Merge pull request #1975 in SNORT/snort3 from ~THOPETER/snort3:h2i_xtra_data to master
authorMike Stepanek (mstepane) <mstepane@cisco.com>
Fri, 31 Jan 2020 14:40:15 +0000 (14:40 +0000)
committerMike Stepanek (mstepane) <mstepane@cisco.com>
Fri, 31 Jan 2020 14:40:15 +0000 (14:40 +0000)
Squashed commit of the following:

commit 7cd28267a8c166bc495818c24e33ebf930aeb25a
Author: Tom Peters <thopeter@cisco.com>
Date:   Tue Jan 28 13:57:41 2020 -0500

    http_inspect/http2_inspect: H2I unified2 extra data logging

src/service_inspectors/http2_inspect/http2_frame.h
src/service_inspectors/http2_inspect/http2_headers_frame.cc
src/service_inspectors/http2_inspect/http2_headers_frame.h
src/service_inspectors/http2_inspect/http2_inspect.cc
src/service_inspectors/http2_inspect/http2_stream.h
src/service_inspectors/http_inspect/http_context_data.cc
src/service_inspectors/http_inspect/http_context_data.h
src/service_inspectors/http_inspect/http_inspect.cc

index d1748da8272b8bbbd276140a2b54b286d5e69f78..a3080b8839254799e111440ff8520775204b1025 100644 (file)
@@ -42,6 +42,7 @@ public:
         HttpCommon::SourceId source_id);
     virtual void clear() { }
     virtual const Field& get_buf(unsigned id);
+    virtual uint32_t get_xtradata_mask() { return 0; }
 #ifdef REG_TEST
     virtual void print_frame(FILE* output);
 #endif
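Review bot: The new accessor `get_xtradata_mask()` is declared non-const although it only returns a value, so it cannot be called through a const `Http2Frame`. Declaring it `virtual uint32_t get_xtradata_mask() const { return 0; }` would fix that. The override in http2_headers_frame.h and the forwarding getter in http2_stream.h need the same qualifier in the same change, because a const/non-const mismatch stops `override` from matching. In http2_stream.h the adjacent `get_hi_msg_section()` is already const, so the new getter is the odd one out there.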
index 673acfc4f258a7ab8943c3bae6a9837a39a229e0..ddaac6e271e6250afe0ececa3843c0a411b8b0c3 100644 (file)
@@ -148,7 +148,9 @@ Http2HeadersFrame::Http2HeadersFrame(const uint8_t* header_buffer, const int32_t
         dummy_pkt.packet_flags = (source_id == SRC_CLIENT) ? PKT_FROM_CLIENT : PKT_FROM_SERVER;
         dummy_pkt.dsize = stream_buf.length;
         dummy_pkt.data = stream_buf.data;
+        dummy_pkt.xtradata_mask = 0;
         session_data->hi->eval(&dummy_pkt);
+        xtradata_mask = dummy_pkt.xtradata_mask;
     }
 }
 
index da3f80f94a98465632e5840ac594c2cf77f71ca5..f022ec2f21cecec0d8729c38607405906fe60dcb 100644 (file)
@@ -34,6 +34,7 @@ public:
     void clear() override;    
 
     const Field& get_buf(unsigned id) override;
+    uint32_t get_xtradata_mask() override { return xtradata_mask; }
 
     friend Http2Frame* Http2Frame::new_frame(const uint8_t*, const int32_t, const uint8_t*,
         const int32_t, Http2FlowData*, HttpCommon::SourceId);
@@ -54,5 +55,6 @@ private:
     const Field* start_line = nullptr;
     bool error_during_decode = false;
     bool hi_abort = false;
+    uint32_t xtradata_mask = 0;
 };
 #endif
index 0fa6646e1477df6b0e336df56bbe5740b8c5532e..809b05b82c22770076ab330cfdcae6da8095b75a 100644 (file)
@@ -129,6 +129,8 @@ void Http2Inspect::eval(Packet* p)
         session_data->frame_header_size[source_id], session_data->frame_data[source_id],
         session_data->frame_data_size[source_id], source_id);
 
+    p->xtradata_mask |= stream->get_xtradata_mask();
+
     // The current frame now owns these buffers, clear them from the flow data
     session_data->frame_header[source_id] = nullptr;
     session_data->frame_data[source_id] = nullptr;
index 3e4ff6e133d2d45e46f2091e5f55a6fc6c21af56..8a2ebed2bee01c7c29e4a016991ae3f5b1ae7512 100644 (file)
@@ -44,6 +44,8 @@ public:
         { assert(hi_flow_data == nullptr); hi_flow_data = flow_data; }
     HttpMsgSection* get_hi_msg_section() const { return hi_msg_section; }
     void set_hi_msg_section(HttpMsgSection* section) { hi_msg_section = section; }
+    uint32_t get_xtradata_mask() { return (current_frame != nullptr) ? 
+        current_frame->get_xtradata_mask() : 0; }
 #ifdef REG_TEST
     void print_frame(FILE* output);
 #endif
index f59617a730c13344b189f388b82ed6a63c9d8643..e9b912a60567dde24d029673ce78b59d0403b0a5 100644 (file)
@@ -33,19 +33,39 @@ unsigned HttpContextData::ips_id = 0;
 
 HttpMsgSection* HttpContextData::get_snapshot(const Packet* p)
 {
-    // FIXIT-H checking for nullptr prevents a crash but it doesn't solve the problem of making
-    // xtra data work with H2I
-    if ((p != nullptr) && (Http2FlowData::inspector_id != 0))
+    assert(p != nullptr);
+
+    if (Http2FlowData::inspector_id != 0)
     {
         const Http2FlowData* const h2i_flow_data =
-               (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
+            (Http2FlowData*)p->flow->get_flow_data(Http2FlowData::inspector_id);
         if (h2i_flow_data != nullptr)
             return h2i_flow_data->get_hi_msg_section();
     }
 
-    IpsContext* context = p ? p->context : nullptr;
     HttpContextData* hcd = (HttpContextData*)DetectionEngine::get_data(HttpContextData::ips_id,
-            context);
+        p->context);
+
+    if ( !hcd )
+        return nullptr;
+
+    return hcd->current_section;
+}
+
+HttpMsgSection* HttpContextData::get_snapshot(const Flow* flow)
+{
+    assert(flow != nullptr);
+
+    if (Http2FlowData::inspector_id != 0)
+    {
+        const Http2FlowData* const h2i_flow_data =
+            (Http2FlowData*)flow->get_flow_data(Http2FlowData::inspector_id);
+        if (h2i_flow_data != nullptr)
+            return h2i_flow_data->get_hi_msg_section();
+    }
+
+    HttpContextData* hcd = (HttpContextData*)DetectionEngine::get_data(HttpContextData::ips_id,
+        nullptr);
 
     if ( !hcd )
         return nullptr;
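Review bot: Both `get_snapshot` overloads now guard their pointer argument only with `assert`, which is compiled out when NDEBUG is defined, so in a release build a null `Flow*` or `Packet*` is dereferenced at `flow->get_flow_data(...)` or `p->flow` and would crash the inspector instead of skipping the extra data. The removed code tolerated a null packet at runtime, and the `get_xtra_*` callers in http_inspect.cc forward their `Flow*` unchecked while already treating a nullptr result as "nothing to log". Unless the caller contract guarantees a non-null flow (not visible from this hunk), keep a runtime guard next to the assert in the Flow overload, `if (flow == nullptr) return nullptr;`. The Packet overload also dereferences `p->flow` without a check, as the old code did, so `if (Http2FlowData::inspector_id != 0 && p->flow != nullptr)` would be the safer condition there. The Flow overload's body continues past the end of this hunk.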
index 630734532ed1059c84a1cf02d2217587dc26494c..0114d73dd728326ee87903a6b031f359e6bd4575 100644 (file)
@@ -33,6 +33,7 @@ public:
     static void init()
     { ips_id = IpsContextData::get_ips_id(); }
     static HttpMsgSection* get_snapshot(const snort::Packet* p);
+    static HttpMsgSection* get_snapshot(const snort::Flow* flow);
     static void save_snapshot(HttpMsgSection* section);
     static HttpMsgSection* clear_snapshot(snort::IpsContext* context);
     static unsigned ips_id;
index 7317a1d4058af46471261eff7f877072a8651d47..653b63f554f16c3608417da6ddfe465f85e5f0fd 100644 (file)
@@ -221,9 +221,9 @@ bool HttpInspect::get_fp_buf(InspectionBuffer::Type ibt, Packet* p, InspectionBu
     return get_buf(ibt, p, b);
 }
 
-int HttpInspect::get_xtra_trueip(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type)
+int HttpInspect::get_xtra_trueip(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
 {
-    HttpMsgSection* current_section = HttpContextData::get_snapshot(nullptr);
+    HttpMsgSection* current_section = HttpContextData::get_snapshot(flow);
 
     if (current_section == nullptr)
         return 0;
@@ -241,9 +241,9 @@ int HttpInspect::get_xtra_trueip(Flow*, uint8_t** buf, uint32_t* len, uint32_t*
     return 1;
 }
 
-int HttpInspect::get_xtra_uri(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type)
+int HttpInspect::get_xtra_uri(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
 {
-    HttpMsgSection* current_section = HttpContextData::get_snapshot(nullptr);
+    HttpMsgSection* current_section = HttpContextData::get_snapshot(flow);
 
     if (current_section == nullptr)
         return 0;
@@ -262,9 +262,9 @@ int HttpInspect::get_xtra_uri(Flow*, uint8_t** buf, uint32_t* len, uint32_t* typ
     return 1;
 }
 
-int HttpInspect::get_xtra_host(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type)
+int HttpInspect::get_xtra_host(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
 {
-    HttpMsgSection* current_section = HttpContextData::get_snapshot(nullptr);
+    HttpMsgSection* current_section = HttpContextData::get_snapshot(flow);
 
     if (current_section == nullptr)
         return 0;
@@ -286,9 +286,9 @@ int HttpInspect::get_xtra_host(Flow*, uint8_t** buf, uint32_t* len, uint32_t* ty
 // The name of this method reflects its legacy purpose. We actually return the normalized data
 // from a response message body which may include other forms of normalization in addition to
 // JavaScript normalization. But if you don't turn JavaScript normalization on you get nothing.
-int HttpInspect::get_xtra_jsnorm(Flow*, uint8_t** buf, uint32_t* len, uint32_t* type)
+int HttpInspect::get_xtra_jsnorm(Flow* flow, uint8_t** buf, uint32_t* len, uint32_t* type)
 {
-    HttpMsgSection* current_section = HttpContextData::get_snapshot(nullptr);
+    HttpMsgSection* current_section = HttpContextData::get_snapshot(flow);
 
     if ((current_section == nullptr) ||
         (current_section->get_source_id() != SRC_SERVER) ||