Merge pull request #1752 in SNORT/snort3 from ~SATHIRKA/snort3:bittorrent_wildcard...
authorShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Mon, 23 Sep 2019 21:49:10 +0000 (17:49 -0400)
committerShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Mon, 23 Sep 2019 21:49:10 +0000 (17:49 -0400)
Squashed commit of the following:

commit e2525bc26e3155a88b92665efc8fd466daae33eb
Author: Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
Date:   Wed Sep 18 15:58:20 2019 -0400

    appid: Add support for wildcard ports in host tracker

src/host_tracker/host_tracker.cc
src/host_tracker/host_tracker.h
src/network_inspectors/appid/app_info_table.cc
src/network_inspectors/appid/appid_config.h
src/network_inspectors/appid/appid_discovery.cc
src/network_inspectors/appid/test/appid_discovery_test.cc

index 6a3bc8a092d6726c494801c5b685c7562a04ab27..c8ae5a7db360187a481db21a65306f56b4464c6c 100644 (file)
@@ -101,15 +101,15 @@ bool HostTracker::add_service(Port port, IpProtocol proto, AppId appid, bool inf
     return true;
 }
 
-AppId HostTracker::get_appid(Port port, IpProtocol proto, bool inferred_only)
+AppId HostTracker::get_appid(Port port, IpProtocol proto, bool inferred_only, bool allow_port_wildcard)
 {
     host_tracker_stats.service_finds++;
     std::lock_guard<std::mutex> lck(host_tracker_lock);
 
     for ( const auto& s : services )
     {
-        if ( s.port == port and s.proto == proto and
-            (!inferred_only or s.inferred_appid == inferred_only) )
+        bool matched = (s.port == port and s.proto == proto and (!inferred_only or s.inferred_appid == inferred_only));
+        if ( matched or ( allow_port_wildcard and s.inferred_appid ) )
             return s.appid;
     }
 
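Review bot: In the new condition `matched or ( allow_port_wildcard and s.inferred_appid )` the wildcard arm drops the `s.proto == proto` check along with the port, so a lookup for one protocol can return an appid inferred for a service on another; the flag's name suggests only the port was meant to be wildcarded. Because the loop returns on the first hit, an inferred entry for an unrelated port that sits earlier in `services` also shadows a later exact port/proto match. This appid feeds host/port-based discovery, so the looser match widens misidentification. I would return exact matches first and keep a same-protocol inferred entry only as a fallback. The fallback return belongs after the loop, which lies outside this hunk, so the sketch assumes the function currently ends with a not-found return.

```cpp
AppId wildcard_appid = APP_ID_NONE;

for ( const auto& s : services )
{
    // … unchanged: computation of `matched` …
    if ( matched )
        return s.appid;

    // Port wildcard only: keep the protocol check, remember the first candidate.
    if ( allow_port_wildcard and s.inferred_appid and s.proto == proto
        and wildcard_appid == APP_ID_NONE )
        wildcard_appid = s.appid;
}
// … after the loop (outside this hunk): return wildcard_appid when it was set …
```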
index ff46f9adc1de36397b49df65848c36b4a34fefa5..5d45a11acc3df11ae3e4f7e3bf875d0078a13d2d 100644 (file)
@@ -108,7 +108,7 @@ public:
     bool add_service(Port port, IpProtocol proto,
         AppId appid = APP_ID_NONE, bool inferred_appid = false);
 
-    AppId get_appid(Port port, IpProtocol proto, bool inferred_only = false);
+    AppId get_appid(Port port, IpProtocol proto, bool inferred_only = false, bool allow_port_wildcard = false);
 
     //  This should be updated whenever HostTracker data members are changed
     void stringify(std::string& str);
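Review bot: The declaration of `get_appid` now ends in two defaulted `bool` parameters with no comment saying what either does, so a call such as `get_appid(port, protocol, true, flag)` is easy to misread or to write with the arguments swapped. A comment above the declaration would help, for example `// allow_port_wildcard: also match any service entry whose appid was inferred, regardless of the requested port`. Since the flag loosens matching, the comment should also say that it defaults to off and is meant to be driven by configuration.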
index 9992d0149bd8045276ffcf69c95c24a158777f0f..77267a07b53a626b2b4a2ab0c1aecb0ac2e1d64f 100644 (file)
@@ -366,6 +366,34 @@ void AppInfoManager::load_appid_config(AppIdModuleConfig* config, const char* pa
                     config->is_host_port_app_cache_runtime = true;
                 }
             }
+            else if (!(strcasecmp(conf_key, "allow_port_wildcard_host_cache")))
+            {
+                if (!(strcasecmp(conf_val, "enabled")))
+                {
+                    config->allow_port_wildcard_host_cache = true;
+                }
+            }
+            else if (!(strcasecmp(conf_key, "bittorrent_aggressiveness")))
+            {
+                int aggressiveness = atoi(conf_val);
+                LogMessage("AppId: bittorrent_aggressiveness %d\n", aggressiveness);
+                if (aggressiveness >= 50)
+                {
+                    config->host_port_app_cache_lookup_interval = 5;
+                    set_app_info_flags(APP_ID_BITTORRENT, APPINFO_FLAG_DEFER);
+                    set_app_info_flags(APP_ID_BITTORRENT, APPINFO_FLAG_DEFER_PAYLOAD);
+                    config->max_tp_flow_depth = 25;
+                    LogMessage("AppId: host_port_app_cache_lookup_interval %d\n", config->host_port_app_cache_lookup_interval);
+                    LogMessage("AppId: defer_to_thirdparty %d\n", APP_ID_BITTORRENT);
+                    LogMessage("AppId: defer_payload_to_thirdparty %d\n", APP_ID_BITTORRENT);
+                    LogMessage("AppId: max_tp_flow_depth %d\n", config->max_tp_flow_depth);
+                }
+                if (aggressiveness >= 80)
+                {
+                    config->allow_port_wildcard_host_cache = true;
+                    LogMessage("AppId: allow_port_wildcard_host_cache enabled\n");
+                }
+            }
             else if (!(strcasecmp(conf_key, "tp_allow_probes")))
             {
                 if (!(strcasecmp(conf_val, "enabled")))
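Review bot: `atoi(conf_val)` in the new `bittorrent_aggressiveness` branch cannot report a parse failure: a mistyped or empty value becomes 0 and both thresholds are skipped with only the `bittorrent_aggressiveness 0` log line as a hint, and an out-of-range value has undefined behaviour. Parsing with `strtol` and an end pointer lets the loader reject non-numeric input explicitly, as sketched below. Separately, the `>= 50` block overwrites `host_port_app_cache_lookup_interval` and `max_tp_flow_depth`, and `>= 80` turns on `allow_port_wildcard_host_cache`, which the `allow_port_wildcard_host_cache` key can enable but never switch back off. The result therefore presumably depends on key order in the file, and a comment stating the intended precedence would help. The if/else chain of load_appid_config starts and ends outside this hunk.

```cpp
else if (!(strcasecmp(conf_key, "bittorrent_aggressiveness")))
{
    char* end = nullptr;
    const long aggressiveness = strtol(conf_val, &end, 10);
    if (end == conf_val)
    {
        // No digits were consumed: leave the defaults and say so.
        LogMessage("AppId: bittorrent_aggressiveness ignored, not a number: %s\n", conf_val);
    }
    else
    {
        LogMessage("AppId: bittorrent_aggressiveness %ld\n", aggressiveness);
        // … unchanged: the >= 50 and >= 80 blocks …
    }
}
```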
index 561c2b36f6e16f57dbb5f501b723913afbb2f0b7..14f7f8749813cc03f07f22708b0bc235b5ea738e 100644 (file)
@@ -102,6 +102,7 @@ public:
     uint32_t host_port_app_cache_lookup_interval = 10;
     uint32_t host_port_app_cache_lookup_range = 100000;
     uint32_t http_response_version_enabled = 0;
+    bool allow_port_wildcard_host_cache = false;
 };
 
 typedef std::array<SF_LIST*, APP_ID_PORT_ARRAY_SIZE> AppIdPortExclusions;
index fb0d0d378d15a58aa71fc7df594e1e0b7bc7bece..40ba7b1ef610e70fa21a435b6d27db464847c975 100644 (file)
@@ -917,7 +917,7 @@ bool AppIdDiscovery::do_host_port_based_discovery(Packet* p, AppIdSession& asd,
         auto ht = host_cache.find(*ip);
         if (ht)
         {
-            AppId appid = ht->get_appid(port, protocol, true);
+            AppId appid = ht->get_appid(port, protocol, true, asd.config->mod_config->allow_port_wildcard_host_cache);
             if (appid > APP_ID_NONE)
             {
                 // FIXIT-L: Make this more generic to support service and payload IDs
index e5da21705b684c298fc7192eb8aa8eec650ed178..fbd703e97155472d0cc0b426d50216ede19da3a3 100644 (file)
@@ -220,7 +220,7 @@ ServiceDiscovery& ServiceDiscovery::get_instance()
 }
 
 HostCacheIp host_cache(50);
-AppId HostTracker::get_appid(Port, IpProtocol, bool)
+AppId HostTracker::get_appid(Port, IpProtocol, bool, bool)
 {
     return APP_ID_NONE;
 }
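Review bot: The stub here always returns `APP_ID_NONE`, so nothing in this test file exercises the new `allow_port_wildcard` path, and the commit's file list shows no host tracker test being touched. A unit test on `HostTracker::get_appid` would pin down the intended matching rules before the option is enabled in a deployment. It should cover a port mismatch with the flag off, the same lookup with the flag on, and a protocol mismatch with the flag on.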