#include "detection/detection_engine.h"
#include "network_inspectors/appid/appid_session_api.h"
-#include "rna_fingerprint_ua.h"
#include "rna_logger_common.h"
using namespace snort;
if ( p->is_from_client() and ( appid_change_bits[APPID_HOST_BIT] or
appid_change_bits[APPID_USERAGENT_BIT] ) )
{
- const AppIdHttpSession* hsession;
-
- if ( appid_event->get_is_http2() )
- hsession = appid_session_api.get_http_session(appid_event->get_http2_stream_index());
- else
- hsession = appid_session_api.get_http_session();
-
- if ( hsession )
+ auto processor = get_ua_fp_processor();
+ if ( processor and processor->has_pattern() )
{
- const char* host = hsession->get_cfield(REQ_HOST_FID);
- const char* uagent = hsession->get_cfield(REQ_AGENT_FID);
- analyze_user_agent_fingerprint(p, host, uagent, ht, src_ip, src_mac, logger);
+ const AppIdHttpSession* hsession;
+
+ if ( appid_event->get_is_http2() )
+ hsession = appid_session_api.get_http_session(appid_event->get_http2_stream_index());
+ else
+ hsession = appid_session_api.get_http_session();
+
+ if ( hsession )
+ {
+ const char* host = hsession->get_cfield(REQ_HOST_FID);
+ const char* uagent = hsession->get_cfield(REQ_AGENT_FID);
+ analyze_user_agent_fingerprint(p, host, uagent, ht, src_ip, src_mac,
+ logger, *processor);
+ }
}
}
}
}
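Review bot: `auto processor = get_ua_fp_processor();` hides that the result is a nullable handle which is later dereferenced as `*processor` in the `analyze_user_agent_fingerprint` call. If the getter returns a raw pointer (its declaration is not visible here), `auto* processor = get_ua_fp_processor();` makes that explicit at the point of use. A one-line comment above the new `if`, such as `// no UA patterns loaded: skip the HTTP session lookup`, would record why the processor check now comes before the session lookup. The enclosing function begins and ends outside this hunk.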
void RnaAppDiscovery::analyze_user_agent_fingerprint(const Packet* p, const char* host,
- const char* uagent, RnaTracker& rt, const SfIp* ip, const uint8_t* src_mac, RnaLogger& logger)
+ const char* uagent, RnaTracker& rt, const SfIp* ip, const uint8_t* src_mac,
+ RnaLogger& logger, UaFpProcessor& processor)
{
if ( !host or !uagent )
return;
- const auto& processor = get_ua_fp_processor();
- if ( !processor )
- return;
-
const UaFingerprint* uafp = nullptr;
const char* device_info = nullptr;
bool jail_broken = false;
- processor->match_mpse(host, uagent, uafp, device_info, jail_broken);
+ processor.match_mpse(host, uagent, uafp, device_info, jail_broken);
if ( uafp and rt->add_ua_fingerprint(uafp->fpid, uafp->fp_type, jail_broken,
device_info, MAX_USER_AGENT_DEVICES) )
#ifndef RNA_APP_DISCOVERY_H
#define RNA_APP_DISCOVERY_H
+#include "rna_fingerprint_ua.h"
#include "rna_pnd.h"
class RnaAppDiscovery
static void process(AppidEvent*, DiscoveryFilter&, RnaConfig*, RnaLogger&);
static void discover_service(const snort::Packet*, IpProtocol, RnaTracker&,
- const struct in6_addr*, const uint8_t*, RnaConfig*, RnaLogger&, uint16_t,
+ const struct in6_addr*, const uint8_t*, RnaConfig*, RnaLogger&, uint16_t port,
AppId service = APP_ID_NONE);
static void discover_payload(const snort::Packet*, IpProtocol, RnaTracker&,
const struct in6_addr*, const uint8_t*, RnaConfig*, RnaLogger&,
AppId service, AppId payload);
- static void discover_client(const snort::Packet* p, RnaTracker& rt,
- const struct in6_addr* src_ip, const uint8_t* src_mac, RnaConfig* conf,
- RnaLogger& logger, const char* version, AppId client, AppId service);
+ static void discover_client(const snort::Packet*, RnaTracker&,
+ const struct in6_addr*, const uint8_t*, RnaConfig*,
+ RnaLogger&, const char*, AppId client, AppId service);
static void discover_user(const snort::Packet*, RnaTracker&, const struct in6_addr*,
const uint8_t* src_mac, RnaLogger&, const char* username, AppId, IpProtocol);
static void analyze_user_agent_fingerprint(const snort::Packet*, const char* host,
const char* uagent, RnaTracker&, const snort::SfIp*, const uint8_t*,
- RnaLogger&);
+ RnaLogger&, snort::UaFpProcessor&);
};
#endif
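Review bot: The `discover_client` declaration drops the name of its `const char*` parameter (previously `version`), while the same hunk adds `port` to the `uint16_t` of `discover_service` for readability. An unnamed `const char*` next to the named `AppId client, AppId service` gives no hint which string is expected, so `RnaLogger&, const char* version, AppId client, AppId service);` would keep the declaration self-describing. The new `snort::UaFpProcessor&` parameter of `analyze_user_agent_fingerprint` replaces the null check the definition used to do itself, and the only visible caller tests `has_pattern()` first. If that is a precondition, a comment above the declaration such as `// caller must pass a processor for which has_pattern() is true` would state it.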
{
unsigned len = strlen(uagent);
osfp = search_ua_fp(os_mpse, uagent, len);
+ if ( !osfp )
+ return;
auto devicefp = search_ua_fp(device_mpse, uagent, len);
if ( devicefp )
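Review bot: The new `if ( !osfp ) return;` leaves `device_info` and `jail_broken` untouched, so callers get defined values only if they pre-initialise them, as the visible caller in `analyze_user_agent_fingerprint` does. That contract should be written down, for example with a comment above the return such as `// no OS match: device_info and jail_broken are left as passed in`. The function's signature and the rest of its body are outside this hunk, so whether any later step was meant to run without an OS match cannot be confirmed from here.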
public:
~UaFpProcessor();
+ bool has_pattern()
+ { return os_mpse != nullptr; }
+
void make_mpse(SnortConfig* sc = nullptr);
- void match_mpse(const char* host, const char* uagent, const UaFingerprint*& osfp,
- const char*& device_info, bool& jail_broken);
+ void match_mpse(const char*, const char*, const UaFingerprint*&, const char*&, bool&);
- void push(const RawFingerprint& rfp);
+ void push(const RawFingerprint&);
void push_agent(const UaFingerprint& uafp)
{ os_fps.emplace_back(uafp); }
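Review bot: `has_pattern()` does not modify the object and should be const-qualified: `bool has_pattern() const` followed by `{ return os_mpse != nullptr; }`. It also reports only the state of `os_mpse`, while `match_mpse` goes on to search `device_mpse` with the traffic-supplied user-agent string. Whether `search_ua_fp` tolerates a null matcher is not visible here, so it is worth confirming that a configuration with OS patterns but no device patterns cannot reach that search with a null `device_mpse`. The class begins outside this hunk.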