Pull request #3780: appid: give precedence to eve detected client over appid when...
authorSreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>
Fri, 17 Mar 2023 18:00:30 +0000 (18:00 +0000)
committerSreeja Athirkandathil Narayanan (sathirka) <sathirka@cisco.com>
Fri, 17 Mar 2023 18:00:30 +0000 (18:00 +0000)
Merge in SNORT/snort3 from ~SATHIRKA/snort3:eve_http_process_client_detection to master

Squashed commit of the following:

commit 214fba55d508bd25ecbe05aa55618d17085daada
Author: Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
Date:   Thu Mar 9 11:20:54 2023 -0500

    appid: give precedence to eve detected client over appid when eve_http_client_mapping config is set

src/network_inspectors/appid/app_info_table.cc
src/network_inspectors/appid/appid_app_descriptor.h
src/network_inspectors/appid/appid_config.h
src/network_inspectors/appid/appid_session.cc
src/network_inspectors/appid/appid_session.h
src/network_inspectors/appid/appid_session_api.cc
src/network_inspectors/appid/test/appid_session_api_test.cc

index 8adfb3f8425f77a5b26b8f206a299581b995ea57..d84bedb3a4cc16c947a880c1e8be8bd54d2b3b59 100644 (file)
@@ -609,6 +609,10 @@ void AppInfoManager::load_odp_config(OdpContext& odp_ctxt, const char* path)
             {
                 set_app_info_flags(atoi(conf_val), APPINFO_FLAG_IGNORE);
             }
+            else if (!(strcasecmp(conf_key, "eve_http_client")))
+            {
+                odp_ctxt.eve_http_client = atoi(conf_val) ? true : false;
+            }
             else
                 ParseWarning(WARN_CONF, "appid: unsupported configuration: %s\n", conf_key);
         }
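Review bot: `atoi(conf_val)` in the new `eve_http_client` branch returns 0 for any non-numeric value, so a value such as `true` or an empty string silently switches off a setting that defaults to on in OdpContext. Because this flag decides which client identity a session reports, consider accepting only `0` and `1` and otherwise emitting something like `ParseWarning(WARN_CONF, "appid: invalid eve_http_client value: %s\n", conf_val);`. The commit message calls the option `eve_http_client_mapping` while the key parsed here is `eve_http_client`; one of the two should be corrected so operators set the right key. load_odp_config's body starts and ends outside the hunk.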
index f3164b2b7d096c671abdbb8190154990b7ed0711..d3cf8c756ff11f5a53eab2924ea763abc3125655 100644 (file)
@@ -79,6 +79,11 @@ public:
             my_version = version;
     }
 
+    void reset_version()
+    {
+        my_version.clear();
+    }
+
 private:
     AppId my_id = APP_ID_NONE;
     std::string my_version;
index e26d55aefadca61ef38c9a5ae73387509952d41a..76e845ef67760d6e47f4b36388b757decd6ff173 100644 (file)
@@ -133,6 +133,7 @@ public:
     uint16_t max_packet_before_service_fail = MIN_MAX_PKTS_BEFORE_SERVICE_FAIL;
     uint16_t max_packet_service_fail_ignore_bytes = MIN_MAX_PKT_BEFORE_SERVICE_FAIL_IGNORE_BYTES;
     FirstPktAppIdDiscovered first_pkt_appid_prefix = NO_APPID_FOUND;
+    bool eve_http_client = true;
 
     OdpContext(const AppIdConfig&, snort::SnortConfig*);
     void initialize(AppIdInspector& inspector);
index b12c756de8b8e7f81d5ab4f14125ad2ce9b85b96..2c833519c77fbc853fa9563307ee8a1c68fcb5a8 100644 (file)
@@ -862,6 +862,12 @@ AppId AppIdSession::pick_ss_client_app_id() const
         (api.service.get_id() == APP_ID_HTTP3 and !api.hsessions.empty()))
         return APP_ID_NONE;
 
+    if (use_eve_client_app_id())
+    {
+        api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
+        return api.client.get_eve_client_app_id();
+    }
+
     AppId tmp_id = APP_ID_NONE;
     if (!api.hsessions.empty())
         tmp_id = api.hsessions[0]->client.get_id();
@@ -871,12 +877,6 @@ AppId AppIdSession::pick_ss_client_app_id() const
         return tmp_id;
     }
 
-    if (use_eve_client_app_id())
-    {
-        api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
-        return api.client.get_eve_client_app_id();
-    }
-
     if (api.client.get_id() > APP_ID_NONE)
     {
         api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_APPID);
index a57a20b8ea4902a85a3d31a3fad9e35c899d8b35..5f57ecb358360163ad3ed1c21f7461fd762abd89 100644 (file)
@@ -540,8 +540,17 @@ public:
 
     bool use_eve_client_app_id() const
     {
-        return (api.client.get_eve_client_app_id() > APP_ID_NONE and
-            (api.client.get_id() == APP_ID_SSL_CLIENT or api.client.get_id() <= APP_ID_NONE));
+        if (api.client.get_eve_client_app_id() <= APP_ID_NONE)
+            return false;
+
+        if (get_session_flags(APPID_SESSION_HTTP_SESSION))
+        {
+            if (odp_ctxt.eve_http_client)
+                api.client.reset_version();
+            return odp_ctxt.eve_http_client;
+        }
+        else
+            return (api.client.get_id() == APP_ID_SSL_CLIENT or api.client.get_id() <= APP_ID_NONE);
     }
 
     void set_alpn_service_app_id(AppId id)
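Review bot: `use_eve_client_app_id()` is a const predicate, yet its new HTTP branch calls `api.client.reset_version()`, so merely asking the question erases the stored client version. The only caller visible on this page is `pick_ss_client_app_id()`, but any other caller would lose the version as a side effect, and the non-HTTP branch never resets it, so the two paths behave differently. Moving the call to where the decision is acted on, `if (use_eve_client_app_id()) { api.client.reset_version(); ... }` in `pick_ss_client_app_id()`, would keep the predicate free of side effects. If the reset stays here, a comment on it stating why the version is dropped (presumably because it was learned for the AppId-detected client, not the EVE one) would help the next reader.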
index adfb5f6a435247be3110f60005e6e989d4f1926d..8e7d2a13bfb251d9f335fec7b30272c507b64066 100644 (file)
@@ -258,6 +258,9 @@ bool AppIdSessionApi::is_appid_available(uint32_t stream_index) const
 
 const char* AppIdSessionApi::get_client_info(uint32_t stream_index) const
 {
+    if (client.get_eve_client_app_id() > APP_ID_NONE and pkt_thread_odp_ctxt and
+        pkt_thread_odp_ctxt->eve_http_client)
+        return client.get_version();
     if (uint32_t num_hsessions = get_hsessions_size())
     {
         if (stream_index >= num_hsessions)
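Review bot: The new early return in `get_client_info()` tests only the EVE client id and `eve_http_client`, whereas `use_eve_client_app_id()` honours that flag only when `APPID_SESSION_HTTP_SESSION` is set. With the flag at its default, a session that has an EVE client id takes this path regardless of which client the picker reported, and it bypasses the `stream_index >= num_hsessions` handling that follows. Consider gating on the same HTTP-session condition so the reported client id and the client info always come from the same detection source. The function body continues outside the hunk.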
index 08f94d884d4dfaa23205a35a42be2e0e518f1e9e..d25de9927b50c7dae00f1e64ae4300a377b261e5 100644 (file)
@@ -250,6 +250,7 @@ TEST(appid_session_api, is_appid_available)
 TEST(appid_session_api, get_client_info)
 {
     const char* val;
+    mock_session->get_odp_ctxt().eve_http_client = false;
     val = mock_session->get_api().get_client_info();
     STRCMP_EQUAL(val, APPID_UT_CLIENT_VERSION);
     mock_session->create_http_session();
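Review bot: Setting `eve_http_client = false` keeps the existing assertions passing but leaves the new early return in `get_client_info()` untested, even though `true` is the default in OdpContext. Add a case that sets an EVE client id with the flag enabled and checks what `get_client_info()` returns. The flag should also be restored afterwards, since `mock_session` appears to be shared between tests and the changed value may leak into later ones. The test body continues outside the hunk.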