From: Shravan Rangarajuvenkata (shrarang) Date: Wed, 20 May 2020 18:29:25 +0000 (+0000) Subject: Merge pull request #2207 in SNORT/snort3 from ~SHRARANG/snort3:avc_http2 to master X-Git-Tag: 3.0.1-5~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=18bfb4ccc34c8656bbe0baeaa6ff42d74e06a6bf;p=thirdparty%2Fsnort3.git Merge pull request #2207 in SNORT/snort3 from ~SHRARANG/snort3:avc_http2 to master Squashed commit of the following: commit 48e8c835b254ee3a0b3bb8bd986e204d4b6a1534 Author: Shravan Rangaraju Date: Tue May 12 00:51:08 2020 -0400 appid: add api to check if appid needs inspection
---
diff --git a/src/framework/inspector.h b/src/framework/inspector.h
index 1ff8e6d24..0e64f9534 100644
--- a/src/framework/inspector.h
+++ b/src/framework/inspector.h
@@ -104,7 +104,7 @@ public: void set_service(SnortProtocolId snort_protocol_id_param) { snort_protocol_id = snort_protocol_id_param; } - SnortProtocolId get_service() { return snort_protocol_id; } + SnortProtocolId get_service() const { return snort_protocol_id; } // for well known buffers // well known buffers may be included among generic below,
@@ -132,7 +132,7 @@ public: const InspectApi* get_api() { return api; } - const char* get_name(); + const char* get_name() const; virtual bool is_control_channel() const { return false; }
@@ -197,7 +197,7 @@ struct InspectApi InspectFunc reset; // clear stats }; -inline const char* Inspector::get_name() +inline const char* Inspector::get_name() const { return api->base.name; } }
diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc
index aada456bc..13b51a12b 100644
--- a/src/network_inspectors/appid/appid_api.cc
+++ b/src/network_inspectors/appid/appid_api.cc
@@ -25,6 +25,7 @@ #include "appid_api.h" +#include "framework/inspector.h" #include "managers/inspector_manager.h" #include "utils/util.h"
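Review bot: In src/framework/inspector.h the `get_api()` accessor that appears as context in the `@@ -132,7 +132,7 @@` hunk stays non-const while `get_service()` and `get_name()` around it are made const, so a caller that only holds a `const Inspector&` still cannot reach the API table. Suggest `const InspectApi* get_api() const { return api; }` so the read-only accessors agree. The class body starts and ends outside the hunks shown.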
@@ -309,3 +310,15 @@ void AppIdApi::free_appid_session_api(AppIdSessionApi* api) { delete api; } + +bool AppIdApi::is_inspection_needed(const Inspector& inspector) const +{ + AppIdInspector* appid_inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, + true); + + if (appid_inspector and + (inspector.get_service() == appid_inspector->get_ctxt().config.snortId_for_http2)) + return true; + + return false; +}
diff --git a/src/network_inspectors/appid/appid_api.h b/src/network_inspectors/appid/appid_api.h
index fd5e175db..f0850af26 100644
--- a/src/network_inspectors/appid/appid_api.h
+++ b/src/network_inspectors/appid/appid_api.h
@@ -63,6 +63,7 @@ public: AppId& client_id, AppId& payload_id, const char* org_unit = nullptr); AppIdSessionApi* create_appid_session_api(const Flow& flow); void free_appid_session_api(AppIdSessionApi* api); + bool is_inspection_needed(const Inspector& g) const; }; SO_PUBLIC extern AppIdApi appid_api;
diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h
index c6a1e4354..8617fbcfb 100644
--- a/src/network_inspectors/appid/appid_config.h
+++ b/src/network_inspectors/appid/appid_config.h
@@ -44,10 +44,6 @@ #define MIN_MAX_PKTS_BEFORE_SERVICE_FAIL 5 #define MIN_MAX_PKT_BEFORE_SERVICE_FAIL_IGNORE_BYTES 15 -extern SnortProtocolId snortId_for_unsynchronized; -extern SnortProtocolId snortId_for_ftp_data; -extern SnortProtocolId snortId_for_http2; - class PatternClientDetector; class PatternServiceDetector;
diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc
index 89791988b..f6aac46e2 100644
--- a/src/network_inspectors/appid/test/appid_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_api_test.cc
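Review bot: In `AppIdApi::is_inspection_needed` (appid_api.cc, hunk `@@ -309,3 +310,15 @@`) the result of `InspectorManager::get_inspector(MOD_NAME, true)` is downcast with a C-style cast, which performs no type check and would silently become a reinterpret_cast if `AppIdInspector` were ever an incomplete type at this point; `auto* appid_inspector = static_cast<AppIdInspector*>(InspectorManager::get_inspector(MOD_NAME, true));` keeps the conversion explicit and greppable. The comparison also assumes `snortId_for_http2` has already been resolved: its initial value is not visible here, but if it can equal the service id of an inspector that never called `set_service`, the function would report inspection as needed for that inspector, so a guard against the unset id is worth confirming. The tail then reduces to `return appid_inspector and inspector.get_service() == appid_inspector->get_ctxt().config.snortId_for_http2;`.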
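Review bot: The declaration added to appid_api.h, `bool is_inspection_needed(const Inspector& g) const;`, names its parameter `g` while the definition in appid_api.cc calls it `inspector`, and the new public method carries no comment saying what "needed" means. Suggest `bool is_inspection_needed(const Inspector& inspector) const;` preceded by a one-line comment such as `// true when the inspector's service id equals AppId's configured snortId_for_http2`. It is also worth stating in that comment that the result is false whenever the AppId inspector cannot be looked up, since callers may otherwise read false as "checked and not needed".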
@@ -46,13 +46,22 @@ using namespace snort; +static SnortProtocolId dummy_http2_protocol_id = 1; + namespace snort { -class Inspector* InspectorManager::get_inspector(char const*, bool, const SnortConfig*) -{ return nullptr; } +class Inspector* InspectorManager::get_inspector(const char*, bool, const SnortConfig*) +{ return &dummy_appid_inspector; } + } +class DummyInspector : public snort::Inspector +{ +public: + void eval(Packet*) override {}; +}; + void DataBus::publish(const char*, DataEvent& event, Flow*) { AppidEvent* appid_event = (AppidEvent*)&event;
@@ -175,8 +184,7 @@ TEST(appid_api, produce_ha_state) ip.pton(AF_INET, "192.168.1.222"); val = appid_api.consume_ha_state(*flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066); CHECK_TRUE(val == sizeof(appHA)); - // FIXIT-E refactor below code to test AppId consume functionality - /* + AppIdSession* session = (AppIdSession*)flow->get_flow_data(AppIdSession::inspector_id); CHECK_TRUE(session); CHECK_TRUE(session->get_tp_app_id() == appHA.appId[0]);
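Review bot: The mocked `InspectorManager::get_inspector` in the `@@ -46,13 +46,22 @@` hunk now returns `&dummy_appid_inspector` for every name, so the `appid_inspector` null check in `AppIdApi::is_inspection_needed` can never fail in this binary and the new `TEST(appid_api, is_inspection_needed)` (hunk `@@ -293,10 +298,21 @@`) only covers the match and mismatch cases. Suggest having the mock return a file-static pointer, e.g. `static Inspector* mock_inspector = &dummy_appid_inspector;` with a body of `{ return mock_inspector; }`, so a test can set it to `nullptr` and assert `CHECK_FALSE(appid_api.is_inspection_needed(inspector));`. `void eval(Packet*) override {};` in `DummyInspector` also carries a stray `;`.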
@@ -184,21 +192,19 @@ TEST(appid_api, produce_ha_state) CHECK_TRUE(session->client_inferred_service_id == appHA.appId[2]); CHECK_TRUE(session->service.get_port_service_id() == appHA.appId[3]); CHECK_TRUE(session->payload.get_id() == appHA.appId[4]); - CHECK_TRUE(session->tp_payload_app_id == appHA.appId[5]); + CHECK_TRUE(session->get_tp_payload_app_id() == appHA.appId[5]); CHECK_TRUE(session->client.get_id() == appHA.appId[6]); CHECK_TRUE(session->misc_app_id == appHA.appId[7]); CHECK_TRUE(session->service_disco_state == APPID_DISCO_STATE_FINISHED); CHECK_TRUE(session->client_disco_state == APPID_DISCO_STATE_FINISHED); delete session; - */ // test logic when service app is ftp control appHA.appId[1] = APP_ID_FTP_CONTROL; mock_flow_data= nullptr; val = appid_api.consume_ha_state(*flow, (uint8_t*)&appHA, 0, IpProtocol::TCP, &ip, 1066); CHECK_TRUE(val == sizeof(appHA)); - // FIXIT-E refactor below code to test AppId consume functionality - /* + session = (AppIdSession*)flow->get_flow_data(AppIdSession::inspector_id); CHECK_TRUE(session); uint64_t flags = session->get_session_flags(APPID_SESSION_CLIENT_DETECTED |
@@ -209,7 +215,6 @@ TEST(appid_api, produce_ha_state) CHECK_TRUE(session->service_disco_state == APPID_DISCO_STATE_STATEFUL); CHECK_TRUE(session->client_disco_state == APPID_DISCO_STATE_FINISHED); delete session; - */ } TEST(appid_api, ssl_app_group_id_lookup)
@@ -283,7 +288,7 @@ TEST(appid_api, create_appid_session_api) appid_session_api = appid_api.create_appid_session_api(*flow); CHECK_FALSE(appid_session_api); - AppIdSession ignore_asd(IpProtocol::TCP, nullptr, 1492, appid_inspector); + AppIdSession ignore_asd(IpProtocol::TCP, nullptr, 1492, dummy_appid_inspector); ignore_asd.common.flow_type = APPID_FLOW_TYPE_IGNORE; flow->set_flow_data(&ignore_asd); appid_session_api = appid_api.create_appid_session_api(*flow);
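Review bot: In the `@@ -209,7 +215,6 @@` hunk the re-enabled block ends with `delete session;` and nothing after it, whereas the first re-enabled block is followed by `mock_flow_data= nullptr;` before the flow is used again. If the mocked `Flow::get_flow_data` hands back `mock_flow_data` (not visible here), the freed pointer stays reachable for whichever test runs next; adding `mock_flow_data = nullptr;` after the final `delete session;` would keep the tests independent. The body of `TEST(appid_api, produce_ha_state)` starts outside these hunks.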
@@ -293,10 +298,21 @@ TEST(appid_api, create_appid_session_api) flow = old_flow; } +TEST(appid_api, is_inspection_needed) +{ + DummyInspector inspector; + inspector.set_service(dummy_http2_protocol_id); + dummy_appid_inspector.get_ctxt().config.snortId_for_http2 = dummy_http2_protocol_id; + CHECK_TRUE(appid_api.is_inspection_needed(inspector)); + + inspector.set_service(dummy_http2_protocol_id + 1); + CHECK_FALSE(appid_api.is_inspection_needed(inspector)); +} + int main(int argc, char** argv) { mock_init_appid_pegs(); - mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, appid_inspector); + mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, dummy_appid_inspector); int rc = CommandLineTestRunner::RunAllTests(argc, argv); mock_cleanup_appid_pegs(); return rc;
diff --git a/src/network_inspectors/appid/test/appid_detector_test.cc b/src/network_inspectors/appid/test/appid_detector_test.cc
index 923a5b944..1bd157065 100644
--- a/src/network_inspectors/appid/test/appid_detector_test.cc
+++ b/src/network_inspectors/appid/test/appid_detector_test.cc
@@ -62,7 +62,7 @@ TEST_GROUP(appid_detector_tests) void setup() override { MemoryLeakWarningPlugin::turnOffNewDeleteOverloads(); - mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, appid_inspector); + mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, dummy_appid_inspector); mock_session->get_http_session(); flow = new Flow; flow->set_flow_data(mock_session);
diff --git a/src/network_inspectors/appid/test/appid_expected_flags_test.cc b/src/network_inspectors/appid/test/appid_expected_flags_test.cc
index 175c69215..5cfcfedb8 100644
--- a/src/network_inspectors/appid/test/appid_expected_flags_test.cc
+++ b/src/network_inspectors/appid/test/appid_expected_flags_test.cc
@@ -62,8 +62,8 @@ TEST_GROUP(appid_expected_flags) void setup() override { MemoryLeakWarningPlugin::turnOffNewDeleteOverloads(); - parent = new AppIdSession(IpProtocol::TCP, nullptr, 1492, appid_inspector); - expected = new AppIdSession(IpProtocol::TCP, nullptr, 1492, appid_inspector); + parent = new AppIdSession(IpProtocol::TCP, nullptr, 1492, dummy_appid_inspector); + expected = new AppIdSession(IpProtocol::TCP, nullptr, 1492, dummy_appid_inspector); } void teardown() override
diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc
index 3b2dd62ab..80186dfb2 100644
--- a/src/network_inspectors/appid/test/appid_http_event_test.cc
+++ b/src/network_inspectors/appid/test/appid_http_event_test.cc
@@ -215,7 +215,7 @@ TEST_GROUP(appid_http_event) { MemoryLeakWarningPlugin::turnOffNewDeleteOverloads(); flow = new Flow; - mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, appid_inspector); + mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, dummy_appid_inspector); mock_session->create_http_session(); flow->set_flow_data(mock_session); appidDebug = new AppIdDebug();
diff --git a/src/network_inspectors/appid/test/appid_http_session_test.cc b/src/network_inspectors/appid/test/appid_http_session_test.cc
index f6fd78cc0..156648dd7 100644
--- a/src/network_inspectors/appid/test/appid_http_session_test.cc
+++ b/src/network_inspectors/appid/test/appid_http_session_test.cc
@@ -162,7 +162,7 @@ unsigned AppIdSession::inspector_id = 0; THREAD_LOCAL AppIdDebug* appidDebug = nullptr; const SfIp* sfip = nullptr; -AppIdSession session(IpProtocol::IP, sfip, 0, appid_inspector); +AppIdSession session(IpProtocol::IP, sfip, 0, dummy_appid_inspector); AppIdHttpSession mock_hsession(session, 0); TEST_GROUP(appid_http_session)
diff --git a/src/network_inspectors/appid/test/appid_mock_definitions.h b/src/network_inspectors/appid/test/appid_mock_definitions.h
index d41b20ed8..2e343a153 100644
--- a/src/network_inspectors/appid/test/appid_mock_definitions.h
+++ b/src/network_inspectors/appid/test/appid_mock_definitions.h
@@ -27,7 +27,6 @@ #include "service_inspectors/http_inspect/http_msg_header.h" #include "utils/stats.h" -class Inspector; class ThirdPartyAppIdContext; ThirdPartyAppIdContext* tp_appid_ctxt = nullptr;
diff --git a/src/network_inspectors/appid/test/appid_mock_inspector.h b/src/network_inspectors/appid/test/appid_mock_inspector.h
index 66eb7a794..9a9aeea9d 100644
--- a/src/network_inspectors/appid/test/appid_mock_inspector.h
+++ b/src/network_inspectors/appid/test/appid_mock_inspector.h
@@ -60,7 +60,6 @@ snort::ProfileStats* AppIdModule::get_profile() const { return nullptr; } void AppIdModule::set_trace(const Trace*) const { } const TraceOption* AppIdModule::get_trace_options() const { return nullptr; } -AppIdInspector::AppIdInspector(AppIdModule& ) { } AppIdInspector::~AppIdInspector() { } void AppIdInspector::eval(snort::Packet*) { } bool AppIdInspector::configure(snort::SnortConfig*) { return true; }
@@ -70,6 +69,10 @@ void AppIdInspector::tterm() { } AppIdContext& AppIdInspector::get_ctxt() const { return *ctxt; } AppIdModule appid_mod; -AppIdInspector appid_inspector( appid_mod ); +AppIdInspector dummy_appid_inspector( appid_mod ); +AppIdConfig appid_config; +AppIdContext appid_ctxt(appid_config); + +AppIdInspector::AppIdInspector(AppIdModule& ) { ctxt = &appid_ctxt; } #endif
diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc
index d33119946..1a2fee506 100644
--- a/src/network_inspectors/appid/test/appid_session_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_session_api_test.cc
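Review bot: In appid_mock_inspector.h (hunk `@@ -70,6 +69,10 @@`) `dummy_appid_inspector` is defined before `appid_config` and `appid_ctxt`, so its constructor runs first and stores `&appid_ctxt` while that object has not been constructed yet. Only the address is taken today, so this works, but any later use of `ctxt` inside the mock constructor, or of the context inside `~AppIdInspector` (globals are destroyed in reverse order, so the context goes first), would touch an object outside its lifetime. Moving `AppIdConfig appid_config;` and `AppIdContext appid_ctxt(appid_config);` above `AppIdInspector dummy_appid_inspector( appid_mod );` makes the order match the dependency.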
@@ -57,7 +57,7 @@ TEST_GROUP(appid_session_api) void setup() override { MemoryLeakWarningPlugin::turnOffNewDeleteOverloads(); - mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, appid_inspector); + mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, dummy_appid_inspector); appid_session_api = new AppIdSessionApi(mock_session); }