}
}
-void AppIdSession::check_app_detection_restart(AppidChangeBits& change_bits)
+void AppIdSession::check_ssl_detection_restart(AppidChangeBits& change_bits)
{
if (get_session_flags(APPID_SESSION_DECRYPTED) or !flow->is_proxied())
return;
}
}
+void AppIdSession::check_tunnel_detection_restart()
+{
+ if (tp_payload_app_id != APP_ID_HTTP_TUNNEL or get_session_flags(APPID_SESSION_HTTP_TUNNEL))
+ return;
+
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Found HTTP Tunnel, restarting app Detection\n",
+ appidDebug->get_debug_session());
+
+ // service
+ if (service.get_id() == service.get_port_service_id())
+ service.set_id(APP_ID_NONE, ctxt.get_odp_ctxt());
+ service.set_port_service_id(APP_ID_NONE);
+ service.reset();
+ service_ip.clear();
+ service_port = 0;
+ service_disco_state = APPID_DISCO_STATE_NONE;
+ service_detector = nullptr;
+ free_flow_data_by_mask(APPID_SESSION_DATA_SERVICE_MODSTATE_BIT);
+
+ // client
+ client.reset();
+ client_inferred_service_id = APP_ID_NONE;
+ client_disco_state = APPID_DISCO_STATE_NONE;
+ free_flow_data_by_mask(APPID_SESSION_DATA_CLIENT_MODSTATE_BIT);
+ client_candidates.clear();
+
+ init_tpPackets = 0;
+ resp_tpPackets = 0;
+ scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG;
+ clear_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CLIENT_DETECTED |
+ APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT);
+
+ set_session_flags(APPID_SESSION_HTTP_TUNNEL);
+
+}
+
+void AppIdSession::check_app_detection_restart(AppidChangeBits& change_bits)
+{
+ check_ssl_detection_restart(change_bits);
+ check_tunnel_detection_restart();
+}
+
void AppIdSession::update_encrypted_app_id(AppId service_id)
{
switch (service_id)
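Review bot: check_tunnel_detection_restart() carries no comment saying that the restart is one-shot. The guard on its first line returns whenever APPID_SESSION_HTTP_TUNNEL is already set, and the function sets that flag as its last statement, so service and client discovery are reset at most once per session. I would state that above the guard, e.g. `// Restart discovery once per flow; APPID_SESSION_HTTP_TUNNEL (set below) blocks any further restart`, so a reader knows that traffic inside the tunnel is classified by a single fresh pass. Unlike check_ssl_detection_restart(), this function takes no AppidChangeBits although it clears the service and client ids. If consumers rely on change bits to learn that an id was reset, they may need to be passed through from check_app_detection_restart(); the callers are outside this hunk, so that is worth confirming.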
void set_referred_payload_app_id_data(AppId, AppidChangeBits& change_bits);
void set_payload_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr);
void check_app_detection_restart(AppidChangeBits& change_bits);
+ void check_ssl_detection_restart(AppidChangeBits& change_bits);
+ void check_tunnel_detection_restart();
void update_encrypted_app_id(AppId);
void examine_rtmp_metadata(AppidChangeBits& change_bits);
void sync_with_snort_protocol_id(AppId, snort::Packet*);
const string* field = 0;
int reinspect_ssl_appid = 0;
+ if (asd.get_session_flags(APPID_SESSION_HTTP_TUNNEL))
+ {
+ if (!asd.service_detector)
+ asd.service_detector = asd.ctxt.get_odp_ctxt().get_app_info_mgr().
+ get_app_info_entry(APP_ID_SSL)->service_detector;
+ if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION))
+ asd.clear_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION);
+ }
+
tmpAppId = asd.tpsession->get_appid(tmpConfidence);
asd.set_session_flags(APPID_SESSION_SSL_SESSION);
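Review bot: The added fallback dereferences the result of `get_app_info_entry(APP_ID_SSL)` without checking it. If that lookup can return null (its definition is not on this page), the inspector would fault on a tunnelled flow instead of leaving `service_detector` unset. A guarded form keeps the behaviour otherwise: `if (auto* entry = asd.ctxt.get_odp_ctxt().get_app_info_mgr().get_app_info_entry(APP_ID_SSL)) asd.service_detector = entry->service_detector;`. The `get_session_flags(...)` test in front of `clear_session_flags(...)` also looks redundant, since clearing bits that are not set should be a no-op. The enclosing function starts and ends outside the hunk.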
asd.set_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION);
}
+ if (contains(proto_list, APP_ID_SSL))
+ process_ssl(asd, attribute_data, change_bits);
+
if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION))
process_http_session(asd, attribute_data, change_bits);
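Review bot: The relocated `process_ssl` call now has to run before the `APPID_SESSION_HTTP_SESSION` test that follows it, yet nothing in the code says so. If process_ssl is the function that gained the APPID_SESSION_HTTP_TUNNEL block elsewhere in this commit, it clears the HTTP and SPDY session flags that the context lines just above set, which appears to be what keeps process_http_session from running on SSL inside a tunnel. A one-line comment would protect that order from a later tidy-up, e.g. `// must precede the HTTP_SESSION check: process_ssl clears it for SSL inside an HTTP tunnel`. Because the call has left the else-if chain, it now also runs alongside whichever other protocol branch matches; confirm that this is intended. The enclosing function is only partly visible here.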
contains(proto_list, APP_ID_RTSP) )
process_rtmp(asd, attribute_data, confidence, change_bits);
- else if (contains(proto_list, APP_ID_SSL))
- process_ssl(asd, attribute_data, change_bits);
-
else if (contains(proto_list, APP_ID_FTP_CONTROL))
process_ftp_control(asd, attribute_data);
asd.set_tp_app_id(APP_ID_HTTP);
- // Handle HTTP tunneling and SSL possibly then being used in that tunnel
if (tp_app_id == APP_ID_HTTP_TUNNEL)
asd.set_payload_appid_data(APP_ID_HTTP_TUNNEL, change_bits);
- else if (asd.payload.get_id() == APP_ID_HTTP_TUNNEL)
- {
- if (tp_app_id == APP_ID_SSL)
- asd.set_payload_appid_data(APP_ID_HTTP_SSL_TUNNEL, change_bits);
- else
- asd.set_payload_appid_data(tp_app_id, change_bits);
- }
+ else if (asd.payload.get_id() == APP_ID_HTTP_TUNNEL and tp_app_id != APP_ID_SSL)
+ asd.set_payload_appid_data(tp_app_id, change_bits);
AppIdHttpSession* hsession = asd.get_http_session();
if (!hsession)
hsession = asd.create_http_session();
hsession->process_http_packet(direction, change_bits, asd.ctxt.get_odp_ctxt().get_http_matchers());
- // If SSL over HTTP tunnel, make sure Snort knows that it's encrypted.
- if (asd.payload.get_id() == APP_ID_HTTP_SSL_TUNNEL)
- snort_app_id = APP_ID_SSL;
-
if (asd.get_tp_app_id() == APP_ID_HTTP and
!asd.get_session_flags(APPID_SESSION_APP_REINSPECT) and
asd.is_tp_appid_available())