{
std::ifstream conf_file(file_path);
if (!conf_file.is_open())
- {
- ParseError("appid: could not open %s", file_path.c_str());
return;
- }
LogMessage("AppId: Configuration file %s\n", file_path.c_str());
std::string line;
AppIdHttpSession::AppIdHttpSession(AppIdSession& asd, uint32_t http2_stream_id)
: asd(asd), http2_stream_id(http2_stream_id)
{
- for ( int i = 0; i < NUM_HTTP_FIELDS; i++)
- {
- meta_offset[i].first = 0;
- meta_offset[i].second = 0;
- }
memory::MemoryCap::update_allocations(sizeof(AppIdHttpSession));
}
const char* get_cfield(HttpFieldIds id) const
{ return meta_data[id] != nullptr ? meta_data[id]->c_str() : nullptr; }
- bool get_offset(int id, uint16_t& start, uint16_t& end) const
- {
- if ( REQ_AGENT_FID <= id and id < NUM_HTTP_FIELDS )
- {
- start = meta_offset[id].first;
- end = meta_offset[id].second;
- return true;
- }
- return false;
- }
-
- bool set_offset(int id, uint16_t start, uint16_t end)
- {
- if ( REQ_AGENT_FID <= id and id < NUM_HTTP_FIELDS )
- {
- meta_offset[id].first = start;
- meta_offset[id].second = end;
- return true;
- }
- return false;
- }
-
void set_is_webdav(bool webdav)
{ is_webdav = webdav; }
// set_field() functions in AppIdHttpSession. We do need set functions
// for this array, as old pointers need to be deleted upon set().
const std::string* meta_data[NUM_METADATA_FIELDS] = { };
- pair_t meta_offset[NUM_HTTP_FIELDS];
bool is_webdav = false;
bool chp_finished = false;
const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_len,
const uint8_t* needle, unsigned needle_len);
-#define MAX_ATTR_LEN 1024
-
#define SF_DEBUG_FILE stdout
#define MIN_SFTP_PACKET_COUNT 30
#define MAX_SFTP_PACKET_COUNT 55
chp_matchers[i].reload();
}
-typedef struct fieldPatternData_t
-{
- const uint8_t* payload;
- unsigned length;
- AppIdHttpSession* hsession;
-} FieldPatternData;
-
-static int http_field_pattern_match(void* id, void*, int match_end_pos, void* data, void*)
-{
- static const uint8_t crlf[] = "\r\n";
- static unsigned crlfLen = sizeof(crlf)-1;
- FieldPatternData* pFieldData = (FieldPatternData*)data;
- FieldPattern* target = (FieldPattern*)id;
- const uint8_t* p;
- unsigned fieldOffset = match_end_pos;
- unsigned remainingLength = pFieldData->length - fieldOffset;
-
- if (!(p = (const uint8_t*)service_strstr(&pFieldData->payload[fieldOffset], remainingLength,
- crlf, crlfLen)))
- {
- return 1;
- }
-
- pFieldData->hsession->set_offset(target->patternType, fieldOffset, p-pFieldData->payload);
-
- return 1;
-}
-
-// FIXIT-RC: Is this still necessary now that we use inspection events?
-void HttpPatternMatchers::get_http_offsets(Packet* pkt, AppIdHttpSession* hsession)
-{
- constexpr auto MIN_HTTP_REQ_HEADER_SIZE = (sizeof("GET /\r\n\r\n") - 1);
- static const uint8_t crlfcrlf[] = "\r\n\r\n";
- static unsigned crlfcrlfLen = sizeof(crlfcrlf) - 1;
- const uint8_t* headerEnd;
- FieldPatternData patternMatchData;
-
- for (int fieldId = REQ_AGENT_FID; fieldId <= REQ_COOKIE_FID; fieldId++)
- {
- pair_t off;
- if ( hsession->get_offset(fieldId, off.first, off.second) )
- hsession->set_offset(fieldId, 0, off.second);
- }
-
- if (!pkt->data || pkt->dsize < MIN_HTTP_REQ_HEADER_SIZE)
- return;
-
- patternMatchData.hsession = hsession;
- patternMatchData.payload = pkt->data;
-
- if (!(headerEnd = (const uint8_t*)service_strstr(pkt->data, pkt->dsize, crlfcrlf,
- crlfcrlfLen)))
- return;
-
- headerEnd += crlfcrlfLen;
- patternMatchData.length = (unsigned)(headerEnd - pkt->data);
- field_matcher.find_all((const char*)pkt->data, patternMatchData.length,
- &http_field_pattern_match, false, (void*)(&patternMatchData));
-}
-
static inline void free_matched_patterns(MatchedPatterns* mp)
{
while (mp)
AppId get_appid_by_content_type(const char*, int);
void get_server_vendor_version(const char*, int, char**, char**, AppIdServiceSubtype**);
void identify_user_agent(const char*, int, AppId&, AppId&, char**);
- void get_http_offsets(snort::Packet*, AppIdHttpSession*);
uint32_t parse_multiple_http_patterns(const char* pattern, tMlmpPattern*,
uint32_t numPartLimit, int level);
return nullptr;
}
-// Stubs for appid_http_session.cc
-static bool test_field_offset_set_done = false;
-
// Stubs for app_info_table.cc
AppInfoTableEntry* AppInfoManager::get_app_info_entry(int)
{
}
};
-TEST(http_url_patterns_tests, http_field_pattern_match)
-{
- FieldPatternData fpd;
- FieldPattern fp;
- pair_t off;
-
- // verify service_strstr getting called
- fp.patternType = REQ_HOST_FID;
- fpd.payload = (const uint8_t*)"Google";
- fpd.length = 6;
- fpd.hsession = &mock_hsession;
-
- test_service_strstr_enabled = false;
- test_field_offset_set_done = false;
- mock_hsession.set_offset(fp.patternType, 0, 5);
- CHECK_EQUAL(1, http_field_pattern_match(&fp, nullptr, 0, &fpd, nullptr));
- mock_hsession.get_offset(fp.patternType, off.first, off.second);
- CHECK_EQUAL(5, off.second); // check offset did not change
-
- test_service_strstr_enabled = true;
- CHECK_EQUAL(1, http_field_pattern_match(&fp, nullptr, 0, &fpd, nullptr));
- mock_hsession.get_offset(fp.patternType, off.first, off.second);
- CHECK_EQUAL(0, off.second); // if it changed, service_strstr was called
-}
-
TEST(http_url_patterns_tests, match_query_elements)
{
// null check
CHECK_EQUAL(match_tally[0].key_pattern_countdown, 0);
}
-TEST(http_url_patterns_tests, get_http_offsets)
-{
- // field_offset is set for small payload
- test_field_offset_set_done = false;
- pkt.data = (const uint8_t*)"Go";
- pkt.dsize = 2;
-
- pair_t off;
- mock_hsession.set_offset(REQ_AGENT_FID, 5, 0);
- hm->get_http_offsets(&pkt, &mock_hsession);
- mock_hsession.get_offset(REQ_AGENT_FID, off.first, off.second);
- CHECK_EQUAL(0, off.first);
-
- // find_all is not called for bigger payload when service_strstr returns nullptr
- test_service_strstr_enabled = false;
- test_find_all_done = false;
- pkt.data = (const uint8_t*)"GET http://www.w3.org HTTP/1.1";
- pkt.dsize = strlen((const char*)pkt.data);
- hm->get_http_offsets(&pkt, &mock_hsession);
- CHECK_EQUAL(false, test_find_all_done);
-
- // find_all is called for bigger payload when service_strstr returns something
- test_service_strstr_enabled = true;
- hm->get_http_offsets(&pkt, &mock_hsession);
- CHECK_EQUAL(true, test_find_all_done);
-}
-
TEST(http_url_patterns_tests, normalize_userid)
{
// no change
static HttpPatternMatchers* http_matchers;
DnsPatternMatchers::~DnsPatternMatchers() = default;
HttpPatternMatchers::~HttpPatternMatchers() = default;
-void HttpPatternMatchers::get_http_offsets(Packet*, AppIdHttpSession*) {}
SipPatternMatchers::~SipPatternMatchers() = default;
SslPatternMatchers::~SslPatternMatchers() = default;
meta_data[MISC_SERVER_FID] = new std::string(SERVER);
meta_data[MISC_XWW_FID] = new std::string(X_WORKING_WITH);
meta_data[MISC_URL_FID] = new std::string(URL);
-
- meta_offset[REQ_URI_FID].first = URI_OFFSET;
- meta_offset[REQ_URI_FID].second = URI_OFFSET + strlen(URI);
- meta_offset[REQ_COOKIE_FID].first = COOKIE_OFFSET;
- meta_offset[REQ_COOKIE_FID].second = COOKIE_OFFSET + strlen(NEW_COOKIE);
}
void reset()
// 3rd CHECK_EQUAL checks that AttributeData doesn't leak memory upon consecutive sets
// finally check that we don't leak or double free memory when caller owns it
#define SET_GET_MACRO(func) \
- ad.set_ ## func(abc.c_str(), abc.size()); \
+ ad.set_ ## func(abc.c_str(), abc.size(), true); \
outField=ad.func(0); \
CHECK_EQUAL(*outField,abc); \
outField=ad.func(0); \
CHECK_EQUAL(*outField,abc); \
- ad.set_ ## func(def.c_str(), def.size()); \
+ ad.set_ ## func(def.c_str(), def.size(), true); \
outField=ad.func(0); \
CHECK_EQUAL(*outField,def); \
outField=ad.func(1); \
delete outField;
-#define SET_GET_OFFSET_MACRO(func) \
- ad.set_ ## func(abc.c_str(), abc.size(), start, end); \
+#define SET_GET_MACRO_FRAGMENTED(func) \
+ ad.set_ ## func(abc.c_str(), abc.size(), false); \
outField=ad.func(0); \
CHECK_EQUAL(*outField,abc); \
outField=ad.func(0); \
CHECK_EQUAL(*outField,abc); \
- ad.set_ ## func(def.c_str(), def.size(), start, end); \
+ ad.set_ ## func(def.c_str(), def.size(), true); \
outField=ad.func(0); \
- CHECK_EQUAL(*outField,def); \
+ CHECK_EQUAL(*outField,abc+def); \
outField=ad.func(1); \
delete outField;
TEST(tp_appid_types, get_set)
{
ThirdPartyAppIDAttributeData ad;
- uint16_t start=0, end=3;
string abc("abc");
string def("def");
const string* outField=nullptr;
- SET_GET_OFFSET_MACRO(spdy_request_path);
+ SET_GET_MACRO(spdy_request_path);
SET_GET_MACRO(spdy_request_scheme);
- SET_GET_OFFSET_MACRO(spdy_request_host);
+ SET_GET_MACRO(spdy_request_host);
SET_GET_MACRO(http_request_url);
- SET_GET_OFFSET_MACRO(http_request_uri);
- SET_GET_OFFSET_MACRO(http_request_host);
- SET_GET_OFFSET_MACRO(http_request_cookie);
+ SET_GET_MACRO(http_request_uri);
+ SET_GET_MACRO(http_request_host);
+ SET_GET_MACRO(http_request_cookie);
SET_GET_MACRO(http_request_via);
SET_GET_MACRO(http_response_via);
- SET_GET_OFFSET_MACRO(http_request_user_agent);
+ SET_GET_MACRO(http_request_user_agent);
SET_GET_MACRO(http_response_code);
- SET_GET_MACRO(http_response_content);
- SET_GET_MACRO(http_response_location);
- SET_GET_MACRO(http_response_body);
- SET_GET_MACRO(http_request_body);
- SET_GET_MACRO(http_response_server);
- SET_GET_MACRO(http_request_x_working_with);
- SET_GET_MACRO(tls_host);
- SET_GET_MACRO(tls_cname);
- SET_GET_MACRO(tls_org_unit);
- SET_GET_OFFSET_MACRO(http_request_referer);
- SET_GET_MACRO(ftp_command_user);
+}
+
+TEST(tp_appid_types, get_set_fragmented)
+{
+ ThirdPartyAppIDAttributeData ad;
+ string abc("abc");
+ string def("def");
+ const string* outField=nullptr;
+
+ SET_GET_MACRO_FRAGMENTED(http_response_content);
+ SET_GET_MACRO_FRAGMENTED(http_response_location);
+ SET_GET_MACRO_FRAGMENTED(http_response_body);
+ SET_GET_MACRO_FRAGMENTED(http_request_body);
+ SET_GET_MACRO_FRAGMENTED(http_response_server);
+ SET_GET_MACRO_FRAGMENTED(http_request_x_working_with);
+ SET_GET_MACRO_FRAGMENTED(tls_host);
+ SET_GET_MACRO_FRAGMENTED(tls_cname);
+ SET_GET_MACRO_FRAGMENTED(tls_org_unit);
+ SET_GET_MACRO_FRAGMENTED(http_request_referer);
+ SET_GET_MACRO_FRAGMENTED(ftp_command_user);
+}
+
+TEST(tp_appid_types, max_len)
+{
+ ThirdPartyAppIDAttributeData ad;
+ char buf[3000];
+
+ for (int i = 0; i < 2999; i++)
+ buf[i] = 'a';
+
+ buf[2999] = '\0';
+ ad.set_http_request_body(buf, 2999, true);
+ string* req_body = ad.http_request_body();
+ CHECK_EQUAL(req_body->size(), MAX_ATTR_LEN);
+ for (int i = 0; i < MAX_ATTR_LEN; i++)
+ CHECK_EQUAL((*req_body)[i], 'a');
+
+ ad.set_http_request_body(buf, 2999, true, 2800);
+ req_body = ad.http_request_body();
+ CHECK_EQUAL(req_body->size(), 2800);
+ for (int i = 0; i < 2800; i++)
+ CHECK_EQUAL((*req_body)[i], 'a');
+
+ ad.set_http_request_body(buf, 2999, true, 3200);
+ req_body = ad.http_request_body();
+ CHECK_EQUAL(req_body->size(), 2999);
+ for (int i = 0; i < 2999; i++)
+ CHECK_EQUAL((*req_body)[i], 'a');
+
+ ad.set_http_request_body(buf, 1600, false);
+ ad.set_http_request_body(buf, 1600, true);
+ req_body = ad.http_request_body();
+ CHECK_EQUAL(req_body->size(), MAX_ATTR_LEN);
+ for (int i = 0; i < MAX_ATTR_LEN; i++)
+ CHECK_EQUAL((*req_body)[i], 'a');
+
+ ad.set_http_request_body(buf, 1600, false, 3200);
+ ad.set_http_request_body(buf, 1600, true, 3200);
+ req_body = ad.http_request_body();
+ CHECK_EQUAL(req_body->size(), 3200);
+ for (int i = 0; i < 3200; i++)
+ CHECK_EQUAL((*req_body)[i], 'a');
}
int main(int argc, char** argv)
#include <cstdint>
#include <string>
+#define MAX_ATTR_LEN 2048
+
using std::string;
enum TPFlags
TP_ATTR_COPY_RESPONSE_BODY = (1 << 3),
};
+static void set_attr(string*& attr, const char* buf, size_t len, bool flush, size_t max_len)
+{
+ if (!attr)
+ attr = new string(buf, len > max_len ? max_len : len);
+ else if (flush)
+ {
+ delete attr;
+ attr = new string(buf, len > max_len ? max_len : len);
+ }
+ else if (attr->size() < max_len)
+ {
+ size_t max_copy_len = max_len - attr->size();
+ attr->append(buf, len > max_copy_len ? max_copy_len : len);
+ }
+ // else, skip copy because the buffer is filled up to its limit
+}
+
#define TPAD_GET(func) \
string* func(bool caller_owns_it = false) \
{ \
return tmp; \
}
-#define TPAD_SET_OFFSET(func) \
- void set_ ## func(const char* buf, size_t len, uint16_t offset, uint16_t endOffset) \
- { \
- if (func ## _buf) \
- delete func ## _buf; \
- func ## _buf=new string(buf,len); \
- func ## _offset=offset; \
- func ## _end_offset=endOffset; \
- }
-
-#define TPAD_SET(func) \
- void set_ ## func(const char* buf, size_t len) \
- { \
- if (func ## _buf) \
- delete func ## _buf; \
- func ## _buf=new string(buf,len); \
+#define TPAD_SET(func) \
+ void set_ ## func(const char* buf, size_t len, bool last_fragment, size_t max_len = MAX_ATTR_LEN) \
+ { \
+ set_attr(func ## _buf, buf, len, func ## _flush, max_len); \
+ func ## _flush = last_fragment; \
}
// The ThirdPartyAppIDAttributeData class acts as a per packet cache for
string* ftp_command_user_buf = nullptr;
string* quic_sni_buf = nullptr;
- uint16_t http_request_uri_offset = 0;
- uint16_t http_request_uri_end_offset = 0;
-
- uint16_t http_request_cookie_offset = 0;
- uint16_t http_request_cookie_end_offset = 0;
-
- uint16_t http_request_user_agent_offset = 0;
- uint16_t http_request_user_agent_end_offset = 0;
-
- uint16_t http_request_host_offset = 0;
- uint16_t http_request_host_end_offset = 0;
-
- uint16_t http_request_referer_offset = 0;
- uint16_t http_request_referer_end_offset = 0;
-
- uint16_t spdy_request_host_offset = 0;
- uint16_t spdy_request_host_end_offset = 0;
-
- uint16_t spdy_request_path_offset = 0;
- uint16_t spdy_request_path_end_offset = 0;
+ // will be set to true after last fragment for a metadata field is received
+ bool spdy_request_path_flush = true;
+ bool spdy_request_scheme_flush = true;
+ bool spdy_request_host_flush = true;
+ bool http_request_url_flush = true;
+ bool http_request_uri_flush = true;
+ bool http_request_host_flush = true;
+ bool http_request_cookie_flush = true;
+ bool http_request_via_flush = true;
+ bool http_response_via_flush = true;
+ bool http_request_user_agent_flush = true;
+ bool http_response_code_flush = true;
+ bool http_response_content_flush = true;
+ bool http_response_location_flush = true;
+ bool http_response_body_flush = true;
+ bool http_request_body_flush = true;
+ bool http_response_server_flush = true;
+ bool http_request_x_working_with_flush = true;
+ bool tls_host_flush = true;
+ bool tls_cname_flush = true;
+ bool tls_org_unit_flush = true;
+ bool http_request_referer_flush = true;
+ bool ftp_command_user_flush = true;
+ bool quic_sni_flush = true;
// FIXIT-L: make these private too. Figure out how these get set in tp.
TPAD_GET(ftp_command_user)
TPAD_GET(quic_sni)
- uint16_t http_request_uri_begin() { return http_request_uri_offset; }
- uint16_t http_request_uri_end() { return http_request_uri_end_offset; }
-
- uint16_t http_request_cookie_begin() { return http_request_cookie_offset; }
- uint16_t http_request_cookie_end() { return http_request_cookie_end_offset; }
-
- uint16_t http_request_user_agent_begin() { return http_request_user_agent_offset; }
- uint16_t http_request_user_agent_end() { return http_request_user_agent_end_offset; }
-
- uint16_t http_request_host_begin() { return http_request_host_offset; }
- uint16_t http_request_host_end() { return http_request_host_end_offset; }
-
- uint16_t http_request_referer_begin() { return http_request_referer_offset; }
- uint16_t http_request_referer_end() { return http_request_referer_end_offset; }
-
- uint16_t spdy_request_host_begin() { return spdy_request_host_offset; }
- uint16_t spdy_request_host_end() { return spdy_request_host_end_offset; }
-
- uint16_t spdy_request_path_begin() { return spdy_request_path_offset; }
- uint16_t spdy_request_path_end() { return spdy_request_path_end_offset; }
-
// set functions
- TPAD_SET_OFFSET(spdy_request_path)
+ TPAD_SET(spdy_request_path)
TPAD_SET(spdy_request_scheme)
- TPAD_SET_OFFSET(spdy_request_host)
+ TPAD_SET(spdy_request_host)
TPAD_SET(http_request_url)
- TPAD_SET_OFFSET(http_request_uri)
- TPAD_SET_OFFSET(http_request_host)
- TPAD_SET_OFFSET(http_request_cookie)
+ TPAD_SET(http_request_uri)
+ TPAD_SET(http_request_host)
+ TPAD_SET(http_request_cookie)
TPAD_SET(http_request_via)
TPAD_SET(http_response_via)
- TPAD_SET_OFFSET(http_request_user_agent)
+ TPAD_SET(http_request_user_agent)
TPAD_SET(http_response_code)
TPAD_SET(http_response_content)
TPAD_SET(http_response_location)
TPAD_SET(tls_host)
TPAD_SET(tls_cname)
TPAD_SET(tls_org_unit)
- TPAD_SET_OFFSET(http_request_referer)
+ TPAD_SET(http_request_referer)
TPAD_SET(ftp_command_user)
TPAD_SET(quic_sni)
};
hsession->set_chp_finished(false);
hsession->set_field(REQ_HOST_FID, spdyRequestHost, change_bits);
- hsession->set_offset(REQ_HOST_FID,
- attribute_data.spdy_request_host_begin(),
- attribute_data.spdy_request_host_end());
}
if (spdyRequestPath)
hsession->set_chp_finished(false);
hsession->set_field(REQ_URI_FID, spdyRequestPath, change_bits);
- hsession->set_offset(REQ_URI_FID,
- attribute_data.spdy_request_path_begin(),
- attribute_data.spdy_request_path_end());
}
}
else
hsession->set_chp_finished(false);
hsession->set_field(REQ_HOST_FID, field, change_bits);
- hsession->set_offset(REQ_HOST_FID,
- attribute_data.http_request_host_begin(),
- attribute_data.http_request_host_end());
}
if ( (field=attribute_data.http_request_url(own)) != nullptr )
hsession->set_chp_finished(false);
hsession->set_field(REQ_URI_FID, field, change_bits);
- hsession->set_offset(REQ_URI_FID,
- attribute_data.http_request_uri_begin(),
- attribute_data.http_request_uri_end());
}
}
hsession->set_chp_finished(false);
hsession->set_field(REQ_AGENT_FID, field, change_bits);
- hsession->set_offset(REQ_AGENT_FID,
- attribute_data.http_request_user_agent_begin(),
- attribute_data.http_request_user_agent_end());
}
if ( (field=attribute_data.http_response_code(own)) != nullptr )
hsession->set_chp_finished(false);
hsession->set_field(REQ_REFERER_FID, field, change_bits);
- hsession->set_offset(REQ_REFERER_FID,
- attribute_data.http_request_referer_begin(),
- attribute_data.http_request_referer_end());
}
if ( (field=attribute_data.http_request_cookie(own)) != nullptr )
hsession->set_chp_finished(false);
hsession->set_field(REQ_COOKIE_FID, field, change_bits);
- hsession->set_offset(REQ_COOKIE_FID,
- attribute_data.http_request_cookie_begin(),
- attribute_data.http_request_cookie_end());
}
if ( (field=attribute_data.http_response_content(own)) != nullptr )
bool own = true;
const string* field = nullptr;
- if ( !hsession->get_field(MISC_URL_FID) )
- {
- if ( ( field=attribute_data.http_request_url(own) ) != nullptr )
- hsession->set_field(MISC_URL_FID, field, change_bits);
- }
+ if (!hsession->get_field(MISC_URL_FID) and
+ ((field = attribute_data.http_request_url(own)) != nullptr))
+ hsession->set_field(MISC_URL_FID, field, change_bits);
- if ( !asd.get_odp_ctxt().referred_appId_disabled &&
- !hsession->get_field(REQ_REFERER_FID) )
- {
- if ( ( field=attribute_data.http_request_referer(own) ) != nullptr )
- {
- hsession->set_field(REQ_REFERER_FID, field, change_bits);
- }
- }
+ if (!asd.get_odp_ctxt().referred_appId_disabled and
+ !hsession->get_field(REQ_REFERER_FID) and
+ ((field = attribute_data.http_request_referer(own)) != nullptr))
+ hsession->set_field(REQ_REFERER_FID, field, change_bits);
- if ( !hsession->get_field(REQ_AGENT_FID) )
- {
- if ( ( field=attribute_data.http_request_user_agent(own) ) != nullptr )
- {
- hsession->set_field(REQ_AGENT_FID, field, change_bits);
- hsession->set_offset(REQ_AGENT_FID,
- attribute_data.http_request_user_agent_begin(),
- attribute_data.http_request_user_agent_end());
- }
- }
+ if (!hsession->get_field(REQ_AGENT_FID) and
+ ((field = attribute_data.http_request_user_agent(own)) != nullptr))
+ hsession->set_field(REQ_AGENT_FID, field, change_bits);
asd.examine_rtmp_metadata(change_bits);
projects / thirdparty / snort3.git / commitdiff
