Pull request #3245: appid: give priority to custom process to app mappings over VDB...
authorShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Thu, 27 Jan 2022 01:44:06 +0000 (01:44 +0000)
committerShravan Rangarajuvenkata (shrarang) <shrarang@cisco.com>
Thu, 27 Jan 2022 01:44:06 +0000 (01:44 +0000)
Merge in SNORT/snort3 from ~SATHIRKA/snort3:multi_process_to_same_app_mapping to master

Squashed commit of the following:

commit 7bc7925573e5888981618557215d3398927823ce
Author: Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
Date:   Wed Jan 19 16:50:51 2022 -0500

    appid: give priority to custom process to app mappings over ODP mappings

src/network_inspectors/appid/client_plugins/efp_ca_patterns.cc
src/network_inspectors/appid/client_plugins/efp_ca_patterns.h
src/network_inspectors/appid/client_plugins/test/client_plugins_mock.h
src/network_inspectors/appid/lua_detector_api.cc

index ee047867ca889acb0b2ea70385a4ea63a754d372..ba754c5eacb2cb1ef930796aa3c096bb644340d4 100644 (file)
 
 #include "efp_ca_patterns.h"
 
+#include <algorithm>
+
 #include "log/messages.h"
 #include "utils/util.h"
 #include "appid_debug.h"
 
 using namespace snort;
+using namespace std;
 
-void EfpCaPatternMatchers::add_efp_ca_pattern(AppId app_id, const std::string& pattern_str,
-    uint8_t confidence)
+void EfpCaPatternMatchers::add_efp_ca_pattern(AppId app_id, const string& pattern_str,
+    uint8_t confidence, const string& detector)
 {
+    auto match = find_if(efp_ca_load_list.begin(), efp_ca_load_list.end(),
+        [app_id, pattern_str] (EfpCaPattern* efp_ca)
+        { return (efp_ca->pattern == pattern_str and efp_ca->app_id != app_id); });
+
+    if (match != efp_ca_load_list.end())
+        WarningMessage("appid: detector %s - process name '%s' for client app %d is already "
+            "mapped to client app %d\n", detector.c_str(), (*match)->pattern.c_str(), app_id,
+            (*match)->app_id);
+
     EfpCaPattern* new_efp_ca_pattern = new EfpCaPattern(app_id, pattern_str, confidence);
     efp_ca_load_list.push_back(new_efp_ca_pattern);
 }
@@ -44,7 +56,7 @@ static int efp_ca_pattern_match(void* id, void*, int, void* data, void*)
     return 0;
 }
 
-AppId EfpCaPatternMatchers::match_efp_ca_pattern(const std::string& pattern,
+AppId EfpCaPatternMatchers::match_efp_ca_pattern(const string& pattern,
     uint8_t reported_confidence)
 {
     EfpCaPatternList* efp_ca_match_list = new EfpCaPatternList();
@@ -55,14 +67,19 @@ AppId EfpCaPatternMatchers::match_efp_ca_pattern(const std::string& pattern,
 
     for (auto &mp : *efp_ca_match_list)
     {
-        if (reported_confidence >= mp->confidence)
+        if (mp->pattern.size() == pattern.size())
         {
-            if (!best_match or (mp->pattern.size() > best_match->pattern.size() or
-                (mp->pattern.size() == best_match->pattern.size() and
-                mp->confidence > best_match->confidence)))
-            {
+            if (reported_confidence >= mp->confidence)
                 best_match = mp;
-            }
+            else if (best_match)
+                best_match = nullptr;
+            break;
+        }
+        else if ((reported_confidence >= mp->confidence) and
+            (!best_match or (mp->pattern.size() > best_match->pattern.size())))
+        {
+            best_match = mp;
+            continue;
         }
     }
     AppId ret_app_id = APP_ID_NONE;
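Review bot: In match_efp_ca_pattern the `break` on the first exact-length entry means that when two entries carry the same process name — exactly the case the new warning in add_efp_ca_pattern reports — the winner is whichever comes first in efp_ca_match_list, so the "custom over ODP" priority this commit is about appears to rest on load/match order, and nothing in the hunk says so. A comment above `if (mp->pattern.size() == pattern.size())` should record that assumption, e.g. `// exact name match wins; with duplicate names the first entry in the match list takes precedence (callers rely on custom mappings being listed first - confirm)`. Two lines in the same hunk are dead: the trailing `continue;` at the end of the loop body does nothing, and `else if (best_match) best_match = nullptr;` is just `best_match = nullptr;`. In add_efp_ca_pattern the lambda captures pattern_str by value, copying the string for a synchronous find_if; `[app_id, &pattern_str]` avoids the copy. match_efp_ca_pattern's body continues past the end of the hunk.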
index dca3167ec1762b8d8b679aa270d461e7b8265e69..dcdb1d03ec94f90595bf8c9070621459b5a30311 100644 (file)
@@ -45,7 +45,7 @@ class EfpCaPatternMatchers
 public:
     ~EfpCaPatternMatchers();
     AppId match_efp_ca_pattern(const std::string&, uint8_t);
-    void add_efp_ca_pattern(AppId, const std::string&, uint8_t);
+    void add_efp_ca_pattern(AppId, const std::string&, uint8_t, const std::string&);
     void finalize_patterns();
     void reload_patterns();
 
index 892440618aa56cc7810cedf686d41ecde19d22c1..95148a451c55baf886d3a481a16d4c6613f9da88 100644 (file)
@@ -23,6 +23,7 @@ namespace snort
 {
 // Stubs for  messages
 void LogMessage(const char*,...) { }
+void WarningMessage(const char*,...) { }
 
 // Stubs for search_tool.cc
 SearchTool::SearchTool(char const*, bool) { }
index 2f20579adde68008df4fdf8fc9737511fd6fca6d..2fab466af904281e5ccbb3bcdce90b2a95301d3d 100644 (file)
@@ -1011,9 +1011,10 @@ static int add_process_to_client_mapping(lua_State* L)
     }
     const std::string process_name(tmp_string);
     uint8_t process_score = lua_tointeger(L, ++index);
+    const std::string detector_name = ud->get_detector()->get_name();
 
     ud->get_odp_ctxt().get_efp_ca_matchers().add_efp_ca_pattern(appid, process_name,
-        process_score);
+        process_score, detector_name);
 
     ud->get_odp_ctxt().get_app_info_mgr().set_app_info_active(appid);