client_plugins/client_detector.h
client_plugins/client_discovery.cc
client_plugins/client_discovery.h
+ client_plugins/efp_ca_patterns.cc
+ client_plugins/efp_ca_patterns.h
)
set ( SP_APPID_SOURCES
appid_discovery.cc
appid_discovery.h
appid_dns_session.h
+ appid_efp_process_event_handler.cc
+ appid_efp_process_event_handler.h
appid_ha.cc
appid_ha.h
appid_http_session.cc
add_subdirectory(service_plugins/test)
add_subdirectory(detector_plugins/test)
+add_subdirectory(client_plugins/test)
add_subdirectory(test)
install (FILES ${APPID_INCLUDES}
void update_stats(AppId id, bool increment = true) override;
+ void set_efp_client_app_id(AppId id)
+ {
+ efp_client_app_id = id;
+ }
+
+ AppId get_efp_client_app_id() const
+ {
+ return efp_client_app_id;
+ }
+
private:
std::string my_username;
AppId my_user_id = APP_ID_NONE;
+ AppId efp_client_app_id = APP_ID_NONE;
};
class PayloadAppDescriptor : public ApplicationDescriptor
service_disco_mgr.finalize_service_patterns();
client_disco_mgr.finalize_client_patterns();
http_matchers.finalize_patterns();
+ efp_ca_matchers.finalize_patterns();
// sip patterns need to be finalized after http patterns because they
// are dependent on http patterns
sip_matchers.finalize_patterns(*this);
client_pattern_detector->reload_client_port_patterns();
service_disco_mgr.reload_service_patterns();
client_disco_mgr.reload_client_patterns();
+ efp_ca_matchers.reload_patterns();
http_matchers.reload_patterns();
sip_matchers.reload_patterns();
ssl_matchers.reload_patterns();
#include "app_info_table.h"
#include "client_plugins/client_discovery.h"
+#include "client_plugins/efp_ca_patterns.h"
#include "detector_plugins/dns_patterns.h"
#include "detector_plugins/http_url_patterns.h"
#include "detector_plugins/sip_patterns.h"
return http_matchers;
}
+ EfpCaPatternMatchers& get_efp_ca_matchers()
+ {
+ return efp_ca_matchers;
+ }
+
SipPatternMatchers& get_sip_matchers()
{
return sip_matchers;
LengthCache length_cache;
DnsPatternMatchers dns_matchers;
HttpPatternMatchers http_matchers;
+ EfpCaPatternMatchers efp_ca_matchers;
ServiceDiscovery service_disco_mgr;
SipPatternMatchers sip_matchers;
SslPatternMatchers ssl_matchers;
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_efp_process_event_handler.cc author Cliff Judge <cljudge@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "appid_efp_process_event_handler.h"
+
+#include "appid_debug.h"
+#include "appid_inspector.h"
+#include "appid_session.h"
+
+using namespace snort;
+
+void AppIdEfpProcessEventHandler::handle(DataEvent& event, Flow* flow)
+{
+ assert(flow);
+ AppIdSession* asd = appid_api.get_appid_session(*flow);
+ if (!asd or
+ !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return;
+
+ if (!pkt_thread_odp_ctxt or
+ (pkt_thread_odp_ctxt->get_version() != asd->get_odp_ctxt_version()))
+ return;
+
+ const EfpProcessEvent &efp_process_event = static_cast<EfpProcessEvent&>(event);
+
+ const std::string& name = efp_process_event.get_process_name();
+ uint8_t conf = efp_process_event.get_process_confidence();
+
+ AppId app_id = asd->get_odp_ctxt().get_efp_ca_matchers().match_efp_ca_pattern(name,
+ conf);
+
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s encrypted client app %d process name '%s', "
+ "confidence: %d\n", appidDebug->get_debug_session(), app_id, name.c_str(), conf);
+
+ asd->set_efp_client_app_id(app_id);
+}
+
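Review bot: `asd->set_efp_client_app_id(app_id)` at the end of handle() stores the result unconditionally, so an event whose process name matches no pattern resets an id learned from an earlier event back to APP_ID_NONE (match_efp_ca_pattern returns APP_ID_NONE when best_match is null). If that reset is intended, a one-line comment saying so would help; otherwise guard it with `if (app_id > APP_ID_NONE) asd->set_efp_client_app_id(app_id);`. The `static_cast<EfpProcessEvent&>(event)` is an unchecked downcast that is only correct because this handler is registered for EFP_PROCESS_EVENT alone, which deserves a comment such as `// Subscribed only to EFP_PROCESS_EVENT (appid_inspector.cc), so the downcast is safe.` A short header comment stating that handle() maps the endpoint-reported process name to a client AppId on the session would also help a reader who does not know the EFP feature.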
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_efp_process_event_handler.h author Cliff Judge <cljudge@cisco.com>
+
+#ifndef APPID_EFP_PROCESS_EVENT_HANDLER_H
+#define APPID_EFP_PROCESS_EVENT_HANDLER_H
+
+#include "pub_sub/efp_process_event.h"
+#include "appid_module.h"
+
+class AppIdEfpProcessEventHandler : public snort::DataHandler
+{
+public:
+ AppIdEfpProcessEventHandler() : DataHandler(MOD_NAME) { }
+
+ void handle(snort::DataEvent& event, snort::Flow* flow) override;
+};
+
+#endif
#include "appid_dcerpc_event_handler.h"
#include "appid_debug.h"
#include "appid_discovery.h"
+#include "appid_efp_process_event_handler.h"
#include "appid_ha.h"
#include "appid_http_event_handler.h"
#include "appid_http2_req_body_event_handler.h"
DataBus::subscribe_global(OPPORTUNISTIC_TLS_EVENT, new AppIdOpportunisticTlsEventHandler(), sc);
+ DataBus::subscribe_global(EFP_PROCESS_EVENT, new AppIdEfpProcessEventHandler(), sc);
+
return true;
}
if (tmp_id > APP_ID_NONE)
return tmp_id;
+ if (api.client.get_efp_client_app_id() > APP_ID_NONE and
+ (api.client.get_id() == APP_ID_SSL_CLIENT or
+ api.client.get_id() <= APP_ID_NONE))
+ return api.client.get_efp_client_app_id();
+
if (api.client.get_id() > APP_ID_NONE)
return api.client.get_id();
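Review bot: The new condition calls `api.client.get_efp_client_app_id()` and `api.client.get_id()` twice each; binding them first, `const AppId efp_id = api.client.get_efp_client_app_id();` and `const AppId client_id = api.client.get_id();`, makes the precedence rule readable and avoids the repeated lookups. A one-line comment above the block explaining why the encrypted-client id takes priority over APP_ID_SSL_CLIENT or an unknown client id would help future readers. The enclosing function starts outside this hunk.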
api.client.update_user(id, username, change_bits);
}
+ void set_efp_client_app_id(AppId id)
+ {
+ api.client.set_efp_client_app_id(id);
+ }
+
+ AppId get_efp_client_app_id() const
+ {
+ return api.client.get_efp_client_app_id();
+ }
+
AppId get_payload_id() const
{
return api.payload.get_id();
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// efp_ca_patterns.cc author Cliff Judge <cljudge@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "efp_ca_patterns.h"
+
+#include "log/messages.h"
+#include "utils/util.h"
+#include "appid_debug.h"
+
+using namespace snort;
+
+void EfpCaPatternMatchers::add_efp_ca_pattern(AppId app_id, const std::string& pattern_str,
+ uint8_t confidence)
+{
+ EfpCaPattern* new_efp_ca_pattern = new EfpCaPattern(app_id, pattern_str, confidence);
+ efp_ca_load_list.push_back(new_efp_ca_pattern);
+}
+
+static int efp_ca_pattern_match(void* id, void*, int, void* data, void*)
+{
+ EfpCaPatternList* efp_ca_match_list = (EfpCaPatternList *)data;
+ efp_ca_match_list->push_back((EfpCaPattern *)id);
+ return 0;
+}
+
+AppId EfpCaPatternMatchers::match_efp_ca_pattern(const std::string& pattern,
+ uint8_t reported_confidence)
+{
+ EfpCaPatternList* efp_ca_match_list = new EfpCaPatternList();
+ EfpCaPattern* best_match = nullptr;
+
+ efp_ca_pattern_matcher.find_all(pattern.data(), pattern.size(), efp_ca_pattern_match,
+ false, efp_ca_match_list);
+
+ for (auto &mp : *efp_ca_match_list)
+ {
+ if (reported_confidence >= mp->confidence)
+ {
+ if (!best_match or (mp->pattern.size() > best_match->pattern.size() or
+ (mp->pattern.size() == best_match->pattern.size() and
+ mp->confidence > best_match->confidence)))
+ {
+ best_match = mp;
+ }
+ }
+ }
+ AppId ret_app_id = APP_ID_NONE;
+ if (best_match)
+ ret_app_id = best_match->app_id;
+
+ delete efp_ca_match_list;
+
+ return ret_app_id;
+}
+
+EfpCaPatternMatchers::~EfpCaPatternMatchers()
+{
+ for (auto& p : efp_ca_load_list)
+ delete p;
+ efp_ca_load_list.clear();
+}
+
+void EfpCaPatternMatchers::finalize_patterns()
+{
+ for (auto& p : efp_ca_load_list)
+ {
+ efp_ca_pattern_matcher.add(p->pattern.data(), p->pattern.size(), p, true);
+
+ #ifdef REG_TEST
+ LogMessage("Adding EFP Client App pattern %d %s %d\n",
+ p->app_id, p->pattern.c_str(), p->confidence);
+ #endif
+ }
+ efp_ca_pattern_matcher.prep();
+}
+
+void EfpCaPatternMatchers::reload_patterns()
+{
+ efp_ca_pattern_matcher.reload();
+}
+
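Review bot: match_efp_ca_pattern heap-allocates the match list with `new EfpCaPatternList()` and deletes it at the end on every call, although a stack object does the same job with no allocation and no leak if anything in between throws: `EfpCaPatternList efp_ca_match_list;`, pass `&efp_ca_match_list` to find_all, and drop the `delete`. If find_all behaves like the other SearchTool users, it reports every configured pattern found anywhere in the reported name, so a short pattern such as `fox` would also match `firefox`; if exact process names are intended that should be enforced, and either way the substring semantics belong in a comment on the function. The C-style casts in efp_ca_pattern_match would be clearer as `static_cast<EfpCaPatternList*>(data)` and `static_cast<EfpCaPattern*>(id)`.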
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// efp_ca_patterns.h author Cliff Judge <cljudge@cisco.com>
+
+#ifndef EFP_CA_PATTERNS_H
+#define EFP_CA_PATTERNS_H
+
+#include <vector>
+
+#include "search_engines/search_tool.h"
+#include "application_ids.h"
+
+struct EfpCaPattern
+{
+ const AppId app_id;
+ const std::string pattern;
+ const uint8_t confidence;
+
+ EfpCaPattern(AppId id, const std::string& name, uint8_t conf) : app_id(id), pattern(name),
+ confidence(conf) {}
+
+ ~EfpCaPattern() {}
+};
+
+typedef std::vector<EfpCaPattern*> EfpCaPatternList;
+
+class EfpCaPatternMatchers
+{
+public:
+ ~EfpCaPatternMatchers();
+ AppId match_efp_ca_pattern(const std::string&, uint8_t);
+ void add_efp_ca_pattern(AppId, const std::string&, uint8_t);
+ void finalize_patterns();
+ void reload_patterns();
+
+private:
+ snort::SearchTool efp_ca_pattern_matcher = snort::SearchTool();
+ EfpCaPatternList efp_ca_load_list;
+};
+
+#endif
+
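Review bot: EfpCaPatternMatchers owns the raw `EfpCaPattern*` entries in efp_ca_load_list and deletes them in its destructor, but the class does not suppress copying, so a copy would double-delete; add `EfpCaPatternMatchers(const EfpCaPatternMatchers&) = delete;` and `EfpCaPatternMatchers& operator=(const EfpCaPatternMatchers&) = delete;` (or hold `std::unique_ptr<EfpCaPattern>` and let the compiler generate everything). The header uses std::string and uint8_t but only includes `<vector>`; add `<string>` and `<cstdint>` rather than relying on a transitive include. The user-provided empty `~EfpCaPattern() {}` can be removed, and the `typedef` would read as `using EfpCaPatternList = std::vector<EfpCaPattern*>;`.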
--- /dev/null
+
+include_directories ( appid PRIVATE ${APPID_INCLUDE_DIR} )
+
+add_cpputest( efp_ca_patterns_test )
+
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// client_plugins_mock.h author author Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#define APPID_UT_ID 1492
+
+namespace snort
+{
+// Stubs for messages
+void LogMessage(const char*,...) { }
+
+// Stubs for search_tool.cc
+SearchTool::SearchTool(char const*, bool) { }
+SearchTool::~SearchTool() = default;
+void SearchTool::add(const char*, unsigned, int, bool) { }
+void SearchTool::add(const char*, unsigned, void*, bool) { }
+void SearchTool::add(const uint8_t*, unsigned, int, bool) { }
+void SearchTool::add(const uint8_t*, unsigned, void*, bool) { }
+void SearchTool::prep() { }
+void SearchTool::reload() { }
+}
+
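Review bot: The attribution line near the top of client_plugins_mock.h reads `author author`, a duplicated word. The stubs it defines are non-inline function definitions in a header, which only works while exactly one translation unit includes it; a comment such as `// Included once, by efp_ca_patterns_test.cc; do not include from other tests` would keep the next test from tripping over duplicate definitions.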
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+//
+// efp_ca_patterns_test.cc author Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "client_plugins/efp_ca_patterns.cc"
+#include "client_plugins_mock.h"
+
+#include <CppUTest/CommandLineTestRunner.h>
+#include <CppUTest/TestHarness.h>
+#include <CppUTestExt/MockSupport.h>
+
+static EfpCaPatternMatchers* efp_matcher = nullptr;
+EfpCaPattern efp_ca(APPID_UT_ID, "firefox", 90);
+
+namespace snort
+{
+int SearchTool::find_all(const char* pattern, unsigned, MpseMatch, bool, void* data)
+{
+ if (strcmp(pattern, "firefox") == 0)
+ efp_ca_pattern_match(&efp_ca, nullptr, 0, data, nullptr);
+ return 0;
+}
+}
+
+TEST_GROUP(efp_ca_patterns_tests)
+{
+ void setup() override
+ {
+ efp_matcher = new EfpCaPatternMatchers();
+ }
+ void teardown() override
+ {
+ delete efp_matcher;
+ }
+};
+
+
+TEST(efp_ca_patterns_tests, efp_ca_pattern_match)
+{
+ EfpCaPatternList data;
+ EfpCaPattern efp1(APPID_UT_ID + 1, "firefox", 80);
+ efp_ca_pattern_match(&efp1, nullptr, 0, &data, nullptr);
+ EfpCaPattern* efp = data.back();
+ CHECK(efp->app_id == efp1.app_id);
+ CHECK(efp->pattern == efp1.pattern);
+ CHECK(efp->confidence == efp1.confidence);
+
+ EfpCaPattern efp2(APPID_UT_ID + 2, "chrome", 95);
+ efp_ca_pattern_match(&efp2, nullptr, 0, &data, nullptr);
+ efp = data.back();
+ CHECK(efp->app_id == efp2.app_id);
+ CHECK(efp->pattern == efp2.pattern);
+ CHECK(efp->confidence == efp2.confidence);
+ CHECK(data.size() == 2);
+}
+
+
+TEST(efp_ca_patterns_tests, match_efp_ca_pattern)
+{
+ // 1. pattern not present in pattern matcher list
+ CHECK(efp_matcher->match_efp_ca_pattern("chrome", 95) == 0);
+
+ // 2. pattern matches, confidence doesn't match
+ CHECK(efp_matcher->match_efp_ca_pattern("firefox", 60) == 0);
+
+ // 3. pattern and confidence matches
+ CHECK(efp_matcher->match_efp_ca_pattern("firefox", 90) == APPID_UT_ID);
+
+ // 4. pattern matches, reported confidence > existing value
+ CHECK(efp_matcher->match_efp_ca_pattern("firefox", 92) == APPID_UT_ID);
+}
+
+int main(int argc, char** argv)
+{
+ int return_value = CommandLineTestRunner::RunAllTests(argc, argv);
+ return return_value;
+}
+
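Review bot: The match_efp_ca_pattern test never exercises the selection logic at the heart of the function: the find_all stub reports a single pattern, so the longest-pattern / higher-confidence comparison that picks best_match is untested, and add_efp_ca_pattern / finalize_patterns are not called at all. A second stub pattern that also occurs in the name lets one test cover both outcomes of the comparison, as sketched below. The checks against `0` in cases 1 and 2 would read better as `APP_ID_NONE`, the value the function actually returns.
```cpp
// a longer pattern that needs a higher confidence than efp_ca (90)
EfpCaPattern efp_ca_long(APPID_UT_ID + 3, "firefox-esr", 95);

// find_all stub (inside namespace snort): report every configured pattern contained in the name
int SearchTool::find_all(const char* pattern, unsigned, MpseMatch, bool, void* data)
{
    if (strstr(pattern, "firefox"))
        efp_ca_pattern_match(&efp_ca, nullptr, 0, data, nullptr);
    if (strstr(pattern, "firefox-esr"))
        efp_ca_pattern_match(&efp_ca_long, nullptr, 0, data, nullptr);
    return 0;
}

// … unchanged: TEST_GROUP and existing tests …

TEST(efp_ca_patterns_tests, match_efp_ca_pattern_prefers_longest)
{
    // both patterns qualify on confidence: the longer pattern wins
    CHECK(efp_matcher->match_efp_ca_pattern("firefox-esr", 95) == APPID_UT_ID + 3);
    // the longer pattern is excluded by confidence, so the shorter one is returned
    CHECK(efp_matcher->match_efp_ca_pattern("firefox-esr", 92) == APPID_UT_ID);
}
```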
int AppIdDiscovery::add_service_port(AppIdDetector*, ServiceDetectorPort const&) { return 0; }
void AppIdModule::reset_stats() {}
DnsPatternMatchers::~DnsPatternMatchers() = default;
+EfpCaPatternMatchers::~EfpCaPatternMatchers() = default;
SslPatternMatchers::~SslPatternMatchers() = default;
HttpPatternMatchers::~HttpPatternMatchers() = default;
void AppIdDiscovery::register_udp_pattern(AppIdDetector*, unsigned char const*, unsigned int, int, unsigned int) { }
int AppIdDiscovery::add_service_port(AppIdDetector*, ServiceDetectorPort const&) { return 0; }
DnsPatternMatchers::~DnsPatternMatchers() = default;
+EfpCaPatternMatchers::~EfpCaPatternMatchers() = default;
SipPatternMatchers::~SipPatternMatchers() = default;
SslPatternMatchers::~SslPatternMatchers() = default;
void AppIdModule::reset_stats() {}
static inline bool lua_params_validator(LuaDetectorParameters& ldp, bool packet_context)
{
- if ( packet_context )
+ if (packet_context)
{
assert(ldp.asd);
assert(ldp.pkt);
size_t size = lua_tonumber(L, ++index);
unsigned int position = lua_tonumber(L, ++index);
- if ( protocol == IpProtocol::TCP)
+ if (protocol == IpProtocol::TCP)
ud->get_odp_ctxt().get_service_disco_mgr().register_tcp_pattern(ud->sd, (const uint8_t*)pattern,
size, position, 0);
else
int index = 1;
AppId appId = lua_tonumber(L, ++index);
- if ( ad->is_client() )
+ if (ad->is_client())
ad->register_appid(appId, APPINFO_FLAG_CLIENT_ADDITIONAL, ud->get_odp_ctxt());
else
ad->register_appid(appId, APPINFO_FLAG_SERVICE_ADDITIONAL, ud->get_odp_ctxt());
unsigned int level = lua_tonumber(L, 2);
const char* message = lua_tostring(L, 3);
- switch ( level )
+ switch (level)
{
case LUA_LOG_CRITICAL:
FatalError("%s:%s\n", name.c_str(), message);
pp.port = lua_tonumber(L, 3);
pp.reversed_validation = lua_tonumber(L, 5);
- if ( ((pp.proto != IpProtocol::UDP) && (pp.proto != IpProtocol::TCP)) || !pp.port )
+ if (((pp.proto != IpProtocol::UDP) and (pp.proto != IpProtocol::TCP)) or !pp.port)
{
lua_pushnumber(L, -1);
return 1;
}
- if ( ud->sd->get_handler().add_service_port(ud->sd, pp) )
+ if (ud->sd->get_handler().add_service_port(ud->sd, pp))
{
lua_pushnumber(L, -1);
return 1;
ovector, // output vector for substring information
OVECCOUNT); // number of elements in the output vector
- if ( rc >= 0 )
+ if (rc >= 0)
{
if (rc == 0)
{
else
{
// log errors except no matches
- if ( rc != PCRE_ERROR_NOMATCH)
+ if (rc != PCRE_ERROR_NOMATCH)
WarningMessage("PCRE regular expression group match failed. rc: %d\n", rc);
rc = 0;
}
// Verify detector user data and that we are in packet context
LuaStateDescriptor* lsd = ud->validate_lua_state(true);
- if ( !lsd->ldp.pkt->has_ip() )
+ if (!lsd->ldp.pkt->has_ip())
{
lua_pushnumber(L, 0);
return 1;
}
// FIXIT-M is this conversion to double valid?
- lua_pushnumber(L, (double)lsd->ldp.pkt->get_ip_proto_next() );
+ lua_pushnumber(L, (double)lsd->ldp.pkt->get_ip_proto_next());
return 1;
}
/*mpse library does not hold reference to pattern therefore we don't need to allocate it. */
- if ( protocol == IpProtocol::TCP)
+ if (protocol == IpProtocol::TCP)
ud->get_odp_ctxt().get_client_disco_mgr().register_tcp_pattern(ud->cd, (const uint8_t*)pattern,
size, position, 0);
else
AppId service_id = lua_tonumber(L, 3);
const char* version = lua_tostring(L, 4);
- if ( !version )
+ if (!version)
{
lua_pushnumber(L, -1);
return 1;
return 1;
}
+/** Add a fp process to client app mapping.
+ * @param Lua_State* - Lua state variable.
+ * @param appid/stack - the AppId to map the fp data to
+ * @param process_name/stack - encrypted fingerprint process name
+ * @param process_score - encrypted fingerprint process_score
+ */
+static int client_add_fingerprint_process(lua_State* L)
+{
+ auto& ud = *UserData<LuaObject>::check(L, DETECTOR, 1);
+ // Verify detector user data and that we are NOT in packet context
+ ud->validate_lua_state(false);
+ if (!init(L)) return 0;
+ int index = 1;
+
+ uint32_t appid = lua_tointeger(L, ++index);
+
+ // Verify that process_name is a valid string
+ const char* tmp_string = lua_tostring(L, ++index);
+ if (!tmp_string)
+ {
+ ErrorMessage("appid: Invalid efp process_name string: appid %u.\n", appid);
+ return 0;
+ }
+ const std::string process_name(tmp_string);
+ uint8_t process_score = lua_tointeger(L, ++index);
+
+ ud->get_odp_ctxt().get_efp_ca_matchers().add_efp_ca_pattern(appid, process_name,
+ process_score);
+
+ ud->get_odp_ctxt().get_app_info_mgr().set_app_info_active(appid);
+
+ return 0;
+}
+
/**Get flow object from a detector object. The flow object is then used with flowApi.
* A new copy of flow object is provided with every call. This can be optimized by maintaining
* a single copy.
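Review bot: `uint8_t process_score = lua_tointeger(L, ++index);` silently truncates any value outside 0..255, so a negative or oversized score in a detector script becomes an unrelated confidence threshold; reject it with an ErrorMessage like the neighbouring checks, as sketched below. `appid` is likewise accepted without the `<= APP_ID_NONE` rejection that addPortPatternClient performs, and the other functions in this file convert with `(AppId)lua_tointeger(...)` rather than reading into `uint32_t`. In the doc comment, `@param process_score` lacks the `/stack` suffix used for the other stack arguments, and "fp process" would be clearer as "encrypted fingerprint (EFP) process".
```cpp
    // … unchanged: appid and process_name handling …

    // reject out-of-range scores instead of letting the uint8_t conversion truncate them
    lua_Integer score = lua_tointeger(L, ++index);
    if (score < 0 or score > UINT8_MAX)
    {
        ErrorMessage("appid: Invalid efp process_score %lld: appid %u.\n",
            (long long)score, appid);
        return 0;
    }
    uint8_t process_score = (uint8_t)score;

    // … unchanged: add_efp_ca_pattern and set_app_info_active …
```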
int index = 1;
enum httpPatternType pat_type = (enum httpPatternType)lua_tointeger(L, ++index);
- if (pat_type < HTTP_PAYLOAD || pat_type > HTTP_URL)
+ if (pat_type < HTTP_PAYLOAD or pat_type > HTTP_URL)
{
ErrorMessage("Invalid HTTP pattern type.");
return 0;
const uint8_t* pattern_str = (const uint8_t*)lua_tolstring(L, ++index, &pattern_size);
uint32_t app_id = lua_tointeger(L, ++index);
DetectorHTTPPattern pattern;
- if ( pattern.init(pattern_str, pattern_size, seq, service_id, client_id,
- payload_id, app_id) )
+ if (pattern.init(pattern_str, pattern_size, seq, service_id, client_id,
+ payload_id, app_id))
{
ud->get_odp_ctxt().get_http_matchers().insert_http_pattern(pat_type, pattern);
aim.set_app_info_active(service_id);
AppId app_id = (AppId)lua_tointeger(L, ++index);
size_t pattern_size = 0;
const char* tmp_string = lua_tolstring(L, ++index, &pattern_size);
- if (!tmp_string || !pattern_size)
+ if (!tmp_string or !pattern_size)
{
ErrorMessage("Invalid SSL Host pattern string");
return 0;
size_t pattern_size = 0;
const char* tmp_string = lua_tolstring(L, ++index, &pattern_size);
- if (!tmp_string || !pattern_size)
+ if (!tmp_string or !pattern_size)
{
ErrorMessage("LuaDetectorApi:Invalid DNS Host pattern string");
return 0;
size_t pattern_size = 0;
const char* tmp_string = lua_tolstring(L, ++index, &pattern_size);
- if (!tmp_string || !pattern_size)
+ if (!tmp_string or !pattern_size)
{
ErrorMessage("Invalid SSL Host pattern string");
return 0;
AppId app_id = (AppId)lua_tointeger(L, ++index);
size_t ipaddr_size = 0;
const char* ip_str= lua_tolstring(L, ++index, &ipaddr_size);
- if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_address))
+ if (!ip_str or !ipaddr_size or !convert_string_to_address(ip_str, &ip_address))
{
ErrorMessage("%s: Invalid IP address: %s\n",__func__, ip_str);
return 0;
AppId appid = (AppId)lua_tointeger(L, ++index);
size_t ipaddr_size = 0;
const char* ip_str = lua_tolstring(L, ++index, &ipaddr_size);
- if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_address))
+ if (!ip_str or !ipaddr_size or !convert_string_to_address(ip_str, &ip_address))
return 0;
unsigned port = lua_tointeger(L, ++index);
int index = 1;
const char* tmp_string = lua_tolstring(L, ++index, &stringSize);
- if (!tmp_string || !stringSize)
+ if (!tmp_string or !stringSize)
{
ErrorMessage("Invalid HTTP Header string");
return 0;
static inline int get_chp_pattern_type(lua_State* L, int index, HttpFieldIds* pattern_type)
{
*pattern_type = (HttpFieldIds)lua_tointeger(L, index);
- if ( *pattern_type >= NUM_HTTP_FIELDS )
+ if (*pattern_type >= NUM_HTTP_FIELDS)
{
ErrorMessage("LuaDetectorApi:Invalid CHP Action pattern type.");
return -1;
*pattern_data = nullptr;
tmp_string = lua_tolstring(L, index, pattern_size);
// non-empty pattern required
- if (!tmp_string || !*pattern_size)
+ if (!tmp_string or !*pattern_size)
{
ErrorMessage("LuaDetectorApi:Invalid CHP Action PATTERN string.");
return -1;
static inline int get_chp_action_type(lua_State* L, int index, ActionType& action_type)
{
action_type = (ActionType)lua_tointeger(L, index);
- if (action_type < NO_ACTION || action_type > MAX_ACTION_TYPE)
+ if (action_type < NO_ACTION or action_type > MAX_ACTION_TYPE)
{
WarningMessage(
"LuaDetectorApi:Unsupported CHP Action type: %d, possible version mismatch.",
unsigned precedence = chpapp->ptype_scan_counts[patternType]++;
// at runtime we'll want to know how many of each type of pattern we are looking for.
- if (actionType != ALTERNATE_APPID && actionType != DEFER_TO_SIMPLE_DETECT)
+ if (actionType != ALTERNATE_APPID and actionType != DEFER_TO_SIMPLE_DETECT)
chpapp->ptype_req_counts[patternType]++;
CHPListElement* chpa = (CHPListElement*)snort_calloc(sizeof(CHPListElement));
chpa->chp_action.chpapp = chpapp; // link this struct to the Glossary entry
odp_ctxt.get_http_matchers().insert_chp_pattern(chpa);
- if (actionType == DEFER_TO_SIMPLE_DETECT && strcmp(patternData,"<ignore-all-patterns>") == 0)
+ if (actionType == DEFER_TO_SIMPLE_DETECT and strcmp(patternData,"<ignore-all-patterns>") == 0)
odp_ctxt.get_http_matchers().remove_http_patterns_for_id(appIdInstance);
return 0;
unsigned app_type_flags = lua_tointeger(L, ++index);
int num_matches = lua_tointeger(L, ++index);
- for (instance=0; instance < CHP_APPID_INSTANCE_MAX; instance++ )
+ for (instance=0; instance < CHP_APPID_INSTANCE_MAX; instance++)
{
appIdInstance = (appId << CHP_APPID_BITS_FOR_INSTANCE) + instance;
if (CHP_glossary->find(appIdInstance) != CHP_glossary->end())
return 0;
}
- if ( create_chp_application(appIdInstance, app_type_flags, num_matches) )
+ if (create_chp_application(appIdInstance, app_type_flags, num_matches))
return 0;
lua_pushnumber(L, appIdInstance);
uint8_t sequence_cnt = lua_tonumber(L, ++index);
const char* sequence_str = lua_tostring(L, ++index);
- if (((proto != IpProtocol::TCP) && (proto != IpProtocol::UDP))
- || ((sequence_cnt == 0) || (sequence_cnt > LENGTH_SEQUENCE_CNT_MAX))
- || ((sequence_str == nullptr) || (strlen(sequence_str) == 0)))
+ if (((proto != IpProtocol::TCP) and (proto != IpProtocol::UDP))
+ or ((sequence_cnt == 0) or (sequence_cnt > LENGTH_SEQUENCE_CNT_MAX))
+ or ((sequence_str == nullptr) or (strlen(sequence_str) == 0)))
{
ErrorMessage("LuaDetectorApi:Invalid input (%d,%u,%u,\"%s\")!",
appId, (unsigned)proto, (unsigned)sequence_cnt, sequence_str ? sequence_str : "");
}
length_sequence.sequence[i].length = length;
- while ((*str_ptr != ',') && (*str_ptr != 0))
+ while ((*str_ptr != ',') and (*str_ptr != 0))
{
str_ptr++;
}
last_one = (i == (sequence_cnt - 1));
- if ( (!last_one && (*str_ptr != ','))
- || (last_one && (*str_ptr != 0)))
+ if ((!last_one and (*str_ptr != ','))
+ or (last_one and (*str_ptr != 0)))
{
ErrorMessage("LuaDetectorApi:Invalid sequence string (\"%s\")!",
sequence_str);
str_ptr++;
}
- if ( !ud->get_odp_ctxt().length_cache_add(length_sequence, appId) )
+ if (!ud->get_odp_ctxt().length_cache_add(length_sequence, appId))
{
ErrorMessage("LuaDetectorApi:Could not add entry to cache!");
lua_pushnumber(L, -1);
size_t host_pattern_size = 0;
uint8_t* host_pattern = nullptr;
const char* tmp_string = lua_tolstring(L, ++index, &host_pattern_size);
- if (!tmp_string || !host_pattern_size)
+ if (!tmp_string or !host_pattern_size)
{
ErrorMessage(
"appid: Invalid host pattern string: service_id %u; client_id %u; payload_id %u.\n",
size_t path_pattern_size = 0;
uint8_t* path_pattern = nullptr;
tmp_string = lua_tolstring(L, ++index, &path_pattern_size);
- if (!tmp_string || !path_pattern_size )
+ if (!tmp_string or !path_pattern_size)
{
ErrorMessage(
"appid: Invalid path pattern string: service_id %u; client_id %u; payload %u.\n",
size_t schemePatternSize;
uint8_t* schemePattern = nullptr;
tmp_string = lua_tolstring(L, ++index, &schemePatternSize);
- if (!tmp_string || !schemePatternSize )
+ if (!tmp_string or !schemePatternSize)
{
ErrorMessage(
"appid: Invalid scheme pattern string: service_id %u; client_id %u; payload %u.\n",
size_t query_pattern_size;
uint8_t* query_pattern = nullptr;
tmp_string = lua_tolstring(L, ++index, &query_pattern_size);
- if (tmp_string && query_pattern_size)
+ if (tmp_string and query_pattern_size)
query_pattern = (uint8_t*)snort_strdup(tmp_string);
uint32_t appId = lua_tointeger(L, ++index);
/* Verify that host pattern is a valid string */
size_t host_pattern_size = 0;
const char* tmp_string = lua_tolstring(L, ++index, &host_pattern_size);
- if (!tmp_string || !host_pattern_size)
+ if (!tmp_string or !host_pattern_size)
{
ErrorMessage(
"appid: Invalid RTMP host pattern string: service_id %u; client_id %u; payload_id %u.\n",
/* Verify that path pattern is a valid string */
size_t path_pattern_size = 0;
tmp_string = lua_tolstring(L, ++index, &path_pattern_size);
- if (!tmp_string || !path_pattern_size)
+ if (!tmp_string or !path_pattern_size)
{
ErrorMessage(
"appid: Invalid RTMP path pattern string: service_id %u; client_id %u; payload_id %u.\n",
/* Verify that scheme pattern is a valid string */
size_t schemePatternSize;
tmp_string = lua_tolstring(L, ++index, &schemePatternSize);
- if (!tmp_string || !schemePatternSize)
+ if (!tmp_string or !schemePatternSize)
{
ErrorMessage(
"appid: Invalid RTMP scheme pattern string: service_id %u; client_id %u; payload_id %u.\n",
size_t query_pattern_size;
uint8_t* query_pattern = nullptr;
tmp_string = lua_tolstring(L, ++index, &query_pattern_size);
- if (tmp_string && query_pattern_size)
+ if (tmp_string and query_pattern_size)
query_pattern = (uint8_t*)snort_strdup(tmp_string);
uint32_t appId = lua_tointeger(L, ++index);
uint32_t client_app = lua_tointeger(L, ++index);
const char* client_version = lua_tostring(L, ++index);
- if (!client_version )
+ if (!client_version)
{
ErrorMessage("Invalid sip client version string.");
return 0;
/* Verify that host pattern is a valid string */
size_t appNameLen = 0;
const char* tmp_string = lua_tolstring(L, ++index, &appNameLen);
- if (!tmp_string || !appNameLen)
+ if (!tmp_string or !appNameLen)
{
ErrorMessage("Invalid appName string.");
lua_pushnumber(L, APP_ID_NONE);
/* Verify valid pattern type */
enum httpPatternType pat_type = (enum httpPatternType)lua_tointeger(L, ++index);
- if (pat_type < HTTP_PAYLOAD || pat_type > HTTP_URL)
+ if (pat_type < HTTP_PAYLOAD or pat_type > HTTP_URL)
{
ErrorMessage("Invalid HTTP pattern type.");
return 0;
size_t pattern_size = 0;
const uint8_t* pattern_str = (const uint8_t*)lua_tolstring(L, ++index, &pattern_size);
DetectorHTTPPattern pattern;
- if ( pattern.init(pattern_str, pattern_size, seq, service_id, client_id,
- payload_id, APP_ID_NONE) )
+ if (pattern.init(pattern_str, pattern_size, seq, service_id, client_id,
+ payload_id, APP_ID_NONE))
{
ud->get_odp_ctxt().get_http_matchers().insert_http_pattern(pat_type, pattern);
AppInfoManager& app_info_manager = ud->get_odp_ctxt().get_app_info_mgr();
size_t host_pattern_size = 0;
uint8_t* host_pattern = nullptr;
const char* tmp_string = lua_tolstring(L, ++index, &host_pattern_size);
- if ( !tmp_string || !host_pattern_size )
+ if (!tmp_string or !host_pattern_size)
{
ErrorMessage(
"appid: Invalid host pattern string: service_id %u; client_id %u; payload_id %u.\n",
service_id, client_id, payload_id);
return 0;
}
- host_pattern = (uint8_t* )snort_strdup(tmp_string);
+ host_pattern = (uint8_t*)snort_strdup(tmp_string);
/* Verify that path pattern is a valid string */
size_t path_pattern_size = 0;
uint8_t* path_pattern = nullptr;
tmp_string = lua_tolstring(L, ++index, &path_pattern_size);
- if ( !tmp_string || !path_pattern_size )
+ if (!tmp_string or !path_pattern_size)
{
ErrorMessage(
"appid: Invalid path pattern string: service_id %u; client_id %u; payload_id %u.\n",
size_t schemePatternSize;
uint8_t* schemePattern = nullptr;
tmp_string = lua_tolstring(L, ++index, &schemePatternSize);
- if (!tmp_string || !schemePatternSize)
+ if (!tmp_string or !schemePatternSize)
{
ErrorMessage(
"appid: Invalid scheme pattern string: service_id %u; client_id %u; payload_id %u.\n",
const char* pattern = lua_tolstring(L, ++index, &patternSize);
unsigned position = lua_tonumber(L, ++index);
AppId appId = lua_tointeger(L, ++index);
- if (appId <= APP_ID_NONE || !pattern || !patternSize ||
- (protocol != IpProtocol::TCP && protocol != IpProtocol::UDP))
+ if (appId <= APP_ID_NONE or !pattern or !patternSize or
+ (protocol != IpProtocol::TCP and protocol != IpProtocol::UDP))
{
ErrorMessage("addPortPatternClient(): Invalid input in %s\n", ud->get_detector()->get_name().c_str());
return 0;
uint32_t client_app = lua_tointeger(L, ++index);
const char* client_version = lua_tostring(L, ++index);
- if (!client_version )
+ if (!client_version)
{
ErrorMessage("Invalid sip client version string.");
return 0;
if (hsession)
{
- if (hsession->payload.get_id() == APP_ID_HTTP_TUNNEL ||
+ if (hsession->payload.get_id() == APP_ID_HTTP_TUNNEL or
hsession->payload.get_id() == APP_ID_HTTP_SSL_TUNNEL)
lua_pushboolean(L, 1);
else
{ "client_addUser", client_add_user },
{ "client_addPayload", client_add_payload },
+ /* add client mapping for process name derived by fingerprinting */
+ { "client_addFingerprintProcess", client_add_fingerprint_process },
+
//HTTP Multi Pattern engine
{ "CHPCreateApp", detector_chp_create_application },
{ "CHPAddAction", detector_add_chp_action },
ldp.pkt = args.pkt;
const char* validateFn = package_info.validateFunctionName.c_str();
- if ( (!validateFn) || (validateFn[0] == '\0'))
+ if ((!validateFn) or (validateFn[0] == '\0'))
{
ldp.pkt = nullptr;
lua_settop(my_lua_state, 0);
lua_getfield(my_lua_state, -1, validateFn); // get the function we want to call
- if ( lua_pcall(my_lua_state, 0, 1, 0) )
+ if (lua_pcall(my_lua_state, 0, 1, 0))
{
// Runtime Lua errors are suppressed in production code since detectors are written for
// efficiency and with defensive minimum checks. Errors are dealt as exceptions
lua_detector_mgr.free_detector_flow();
/* retrieve result */
- if ( !lua_isnumber(my_lua_state, -1) )
+ if (!lua_isnumber(my_lua_state, -1))
{
ErrorMessage("lua detector %s: returned non-numeric value\n", package_info.name.c_str());
ldp.pkt = nullptr;
StashGenericObject(STASH_GENERIC_OBJECT_APPID) {}
}
+EfpCaPatternMatchers::~EfpCaPatternMatchers() { }
SslPatternMatchers::~SslPatternMatchers() { }
SipPatternMatchers::~SipPatternMatchers() { }
HttpPatternMatchers::~HttpPatternMatchers() { }
SOURCES $<TARGET_OBJECTS:appid_cpputest_deps>
)
+add_cpputest( appid_efp_process_event_handler_test
+ SOURCES $<TARGET_OBJECTS:appid_cpputest_deps>
+)
+
add_cpputest( tp_lib_handler_test
SOURCES
tp_lib_handler_test.cc
// Stubs for matchers
static HttpPatternMatchers* http_matchers;
DnsPatternMatchers::~DnsPatternMatchers() = default;
+EfpCaPatternMatchers::~EfpCaPatternMatchers() = default;
HttpPatternMatchers::~HttpPatternMatchers() = default;
SipPatternMatchers::~SipPatternMatchers() = default;
SslPatternMatchers::~SslPatternMatchers() = default;
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+//
+// appid_efp_process_event_handler_test.cc author Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "appid_efp_process_event_handler.cc"
+
+#include <string>
+
+#include "framework/data_bus.h"
+#include "protocols/protocol_ids.h"
+
+#include "appid_mock_definitions.h"
+#include "appid_mock_session.h"
+#include "appid_mock_inspector.h"
+
+#include <CppUTest/CommandLineTestRunner.h>
+#include <CppUTest/TestHarness.h>
+#include <CppUTestExt/MockSupport.h>
+
+AppIdSession *session = nullptr;
+THREAD_LOCAL AppIdDebug* appidDebug;
+
+using namespace snort;
+using namespace std;
+
+namespace snort
+{
+AppIdApi appid_api;
+AppIdSessionApi::AppIdSessionApi(const AppIdSession*, const SfIp&) :
+ StashGenericObject(STASH_GENERIC_OBJECT_APPID) { }
+AppIdSession* AppIdApi::get_appid_session(Flow const&) { return session; }
+
+Packet::Packet(bool) { }
+Packet::~Packet() = default;
+}
+
+void memory::MemoryCap::update_allocations(unsigned long) { }
+void memory::MemoryCap::update_deallocations(size_t) { }
+
+void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection,
+ AppId, AppidChangeBits&) { }
+void AppIdModule::reset_stats() { }
+void AppIdDebug::activate(snort::Flow const*, AppIdSession const*, bool) { }
+
+AppId EfpCaPatternMatchers::match_efp_ca_pattern(const string&, uint8_t)
+{
+ return APPID_UT_ID;
+}
+
+TEST_GROUP(appid_efp_process_event_handler_tests)
+{
+ void setup() override
+ {
+ SfIp ip;
+ session = new AppIdSession(IpProtocol::TCP, &ip, 0, dummy_appid_inspector, stub_odp_ctxt);
+ pkt_thread_odp_ctxt = &stub_odp_ctxt;
+ appidDebug = new AppIdDebug();
+ appidDebug->activate(nullptr, nullptr, false);
+ }
+
+ void teardown() override
+ {
+ delete &session->get_api();
+ delete session;
+ delete appidDebug;
+ }
+};
+
+TEST(appid_efp_process_event_handler_tests, efp_process_event_handler)
+{
+ Packet p;
+ EfpProcessEvent event(p, "firefox", 90);
+ AppIdEfpProcessEventHandler event_handler;
+ Flow* flow = new Flow();
+ event_handler.handle(event, flow);
+ CHECK(session->get_efp_client_app_id() == APPID_UT_ID);
+ delete flow;
+}
+
+int main(int argc, char** argv)
+{
+ int return_value = CommandLineTestRunner::RunAllTests(argc, argv);
+ return return_value;
+}
+
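Review bot: The stub `match_efp_ca_pattern` at the top of this file ignores both of its arguments and always returns `APPID_UT_ID`, so the single test only shows that the handler stores whatever the matcher returns via `set_efp_client_app_id`; it would still pass if the handler forwarded the wrong string or dropped the confidence value. Recording the call through CppUTest's mock and expecting `"firefox"` and `90` in the test would pin the data the handler actually passes on; the handler body itself is in `appid_efp_process_event_handler.cc`, which is outside this chunk. A second case where the file-scope `session` is set to `nullptr` before calling `handle` (so `AppIdApi::get_appid_session` returns null) would cover a flow without AppId data, which is otherwise untested here. `CppUTestExt/MockSupport.h` is already included but `teardown` never calls `mock().clear()`, so add it once expectations are introduced.
```cpp
AppId EfpCaPatternMatchers::match_efp_ca_pattern(const string& process_name, uint8_t confidence)
{
    mock().actualCall("match_efp_ca_pattern")
        .withParameter("process_name", process_name.c_str())
        .withParameter("confidence", confidence);
    return APPID_UT_ID;
}

// … unchanged: TEST_GROUP setup/teardown (add mock().clear() to teardown) …

TEST(appid_efp_process_event_handler_tests, efp_process_event_handler)
{
    mock().expectOneCall("match_efp_ca_pattern")
        .withParameter("process_name", "firefox")
        .withParameter("confidence", 90);
    // … unchanged: construct Packet, EfpProcessEvent, handler and Flow …
    event_handler.handle(event, flow);
    mock().checkExpectations();
    CHECK(session->get_efp_client_app_id() == APPID_UT_ID);
    delete flow;
}
```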
void AppIdDiscovery::register_udp_pattern(AppIdDetector*, unsigned char const*, unsigned int, int, unsigned int) { }
int AppIdDiscovery::add_service_port(AppIdDetector*, ServiceDetectorPort const&) { return 0; }
DnsPatternMatchers::~DnsPatternMatchers() = default;
+EfpCaPatternMatchers::~EfpCaPatternMatchers() = default;
HttpPatternMatchers::~HttpPatternMatchers() = default;
SipPatternMatchers::~SipPatternMatchers() = default;
SslPatternMatchers::~SslPatternMatchers() = default;
OdpContext&, uint16_t) : FlowData(inspector_id, &inspector), config(stub_config),
protocol(proto), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt)
{
+ this->set_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED);
odp_ctxt_version = odp_ctxt.get_version();
set_service_port(APPID_UT_SERVICE_PORT);
AppidChangeBits change_bits;
int ServiceDiscovery::add_service_port(AppIdDetector*,
const ServiceDetectorPort&) { return APPID_EINVALID; }
DnsPatternMatchers::~DnsPatternMatchers() = default;
+EfpCaPatternMatchers::~EfpCaPatternMatchers() = default;
HttpPatternMatchers::~HttpPatternMatchers() = default;
SipPatternMatchers::~SipPatternMatchers() = default;
SslPatternMatchers::~SslPatternMatchers() = default;
void AppIdDiscovery::register_udp_pattern(AppIdDetector*, unsigned char const*, unsigned int, int, unsigned int) { }
int AppIdDiscovery::add_service_port(AppIdDetector*, ServiceDetectorPort const&) { return 0; }
DnsPatternMatchers::~DnsPatternMatchers() = default;
+EfpCaPatternMatchers::~EfpCaPatternMatchers() = default;
HttpPatternMatchers::~HttpPatternMatchers() = default;
SipPatternMatchers::~SipPatternMatchers() = default;
SslPatternMatchers::~SslPatternMatchers() = default;
daq_message_event.h
dcerpc_events.h
dhcp_events.h
+ efp_process_event.h
expect_events.h
finalize_packet_event.h
http_events.h
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// efp_process_event.h author Cliff Judge <cljudge@cisco.com>
+
+#ifndef EFP_PROCESS_EVENT_H
+#define EFP_PROCESS_EVENT_H
+
+#include <string>
+#include "framework/data_bus.h"
+
+#define EFP_PROCESS_EVENT "efp_process_event"
+
+class EfpProcessEvent : public snort::DataEvent
+{
+public:
+ EfpProcessEvent(const snort::Packet& p, const char* process, uint8_t process_conf) :
+ p(p), process_name(process), process_confidence(process_conf) { }
+
+ const snort::Packet* get_packet() override { return &p; }
+
+ const std::string& get_process_name() const
+ {
+ return process_name;
+ }
+
+ uint8_t get_process_confidence() const
+ {
+ return process_confidence;
+ }
+
+private:
+ const snort::Packet &p;
+ std::string process_name;
+ uint8_t process_confidence = 0;
+};
+
+#endif
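Review bot: `EfpProcessEvent`'s constructor initialises `process_name` from a raw `const char*`, and constructing a `std::string` from a null pointer is undefined behaviour; the publisher that supplies the name is outside this diff, so the event should not depend on it never passing null. Initialising with `process_name(process ? process : "")` keeps the event well-formed and lets subscribers treat an empty name as "nothing to match". The member `const snort::Packet &p` is non-owning and `get_packet()` hands that reference out, so a comment such as `// non-owning: the event must not outlive the packet it was published for` would document the lifetime subscribers have to respect. The meaning and range of `process_confidence` is not stated anywhere in the header and deserves a one-line comment, since the AppId handler presumably makes decisions based on it.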
../http_request_body_event.cc
../../service_inspectors/http_inspect/http_msg_body_cl.cc
)
+add_cpputest( pub_sub_efp_process_event_test
+ SOURCES
+ ../efp_process_event.h
+)
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+// pub_sub_efp_process_event_test.cc author Cliff Judge <cljudge@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "pub_sub/efp_process_event.h"
+#include "protocols/packet.h"
+
+#include <CppUTest/CommandLineTestRunner.h>
+#include <CppUTest/TestHarness.h>
+#include <CppUTestExt/MockSupport.h>
+
+using namespace snort;
+
+Packet::Packet(bool) { }
+Packet::~Packet() = default;
+
+TEST_GROUP(pub_sub_efp_process_event_test)
+{
+ void teardown() override
+ {
+ mock().clear();
+ }
+};
+
+TEST(pub_sub_efp_process_event_test, efp_process_event)
+{
+ Packet p;
+ EfpProcessEvent event(p, "process", 10);
+ CHECK(event.get_process_name() == "process");
+ CHECK(event.get_process_confidence() == 10);
+ CHECK(event.get_packet() == &p);
+}
+
+int main(int argc, char** argv)
+{
+ return CommandLineTestRunner::RunAllTests(argc, argv);
+}
+