Merge pull request #2098 in SNORT/snort3 from ~SAARAYA/snort3:http2_app_detection...

Squashed commit of the following:

commit 472fe39ed1ec39a11bbc0748b4f1368b8a7d6a1e
Author: Oleksii Zaika <ozaika@cisco.com>
Date:   Mon Mar 23 06:13:16 2020 -0400

    appid: use http2 inspector for detection even if third-party module is present

diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc
index cea15369e940bbf6dca73111923b60bb81d7e8f5..e2b7576251611956d4a985eacd97dae0ef91dcfb 100644 (file)
--- a/src/network_inspectors/appid/appid_http_event_handler.cc
+++ b/src/network_inspectors/appid/appid_http_event_handler.cc
@@ -51,6 +51,9 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow)
     HttpEvent* http_event = (HttpEvent*)&event;
     AppidChangeBits change_bits;
 
+    if (asd->ctxt.get_tp_appid_ctxt() && !http_event->get_is_http2())
+        return;
+
     if (appidDebug->is_active())
         LogMessage("AppIdDbg %s Processing HTTP metadata from HTTP Inspector\n",
             appidDebug->get_debug_session());

diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc
index c240838c3ae86cad893a0c22197a993e4797b8e1..ea04bd0823c9ea377ad53306c8d816aa5e34ed87 100644 (file)
--- a/src/network_inspectors/appid/appid_inspector.cc
+++ b/src/network_inspectors/appid/appid_inspector.cc
@@ -116,14 +116,12 @@ bool AppIdInspector::configure(SnortConfig* sc)
 
     ctxt->init_appid(sc);
 
-    if (!ctxt->get_tp_appid_ctxt())
-    {
-        DataBus::subscribe_global(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler(
-            HttpEventHandler::REQUEST_EVENT), sc);
+    DataBus::subscribe_global(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler(
+        HttpEventHandler::REQUEST_EVENT), sc);
+
+    DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler(
+        HttpEventHandler::RESPONSE_EVENT), sc);
 
-        DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler(
-            HttpEventHandler::RESPONSE_EVENT), sc);
-    }
     DataBus::subscribe_global(DATA_DECRYPT_EVENT, new DataDecryptEventHandler(), sc);
 
     return true;

diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc
index 277b3ea7da639b874f5477266581f1bc27f8ac77..95d3415f9ae8b3fc975a7ac46a5b7f521ef13ce1 100644 (file)
--- a/src/network_inspectors/appid/test/appid_http_event_test.cc
+++ b/src/network_inspectors/appid/test/appid_http_event_test.cc
@@ -41,6 +41,7 @@
 #include <CppUTestExt/MockSupport.h>
 
 THREAD_LOCAL AppIdDebug* appidDebug = nullptr;
+ThirdPartyAppIdContext* AppIdContext::tp_appid_ctxt = nullptr;
 void AppIdDebug::activate(const Flow*, const AppIdSession*, bool) { active = true; }
 void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
 

diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index 3b56257ac65ef3a7623727acb714cbfafd18af7e..310b5fff2438870e0fcdcb5c1267cbfe25409b05 100644 (file)
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -704,11 +704,6 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
                 // some cases.  Treat it like HTTP w/ is_http2 flag set.
                 if ((tp_app_id == APP_ID_HTTP2) && (tp_confidence == 100))
                 {
-                    if (appidDebug->is_active())
-                        LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n",
-                            appidDebug->get_debug_session());
-
-                    tp_app_id = APP_ID_HTTP;
                     asd.is_http2 = true;
                 }
                 // if the third-party appId must be treated as a client, do it now