Merge in SNORT/snort3 from ~SATHIRKA/snort3:eve_process_client_mapping_log to master
Squashed commit of the following:
commit
d30d6a49e5e64f14b96d461eb9d284ebf6d9a2ce
Author: Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
Date: Fri Jun 3 15:02:36 2022 -0400
appid: config for logging eve process to client mappings
// indicate the first packet from where the flow is decrypted (usually immediately
// after certificate-exchange). Such manual detection is disabled by default (0).
uint32_t first_decrypted_packet_debug = 0;
+ bool log_eve_process_client_mappings = false;
#endif
bool log_stats = false;
uint32_t app_stats_period = 300;
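Review bot: The new `log_eve_process_client_mappings` member is added without a comment, while `first_decrypted_packet_debug` directly above documents both its purpose and its default. Add `// log each EVE client-app pattern as it is added (REG_TEST builds only, off by default)` on the line before it, so the REG_TEST-only scope and the meaning of the flag are visible at the declaration rather than only inferred from the `#ifdef` two lines down and the log call in eve_ca_patterns.cc. The enclosing struct starts and ends outside the hunk.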
#ifdef REG_TEST
{ "first_decrypted_packet_debug", Parameter::PT_INT, "0:max32", "0",
"the first packet of an already decrypted SSL flow (debug single session only)" },
+ { "log_eve_process_client_mappings", Parameter::PT_BOOL, nullptr, "false",
+ "enable logging of encrypted visibility engine process to client mappings" },
#endif
{ "memcap", Parameter::PT_INT, "1024:maxSZ", "1048576",
"max size of the service cache before we start pruning the cache" },
#ifdef REG_TEST
if ( v.is("first_decrypted_packet_debug") )
config->first_decrypted_packet_debug = v.get_uint32();
+ else if ( v.is("log_eve_process_client_mappings") )
+ config->log_eve_process_client_mappings = v.get_bool();
else
#endif
if ( v.is("memcap") )
#include <algorithm>
#include "log/messages.h"
+#include "managers/inspector_manager.h"
#include "utils/util.h"
#include "appid_debug.h"
+#include "appid_inspector.h"
using namespace snort;
using namespace std;
eve_ca_pattern_matcher.add(p->pattern.data(), p->pattern.size(), p, true);
#ifdef REG_TEST
+ AppIdInspector* inspector =
+ (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true);
+ if (inspector and inspector->get_ctxt().config.log_eve_process_client_mappings)
LogMessage("Adding EVE Client App pattern %d %s %d\n",
p->app_id, p->pattern.c_str(), p->confidence);
#endif
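Review bot: The added lookup applies a C-style cast to the pointer returned by `InspectorManager::get_inspector(MOD_NAME, true)`; with `appid_inspector.h` now included in this file, it can be spelled `static_cast<AppIdInspector*>(InspectorManager::get_inspector(MOD_NAME, true));`, which is greppable and lets the compiler confirm the Inspector-to-AppIdInspector relationship instead of silently accepting any pointer type. The lookup also sits next to the per-pattern `eve_ca_pattern_matcher.add` call, so it presumably runs once for every configured pattern; if the enclosing function is called in a loop, the flag could be resolved once by the caller, though that is a change outside this hunk. The enclosing function starts and ends outside the hunk.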
#endif
#include "client_plugins/eve_ca_patterns.cc"
+#include "appid_inspector.h"
#include "client_plugins_mock.h"
#include <CppUTest/CommandLineTestRunner.h>
}
}
+Inspector* InspectorManager::get_inspector(char const*, bool, const snort::SnortConfig*)
+{
+ return nullptr;
+}
+
+AppIdContext* ctxt;
+AppIdContext& AppIdInspector::get_ctxt() const { return *ctxt; }
+
TEST_GROUP(eve_ca_patterns_tests)
{
void setup() override
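Review bot: The mock `InspectorManager::get_inspector` always returns nullptr, so the new REG_TEST logging branch in eve_ca_patterns.cc is only ever exercised on its null-inspector path, and `AppIdInspector::get_ctxt` dereferences the namespace-scope `ctxt`, which is zero-initialized and never assigned anywhere in this hunk; any future test that returns a non-null inspector would dereference null. Either make that explicit, `AppIdContext* ctxt = nullptr; // never set: the get_inspector mock returns nullptr, so get_ctxt() is not reached`, or back it with a real `AppIdContext` so the logging branch can be covered. The mock is declared with three parameters while the call site in eve_ca_patterns.cc passes two, which presumably relies on a defaulted third parameter in the real declaration; worth confirming the signatures still match. In the include hunk above, the added `#include "appid_inspector.h"` appears redundant, since `client_plugins/eve_ca_patterns.cc` is included on the preceding line and this commit adds that same header to it.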