appid_app_descriptor.h
appid_config.cc
appid_config.h
+ appid_data_decrypt_event_handler.h
appid_debug.cc
appid_debug.h
appid_detector.cc
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_data_decrypt_event_handler.h author Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
+
+#ifndef APPID_DATA_DECRYPT_EVENT_HANDLER_H
+#define APPID_DATA_DECRYPT_EVENT_HANDLER_H
+
+#include "pub_sub/data_decrypt_event.h"
+
+#include "appid_session.h"
+
+class DataDecryptEventHandler : public snort::DataHandler
+{
+public:
+ DataDecryptEventHandler() : DataHandler(MOD_NAME)
+ {
+ }
+
+ void handle(snort::DataEvent& event, snort::Flow* flow) override
+ {
+ assert(flow);
+ AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
+ if (!asd)
+ return;
+ DataDecryptEvent& data_decrypt_event = static_cast<DataDecryptEvent&>(event);
+ if (data_decrypt_event.get_type() == DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT)
+ {
+ asd->set_session_flags(APPID_SESSION_DECRYPT_MONITOR);
+ }
+ }
+
+};
+
+#endif
+
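Review bot: `handle()` calls `assert(flow)` but the header includes nothing that provides it; it compiles only because `<cassert>` arrives transitively through `appid_session.h`, and the same presumably holds for `snort::appid_api`, so the header should include `<cassert>` (and whatever declares `appid_api`) itself. The body also handles only `DATA_DECRYPT_MONITOR_EVENT` and silently drops the other two `StateEventType` values, which a reader of this file alone cannot tell is deliberate; a comment on the `if` such as `// only the monitor event is of interest to appid; DO_NOT_DECRYPT and START are ignored here` would settle it. The `static_cast<DataDecryptEvent&>` is safe only while this handler is subscribed solely under `DATA_DECRYPT_EVENT`, which is worth stating next to the cast.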
static bool is_packet_ignored(AppIdSession* asd, Packet* p, AppidSessionDirection direction)
{
- if ( p->is_rebuilt() && !p->flow->is_proxied() )
+ if ( p->is_rebuilt() and !p->flow->is_proxied())
{
// FIXIT-M: In snort2x, a rebuilt packet was ignored whether it had a session or not.
// Here, we are ignoring rebuilt packet only if it has a session. Why?
if (asd.misc_app_id == APP_ID_NONE)
asd.update_encrypted_app_id(service_id);
}
-// FIXIT-M Need to determine what api to use for this _dpd function
-#if 1
- UNUSED(is_discovery_done);
-#else
- else if (is_discovery_done && isSslServiceAppId(service_id) &&
- _dpd.isSSLPolicyEnabled(nullptr))
+ else if (is_discovery_done and asd.get_session_flags(APPID_SESSION_DECRYPT_MONITOR))
asd.set_session_flags(APPID_SESSION_CONTINUE);
-#endif
}
// Set the field that the Firewall queries to see if we have a search engine
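Review bot: The new `else if` sets `APPID_SESSION_CONTINUE` whenever discovery is done and `APPID_SESSION_DECRYPT_MONITOR` is set, but the disabled code it replaces additionally required `isSslServiceAppId(service_id)`; dropping that test widens the branch to any service id. If that is intended because the flag can only be raised by `DataDecryptEventHandler` on flows the decrypt module already selected, a comment to that effect would stop the SSL check from being re-added later: `// DECRYPT_MONITOR is only set from the data-decrypt event, so no SSL service check is needed`. If it is not intended, `and isSslServiceAppId(service_id)` belongs back in the condition. The enclosing function starts and ends outside the hunk.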
#include "profiler/profiler.h"
#include "app_forecast.h"
+#include "appid_data_decrypt_event_handler.h"
#include "appid_debug.h"
#include "appid_discovery.h"
#include "appid_http_event_handler.h"
DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler(
HttpEventHandler::RESPONSE_EVENT), sc);
}
+ DataBus::subscribe_global(DATA_DECRYPT_EVENT, new DataDecryptEventHandler(), sc);
return true;
}
void AppIdSession::check_app_detection_restart(AppidChangeBits& change_bits)
{
- if (get_session_flags(APPID_SESSION_DECRYPTED) || !flow->is_proxied())
+ if (get_session_flags(APPID_SESSION_DECRYPTED) or !flow->is_proxied())
return;
AppId service_id = pick_service_app_id();
#define APPID_SESSION_OOO_CHECK_TP (1ULL << 41)
#define APPID_SESSION_PAYLOAD_SEEN (1ULL << 42)
#define APPID_SESSION_HOST_CACHE_MATCHED (1ULL << 43)
+#define APPID_SESSION_DECRYPT_MONITOR (1ULL << 44)
#define APPID_SESSION_IGNORE_ID_FLAGS \
(APPID_SESSION_IGNORE_FLOW | \
APPID_SESSION_NOT_A_SERVICE | \
{
dd->client.flags |= CLIENT_FLAG_STARTTLS_SUCCESS;
- // FIXIT-M: Revisit SSL decryption countdown after isSSLPolicyEnabled()
- // is ported. Can we use Flow::is_proxied() here?
-#if 0
- if (_dpd.isSSLPolicyEnabled(NULL))
-#endif
-
+ #ifndef REG_TEST
+ if (args.asd.get_session_flags(APPID_SESSION_DECRYPT_MONITOR))
+ #endif
dd->client.decryption_countdown = SSL_WAIT_PACKETS; // start a countdown
-#if 0
+ #ifndef REG_TEST
else
- dd->client.decryption_countdown = 1
-#endif
+ dd->client.decryption_countdown = 1;
+ #endif
add_service(args.change_bits, args.asd, args.pkt, args.dir, APP_ID_SMTPS);
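Review bot: Splitting one `if`/`else` across two `#ifndef REG_TEST` guards makes the two build variants hard to read: under `REG_TEST` the `if`, the `else` and the `= 1` assignment all vanish and only the unconditional `SSL_WAIT_PACKETS` store remains, which means the `decryption_countdown = 1` path is never exercised by regression tests. A single `#ifdef REG_TEST ... #else ... #endif` around the whole statement states the two behaviours explicitly, and a one-line comment should say why regression builds always wait (presumably because no decrypt-monitor event is published there). The enclosing function starts and ends outside the hunk.
```cpp
    dd->client.flags |= CLIENT_FLAG_STARTTLS_SUCCESS;
#ifdef REG_TEST
    // regression builds have no decrypt-monitor publisher: always start the countdown
    dd->client.decryption_countdown = SSL_WAIT_PACKETS;
#else
    if (args.asd.get_session_flags(APPID_SESSION_DECRYPT_MONITOR))
        dd->client.decryption_countdown = SSL_WAIT_PACKETS; // start a countdown
    else
        dd->client.decryption_countdown = 1;
#endif
    // … unchanged: add_service call …
```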
set (PUB_SUB_INCLUDES
appid_events.h
cip_events.h
+ data_decrypt_event.h
daq_message_event.h
expect_events.h
finalize_packet_event.h
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//--------------------------------------------------------------------------
+
+#ifndef DATA_DECRYPT_EVENT_H
+#define DATA_DECRYPT_EVENT_H
+
+#define DATA_DECRYPT_EVENT "Data Decrypt event"
+
+class DataDecryptEvent : public snort::DataEvent
+{
+public:
+
+ enum StateEventType : uint16_t
+ {
+ DATA_DECRYPT_MONITOR_EVENT,
+ DATA_DECRYPT_DO_NOT_DECRYPT_EVENT,
+ DATA_DECRYPT_START_EVENT
+ };
+
+ DataDecryptEvent(const StateEventType& type) : m_type(type) { }
+ StateEventType get_type(void) const { return m_type; }
+
+private:
+ StateEventType m_type;
+};
+
+
+#endif //DATA_DECRYPT_EVENT_H
+
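Review bot: The header is not self-contained: `DataDecryptEvent` derives from `snort::DataEvent` and declares the enum as `uint16_t`, yet it has no `#include` at all, so it compiles only when the includer has already pulled in the DataBus header and `<cstdint>`; both includes should be added here. The constructor `DataDecryptEvent(const StateEventType& type)` takes a 16-bit enum by const reference and is a single-argument constructor without `explicit`, so `explicit DataDecryptEvent(StateEventType type) : m_type(type) { }` is the conventional form, and `get_type(void)` can drop the C-style `void`. A short comment above the enum saying which component publishes each of the three event types would also help, since nothing in this file or the handler explains the DO_NOT_DECRYPT and START values.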