Pull request #3868: appid: always publish a change message after do not decrypt
authorRon Dempster (rdempste) <rdempste@cisco.com>
Wed, 7 Jun 2023 20:00:47 +0000 (20:00 +0000)
committerRon Dempster (rdempste) <rdempste@cisco.com>
Wed, 7 Jun 2023 20:00:47 +0000 (20:00 +0000)
Merge in SNORT/snort3 from ~RDEMPSTE/snort3:cert_viz_3 to master

Squashed commit of the following:

commit bac5cc09c3745ee518d865d3767f73c129ac9a18
Author: Ron Dempster (rdempste) <rdempste@cisco.com>
Date:   Wed May 31 12:39:00 2023 -0400

    appid: always publish a change message after do not decrypt

src/network_inspectors/appid/appid_data_decrypt_event_handler.h
src/network_inspectors/appid/appid_discovery.cc
src/network_inspectors/appid/appid_session.cc
src/network_inspectors/appid/appid_session_api.h

index 028ef3f659cf9f7dbd3eb2e202cef3e2a1685b9a..0a2c5a2b92539c0e99eab60d80ba6df80e744caf 100644 (file)
@@ -34,14 +34,15 @@ public:
     {
         assert(flow);
         AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
-        if (!asd or
-            !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
-                return;
+        if (!asd or !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+            return;
         const DataDecryptEvent& data_decrypt_event = static_cast<DataDecryptEvent&>(event);
-        if (data_decrypt_event.get_type() == DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT)
-        {
+        DataDecryptEvent::StateEventType state = data_decrypt_event.get_type();
+        if (DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT== state)
             asd->set_session_flags(APPID_SESSION_DECRYPT_MONITOR);
-        }
+        // Set a do not decrypt flag, so that an event can be generated after appid processes the packet
+        else if (DataDecryptEvent::DATA_DECRYPT_DO_NOT_DECRYPT_EVENT == state)
+            asd->set_session_flags(APPID_SESSION_DO_NOT_DECRYPT);
     }
 };
 
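Review bot: The comparison on the new line `if (DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT== state)` is missing the space before `==`, unlike the `else if` two lines below; write `if (DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT == state)`. Placing the explanatory comment between the `if` branch's statement and its `else if` reads as if it described the monitor branch; moving it onto the `else if` line, or bracing both branches with the comment inside the second, keeps the intent attached to the do-not-decrypt case. The enclosing handler method starts above the hunk.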
index 031b1113422e45b1b8d2e6fc6c605c9390c33dbd..dd14d28dc9eaf43eab08ae4bba44f134f83e9666 100644 (file)
@@ -315,7 +315,15 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec
     // processing it, but can continue processing the rest of the flow since
     // AppId should have seen this packet already.
     if (p->is_retry())
+    {
+        // Publish an event, if this is the first packet after appid processing
+        if (asd->get_session_flags(APPID_SESSION_DO_NOT_DECRYPT))
+        {
+            AppidChangeBits change_bits;
+            asd->publish_appid_event(change_bits, *p);
+        }
         return false;
+    }
 
     if (p->ptrs.tcph and !asd->get_session_flags(APPID_SESSION_OOO))
     {
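Review bot: The new retry-path publish relies on `publish_appid_event` clearing `APPID_SESSION_DO_NOT_DECRYPT`, which happens in another file and is not visible here; if that function can return before the clear for some session state, every retried packet would republish, so that ordering is worth a comment. The guard on the flag is also what keeps the bookkeeping at the top of `publish_appid_event` (such as `api.flags.finished`) from running on every retry, which the comment could state: `// Retried packets skip post-discovery; publish the deferred do-not-decrypt event here (publish_appid_event clears the flag)`. `asd` is dereferenced without a null check, consistent with the existing `asd->get_session_flags(APPID_SESSION_OOO)` below, so presumably a caller guarantees it. do_pre_discovery's body starts and ends outside the hunk.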
@@ -548,7 +556,7 @@ static inline bool is_check_host_cache_valid(AppIdSession& asd, AppId service_id
 bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd,
     IpProtocol protocol, AppidSessionDirection direction, AppId& service_id,
     AppId& client_id, AppId& payload_id)
-{ 
+{
     uint16_t port;
     const SfIp* ip;
 
@@ -576,8 +584,8 @@ bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd,
             client_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(client_id);
             asd.get_odp_ctxt().first_pkt_client_id = client_id;
             asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_CLIENT_APPID_FOUND;
-        } 
-        if (hv->protocol_appId) 
+        }
+        if (hv->protocol_appId)
         {
             service_id = hv->protocol_appId;
             service_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id);
@@ -586,13 +594,13 @@ bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd,
             if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_CLIENT_APPID_FOUND)
             {
                 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_CLIENT_APPID_FOUND;
-            } 
-            else 
+            }
+            else
             {
                 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_APPID_FOUND;
             }
         }
-        if (hv->web_appId) 
+        if (hv->web_appId)
         {
             payload_id = hv->web_appId;
             payload_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(payload_id);
@@ -601,23 +609,23 @@ bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd,
             if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_CLIENT_APPID_FOUND)
             {
                 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_CLIENT_PAYLOAD_APPID_FOUND;
-            } 
+            }
             else if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_SERVICE_APPID_FOUND)
             {
                 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_PAYLOAD_APPID_FOUND;
-            }   
+            }
             else if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_SERVICE_CLIENT_APPID_FOUND)
             {
                 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_ALL_APPID_FOUND;
             }
-            else 
+            else
             {
                 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_PAYLOAD_APPID_FOUND;
             }
         }
-        asd.get_odp_ctxt().need_reinspection = hv->reinspect;  
+        asd.get_odp_ctxt().need_reinspection = hv->reinspect;
 
-        switch (asd.get_odp_ctxt().first_pkt_appid_prefix) 
+        switch (asd.get_odp_ctxt().first_pkt_appid_prefix)
         {
         case FIRST_PAYLOAD_APPID_FOUND :
             service_id = payload_id;
@@ -669,23 +677,23 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto
 {
     bool is_discovery_done = false;
 
-    if (asd.session_packet_count == 1) 
+    if (asd.session_packet_count == 1)
     {
         detect_on_first_pkt(p, asd, protocol, direction, service_id, client_id, payload_id);
-    } 
+    }
 
-    if (asd.get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and !asd.get_odp_ctxt().need_reinspection) 
+    if (asd.get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and !asd.get_odp_ctxt().need_reinspection)
     {
        is_discovery_done = true;
        asd.set_session_flags(APPID_SESSION_SERVICE_DETECTED);
-       asd.client_disco_state = APPID_DISCO_STATE_FINISHED; 
+       asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
        asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
        service_id = asd.pick_service_app_id();
        client_id = asd.pick_ss_client_app_id();
        payload_id = asd.pick_ss_payload_app_id(service_id);
-       
+
        return is_discovery_done;
-    }  
+    }
 
     asd.check_app_detection_restart(change_bits, tp_appid_ctxt);
 
@@ -895,7 +903,7 @@ void AppIdDiscovery::do_post_discovery(Packet* p, AppIdSession& asd,
     }
 
     if (PacketTracer::is_daq_activated())
-        populate_trace_data(asd); 
+        populate_trace_data(asd);
 
     asd.publish_appid_event(change_bits, *p);
 }
index 2c833519c77fbc853fa9563307ee8a1c68fcb5a8..ac655792e551e246a16cea448f9f07025e395e38 100644 (file)
@@ -823,7 +823,7 @@ AppId AppIdSession::pick_service_app_id() const
             return tp_app_id;
         else if (odp_ctxt.first_pkt_service_id > APP_ID_NONE)
             return odp_ctxt.first_pkt_service_id;
-    }   
+    }
 
     if (client_inferred_service_id > APP_ID_NONE)
         return client_inferred_service_id;
@@ -895,8 +895,8 @@ AppId AppIdSession::pick_ss_client_app_id() const
 
 AppId AppIdSession::check_first_pkt_tp_payload_app_id() const
 {
-    if (get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and 
-        (api.payload.get_id() <= APP_ID_NONE))    
+    if (get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and
+        (api.payload.get_id() <= APP_ID_NONE))
     {
         if ((odp_ctxt.first_pkt_payload_id > APP_ID_NONE) and (tp_payload_app_id > APP_ID_NONE))
         {
@@ -939,7 +939,7 @@ AppId AppIdSession::pick_ss_payload_app_id(AppId service_id) const
     AppId first_pkt_payload_appid = check_first_pkt_tp_payload_app_id();
     if (first_pkt_payload_appid > APP_ID_NONE)
         return first_pkt_payload_appid;
-    
+
     if (api.payload.get_id() > APP_ID_NONE)
         return api.payload.get_id();
 
@@ -1207,7 +1207,10 @@ void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packe
         api.flags.finished = true;
     }
 
-    if (change_bits.none())
+    // Publish an event, if this is the first packet after appid processing
+    if (get_session_flags(APPID_SESSION_DO_NOT_DECRYPT))
+        clear_session_flags(APPID_SESSION_DO_NOT_DECRYPT);
+    else if (change_bits.none())
         return;
 
     AppidEvent app_event(change_bits, is_httpx, httpx_stream_index, api, p);
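Review bot: With `APPID_SESSION_DO_NOT_DECRYPT` set, the event is now published even when `change_bits.none()`, so subscribers receive an `AppidEvent` whose change bits are all clear; any subscriber that assumes at least one bit is set per event would need to be checked, and setting a dedicated change bit for this case, if one exists, would let subscribers tell why the event fired. The added comment repeats the one in `do_pre_discovery` but does not say why the flag is cleared; `// One-shot: a do-not-decrypt event forces one publish even with no change bits, then the flag is cleared` makes the read-then-clear obvious. The enclosing function starts before the hunk.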
index 31d9e7895e7b31258e0729eadef84cb5ac6b4338..c516feb8f45031d2e5751e68f72fc3d3533e6abb 100644 (file)
@@ -92,6 +92,7 @@ namespace snort
 #define APPID_SESSION_HTTP_TUNNEL           (1ULL << 43)
 #define APPID_SESSION_OPPORTUNISTIC_TLS     (1ULL << 44)
 #define APPID_SESSION_FIRST_PKT_CACHE_MATCHED    (1ULL << 45)
+#define APPID_SESSION_DO_NOT_DECRYPT        (1ULL << 46)
 #define APPID_SESSION_IGNORE_ID_FLAGS \
     (APPID_SESSION_FUTURE_FLOW | \
     APPID_SESSION_NOT_A_SERVICE | \
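Review bot: The new `APPID_SESSION_DO_NOT_DECRYPT` bit carries no comment while its semantics (set by the data-decrypt handler, consumed and cleared on the next publish) live in two other files; a trailing note such as `// one-shot: forces an appid event after a do-not-decrypt event, cleared on publish` keeps the bit documented where it is defined. Bit 46 follows 45 contiguously in the visible lines; if any flag is defined beyond this hunk, confirm the value is not already taken. It is not added to `APPID_SESSION_IGNORE_ID_FLAGS`, which looks intended since it is session state rather than an id flag, but is worth confirming.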