From: Sreeja Athirkandathil Narayanan (sathirka)
Date: Thu, 18 May 2023 15:16:52 +0000 (+0000)
Subject: Pull request #3844: appid: Added fallback check for encrypted appid before port check...
X-Git-Tag: 3.1.62.0~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05268713149dfeff9913d9c0eaffa4317d47a30b;p=thirdparty%2Fsnort3.git
Pull request #3844: appid: Added fallback check for encrypted appid before port check in SSL inspection flow
Merge in SNORT/snort3 from ~OSTEPANO/snort3:ssl_fallback_to_encrypted_appid to master
Squashed commit of the following:
commit 32a0e9b13a63fe5ccf2c9b74ca1e264b846b4f6b
Author: Oleksandr Stepanov
Date: Wed May 10 08:59:16 2023 -0400
appid: Added logic to check for encrypted appid before assigning SSL service based on port
---
diff --git a/src/network_inspectors/appid/detector_plugins/detector_smtp.cc b/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
index 0439e6971..45e7f6b49 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
@@ -797,11 +797,7 @@ int SmtpServiceDetector::validate(AppIdDiscoveryArgs& args)
 {
 if (!(dd->client.flags & CLIENT_FLAG_STARTTLS_SUCCESS))
 goto fail;
- else if (args.asd.get_session_flags(APPID_SESSION_CLIENT_DETECTED))
- {
- args.asd.clear_session_flags(APPID_SESSION_CONTINUE);
- return APPID_SUCCESS;
- }
+ goto inprocess;
 }
 if (!fd->code)
diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc
index f5aa165d1..e8e058779 100644
--- a/src/network_inspectors/appid/service_plugins/service_ssl.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc
@@ -692,7 +692,6 @@ AppId getSslServiceAppId(short srcPort)
 return APP_ID_HTTPS;
 case 448:
 return APP_ID_DDM_SSL;
- case 25:
 case 465:
 return APP_ID_SMTPS;
 case 563:
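Review bot: In detector_smtp.cc the path that passes the `CLIENT_FLAG_STARTTLS_SUCCESS` check now always reaches `goto inprocess;` and no longer clears `APPID_SESSION_CONTINUE` or returns `APPID_SUCCESS`, and nothing in the hunk shows what ends detection for a session whose remaining payload will be TLS rather than SMTP replies. If the intent is to keep the session open so the encrypted service can be assigned later, a comment above the jump should record that, for example `// STARTTLS accepted: stay in process so the encrypted appid can be resolved`. It is also worth confirming that the `inprocess` path bounds how long such a session stays unclassified, because policy that keys on the app id has nothing to match until then. The body of `validate` starts and continues outside the hunk.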
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index a2719e557..3f24dcc84 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -691,7 +691,14 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
 portAppId = getSslServiceAppId(serverPort);
 if (tp_app_id == APP_ID_SSL)
 {
- tp_app_id = portAppId;
+ if (asd.encrypted.service_id > 0)
+ {
+ tp_app_id = asd.encrypted.service_id;
+ }
+ else
+ {
+ tp_app_id = portAppId;
+ }
 //SSL policy determines IMAPS/POP3S etc before appId sees first server
 // packet
 asd.set_port_service_id(portAppId);
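Review bot: `asd.set_port_service_id(portAppId)` below the new branch still records the port-derived id even when `tp_app_id` was just taken from `asd.encrypted.service_id`, so one session can carry two different service answers. If that is intended, the branch needs its own comment, because the existing `//SSL policy determines...` comment now reads as if it covered both assignments; something like `// prefer the service identified before encryption; the port mapping is only a fallback` above the `if` would do. The `> 0` test also hides which sentinel values it excludes, and comparing against the named constant (presumably `APP_ID_NONE`) would state the intent, provided negative ids cannot occur here. `do_tp_discovery` begins and continues outside the hunk.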