Merge pull request #2167 in SNORT/snort3 from ~SATHIRKA/snort3:quic_url to master
authorShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Fri, 17 Apr 2020 17:25:40 +0000 (17:25 +0000)
committerShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Fri, 17 Apr 2020 17:25:40 +0000 (17:25 +0000)
Squashed commit of the following:

commit e860159967cce1faafd932e2684fc88f8d9fabe1
Author: Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
Date:   Wed Aug 28 10:35:10 2019 -0400

    appid: Populate url for QUIC sessions by extracting QUIC SNI metadata from third-party

src/network_inspectors/appid/appid_session.h
src/network_inspectors/appid/application_ids.h
src/network_inspectors/appid/tp_appid_types.h
src/network_inspectors/appid/tp_appid_utils.cc

index d68c70adadc7ac6cf3ed36fdff0c6bd2e7f3e81f..dd1c1cd3b809de0fc62789a0ebbf17fdfbc15796 100644 (file)
@@ -417,6 +417,7 @@ static inline bool is_svc_http_type(AppId serviceId)
         case APP_ID_SMTPS:
         case APP_ID_SSHELL:
         case APP_ID_SSL:
+        case APP_ID_QUIC:
             return true;
     }
     return false;
index 28255ab93732e7cb38b8728e97ff48876d519bc6..2e80f56dd498379b420801d55721535419f98075 100644 (file)
@@ -1013,6 +1013,7 @@ enum ApplicationIds : AppId
     APP_ID_HTTP_SSL_TUNNEL                = 3860,
     APP_ID_FTP_ACTIVE                     = 4002,
     APP_ID_FTP_PASSIVE                    = 4003,
+    APP_ID_QUIC                           = 4023,
     APP_ID_PSIPHON                        = 4075,
     APP_ID_DNS_OVER_TLS                   = 4615,
 #ifdef REG_TEST
index 9e839e4edc2bb0dce6997b1b8fc5afcaf6b9f368..78b55a0e5ec5804f5e0cdbe631463ccdb665df1a 100644 (file)
@@ -125,6 +125,7 @@ class ThirdPartyAppIDAttributeData
     string* tls_org_unit_buf = nullptr;
     string* http_request_referer_buf = nullptr;
     string* ftp_command_user_buf = nullptr;
+    string* quic_sni_buf = nullptr;
 
     uint16_t http_request_uri_offset = 0;
     uint16_t http_request_uri_end_offset = 0;
@@ -179,6 +180,7 @@ public:
         if (tls_org_unit_buf) delete tls_org_unit_buf;
         if (http_request_referer_buf) delete http_request_referer_buf;
         if (ftp_command_user_buf) delete ftp_command_user_buf;
+        if (quic_sni_buf) delete quic_sni_buf;
     }
 
     // Note: calling these 2 times in a row, the 2nd time it returns null.
@@ -206,6 +208,7 @@ public:
     TPAD_GET(tls_org_unit)
     TPAD_GET(http_request_referer)
     TPAD_GET(ftp_command_user)
+    TPAD_GET(quic_sni)
 
     uint16_t http_request_uri_begin() { return http_request_uri_offset; }
     uint16_t http_request_uri_end() { return http_request_uri_end_offset; }
@@ -253,6 +256,7 @@ public:
     TPAD_SET(tls_org_unit)
     TPAD_SET_OFFSET(http_request_referer)
     TPAD_SET(ftp_command_user)
+    TPAD_SET(quic_sni)
 };
 
 #endif
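Review bot: The added destructor line `if (quic_sni_buf) delete quic_sni_buf;` carries a redundant null check, since `delete` on a null pointer is a no-op and `delete quic_sni_buf;` is enough; it does mirror the neighbouring entries, so the pattern would have to change as a whole rather than for this line only. The note above the getters says a second call returns null, which suggests TPAD_GET hands the buffer to its caller; the new `quic_sni()` getter presumably follows the same ownership rule, and whoever consumes it has to release the string. The ThirdPartyAppIDAttributeData class body starts before the first hunk and continues between the hunks, so the copy/assignment behaviour for the new raw pointer cannot be checked here.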
index 4cede174872be9a659c927752a8449fbf7b0febd..81a737d2a61f976798215c77847af9560ec403c6 100644 (file)
@@ -552,6 +552,23 @@ static inline void process_ftp_control(AppIdSession& asd,
     }
 }
 
+static inline void process_quic(AppIdSession& asd,
+    ThirdPartyAppIDAttributeData& attribute_data, AppidChangeBits& change_bits)
+{
+    const string* field = 0;
+    if ( !asd.tsession )
+        asd.tsession = (TlsSession*)snort_calloc(sizeof(TlsSession));
+
+    if ( (field=attribute_data.quic_sni()) != nullptr )
+    {
+        if ( appidDebug->is_active() )
+            LogMessage("AppIdDbg %s Flow is QUIC\n", appidDebug->get_debug_session());
+        asd.tsession->set_tls_host(field->c_str(), field->size(), change_bits);
+        if ( asd.service.get_id() <= APP_ID_NONE )
+            asd.set_service_appid_data(APP_ID_QUIC, change_bits);
+    }
+}
+
 static inline void process_third_party_results(AppIdSession& asd, int confidence,
     const vector<AppId>& proto_list, ThirdPartyAppIDAttributeData& attribute_data,
     AppidChangeBits& change_bits)
@@ -586,6 +603,9 @@ static inline void process_third_party_results(AppIdSession& asd, int confidence
 
     else if (contains(proto_list, APP_ID_FTP_CONTROL))
         process_ftp_control(asd, attribute_data);
+
+    else if (contains(proto_list, APP_ID_QUIC))
+        process_quic(asd, attribute_data, change_bits);
 }
 
 static inline void check_terminate_tp_module(AppIdSession& asd, uint16_t tpPktCount)
@@ -749,7 +769,7 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
                 && (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT)
                 || asd.payload.get_id() > APP_ID_NONE) )
             {
-                AppId snort_app_id;
+                AppId snort_app_id = APP_ID_NONE;
 
                 // if the packet is HTTP, then search for via pattern
                 if ( asd.get_session_flags(APPID_SESSION_HTTP_SESSION) )
@@ -836,6 +856,8 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
                     }
                     snort_app_id = APP_ID_SSL;
                 }
+                else if (asd.service.get_id() == APP_ID_QUIC)
+                    asd.set_tp_payload_app_id(*p, direction, tp_app_id, change_bits);
                 else
                 {
                     //for non-http protocols, tp id is treated like serviceId
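Review bot: In process_quic the TlsSession is allocated before the SNI is checked, so a QUIC result carrying no `quic_sni` still leaves `asd.tsession` pointing at a fresh zeroed TlsSession with no host; moving the `if ( !asd.tsession )` allocation inside the `quic_sni() != nullptr` branch avoids that. The initialiser `const string* field = 0;` should read `const string* field = nullptr;`, matching the comparison two lines below. Because the getters in tp_appid_types.h are documented to return null on a second call, `field` may be a buffer whose ownership has passed to this function; if so it needs to be released after `set_tls_host`, as the existing process_* helpers in this file presumably do, which is worth confirming against TPAD_GET. Zero-filling a TlsSession with snort_calloc and a C-style cast is only sound if TlsSession is trivially constructible; if that pattern is inherited from the existing TLS path it is fine, otherwise the object should be constructed properly. process_third_party_results and do_tp_discovery continue outside their hunks.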