16 +0000 (16:50 +0000)
author Sreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>
Wed, 14 Sep 2022 16:50:16 +0000 (16:50 +0000)
committer Sreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>
Wed, 14 Sep 2022 16:50:16 +0000 (16:50 +0000)
diff --git a/src/network_inspectors/appid/appid_eve_process_event_handler.cc b/src/network_inspectors/appid/appid_eve_process_event_handler.cc

index e3bcf76fbc86575b35ff27f588991d73cb35dd1b..ad88cbe798cb4a460915867f954d4b555fd9de4a 100644 (file)
--- a/src/network_inspectors/appid/appid_eve_process_event_handler.cc
+++ b/src/network_inspectors/appid/appid_eve_process_event_handler.cc
@@ -73,6 +73,7 @@ void AppIdEveProcessEventHandler::handle(DataEvent& event, Flow* flow)
      const std::string& user_agent = eve_process_event.get_user_agent();
      std::vector<std::string> alpn_vec = eve_process_event.get_alpn();
      const bool is_quic = eve_process_event.is_flow_quic();
+    const bool is_client_process_flag = eve_process_event.is_client_process_mapping();
  
      AppidChangeBits change_bits;
  
@@ -106,7 +107,7 @@ void AppIdEveProcessEventHandler::handle(DataEvent& event, Flow* flow)
  
          snort_free(version);
      }
-    else if (!name.empty())
+    else if (!name.empty() and is_client_process_flag)
      {
          client_id = asd->get_odp_ctxt().get_eve_ca_matchers().match_eve_ca_pattern(name,
              conf);
diff --git a/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc b/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc

index 9b59fbb95aafd04dad346bb68ea3ec7c6dd864f8..0819f0ddf705d7628b89c2d4d9510b41b61cbbc9 100644 (file)
--- a/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc
+++ b/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc
@@ -139,6 +139,7 @@ TEST(appid_eve_process_event_handler_tests, eve_process_event_handler)
  {
      Packet p;
      EveProcessEvent event(p, "firefox", 90);
+    event.set_client_process_mapping(true);
      AppIdEveProcessEventHandler event_handler(dummy_appid_inspector);
      Flow* flow = new Flow();
      event_handler.handle(event, flow);
diff --git a/src/pub_sub/eve_process_event.h b/src/pub_sub/eve_process_event.h

index 62d94ce4eccd72c414722b00ffcf33347ce4cacb..65fc66aa693ea0d349c842054b4b0b5d7addaa96 100644 (file)
--- a/src/pub_sub/eve_process_event.h
+++ b/src/pub_sub/eve_process_event.h
@@ -87,6 +87,16 @@ public:
      {
          return is_quic;
      }
+    
+    bool is_client_process_mapping() const
+    {
+        return client_process_mapping;
+    }
+
+    void set_client_process_mapping(bool flag)
+    {
+        client_process_mapping = flag;
+    }
  
  private:
      const snort::Packet &p;
@@ -96,5 +106,6 @@ private:
      std::string user_agent;
      std::vector<std::string> alpn;
      bool is_quic = false;
+    bool client_process_mapping = true;
  };
  #endif
author	Sreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>
	Wed, 14 Sep 2022 16:50:16 +0000 (16:50 +0000)
committer	Sreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>
	Wed, 14 Sep 2022 16:50:16 +0000 (16:50 +0000)
src/network_inspectors/appid/appid_eve_process_event_handler.cc		patch \| blob \| blame \| history
src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc		patch \| blob \| blame \| history
src/pub_sub/eve_process_event.h		patch \| blob \| blame \| history