Pull request #3456: appid: config for logging eve process to client mappings
authorMasud Hasan (mashasan) <mashasan@cisco.com>
Mon, 6 Jun 2022 20:46:46 +0000 (20:46 +0000)
committerMasud Hasan (mashasan) <mashasan@cisco.com>
Mon, 6 Jun 2022 20:46:46 +0000 (20:46 +0000)
Merge in SNORT/snort3 from ~SATHIRKA/snort3:eve_process_client_mapping_log to master

Squashed commit of the following:

commit d30d6a49e5e64f14b96d461eb9d284ebf6d9a2ce
Author: Sreeja Athirkandathil Narayanan <sathirka@cisco.com>
Date:   Fri Jun 3 15:02:36 2022 -0400

    appid: config for logging eve process to client mappings

src/network_inspectors/appid/appid_config.h
src/network_inspectors/appid/appid_module.cc
src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc
src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc

index 1573fd5000f9f20d182151ba6f0982fec06370fd..4aaffcffd25dfd7889843828e46e3351ac8a7b5b 100644 (file)
@@ -83,6 +83,7 @@ public:
     // indicate the first packet from where the flow is decrypted (usually immediately
     // after certificate-exchange). Such manual detection is disabled by default (0).
     uint32_t first_decrypted_packet_debug = 0;
+    bool log_eve_process_client_mappings = false;
 #endif
     bool log_stats = false;
     uint32_t app_stats_period = 300;
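Review bot: The new `log_eve_process_client_mappings` field is the only member in this stretch with no comment, while `first_decrypted_packet_debug` directly above documents what it controls and its default. A one-line comment above the field would do: `// when set, log each EVE process-to-client-app pattern as it is added (REG_TEST builds only)`. The `#endif` below suggests the field sits inside the same `#ifdef REG_TEST` block as its neighbour, but the opening directive is outside the hunk, so that placement is inferred.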
index aba51255dd83c4ff8975fbb6fe62986ef0a671bb..46b59b3e2f7f9e441e5dbfcac30f94711b95be72 100644 (file)
@@ -69,6 +69,8 @@ static const Parameter s_params[] =
 #ifdef REG_TEST
     { "first_decrypted_packet_debug", Parameter::PT_INT, "0:max32", "0",
       "the first packet of an already decrypted SSL flow (debug single session only)" },
+    { "log_eve_process_client_mappings", Parameter::PT_BOOL, nullptr, "false",
+      "enable logging of encrypted visibility engine process to client mappings" },
 #endif
     { "memcap", Parameter::PT_INT, "1024:maxSZ", "1048576",
       "max size of the service cache before we start pruning the cache" },
@@ -476,6 +478,8 @@ bool AppIdModule::set(const char*, Value& v, SnortConfig*)
 #ifdef REG_TEST
     if ( v.is("first_decrypted_packet_debug") )
         config->first_decrypted_packet_debug = v.get_uint32();
+    else if ( v.is("log_eve_process_client_mappings") )
+        config->log_eve_process_client_mappings = v.get_bool();
     else
 #endif
     if ( v.is("memcap") )
index 0a68935d37e8af81096d8485e7e9c57044bc59f9..3ff4d5e4d8dcd89fb74593a5a20d21b1392c0904 100644 (file)
 #include <algorithm>
 
 #include "log/messages.h"
+#include "managers/inspector_manager.h"
 #include "utils/util.h"
 #include "appid_debug.h"
+#include "appid_inspector.h"
 
 using namespace snort;
 using namespace std;
@@ -108,6 +110,9 @@ void EveCaPatternMatchers::finalize_patterns()
         eve_ca_pattern_matcher.add(p->pattern.data(), p->pattern.size(), p, true);
 
         #ifdef REG_TEST
+        AppIdInspector* inspector =
+            (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true);
+        if (inspector and inspector->get_ctxt().config.log_eve_process_client_mappings)
             LogMessage("Adding EVE Client App pattern %d %s %d\n",
                 p->app_id, p->pattern.c_str(), p->confidence);
         #endif
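Review bot: The `InspectorManager::get_inspector(MOD_NAME, true)` lookup and the config read are executed once per pattern, since the use of `p` suggests this `#ifdef REG_TEST` block sits inside the per-pattern loop of `finalize_patterns()`; the result does not change between iterations, so hoist it before the loop as `auto* inspector = static_cast<AppIdInspector*>(InspectorManager::get_inspector(MOD_NAME, true));` and `const bool log_mappings = inspector and inspector->get_ctxt().config.log_eve_process_client_mappings;`, leaving `if (log_mappings)` in the loop. The C-style `(AppIdInspector*)` cast should be a named `static_cast` as shown so the conversion is greppable and intent-revealing. Pulling `appid_inspector.h` and the inspector manager into a client-plugin file only to read a debug flag also couples the pattern matcher to the inspector; if the flag can be handed to `EveCaPatternMatchers` by its caller, that dependency disappears, though the call site is not visible here. `finalize_patterns()` begins and ends outside this hunk.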
index a47d9a8d36cb4e50557e832f154555efd533a32f..1304d1b6b3105033ef692bb0e3cc18bac7a80230 100644 (file)
@@ -23,6 +23,7 @@
 #endif
 
 #include "client_plugins/eve_ca_patterns.cc"
+#include "appid_inspector.h"
 #include "client_plugins_mock.h"
 
 #include <CppUTest/CommandLineTestRunner.h>
@@ -42,6 +43,14 @@ int SearchTool::find_all(const char* pattern, unsigned, MpseMatch, bool, void* d
 }
 }
 
+Inspector* InspectorManager::get_inspector(char const*, bool, const snort::SnortConfig*)
+{
+    return nullptr;
+}
+
+AppIdContext* ctxt;
+AppIdContext& AppIdInspector::get_ctxt() const { return *ctxt; }
+
 TEST_GROUP(eve_ca_patterns_tests)
 {
     void setup() override