Pull request #3879: appid: fix for opportunistic tls detected as ssl
authorLukasz Czarnik -X (lczarnik - SOFTSERVE INC at Cisco) <lczarnik@cisco.com>
Wed, 5 Jul 2023 14:16:25 +0000 (14:16 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Wed, 5 Jul 2023 14:16:25 +0000 (14:16 +0000)
Merge in SNORT/snort3 from ~LCZARNIK/snort3:appid_imaps to master

Squashed commit of the following:

commit 50fc3462f4f62ad0039e21ff8a103dc80fd65311
Author: Lukasz Czarnik <lczarnik@cisco.com>
Date:   Wed Jun 7 10:53:33 2023 -0400

    appid: fix for opportunistic tls detected as ssl

src/network_inspectors/appid/appid_session.h
src/network_inspectors/appid/client_plugins/client_discovery.cc
src/network_inspectors/appid/detector_plugins/detector_imap.cc
src/network_inspectors/appid/service_plugins/service_discovery.cc

index 9f4da772af1c797c462443491d17626fc978899d..b89aa8fc10500b591075f8f790ca04d3b41a071c 100644 (file)
@@ -713,6 +713,11 @@ public:
         return cip_msp;
     }
 
+    inline bool is_encrypted_oportunistic_tls_session()
+    {
+        return get_session_flags(APPID_SESSION_OPPORTUNISTIC_TLS) and !flow->flags.data_decrypted;
+    }
+    
 private:
     uint16_t prev_httpx_raw_packet = 0;
 
index 003f6ab4fe286a85cc9e483fcb43ea9dc1a5c98d..a69b8cb18395c7d842c485a7bda8527016cdd4c2 100644 (file)
@@ -333,6 +333,13 @@ bool ClientDiscovery::do_client_discovery(AppIdSession& asd, Packet* p,
         }
     }
 
+    if (asd.is_encrypted_oportunistic_tls_session() and asd.encrypted.client_id > 0)
+    {
+        asd.set_client_id(asd.encrypted.client_id);
+        asd.set_client_detected();
+        asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
+    }
+
     if (asd.client_disco_state == APPID_DISCO_STATE_STATEFUL)
     {
         if (asd.client_candidates.empty() and tp_app_id > APP_ID_NONE and
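Review bot: The new block sits before the client_disco_state check with no guard on the current state, so if do_client_discovery is reached again for later packets of the same flow it will re-apply set_client_id/set_client_detected on every call even after it has already set APPID_DISCO_STATE_FINISHED; gating it with `if (asd.client_disco_state != APPID_DISCO_STATE_FINISHED and asd.is_encrypted_oportunistic_tls_session() and ...)` would make it a one-shot transition, matching the service-side counterpart which terminates via stop_service_inspection. The comparison `asd.encrypted.client_id > 0` should use the sentinel the rest of this function already uses on L49 (`tp_app_id > APP_ID_NONE`): `asd.encrypted.client_id > APP_ID_NONE`. do_client_discovery begins and ends outside this hunk.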
index c31a0361b9759d4734b4152b0ab7b8eb6d2f47ab..3abc62ef46807e8c4607e797609355217fcd5c4b 100644 (file)
@@ -425,7 +425,7 @@ static int imap_server_validate(ImapDetectorData* dd, const uint8_t* data, uint1
         if (id->flags & IMAP_FLAG_RESULT_OK)
         {
             // FIXIT-L - this may be called from server side
-            //add_app(asd, APP_ID_IMAPS, APP_ID_IMAPS, nullptr);
+            detector->add_app(asd, APP_ID_IMAPS, APP_ID_IMAPS, nullptr, change_bits);
             asd.clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
         }
         else
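Review bot: The `// FIXIT-L - this may be called from server side` comment was the stated reason the add_app call below it was disabled; now that the call is live (with change_bits) the note is left in place unexplained, so a reader cannot tell whether the server-side concern was resolved or simply accepted. Either drop it or replace it with a comment that records the decision, e.g. `// Server-side OK result: record IMAPS now so the session keeps this id rather than being reclassified as generic SSL once it encrypts` — the purpose wording is inferred from the commit title, so confirm it matches the intent. The hunk header truncates the imap_server_validate signature, so whether `detector` and `change_bits` are parameters or captured some other way is not visible here. imap_server_validate begins and ends outside this hunk.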
index 797bd25e69400dd9b73cf25a4bf0615e643ffbaf..65bf6820ad35047f2cc396877040a09d9cf26f63 100644 (file)
@@ -637,6 +637,12 @@ bool ServiceDiscovery::do_service_discovery(AppIdSession& asd, Packet* p,
         }
     }
 
+    if (asd.is_encrypted_oportunistic_tls_session() and asd.encrypted.service_id > 0)
+    {
+        asd.set_service_id(asd.encrypted.service_id, asd.get_odp_ctxt());
+        asd.stop_service_inspection(p, direction);
+    }
+
     //stop inspection as soon as tp has classified a valid AppId later in the session
     if ( tp_app_id > APP_ID_NONE and
          asd.service_disco_state == APPID_DISCO_STATE_STATEFUL and
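Review bot: Halting inspection at `asd.stop_service_inspection(p, direction)` is keyed only on the APPID_SESSION_OPPORTUNISTIC_TLS flag plus `!flow->flags.data_decrypted`; where that flag is raised is not visible in this commit, but if it is set on the protocol-level STARTTLS acknowledgement alone, a server that answers OK and then keeps speaking plaintext would have the session labelled with encrypted.service_id and service inspection stopped without any TLS handshake ever being observed — a cheap evasion against an IDS. Consider deferring the stop until a TLS ClientHello/ServerHello has actually been seen on the flow, or at minimum documenting the dependency with `// assumes APPID_SESSION_OPPORTUNISTIC_TLS is only set once a TLS handshake has been observed — verify`. As on the client side, `asd.encrypted.service_id > 0` should be `> APP_ID_NONE` to match the comparison on L72. do_service_discovery begins and ends outside this hunk.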