Pull request #3967: http2_inspect: add frame when logging a packet
authorAdrian Mamolea (admamole) <admamole@cisco.com>
Fri, 25 Aug 2023 18:08:48 +0000 (18:08 +0000)
committerOleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) <oshumeik@cisco.com>
Fri, 25 Aug 2023 18:08:48 +0000 (18:08 +0000)
Merge in SNORT/snort3 from ~ADMAMOLE/snort3:h2_pkt to master

Squashed commit of the following:

commit 6a79c665c90e29c2025376c56ee1be5ef6d49e68
Author: Adrian Mamolea <admamole@cisco.com>
Date:   Wed Aug 23 15:16:33 2023 -0400

    http2_inspect: address comments from Oleksii

commit 038f465bd138fbc9eb17fa661a9161cdd5235cbe
Author: Adrian Mamolea <admamole@cisco.com>
Date:   Wed Jul 5 16:59:08 2023 -0400

    http2_inspect: add frame when logging a packet

src/service_inspectors/http2_inspect/http2_data_frame.cc
src/service_inspectors/http2_inspect/http2_data_frame.h
src/service_inspectors/http2_inspect/http2_frame.cc
src/service_inspectors/http2_inspect/http2_frame.h
src/service_inspectors/http2_inspect/http2_inspect.cc
src/service_inspectors/http2_inspect/http2_inspect.h

index fb529169f68776feff26dbb77846c4794ee331ca..256a5fbdb0d547be054692df2294ccf1c84da47f 100644 (file)
@@ -103,3 +103,9 @@ void Http2DataFrame::print_frame(FILE* output)
     Http2Frame::print_frame(output);
 }
 #endif
+
+const uint8_t* Http2DataFrame::get_frame_data(uint32_t& length) const
+{
+    length = data_length;
+    return data_buffer;
+}
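Review bot: This override returns `data_buffer` unconditionally, while `Http2Frame::get_frame_pdu` treats a null return from `get_frame_data` as failure. If `data_buffer` can be null while `data_length` is 0 (the constructor is not visible here), a DATA frame with an empty payload would yield no frame PDU at all rather than a header-only one. A comment such as `// may return nullptr when no payload is buffered; get_frame_pdu then returns no PDU` would make that intentional, or the base could accept a null pointer together with a zero length.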
index 6224ce4e58b20f1bbc7ac984b100a61eb64ff072..e9c82b721ab1a21a3b9d5fb5fcace429eb9344fa 100644 (file)
@@ -35,6 +35,7 @@ public:
 
     bool is_detection_required() const override { return false; }
     void update_stream_state() override;
+    virtual const uint8_t* get_frame_data(uint32_t& length) const override;
 
     friend Http2Frame* Http2Frame::new_frame(const uint8_t*, const uint32_t, const uint8_t*,
         const uint32_t, Http2FlowData*, HttpCommon::SourceId, Http2Stream* stream);
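Review bot: `virtual` is redundant on a declaration that already carries `override`, and the two overrides just above it (`is_detection_required`, `update_stream_state`) omit it. `const uint8_t* get_frame_data(uint32_t& length) const override;` would match them. The class body starts and ends outside the hunk.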
index f8a4ac9313835fd8b6a1a7e2901487c4bb4fd55c..813a27316d552eb0dc687a9699926cfbb221e16e 100644 (file)
@@ -154,3 +154,32 @@ void Http2Frame::print_frame(FILE* output)
     data.print(output, "Frame Data");
 }
 #endif
+
+const uint8_t* Http2Frame::get_frame_pdu(uint16_t& length) const
+{
+    int32_t hlen = header.length();
+    if (hlen != FRAME_HEADER_LENGTH)
+        return nullptr;
+
+    uint32_t dlen;
+    const uint8_t* data = get_frame_data(dlen);
+    if (!data or (hlen + dlen > UINT16_MAX))
+        return nullptr;
+
+    length = (uint16_t)(hlen + dlen);
+    uint8_t* pdu = new uint8_t[length];
+    memcpy(pdu, header.start(), hlen);
+    if (dlen)
+        memcpy(&pdu[hlen], data, dlen);
+    return pdu;
+}
+
+const uint8_t* Http2Frame::get_frame_data(uint32_t& length) const
+{
+    int32_t dlen = data.length();
+    if (dlen < 0)
+        return nullptr;
+
+    length = (uint32_t)dlen;
+    return data.start();
+}
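Review bot: In `get_frame_pdu`, the bound check `hlen + dlen > UINT16_MAX` is evaluated in 32-bit unsigned arithmetic, so a `dlen` within `hlen` of UINT32_MAX wraps to a small sum and passes. After that, `memcpy(&pdu[hlen], data, dlen)` would write far past the `length`-byte allocation. The 24-bit HTTP/2 frame length probably keeps `dlen` well below that in practice, but the guard should not depend on it: `if (!data or dlen > UINT16_MAX - (uint32_t)hlen)`. Separately, `length` is left unwritten on every nullptr path, including frames larger than 65535 bytes, which deserves a comment above the function.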
index ccaccfbe2624bd152109a9068d4ca33d067f85ec..5389ca0eb62234cea1912da378939bb0399fcb34 100644 (file)
@@ -50,7 +50,8 @@ public:
     virtual const Field& get_buf(unsigned id);
     virtual bool is_detection_required() const { return true; }
     virtual void update_stream_state() { }
-
+    const uint8_t* get_frame_pdu(uint16_t& length) const;
+    virtual const uint8_t* get_frame_data(uint32_t& length) const;
 #ifdef REG_TEST
     virtual void print_frame(FILE* output);
 #endif
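Review bot: The declaration of `get_frame_pdu` gives no hint that the returned buffer is allocated with `new uint8_t[]` in http2_frame.cc and handed to the caller, whereas `get_frame_data` appears to return a pointer into storage the frame already refers to. Both return `const uint8_t*`, so a caller cannot tell which one it must release, and a missed `delete[]` leaks once per logged packet. I would add `// Returns a new[] copy of header + data; caller must delete[]. nullptr (length untouched) on failure.` above `get_frame_pdu` and `// Returns a borrowed pointer; do not free.` above `get_frame_data`. The class body starts and ends outside the hunk.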
index 01443ce1e9784ed15141588841a732e518abdc09..feed041f1ebe1a86d142e7cc41fb97415e6f79dc 100644 (file)
@@ -214,3 +214,20 @@ static void print_flow_issues(FILE* output, Http2Infractions* const infractions,
         infractions->get_raw(0), events->get_raw(0));
 }
 #endif
+
+const uint8_t* Http2Inspect::adjust_log_packet(Packet* p, uint16_t& length)
+{
+    auto* const session_data = (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
+    if (!session_data)
+        return nullptr;
+
+    auto* stream = session_data->find_processing_stream();
+    if (!stream)
+        return nullptr;
+
+    auto* frame = stream->get_current_frame();
+    if (!frame)
+        return nullptr;
+
+    return frame->get_frame_pdu(length);
+}
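Review bot: `p->flow->get_flow_data(...)` dereferences `p->flow` without a check, unlike the three lookups after it, which each return nullptr on a null result. Whether the logging path can reach `adjust_log_packet` with a packet that has no flow is not visible in this diff; if it can, `if (!p->flow) return nullptr;` at the top keeps the fallback behaviour consistent. The C-style cast to `Http2FlowData*` could also be a `static_cast`, which rejects unrelated pointer types at compile time.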
index ba7cd58a3630dfbb12995f7e994e6b616a17e2ae..7b971357b7fbc58a944071517fa529406734d84d 100644 (file)
@@ -55,6 +55,7 @@ public:
     bool can_carve_files() const override
     { return true; }
 
+    const uint8_t* adjust_log_packet(snort::Packet* p, uint16_t& length) override;
 private:
     friend Http2Api;