netflow: pass a flag if the initiator and responder were swapped
authorMichael Matirko <mmatirko@cisco.com>
Mon, 25 Jul 2022 15:51:17 +0000 (11:51 -0400)
committerSteven Baigal (sbaigal) <sbaigal@cisco.com>
Tue, 2 Aug 2022 18:34:33 +0000 (18:34 +0000)
src/network_inspectors/rna/rna_pnd.cc
src/pub_sub/netflow_event.h
src/service_inspectors/netflow/netflow.cc

index c9e0ff2ff36b65a28ac63ab5e5ca35080c34bf20..0d5458504833b1bffad598b8d505dd53f9566452 100644 (file)
@@ -254,14 +254,22 @@ void RnaPnd::analyze_netflow_service(NetFlowEvent* nfe)
     const auto& src_ip = nfe->get_record()->initiator_ip;
     const auto& mac_addr = layer::get_eth_layer(p)->ether_src;
     uint32_t service = nfe->get_service_id();
-    uint16_t port = nfe->get_record()->responder_port;
+    uint16_t port = 0;
     IpProtocol proto = (IpProtocol) nfe->get_record()->proto;
 
+    if (nfe->is_initiator_swapped())
+        port = nfe->get_record()->initiator_port;
+    else
+        port = nfe->get_record()->responder_port;
+
     auto ht = find_or_create_host_tracker(src_ip, new_host);
     ht->update_last_seen();
 
     bool is_new = false;
     auto ha = ht->add_service(port, proto, (uint32_t) packet_time(), is_new, service);
+
+    ht->update_service_info(ha, nullptr, nullptr, conf->max_host_service_info);
+
     if ( is_new )
     {
         if ( proto == IpProtocol::TCP )
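Review bot: The second addition in this hunk, `ht->update_service_info(ha, nullptr, nullptr, conf->max_host_service_info);`, is unrelated to the swapped-initiator flag the commit title describes and carries no explanation of why it is now called for every netflow-derived service; a short why-comment above it, or moving it to its own commit, would make the intent reviewable. The new port selection could also be a single initializer, `uint16_t port = nfe->is_initiator_swapped() ? nfe->get_record()->initiator_port : nfe->get_record()->responder_port;`, which drops the placeholder `port = 0` and the if/else. Note that `src_ip` stays `initiator_ip` in both branches, so in the swapped case the service lands on the host that owns the known port, while in the non-swapped case the responder's port is attached to the initiator's address; whether that is intended cannot be told from this hunk. analyze_netflow_service continues outside the hunk.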
index 82aa601582593400fa9b6dd91887055e0d72f626..4be64a503b336d45d175ca5002be37f0e1b6c5ad 100644 (file)
@@ -32,9 +32,9 @@ class NetFlowEvent : public DataEvent
 {
 public:
     NetFlowEvent(const snort::Packet* p, const NetFlowSessionRecord* rec,
-        bool cre_host, bool cre_serv, uint32_t s_id)
+        bool cre_host, bool cre_serv, bool swp_initiator, uint32_t s_id)
         : pkt(p), record(rec), create_host(cre_host),
-          create_service(cre_serv), serviceID(s_id) { }
+          create_service(cre_serv), swapped(swp_initiator), serviceID(s_id) { }
 
     const Packet* get_packet() override
     { return pkt; }
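Review bot: The constructor now takes three adjacent positional bool parameters (`cre_host, cre_serv, swp_initiator`), so a transposed argument at a call site such as the one in netflow.cc compiles silently and only surfaces as wrong host/service behaviour. If the signature is kept as is, a brief Doxygen line on the constructor saying that `swp_initiator` means the service id was resolved from the initiator's port rather than the responder's (which is how netflow.cc sets it), plus `/*swapped=*/` style argument comments at call sites, would make such mistakes visible in review. The class body continues past this hunk.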
@@ -48,6 +48,9 @@ public:
     bool get_create_service()
     { return create_service; }
 
+    bool is_initiator_swapped()
+    { return swapped; }
+
     uint32_t get_service_id()
     { return serviceID; }
 
@@ -56,6 +59,7 @@ private:
     const NetFlowSessionRecord* record;
     bool create_host;
     bool create_service;
+    bool swapped;
     uint32_t serviceID = 0;
 };
 
index f20ee21244f199385f0db47b7f11e4fc7df01bf0..80df669518975706b8bc49aeda19551505d2a244 100644 (file)
@@ -109,6 +109,7 @@ static const NetFlowRule* filter_record(const NetFlowRules* rules, const int zon
 static void publish_netflow_event(const Packet* p, const NetFlowRule* match, NetFlowSessionRecord& record)
 {
     uint32_t serviceID = 0;
+    bool swapped = false;
 
     std::unordered_map<int, int>* service_mappings = nullptr;
 
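Review bot: `swapped` is set only in the branch where just the initiator port maps to a known service (the `else if (sid_initiator && !sid_responder)` case in the next hunk); the final `else` branch that takes the lower-numbered port can still select `sid_initiator` when `record.initiator_port <= record.responder_port`, yet leaves `swapped` false, so RnaPnd attaches an initiator-derived service id to `responder_port`. Adding `swapped = (record.initiator_port <= record.responder_port) && (sid_initiator != 0);` after the ternary assignment in that branch keeps the flag consistent with the chosen service id; the `sid_initiator != 0` term covers the case where neither port is known and serviceID ends up 0. publish_netflow_event continues past this hunk and the next.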
@@ -134,14 +135,21 @@ static void publish_netflow_event(const Packet* p, const NetFlowRule* match, Net
 
         // Use only the known port. If both are known, take the lower numbered port.
         if (sid_responder && !sid_initiator)
+        {
             serviceID = sid_responder;
+        }
         else if (sid_initiator && !sid_responder)
+        {
             serviceID = sid_initiator;
+            swapped = true;
+        }
         else
+        {
             serviceID = (record.initiator_port > record.responder_port) ? sid_responder : sid_initiator;
+        }
     }
 
-    NetFlowEvent event(p, &record, match->create_host, match->create_service, serviceID);
+    NetFlowEvent event(p, &record, match->create_host, match->create_service, swapped, serviceID);
     DataBus::publish(NETFLOW_EVENT, event);
 }