From: Umang Sharma (umasharm) Date: Wed, 5 Jul 2023 18:42:52 +0000 (+0000) Subject: Pull request #3891: appid: Early detection of ssh and ignoring NAVL detection X-Git-Tag: 3.1.66.0~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=152da5914587499ae973d3fa70580b9de3190642;p=thirdparty%2Fsnort3.git Pull request #3891: appid: Early detection of ssh and ignoring NAVL detection Merge in SNORT/snort3 from ~UMASHARM/snort3:ssh to master Squashed commit of the following: commit 4e2f347496653738e8aaac683b157664ce24fceb Author: Umang Sharma Date: Wed Jun 21 22:14:38 2023 -0400 appid: Early detection of ssh and ignoring NAVL detection
---
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index c516feb8f..684feda22 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
@@ -93,6 +93,7 @@ namespace snort
 #define APPID_SESSION_OPPORTUNISTIC_TLS (1ULL << 44)
 #define APPID_SESSION_FIRST_PKT_CACHE_MATCHED (1ULL << 45)
 #define APPID_SESSION_DO_NOT_DECRYPT (1ULL << 46)
+#define APPID_SESSION_EARLY_SSH_DETECTED (1ULL << 47)
 #define APPID_SESSION_IGNORE_ID_FLAGS \
 (APPID_SESSION_FUTURE_FLOW | \
 APPID_SESSION_NOT_A_SERVICE | \
diff --git a/src/network_inspectors/appid/appid_ssh_event_handler.cc b/src/network_inspectors/appid/appid_ssh_event_handler.cc
index 693928a8b..a59930fd9 100644
--- a/src/network_inspectors/appid/appid_ssh_event_handler.cc
+++ b/src/network_inspectors/appid/appid_ssh_event_handler.cc
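Review bot: APPID_SESSION_EARLY_SSH_DETECTED is added without a comment, and nothing in this flag list says when it is set or cleared; the other hunks of this commit set it in do_tp_discovery when the third-party engine reports SSH and clear it in SshEventHandler::handle once the version string is accepted, none of which is discoverable from this header. A trailing comment would save the next reader a grep: `#define APPID_SESSION_EARLY_SSH_DETECTED (1ULL << 47) // set by tp discovery on a third-party SSH verdict; cleared by the ssh event handler once it confirms the version string`.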
@@ -197,16 +197,29 @@ void SshEventHandler::handle(DataEvent& event, Flow* flow)
 if (fd->finished)
 return;
 
+AppidChangeBits change_bits;
+
 switch(ssh_event.get_event_type())
 {
 case SSH_VERSION_STRING:
-if (!handle_protocol(ssh_event, fd) and appidDebug->is_active())
+if (handle_protocol(ssh_event, fd))
+{
+if (asd->get_session_flags(APPID_SESSION_EARLY_SSH_DETECTED))
+{
+if (appidDebug->is_active())
+LogMessage("AppIdDbg %s Early detection of SSH\n", appidDebug->get_debug_session());
+handle_success(*data, ssh_event, *asd, change_bits);
+asd->publish_appid_event(change_bits, *ssh_event.get_packet());
+asd->clear_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);
+}
+}
+else if (appidDebug->is_active())
 LogMessage("AppIdDbg %s SSH event handler received unsupported protocol %s\n", appidDebug->get_debug_session(), ssh_event.get_version_str().c_str());
+
 break;
 case SSH_VALIDATION:
-AppidChangeBits change_bits;
 switch (ssh_event.get_validation_result())
 {
 case SSH_VALID_KEXINIT:
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index 3f24dcc84..42f64b9dd 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -522,7 +522,7 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
 {
 AppId tp_app_id = asd.get_tp_app_id();
 
-if (tp_app_id == APP_ID_SSH && asd.get_payload_id() != APP_ID_SFTP &&
+if ((tp_app_id == APP_ID_SSH or asd.get_service_id() == APP_ID_SSH) && asd.get_payload_id() != APP_ID_SFTP &&
 asd.session_packet_count >= MIN_SFTP_PACKET_COUNT &&
 asd.session_packet_count < MAX_SFTP_PACKET_COUNT)
 {
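Review bot: The new SSH_VERSION_STRING path publishes the SSH verdict through handle_success as soon as handle_protocol accepts the version banner, before the KEXINIT check in the SSH_VALIDATION case has run, and this hunk does not show whether a later invalid validation result reverses the service id. Because the companion hunk in tp_appid_utils.cc also marks the third-party SSH verdict as ignored, a flow that merely presents an SSH-looking banner keeps that classification unless the validation branch undoes it; if that trade-off is intended, record it above the early block, e.g. `// Early, banner-only verdict: SSH_VALIDATION below is still expected to confirm or correct it`, and if it is not, gate the early publish on the validation result instead. The single-line LogMessage call added here also runs well past the width at which the existing LogMessage two lines below wraps; wrap it the same way. SshEventHandler::handle begins before this hunk and continues after it.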
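Review bot: The rewritten condition spells one operator as `or` and the rest of the same expression as `&&`, and the added parenthesised clause pushes the line well past where its continuation lines wrap; use one spelling and break after the new clause, e.g. `if ((tp_app_id == APP_ID_SSH || asd.get_service_id() == APP_ID_SSH) &&` with `asd.get_payload_id() != APP_ID_SFTP &&` on the following line. The new get_service_id() test presumably exists because the third-party SSH verdict is now ignored and the service id is set by the SSH event handler instead; a one-line comment saying so would make the two halves of the test read as intended rather than redundant. do_tp_discovery begins before this hunk and continues after it.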
@@ -601,6 +601,15 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
 assert(hsession);
 }
 
+if (tp_app_id == APP_ID_SSH)
+{
+if (appidDebug->is_active())
+LogMessage("AppIdDbg %s Setting the ignore and early detection flag\n",
+appidDebug->get_debug_session());
+asd.get_odp_ctxt().get_app_info_mgr().set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE);
+asd.set_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);
+}
+
 unsigned app_info_flags = asd.get_odp_ctxt().get_app_info_mgr().get_app_info_flags(tp_app_id, APPINFO_FLAG_TP_CLIENT | APPINFO_FLAG_IGNORE );
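Review bot: `set_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE)` writes to the app-info table owned by the ODP context, which is session-independent state, from the per-flow discovery path, so every SSH flow repeats a write to shared configuration; if that table is shared between packet threads the unsynchronized write is a data race even though the stored value never changes after the first flow, and if it is not, it is still a per-flow side effect on global state that belongs in ODP context initialisation, leaving only `asd.set_session_flags(APPID_SESSION_EARLY_SSH_DETECTED);` here. The session flag is set here and, per the event-handler hunk, cleared only when SshEventHandler::handle accepts a version string; a flow that never reaches that handler keeps the flag set, which looks harmless from this diff but deserves a comment on the flag's lifetime. The debug message reports "Setting the ignore ... flag" on every SSH flow even once the app-info flag is already set; if the write moves to initialisation, the message should move with it. do_tp_discovery begins before this hunk and continues after it.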