From: Sreeja Athirkandathil Narayanan Date: Thu, 7 Jul 2022 17:29:33 +0000 (-0400) Subject: appid: restart inspection for ssl session inside http tunnel X-Git-Tag: 3.1.38.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e1eb850c45b71e65bbf9721b9a02366bb5c42cf;p=thirdparty%2Fsnort3.git appid: restart inspection for ssl session inside http tunnel --- diff --git a/src/network_inspectors/appid/appid_http_session.h b/src/network_inspectors/appid/appid_http_session.h index 2c7d80bac..2697b5280 100644 --- a/src/network_inspectors/appid/appid_http_session.h +++ b/src/network_inspectors/appid/appid_http_session.h @@ -147,6 +147,15 @@ public: return rcvd_full_req_body; } + void set_tunnel(bool tunnel) + { + is_tunnel = tunnel; + } + + bool get_tunnel() + { + return is_tunnel; + } protected: void init_chp_match_descriptor(ChpMatchDescriptor& cmd); @@ -187,6 +196,7 @@ protected: uint32_t http2_stream_id = 0; bool is_payload_processed = false; bool rcvd_full_req_body = false; + bool is_tunnel = false; }; #endif diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 07130602b..c58def34b 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -411,6 +411,10 @@ void AppIdSession::check_tunnel_detection_restart() if (tp_payload_app_id != APP_ID_HTTP_TUNNEL or get_session_flags(APPID_SESSION_HTTP_TUNNEL)) return; + AppIdHttpSession* hsession = get_http_session(); + if (!hsession or !hsession->get_tunnel()) + return; + if (appidDebug->is_active()) LogMessage("AppIdDbg %s Found HTTP Tunnel, restarting app Detection\n", appidDebug->get_debug_session()); 
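Review bot: `get_tunnel()` only reads `is_tunnel` yet is not declared `const`, so it cannot be called through a `const AppIdHttpSession&`; declare it as `bool get_tunnel() const`. The matching field added in the @@ -187 hunk carries no comment saying who sets it; `bool is_tunnel = false; // set by do_tp_discovery() once a "HTTP/1.1 200 " response to a detected HTTP tunnel is seen` would point readers at the one writer (tp_appid_utils.cc in this same commit). The setter itself is fine as written.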
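Review bot: The new guard makes the restart depend on `hsession->get_tunnel()` in addition to `tp_payload_app_id == APP_ID_HTTP_TUNNEL`, but nothing in the hunk records why the third-party tunnel verdict alone is no longer enough; a comment such as `// Restart only after the proxy's 200 reply to CONNECT has been seen, so detection restarts on the tunnelled bytes rather than on the CONNECT exchange` (intent presumed from the tp_appid_utils.cc hunk — confirm) would keep the two conditions from being "simplified" apart later. `get_http_session()` is called without an argument while `pick_ss_payload_app_id` indexes `api.hsessions[0]`, so when a flow has several HTTP sessions it is worth confirming that the session returned here is the one whose response set the flag. check_tunnel_detection_restart() continues past the end of the hunk.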
@@ -880,8 +884,13 @@ AppId AppIdSession::pick_ss_payload_app_id(AppId service_id) const tmp_id = api.hsessions[0]->payload.get_id(); if (tmp_id > APP_ID_NONE) { - if (tmp_id == APP_ID_HTTP_TUNNEL and tp_payload_app_id > APP_ID_NONE) - return tp_payload_app_id; + if (tmp_id == APP_ID_HTTP_TUNNEL) + { + if (api.payload.get_id() > APP_ID_NONE) + return api.payload.get_id(); + else if (tp_payload_app_id > APP_ID_NONE) + return tp_payload_app_id; + } else return tmp_id; } diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index 9133bd81e..b0119bf58 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc @@ -42,6 +42,8 @@ #include "tp_appid_utils.h" #include "tp_lib_handler.h" +#define HTTP_CONNECT_RESPONSE_LEN 13 + using namespace std; using namespace snort; @@ -655,6 +657,14 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I hsession->process_http_packet(direction, change_bits, asd.get_odp_ctxt().get_http_matchers()); + if (!hsession->get_tunnel() and (direction == APP_ID_FROM_RESPONDER) + and asd.get_tp_payload_app_id() == APP_ID_HTTP_TUNNEL) + { + if ((p->dsize >= HTTP_CONNECT_RESPONSE_LEN) and + !strncasecmp((const char*)p->data, "HTTP/1.1 200 ", HTTP_CONNECT_RESPONSE_LEN)) + hsession->set_tunnel(true); + } + if (asd.get_tp_app_id() == APP_ID_HTTP and !asd.get_session_flags(APPID_SESSION_APP_REINSPECT) and asd.is_tp_appid_available())
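Review bot: The rewritten `APP_ID_HTTP_TUNNEL` branch returns nothing when both `api.payload.get_id()` and `tp_payload_app_id` are at or below `APP_ID_NONE`: the old code returned `tmp_id` (the tunnel id) in that case, whereas the new code falls out of the `if (tmp_id > APP_ID_NONE)` block into whatever follows, which lies outside the hunk. If reporting no id for a not-yet-classified tunnel is intended, say so with a comment; otherwise keep a final `return tmp_id;` as the last statement inside the tunnel branch. `api.payload.get_id()` is also evaluated twice; hoisting it once as `const AppId payload_id = api.payload.get_id();` before the comparisons reads better. pick_ss_payload_app_id() starts and ends outside the hunk.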
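Review bot: `HTTP_CONNECT_RESPONSE_LEN` is a bare `13` that has to agree by hand with the `"HTTP/1.1 200 "` literal it bounds in the @@ -655 hunk of the same file; derive the length from the string so the two cannot drift, e.g. `static constexpr size_t HTTP_CONNECT_RESPONSE_LEN = sizeof("HTTP/1.1 200 ") - 1;`. A typed file-local constant also avoids introducing a macro name for a value only this translation unit uses.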
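Review bot: The tunnel flag is set only when a responder payload starts with `HTTP/1.1 200 `, so a proxy that answers the CONNECT with an HTTP/1.0 status line never sets `is_tunnel`, and the restart gated on it in check_tunnel_detection_restart() never fires for that flow even though the third-party engine already reported `APP_ID_HTTP_TUNNEL`; the same happens if the status line does not begin at `p->data` (presumably possible when the reply shares a segment with earlier response bytes — confirm against how packets reach this point). Matching `HTTP/1.` and the ` 200 ` status separately, rather than the full fixed prefix, would close the version gap without loosening the check; the `p->dsize >= HTTP_CONNECT_RESPONSE_LEN` guard before the compare is correct and should be kept. The block also carries no comment; `// Proxy accepted CONNECT: bytes from here on belong to the tunnelled protocol` would state why the flag is set on a 200. do_tp_discovery() starts and ends outside the hunk.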