virtual FlowData* get_stream_flow_data(const Flow* flow) = 0;
virtual void set_stream_flow_data(Flow* flow, FlowData* flow_data) = 0;
virtual void get_stream_id(const Flow* flow, int64_t& stream_id) = 0;
+ virtual void* get_hi_msg_section(const Flow* flow) = 0;
+ virtual void set_hi_msg_section(Flow* flow, void* section) = 0;
virtual AppId get_appid_from_stream(const Flow*) { return APP_ID_NONE; }
// Stream based flows should override this interface to return parent flow
// when child flow is passed as input
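Review bot: The two new accessors are pure virtual, so every existing subclass of this stream interface must now implement them or stop compiling, whereas the sibling `get_appid_from_stream` on the next line ships a default. Unless this diff covers every implementer (only the HTTP/2 one is visible here), give them the same treatment: `virtual void* get_hi_msg_section(const Flow*) { return nullptr; }` and `virtual void set_hi_msg_section(Flow*, void*) { }`. The `void*` also leaves the contract unstated; a one-line comment such as `// Non-owning HttpMsgSection* currently being inspected on this stream, nullptr when none` (or a forward-declared `HttpMsgSection*` instead of `void*`) would tell callers what they are casting to and who owns it.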
appid_config.h
appid_cip_event_handler.cc
appid_cip_event_handler.h
+ appid_data_decrypt_event_handler.cc
appid_data_decrypt_event_handler.h
appid_debug.cc
appid_debug.h
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2023 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_data_decrypt_event_handler.cc author Shibin <shikv@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "appid_data_decrypt_event_handler.h"
+
+#include "pub_sub/data_decrypt_event.h"
+
+#include "app_info_table.h"
+#include "appid_debug.h"
+#include "appid_discovery.h"
+#include "appid_http_session.h"
+#include "appid_inspector.h"
+#include "appid_session.h"
+#include "appid_session_api.h"
+#include "detection/detection_engine.h"
+
+using namespace snort;
+
+void DataDecryptEventHandler::handle(snort::DataEvent& event, snort::Flow* flow)
+{
+ assert(flow);
+ AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
+ if (!asd)
+ {
+ Packet* p = DetectionEngine::get_current_packet();
+ auto direction = p->is_from_client() ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER;
+ asd = AppIdSession::allocate_session( p, p->get_ip_proto_next(), direction,
+ inspector, *pkt_thread_odp_ctxt );
+ if (appidDebug->is_enabled())
+ {
+ appidDebug->activate(flow, asd, inspector.get_ctxt().config.log_all_sessions);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s New AppId session at Decryption event\n",
+ appidDebug->get_debug_session());
+ }
+ }
+
+ if (!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return;
+
+ const DataDecryptEvent& data_decrypt_event = static_cast<DataDecryptEvent&>(event);
+ DataDecryptEvent::StateEventType state = data_decrypt_event.get_type();
+ if (DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT == state)
+ asd->set_session_flags(APPID_SESSION_DECRYPT_MONITOR);
+ // Set a do not decrypt flag, so that an event can be generated after appid processes the packet
+ else if (DataDecryptEvent::DATA_DECRYPT_DO_NOT_DECRYPT_EVENT == state)
+ asd->set_session_flags(APPID_SESSION_DO_NOT_DECRYPT);
+}
+
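Review bot: `DetectionEngine::get_current_packet()` is dereferenced at once on the no-session path (`p->is_from_client()`, `p->get_ip_proto_next()`) with no null check; a `DataBus` handler has no guarantee that a packet is current, so add `if (!p) return;` before the `allocate_session` call. It is also worth confirming that a session created here can actually use the event: the very next test returns unless `APPID_SESSION_DISCOVER_APP` or `APPID_SESSION_SPECIAL_MONITORED` is already set, so unless `allocate_session` sets one of them the freshly allocated session falls straight into the early return and the decrypt flags are never recorded. A short comment on the allocation branch stating why a session is created on a decryption event (presumably the event can arrive before AppId has seen a packet for the flow) would help the next reader.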
#ifndef APPID_DATA_DECRYPT_EVENT_HANDLER_H
#define APPID_DATA_DECRYPT_EVENT_HANDLER_H
-#include "pub_sub/data_decrypt_event.h"
+#include "framework/data_bus.h"
-#include "appid_session.h"
+#include "appid_module.h"
class DataDecryptEventHandler : public snort::DataHandler
{
public:
- DataDecryptEventHandler() : DataHandler(MOD_NAME){ }
-
- void handle(snort::DataEvent& event, snort::Flow* flow) override
- {
- assert(flow);
- AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
- if (!asd or !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
- return;
- const DataDecryptEvent& data_decrypt_event = static_cast<DataDecryptEvent&>(event);
- DataDecryptEvent::StateEventType state = data_decrypt_event.get_type();
- if (DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT== state)
- asd->set_session_flags(APPID_SESSION_DECRYPT_MONITOR);
- // Set a do not decrypt flag, so that an event can be generated after appid processes the packet
- else if (DataDecryptEvent::DATA_DECRYPT_DO_NOT_DECRYPT_EVENT == state)
- asd->set_session_flags(APPID_SESSION_DO_NOT_DECRYPT);
- }
+ DataDecryptEventHandler(AppIdInspector& inspector) : DataHandler(MOD_NAME), inspector(inspector)
+ { }
+
+ void handle(snort::DataEvent& event, snort::Flow* flow) override;
+
+private:
+ AppIdInspector& inspector;
};
#endif
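Review bot: The header now stores an `AppIdInspector&` member but includes only `framework/data_bus.h` and `appid_module.h`; unless `appid_module.h` declares the inspector type, the header is not self-contained and should carry `class AppIdInspector;` above the class. The single-argument constructor should also be `explicit DataDecryptEventHandler(AppIdInspector& inspector)`, since a handler implicitly converting from an inspector is never intended. Note that `<cassert>` was needed by the old inline body and is no longer needed here, which is fine, but the `.cc` that now holds `assert(flow)` does not include it either.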
asd.set_service_id(APP_ID_HTTP, asd.get_odp_ctxt());
asd.set_session_flags(APPID_SESSION_SERVICE_DETECTED);
asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
+ if (asd.get_service_id() == APP_ID_HTTP3)
+ {
+ if(asd.misc_app_id == APP_ID_NONE)
+ {
+ asd.update_encrypted_app_id(APP_ID_HTTP3);
+ misc_app_id = APP_ID_QUIC;
+ change_bits.set(APPID_MISC_BIT);
+ }
+ }
}
if (!chp_finished or chp_hold_flow)
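Review bot: The guard on the new HTTP/3 branch reads `asd.misc_app_id`, but the assignment three lines later writes the unqualified `misc_app_id`; if that resolves to this object's own member rather than `asd`'s, the field being tested is not the field being set, so the guard never becomes false and `asd.misc_app_id` never receives `APP_ID_QUIC` from here. Either test and write the same field, `if (misc_app_id == APP_ID_NONE)`, or add a comment explaining why the session-level id gates the http-session-level write. The two nested `if`s can be one condition, `if (asd.get_service_id() == APP_ID_HTTP3 && ...)`. The enclosing function begins outside this hunk.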
DataBus::subscribe_global(dce_tcp_pub_key, DceTcpEventIds::EXP_SESSION, new DceExpSsnEventHandler(), *sc);
DataBus::subscribe_global(ssh_pub_key, SshEventIds::STATE_CHANGE, new SshEventHandler(), *sc);
DataBus::subscribe_global(cip_pub_key, CipEventIds::DATA, new CipEventHandler(*this), *sc);
- DataBus::subscribe_global(external_pub_key, ExternalEventIds::DATA_DECRYPT, new DataDecryptEventHandler(), *sc);
+ DataBus::subscribe_global(external_pub_key, ExternalEventIds::DATA_DECRYPT, new DataDecryptEventHandler(*this), *sc);
DataBus::subscribe_global(external_pub_key, ExternalEventIds::EVE_PROCESS,
new AppIdEveProcessEventHandler(*this), *sc);
case APP_ID_MSFT_GC_SSL:
case APP_ID_SF_APPLIANCE_MGMT:
case APP_ID_SSL:
+ case APP_ID_QUIC:
return true;
}
return true;
}
+void AppIdSession::update_encrypted_app_id(AppId)
+{
+}
+
void AppIdModule::reset_stats() {}
// AppIdDebug mock functions
bool get_tunnel_bypass() const
{ return active_tunnel_bypass > 0; }
+ ActiveActionType get_delayed_action() const
+ { return delayed_active_action; }
+
void set_delayed_action(ActiveActionType, bool force = false);
void set_delayed_action(ActiveActionType, ActiveAction* act, bool force = false);
void apply_delayed_action(Packet*);
#include "main/snort_types.h"
#include "service_inspectors/http_inspect/http_inspect.h"
+#include "service_inspectors/http_inspect/http_msg_section.h"
#include "service_inspectors/http_inspect/http_test_manager.h"
#include "http2_enum.h"
return APP_ID_HTTP2;
}
+
+void* Http2FlowStreamIntf::get_hi_msg_section(const Flow* flow)
+{
+ const Http2FlowData* const h2i_flow_data =
+ (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ HttpMsgSection* current_section = nullptr;
+ if (h2i_flow_data)
+ current_section = h2i_flow_data->get_hi_msg_section();
+ return current_section;
+}
+
+void Http2FlowStreamIntf::set_hi_msg_section(Flow* flow, void* section)
+{
+ Http2FlowData* h2i_flow_data =
+ (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+ if (h2i_flow_data)
+ h2i_flow_data->set_hi_msg_section((HttpMsgSection*)section);
+
+}
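Review bot: `set_hi_msg_section` silently does nothing when the flow carries no `Http2FlowData`, and nothing tells the caller the section was dropped; at minimum document it, `// No HTTP/2 flow data on this flow: nothing to attach the section to, caller keeps its own snapshot`, or return a bool so the caller can fall back. Both functions use C-style casts through `void*`; `static_cast<Http2FlowData*>(...)` and `static_cast<HttpMsgSection*>(section)` make the intent greppable and refuse accidental pointer-type mismatches that the C-style form accepts. The stray blank line before the closing brace of `set_hi_msg_section` can go.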
void set_stream_flow_data(snort::Flow* flow, snort::FlowData* flow_data) override;
void get_stream_id(const snort::Flow* flow, int64_t& stream_id) override;
AppId get_appid_from_stream(const snort::Flow* flow) override;
+ void* get_hi_msg_section(const snort::Flow* flow) override;
+ void set_hi_msg_section(snort::Flow* flow, void* section) override;
};
#endif
{
assert(flow != nullptr);
- if (Http2FlowData::inspector_id != 0)
+ if (flow->stream_intf)
{
- const Http2FlowData* const h2i_flow_data =
- (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
- if (h2i_flow_data != nullptr)
- return h2i_flow_data->get_hi_msg_section();
+ return (HttpMsgSection*)flow->stream_intf->get_hi_msg_section(flow);
}
HttpContextData* hcd = (HttpContextData*)DetectionEngine::get_data(HttpContextData::ips_id,
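Review bot: This changes the fallback behaviour: the old code fell through to the `HttpContextData` lookup whenever the flow had no `Http2FlowData`, while the new code returns whatever `stream_intf->get_hi_msg_section` yields, and the HTTP/2 implementation returns `nullptr` when the flow data is absent. Unless the presence of `stream_intf` guarantees the HTTP/2 flow data, keep the fallback by only returning a found section: `if (HttpMsgSection* s = (HttpMsgSection*)flow->stream_intf->get_hi_msg_section(flow)) return s;`. The function signature sits outside this hunk.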
return;
}
- Http2FlowData* h2i_flow_data = nullptr;
- if (Http2FlowData::inspector_id != 0)
- {
- h2i_flow_data = (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
- }
-
HttpMsgSection* current_section = nullptr;
- if (h2i_flow_data != nullptr)
+ if(p->flow->stream_intf)
{
- current_section = h2i_flow_data->get_hi_msg_section();
+ current_section = (HttpMsgSection*)p->flow->stream_intf->get_hi_msg_section(p->flow);
assert(current_section != nullptr);
- h2i_flow_data->set_hi_msg_section(nullptr);
+ p->flow->stream_intf->set_hi_msg_section(p->flow, nullptr);
}
else
current_section = HttpContextData::clear_snapshot(p->context);
{
assert((source_id == SRC_CLIENT) || (source_id == SRC_SERVER));
- if (Http2FlowData::inspector_id != 0)
+ if (flow->stream_intf)
{
- Http2FlowData* const h2i_flow_data = (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
- if (h2i_flow_data != nullptr)
- {
- h2i_flow_data->set_hi_msg_section(this);
- return;
- }
+ flow->stream_intf->set_hi_msg_section(flow, this);
+ return;
}
HttpContextData::save_snapshot(this);
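Review bot: The new branch returns unconditionally after `set_hi_msg_section`, but the HTTP/2 implementation is a no-op when the flow has no `Http2FlowData`, so on such a flow the section is neither stored on the stream nor saved through `HttpContextData::save_snapshot`; the old code only returned once the section had actually been stored. Either have the interface report success, or verify before returning: `flow->stream_intf->set_hi_msg_section(flow, this); if (flow->stream_intf->get_hi_msg_section(flow) == this) return;`. The enclosing function starts before this hunk.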