config->is_host_port_app_cache_runtime = true;
}
}
+ else if (!(strcasecmp(conf_key, "check_host_port_app_cache")))
+ {
+ if (!(strcasecmp(conf_val, "enabled")))
+ {
+ config->check_host_port_app_cache = true;
+ }
+ }
+ else if (!(strcasecmp(conf_key, "check_host_cache_unknown_ssl")))
+ {
+ if (!(strcasecmp(conf_val, "enabled")))
+ {
+ config->check_host_cache_unknown_ssl = true;
+ }
+ }
else if (!(strcasecmp(conf_key, "allow_port_wildcard_host_cache")))
{
if (!(strcasecmp(conf_val, "enabled")))
LogMessage("AppId: allow_port_wildcard_host_cache enabled\n");
}
}
+ else if (!(strcasecmp(conf_key, "ultrasurf_aggressiveness")))
+ {
+ int aggressiveness = atoi(conf_val);
+ LogMessage("AppId: ultrasurf_aggressiveness %d\n", aggressiveness);
+ if (aggressiveness >= 50)
+ {
+ config->check_host_cache_unknown_ssl = true;
+ set_app_info_flags(APP_ID_ULTRASURF, APPINFO_FLAG_DEFER);
+ set_app_info_flags(APP_ID_ULTRASURF, APPINFO_FLAG_DEFER_PAYLOAD);
+ config->max_tp_flow_depth = 25;
+ LogMessage("AppId: check_host_cache_unknown_ssl enabled\n");
+ LogMessage("AppId: defer_to_thirdparty %d\n", APP_ID_ULTRASURF);
+ LogMessage("AppId: defer_payload_to_thirdparty %d\n", APP_ID_ULTRASURF);
+ LogMessage("AppId: max_tp_flow_depth %d\n", config->max_tp_flow_depth);
+ }
+ if (aggressiveness >= 80)
+ {
+ config->allow_port_wildcard_host_cache = true;
+ LogMessage("AppId: allow_port_wildcard_host_cache enabled\n");
+ }
+ }
+ else if (!(strcasecmp(conf_key, "psiphon_aggressiveness")))
+ {
+ int aggressiveness = atoi(conf_val);
+ LogMessage("AppId: psiphon_aggressiveness %d\n", aggressiveness);
+ if (aggressiveness >= 50)
+ {
+ config->check_host_cache_unknown_ssl = true;
+ set_app_info_flags(APP_ID_PSIPHON, APPINFO_FLAG_DEFER);
+ set_app_info_flags(APP_ID_PSIPHON, APPINFO_FLAG_DEFER_PAYLOAD);
+ config->max_tp_flow_depth = 25;
+ LogMessage("AppId: check_host_cache_unknown_ssl enabled\n");
+ LogMessage("AppId: defer_to_thirdparty %d\n", APP_ID_PSIPHON);
+ LogMessage("AppId: defer_payload_to_thirdparty %d\n", APP_ID_PSIPHON);
+ LogMessage("AppId: max_tp_flow_depth %d\n", config->max_tp_flow_depth);
+ }
+ if (aggressiveness >= 80)
+ {
+ config->allow_port_wildcard_host_cache = true;
+ LogMessage("AppId: allow_port_wildcard_host_cache enabled\n");
+ }
+ }
else if (!(strcasecmp(conf_key, "tp_allow_probes")))
{
if (!(strcasecmp(conf_val, "enabled")))
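Review bot: `atoi(conf_val)` in the `ultrasurf_aggressiveness` branch, and again in the `psiphon_aggressiveness` branch, accepts any string, so a typo or an empty value silently becomes 0 and the detection the operator asked for is never switched on; out-of-range input is undefined behaviour for `atoi`. Parse with `strtol`, check the end pointer and `errno`, and log the rejected value as sketched below. Both branches also overwrite `config->max_tp_flow_depth` with a hard-coded 25, so if that depth can be configured by another key (not visible here) the result depends on key order; a named constant and a comment saying which setting wins would help. The two branches differ only in the app id and could share one helper.

```cpp
else if (!(strcasecmp(conf_key, "ultrasurf_aggressiveness")))
{
    char* end = nullptr;
    errno = 0;
    long parsed = strtol(conf_val, &end, 10);
    // assumes conf_val arrives already trimmed; confirm before rejecting trailing characters
    if (end == conf_val || *end != '\0' || errno == ERANGE || parsed < 0 || parsed > INT_MAX)
    {
        LogMessage("AppId: ignoring invalid ultrasurf_aggressiveness '%s'\n", conf_val);
        parsed = 0;
    }
    int aggressiveness = static_cast<int>(parsed);
    // … unchanged: logging and the >= 50 / >= 80 threshold blocks …
```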
bool chp_userid_disabled = false;
bool http2_detection_enabled = false;
bool is_host_port_app_cache_runtime = false;
+ bool check_host_port_app_cache = false;
+ bool check_host_cache_unknown_ssl = false;
uint32_t ftp_userid_disabled = 0;
uint32_t chp_body_collection_disabled = 0;
uint32_t chp_body_collection_max = 0;
asd.payload.set_id(payload_id);
}
-void AppIdDetector::add_app(AppIdSession& asd, AppId service_id, AppId client_id,
- const char* version, AppidChangeBits& change_bits)
+void AppIdDetector::add_app(const Packet& p, AppIdSession& asd, AppidSessionDirection dir, AppId service_id,
+ AppId client_id, const char* version, AppidChangeBits& change_bits)
{
if ( version )
asd.client.set_version(version, change_bits);
asd.set_client_detected();
asd.client_inferred_service_id = service_id;
- asd.client.set_id(client_id);
+ asd.client.set_id(p, asd, dir, client_id, change_bits);
}
const char* AppIdDetector::get_code_string(APPID_STATUS_CODE code) const
virtual void add_info(AppIdSession&, const char*, AppidChangeBits&);
virtual void add_user(AppIdSession&, const char*, AppId, bool);
virtual void add_payload(AppIdSession&, AppId);
- virtual void add_app(AppIdSession&, AppId, AppId, const char*, AppidChangeBits&);
+ virtual void add_app(AppIdSession& asd, AppId service_id, AppId client_id, const char* version, AppidChangeBits& change_bits)
+ {
+ if ( version )
+ asd.client.set_version(version, change_bits);
+
+ asd.set_client_detected();
+ asd.client_inferred_service_id = service_id;
+ asd.client.set_id(client_id);
+ }
+ virtual void add_app(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppId, const char*, AppidChangeBits&);
virtual void finalize_patterns() {}
const char* get_code_string(APPID_STATUS_CODE) const;
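Review bot: Keeping both `add_app` overloads virtual invites name hiding: a detector subclass that overrides only one of them hides the other unless it adds `using AppIdDetector::add_app;`, and a call that resolves to the legacy overload quietly takes the old path. The inline legacy body ends in `asd.client.set_id(client_id)`, so it skips whatever the packet-aware `set_id(p, asd, dir, client_id, change_bits)` call in the out-of-line overload does. If the old signature is kept only for existing callers or test mocks (not visible here), say so above it, e.g. `// Legacy overload without packet context; skips the packet-aware client id handling. Prefer the Packet overload.`, and consider making it non-virtual. The class body starts and ends outside this hunk.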
return false;
}
+static inline bool is_check_host_cache_valid(AppIdSession& asd, AppId service_id, AppId client_id, AppId payload_id, AppId misc_id)
+{
+ bool is_payload_client_misc_none = (payload_id <= APP_ID_NONE and client_id <= APP_ID_NONE and misc_id <= APP_ID_NONE);
+ bool is_appid_none = is_payload_client_misc_none and (service_id <= APP_ID_NONE or service_id == APP_ID_UNKNOWN_UI or
+ (asd.config->mod_config->recheck_for_portservice_appid and service_id == asd.service.get_port_service_id()));
+ bool is_ssl_none = asd.config->mod_config->check_host_cache_unknown_ssl and asd.get_session_flags(APPID_SESSION_SSL_SESSION) and
+ (not(asd.tsession and asd.tsession->get_tls_host() and asd.tsession->get_tls_cname()));
+ if (is_appid_none or is_ssl_none or asd.config->mod_config->check_host_port_app_cache)
+ return true;
+ return false;
+}
+
bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol protocol,
AppidSessionDirection direction, AppId& service_id, AppId& client_id, AppId& payload_id,
AppId& misc_id, AppidChangeBits& change_bits)
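Review bot: `is_check_host_cache_valid` has no comment and its name reads like a validity test, while what it returns is whether `do_discovery` should consult the host cache. A header comment would make that clear: `// True when the host cache should be consulted: no app ids resolved yet, an SSL session still missing its TLS host or common name, or the lookup is forced by config.` When `check_host_port_app_cache` is set the function returns true for every session, so that test can come first as `if (asd.config->mod_config->check_host_port_app_cache) return true;` and the tail becomes `return is_appid_none or is_ssl_none;`. `asd` is only read here and could be taken as `const AppIdSession&` if the getters it calls are const (not visible in the hunk).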
misc_id = asd.pick_misc_app_id();;
bool is_http_tunnel = ((asd.payload.get_id() == APP_ID_HTTP_TUNNEL) || (asd.payload.get_id() == APP_ID_HTTP_SSL_TUNNEL)) ? true:false;
- bool is_appid_none = (client_id <= APP_ID_NONE and payload_id <= APP_ID_NONE and misc_id <= APP_ID_NONE);
- if ((is_appid_none and (service_id == APP_ID_UNKNOWN_UI or service_id <= APP_ID_NONE or
- (asd.config->mod_config->recheck_for_portservice_appid and service_id == asd.service.get_port_service_id())))
- or (is_http_tunnel))
+ if (is_check_host_cache_valid(asd, service_id, client_id, payload_id, misc_id) or (is_http_tunnel))
{
if(is_http_tunnel)
{
#define SCAN_HTTP_VIA_FLAG (1<<0)
#define SCAN_HTTP_USER_AGENT_FLAG (1<<1)
#define SCAN_HTTP_HOST_URL_FLAG (1<<2)
+#define SCAN_SSL_CERTIFICATE_FLAG (1<<3)
#define SCAN_SSL_HOST_FLAG (1<<4)
#define SCAN_HOST_PORT_FLAG (1<<5)
#define SCAN_HTTP_VENDOR_FLAG (1<<6)
}
scan_flags &= ~SCAN_SSL_HOST_FLAG;
}
- if ((tls_str = tsession->get_tls_cname()))
+ if ((scan_flags & SCAN_SSL_CERTIFICATE_FLAG) and (tls_str = tsession->get_tls_cname()))
{
size_t size = strlen(tls_str);
if ((ret = ssl_scan_cname((const uint8_t*)tls_str, size,
set_payload_appid_data(payload_id, change_bits);
setSSLSquelch(p, ret, (ret == 1 ? payload_id : client_id));
}
- tsession->set_tls_cname(nullptr, 0);
+ scan_flags &= ~SCAN_SSL_CERTIFICATE_FLAG;
}
if ((tls_str = tsession->get_tls_org_unit()))
{
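Review bot: The common name is no longer cleared after the scan and `SCAN_SSL_CERTIFICATE_FLAG` is now the only thing that prevents a rescan, but nothing in the code says why, and the org-unit block that follows is still entered on the string alone. A comment above the condition would keep a later cleanup from restoring the `set_tls_cname(nullptr, 0)` call, e.g. `// cname stays on the session after scanning; SCAN_SSL_CERTIFICATE_FLAG marks a cname that still needs a scan`. If the retained cname is what the `get_tls_cname()` test in the new host-cache check elsewhere in this commit relies on, name that dependency in the comment too (inferred, please confirm). The enclosing function starts and ends outside the hunk.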
return true;
}
+ if (asd->config->mod_config->check_host_port_app_cache)
+ return true;
+
return false;
}
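Review bot: The added `asd->config->mod_config->check_host_port_app_cache` test dereferences two pointers with no guard, and the unit-test change in this commit had to assign `mock_session->config` before this function could be called, which suggests a session can exist without a config. If that can also happen outside the tests, guard the chain: `if (asd->config and asd->config->mod_config and asd->config->mod_config->check_host_port_app_cache) return true;`. With the option enabled, `is_appid_inspecting_session` reports every session as still under inspection, so a comment stating that cost, `// forces continued inspection of all sessions while host/port cache checks are enabled`, would help whoever tunes this setting. The function body starts outside the hunk.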
APP_ID_HTTP_SSL_TUNNEL = 3860,
APP_ID_FTP_ACTIVE = 4002,
APP_ID_FTP_PASSIVE = 4003,
+ APP_ID_PSIPHON = 4075,
#ifdef REG_TEST
APP_ID_REGTEST = 10000,
APP_ID_REGTEST1 = 10001,
unsigned int service_id = lua_tonumber(L, 2);
unsigned int productId = lua_tonumber(L, 4);
const char* version = lua_tostring(L, 5);
- ud->cd->add_app(*lsd->ldp.asd,
+ ud->cd->add_app(*lsd->ldp.pkt, *lsd->ldp.asd, lsd->ldp.dir,
AppInfoManager::get_instance().get_appid_by_service_id(service_id),
AppInfoManager::get_instance().get_appid_by_client_id(productId), version,
*lsd->ldp.change_bits);
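Review bot: `*lsd->ldp.pkt` is dereferenced to form the new `const Packet&` argument, and no check that `ldp.pkt` is set is visible in the hunk. Before this change the call needed only `ldp.asd` and `ldp.change_bits`; if this Lua entry point can be reached outside packet context, binding a reference through a null `pkt` is undefined behaviour. Confirm that the validation earlier in the function (outside the hunk) covers `pkt` as well as `asd`, or bail out before the call in the way the function already handles an invalid detector state.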
/* TLS Common Name */
if (ss->common_name)
+ {
args.asd.tsession->set_tls_cname(ss->common_name, 0);
-
+ args.asd.scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
+ }
/* TLS Org Unit */
if (ss->org_name)
args.asd.tsession->set_tls_org_unit(ss->org_name, 0);
AppIdSession* mock_session = nullptr;
AppIdSessionApi* appid_session_api = nullptr;
+//Stub for config
+AppIdConfig::AppIdConfig(AppIdModuleConfig* mod)
+{
+ this->mod_config = mod;
+ this->mod_config->check_host_port_app_cache = false;
+}
+
TEST_GROUP(appid_session_api)
{
void setup() override
mock_session->set_tp_app_id(APP_ID_SSH);
val = appid_session_api->is_appid_inspecting_session();
CHECK_TRUE(val);
+
+ // 4th if in is_appid_inspecting_session
+ mock_session->set_tp_app_id(APP_ID_NONE);
+ mock_session->config->mod_config->check_host_port_app_cache = true;
+ val = appid_session_api->is_appid_inspecting_session();
+ CHECK_TRUE(val);
}
TEST(appid_session_api, get_user_name)
{
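Review bot: The new case sets `mock_session->config->mod_config->check_host_port_app_cache = true` and never restores it, so every test that runs afterwards on the shared `mock_session` sees the option enabled and `is_appid_inspecting_session()` can no longer return false there. Reset it at the end of the test with `mock_session->config->mod_config->check_host_port_app_cache = false;`, or do so in the group's `setup()`. The comment `// 4th if in is_appid_inspecting_session` goes stale as soon as a branch is added or reordered; describing the condition is more durable, e.g. `// config forces inspection even when the third-party app id is APP_ID_NONE`.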
mock_init_appid_pegs();
mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, appid_inspector);
+ AppIdModuleConfig *mod_config = new AppIdModuleConfig();
+ mock_session->config = new AppIdConfig(mod_config);
int rc = CommandLineTestRunner::RunAllTests(argc, argv);
mock_cleanup_appid_pegs();
return rc;
AppId tmpAppId = APP_ID_NONE;
int tmpConfidence = 0;
const string* field = 0;
+ int reinspect_ssl_appid = 0;
// if (tp_appid_module && asd.tpsession)
tmpAppId = asd.tpsession->get_appid(tmpConfidence);
if (!asd.client.get_id())
asd.set_client_appid_data(APP_ID_SSL_CLIENT, change_bits);
- if ( (field=attribute_data.tls_host(false)) != nullptr )
+ reinspect_ssl_appid = check_ssl_appid_for_reinspect(tmpAppId);
+
+ if ((field=attribute_data.tls_host(false)) != nullptr)
{
asd.tsession->set_tls_host(field->c_str(), field->size(), change_bits);
- if (check_ssl_appid_for_reinspect(tmpAppId))
+ if (reinspect_ssl_appid)
asd.scan_flags |= SCAN_SSL_HOST_FLAG;
}
- if (check_ssl_appid_for_reinspect(tmpAppId))
+ if ((field=attribute_data.tls_cname()) != nullptr)
{
- if ( (field=attribute_data.tls_cname()) != nullptr )
- {
- asd.tsession->set_tls_cname(field->c_str(), field->size());
- }
+ asd.tsession->set_tls_cname(field->c_str(), field->size());
+ if (reinspect_ssl_appid)
+ asd.scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
+ }
- if ( (field=attribute_data.tls_org_unit()) != nullptr )
+ if (reinspect_ssl_appid)
+ {
+ if ((field=attribute_data.tls_org_unit()) != nullptr)
{
asd.tsession->set_tls_org_unit(field->c_str(), field->size());
}