Pull request #4574: hosts: added check to verify ip protocol match on hosts lookup
authorOleksandr Stepanov -X (ostepano - SOFTSERVE INC at Cisco) <ostepano@cisco.com>
Tue, 21 Jan 2025 18:14:11 +0000 (18:14 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Tue, 21 Jan 2025 18:14:11 +0000 (18:14 +0000)
Merge in SNORT/snort3 from ~OSTEPANO/snort3:hosts_proto to master

Squashed commit of the following:

commit d329f6a7046edf562aafb24e99235669ce54c84f
Author: Oleksandr Stepanov <ostepano@cisco.com>
Date:   Wed Jan 15 10:38:45 2025 -0500

    hosts: added check to verify ip protocol match on hosts lookup

src/network_inspectors/binder/binder.cc
src/stream/stream.cc
src/target_based/host_attributes.cc
src/target_based/host_attributes.h

index 5481d0215731b3aba6338888363a7ba348d5914c..afbb7de36bbfaf6a8a34479ccc8e2bad45c18539 100644 (file)
@@ -733,7 +733,8 @@ void Binder::handle_flow_setup(Flow& flow, bool standby)
     // in binder, but it *does* need to occur before the binding lookup (for service information)
     HostAttriInfo host;
     HostAttriInfo* p_host = nullptr;
-    if ( HostAttributesManager::get_host_attributes(flow.server_ip, flow.server_port, &host) )
+
+    if ( HostAttributesManager::get_host_attributes(flow.server_ip, flow.pkt_type, flow.server_port, &host) )
         p_host = &host;
 
     if (p_host)
index d003386cbe052b87345acbd3d33a6b641fc50d2c..b31818564067ae075ba2efade87f50ea5ba521a9 100644 (file)
@@ -433,7 +433,7 @@ SnortProtocolId Stream::get_snort_protocol_id(Flow* flow)
         set_ip_protocol(flow);
 
     HostAttriInfo host;
-    if (HostAttributesManager::get_host_attributes(flow->server_ip, flow->server_port, &host))
+    if (HostAttributesManager::get_host_attributes(flow->server_ip, flow->ssn_state.ipprotocol, flow->server_port, &host))
     {
         set_snort_protocol_id_from_ha(flow, host.snort_protocol_id);
 
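Review bot: The two lookups in `Stream::get_snort_protocol_id` take the protocol from `flow->ssn_state.ipprotocol`, while the binder call site in this commit passes `flow.pkt_type` through the new `PktType` overload, so the two paths agree only if `ssn_state.ipprotocol` always carries the same `SNORT_PROTO_*` value that overload produces. The context line `set_ip_protocol(flow);` is indented under a condition that lies outside the hunk, so this cannot be confirmed from here; if the field ever holds a different value, the service match fails silently and the flow keeps an unknown protocol id. Calling the overload keeps a single mapping: `if (HostAttributesManager::get_host_attributes(flow->server_ip, flow->pkt_type, flow->server_port, &host))`, and likewise for the `client_ip` lookup in the next hunk.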
@@ -441,7 +441,7 @@ SnortProtocolId Stream::get_snort_protocol_id(Flow* flow)
             return flow->ssn_state.snort_protocol_id;
     }
 
-    if (HostAttributesManager::get_host_attributes(flow->client_ip, flow->client_port, &host))
+    if (HostAttributesManager::get_host_attributes(flow->client_ip, flow->ssn_state.ipprotocol, flow->client_port, &host))
     {
         set_snort_protocol_id_from_ha(flow, host.snort_protocol_id);
 
index e854a5cbe3f456f52a5be807e2f55cf3c2a1f437..921a5d359aeda881ab318d03a1a8806b393bc24d 100644 (file)
@@ -126,14 +126,14 @@ void HostAttributesDescriptor::clear_appid_services()
     }
 }
 
-void HostAttributesDescriptor::get_host_attributes(uint16_t port,HostAttriInfo* host_info) const
+void HostAttributesDescriptor::get_host_attributes(uint16_t protocol, uint16_t port, HostAttriInfo* host_info) const
 {
     std::lock_guard<std::mutex> slk(host_attributes_lock);
     host_info->frag_policy = policies.fragPolicy;
     host_info->stream_policy = policies.streamPolicy;
     host_info->snort_protocol_id = UNKNOWN_PROTOCOL_ID;
     auto it = std::find_if(services.cbegin(), services.cend(),
-        [port](const HostServiceDescriptor &s){ return s.port == port; });
+        [protocol,port](const HostServiceDescriptor &s){ return protocol == s.ipproto and s.port == port; });
     if (it != services.cend())
         host_info->snort_protocol_id = (*it).snort_protocol_id;
 }
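Review bot: `HostAttributesDescriptor::get_host_attributes` now keys the service search on protocol and port together, but nothing at the function says so or says what a miss yields. A short comment above the `std::find_if` would help the next reader, e.g. `// match on (ipproto, port); on a miss snort_protocol_id stays UNKNOWN_PROTOCOL_ID`. The predicate would also read more easily with both comparisons written the same way round, `s.ipproto == protocol and s.port == port`.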
@@ -193,7 +193,7 @@ void HostAttributesManager::swap_cleanup()
 void HostAttributesManager::term()
 { delete active_cache; }
 
-bool HostAttributesManager::get_host_attributes(const snort::SfIp& host_ip, uint16_t port, HostAttriInfo* host_info)
+bool HostAttributesManager::get_host_attributes(const snort::SfIp& host_ip, uint16_t protocol, uint16_t port, HostAttriInfo* host_info)
 {
     if ( !active_cache )
         return false;
@@ -201,12 +201,40 @@ bool HostAttributesManager::get_host_attributes(const snort::SfIp& host_ip, uint
     HostAttributesEntry h = active_cache->find(host_ip);
     if (h)
     {
-        h->get_host_attributes(port, host_info);
+        h->get_host_attributes(protocol, port, host_info);
         return true;
     }
     return false;
 }
 
+bool HostAttributesManager::get_host_attributes(const snort::SfIp& host_ip, PktType pkt_type, uint16_t port, HostAttriInfo* host_info)
+{
+    if ( !active_cache )
+        return false;
+
+    uint16_t ipproto = 0;
+
+    switch (pkt_type)
+    {
+        case PktType::TCP:
+            ipproto = SNORT_PROTO_TCP;
+            break;
+    
+        case PktType::UDP:
+            ipproto = SNORT_PROTO_UDP;
+            break;
+    
+        case PktType::ICMP:
+            ipproto = SNORT_PROTO_ICMP;
+            break;
+    
+        default:
+            break;
+    }
+
+    return get_host_attributes(host_ip, ipproto, port, host_info);
+}
+
 void HostAttributesManager::update_service(const snort::SfIp& host_ip, uint16_t port,
     uint16_t protocol, SnortProtocolId snort_protocol_id, bool is_appid_service)
 {
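Review bot: The `default:` branch of the new `PktType` overload leaves `ipproto` at 0 and still performs the lookup, so for any packet type other than TCP, UDP or ICMP the call returns true whenever the host is cached, and the service match depends on whether a descriptor happens to be stored with `ipproto == 0`. If that is the intent (host policies returned, no service expected), say so in the branch: `default: // no service match expected; frag/stream policy is still filled in`. The leading `if ( !active_cache ) return false;` repeats the check the `uint16_t` overload already makes and can be dropped, and the three blank lines between the cases carry trailing spaces. The hunk ends inside the signature of `update_service`, which continues outside it.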
index 3df8ce0a04eb6880b2928435575346cbc60f68aa..bba991bbf2a75da6ccf0493343c324e74c654f02 100644 (file)
@@ -30,6 +30,7 @@
 #include <vector>
 
 #include "framework/counts.h"
+#include "framework/decode_data.h"
 #include "sfip/sf_ip.h"
 #include "target_based/snort_protocols.h"
 
@@ -93,7 +94,7 @@ public:
     bool update_service(uint16_t port, uint16_t protocol, SnortProtocolId, bool& updated,
         bool is_appid_service = false);
     void clear_appid_services();
-    void get_host_attributes(uint16_t, HostAttriInfo*) const;
+    void get_host_attributes(uint16_t protocol, uint16_t port, HostAttriInfo*) const;
 
     // Note: the following get/set are only called from main thread on a temp LRU table
     const snort::SfIp& get_ip_addr() const
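Review bot: The new declaration takes `(uint16_t protocol, uint16_t port, ...)` while `update_service` a few lines above it takes `(uint16_t port, uint16_t protocol, ...)`; both arguments have the same type, so a caller that swaps them compiles cleanly and the lookup simply never matches. Keeping one order across the class avoids that, e.g. `void get_host_attributes(uint16_t port, uint16_t protocol, HostAttriInfo*) const;`, with the definition and the call in `HostAttributesManager` adjusted to match. The same mismatch appears between `HostAttributesManager::get_host_attributes` and `HostAttributesManager::update_service` in the next hunk. The class body starts and ends outside this hunk.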
@@ -149,7 +150,8 @@ public:
     static void term();
 
     static bool add_host(HostAttributesEntry, snort::SnortConfig*);
-    static bool get_host_attributes(const snort::SfIp&, uint16_t, HostAttriInfo*);
+    static bool get_host_attributes(const snort::SfIp&, uint16_t protocol, uint16_t port, HostAttriInfo*);
+    static bool get_host_attributes(const snort::SfIp&, PktType pkt_type, uint16_t port, HostAttriInfo*);
     static void update_service(const snort::SfIp&, uint16_t port, uint16_t protocol,
         SnortProtocolId, bool is_appid_service = false);
     static void clear_appid_services();
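Review bot: Neither `get_host_attributes` overload says which numbering `protocol` uses. The `PktType` overload feeds `SNORT_PROTO_TCP`, `SNORT_PROTO_UDP` or `SNORT_PROTO_ICMP` into the `uint16_t` one, and that value is compared with `HostServiceDescriptor::ipproto`, so a caller passing an IP header protocol number would presumably never match. A one-line comment above the pair would settle it, for example `// protocol is a SNORT_PROTO_* id, compared against the service's ipproto; use the PktType overload when only the packet type is known`.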