Merge in SNORT/snort3 from ~SATHIRKA/snort3:custom_process_mapping to master
Squashed commit of the following:
commit
41b88649edd815ed38aa25641a360bf18ebac711
Author: Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
Date: Thu Mar 3 16:29:30 2022 -0500
appid: do not add duplicate process to client app mapping for the same process name
uint8_t confidence, const string& detector)
{
auto match = find_if(eve_ca_load_list.begin(), eve_ca_load_list.end(),
- [app_id, pattern_str] (EveCaPattern* eve_ca)
- { return (eve_ca->pattern == pattern_str and eve_ca->app_id != app_id); });
-
+ [pattern_str] (EveCaPattern* eve_ca) { return eve_ca->pattern == pattern_str; });
if (match != eve_ca_load_list.end())
- WarningMessage("appid: detector %s - process name '%s' for client app %d is already "
- "mapped to client app %d\n", detector.c_str(), (*match)->pattern.c_str(), app_id,
- (*match)->app_id);
-
- EveCaPattern* new_eve_ca_pattern = new EveCaPattern(app_id, pattern_str, confidence);
- eve_ca_load_list.push_back(new_eve_ca_pattern);
+ {
+ if ((*match)->app_id != app_id)
+ WarningMessage("appid: detector %s - process name '%s' for client app %d is already "
+ "mapped to client app %d\n", detector.c_str(), (*match)->pattern.c_str(), app_id,
+ (*match)->app_id);
+ }
+ else
+ {
+ EveCaPattern* new_eve_ca_pattern = new EveCaPattern(app_id, pattern_str, confidence);
+ eve_ca_load_list.push_back(new_eve_ca_pattern);
+ }
}
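Review bot: The new else branch makes the first registration of a process name win silently: a second mapping to the same app_id with a different confidence (the commit's own test pins 80 over 90 for "chrome") is discarded with no message, so the effective confidence now depends on detector load order, and an operator overriding an ODP entry from a custom detector gets no feedback. The differing-app_id case warns, so the same-app_id case should at least report when the confidence differs, e.g. an `else if ((*match)->confidence != confidence)` that calls WarningMessage with the detector, pattern, app_id and both confidence values; alternatively document the rule in a one-line comment above the find_if, `// first mapping registered for a process name wins; later duplicates are ignored`. add_eve_ca_pattern's signature starts outside the hunk, so the parameter list is only partly visible here.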
static int eve_ca_pattern_match(void* id, void*, int, void* data, void*)
void finalize_patterns();
void reload_patterns();
+ const EveCaPatternList& get_eve_ca_load_list() const { return eve_ca_load_list; }
+
private:
snort::SearchTool eve_ca_pattern_matcher = snort::SearchTool();
EveCaPatternList eve_ca_load_list;
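Review bot: get_eve_ca_load_list() hands out a const reference to a private container on a public interface with no comment on its intent or lifetime; the only caller visible in this commit is the unit test. A short comment would keep it from being picked up as a general API, e.g. `// exposes the load list for unit tests; the reference is only valid until the list is next modified (presumably by reload_patterns)`. Whether reload_patterns() actually rebuilds eve_ca_load_list is not visible in this hunk, so the lifetime wording should be confirmed against its definition.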
CHECK(eve_matcher->match_eve_ca_pattern("firefox", 92) == APPID_UT_ID);
}
+TEST(eve_ca_patterns_tests, add_eve_ca_pattern)
+{
+ // same process name mapped to different app
+ eve_matcher->add_eve_ca_pattern(APPID_UT_ID + 1, "firefox", 40, "custom_detector.lua");
+ eve_matcher->add_eve_ca_pattern(APPID_UT_ID + 2, "firefox", 90, "odp_detector.lua");
+
+ CHECK(eve_matcher->get_eve_ca_load_list().size() == 1);
+ CHECK(eve_matcher->get_eve_ca_load_list()[0]->app_id == APPID_UT_ID + 1);
+ CHECK(eve_matcher->get_eve_ca_load_list()[0]->confidence == 40);
+
+ // same process name mapped to an existing app, but with different confidence
+ eve_matcher->add_eve_ca_pattern(APPID_UT_ID + 1, "chrome", 80, "custom_detector.lua");
+ eve_matcher->add_eve_ca_pattern(APPID_UT_ID + 1, "chrome", 90, "odp_detector.lua");
+
+ CHECK(eve_matcher->get_eve_ca_load_list().size() == 2);
+ CHECK(eve_matcher->get_eve_ca_load_list()[1]->app_id == APPID_UT_ID + 1);
+ CHECK(eve_matcher->get_eve_ca_load_list()[1]->confidence == 80);
+}
+
int main(int argc, char** argv)
{
int return_value = CommandLineTestRunner::RunAllTests(argc, argv);
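Review bot: The size and index assertions (`size() == 1`, `[0]->app_id == APPID_UT_ID + 1`) assume eve_matcher starts this test with an empty load list, yet the preceding test in the file resolves "firefox" to APPID_UT_ID, so unless the test group's setup recreates eve_matcher per test (not visible here) these checks depend on test ordering. Adding `CHECK(eve_matcher->get_eve_ca_load_list().empty());` as the first line of the test makes the precondition explicit and fails clearly rather than with a misleading index mismatch. The test also does not cover the path where a process name is already mapped to a different app_id (the warning branch), which is the case the commit message names; a third add with `APPID_UT_ID + 2` followed by a size check would pin that no entry is appended there either.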