From: Russ Combs (rucombs) Date: Thu, 13 Oct 2016 20:01:01 +0000 (-0400) Subject: Merge pull request #668 in SNORT/snort3 from appid_triage_fixits to master X-Git-Tag: 3.0.0-233~222 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b6adc836d276d7378d5a7e30af08a9aa778e13b;p=thirdparty%2Fsnort3.git Merge pull request #668 in SNORT/snort3 from appid_triage_fixits to master Squashed commit of the following: commit d52f891ae706f2ab5ea303a9b204e2589bfedb4c Author: davis mcpherson Date: Tue Sep 27 16:26:08 2016 -0400 only log unknow appid if it is non-zero fix snort2lua to output 'log_stats true' for appid 'app_stats_filename' option' init static thread local variable for client app config fix issues from code review comments, u_int8_t->uint8_t, type/var/field renames to conform to coding style fix coding style naming issue refactor function/var names to meet snort3 coding style change smOrderList to be std::vector to eliminate calloc/realloc logic for dynamic array convert chp match tally to use std::vector convert app info tables to std::map container improve implementation of lua detector manager, add custom lua detectors fix threading issues with add snort protocol references workaround for bogus ASAN mem leak detected updates from PR review comments test dir is old deprecated code for the most part, deleting to reduce appid cruft! 'session' has a specific meaning in snort3 so change vars named 'session' to 'asd' (appid session data) update unit test to conform with change to assert if args parameter is null restore correct snort_manual.html document --- diff --git a/src/flow/flow.h b/src/flow/flow.h index a0819b61c..3ed21a398 100644 --- a/src/flow/flow.h +++ b/src/flow/flow.h @@ -83,7 +83,7 @@ #define STREAM_STATE_IGNORE 0x1000 #define STREAM_STATE_NO_PICKUP 0x2000 -// FIXIT-L: move to appid class if/when the application ids array +// FIXIT-L move to appid class if/when the application ids array // is moved typedef int32_t AppId; enum AppProtoIdIndex diff --git a/src/log/unified2.h b/src/log/unified2.h index 4fb0e3b5a..fac1640da 100644 --- a/src/log/unified2.h +++ b/src/log/unified2.h @@ -46,6 +46,7 @@ #define UNIFIED2_IDS_EVENT_VLAN 104 #define UNIFIED2_IDS_EVENT_IPV6_VLAN 105 #define UNIFIED2_EXTRA_DATA 110 +#define UNIFIED2_IDS_EVENT_APPSTAT 113 /* Data structure used for serialization of Unified2 Records */ typedef struct _Serial_Unified2_Header diff --git a/src/network_inspectors/appid/app_forecast.cc b/src/network_inspectors/appid/app_forecast.cc index e3cea62d0..2313e6ea0 100644 --- a/src/network_inspectors/appid/app_forecast.cc +++ b/src/network_inspectors/appid/app_forecast.cc @@ -24,7 +24,6 @@ #include "hash/sfxhash.h" #include "time/packet_time.h" #include "log/messages.h" - #include "application_ids.h" static AFActKey master_key; @@ -83,7 +82,7 @@ void add_af_indicator(ApplicationId indicator, ApplicationId forecast, Applicati ErrorMessage("LuaDetectorApi:Failed to add AFElement for appId %d", indicator); } -static inline void rekeyMasterAFActKey(Packet* p, int dir, ApplicationId forecast) +static inline void rekey_master_AF_key(Packet* p, int dir, ApplicationId forecast) { const sfip_t* src = dir ? p->ptrs.ip_api.get_dst() : p->ptrs.ip_api.get_src(); @@ -93,13 +92,13 @@ static inline void rekeyMasterAFActKey(Packet* p, int dir, ApplicationId forecas master_key.forecast = forecast; } -void checkSessionForAFIndicator(Packet* p, int dir, ApplicationId indicator) +void check_session_for_AF_indicator(Packet* p, int dir, ApplicationId indicator) { AFElement* ind_element; if (!(ind_element = (AFElement*)sfxhash_find(AF_indicators, &indicator))) return; - rekeyMasterAFActKey(p, dir, ind_element->forecast); + rekey_master_AF_key(p, dir, ind_element->forecast); AFActVal* test_active_value; if ((test_active_value = (AFActVal*)sfxhash_find(AF_actives, &master_key))) @@ -116,11 +115,11 @@ void checkSessionForAFIndicator(Packet* p, int dir, ApplicationId indicator) sfxhash_add(AF_actives, &master_key, &new_active_value); } -AppId checkSessionForAFForecast(AppIdSession* session, Packet* p, int dir, ApplicationId forecast) +AppId check_session_for_AF_forecast(AppIdSession* asd, Packet* p, int dir, ApplicationId forecast) { AFActVal* check_act_val; - rekeyMasterAFActKey(p, dir, forecast); + rekey_master_AF_key(p, dir, forecast); //get out if there is no value if (!(check_act_val = (AFActVal*)sfxhash_find(AF_actives, &master_key))) @@ -135,7 +134,7 @@ AppId checkSessionForAFForecast(AppIdSession* session, Packet* p, int dir, Appli return APP_ID_UNKNOWN; } - session->payload_app_id = check_act_val->target; + asd->payload_app_id = check_act_val->target; return forecast; } diff --git a/src/network_inspectors/appid/app_forecast.h b/src/network_inspectors/appid/app_forecast.h index ffb26f20c..37eefca0d 100644 --- a/src/network_inspectors/appid/app_forecast.h +++ b/src/network_inspectors/appid/app_forecast.h @@ -27,7 +27,6 @@ #include #include "appid_api.h" -#include "appid_config.h" #include "protocols/packet.h" #include "appid_session.h" @@ -63,10 +62,9 @@ struct AFActVal int init_appid_forecast(); void clean_appid_forecast(); -void add_af_indicator(ApplicationId indicator, ApplicationId forecast, ApplicationId target ); - -void checkSessionForAFIndicator(Packet*, int, ApplicationId); -AppId checkSessionForAFForecast(AppIdSession*, Packet*, int, ApplicationId); +void add_af_indicator(ApplicationId, ApplicationId, ApplicationId); +void check_session_for_AF_indicator(Packet*, int, ApplicationId); +AppId check_session_for_AF_forecast(AppIdSession*, Packet*, int, ApplicationId); #endif diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc index 8af7c8562..735298ec1 100644 --- a/src/network_inspectors/appid/app_info_table.cc +++ b/src/network_inspectors/appid/app_info_table.cc @@ -26,136 +26,23 @@ #endif #include "application_ids.h" - #include "log/messages.h" -#include "hash/sfghash.h" #include "main/snort_debug.h" -#include "target_based/snort_protocols.h" #include "utils/util.h" +#include "service_plugins/service_util.h" #define MAX_TABLE_LINE_LEN 1024 #define CONF_SEPARATORS "\t\n\r" #define MIN_MAX_TP_FLOW_DEPTH 1 #define MAX_MAX_TP_FLOW_DEPTH 1000000 -struct DynamicArray -{ - AppInfoTableEntry** table; - size_t indexStart; - size_t indexCurrent; - size_t usedCount; - size_t allocatedCount; - size_t stepSize; -}; - -static AppInfoTableEntry* AppInfoList = nullptr; -static AppInfoTableEntry* AppInfoTable[SF_APPID_MAX] = { nullptr }; -static AppInfoTableEntry* AppInfoTableByService[SF_APPID_MAX] = { nullptr }; -static AppInfoTableEntry* AppInfoTableByClient[SF_APPID_MAX] = { nullptr }; -static AppInfoTableEntry* AppInfoTableByPayload[SF_APPID_MAX] = { nullptr }; -static SFGHASH* AppNameHash = nullptr; -static THREAD_LOCAL DynamicArray* AppInfoTableDyn = nullptr; - -static inline DynamicArray* dynamicArrayCreate(unsigned indexStart) -{ - DynamicArray* array; - - array = (DynamicArray*)snort_calloc(sizeof(DynamicArray)); - array->stepSize = 1; - array->indexStart = indexStart; - return array; -} - -static inline void dynamicArrayDestroy(DynamicArray* array) -{ - unsigned i; - AppInfoTableEntry* entry; - - if (!array) - return; - for (i = 0; i < array->usedCount; i++) - { - entry = array->table[i]; - snort_free(entry->appName); - snort_free(entry); - } - - // FIXIT - array table is still alloc'ed with calloc/realloc - free(array->table); - snort_free(array); -} - -static inline void dynamicArraySetIndex(DynamicArray* array, unsigned index, - AppInfoTableEntry* data) -{ - if (index >= array->indexStart && index < (array->indexStart + array->usedCount)) - array->table[index - array->indexStart] = data; -} - -static inline AppInfoTableEntry* dynamicArrayGetIndex(DynamicArray* array, unsigned index) -{ - // FIXIT-H: appid stats dumped from main thread at snort exit happens after the array has been - // freed - if(!array) - return nullptr; - - if (index >= array->indexStart && index < (array->indexStart + array->usedCount)) - return array->table[index - array->indexStart]; - return nullptr; -} - -static inline bool dynamicArrayCreateIndex(DynamicArray* array, unsigned* index) -{ - if (array->usedCount == array->allocatedCount) - { - AppInfoTableEntry** tmp = - (AppInfoTableEntry**)realloc(array->table, - (array->allocatedCount + array->stepSize) * sizeof(*tmp)); - if (!tmp) - { - return false; - } - array->table = tmp; - array->allocatedCount += array->stepSize; - } - *index = array->indexStart + (array->usedCount++); - return true; -} - -static inline void* dynamicArrayGetFirst(DynamicArray* array) -{ - AppInfoTableEntry* entry; - for (array->indexCurrent = 0; array->indexCurrent < array->usedCount; array->indexCurrent++) - { - if ((entry = array->table[array->indexCurrent])) - return entry; - } - return nullptr; -} - -static inline void* dynamicArrayGetNext(DynamicArray* array) -{ - AppInfoTableEntry* entry; - for (array->indexCurrent++; array->indexCurrent < array->usedCount; array->indexCurrent++) - { - if ((entry = array->table[array->indexCurrent])) - return entry; - } - return nullptr; -} - -static SFGHASH* appNameHashInit() -{ - SFGHASH* appNameHash; - appNameHash = sfghash_new(65, 0, 0 /* alloc copies of lowercased keys */, nullptr); - return appNameHash; -} - -void appNameHashFini() -{ - if (AppNameHash) - sfghash_delete(AppNameHash); -} +static AppInfoTable app_info_table; +static AppInfoTable app_info_service_table; +static AppInfoTable app_info_client_table; +static AppInfoTable app_info_payload_table; +static AppInfoNameTable app_info_name_table; +static AppId next_custom_appid = SF_APPID_DYNAMIC_MIN; +static AppInfoTable custom_app_info_table; static inline char* strdupToLower(const char* source) { @@ -171,62 +58,38 @@ static inline char* strdupToLower(const char* source) return dest; } -static void appNameHashAdd(SFGHASH* appNameHash, const char* appName, void* data) +static bool is_existing_entry(AppInfoTableEntry* entry) { - char* searchName; - int errCode; + AppInfoNameTable::iterator app; - if (!appName || !appNameHash) - return; - - searchName = strdupToLower(appName); - if (SFGHASH_OK == (errCode = sfghash_add(appNameHash, searchName, data))) - { - DebugFormat(DEBUG_INSPECTOR, "App name added for %s\n", appName); - } - else if (SFGHASH_INTABLE == errCode) - { - /* Note that, although this entry is not placed in the hash table, - being a duplicate, it remains in the list of allocated entries - for cleanup by appInfoTableFini() */ - - // Rediscover the existing, hashed entry for the purpose of a complete error message. - AppInfoTableEntry* tableEntry = (AppInfoTableEntry*)sfghash_find(appNameHash, searchName); - - if (tableEntry) - { - ErrorMessage("App name, \"%s\", is a duplicate of \"%s\" and has been ignored.\n", - appName, tableEntry->appName); - } - else - { - ErrorMessage("App name, \"%s\", has been ignored. Hash key \"%s\" is not unique.\n", - appName, searchName); - } - } - snort_free(searchName); + app = app_info_name_table.find(entry->app_name_key); + return app != app_info_name_table.end(); } -static void* appNameHashFind(SFGHASH* appNameHash, const char* appName) +static AppInfoTableEntry* find_app_info_by_name(const char* app_name) { - void* data; - char* searchName; - - if (!appName || !appNameHash) - return nullptr; + AppInfoTableEntry* entry = nullptr; + AppInfoNameTable::iterator app; + const char* search_name = strdupToLower(app_name); - searchName = strdupToLower(appName); - data = sfghash_find(appNameHash, searchName); - snort_free(searchName); + app = app_info_name_table.find(search_name); + if( app != app_info_name_table.end() ) + entry = app->second; - return data; + snort_free((void*)search_name); + return entry; } -// End of appName hash - -static void load_appid_config(const char* path); +static void add_entry_to_app_info_hash(const char* app_name, AppInfoTableEntry* entry) +{ + if( !is_existing_entry(entry) ) + app_info_name_table[app_name] = entry; + else + WarningMessage("App name, \"%s\"is a duplicate existing entry will be shared by each detector.\n", + app_name); +} -static AppId getAppIdStaticIndex(AppId appid) +static AppId get_static_app_info_entry(AppId appid) { if (appid > 0 && appid < SF_APPID_BUILDIN_MAX) return appid; @@ -235,290 +98,129 @@ static AppId getAppIdStaticIndex(AppId appid) return 0; } -AppInfoTableEntry* appInfoEntryGet(AppId appId) +AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId appId, const AppInfoTable& lookup_table) { AppId tmp; - if ((tmp = getAppIdStaticIndex(appId))) - return AppInfoTable[tmp]; - return dynamicArrayGetIndex(AppInfoTableDyn, appId); -} + AppInfoTable::const_iterator app; -AppInfoTableEntry* appInfoEntryCreate(const char* appName) -{ - AppId appId; - AppInfoTableEntry* entry; - - if (!appName || strlen(appName) >= MAX_EVENT_APPNAME_LEN) + if ((tmp = get_static_app_info_entry(appId))) { - ErrorMessage("Appname invalid or too long: %s\n", appName); - return nullptr; + app = lookup_table.find(tmp); + if( app != lookup_table.end() ) + return app->second; + else + return nullptr; } - - entry = static_cast(appNameHashFind(AppNameHash, appName)); - - if (!entry) + else { - if (!dynamicArrayCreateIndex(AppInfoTableDyn, (uint32_t*)&appId)) + app = custom_app_info_table.find(appId); + if( app != custom_app_info_table.end() ) + return app->second; + else return nullptr; - - entry = static_cast(snort_calloc(sizeof(AppInfoTableEntry))); - entry->appId = appId; - entry->serviceId = entry->appId; - entry->clientId = entry->appId; - entry->payloadId = entry->appId; - entry->appName = snort_strdup(appName); - dynamicArraySetIndex(AppInfoTableDyn, appId, entry); } - return entry; } -void init_dynamic_app_info_table() +AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId appId) { - AppInfoTableDyn = dynamicArrayCreate(SF_APPID_DYNAMIC_MIN); + return get_app_info_entry(appId, app_info_table); } -void free_dynamic_app_info_table() +AppInfoTableEntry* AppInfoManager::add_dynamic_app_entry(const char* app_name) { - dynamicArrayDestroy(AppInfoTableDyn); - AppInfoTableDyn = nullptr; -} - -void init_appid_info_table(const char* path) -{ - FILE* tableFile; - const char* token; - char buf[MAX_TABLE_LINE_LEN]; - AppInfoTableEntry* entry; - AppId appId; - uint32_t clientId, serviceId, payloadId; - char filepath[PATH_MAX]; - char* appName; - char* snortName = nullptr; - char* context; - - snprintf(filepath, sizeof(filepath), "%s/odp/%s", path, APP_MAPPING_FILE); - - tableFile = fopen(filepath, "r"); - if (tableFile == nullptr) + if (!app_name || strlen(app_name) >= MAX_EVENT_APPNAME_LEN) { - ErrorMessage("Could not open RnaAppMapping Table file: %s\n", filepath); - return; + ErrorMessage("Appname invalid or too long: %s\n", app_name); + return nullptr; } - DebugFormat(DEBUG_INSPECTOR, "AppInfo read from %s\n", filepath); - - while (fgets(buf, sizeof(buf), tableFile)) + custom_app_mutex.lock(); + AppInfoTableEntry* entry = find_app_info_by_name(app_name); + if (!entry) { - token = strtok_r(buf, CONF_SEPARATORS, &context); - if (!token) - { - ErrorMessage("Could not read id for Rna Id\n"); - continue; - } - - appId = strtol(token, nullptr, 10); - - token = strtok_r(nullptr, CONF_SEPARATORS, &context); - if (!token) - { - ErrorMessage("Could not read appName. Line %s\n", buf); - continue; - } - - appName = snort_strdup(token); - token = strtok_r(nullptr, CONF_SEPARATORS, &context); - if (!token) - { - ErrorMessage("Could not read service id for Rna Id\n"); - snort_free(appName); - continue; - } - - serviceId = strtol(token, nullptr, 10); - - token = strtok_r(nullptr, CONF_SEPARATORS, &context); - if (!token) - { - ErrorMessage("Could not read client id for Rna Id\n"); - snort_free(appName); - continue; - } - - clientId = strtol(token, nullptr, 10); - - token = strtok_r(nullptr, CONF_SEPARATORS, &context); - if (!token) - { - ErrorMessage("Could not read payload id for Rna Id\n"); - snort_free(appName); - continue; - } - - payloadId = strtol(token, nullptr, 10); - - /* snort service key, if it exists */ - token = strtok_r(nullptr, CONF_SEPARATORS, &context); - if (token) - snortName = snort_strdup(token); - - entry = static_cast(snort_calloc(sizeof(AppInfoTableEntry))); - entry->next = AppInfoList; - AppInfoList = entry; - entry->snortId = AddProtocolReference(snortName); - snort_free(snortName); - snortName = nullptr; - entry->appName = appName; - entry->appId = appId; - entry->serviceId = serviceId; - entry->clientId = clientId; - entry->payloadId = payloadId; - entry->priority = APP_PRIORITY_DEFAULT; - - if ((appId = getAppIdStaticIndex(entry->appId))) - AppInfoTable[appId] = entry; - if ((appId = getAppIdStaticIndex(entry->serviceId))) - AppInfoTableByService[appId] = entry; - if ((appId = getAppIdStaticIndex(entry->clientId))) - AppInfoTableByClient[appId] = entry; - if ((appId = getAppIdStaticIndex(entry->payloadId))) - AppInfoTableByPayload[appId] = entry; - - if (!AppNameHash) - AppNameHash = appNameHashInit(); - - appNameHashAdd(AppNameHash, appName, entry); + entry = new AppInfoTableEntry(next_custom_appid++, snort_strdup(app_name)); + entry->app_name_key = strdupToLower(app_name); + entry->serviceId = entry->appId; + entry->clientId = entry->appId; + entry->payloadId = entry->appId; + custom_app_info_table[entry->appId] = entry; + add_entry_to_app_info_hash(entry->app_name_key, entry); } - fclose(tableFile); - - /* Configuration defaults. */ - pAppidActiveConfig->mod_config->rtmp_max_packets = 15; - pAppidActiveConfig->mod_config->mdns_user_reporting = 1; - pAppidActiveConfig->mod_config->dns_host_reporting = 1; - pAppidActiveConfig->mod_config->max_tp_flow_depth = 5; - pAppidActiveConfig->mod_config->http2_detection_enabled = false; - snprintf(filepath, sizeof(filepath), "%s/odp/%s", path, APP_CONFIG_FILE); - load_appid_config (filepath); - snprintf(filepath, sizeof(filepath), "%s/custom/%s", path, USR_CONFIG_FILE); - load_appid_config (filepath); + custom_app_mutex.unlock(); + return entry; } -void cleanup_appid_info_table() +void AppInfoManager::cleanup_appid_info_table() { - AppInfoTableEntry* entry; + for (auto& kv: app_info_table) + delete(kv.second); - while ((entry = AppInfoList)) - { - AppInfoList = entry->next; - snort_free(entry->appName); - snort_free(entry); - } + app_info_table.erase(app_info_table.begin(), app_info_table.end()); + + for (auto& kv: custom_app_info_table) + delete(kv.second); - appNameHashFini(); + custom_app_info_table.erase(custom_app_info_table.begin(), custom_app_info_table.end()); + app_info_name_table.erase(app_info_name_table.begin(), app_info_name_table.end()); } -void dump_app_info_table() +void AppInfoManager::dump_app_info_table() { - AppInfoTableEntry* entry; - AppId appId; - LogMessage("Cisco provided detectors:\n"); - for (appId = 1; appId < SF_APPID_MAX; appId++) - { - entry = AppInfoTable[appId]; - if (entry) - LogMessage("%s\t%d\t%s\n", entry->appName, entry->appId, (entry->flags & - APPINFO_FLAG_ACTIVE) ? "active" : "inactive"); - } + for (auto& kv: app_info_table) + LogMessage("%s\t%d\t%s\n", kv.second->app_name, kv.second->appId, + (kv.second->flags & APPINFO_FLAG_ACTIVE) ? "active" : "inactive"); LogMessage("User provided detectors:\n"); - for (entry = (decltype(entry))dynamicArrayGetFirst(AppInfoTableDyn); - entry; - entry = (decltype(entry))dynamicArrayGetNext(AppInfoTableDyn)) - { - LogMessage("%s\t%d\t%s\n", entry->appName, entry->appId, (entry->flags & - APPINFO_FLAG_ACTIVE) ? "active" : "inactive"); - } + for (auto& kv: custom_app_info_table) + LogMessage("%s\t%d\t%s\n", kv.second->app_name, kv.second->appId, + (kv.second->flags & APPINFO_FLAG_ACTIVE) ? "active" : "inactive"); } -AppId get_appid_by_service_id(uint32_t appId) +AppId AppInfoManager::get_appid_by_service_id(uint32_t id) { - AppInfoTableEntry* entry; - AppId tmp; - - if ((tmp = getAppIdStaticIndex(appId))) - entry = AppInfoTableByService[tmp]; - else - entry = dynamicArrayGetIndex(AppInfoTableDyn, appId); - + AppInfoTableEntry* entry = get_app_info_entry(id, app_info_service_table); return entry ? entry->appId : APP_ID_NONE; } -AppId get_appid_by_client_id(uint32_t appId) +AppId AppInfoManager::get_appid_by_client_id(uint32_t id) { - AppInfoTableEntry* entry; - AppId tmp; - - if ((tmp = getAppIdStaticIndex(appId))) - entry = AppInfoTableByClient[tmp]; - else - entry = dynamicArrayGetIndex(AppInfoTableDyn, appId); - + AppInfoTableEntry* entry = get_app_info_entry(id, app_info_client_table); return entry ? entry->appId : APP_ID_NONE; } -AppId get_appid_by_payload_id(uint32_t appId) +AppId AppInfoManager::get_appid_by_payload_id(uint32_t id) { - AppInfoTableEntry* entry; - AppId tmp; - - if ((tmp = getAppIdStaticIndex(appId))) - entry = AppInfoTableByPayload[tmp]; - else - entry = dynamicArrayGetIndex(AppInfoTableDyn, appId); - + AppInfoTableEntry* entry = get_app_info_entry(id, app_info_payload_table); return entry ? entry->appId : APP_ID_NONE; } -const char* get_app_name(int32_t appId) +const char* AppInfoManager::get_app_name(int32_t id) { - AppInfoTableEntry* entry; - AppId tmp; - - if ((tmp = getAppIdStaticIndex(appId))) - entry = AppInfoTable[tmp]; - else - entry = dynamicArrayGetIndex(AppInfoTableDyn, appId); - - return entry ? entry->appName : nullptr; + AppInfoTableEntry* entry = get_app_info_entry(id); + return entry ? entry->app_name : nullptr; } -int32_t get_appid_by_name(const char* appName) +int32_t AppInfoManager::get_appid_by_name(const char* app_name) { - AppInfoTableEntry* entry = (decltype(entry))appNameHashFind(AppNameHash, appName); - return entry ? entry->appId : 0; + AppInfoTableEntry* entry = find_app_info_by_name(app_name); + return entry ? entry->appId : APP_ID_NONE; } -void set_app_info_active(AppId appId) +void AppInfoManager::set_app_info_active(AppId appId) { - AppInfoTableEntry* entry = nullptr; - AppId tmp; - if (appId == APP_ID_NONE) return; - if ((tmp = getAppIdStaticIndex(appId))) - entry = AppInfoTable[tmp]; - else - entry = dynamicArrayGetIndex(AppInfoTableDyn, appId); - + AppInfoTableEntry* entry = get_app_info_entry(appId); if (entry) entry->flags |= APPINFO_FLAG_ACTIVE; else ErrorMessage("AppInfo: AppId %d is UNKNOWN\n", appId); } -static void load_appid_config(const char* path) +void AppInfoManager::load_appid_config(const char* path) { FILE* config_file; char* token; @@ -583,7 +285,7 @@ static void load_appid_config(const char* path) DebugFormat(DEBUG_INSPECTOR, "AppId: setting max thirdparty inspection flow depth to %d packets.\n", max_tp_flow_depth); - pAppidActiveConfig->mod_config->max_tp_flow_depth = max_tp_flow_depth; + AppIdConfig::get_appid_config()->mod_config->max_tp_flow_depth = max_tp_flow_depth; } } else if (!(strcasecmp(conf_key, "tp_allow_probes"))) @@ -593,7 +295,7 @@ static void load_appid_config(const char* path) DebugMessage(DEBUG_INSPECTOR, "AppId: TCP probes will be analyzed by NAVL.\n"); - pAppidActiveConfig->mod_config->tp_allow_probes = 1; + AppIdConfig::get_appid_config()->mod_config->tp_allow_probes = 1; } } else if (!(strcasecmp(conf_key, "tp_client_app"))) @@ -601,14 +303,14 @@ static void load_appid_config(const char* path) DebugFormat(DEBUG_INSPECTOR, "AppId: if thirdparty reports app %d, we will use it as a client.\n", atoi(conf_val)); - appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_TP_CLIENT); + set_app_info_flags(atoi(conf_val), APPINFO_FLAG_TP_CLIENT); } else if (!(strcasecmp(conf_key, "ssl_reinspect"))) { DebugFormat(DEBUG_INSPECTOR, "AppId: adding app %d to list of SSL apps that get more granular inspection.\n", atoi(conf_val)); - appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_SSL_INSPECT); + set_app_info_flags(atoi(conf_val), APPINFO_FLAG_SSL_INSPECT); } else if (!(strcasecmp(conf_key, "disable_safe_search"))) { @@ -616,7 +318,7 @@ static void load_appid_config(const char* path) { DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR, "AppId: disabling safe search enforcement.\n"); ); - pAppidActiveConfig->mod_config->disable_safe_search = 1; + AppIdConfig::get_appid_config()->mod_config->disable_safe_search = 1; } } else if (!(strcasecmp(conf_key, "ssl_squelch"))) @@ -624,14 +326,14 @@ static void load_appid_config(const char* path) DebugFormat(DEBUG_INSPECTOR, "AppId: adding app %d to list of SSL apps that may open a second SSL connection.\n", atoi(conf_val)); - appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_SSL_SQUELCH); + set_app_info_flags(atoi(conf_val), APPINFO_FLAG_SSL_SQUELCH); } else if (!(strcasecmp(conf_key, "defer_to_thirdparty"))) { DebugFormat(DEBUG_INSPECTOR, "AppId: adding app %d to list of apps where we should take thirdparty ID over the NDE's.\n", atoi(conf_val)); - appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_DEFER); + set_app_info_flags(atoi(conf_val), APPINFO_FLAG_DEFER); } else if (!(strcasecmp(conf_key, "defer_payload_to_thirdparty"))) { @@ -639,7 +341,7 @@ static void load_appid_config(const char* path) "AppId: adding app %d to list of apps where we should take " "thirdparty payload ID over the NDE's.\n", atoi(conf_val)); - appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_DEFER_PAYLOAD); + set_app_info_flags(atoi(conf_val), APPINFO_FLAG_DEFER_PAYLOAD); } else if (!(strcasecmp(conf_key, "chp_userid"))) { @@ -647,7 +349,7 @@ static void load_appid_config(const char* path) { DebugMessage(DEBUG_INSPECTOR, "AppId: HTTP UserID collection disabled.\n"); - pAppidActiveConfig->mod_config->chp_userid_disabled = 1; + AppIdConfig::get_appid_config()->mod_config->chp_userid_disabled = 1; continue; } } @@ -657,7 +359,7 @@ static void load_appid_config(const char* path) { DebugMessage(DEBUG_INSPECTOR, "AppId: HTTP Body header reading disabled.\n"); - pAppidActiveConfig->mod_config->chp_body_collection_disabled = 1; + AppIdConfig::get_appid_config()->mod_config->chp_body_collection_disabled = 1; continue; } } @@ -667,7 +369,7 @@ static void load_appid_config(const char* path) { DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR, "AppId: HTTP future flow creation disabled.\n"); ); - pAppidActiveConfig->mod_config->chp_fflow_disabled = 1; + AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled = 1; continue; } } @@ -676,7 +378,7 @@ static void load_appid_config(const char* path) if (!(strcasecmp(conf_val, "disabled"))) { DEBUG_WRAP(DebugMessage(DEBUG_INSPECTOR, "AppId: FTP userID disabled.\n"); ); - pAppidActiveConfig->mod_config->ftp_userid_disabled = 1; + AppIdConfig::get_appid_config()->mod_config->ftp_userid_disabled = 1; continue; } } @@ -694,7 +396,7 @@ static void load_appid_config(const char* path) conf_val = token; uint8_t temp_val; temp_val = strtol(conf_val, nullptr, 10); - appInfoEntryPrioritySet (temp_appid, temp_val); + set_app_info_priority (temp_appid, temp_val); DebugFormat(DEBUG_INSPECTOR,"AppId: %d Setting priority bit %d .\n", temp_appid, temp_val); } @@ -702,20 +404,20 @@ static void load_appid_config(const char* path) { if (!(strcasecmp(conf_val, "disabled"))) { - pAppidActiveConfig->mod_config->referred_appId_disabled = 1; + AppIdConfig::get_appid_config()->mod_config->referred_appId_disabled = 1; continue; } - else if (!pAppidActiveConfig->mod_config->referred_appId_disabled) + else if (!AppIdConfig::get_appid_config()->mod_config->referred_appId_disabled) { referred_app_index=0; referred_app_index += sprintf(referred_app_list, "%d ", atoi(conf_val)); - appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_REFERRED); + set_app_info_flags(atoi(conf_val), APPINFO_FLAG_REFERRED); while ((token = strtok_r(nullptr, CONF_SEPARATORS, &context)) != nullptr) { referred_app_index += sprintf(referred_app_list+referred_app_index, "%d ", atoi(token)); - appInfoEntryFlagSet(atoi(token), APPINFO_FLAG_REFERRED); + set_app_info_flags(atoi(token), APPINFO_FLAG_REFERRED); } DebugFormat(DEBUG_INSPECTOR, "AppId: adding appIds to list of referred web apps: %s\n", @@ -724,25 +426,25 @@ static void load_appid_config(const char* path) } else if (!(strcasecmp(conf_key, "rtmp_max_packets"))) { - pAppidActiveConfig->mod_config->rtmp_max_packets = atoi(conf_val); + AppIdConfig::get_appid_config()->mod_config->rtmp_max_packets = atoi(conf_val); } else if (!(strcasecmp(conf_key, "mdns_user_report"))) { - pAppidActiveConfig->mod_config->mdns_user_reporting = atoi(conf_val); + AppIdConfig::get_appid_config()->mod_config->mdns_user_reporting = atoi(conf_val); } else if (!(strcasecmp(conf_key, "dns_host_report"))) { - pAppidActiveConfig->mod_config->dns_host_reporting = atoi(conf_val); + AppIdConfig::get_appid_config()->mod_config->dns_host_reporting = atoi(conf_val); } else if (!(strcasecmp(conf_key, "chp_body_max_bytes"))) { - pAppidActiveConfig->mod_config->chp_body_collection_max = atoi(conf_val); + AppIdConfig::get_appid_config()->mod_config->chp_body_collection_max = atoi(conf_val); } else if (!(strcasecmp(conf_key, "ignore_thirdparty_appid"))) { LogMessage("AppId: adding app %d to list of ignore thirdparty apps.\n", atoi( conf_val)); - appInfoEntryFlagSet(atoi(conf_val), APPINFO_FLAG_IGNORE); + set_app_info_flags(atoi(conf_val), APPINFO_FLAG_IGNORE); } else if (!(strcasecmp(conf_key, "http2_detection"))) { @@ -754,12 +456,12 @@ static void load_appid_config(const char* path) if (!(strcasecmp(conf_val, "disabled"))) { LogMessage("AppId: disabling internal HTTP/2 detection.\n"); - pAppidActiveConfig->mod_config->http2_detection_enabled = false; + AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = false; } else if (!(strcasecmp(conf_val, "enabled"))) { LogMessage("AppId: enabling internal HTTP/2 detection.\n"); - pAppidActiveConfig->mod_config->http2_detection_enabled = true; + AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = true; } else { @@ -772,3 +474,116 @@ static void load_appid_config(const char* path) fclose(config_file); } +void AppInfoManager::init_appid_info_table(const char* path) +{ + FILE* tableFile; + const char* token; + char buf[MAX_TABLE_LINE_LEN]; + AppInfoTableEntry* entry; + AppId appId; + uint32_t clientId, serviceId, payloadId; + char filepath[PATH_MAX]; + char* app_name; + char* snortName = nullptr; + char* context; + + snprintf(filepath, sizeof(filepath), "%s/odp/%s", path, APP_MAPPING_FILE); + + tableFile = fopen(filepath, "r"); + if (tableFile == nullptr) + { + ErrorMessage("Could not open RnaAppMapping Table file: %s\n", filepath); + return; + } + + DebugFormat(DEBUG_INSPECTOR, "AppInfo read from %s\n", filepath); + + while (fgets(buf, sizeof(buf), tableFile)) + { + token = strtok_r(buf, CONF_SEPARATORS, &context); + if (!token) + { + ErrorMessage("Could not read id for Rna Id\n"); + continue; + } + + appId = strtol(token, nullptr, 10); + + token = strtok_r(nullptr, CONF_SEPARATORS, &context); + if (!token) + { + ErrorMessage("Could not read app_name. Line %s\n", buf); + continue; + } + + app_name = snort_strdup(token); + token = strtok_r(nullptr, CONF_SEPARATORS, &context); + if (!token) + { + ErrorMessage("Could not read service id for Rna Id\n"); + snort_free(app_name); + continue; + } + + serviceId = strtol(token, nullptr, 10); + + token = strtok_r(nullptr, CONF_SEPARATORS, &context); + if (!token) + { + ErrorMessage("Could not read client id for Rna Id\n"); + snort_free(app_name); + continue; + } + + clientId = strtol(token, nullptr, 10); + + token = strtok_r(nullptr, CONF_SEPARATORS, &context); + if (!token) + { + ErrorMessage("Could not read payload id for Rna Id\n"); + snort_free(app_name); + continue; + } + + payloadId = strtol(token, nullptr, 10); + + /* snort service key, if it exists */ + token = strtok_r(nullptr, CONF_SEPARATORS, &context); + if (token) + snortName = snort_strdup(token); + + entry = new AppInfoTableEntry(appId, app_name); + entry->snortId = add_appid_protocol_reference(snortName); + snort_free(snortName); + snortName = nullptr; + entry->app_name_key = strdupToLower(app_name); + entry->serviceId = serviceId; + entry->clientId = clientId; + entry->payloadId = payloadId; + + if ((appId = get_static_app_info_entry(entry->appId))) + app_info_table[appId] = entry; + if ((appId = get_static_app_info_entry(entry->serviceId))) + app_info_service_table[appId] = entry; + if ((appId = get_static_app_info_entry(entry->clientId))) + app_info_client_table[appId] = entry; + if ((appId = get_static_app_info_entry(entry->payloadId))) + app_info_payload_table[appId] = entry; + + add_entry_to_app_info_hash(entry->app_name_key, entry); + } + fclose(tableFile); + + /* Configuration defaults. */ + AppIdConfig::get_appid_config()->mod_config->rtmp_max_packets = 15; + AppIdConfig::get_appid_config()->mod_config->mdns_user_reporting = 1; + AppIdConfig::get_appid_config()->mod_config->dns_host_reporting = 1; + AppIdConfig::get_appid_config()->mod_config->max_tp_flow_depth = 5; + AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled = false; + + snprintf(filepath, sizeof(filepath), "%s/odp/%s", path, APP_CONFIG_FILE); + load_appid_config (filepath); + snprintf(filepath, sizeof(filepath), "%s/custom/%s", path, USR_CONFIG_FILE); + load_appid_config (filepath); +} + diff --git a/src/network_inspectors/appid/app_info_table.h b/src/network_inspectors/appid/app_info_table.h index 6af24452a..19a480d51 100644 --- a/src/network_inspectors/appid/app_info_table.h +++ b/src/network_inspectors/appid/app_info_table.h @@ -23,9 +23,13 @@ #define APP_INFO_TABLE_H #include +#include +#include +#include "application_ids.h" #include "appid_api.h" #include "appid_config.h" +#include "utils/util.h" #define APP_PRIORITY_DEFAULT 2 @@ -52,72 +56,103 @@ enum AppInfoFlags APPINFO_FLAG_SUPPORTED_SEARCH = (1<<14) }; -struct AppInfoTableEntry +class AppInfoTableEntry { - AppInfoTableEntry* next; - AppId appId; - uint32_t serviceId; - uint32_t clientId; - uint32_t payloadId; - int16_t snortId; - uint32_t flags; - const RNAClientAppModule* clntValidator; - const RNAServiceElement* svrValidator; - uint32_t priority; - char* appName; +public: + AppInfoTableEntry(AppId id, char* name) + : appId(id), app_name(name) + { + + } + + ~AppInfoTableEntry() + { + if( app_name ) + snort_free(app_name); + if( app_name_key ) + snort_free(app_name_key); + } + + AppId appId = APP_ID_NONE; + uint32_t serviceId = APP_ID_NONE; + uint32_t clientId = APP_ID_NONE; + uint32_t payloadId = APP_ID_NONE; + int16_t snortId = 0; + uint32_t flags = 0; + uint32_t priority = APP_PRIORITY_DEFAULT; + const RNAClientAppModule* clntValidator = nullptr; + const RNAServiceElement* svrValidator = nullptr; + char* app_name = nullptr; + char* app_name_key = nullptr; }; -void appNameHashFini(); - -void init_appid_info_table(const char* path); -void cleanup_appid_info_table(); -void init_dynamic_app_info_table(); -void free_dynamic_app_info_table(); - -AppInfoTableEntry* appInfoEntryGet(AppId); -AppInfoTableEntry* appInfoEntryCreate(const char* appName); -AppId appGetSnortIdFromAppId(AppId); -AppId get_appid_by_service_id(uint32_t appId); -AppId get_appid_by_client_id(uint32_t appId); -AppId get_appid_by_payload_id(uint32_t appId); -void AppIdDumpStats(int exit_flag); -void dump_app_info_table(); -void set_app_info_active(AppId); -const char* get_app_name(int32_t appId); -int32_t get_appid_by_name(const char* appName); - -inline void appInfoEntryFlagSet(AppId appId, unsigned flags) -{ - AppInfoTableEntry* entry = appInfoEntryGet(appId); - if ( entry ) - entry->flags |= flags; -} - -inline void appInfoEntryFlagClear(AppId appId, unsigned flags) -{ - AppInfoTableEntry* entry = appInfoEntryGet(appId); - if ( entry ) - entry->flags &= (~flags); -} +typedef std::map AppInfoTable; +typedef std::map AppInfoNameTable; -inline unsigned appInfoEntryFlagGet(AppId app_id, unsigned flags) +class AppInfoManager { - AppInfoTableEntry* entry = appInfoEntryGet(app_id); - return entry ? entry->flags & flags : 0; -} +public: + ~AppInfoManager() {} + + static AppInfoManager& get_instance() + { + static AppInfoManager instance; + return instance; + } + + AppInfoTableEntry* get_app_info_entry(AppId); + AppInfoTableEntry* add_dynamic_app_entry(const char* app_name); + AppId get_appid_by_service_id(uint32_t); + AppId get_appid_by_client_id(uint32_t); + AppId get_appid_by_payload_id(uint32_t); + void set_app_info_active(AppId); + const char* get_app_name(AppId); + int32_t get_appid_by_name(const char* app_name); + + void set_app_info_flags(AppId appId, unsigned flags) + { + AppInfoTableEntry* entry = get_app_info_entry(appId); + if ( entry ) + entry->flags |= flags; + } + + void clear_app_info_flags(AppId appId, unsigned flags) + { + AppInfoTableEntry* entry = get_app_info_entry(appId); + if ( entry ) + entry->flags &= (~flags); + } + + unsigned get_app_info_flags(AppId app_id, unsigned flags) + { + AppInfoTableEntry* entry = get_app_info_entry(app_id); + return entry ? entry->flags & flags : 0; + } + + void set_app_info_priority(AppId appId, unsigned priority) + { + AppInfoTableEntry* entry = get_app_info_entry(appId); + if ( entry ) + entry->priority |= priority; + } + + unsigned get_app_info_priority(AppId app_id) + { + AppInfoTableEntry* entry = get_app_info_entry(app_id); + return entry ? entry->priority : 0; + } + + void init_appid_info_table(const char* path); + void cleanup_appid_info_table(); + void dump_app_info_table(); + +private: + AppInfoManager() {} + void load_appid_config(const char* path); + AppInfoTableEntry* get_app_info_entry(AppId appId, const AppInfoTable& lookup_table); + std::mutex custom_app_mutex; -inline void appInfoEntryPrioritySet(AppId appId, unsigned priority) -{ - AppInfoTableEntry* entry = appInfoEntryGet(appId); - if ( entry ) - entry->priority |= priority; -} - -inline unsigned appInfoEntryPriorityGet(AppId app_id) -{ - AppInfoTableEntry* entry = appInfoEntryGet(app_id); - return entry ? entry->priority : 0; -} +}; #endif diff --git a/src/network_inspectors/appid/appid.h b/src/network_inspectors/appid/appid.h index 50268e7ac..8bc04016e 100644 --- a/src/network_inspectors/appid/appid.h +++ b/src/network_inspectors/appid/appid.h @@ -22,19 +22,15 @@ #ifndef APPID_H #define APPID_H -#include "thirdparty_appid_types.h" - #define SF_APPID_MAX 40000 #define SF_APPID_BUILDIN_MAX 30000 #define APPID_MAX_PRIORITY 3 #define SF_APPID_CSD_MIN 1000000 #define SF_APPID_DYNAMIC_MIN 2000000 -#define NUMBER_OF_PTYPES 9 +#define NUMBER_OF_PTYPES 9 -// FIXIT-H J stuff like this needs to be defined in config.h #define RESPONSE_CODE_PACKET_THRESHHOLD 0 -// FIXIT-L J properly scoped enum would be more appropriate enum APPID_SESSION_DIRECTION { APP_ID_FROM_INITIATOR, @@ -42,15 +38,11 @@ enum APPID_SESSION_DIRECTION APP_ID_APPID_SESSION_DIRECTION_MAX // Maximum value of a direction (must be last in the list) }; -// FIXIT-M J this doesn't seem appropriate for an enum enum SERVICE_HOST_INFO_CODE { SERVICE_HOST_INFO_NETBIOS_NAME = 1 }; -// FIXIT-M J this should go in a separate header -#define DHCP_OPTION55_LEN_MAX 255 - #define FINGERPRINT_UDP_FLAGS_XENIX 0x00000800 #define FINGERPRINT_UDP_FLAGS_NT 0x00001000 #define FINGERPRINT_UDP_FLAGS_MASK (FINGERPRINT_UDP_FLAGS_XENIX | FINGERPRINT_UDP_FLAGS_NT) diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc index 3e7050085..c7798a0b5 100644 --- a/src/network_inspectors/appid/appid_api.cc +++ b/src/network_inspectors/appid/appid_api.cc @@ -21,6 +21,7 @@ #include "appid_api.h" +#include "app_info_table.h" #include "appid.h" #include "service_plugins/service_base.h" #include "app_info_table.h" @@ -34,142 +35,142 @@ AppIdApi appid_api; const char* AppIdApi::get_application_name(int32_t app_id) { - return get_app_name(app_id); + return AppInfoManager::get_instance().get_app_name(app_id); } AppId AppIdApi::get_application_id(const char* appName) { - return get_appid_by_name(appName); + return AppInfoManager::get_instance().get_appid_by_name(appName); } -AppId AppIdApi::get_service_app_id(AppIdSession* session) +AppId AppIdApi::get_service_app_id(AppIdSession* asd) { - if (session) - return session->pick_service_app_id(); + if (asd) + return asd->pick_service_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_port_service_app_id(AppIdSession* session) +AppId AppIdApi::get_port_service_app_id(AppIdSession* asd) { - if (session) - return session->portServiceAppId; + if (asd) + return asd->portServiceAppId; return APP_ID_NONE; } -AppId AppIdApi::get_only_service_app_id(AppIdSession* session) +AppId AppIdApi::get_only_service_app_id(AppIdSession* asd) { - if (session) - return session->pick_only_service_app_id(); + if (asd) + return asd->pick_only_service_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_misc_app_id(AppIdSession* session) +AppId AppIdApi::get_misc_app_id(AppIdSession* asd) { - if (session) - return session->pick_misc_app_id(); + if (asd) + return asd->pick_misc_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_client_app_id(AppIdSession* session) +AppId AppIdApi::get_client_app_id(AppIdSession* asd) { - if (session) - return session->pick_client_app_id(); + if (asd) + return asd->pick_client_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_payload_app_id(AppIdSession* session) +AppId AppIdApi::get_payload_app_id(AppIdSession* asd) { - if (session) - return session->pick_payload_app_id(); + if (asd) + return asd->pick_payload_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_referred_app_id(AppIdSession* session) +AppId AppIdApi::get_referred_app_id(AppIdSession* asd) { - if (session) - return session->pick_referred_payload_app_id(); + if (asd) + return asd->pick_referred_payload_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_fw_service_app_id(AppIdSession* session) +AppId AppIdApi::get_fw_service_app_id(AppIdSession* asd) { - if (session) - return session->fw_pick_service_app_id(); + if (asd) + return asd->fw_pick_service_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_fw_misc_app_id(AppIdSession* session) +AppId AppIdApi::get_fw_misc_app_id(AppIdSession* asd) { - if (session) - return session->fw_pick_misc_app_id(); + if (asd) + return asd->fw_pick_misc_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_fw_client_app_id(AppIdSession* session) +AppId AppIdApi::get_fw_client_app_id(AppIdSession* asd) { - if (session) - return session->fw_pick_client_app_id(); + if (asd) + return asd->fw_pick_client_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_fw_payload_app_id(AppIdSession* session) +AppId AppIdApi::get_fw_payload_app_id(AppIdSession* asd) { - if (session) - return session->fw_pick_payload_app_id(); + if (asd) + return asd->fw_pick_payload_app_id(); return APP_ID_NONE; } -AppId AppIdApi::get_fw_referred_app_id(AppIdSession* session) +AppId AppIdApi::get_fw_referred_app_id(AppIdSession* asd) { - if (session) - return session->fw_pick_referred_payload_app_id(); + if (asd) + return asd->fw_pick_referred_payload_app_id(); return APP_ID_NONE; } -bool AppIdApi::is_ssl_session_decrypted(AppIdSession* session) +bool AppIdApi::is_ssl_session_decrypted(AppIdSession* asd) { - if (session) - return session->is_ssl_session_decrypted(); + if (asd) + return asd->is_ssl_session_decrypted(); return false; } AppIdSession* AppIdApi::get_appid_data(Flow* flow) { - AppIdSession* session = (AppIdSession*) flow->get_flow_data(AppIdSession::flow_id); + AppIdSession* asd = (AppIdSession*) flow->get_flow_data(AppIdSession::flow_id); - return (session && session->common.fsf_type.flow_type == APPID_SESSION_TYPE_NORMAL) ? - session : nullptr; + return (asd && asd->common.flow_type == APPID_FLOW_TYPE_NORMAL) ? + asd : nullptr; } bool AppIdApi::is_appid_inspecting_session(AppIdSession* appIdSession) { - if (appIdSession && appIdSession->common.fsf_type.flow_type == APPID_SESSION_TYPE_NORMAL) + if (appIdSession && appIdSession->common.flow_type == APPID_FLOW_TYPE_NORMAL) { if (appIdSession->rnaServiceState != RNA_STATE_FINISHED || !TPIsAppIdDone(appIdSession->tpsession) || - appIdSession->getAppIdFlag(APPID_SESSION_HTTP_SESSION | APPID_SESSION_CONTINUE) || - (appIdSession->getAppIdFlag(APPID_SESSION_ENCRYPTED) && - (appIdSession->getAppIdFlag(APPID_SESSION_DECRYPTED) || + appIdSession->get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_CONTINUE) || + (appIdSession->get_session_flags(APPID_SESSION_ENCRYPTED) && + (appIdSession->get_session_flags(APPID_SESSION_DECRYPTED) || appIdSession->session_packet_count < SSL_WHITELIST_PKT_LIMIT))) { return true; } if (appIdSession->rna_client_state != RNA_STATE_FINISHED && - (!appIdSession->getAppIdFlag(APPID_SESSION_CLIENT_DETECTED) || + (!appIdSession->get_session_flags(APPID_SESSION_CLIENT_DETECTED) || (appIdSession->rnaServiceState != RNA_STATE_STATEFUL - && appIdSession->getAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS)))) + && appIdSession->get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS)))) { return true; } @@ -182,54 +183,54 @@ bool AppIdApi::is_appid_inspecting_session(AppIdSession* appIdSession) return false; } -char* AppIdApi::get_user_name(AppIdSession* session, AppId* service, bool* isLoginSuccessful) +char* AppIdApi::get_user_name(AppIdSession* asd, AppId* service, bool* isLoginSuccessful) { char* userName = nullptr; - if (session) + if (asd) { - userName = session->username; - *service = session->username_service; - *isLoginSuccessful = session->getAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED) ? true : false; - session->username = nullptr; //transfer ownership to caller. + userName = asd->username; + *service = asd->username_service; + *isLoginSuccessful = asd->get_session_flags(APPID_SESSION_LOGIN_SUCCEEDED) ? true : false; + asd->username = nullptr; //transfer ownership to caller. return userName; } return nullptr; } -bool AppIdApi::is_appid_available(AppIdSession* session) +bool AppIdApi::is_appid_available(AppIdSession* asd) { - if (session) + if (asd) { - if (session->getAppIdFlag(APPID_SESSION_NO_TPI)) + if (asd->get_session_flags(APPID_SESSION_NO_TPI)) return true; - return TPIsAppIdAvailable(session->tpsession); + return TPIsAppIdAvailable(asd->tpsession); } return false; } -char* AppIdApi::get_client_version(AppIdSession* session) +char* AppIdApi::get_client_version(AppIdSession* asd) { - return session ? session->client_version : nullptr; + return asd ? asd->client_version : nullptr; } -uint64_t AppIdApi::get_appid_session_attribute(AppIdSession* session, uint64_t flags) +uint64_t AppIdApi::get_appid_session_attribute(AppIdSession* asd, uint64_t flags) { - return session ? session->getAppIdFlag(flags) : 0; + return asd ? asd->get_session_flags(flags) : 0; } -APPID_FLOW_TYPE AppIdApi::get_flow_type(AppIdSession* session) +APPID_FLOW_TYPE AppIdApi::get_flow_type(AppIdSession* asd) { - return session ? session->common.fsf_type.flow_type : APPID_FLOW_TYPE_IGNORE; + return asd ? asd->common.flow_type : APPID_FLOW_TYPE_IGNORE; } -void AppIdApi::get_service_info(AppIdSession* session, char** serviceVendor, char** serviceVersion, +void AppIdApi::get_service_info(AppIdSession* asd, char** serviceVendor, char** serviceVersion, RNAServiceSubtype** serviceSubtype) { - if (session) + if (asd) { - *serviceVendor = session->serviceVendor; - *serviceVersion = session->serviceVersion; - *serviceSubtype = session->subtype; + *serviceVendor = asd->serviceVendor; + *serviceVersion = asd->serviceVersion; + *serviceSubtype = asd->subtype; } else { @@ -239,246 +240,243 @@ void AppIdApi::get_service_info(AppIdSession* session, char** serviceVendor, cha } } -short AppIdApi::get_service_port(AppIdSession* session) +short AppIdApi::get_service_port(AppIdSession* asd) { - if (session) - return session->service_port; + if (asd) + return asd->service_port; return 0; } -char* AppIdApi::get_http_user_agent(AppIdSession* session) +char* AppIdApi::get_http_user_agent(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->useragent; + if (asd && asd->hsession) + return asd->hsession->useragent; return nullptr; } -char* AppIdApi::get_http_host(AppIdSession* session) +char* AppIdApi::get_http_host(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->host; + if (asd && asd->hsession) + return asd->hsession->host; return nullptr; } -char* AppIdApi::get_http_url(AppIdSession* session) +char* AppIdApi::get_http_url(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->url; + if (asd && asd->hsession) + return asd->hsession->url; return nullptr; } -char* AppIdApi::get_http_referer(AppIdSession* session) +char* AppIdApi::get_http_referer(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->referer; + if (asd && asd->hsession) + return asd->hsession->referer; return nullptr; } -char* AppIdApi::get_http_new_url(AppIdSession* session) +char* AppIdApi::get_http_new_url(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->new_field[REQ_URI_FID]; + if (asd && asd->hsession) + return asd->hsession->new_field[REQ_URI_FID]; return nullptr; } -char* AppIdApi::get_http_uri(AppIdSession* session) +char* AppIdApi::get_http_uri(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->uri; + if (asd && asd->hsession) + return asd->hsession->uri; return nullptr; } -char* AppIdApi::get_http_response_code(AppIdSession* session) +char* AppIdApi::get_http_response_code(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->response_code; + if (asd && asd->hsession) + return asd->hsession->response_code; return nullptr; } -char* AppIdApi::get_http_cookie(AppIdSession* session) +char* AppIdApi::get_http_cookie(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->cookie; + if (asd && asd->hsession) + return asd->hsession->cookie; return nullptr; } -char* AppIdApi::get_http_new_cookie(AppIdSession* session) +char* AppIdApi::get_http_new_cookie(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->new_field[REQ_COOKIE_FID]; + if (asd && asd->hsession) + return asd->hsession->new_field[REQ_COOKIE_FID]; return nullptr; } -char* AppIdApi::get_http_new_field(AppIdSession* session, HTTP_FIELD_ID fieldId) +char* AppIdApi::get_http_new_field(AppIdSession* asd, HTTP_FIELD_ID fieldId) { - if (session && session->hsession && fieldId >= 0 && fieldId <= HTTP_FIELD_MAX) - return session->hsession->new_field[fieldId]; + if (asd && asd->hsession && fieldId >= 0 && fieldId <= HTTP_FIELD_MAX) + return asd->hsession->new_field[fieldId]; return nullptr; } -void AppIdApi::free_http_new_field(AppIdSession* session, HTTP_FIELD_ID fieldId) +void AppIdApi::free_http_new_field(AppIdSession* asd, HTTP_FIELD_ID fieldId) { - if (session && session->hsession && fieldId >= 0 && fieldId <= HTTP_FIELD_MAX && - nullptr != session->hsession->new_field[fieldId]) + if (asd && asd->hsession && fieldId >= 0 && fieldId <= HTTP_FIELD_MAX && + nullptr != asd->hsession->new_field[fieldId]) { - snort_free(session->hsession->new_field[fieldId]); - session->hsession->new_field[fieldId] = nullptr; + snort_free(asd->hsession->new_field[fieldId]); + asd->hsession->new_field[fieldId] = nullptr; } } -char* AppIdApi::get_http_content_type(AppIdSession* session) +char* AppIdApi::get_http_content_type(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->content_type; + if (asd && asd->hsession) + return asd->hsession->content_type; return nullptr; } -char* AppIdApi::get_http_location(AppIdSession* session) +char* AppIdApi::get_http_location(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->location; + if (asd && asd->hsession) + return asd->hsession->location; return nullptr; } -char* AppIdApi::get_http_body(AppIdSession* session) +char* AppIdApi::get_http_body(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->body; + if (asd && asd->hsession) + return asd->hsession->body; return nullptr; } -char* AppIdApi::get_http_request_body(AppIdSession* session) +char* AppIdApi::get_http_request_body(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->req_body; + if (asd && asd->hsession) + return asd->hsession->req_body; return nullptr; } -uint16_t AppIdApi::get_http_uri_offset(AppIdSession* session) +uint16_t AppIdApi::get_http_uri_offset(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->uriOffset; + if (asd && asd->hsession) + return asd->hsession->uriOffset; return 0; } -uint16_t AppIdApi::get_http_uri_end_offset(AppIdSession* session) +uint16_t AppIdApi::get_http_uri_end_offset(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->uriEndOffset; + if (asd && asd->hsession) + return asd->hsession->uriEndOffset; return 0; } -uint16_t AppIdApi::get_http_cookie_offset(AppIdSession* session) +uint16_t AppIdApi::get_http_cookie_offset(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->cookieOffset; + if (asd && asd->hsession) + return asd->hsession->cookieOffset; return 0; } -uint16_t AppIdApi::get_http_cookie_end_offset(AppIdSession* session) +uint16_t AppIdApi::get_http_cookie_end_offset(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->cookieEndOffset; + if (asd && asd->hsession) + return asd->hsession->cookieEndOffset; return 0; } -SEARCH_SUPPORT_TYPE AppIdApi::get_http_search(AppIdSession* session) +SEARCH_SUPPORT_TYPE AppIdApi::get_http_search(AppIdSession* asd) { - if (session) - return (session->search_support_type != SEARCH_SUPPORT_TYPE_UNKNOWN) ? - session->search_support_type : NOT_A_SEARCH_ENGINE; + if (asd) + return (asd->search_support_type != UNKNOWN_SEARCH_ENGINE) ? + asd->search_support_type : NOT_A_SEARCH_ENGINE; return NOT_A_SEARCH_ENGINE; } -// FIXIT used to be sfaddr_t -sfip_t* AppIdApi::get_http_xff_addr(AppIdSession* session) +sfip_t* AppIdApi::get_http_xff_addr(AppIdSession* asd) { - if (session && session->hsession) - return session->hsession->xffAddr; + if (asd && asd->hsession) + return asd->hsession->xffAddr; return nullptr; } -char* AppIdApi::get_tls_host(AppIdSession* session) +char* AppIdApi::get_tls_host(AppIdSession* asd) { - if (session && session->tsession) - return session->tsession->tls_host; + if (asd && asd->tsession) + return asd->tsession->tls_host; return nullptr; } -// FIXIT used to be sfaddr_t -sfip_t* AppIdApi::get_service_ip(AppIdSession* session) +sfip_t* AppIdApi::get_service_ip(AppIdSession* asd) { - if (session) - return &session->service_ip; + if (asd) + return &asd->service_ip; return nullptr; } -// FIXIT used to be sfaddr_t -sfip_t* AppIdApi::get_initiator_ip(AppIdSession* session) +sfip_t* AppIdApi::get_initiator_ip(AppIdSession* asd) { - return session ? &session->common.initiator_ip : nullptr; + return asd ? &asd->common.initiator_ip : nullptr; } -DhcpFPData* AppIdApi::get_dhcp_fp_data(AppIdSession* session) +DHCPData* AppIdApi::get_dhcp_fp_data(AppIdSession* asd) { - if (session && session->getAppIdFlag(APPID_SESSION_HAS_DHCP_FP)) - return static_cast( - session->remove_flow_data(APPID_SESSION_DATA_DHCP_FP_DATA)); + if (asd && asd->get_session_flags(APPID_SESSION_HAS_DHCP_FP)) + return static_cast( + asd->remove_flow_data(APPID_SESSION_DATA_DHCP_FP_DATA)); return nullptr; } -void AppIdApi::free_dhcp_fp_data(AppIdSession* session, DhcpFPData* data) +void AppIdApi::free_dhcp_fp_data(AppIdSession* asd, DHCPData* data) { - if (session) + if (asd) { - session->clearAppIdFlag(APPID_SESSION_HAS_DHCP_FP); + asd->clear_session_flags(APPID_SESSION_HAS_DHCP_FP); AppIdFreeDhcpData(data); } } -DHCPInfo* AppIdApi::get_dhcp_info(AppIdSession* session) +DHCPInfo* AppIdApi::get_dhcp_info(AppIdSession* asd) { - if (session && session->getAppIdFlag(APPID_SESSION_HAS_DHCP_INFO)) + if (asd && asd->get_session_flags(APPID_SESSION_HAS_DHCP_INFO)) return static_cast( - session->remove_flow_data(APPID_SESSION_DATA_DHCP_INFO)); + asd->remove_flow_data(APPID_SESSION_DATA_DHCP_INFO)); return nullptr; } -void AppIdApi::free_dhcp_info(AppIdSession* session, DHCPInfo* data) +void AppIdApi::free_dhcp_info(AppIdSession* asd, DHCPInfo* data) { - if (session) + if (asd) { - session->clearAppIdFlag(APPID_SESSION_HAS_DHCP_INFO); + asd->clear_session_flags(APPID_SESSION_HAS_DHCP_INFO); AppIdFreeDhcpInfo(data); } } -FpSMBData* AppIdApi::get_smb_fp_data(AppIdSession* session) +FpSMBData* AppIdApi::get_smb_fp_data(AppIdSession* asd) { - if (session && session->getAppIdFlag(APPID_SESSION_HAS_SMB_INFO)) + if (asd && asd->get_session_flags(APPID_SESSION_HAS_SMB_INFO)) return static_cast( - session->remove_flow_data(APPID_SESSION_DATA_SMB_DATA)); + asd->remove_flow_data(APPID_SESSION_DATA_SMB_DATA)); return nullptr; } -void AppIdApi::free_smb_fp_data(AppIdSession* session, FpSMBData* data) +void AppIdApi::free_smb_fp_data(AppIdSession* asd, FpSMBData* data) { - if (session) + if (asd) { - session->clearAppIdFlag(APPID_SESSION_HAS_SMB_INFO); + asd->clear_session_flags(APPID_SESSION_HAS_SMB_INFO); AppIdFreeSMBData(data); } } -char* AppIdApi::get_netbios_name(AppIdSession* session) +char* AppIdApi::get_netbios_name(AppIdSession* asd) { - if (session) + if (asd) { - char* netbiosName = session->netbios_name; - session->netbios_name = nullptr; //transfer ownership to caller. + char* netbiosName = asd->netbios_name; + asd->netbios_name = nullptr; //transfer ownership to caller. return netbiosName; } return nullptr; @@ -489,31 +487,30 @@ char* AppIdApi::get_netbios_name(AppIdSession* session) #define APPID_HA_FLAGS_SVC_DONE (1<<2) #define APPID_HA_FLAGS_HTTP (1<<3) -uint32_t AppIdApi::produce_ha_state(void* lwssn, uint8_t* buf) +uint32_t AppIdApi::produce_ha_state(Flow* flow, uint8_t* buf) { AppIdSessionHA* appHA = (AppIdSessionHA*)buf; - AppIdSession* session = (AppIdSession*)(((Flow*)lwssn)->get_flow_data(AppIdSession::flow_id)); + AppIdSession* asd = (AppIdSession*)(flow->get_flow_data(AppIdSession::flow_id)); - // FIXIT - getFlowType should be a class member - if (session && get_flow_type(session) != APPID_FLOW_TYPE_NORMAL) - session = nullptr; - if (session) + if ( get_flow_type(asd) != APPID_FLOW_TYPE_NORMAL ) + asd = nullptr; + if ( asd ) { appHA->flags = APPID_HA_FLAGS_APP; - if (TPIsAppIdAvailable(session->tpsession)) + if (TPIsAppIdAvailable(asd->tpsession)) appHA->flags |= APPID_HA_FLAGS_TP_DONE; - if (session->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) appHA->flags |= APPID_HA_FLAGS_SVC_DONE; - if (session->getAppIdFlag(APPID_SESSION_HTTP_SESSION)) + if (asd->get_session_flags(APPID_SESSION_HTTP_SESSION)) appHA->flags |= APPID_HA_FLAGS_HTTP; - appHA->appId[0] = session->tp_app_id; - appHA->appId[1] = session->serviceAppId; - appHA->appId[2] = session->client_service_app_id; - appHA->appId[3] = session->portServiceAppId; - appHA->appId[4] = session->payload_app_id; - appHA->appId[5] = session->tp_payload_app_id; - appHA->appId[6] = session->client_app_id; - appHA->appId[7] = session->misc_app_id; + appHA->appId[0] = asd->tp_app_id; + appHA->appId[1] = asd->serviceAppId; + appHA->appId[2] = asd->client_service_app_id; + appHA->appId[3] = asd->portServiceAppId; + appHA->appId[4] = asd->payload_app_id; + appHA->appId[5] = asd->tp_payload_app_id; + appHA->appId[6] = asd->client_app_id; + appHA->appId[7] = asd->misc_app_id; } else { @@ -522,104 +519,103 @@ uint32_t AppIdApi::produce_ha_state(void* lwssn, uint8_t* buf) return sizeof(*appHA); } -// FIXIT last arg used to be sfaddr_t -uint32_t AppIdApi::consume_ha_state(void* lwssn, const uint8_t* buf, uint8_t, IpProtocol proto, +uint32_t AppIdApi::consume_ha_state(Flow* flow, const uint8_t* buf, uint8_t, IpProtocol proto, sfip_t* ip) { AppIdSessionHA* appHA = (AppIdSessionHA*)buf; if (appHA->flags & APPID_HA_FLAGS_APP) { - AppIdSession* session = (AppIdSession*)(((Flow*)lwssn)->get_flow_data( - AppIdSession::flow_id)); + AppIdSession* asd = + (AppIdSession*)(flow->get_flow_data(AppIdSession::flow_id)); - if (!session) + if (!asd) { - session = new AppIdSession(proto, ip); - ((Flow*)lwssn)->set_flow_data(session); - if (session->serviceAppId == APP_ID_FTP_CONTROL) + asd = new AppIdSession(proto, ip); + flow->set_flow_data(asd); + if (asd->serviceAppId == APP_ID_FTP_CONTROL) { - session->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED | + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_SERVICE_DETECTED); - if (!AddFTPServiceState(session)) + if (!AddFTPServiceState(asd)) { - session->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); } - session->rnaServiceState = RNA_STATE_STATEFUL; + asd->rnaServiceState = RNA_STATE_STATEFUL; } else - session->rnaServiceState = RNA_STATE_FINISHED; - session->rna_client_state = RNA_STATE_FINISHED; + asd->rnaServiceState = RNA_STATE_FINISHED; + asd->rna_client_state = RNA_STATE_FINISHED; if (thirdparty_appid_module) - thirdparty_appid_module->session_state_set(session->tpsession, TP_STATE_HA); + thirdparty_appid_module->session_state_set(asd->tpsession, TP_STATE_HA); } if ( ( appHA->flags & APPID_HA_FLAGS_TP_DONE ) && thirdparty_appid_module ) { - thirdparty_appid_module->session_state_set(session->tpsession, TP_STATE_TERMINATED); - session->setAppIdFlag(APPID_SESSION_NO_TPI); + thirdparty_appid_module->session_state_set(asd->tpsession, TP_STATE_TERMINATED); + asd->set_session_flags(APPID_SESSION_NO_TPI); } if (appHA->flags & APPID_HA_FLAGS_SVC_DONE) - session->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED); if (appHA->flags & APPID_HA_FLAGS_HTTP) - session->setAppIdFlag(APPID_SESSION_HTTP_SESSION); - - session->tp_app_id = appHA->appId[0]; - session->serviceAppId = appHA->appId[1]; - session->client_service_app_id = appHA->appId[2]; - session->portServiceAppId = appHA->appId[3]; - session->payload_app_id = appHA->appId[4]; - session->tp_payload_app_id = appHA->appId[5]; - session->client_app_id = appHA->appId[6]; - session->misc_app_id = appHA->appId[7]; + asd->set_session_flags(APPID_SESSION_HTTP_SESSION); + + asd->tp_app_id = appHA->appId[0]; + asd->serviceAppId = appHA->appId[1]; + asd->client_service_app_id = appHA->appId[2]; + asd->portServiceAppId = appHA->appId[3]; + asd->payload_app_id = appHA->appId[4]; + asd->tp_payload_app_id = appHA->appId[5]; + asd->client_app_id = appHA->appId[6]; + asd->misc_app_id = appHA->appId[7]; } return sizeof(*appHA); } -char* AppIdApi::get_dns_query(AppIdSession* session, uint8_t* query_len) +char* AppIdApi::get_dns_query(AppIdSession* asd, uint8_t* query_len) { - if (session && session->dsession) + if (asd && asd->dsession) { if (query_len) { - if (session->dsession->host) - *query_len = session->dsession->host_len; + if (asd->dsession->host) + *query_len = asd->dsession->host_len; else *query_len = 0; } - return session->dsession->host; + return asd->dsession->host; } if (query_len) *query_len = 0; return nullptr; } -uint16_t AppIdApi::get_dns_query_offset(AppIdSession* session) +uint16_t AppIdApi::get_dns_query_offset(AppIdSession* asd) { - if (session && session->dsession) - return session->dsession->host_offset; + if (asd && asd->dsession) + return asd->dsession->host_offset; return 0; } -uint16_t AppIdApi::get_dns_record_type(AppIdSession* session) +uint16_t AppIdApi::get_dns_record_type(AppIdSession* asd) { - if (session && session->dsession) - return session->dsession->record_type; + if (asd && asd->dsession) + return asd->dsession->record_type; return 0; } -uint8_t AppIdApi::get_dns_response_type(AppIdSession* session) +uint8_t AppIdApi::get_dns_response_type(AppIdSession* asd) { - if (session && session->dsession) - return session->dsession->response_type; + if (asd && asd->dsession) + return asd->dsession->response_type; return 0; } -uint32_t AppIdApi::get_dns_ttl(AppIdSession* session) +uint32_t AppIdApi::get_dns_ttl(AppIdSession* asd) { - if (session && session->dsession) - return session->dsession->ttl; + if (asd && asd->dsession) + return asd->dsession->ttl; return 0; } diff --git a/src/network_inspectors/appid/appid_api.h b/src/network_inspectors/appid/appid_api.h index d57435296..ba2caa0e3 100644 --- a/src/network_inspectors/appid/appid_api.h +++ b/src/network_inspectors/appid/appid_api.h @@ -112,25 +112,21 @@ struct RNAServiceSubtype #define DHCP_OP55_MAX_SIZE 64 #define DHCP_OP60_MAX_SIZE 64 -struct DhcpFPData +struct DHCPData { - DhcpFPData *next; + DHCPData *next; unsigned op55_len; unsigned op60_len; uint8_t op55[DHCP_OP55_MAX_SIZE]; uint8_t op60[DHCP_OP60_MAX_SIZE]; - // FIXIT-L J should be using eth address type here - uint8_t mac[6]; + uint8_t eth_addr[6]; } ; -// FIXIT-L J inconsistently named structs (DHCPInfo vs DhcpFPData, note the "DHCP") struct DHCPInfo { DHCPInfo *next; uint32_t ipAddr; - // FIXIT-L J should be using eth address type here - // FIXIT-L J inconsistently named fields (macAddr here, mac in DhcpFPData) - uint8_t macAddr[6]; + uint8_t eth_addr[6]; uint32_t subnetmask; uint32_t leaseSecs; uint32_t router; @@ -155,14 +151,12 @@ struct AppIdSessionHA enum SEARCH_SUPPORT_TYPE { - // FIXIT-L J enums are inconsistently named NOT_A_SEARCH_ENGINE, SUPPORTED_SEARCH_ENGINE, UNSUPPORTED_SEARCH_ENGINE, - SEARCH_SUPPORT_TYPE_UNKNOWN, + UNKNOWN_SEARCH_ENGINE, }; -// FIXIT-M J probable duplication from new http_inspect enum HTTP_FIELD_ID { REQ_AGENT_FID = 0, @@ -234,15 +228,16 @@ public: SEARCH_SUPPORT_TYPE get_http_search(AppIdSession*); sfip_t* get_http_xff_addr(AppIdSession*); char* get_tls_host(AppIdSession*); - DhcpFPData* get_dhcp_fp_data(AppIdSession*); - void free_dhcp_fp_data(AppIdSession*, DhcpFPData*); + DHCPData* get_dhcp_fp_data(AppIdSession*); + void free_dhcp_fp_data(AppIdSession*, DHCPData*); DHCPInfo* get_dhcp_info(AppIdSession*); void free_dhcp_info(AppIdSession*, DHCPInfo*); FpSMBData* get_smb_fp_data(AppIdSession*); void free_smb_fp_data(AppIdSession*, FpSMBData*); char* get_netbios_name(AppIdSession*); - uint32_t produce_ha_state(void* lwssn, uint8_t* buf); - uint32_t consume_ha_state(void* lwssn, const uint8_t* buf, uint8_t length, IpProtocol proto, sfip_t* ip); + uint32_t produce_ha_state(Flow* flow, uint8_t* buf); + uint32_t consume_ha_state(Flow* flow, const uint8_t* buf, uint8_t length, + IpProtocol proto, sfip_t* ip); AppIdSession* get_appid_data(Flow* flow); char* get_dns_query(AppIdSession*, uint8_t* query_len); uint16_t get_dns_query_offset(AppIdSession*); diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index a39ac7870..f69db31d0 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc @@ -35,11 +35,9 @@ #define ODP_PORT_DETECTORS "odp/port/*" #define CUSTOM_PORT_DETECTORS "custom/port/*" +#define MAX_DISPLAY_SIZE 65536 -// FIXIT - M this global needs to go asap... just here now to compile while doing some major config -// refactoring -AppIdConfig* pAppidActiveConfig = nullptr; - +static AppIdConfig* appid_config = nullptr; unsigned appIdPolicyId; uint32_t app_id_netmasks[33]; @@ -56,8 +54,24 @@ AppIdModuleConfig::~AppIdModuleConfig() snort_free((void*)conf_file); snort_free((void*)app_detector_dir); snort_free((void*)thirdparty_appid_dir); - pAppidActiveConfig = nullptr; + appid_config = nullptr; + +} + +AppIdConfig::AppIdConfig( AppIdModuleConfig* config ) + : mod_config( config ), app_info_mgr(AppInfoManager::get_instance()) +{ + +} + +AppIdConfig::~AppIdConfig() +{ + cleanup(); +} +AppIdConfig* AppIdConfig::get_appid_config() +{ + return appid_config; } void AppIdConfig::add_generic_config_element(const char* name, void* pData) @@ -82,9 +96,7 @@ void* AppIdConfig::find_generic_config_element(const char* name) pConfigItem = (AppidGenericConfigItem*)sflist_next(&next)) { if (strcmp(pConfigItem->name, name) == 0) - { return pConfigItem->pData; - } } return nullptr; @@ -214,6 +226,7 @@ void AppIdConfig::read_port_detectors(const char* files) } } } + if (port && proto && appId > APP_ID_NONE) { while ((tmp_port = port)) @@ -225,9 +238,9 @@ void AppIdConfig::read_port_detectors(const char* files) udp_port_only[tmp_port->port] = appId; snort_free(tmp_port); - set_app_info_active(appId); + app_info_mgr.set_app_info_active(appId); } - set_app_info_active(appId); + app_info_mgr.set_app_info_active(appId); } else ErrorMessage("Missing parameter(s) in port service '%s'\n",globs.gl_pathv[n]); @@ -668,28 +681,24 @@ void AppIdConfig::set_safe_search_enforcement(int enabled) bool AppIdConfig::init_appid( ) { + appid_config = this; map_app_names_to_snort_ids(); - appIdPolicyId = 53; - // FIXIT - active config must be per Inspector instance...not this global... - pAppidActiveConfig = this; InitNetmasks(app_id_netmasks); - init_appid_info_table(mod_config->app_detector_dir); - sflist_init(&pAppidActiveConfig->client_app_args); + app_info_mgr.init_appid_info_table(mod_config->app_detector_dir); + sflist_init(&appid_config->client_app_args); load_analysis_config(mod_config->conf_file, 0, mod_config->instance_id); read_port_detectors(ODP_PORT_DETECTORS); read_port_detectors(CUSTOM_PORT_DETECTORS); - ThirdPartyAppIDInit(mod_config); - show(); if ( mod_config->dump_ports ) { dumpPorts(stdout); display_port_config(); - dump_app_info_table(); - exit(0); + app_info_mgr.dump_app_info_table(); + exit(0); // FIXIT-L - implement better way to dump config and exit } return true; @@ -726,7 +735,7 @@ void AppIdConfig::cleanup() thirdparty_appid_module->print_stats(); ThirdPartyAppIDFini(); - cleanup_appid_info_table(); + app_info_mgr.cleanup_appid_info_table(); NetworkSet* net_list; ///< list of network sets while ((net_list = net_list_list)) @@ -862,7 +871,7 @@ void AppIdConfig::display_port_config() int first; first = 1; - for (i=0; iprint_stats(); LogMessage(" Total packets ignored : %" PRIu64 "\n", appid_stats.ignored_packets); - AppIdServiceStateDumpStats(); + dump_service_state_stats(); } AppIdInspector::AppIdInspector(const AppIdModuleConfig* pc) @@ -79,14 +79,14 @@ bool AppIdInspector::configure(SnortConfig*) show(nullptr); return active_config->init_appid(); - // FIXIT some of this stuff may be needed in some fashion... + // FIXIT-M some of this stuff may be needed in some fashion... #ifdef REMOVED_WHILE_NOT_IN_USE _dpd.registerGeAppId(getOpenAppId); if (!thirdparty_appid_module) _dpd.streamAPI->register_http_header_callback(httpHeaderCallback); _dpd.registerSslAppIdLookup(sslAppGroupIdLookup); - // FIXIT AppID will need to register for SIP events for sip detection to work... + // FIXIT-M AppID will need to register for SIP events for sip detection to work... if (_dpd.streamAPI->service_event_subscribe(PP_SIP, SIP_EVENT_TYPE_SIP_DIALOG, SipSessionSnortCallback) == false) DynamicPreprocessorFatalMessage("failed to subscribe to SIP_DIALOG\n"); @@ -111,7 +111,6 @@ void AppIdInspector::tinit() { init_appid_statistics(config); hostPortAppCacheInit(); - init_dynamic_app_info_table(); init_appid_forecast(); init_http_detector(); init_service_plugins(); @@ -121,10 +120,8 @@ void AppIdInspector::tinit() init_length_app_cache(); lua_detector_mgr = new LuaDetectorManager; - lua_detector_mgr->LoadLuaModules(pAppidActiveConfig); - lua_detector_mgr->luaModuleInitAllClients(); - lua_detector_mgr->luaModuleInitAllServices(); - lua_detector_mgr->FinalizeLuaModules(); + lua_detector_mgr->load_lua_detectors(active_config); + lua_detector_mgr->activate_lua_detectors(); if(config->debug && list_lua_detectors) { lua_detector_mgr->list_lua_detectors(); @@ -146,6 +143,8 @@ void AppIdInspector::tinit() void AppIdInspector::tterm() { + cleanup_appid_statistics(); + hostPortAppCacheFini(); clean_appid_forecast(); service_dns_host_clean(); @@ -155,12 +154,10 @@ void AppIdInspector::tterm() clean_http_detector(); free_CHP_glossary(); free_length_app_cache(); - free_dynamic_app_info_table(); AppIdSession::release_free_list_flow_data(); delete lua_detector_mgr; clean_service_state(); - cleanup_appid_statistics(); } void AppIdInspector::eval(Packet* pkt) @@ -243,74 +240,74 @@ const BaseApi* nin_appid = &appid_inspector_api.base; #endif #ifdef REMOVED_WHILE_NOT_IN_USE -// FIXIT-M: This is to be replace with snort3 inspection events +// FIXIT-M This is to be replace with snort3 inspection events void httpHeaderCallback(Packet* p, HttpParsedHeaders* const headers) { - AppIdSession* session; + AppIdSession* asd; int direction; - AppIdConfig* pConfig = pAppidActiveConfig; + AppIdConfig* pConfig = AppIdConfig::get_appid_config(); if (thirdparty_appid_module) return; - if (!p || !(session = appid_api.get_appid_data(p->flow))) + if (!p || !(asd = appid_api.get_appid_data(p->flow))) return; direction = p->is_from_client() ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; - if (!session->hsession) - session->hsession = (decltype(session->hsession))snort_calloc(sizeof(httpSession)); + if (!asd->hsession) + asd->hsession = (decltype(asd->hsession))snort_calloc(sizeof(httpSession)); if (direction == APP_ID_FROM_INITIATOR) { if (headers->host.start) { - snort_free(session->hsession->host); - session->hsession->host = snort_strndup((char*)headers->host.start, headers->host.len); - session->scan_flags |= SCAN_HTTP_HOST_URL_FLAG; + snort_free(asd->hsession->host); + asd->hsession->host = snort_strndup((char*)headers->host.start, headers->host.len); + asd->scan_flags |= SCAN_HTTP_HOST_URL_FLAG; if (headers->url.start) { - snort_free(session->hsession->url); - session->hsession->url = (char*)snort_calloc(sizeof(HTTP_PREFIX) + + snort_free(asd->hsession->url); + asd->hsession->url = (char*)snort_calloc(sizeof(HTTP_PREFIX) + headers->host.len + headers->url.len); - strcpy(session->hsession->url, HTTP_PREFIX); - strncat(session->hsession->url, (char*)headers->host.start, headers->host.len); - strncat(session->hsession->url, (char*)headers->url.start, headers->url.len); - session->scan_flags |= SCAN_HTTP_HOST_URL_FLAG; + strcpy(asd->hsession->url, HTTP_PREFIX); + strncat(asd->hsession->url, (char*)headers->host.start, headers->host.len); + strncat(asd->hsession->url, (char*)headers->url.start, headers->url.len); + asd->scan_flags |= SCAN_HTTP_HOST_URL_FLAG; } } if (headers->userAgent.start) { - snort_free(session->hsession->useragent); - session->hsession->useragent = snort_strndup((char*)headers->userAgent.start, + snort_free(asd->hsession->useragent); + asd->hsession->useragent = snort_strndup((char*)headers->userAgent.start, headers->userAgent.len); - session->scan_flags |= SCAN_HTTP_USER_AGENT_FLAG; + asd->scan_flags |= SCAN_HTTP_USER_AGENT_FLAG; } if (headers->referer.start) { - snort_free(session->hsession->referer); - session->hsession->referer = snort_strndup((char*)headers->referer.start, + snort_free(asd->hsession->referer); + asd->hsession->referer = snort_strndup((char*)headers->referer.start, headers->referer.len); } if (headers->via.start) { - snort_free(session->hsession->via); - session->hsession->via = snort_strndup((char*)headers->via.start, headers->via.len); - session->scan_flags |= SCAN_HTTP_VIA_FLAG; + snort_free(asd->hsession->via); + asd->hsession->via = snort_strndup((char*)headers->via.start, headers->via.len); + asd->scan_flags |= SCAN_HTTP_VIA_FLAG; } } else { if (headers->via.start) { - snort_free(session->hsession->via); - session->hsession->via = snort_strndup((char*)headers->via.start, headers->via.len); - session->scan_flags |= SCAN_HTTP_VIA_FLAG; + snort_free(asd->hsession->via); + asd->hsession->via = snort_strndup((char*)headers->via.start, headers->via.len); + asd->scan_flags |= SCAN_HTTP_VIA_FLAG; } if (headers->contentType.start) { - snort_free(session->hsession->content_type); - session->hsession->content_type = snort_strndup((char*)headers->contentType.start, + snort_free(asd->hsession->content_type); + asd->hsession->content_type = snort_strndup((char*)headers->contentType.start, headers->contentType.len); } if (headers->responseCode.start) @@ -319,17 +316,17 @@ void httpHeaderCallback(Packet* p, HttpParsedHeaders* const headers) responseCodeNum = strtoul((char*)headers->responseCode.start, nullptr, 10); if (responseCodeNum > 0 && responseCodeNum < 700) { - snort_free(session->hsession->response_code); - session->hsession->response_code = snort_strndup((char*)headers->responseCode.start, + snort_free(asd->hsession->response_code); + asd->hsession->response_code = snort_strndup((char*)headers->responseCode.start, headers->responseCode.len); } } } - session->processHTTPPacket(p, direction, headers, pConfig); - session->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION); - p->flow->set_application_ids(session->pick_service_app_id(), session->pick_client_app_id(), - session->pick_payload_app_id(), session->pick_misc_app_id()); + asd->processHTTPPacket(p, direction, headers, pConfig); + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION); + p->flow->set_application_ids(asd->pick_service_app_id(), asd->pick_client_app_id(), + asd->pick_payload_app_id(), asd->pick_misc_app_id()); } #endif @@ -340,32 +337,32 @@ void httpHeaderCallback(Packet* p, HttpParsedHeaders* const headers) // AppId* serviceAppId, AppId* ClientAppId, AppId* payloadAppId) int sslAppGroupIdLookup(void*, const char*, const char*, AppId*, AppId*, AppId*) { - // FIXIT-M: detemine need and proper location for this code when support for ssl is implemented + // FIXIT-M detemine need and proper location for this code when support for ssl is implemented #ifdef REMOVED_WHILE_NOT_IN_USE - AppIdSession* session; + AppIdSession* asd; *serviceAppId = *ClientAppId = *payload_app_id = APP_ID_NONE; if (commonName) { ssl_scan_cname((const uint8_t*)commonName, strlen(commonName), ClientAppId, payload_app_id, - &pAppidActiveConfig->serviceSslConfig); + &AppIdConfig::get_appid_config()->serviceSslConfig); } if (serverName) { ssl_scan_hostname((const uint8_t*)serverName, strlen(serverName), ClientAppId, - payload_app_id, &pAppidActiveConfig->serviceSslConfig); + payload_app_id, &AppIdConfig::get_appid_config()->serviceSslConfig); } - if (ssnptr && (session = appid_api.get_appid_data(ssnptr))) + if (ssnptr && (asd = appid_api.get_appid_data(ssnptr))) { - *serviceAppId = pick_service_app_id(session); + *serviceAppId = pick_service_app_id(asd); if (*ClientAppId == APP_ID_NONE) { - *ClientAppId = pick_client_app_id(session); + *ClientAppId = pick_client_app_id(asd); } if (*payload_app_id == APP_ID_NONE) { - *payload_app_id = pick_payload_app_id(session); + *payload_app_id = pick_payload_app_id(asd); } } if (*serviceAppId != APP_ID_NONE || @@ -382,7 +379,7 @@ int sslAppGroupIdLookup(void*, const char*, const char*, AppId*, AppId*, AppId*) AppId getOpenAppId(Flow* flow) { assert(flow); - AppIdSession* session = appid_api.get_appid_data(flow); - return session->payload_app_id; + AppIdSession* asd = appid_api.get_appid_data(flow); + return asd->payload_app_id; } diff --git a/src/network_inspectors/appid/appid_inspector.h b/src/network_inspectors/appid/appid_inspector.h index 364d8eb25..a94e7b58d 100644 --- a/src/network_inspectors/appid/appid_inspector.h +++ b/src/network_inspectors/appid/appid_inspector.h @@ -45,8 +45,8 @@ public: return active_config; } -private: +private: const AppIdModuleConfig* config = nullptr; AppIdConfig* active_config = nullptr; bool list_lua_detectors = true; diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index 58d7b6ba6..12396b316 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -21,6 +21,7 @@ #include +#include "sfip/sf_ip.h" #include "appid_module.h" #include "profiler/profiler.h" #include "utils/util.h" @@ -35,7 +36,7 @@ unsigned long app_id_ignored_packet_count = 0; THREAD_LOCAL ProfileStats appidPerfStats; -// FIXIT-M: define and implement a flexible solution for maintaining protocol specific stats +// FIXIT-M define and implement a flexible solution for maintaining protocol specific stats const PegInfo appid_pegs[] = { { "packets", "count of packets received by appid inspector" }, @@ -108,6 +109,20 @@ const PegInfo appid_pegs[] = { nullptr, nullptr } }; +static const Parameter session_log_filter[] = +{ + {"src_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", + "source ip address in CIDR format" }, + { "dst_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", + "destination ip address in CIDR format" }, + { "src_port", Parameter::PT_PORT, "1:", nullptr, "source port" }, + { "dst_port", Parameter::PT_PORT, "1:", nullptr, "destination port" }, + { "protocol", Parameter::PT_STRING, nullptr, nullptr,"ip protocol"}, + { "log_all_sessions", Parameter::PT_BOOL, nullptr, "false", + "enable logging for all appid sessions" }, + { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } +}; + static const Parameter s_params[] = { { "conf", Parameter::PT_STRING, nullptr, nullptr, @@ -132,11 +147,12 @@ static const Parameter s_params[] = "enable dump of AppId port information" }, { "thirdparty_appid_dir", Parameter::PT_STRING, nullptr, nullptr, "directory to load thirdparty AppId detectors from" }, - + { "session_log_filter", Parameter::PT_TABLE, session_log_filter, nullptr, + "session log filter options" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; -// FIXIT-M: Add appid_rules back in once we start using it. +// FIXIT-M Add appid_rules back in once we start using it. #ifdef REMOVED_WHILE_NOT_IN_USE static const RuleMap appid_rules[] = { @@ -191,6 +207,14 @@ bool AppIdModule::set(const char*, Value& v, SnortConfig*) config->debug = v.get_bool(); else if ( v.is("dump_ports") ) config->dump_ports = v.get_bool(); + else if ( v.is("session_log_filter") ) + config->session_log_filter.log_all_sessions = false; // FIXIT-L need to implement support for all log options + else if ( v.is("log_all_sessions") ) + config->session_log_filter.log_all_sessions = v.get_bool(); + else if (v.is("src_ip") ) + sfip_pton(v.get_string(), &config->session_log_filter.sip); + else if (v.is("dst_ip") ) + sfip_pton(v.get_string(), &config->session_log_filter.dip); else return false; diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index ecc75ece1..e9416ff32 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -17,7 +17,8 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// appid_flow_data.cc author Sourcefire Inc. +// appid_session.cc author Sourcefire Inc. +#include "appid_session.h" #include "log/messages.h" #include "protocols/tcp.h" @@ -28,6 +29,13 @@ #include "time/packet_time.h" #include "utils/util.h" +#include "app_info_table.h" +#include "appid_module.h" +#include "fw_appid.h" +#include "appid_stats.h" +#include "app_forecast.h" +#include "host_port_app_cache.h" +#include "lua_detector_module.h" #include "appid_utils/ip_funcs.h" #include "client_plugins/client_app_base.h" #include "detector_plugins/detector_http.h" @@ -36,13 +44,6 @@ #include "service_plugins/service_ssl.h" #include "service_plugins/service_util.h" -#include "appid_session.h" -#include "appid_module.h" -#include "fw_appid.h" -#include "appid_stats.h" -#include "app_forecast.h" -#include "host_port_app_cache.h" -#include "lua_detector_module.h" ProfileStats tpPerfStats; ProfileStats tpLibPerfStats; @@ -51,16 +52,10 @@ ProfileStats clientMatchPerfStats; ProfileStats serviceMatchPerfStats; unsigned AppIdSession::flow_id = 0; -static THREAD_LOCAL AppIdFlowData* fd_free_list; - -static volatile int app_id_debug_flag; -static FWDebugSessionConstraints app_id_debug_info; -char app_id_debug_session[FW_DEBUG_SESSION_ID_SIZE]; -bool app_id_debug_session_flag; - -// FIXIT - should appid_flow_data_id be global to all threads? -static THREAD_LOCAL uint32_t appid_flow_data_id = 0; +THREAD_LOCAL AppIdFlowData* AppIdSession::fd_free_list = nullptr; +THREAD_LOCAL uint32_t AppIdSession::appid_flow_data_id = 0; +// FIXIT-L - determine reason for this mapping and whether we still need it snort3 or can harmonize the IDs used static int16_t snortId_for_ftp; static int16_t snortId_for_ftp_data; static int16_t snortId_for_imap; @@ -79,248 +74,47 @@ void map_app_names_to_snort_ids() snortId_for_http2 = FindProtocolReference("http2"); } -static inline bool fwAppIdDebugCheck(Flow* flow, AppIdSession* session, volatile int debug_flag, - FWDebugSessionConstraints* info, char* debug_session, int direction) +void AppIdSession::set_session_logging_state(const Packet* pkt, int direction) { - if (debug_flag) + if(config->mod_config->session_log_filter.log_all_sessions) { - assert(flow); - const FlowKey* key = flow->key; - - if (((info->protocol == PktType::NONE) || info->protocol == key->pkt_type) && - (((!info->sport || info->sport == key->port_l) && - (!info->sip_flag || memcmp(&info->sip, key->ip_l, sizeof(info->sip)) == 0) && - (!info->dport || info->dport == key->port_h) && - (!info->dip_flag || memcmp(&info->dip, key->ip_h, sizeof(info->dip)) == 0)) || - ((!info->sport || info->sport == key->port_h) && - (!info->sip_flag || memcmp(&info->sip, key->ip_h, sizeof(info->sip)) == 0) && - (!info->dport || info->dport == key->port_l) && - (!info->dip_flag || memcmp(&info->dip, key->ip_l, sizeof(info->dip)) == 0)))) - { - int af; - sfip_t sip; - sfip_t dip; - unsigned offset; - uint16_t sport; - uint16_t dport; - char sipstr[INET6_ADDRSTRLEN]; - char dipstr[INET6_ADDRSTRLEN]; - - if (session && session->common.fsf_type.flow_type != APPID_SESSION_TYPE_IGNORE) - { - if (session->common.initiator_port) - { - if (session->common.initiator_port == key->port_l) - { - sfip_set_raw(&sip, key->ip_l, AF_INET); - sfip_set_raw(&dip, key->ip_l, AF_INET); - sport = key->port_l; - dport = key->port_h; - } - else - { - sfip_set_raw(&sip, key->ip_l, AF_INET); - sfip_set_raw(&dip, key->ip_l, AF_INET); - sport = key->port_h; - dport = key->port_l; - } - } - else - { - // FIXIT-L: the key_ip var was added to be able to call sfip_fast_eq6, need to - // verify this works... not tested as yet... - sfip_t key_ip; - memcpy(key_ip.ip32, key->ip_l, sizeof(key_ip.ip32)); - if (sfip_fast_eq6(&session->common.initiator_ip, &key_ip) == 0) - { - sfip_set_raw(&sip, key->ip_l, AF_INET); - sfip_set_raw(&dip, key->ip_h, AF_INET); - sport = key->port_l; - dport = key->port_h; - } - else - { - sfip_set_raw(&sip, key->ip_l, AF_INET); - sfip_set_raw(&dip, key->ip_h, AF_INET); - sport = key->port_h; - dport = key->port_l; - } - } - } - else - { - sfip_set_raw(&sip, key->ip_l, AF_INET); - sfip_set_raw(&dip, key->ip_h, AF_INET); - sport = key->port_l; - dport = key->port_h; - } - sipstr[0] = 0; - if ( sip.ip32[0] || sip.ip32[1] || sip.ip16[4] || - (sip.ip16[5] && sip.ip16[5] != 0xffff) ) - { - af = AF_INET6; - offset = 0; - } - else - { - af = AF_INET; - offset = 12; - } - - inet_ntop(af, &sip.ip8[offset], sipstr, sizeof(sipstr)); - dipstr[0] = 0; - if ( dip.ip32[0] || dip.ip32[1] || dip.ip16[4] || - (dip.ip16[5] && dip.ip16[5] != 0xFFFF) ) - { - af = AF_INET6; - offset = 0; - } - else - { - af = AF_INET; - offset = 12; - } - - inet_ntop(af, &dip.ip8[offset], dipstr, sizeof(dipstr)); -#ifdef HAVE_DAQ_ADDRESS_SPACE_ID - snprintf(debug_session, FW_DEBUG_SESSION_ID_SIZE, "%s-%u -> %s-%u %u%s AS %u I %u", - sipstr, (unsigned)sport, dipstr, (unsigned)dport, (unsigned)key->pkt_type, - (direction == APP_ID_FROM_INITIATOR) ? "" : " R", - (unsigned)key->addressSpaceId, get_instance_id()); -#else - snprintf(debug_session, FW_DEBUG_SESSION_ID_SIZE, "%s-%u -> %s-%u %u%s I %u", - sipstr, (unsigned)sport, dipstr, (unsigned)dport, (unsigned)key->pkt_type, - (direction == APP_ID_FROM_INITIATOR) ? "" : " R", get_instance_id()); -#endif - return true; - } + session_logging_enabled = true; } - return false; -} - -#ifdef APPID_UNUSED_CODE -static inline void appIdDebugParse(const char* desc, const uint8_t* data, uint32_t length, - volatile int* debug_flag, FWDebugSessionConstraints* info) -{ - *debug_flag = 0; - memset(info, 0, sizeof(*info)); - do + else { - if (length >= sizeof(info->protocol)) - { - info->protocol = static_cast(*data); - length -= sizeof(info->protocol); - data += sizeof(info->protocol); - } - else - break; - - if (length >= sizeof(info->sip)) - { - memcpy(&info->sip, data, sizeof(info->sip)); - if (info->sip.u6_addr32[1] || info->sip.u6_addr32[2] || info->sip.u6_addr32[3]) - info->sip_flag = 1; - else if (info->sip.u6_addr32[0]) - { - info->sip.u6_addr32[3] = info->sip.u6_addr32[0]; - info->sip.u6_addr32[0] = 0; - info->sip.u6_addr16[5] = 0xFFFF; - info->sip_flag = 1; - } - length -= sizeof(info->sip); - data += sizeof(info->sip); - } - else - break; + if( !sfip_equals( pkt->ptrs.ip_api.get_src(), &config->mod_config->session_log_filter.sip) ) + return; - if (length >= sizeof(info->sport)) - { - memcpy(&info->sport, data, sizeof(info->sport)); - length -= sizeof(info->sport); - data += sizeof(info->sport); - } - else - break; + if( !sfip_equals( pkt->ptrs.ip_api.get_dst(), &config->mod_config->session_log_filter.dip) ) + return; - if (length >= sizeof(info->dip)) - { - memcpy(&info->dip, data, sizeof(info->dip)); - if (info->dip.u6_addr32[1] || info->dip.u6_addr32[2] || info->dip.u6_addr32[3]) - info->dip_flag = 1; - else if (info->dip.u6_addr32[0]) - { - info->dip.u6_addr32[3] = info->dip.u6_addr32[0]; - info->dip.u6_addr32[0] = 0; - info->dip.u6_addr16[5] = 0xFFFF; - info->dip_flag = 1; - } - length -= sizeof(info->dip); - data += sizeof(info->dip); - } - else - break; + if( !( pkt->ptrs.dp == config->mod_config->session_log_filter.dport ) ) + return; - if (length >= sizeof(info->dport)) - memcpy(&info->dport, data, sizeof(info->dport)); - else - break; - } - while (0); + if( !( pkt->ptrs.dp == config->mod_config->session_log_filter.dport ) ) + return; - if (info->protocol != PktType::NONE || info->sip_flag || info->sport || info->dip_flag || - info->dport) - { - int saf; - int daf; - char sipstr[INET6_ADDRSTRLEN]; - char dipstr[INET6_ADDRSTRLEN]; + if( !( pkt->ptrs.type == config->mod_config->session_log_filter.protocol ) ) + return; - if (!info->sip.u6_addr32[0] && !info->sip.u6_addr32[0] && !info->sip.u6_addr16[4] && - info->sip.u6_addr16[5] == 0xFFFF) - { - saf = AF_INET; - } - else - saf = AF_INET6; - if (!info->dip.u6_addr32[0] && !info->dip.u6_addr32[0] && !info->dip.u6_addr16[4] && - info->dip.u6_addr16[5] == 0xFFFF) - { - daf = AF_INET; - } - else - daf = AF_INET6; - if (!info->sip_flag) - saf = daf; - if (!info->dip_flag) - daf = saf; - sipstr[0] = 0; - inet_ntop(saf, saf == AF_INET ? &info->sip.u6_addr32[3] : info->sip.u6_addr32, sipstr, - sizeof(sipstr)); - dipstr[0] = 0; - inet_ntop(daf, daf == AF_INET ? &info->dip.u6_addr32[3] : info->dip.u6_addr32, dipstr, - sizeof(dipstr)); - LogMessage("Debugging %s with %s-%u and %s-%u %u\n", desc, - sipstr, (unsigned)info->sport, - dipstr, (unsigned)info->dport, - (unsigned)info->protocol); - *debug_flag = 1; + session_logging_enabled = true; } - else - LogMessage("Debugging %s disabled\n", desc); -} -int AppIdDebug(uint16_t, const uint8_t* const data, uint32_t length, void**, char*, int) -{ - appIdDebugParse("appId", data, length, &app_id_debug_flag, &app_id_debug_info); - return 0; + if(session_logging_enabled) + snprintf(session_logging_id, MAX_SESSION_LOGGING_ID_LEN, "%s-%u -> %s-%u %u%s AS %u I %u", + sfip_to_str(pkt->ptrs.ip_api.get_src()), (unsigned)pkt->ptrs.sp, + sfip_to_str(pkt->ptrs.ip_api.get_dst()), (unsigned)pkt->ptrs.dp, + (unsigned)pkt->ptrs.type, (direction == APP_ID_FROM_INITIATOR) ? "" : " R", + (unsigned)pkt->pkth->address_space_id, get_instance_id()); + + return; } -#endif -// FIXIT-M: this function does work that probably should be in http inspector, appid should leverage that if possible +// FIXIT-M this function does work that probably should be in http inspector, appid should leverage that if possible static inline void getOffsetsFromRebuilt(Packet* pkt, httpSession* hsession) { // size of "GET /\r\n\r\n" -#define MIN_HTTP_REQ_HEADER_SIZE 9 + constexpr auto MIN_HTTP_REQ_HEADER_SIZE = sizeof("GET /\r\n\r\n"); const uint8_t cookieStr[] = "Cookie: "; unsigned cookieStrLen = sizeof(cookieStr)-1; const uint8_t crlf[] = "\r\n"; @@ -375,40 +169,6 @@ static inline void getOffsetsFromRebuilt(Packet* pkt, httpSession* hsession) hsession->cookieEndOffset = p - pkt->data; } -void AppIdSession::clear_app_id_data() -{ - payload_app_id = APP_ID_UNKNOWN; - serviceAppId = APP_ID_UNKNOWN; - tp_payload_app_id = APP_ID_UNKNOWN; - tp_app_id = APP_ID_UNKNOWN; - if (payload_version) - { - snort_free(payload_version); - payload_version = nullptr; - } - if (serviceVendor) - { - snort_free(serviceVendor); - serviceVendor = nullptr; - } - if (serviceVersion) - { - snort_free(serviceVersion); - serviceVersion = nullptr; - } - - if (tsession) - free_tls_session_data(); - - if (hsession) - free_http_session_data(); - - if (dsession) - free_dns_session_data(); - - if (thirdparty_appid_module) - thirdparty_appid_module->session_delete(tpsession, 1); -} AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, int direction) { @@ -423,19 +183,21 @@ AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp; data->flow = p->flow; data->stats.firstPktsecond = p->pkth->ts.tv_sec; + data->set_session_logging_state(p, direction); p->flow->set_flow_data(data); return data; } -AppIdSession::AppIdSession(IpProtocol proto, const sfip_t* ip) : FlowData(flow_id) +AppIdSession::AppIdSession(IpProtocol proto, const sfip_t* ip) + : FlowData(flow_id), protocol(proto) { service_ip.clear(); - id = ++appid_flow_data_id; - common.fsf_type.flow_type = APPID_SESSION_TYPE_NORMAL; - protocol = proto; + session_id = ++appid_flow_data_id; + common.flow_type = APPID_FLOW_TYPE_NORMAL; common.initiator_ip = *ip; - + config = AppIdConfig::get_appid_config(); + app_info_mgr = &AppInfoManager::get_instance(); if (thirdparty_appid_module) if (!(tpsession = thirdparty_appid_module->session_create())) ErrorMessage("Could not allocate third party session data"); @@ -471,44 +233,46 @@ AppIdSession* AppIdSession::create_future_session(const Packet* ctrlPkt, const s { char src_ip[INET6_ADDRSTRLEN]; char dst_ip[INET6_ADDRSTRLEN]; - // FIXIT - not needed until ctrlPkt expectedSession is supported + // FIXIT-M not needed until crtlPkt expectedSession is supported //struct _ExpectNode** node; enum PktType type = get_pkt_type_from_ip_proto(proto); assert(type != PktType::NONE); - if (app_id_debug_session_flag) - { - sfip_ntop(cliIp, src_ip, sizeof(src_ip)); - sfip_ntop(srvIp, dst_ip, sizeof(dst_ip)); - } - - AppIdSession* session = new AppIdSession(proto, cliIp); - session->common.policyId = appIdPolicyId; + AppIdSession* asd = new AppIdSession(proto, cliIp); + asd->common.policyId = appIdPolicyId; - // FIXIT - expect session control packet support not ported to snort3 yet + // FIXIT-M expect session control packet support not ported to snort3 yet //node = (flags & APPID_EARLY_SESSION_FLAG_FW_RULE) ? &ctrlPkt->expectedSession : nullptr; - // FIXIT - 2.9.x set_application_protocol_id_expected has several new parameters, need to look + // FIXIT-M 2.9.x set_application_protocol_id_expected has several new parameters, need to look // into what is required to support those here. if ( Stream::set_application_protocol_id_expected(ctrlPkt, type, proto, cliIp, cliPort, srvIp, srvPort, - app_id, session) ) + app_id, asd) ) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s failed to create a related flow for %s-%u -> %s-%u %u\n", - app_id_debug_session, src_ip, (unsigned)cliPort, dst_ip, + sfip_ntop(cliIp, src_ip, sizeof(src_ip)); + sfip_ntop(srvIp, dst_ip, sizeof(dst_ip)); + WarningMessage("AppIdDbg %s failed to create a related flow for %s-%u -> %s-%u %u\n", + asd->session_logging_id, src_ip, (unsigned)cliPort, dst_ip, (unsigned)srvPort, (unsigned)proto); - delete session; - return nullptr; + delete asd; + asd = nullptr; } - else if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s created a related flow for %s-%u -> %s-%u %u\n", - app_id_debug_session, src_ip, (unsigned)cliPort, dst_ip, - (unsigned)srvPort, (unsigned)proto); + else + { + if (asd->session_logging_enabled) + { + sfip_ntop(cliIp, src_ip, sizeof(src_ip)); + sfip_ntop(srvIp, dst_ip, sizeof(dst_ip)); + LogMessage("AppIdDbg %s related flow %s for %s-%u -> %s-%u %u\n", + asd->session_logging_id, asd ? "created" : "creation failed", + src_ip, (unsigned)cliPort, dst_ip, (unsigned)srvPort, (unsigned)proto); + } - session->in_expected_cache = true; + asd->in_expected_cache = true; + } - return session; + return asd; } void AppIdSession::reinit_shared_data() @@ -519,7 +283,7 @@ void AppIdSession::reinit_shared_data() if (isSslServiceAppId(tp_app_id)) { payload_app_id = referred_payload_app_id = tp_payload_app_id = APP_ID_NONE; - clearAppIdFlag(APPID_SESSION_CONTINUE); + clear_session_flags(APPID_SESSION_CONTINUE); if (payload_version) { snort_free(payload_version); @@ -533,9 +297,9 @@ void AppIdSession::reinit_shared_data() } //service - if (!getAppIdFlag(APPID_SESSION_STICKY_SERVICE)) + if (!get_session_flags(APPID_SESSION_STICKY_SERVICE)) { - clearAppIdFlag(APPID_SESSION_STICKY_SERVICE); + clear_session_flags(APPID_SESSION_STICKY_SERVICE); tp_app_id = serviceAppId = portServiceAppId = APP_ID_NONE; if (serviceVendor) @@ -573,7 +337,7 @@ void AppIdSession::reinit_shared_data() resp_tpPackets = 0; scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG; - clearAppIdFlag(APPID_SESSION_SERVICE_DETECTED |APPID_SESSION_CLIENT_DETECTED | + clear_session_flags(APPID_SESSION_SERVICE_DETECTED |APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SSL_SESSION|APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT); } @@ -584,9 +348,9 @@ int AppIdSession::exec_client_detectors(Packet* p, int direction) if (rna_client_data != nullptr) { ret = rna_client_data->validate(p->data, p->dsize, direction, this, p, - rna_client_data->userData); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s %s client detector returned %d\n", app_id_debug_session, + rna_client_data->userData); + if (session_logging_enabled) + LogMessage("AppIdDbg %s %s client detector returned %d\n", session_logging_id, rna_client_data->name ? rna_client_data->name : "UNKNOWN", ret); } else if ( (candidate_client_list != nullptr) @@ -604,8 +368,8 @@ int AppIdSession::exec_client_detectors(Packet* p, int direction) client = (RNAClientAppModule*)node->ndata; result = client->validate(p->data, p->dsize, direction, this, p, client->userData); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s %s client detector returned %d\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s %s client detector returned %d\n", session_logging_id, client->name ? client->name : "UNKNOWN", result); node_tmp = node; @@ -635,7 +399,7 @@ bool AppIdSession::is_packet_ignored(Packet* p) appid_stats.ignored_packets++; return true; } - AppIdSession* session = appid_api.get_appid_data(p->flow); + AppIdSession* asd = appid_api.get_appid_data(p->flow); // FIXIT-M - Need to convert this _dpd stream api call to the correct snort++ method #ifdef REMOVED_WHILE_NOT_IN_USE @@ -645,8 +409,8 @@ bool AppIdSession::is_packet_ignored(Packet* p) #endif if (is_http2) { - if (session) - session->is_http2 = true; + if (asd) + asd->is_http2 = true; if ( !p->is_rebuilt() ) { // For HTTP/2, we only want to look at the ones that are rebuilt from @@ -659,15 +423,15 @@ bool AppIdSession::is_packet_ignored(Packet* p) { if ( p->is_rebuilt() && !p->flow->is_proxied() ) { - if (session && session->hsession && session->hsession->get_offsets_from_rebuilt) + if (asd && asd->hsession && asd->hsession->get_offsets_from_rebuilt) { - getOffsetsFromRebuilt(p, session->hsession); - if (app_id_debug_session_flag) + getOffsetsFromRebuilt(p, asd->hsession); + if (asd->session_logging_enabled) LogMessage( "AppIdDbg %s offsets from rebuilt packet: uri: %u-%u cookie: %u-%u\n", - app_id_debug_session, session->hsession->uriOffset, - session->hsession->uriEndOffset, session->hsession->cookieOffset, - session->hsession->cookieEndOffset); + asd->session_logging_id, asd->hsession->uriOffset, + asd->hsession->uriEndOffset, asd->hsession->cookieOffset, + asd->hsession->cookieEndOffset); } appid_stats.ignored_packets++; return true; @@ -697,19 +461,19 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (ThirdPartyAppIDFoundProto(APP_ID_HTTP, proto_list)) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s flow is HTTP\n", app_id_debug_session); - setAppIdFlag(APPID_SESSION_HTTP_SESSION); + if (session_logging_enabled) + LogMessage("AppIdDbg %s flow is HTTP\n", session_logging_id); + set_session_flags(APPID_SESSION_HTTP_SESSION); } if (ThirdPartyAppIDFoundProto(APP_ID_SPDY, proto_list)) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s flow is SPDY\n", app_id_debug_session); + if (session_logging_enabled) + LogMessage("AppIdDbg %s flow is SPDY\n", session_logging_id); - setAppIdFlag(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION); + set_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION); } - if (getAppIdFlag(APPID_SESSION_HTTP_SESSION)) + if (get_session_flags(APPID_SESSION_HTTP_SESSION)) { if (!hsession) { @@ -717,12 +481,12 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, memset(ptype_scan_counts, 0, 7 * sizeof(ptype_scan_counts[0])); } - if (getAppIdFlag(APPID_SESSION_SPDY_SESSION)) + if (get_session_flags(APPID_SESSION_SPDY_SESSION)) { if (attribute_data->spdyRequesHost) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s SPDY host is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s SPDY host is %s\n", session_logging_id, attribute_data->spdyRequesHost); if (hsession->host) { @@ -734,8 +498,8 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, } if (attribute_data->spdyRequestPath) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s SPDY URI is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s SPDY URI is %s\n", session_logging_id, attribute_data->spdyRequestPath); if (hsession->uri) { @@ -757,7 +521,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, snort_free(hsession->url); hsession->chp_finished = 0; } - if (getAppIdFlag(APPID_SESSION_DECRYPTED) + if (get_session_flags(APPID_SESSION_DECRYPTED) && memcmp(attribute_data->spdyRequestScheme, httpScheme, sizeof(httpScheme)- 1) == 0) { @@ -797,13 +561,13 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, { if (attribute_data->httpRequesHost) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s HTTP host is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s HTTP host is %s\n", session_logging_id, attribute_data->httpRequesHost); if (hsession->host) { snort_free(hsession->host); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->host = attribute_data->httpRequesHost; @@ -817,12 +581,12 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->url) { snort_free(hsession->url); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } //change http to https if session was decrypted. - if (getAppIdFlag(APPID_SESSION_DECRYPTED) + if (get_session_flags(APPID_SESSION_DECRYPTED) && memcmp(attribute_data->httpRequesUrl, httpScheme, sizeof(httpScheme)-1) == 0) { @@ -848,7 +612,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->uri) { snort_free(hsession->uri); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->uri = attribute_data->httpRequestUri; @@ -857,8 +621,8 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, attribute_data->httpRequestUri = nullptr; attribute_data->httpRequestUriOffset = 0; attribute_data->httpRequestUriEndOffset = 0; - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s uri (%u-%u) is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s uri (%u-%u) is %s\n", session_logging_id, hsession->uriOffset, hsession->uriEndOffset, hsession->uri); } @@ -868,7 +632,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->via) { snort_free(hsession->via); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->via = attribute_data->httpRequestVia; @@ -880,7 +644,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->via) { snort_free(hsession->via); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->via = attribute_data->httpResponseVia; @@ -892,7 +656,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->useragent) { snort_free(hsession->useragent); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->useragent = attribute_data->httpRequestUserAgent; @@ -903,14 +667,14 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, // - once it supports it... if (attribute_data->httpResponseVersion) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s HTTP response version is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s HTTP response version is %s\n", session_logging_id, attribute_data->httpResponseVersion); if (strncmp(attribute_data->httpResponseVersion, "HTTP/2", 6) == 0) { - if (app_id_debug_session_flag) + if (session_logging_enabled) LogMessage("AppIdDbg %s 3rd party detected and parsed HTTP/2\n", - app_id_debug_session); + session_logging_id); is_http2 = true; } snort_free(attribute_data->httpResponseVersion); @@ -918,13 +682,13 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, } if (attribute_data->httpResponseCode) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s HTTP response code is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s HTTP response code is %s\n", session_logging_id, attribute_data->httpResponseCode); if (hsession->response_code) { snort_free(hsession->response_code); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->response_code = attribute_data->httpResponseCode; @@ -935,32 +699,32 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, // asks the server to upgrade to HTTP/2). if (attribute_data->httpResponseUpgrade) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s HTTP response upgrade is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s HTTP response upgrade is %s\n", session_logging_id, attribute_data->httpResponseUpgrade); - if (pAppidActiveConfig->mod_config->http2_detection_enabled) + if (config->mod_config->http2_detection_enabled) if (hsession->response_code && (strncmp( hsession->response_code, "101", 3) == 0)) if (strncmp(attribute_data->httpResponseUpgrade, "h2c", 3) == 0) { - if (app_id_debug_session_flag) + if (session_logging_enabled) LogMessage("AppIdDbg %s Got an upgrade to HTTP/2\n", - app_id_debug_session); + session_logging_id); is_http2 = true; } snort_free(attribute_data->httpResponseUpgrade); attribute_data->httpResponseUpgrade = nullptr; } - if (!pAppidActiveConfig->mod_config->referred_appId_disabled && + if (!config->mod_config->referred_appId_disabled && attribute_data->httpRequestReferer) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s referrer is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s referrer is %s\n", session_logging_id, attribute_data->httpRequestReferer); if (hsession->referer) { snort_free(hsession->referer); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->referer = attribute_data->httpRequestReferer; @@ -971,7 +735,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->cookie) { snort_free(hsession->cookie); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->cookie = attribute_data->httpRequestCookie; @@ -980,8 +744,8 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, attribute_data->httpRequestCookie = nullptr; attribute_data->httpRequestCookieOffset = 0; attribute_data->httpRequestCookieEndOffset = 0; - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s cookie (%u-%u) is %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s cookie (%u-%u) is %s\n", session_logging_id, hsession->cookieOffset, hsession->cookieEndOffset, hsession->cookie); } @@ -990,7 +754,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->content_type) { snort_free(hsession->content_type); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->content_type = attribute_data->httpResponseContent; @@ -1002,7 +766,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->location) { snort_free(hsession->location); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->location = attribute_data->httpResponseLocation; @@ -1010,13 +774,13 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, } if (attribute_data->httpRequestBody) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s got a request body %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s got a request body %s\n", session_logging_id, attribute_data->httpRequestBody); if (hsession->req_body) { snort_free(hsession->req_body); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->req_body = attribute_data->httpRequestBody; @@ -1027,7 +791,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (hsession->body) { snort_free(hsession->body); - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->chp_finished = 0; } hsession->body = attribute_data->httpResponseBody; @@ -1039,7 +803,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, } if (!hsession->chp_finished || hsession->chp_hold_flow) { - setAppIdFlag(APPID_SESSION_CHP_INSPECTING); + set_session_flags(APPID_SESSION_CHP_INSPECTING); if (thirdparty_appid_module) thirdparty_appid_module->session_attr_set(tpsession, TP_ATTR_CONTINUE_MONITORING); @@ -1077,7 +841,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, } } - if (!pAppidActiveConfig->mod_config->referred_appId_disabled && + if (!config->mod_config->referred_appId_disabled && !hsession->referer) { if (attribute_data->httpRequestReferer) @@ -1088,14 +852,14 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, } if (hsession->url || (confidence == 100 && - session_packet_count > pAppidActiveConfig->mod_config->rtmp_max_packets)) + session_packet_count > config->mod_config->rtmp_max_packets)) { if (hsession->url) { - if (((getAppIdFromUrl(nullptr, hsession->url, nullptr, + if (((get_appid_from_url(nullptr, hsession->url, nullptr, hsession->referer, &client_app_id, &serviceAppId, &payload_app_id, &referred_payload_app_id, 1)) || - (getAppIdFromUrl(nullptr, hsession->url, nullptr, + (get_appid_from_url(nullptr, hsession->url, nullptr, hsession->referer, &client_app_id, &serviceAppId, &payload_app_id, &referred_payload_app_id, 0))) == 1) { @@ -1119,7 +883,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, thirdparty_appid_module->session_delete(tpsession, 1); } tpsession = nullptr; - clearAppIdFlag(APPID_SESSION_APP_REINSPECT); + clear_session_flags(APPID_SESSION_APP_REINSPECT); } } else if (ThirdPartyAppIDFoundProto(APP_ID_SSL, proto_list)) @@ -1129,7 +893,7 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, if (thirdparty_appid_module && tpsession) tmpAppId = thirdparty_appid_module->session_appid_get(tpsession); - setAppIdFlag(APPID_SESSION_SSL_SESSION); + set_session_flags(APPID_SESSION_SSL_SESSION); if (!tsession) tsession = (tlsSession*)snort_calloc(sizeof(tlsSession)); @@ -1166,22 +930,22 @@ void AppIdSession::ProcessThirdPartyResults(Packet* p, int confidence, } else if (ThirdPartyAppIDFoundProto(APP_ID_FTP_CONTROL, proto_list)) { - if (!pAppidActiveConfig->mod_config->ftp_userid_disabled && attribute_data->ftpCommandUser) + if (!config->mod_config->ftp_userid_disabled && attribute_data->ftpCommandUser) { if (username) snort_free(username); username = attribute_data->ftpCommandUser; attribute_data->ftpCommandUser = nullptr; username_service = APP_ID_FTP_CONTROL; - setAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED); + set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); } } } void AppIdSession::checkTerminateTpModule(uint16_t tpPktCount) { - if ((tpPktCount >= pAppidActiveConfig->mod_config->max_tp_flow_depth) || - (getAppIdFlag(APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT) == + if ((tpPktCount >= config->mod_config->max_tp_flow_depth) || + (get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT) == (APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT) && hsession && hsession->uri && (!hsession->chp_candidate || hsession->chp_finished))) { @@ -1201,23 +965,22 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i AppId* tp_proto_list; int tp_confidence; bool isTpAppidDiscoveryDone = false; - AppIdConfig* pConfig = pAppidActiveConfig; /*** Start of third-party processing. ***/ - if (thirdparty_appid_module && !getAppIdFlag(APPID_SESSION_NO_TPI) + if (thirdparty_appid_module && !get_session_flags(APPID_SESSION_NO_TPI) && (!TPIsAppIdDone(tpsession) - || getAppIdFlag(APPID_SESSION_APP_REINSPECT | APPID_SESSION_APP_REINSPECT_SSL))) + || get_session_flags(APPID_SESSION_APP_REINSPECT | APPID_SESSION_APP_REINSPECT_SSL))) { // First SSL decrypted packet is now being inspected. Reset the flag so that SSL decrypted // traffic // gets processed like regular traffic from next packet onwards - if (getAppIdFlag(APPID_SESSION_APP_REINSPECT_SSL)) - clearAppIdFlag(APPID_SESSION_APP_REINSPECT_SSL); + if (get_session_flags(APPID_SESSION_APP_REINSPECT_SSL)) + clear_session_flags(APPID_SESSION_APP_REINSPECT_SSL); - if (p->dsize || pAppidActiveConfig->mod_config->tp_allow_probes) + if (p->dsize || config->mod_config->tp_allow_probes) { if (protocol != IpProtocol::TCP || !p->dsize || (p->packet_flags & PKT_STREAM_ORDER_OK) - || pAppidActiveConfig->mod_config->tp_allow_probes) + || config->mod_config->tp_allow_probes) { { Profile tpLibPerfStats_profile_context(tpLibPerfStats); @@ -1231,17 +994,17 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i } isTpAppidDiscoveryDone = true; if (thirdparty_appid_module->session_state_get(tpsession) == TP_STATE_CLASSIFIED) - clearAppIdFlag(APPID_SESSION_APP_REINSPECT); + clear_session_flags(APPID_SESSION_APP_REINSPECT); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s 3rd party returned %d\n", app_id_debug_session, tp_app_id); + if (session_logging_enabled) + LogMessage("AppIdDbg %s 3rd party returned %d\n", session_logging_id, tp_app_id); - if (appInfoEntryFlagGet(tp_app_id, APPINFO_FLAG_IGNORE)) + if (app_info_mgr->get_app_info_flags(tp_app_id, APPINFO_FLAG_IGNORE)) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s 3rd party ignored\n", app_id_debug_session); + if (session_logging_enabled) + LogMessage("AppIdDbg %s 3rd party ignored\n", session_logging_id); - if (getAppIdFlag(APPID_SESSION_HTTP_SESSION)) + if (get_session_flags(APPID_SESSION_HTTP_SESSION)) tp_app_id = APP_ID_HTTP; else tp_app_id = APP_ID_NONE; @@ -1250,14 +1013,14 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i // some cases. Treat it like HTTP w/ is_http2 flag set. if ((tp_app_id == APP_ID_HTTP2) && (tp_confidence == 100)) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", app_id_debug_session); + if (session_logging_enabled) + LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", session_logging_id); tp_app_id = APP_ID_HTTP; is_http2 = true; } // if the third-party appId must be treated as a client, do it now - if (appInfoEntryFlagGet(tp_app_id, APPINFO_FLAG_TP_CLIENT)) + if (app_info_mgr->get_app_info_flags(tp_app_id, APPINFO_FLAG_TP_CLIENT)) client_app_id = tp_app_id; ProcessThirdPartyResults(p, tp_confidence, tp_proto_list, tp_attribute_data); @@ -1265,10 +1028,10 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i else { tp_app_id = APP_ID_NONE; - if (app_id_debug_session_flag && !getAppIdFlag(APPID_SESSION_TPI_OOO_LOGGED)) + if (session_logging_enabled && !get_session_flags(APPID_SESSION_TPI_OOO_LOGGED)) { - setAppIdFlag(APPID_SESSION_TPI_OOO_LOGGED); - LogMessage("AppIdDbg %s 3rd party packet out-of-order\n", app_id_debug_session); + set_session_flags(APPID_SESSION_TPI_OOO_LOGGED); + LogMessage("AppIdDbg %s 3rd party packet out-of-order\n", session_logging_id); } } if (thirdparty_appid_module->session_state_get(tpsession) == TP_STATE_MONITORING) @@ -1284,11 +1047,11 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i tp_app_id = APP_ID_NONE; } if (tp_app_id > APP_ID_NONE - && (!getAppIdFlag(APPID_SESSION_APP_REINSPECT) || payload_app_id > APP_ID_NONE)) + && (!get_session_flags(APPID_SESSION_APP_REINSPECT) || payload_app_id > APP_ID_NONE)) { AppId snort_app_id; // if the packet is HTTP, then search for via pattern - if (getAppIdFlag(APPID_SESSION_HTTP_SESSION) && hsession) + if (get_session_flags(APPID_SESSION_HTTP_SESSION) && hsession) { snort_app_id = APP_ID_HTTP; //data should never be APP_ID_HTTP @@ -1298,12 +1061,12 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i tp_app_id = APP_ID_HTTP; processHTTPPacket(p, direction, nullptr); if (TPIsAppIdAvailable(tpsession) && tp_app_id == APP_ID_HTTP - && !getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + && !get_session_flags(APPID_SESSION_APP_REINSPECT)) { rna_client_state = RNA_STATE_FINISHED; - setAppIdFlag(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED); + set_session_flags(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED); rnaServiceState = RNA_STATE_FINISHED; - clearAppIdFlag(APPID_SESSION_CONTINUE); + clear_session_flags(APPID_SESSION_CONTINUE); if (direction == APP_ID_FROM_INITIATOR) { ip = p->ptrs.ip_api.get_dst(); @@ -1318,7 +1081,7 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i } } } - else if (getAppIdFlag(APPID_SESSION_SSL_SESSION) && tsession) + else if (get_session_flags(APPID_SESSION_SSL_SESSION) && tsession) { examine_ssl_metadata(p); uint16_t serverPort; @@ -1331,16 +1094,16 @@ bool AppIdSession::do_third_party_discovery(IpProtocol protocol, const sfip_t* i //SSL policy needs to determine IMAPS/POP3S etc before appId sees first // server packet portServiceAppId = porAppId; - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s SSL is service %d, portServiceAppId %d\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s SSL is service %d, portServiceAppId %d\n", session_logging_id, tp_app_id, portServiceAppId); } else { tp_payload_app_id = tp_app_id; tp_app_id = porAppId; - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s SSL is %d\n", app_id_debug_session, tp_app_id); + if (session_logging_enabled) + LogMessage("AppIdDbg %s SSL is %d\n", session_logging_id, tp_app_id); } snort_app_id = APP_ID_SSL; } @@ -1381,7 +1144,6 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI { AppInfoTableEntry* entry; bool isTpAppidDiscoveryDone = false; - AppIdConfig* pConfig = pAppidActiveConfig; if (rnaServiceState != RNA_STATE_FINISHED) { @@ -1398,19 +1160,19 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI if (protocol == IpProtocol::TCP && (p->ptrs.sp == 21 || p->ptrs.dp == 21) && !(p->ptrs.tcph->is_fin() || p->ptrs.tcph->is_rst())) { - setAppIdFlag(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_NOT_A_SERVICE + set_session_flags(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_SERVICE_DETECTED); if (!AddFTPServiceState(this)) { - setAppIdFlag(APPID_SESSION_CONTINUE); + set_session_flags(APPID_SESSION_CONTINUE); if (p->ptrs.dp != 21) - setAppIdFlag(APPID_SESSION_RESPONDER_SEEN); + set_session_flags(APPID_SESSION_RESPONDER_SEEN); } rnaServiceState = RNA_STATE_STATEFUL; } else { - setAppIdFlag(APPID_SESSION_MID | APPID_SESSION_SERVICE_DETECTED); + set_session_flags(APPID_SESSION_MID | APPID_SESSION_SERVICE_DETECTED); rnaServiceState = RNA_STATE_FINISHED; } } @@ -1420,11 +1182,11 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI { //tp has positively identified appId, Dig deeper only if sourcefire // detector identifies additional information or flow is UDP reveresed. - if ((entry = appInfoEntryGet(tp_app_id)) && entry->svrValidator + if ((entry = app_info_mgr->get_app_info_entry(tp_app_id)) && entry->svrValidator && ((entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL) || ((entry->flags & APPINFO_FLAG_SERVICE_UDP_REVERSED) && protocol == IpProtocol::UDP - && getAppIdFlag( + && get_session_flags( APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_RESPONDER_MONITORED)))) { @@ -1444,28 +1206,28 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI //stop rna inspection as soon as tp has classified a valid AppId later in the session if (rnaServiceState == RNA_STATE_STATEFUL&& prevRnaServiceState == RNA_STATE_STATEFUL && - !getAppIdFlag(APPID_SESSION_NO_TPI) && + !get_session_flags(APPID_SESSION_NO_TPI) && TPIsAppIdAvailable(tpsession) && tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX) { - entry = appInfoEntryGet(tp_app_id); + entry = app_info_mgr->get_app_info_entry(tp_app_id); if (entry && entry->svrValidator && !(entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL)) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s Stop service detection\n", app_id_debug_session); + if (session_logging_enabled) + LogMessage("AppIdDbg %s Stop service detection\n", session_logging_id); stop_rna_service_inspection(p, direction); } } if (rnaServiceState == RNA_STATE_STATEFUL) { - AppIdDiscoverService(p, direction, this, pConfig); + AppIdDiscoverService(p, direction, this); isTpAppidDiscoveryDone = true; //to stop executing validator after service has been detected by RNA. - if (getAppIdFlag(APPID_SESSION_SERVICE_DETECTED | + if (get_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE) == APPID_SESSION_SERVICE_DETECTED) rnaServiceState = RNA_STATE_FINISHED; - if (serviceAppId == APP_ID_DNS && pAppidActiveConfig->mod_config->dns_host_reporting + if (serviceAppId == APP_ID_DNS && config->mod_config->dns_host_reporting && dsession && dsession->host) { size_t size = dsession->host_len; @@ -1474,10 +1236,10 @@ bool AppIdSession::do_service_discovery(IpProtocol protocol, int direction, AppI } else if (serviceAppId == APP_ID_RTMP) examine_rtmp_metadata(); - else if (getAppIdFlag(APPID_SESSION_SSL_SESSION) && tsession) + else if (get_session_flags(APPID_SESSION_SSL_SESSION) && tsession) examine_ssl_metadata(p); - if (tp_app_id <= APP_ID_NONE && getAppIdFlag(APPID_SESSION_SERVICE_DETECTED | + if (tp_app_id <= APP_ID_NONE && get_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_IGNORE_HOST) == APPID_SESSION_SERVICE_DETECTED) { @@ -1498,7 +1260,7 @@ bool AppIdSession::do_client_discovery(int direction, Packet* p) Profile clientMatchPerfStats_profile_context(clientMatchPerfStats); uint32_t prevRnaClientState = rna_client_state; bool was_http2 = is_http2; - bool was_service = getAppIdFlag(APPID_SESSION_SERVICE_DETECTED) ? true : false; + bool was_service = get_session_flags(APPID_SESSION_SERVICE_DETECTED) ? true : false; //decision to directly call validator or go through elaborate service_state tracking //is made once at the beginning of sesssion. if (rna_client_state == RNA_STATE_NONE && p->dsize && direction == APP_ID_FROM_INITIATOR) @@ -1508,11 +1270,11 @@ bool AppIdSession::do_client_discovery(int direction, Packet* p) else if (TPIsAppIdAvailable(tpsession) && ( tp_app_id > APP_ID_NONE ) && ( tp_app_id < SF_APPID_MAX ) ) { - entry = appInfoEntryGet(tp_app_id); + entry = app_info_mgr->get_app_info_entry(tp_app_id); if ( entry && entry->clntValidator && ( ( entry->flags & APPINFO_FLAG_CLIENT_ADDITIONAL ) || ( ( entry->flags & APPINFO_FLAG_CLIENT_USER) - && getAppIdFlag(APPID_SESSION_DISCOVER_USER) ) ) ) + && get_session_flags(APPID_SESSION_DISCOVER_USER) ) ) ) { //tp has positively identified appId, Dig deeper only if sourcefire // detector identifies additional information @@ -1521,26 +1283,26 @@ bool AppIdSession::do_client_discovery(int direction, Packet* p) } else { - setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + set_session_flags(APPID_SESSION_CLIENT_DETECTED); rna_client_state = RNA_STATE_FINISHED; } } - else if (getAppIdFlag(APPID_SESSION_HTTP_SESSION)) + else if (get_session_flags(APPID_SESSION_HTTP_SESSION)) rna_client_state = RNA_STATE_FINISHED; else rna_client_state = RNA_STATE_STATEFUL; } //stop rna inspection as soon as tp has classified a valid AppId later in the session if ((rna_client_state == RNA_STATE_STATEFUL || rna_client_state == RNA_STATE_DIRECT) - && rna_client_state == prevRnaClientState && !getAppIdFlag(APPID_SESSION_NO_TPI) + && rna_client_state == prevRnaClientState && !get_session_flags(APPID_SESSION_NO_TPI) && TPIsAppIdAvailable(tpsession) && tp_app_id > APP_ID_NONE && tp_app_id < SF_APPID_MAX) { - entry = appInfoEntryGet(tp_app_id); + entry = app_info_mgr->get_app_info_entry(tp_app_id); if (!(entry && entry->clntValidator && entry->clntValidator == rna_client_data && (entry->flags & (APPINFO_FLAG_CLIENT_ADDITIONAL | APPINFO_FLAG_CLIENT_USER)))) { rna_client_state = RNA_STATE_FINISHED; - setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + set_session_flags(APPID_SESSION_CLIENT_DETECTED); } } if (rna_client_state == RNA_STATE_DIRECT) @@ -1549,13 +1311,13 @@ bool AppIdSession::do_client_discovery(int direction, Packet* p) if (direction == APP_ID_FROM_INITIATOR) { /* get out if we've already tried to validate a client app */ - if (!getAppIdFlag(APPID_SESSION_CLIENT_DETECTED)) + if (!get_session_flags(APPID_SESSION_CLIENT_DETECTED)) { ret = exec_client_detectors(p, direction); } } else if (rnaServiceState != RNA_STATE_STATEFUL - && getAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS)) + && get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS)) { ret = exec_client_detectors(p, direction); } @@ -1581,26 +1343,26 @@ bool AppIdSession::do_client_discovery(int direction, Packet* p) if (direction == APP_ID_FROM_INITIATOR) { /* get out if we've already tried to validate a client app */ - if (!getAppIdFlag(APPID_SESSION_CLIENT_DETECTED)) + if (!get_session_flags(APPID_SESSION_CLIENT_DETECTED)) ret = exec_client_detectors(p, direction); } else if (rnaServiceState != RNA_STATE_STATEFUL - && getAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS)) + && get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS)) ret = exec_client_detectors(p, direction); if (ret < 0) - setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + set_session_flags(APPID_SESSION_CLIENT_DETECTED); } else - setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + set_session_flags(APPID_SESSION_CLIENT_DETECTED); } } - if (app_id_debug_session_flag) + if (session_logging_enabled) if (!was_http2 && is_http2) - LogMessage("AppIdDbg %s Got a preface for HTTP/2\n", app_id_debug_session); + LogMessage("AppIdDbg %s Got a preface for HTTP/2\n", session_logging_id); - if (!was_service && getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!was_service && get_session_flags(APPID_SESSION_SERVICE_DETECTED)) sync_with_snort_id(serviceAppId, p); } @@ -1618,21 +1380,20 @@ void AppIdSession::do_application_discovery(Packet* p) int direction; const sfip_t* ip; uint16_t port; - AppIdConfig* pConfig = pAppidActiveConfig; if( is_packet_ignored(p) ) return; - AppIdSession* session = (AppIdSession*) p->flow->get_flow_data(AppIdSession::flow_id); - if (session) + AppIdSession* asd = (AppIdSession*) p->flow->get_flow_data(AppIdSession::flow_id); + if (asd) { - if (session->common.fsf_type.flow_type == APPID_SESSION_TYPE_IGNORE) + if (asd->common.flow_type == APPID_FLOW_TYPE_IGNORE) return; - if (session->common.fsf_type.flow_type == APPID_SESSION_TYPE_NORMAL) + if (asd->common.flow_type == APPID_FLOW_TYPE_NORMAL) { - protocol = session->protocol; - session->flow = p->flow; + protocol = asd->protocol; + asd->flow = p->flow; } else if (p->is_tcp()) protocol = IpProtocol::TCP; @@ -1640,14 +1401,14 @@ void AppIdSession::do_application_discovery(Packet* p) protocol = IpProtocol::UDP; ip = p->ptrs.ip_api.get_src(); - if (session->common.initiator_port) - direction = (session->common.initiator_port == p->ptrs.sp) ? APP_ID_FROM_INITIATOR : - APP_ID_FROM_RESPONDER; + if (asd->common.initiator_port) + direction = (asd->common.initiator_port == p->ptrs.sp) ? + APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; else - direction = (sfip_fast_equals_raw(ip, &session->common.initiator_ip)) ? + direction = (sfip_fast_equals_raw(ip, &asd->common.initiator_ip)) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; - session->in_expected_cache = false; + asd->in_expected_cache = false; } else { @@ -1660,112 +1421,96 @@ void AppIdSession::do_application_discovery(Packet* p) else return; - // FIXIT - L Refactor to use direction symbols defined by snort proper + // FIXIT-L Refactor to use direction symbols defined by snort proper direction = p->is_from_client() ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; } - app_id_debug_session_flag = fwAppIdDebugCheck(p->flow, session, app_id_debug_flag, - &app_id_debug_info, app_id_debug_session, direction); - - flow_flags = AppIdSession::is_session_monitored(p, direction, session); + flow_flags = AppIdSession::is_session_monitored(p, direction, asd); if (!(flow_flags & (APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))) { - if (!session) + if (!asd) { - if ((flow_flags & APPID_SESSION_BIDIRECTIONAL_CHECKED) == - APPID_SESSION_BIDIRECTIONAL_CHECKED) - { - // FIXIT-M: This _dpd call needs to be convert to correct snort++ call - // static THREAD_LOCAL APPID_SESSION_STRUCT_FLAG ignore_fsf - // { APPID_SESSION_TYPE_IGNORE }; - - // p->flow->set_flow_data(PP_APP_ID, &ignore_fsf, nullptr); + ip = (direction == APP_ID_FROM_INITIATOR) ? + p->ptrs.ip_api.get_src() : p->ptrs.ip_api.get_dst(); + AppIdSession* tmp_session = new AppIdSession(protocol, ip); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s not monitored\n", app_id_debug_session); - } + if ((flow_flags & APPID_SESSION_BIDIRECTIONAL_CHECKED) == + APPID_SESSION_BIDIRECTIONAL_CHECKED) + tmp_session->common.flow_type = APPID_FLOW_TYPE_IGNORE; else + tmp_session->common.flow_type = APPID_FLOW_TYPE_TMP; + tmp_session->common.flags = flow_flags; + tmp_session->common.initiator_ip = *ip; + if ((protocol == IpProtocol::TCP || protocol == IpProtocol::UDP) + && p->ptrs.sp != p->ptrs.dp) { - ip = (direction == APP_ID_FROM_INITIATOR) ? - p->ptrs.ip_api.get_src() : p->ptrs.ip_api.get_dst(); - AppIdSession* tmp_session = new AppIdSession(protocol, ip); - - tmp_session->common.fsf_type.flow_type = APPID_SESSION_TYPE_TMP; - tmp_session->common.flags = flow_flags; - tmp_session->common.initiator_ip = *ip; - if ( ( protocol == IpProtocol::TCP || protocol == IpProtocol::UDP ) && - p->ptrs.sp != p->ptrs.dp ) - { - tmp_session->common.initiator_port = - (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp; - } - else - tmp_session->common.initiator_port = 0; - tmp_session->common.policyId = appIdPolicyId; - p->flow->set_flow_data(tmp_session); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s unknown monitoring\n", app_id_debug_session); + tmp_session->common.initiator_port = + (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp; } + else + tmp_session->common.initiator_port = 0; + tmp_session->common.policyId = appIdPolicyId; + p->flow->set_flow_data(tmp_session); } else { - session->common.flags = flow_flags; + asd->common.flags = flow_flags; if ((flow_flags & APPID_SESSION_BIDIRECTIONAL_CHECKED) == - APPID_SESSION_BIDIRECTIONAL_CHECKED) - session->common.fsf_type.flow_type = APPID_SESSION_TYPE_IGNORE; - session->common.policyId = appIdPolicyId; - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s not monitored\n", app_id_debug_session); + APPID_SESSION_BIDIRECTIONAL_CHECKED) + asd->common.flow_type = APPID_FLOW_TYPE_IGNORE; + asd->common.policyId = appIdPolicyId; } + return; } - if (!session || session->common.fsf_type.flow_type == APPID_SESSION_TYPE_TMP) + if (!asd || asd->common.flow_type == APPID_FLOW_TYPE_TMP) { /* This call will free the existing temporary session, if there is one */ - session = AppIdSession::allocate_session(p, protocol, direction); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s new session\n", app_id_debug_session); + asd = AppIdSession::allocate_session(p, protocol, direction); + if (asd->session_logging_enabled) + LogMessage("AppIdDbg %s new session\n", asd->session_logging_id); } appid_stats.processed_packets++; - session->session_packet_count++; + asd->session_packet_count++; if (direction == APP_ID_FROM_INITIATOR) - session->stats.initiatorBytes += p->pkth->pktlen; + asd->stats.initiatorBytes += p->pkth->pktlen; else - session->stats.responderBytes += p->pkth->pktlen; + asd->stats.responderBytes += p->pkth->pktlen; - session->common.flags = flow_flags; - session->common.policyId = appIdPolicyId; - session->common.policyId = appIdPolicyId; + asd->common.flags = flow_flags; + asd->common.policyId = appIdPolicyId; + asd->common.policyId = appIdPolicyId; - if (session->getAppIdFlag(APPID_SESSION_IGNORE_FLOW)) + if (asd->get_session_flags(APPID_SESSION_IGNORE_FLOW)) { - if (app_id_debug_session_flag && !session->getAppIdFlag(APPID_SESSION_IGNORE_FLOW_LOGGED)) + if (asd->session_logging_enabled && !asd->get_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED)) { - session->setAppIdFlag(APPID_SESSION_IGNORE_FLOW_LOGGED); + asd->set_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED); LogMessage("AppIdDbg %s Ignoring connection with service %d\n", - app_id_debug_session, session->serviceAppId); + asd->session_logging_id, asd->serviceAppId); } + return; } if (p->packet_flags & PKT_STREAM_ORDER_BAD) - session->setAppIdFlag(APPID_SESSION_OOO); + asd->set_session_flags(APPID_SESSION_OOO); else if ( p->is_tcp() && p->ptrs.tcph ) { const auto* tcph = p->ptrs.tcph; - if ( tcph->is_rst() && session->previous_tcp_flags == TH_SYN ) + if ( tcph->is_rst() && asd->previous_tcp_flags == TH_SYN ) { AppIdServiceIDState* id_state; - session->setAppIdFlag(APPID_SESSION_SYN_RST); - if (sfip_is_set(&session->service_ip)) + asd->set_session_flags(APPID_SESSION_SYN_RST); + if (sfip_is_set(&asd->service_ip)) { - ip = &session->service_ip; - port = session->service_port; + ip = &asd->service_ip; + port = asd->service_port; } else { @@ -1773,9 +1518,8 @@ void AppIdSession::do_application_discovery(Packet* p) port = p->ptrs.sp; } - id_state = AppIdGetServiceIDState(ip, IpProtocol::TCP, port, - AppIdServiceDetectionLevel( - session)); + id_state = get_service_id_state(ip, IpProtocol::TCP, port, + AppIdServiceDetectionLevel(asd)); if (id_state) { @@ -1783,23 +1527,22 @@ void AppIdSession::do_application_discovery(Packet* p) id_state->reset_time = packet_time(); else if ((packet_time() - id_state->reset_time) >= 60) { - // FIXIT-H ip's on the packet are const - // AppIdRemoveServiceIDState(ip, IpProtocol::TCP, port, - // AppIdServiceDetectionLevel(session)); - session->setAppIdFlag(APPID_SESSION_SERVICE_DELETED); + remove_service_id_state(ip, IpProtocol::TCP, port, + AppIdServiceDetectionLevel(asd)); + asd->set_session_flags(APPID_SESSION_SERVICE_DELETED); } } } - session->previous_tcp_flags = p->ptrs.tcph->th_flags; + asd->previous_tcp_flags = p->ptrs.tcph->th_flags; } /*HostPort based AppId. */ - if (!(session->scan_flags & SCAN_HOST_PORT_FLAG)) + if (!(asd->scan_flags & SCAN_HOST_PORT_FLAG)) { HostPortVal* hv; - session->scan_flags |= SCAN_HOST_PORT_FLAG; + asd->scan_flags |= SCAN_HOST_PORT_FLAG; if (direction == APP_ID_FROM_INITIATOR) { ip = p->ptrs.ip_api.get_dst(); @@ -1816,60 +1559,60 @@ void AppIdSession::do_application_discovery(Packet* p) switch (hv->type) { case 1: - session->client_app_id = hv->appId; - session->rna_client_state = RNA_STATE_FINISHED; + asd->client_app_id = hv->appId; + asd->rna_client_state = RNA_STATE_FINISHED; break; case 2: - session->payload_app_id = hv->appId; + asd->payload_app_id = hv->appId; break; default: - session->serviceAppId = hv->appId; - session->sync_with_snort_id(hv->appId, p); - session->rnaServiceState = RNA_STATE_FINISHED; - session->rna_client_state = RNA_STATE_FINISHED; - session->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); + asd->serviceAppId = hv->appId; + asd->sync_with_snort_id(hv->appId, p); + asd->rnaServiceState = RNA_STATE_FINISHED; + asd->rna_client_state = RNA_STATE_FINISHED; + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED); if (thirdparty_appid_module) - thirdparty_appid_module->session_delete(session->tpsession, 1); - session->tpsession = nullptr; + thirdparty_appid_module->session_delete(asd->tpsession, 1); + asd->tpsession = nullptr; } } } - session->check_app_detection_restart(); + asd->check_app_detection_restart(); //restart inspection by 3rd party - if (!session->getAppIdFlag(APPID_SESSION_NO_TPI)) + if (!asd->get_session_flags(APPID_SESSION_NO_TPI)) { - if (TPIsAppIdDone(session->tpsession) && session->getAppIdFlag( + if (TPIsAppIdDone(asd->tpsession) && asd->get_session_flags( APPID_SESSION_HTTP_SESSION) && p->dsize) { - if (session->tp_reinspect_by_initiator) + if (asd->tp_reinspect_by_initiator) { - session->clearAppIdFlag(APPID_SESSION_APP_REINSPECT); + asd->clear_session_flags(APPID_SESSION_APP_REINSPECT); if (direction == APP_ID_FROM_RESPONDER) - session->tp_reinspect_by_initiator = 0; //toggle at OK response + asd->tp_reinspect_by_initiator = 0; //toggle at OK response } else if (direction == APP_ID_FROM_INITIATOR) { - session->tp_reinspect_by_initiator = 1; //once per request - session->setAppIdFlag(APPID_SESSION_APP_REINSPECT); - if (app_id_debug_session_flag) + asd->tp_reinspect_by_initiator = 1; //once per request + asd->set_session_flags(APPID_SESSION_APP_REINSPECT); + if (asd->session_logging_enabled) LogMessage("AppIdDbg %s 3rd party allow reinspect http\n", - app_id_debug_session); - session->clear_http_field(); + asd->session_logging_id); + asd->clear_http_field(); } } } - if (session->tp_app_id == APP_ID_SSH && session->payload_app_id != APP_ID_SFTP && - session->session_packet_count >= MIN_SFTP_PACKET_COUNT && session->session_packet_count < - MAX_SFTP_PACKET_COUNT) + if (asd->tp_app_id == APP_ID_SSH && asd->payload_app_id != APP_ID_SFTP && + asd->session_packet_count >= MIN_SFTP_PACKET_COUNT && + asd->session_packet_count < MAX_SFTP_PACKET_COUNT) { if ( p->ptrs.ip_api.tos() == 8 ) { - session->payload_app_id = APP_ID_SFTP; - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s data is SFTP\n", app_id_debug_session); + asd->payload_app_id = APP_ID_SFTP; + if (asd->session_logging_enabled) + LogMessage("AppIdDbg %s data is SFTP\n", asd->session_logging_id); } } @@ -1877,17 +1620,17 @@ void AppIdSession::do_application_discovery(Packet* p) #ifdef REMOVED_WHILE_NOT_IN_USE // do third party detector processing - isTpAppidDiscoveryDone = session->do_third_party_discovery(protocol, ip, p, direction); + isTpAppidDiscoveryDone = asd->do_third_party_discovery(protocol, ip, p, direction); #endif - if (direction == APP_ID_FROM_RESPONDER && !session->getAppIdFlag( + if (direction == APP_ID_FROM_RESPONDER && !asd->get_session_flags( APPID_SESSION_PORT_SERVICE_DONE|APPID_SESSION_SYN_RST)) { - session->setAppIdFlag(APPID_SESSION_PORT_SERVICE_DONE); - session->portServiceAppId = getPortServiceId(protocol, p->ptrs.sp, pConfig); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s port service %d\n", app_id_debug_session, - session->portServiceAppId); + asd->set_session_flags(APPID_SESSION_PORT_SERVICE_DONE); + asd->portServiceAppId = getPortServiceId(protocol, p->ptrs.sp, asd->config); + if (asd->session_logging_enabled) + LogMessage("AppIdDbg %s port service %d\n", asd->session_logging_id, + asd->portServiceAppId); } /* Length-based detectors. */ @@ -1895,92 +1638,92 @@ void AppIdSession::do_application_discovery(Packet* p) * - Port service didn't find anything (and we haven't yet either). * - We haven't hit the max packets allowed for detector sequence matches. * - Packet has data (we'll ignore 0-sized packets in sequencing). */ - if ( (session->portServiceAppId <= APP_ID_NONE) - && (session->length_sequence.sequence_cnt < LENGTH_SEQUENCE_CNT_MAX) + if ( (asd->portServiceAppId <= APP_ID_NONE) + && (asd->length_sequence.sequence_cnt < LENGTH_SEQUENCE_CNT_MAX) && (p->dsize > 0)) { - uint8_t index = session->length_sequence.sequence_cnt; - session->length_sequence.proto = protocol; - session->length_sequence.sequence_cnt++; - session->length_sequence.sequence[index].direction = direction; - session->length_sequence.sequence[index].length = p->dsize; - session->portServiceAppId = find_length_app_cache(&session->length_sequence); - if (session->portServiceAppId > APP_ID_NONE) - session->setAppIdFlag(APPID_SESSION_PORT_SERVICE_DONE); + uint8_t index = asd->length_sequence.sequence_cnt; + asd->length_sequence.proto = protocol; + asd->length_sequence.sequence_cnt++; + asd->length_sequence.sequence[index].direction = direction; + asd->length_sequence.sequence[index].length = p->dsize; + asd->portServiceAppId = find_length_app_cache(&asd->length_sequence); + if (asd->portServiceAppId > APP_ID_NONE) + asd->set_session_flags(APPID_SESSION_PORT_SERVICE_DONE); } /* exceptions for rexec and any other service detector that needs to see SYN and SYN/ACK */ - if (session->getAppIdFlag(APPID_SESSION_REXEC_STDERR)) + if (asd->get_session_flags(APPID_SESSION_REXEC_STDERR)) { - AppIdDiscoverService(p, direction, session, pConfig); - if (session->serviceAppId == APP_ID_DNS && - pAppidActiveConfig->mod_config->dns_host_reporting && - session->dsession && session->dsession->host ) + AppIdDiscoverService(p, direction, asd); + if (asd->serviceAppId == APP_ID_DNS && + asd->config->mod_config->dns_host_reporting && + asd->dsession && asd->dsession->host ) { - size_t size = session->dsession->host_len; - dns_host_scan_hostname((const uint8_t*)session->dsession->host, size, + size_t size = asd->dsession->host_len; + dns_host_scan_hostname((const uint8_t*)asd->dsession->host, size, &ClientAppId, &payloadAppId); - session->set_client_app_id_data(ClientAppId, nullptr); + asd->set_client_app_id_data(ClientAppId, nullptr); } - else if (session->serviceAppId == APP_ID_RTMP) - session->examine_rtmp_metadata(); - else if (session->getAppIdFlag(APPID_SESSION_SSL_SESSION) && session->tsession) - session->examine_ssl_metadata(p); + else if (asd->serviceAppId == APP_ID_RTMP) + asd->examine_rtmp_metadata(); + else if (asd->get_session_flags(APPID_SESSION_SSL_SESSION) && asd->tsession) + asd->examine_ssl_metadata(p); } else if (protocol != IpProtocol::TCP || !p->dsize || (p->packet_flags & PKT_STREAM_ORDER_OK)) { // FIXIT-M commented out assignment causes analysis warning /*isTpAppidDiscoveryDone = */ - session->do_service_discovery(protocol, direction, ClientAppId, payloadAppId, p); - isTpAppidDiscoveryDone = session->do_client_discovery(direction, p); - session->setAppIdFlag(APPID_SESSION_ADDITIONAL_PACKET); + asd->do_service_discovery(protocol, direction, ClientAppId, payloadAppId, p); + isTpAppidDiscoveryDone = asd->do_client_discovery(direction, p); + asd->set_session_flags(APPID_SESSION_ADDITIONAL_PACKET); } else { - if (app_id_debug_session_flag && p->dsize && - !session->getAppIdFlag(APPID_SESSION_OOO_LOGGED)) + if (asd->session_logging_enabled && p->dsize && + !asd->get_session_flags(APPID_SESSION_OOO_LOGGED)) { - session->setAppIdFlag(APPID_SESSION_OOO_LOGGED); - LogMessage("AppIdDbg %s packet out-of-order\n", app_id_debug_session); + asd->set_session_flags(APPID_SESSION_OOO_LOGGED); + LogMessage("AppIdDbg %s packet out-of-order\n", asd->session_logging_id); } } - serviceAppId = session->pick_service_app_id(); - payloadAppId = session->pick_payload_app_id(); + serviceAppId = asd->pick_service_app_id(); + payloadAppId = asd->pick_payload_app_id(); if (serviceAppId > APP_ID_NONE) { - if (session->getAppIdFlag(APPID_SESSION_DECRYPTED)) + if (asd->get_session_flags(APPID_SESSION_DECRYPTED)) { - if (session->misc_app_id == APP_ID_NONE) - session->update_encrypted_app_id(serviceAppId); + if (asd->misc_app_id == APP_ID_NONE) + asd->update_encrypted_app_id(serviceAppId); } -// FIXIT-M: Need to determine what api to use for this _dpd function +// FIXIT-M Need to determine what api to use for this _dpd function #if 1 UNUSED(isTpAppidDiscoveryDone); #else else if (isTpAppidDiscoveryDone && isSslServiceAppId(serviceAppId) && _dpd.isSSLPolicyEnabled(nullptr)) - session->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); #endif } - p->flow->set_application_ids(serviceAppId, session->pick_client_app_id(), payloadAppId, session->pick_misc_app_id()); + p->flow->set_application_ids(serviceAppId, asd->pick_client_app_id(), payloadAppId, asd->pick_misc_app_id()); /* Set the field that the Firewall queries to see if we have a search engine. */ - if (session->search_support_type == SEARCH_SUPPORT_TYPE_UNKNOWN && payloadAppId > APP_ID_NONE) + if (asd->search_support_type == UNKNOWN_SEARCH_ENGINE && payloadAppId > APP_ID_NONE) { - uint flags = appInfoEntryFlagGet(payloadAppId, APPINFO_FLAG_SEARCH_ENGINE | + uint flags = AppInfoManager::get_instance().get_app_info_flags(payloadAppId, APPINFO_FLAG_SEARCH_ENGINE | APPINFO_FLAG_SUPPORTED_SEARCH); - session->search_support_type = + asd->search_support_type = (flags & APPINFO_FLAG_SEARCH_ENGINE) ? ((flags & APPINFO_FLAG_SUPPORTED_SEARCH) ? SUPPORTED_SEARCH_ENGINE : UNSUPPORTED_SEARCH_ENGINE ) : NOT_A_SEARCH_ENGINE; - if (app_id_debug_session_flag) + if (asd->session_logging_enabled) { const char* typeString; - switch ( session->search_support_type ) + switch ( asd->search_support_type ) { case NOT_A_SEARCH_ENGINE: typeString = "NOT_A_SEARCH_ENGINE"; break; case SUPPORTED_SEARCH_ENGINE: typeString = "SUPPORTED_SEARCH_ENGINE"; break; @@ -1989,22 +1732,22 @@ void AppIdSession::do_application_discovery(Packet* p) } LogMessage("AppIdDbg %s appId: %u (safe)search_support_type=%s\n", - app_id_debug_session, payloadAppId, typeString); + asd->session_logging_id, payloadAppId, typeString); } } if ( serviceAppId != APP_ID_NONE ) { - if ( payloadAppId != APP_ID_NONE && payloadAppId != session->pastIndicator) + if ( payloadAppId != APP_ID_NONE && payloadAppId != asd->pastIndicator) { - session->pastIndicator = payloadAppId; - checkSessionForAFIndicator(p, direction, (ApplicationId)payloadAppId); + asd->pastIndicator = payloadAppId; + check_session_for_AF_indicator(p, direction, (ApplicationId)payloadAppId); } - if (session->payload_app_id == APP_ID_NONE && session->pastForecast != serviceAppId && - session->pastForecast != APP_ID_UNKNOWN) + if (asd->payload_app_id == APP_ID_NONE && asd->pastForecast != serviceAppId && + asd->pastForecast != APP_ID_UNKNOWN) { - session->pastForecast = checkSessionForAFForecast(session, p, direction, + asd->pastForecast = check_session_for_AF_forecast(asd, p, direction, (ApplicationId)serviceAppId); } } @@ -2021,7 +1764,7 @@ static inline int PENetworkMatch(const sfip_t* pktAddr, const PortExclusion* pe) && ((pkt[3] & nm[3]) == peIP[3])); } -static inline int checkPortExclusion(const Packet* pkt, int reversed) +static inline int check_port_exclusion(const Packet* pkt, bool reversed) { SF_LIST** src_port_exclusions; SF_LIST** dst_port_exclusions; @@ -2029,17 +1772,17 @@ static inline int checkPortExclusion(const Packet* pkt, int reversed) PortExclusion* pe; const sfip_t* s_ip; uint16_t port; - AppIdConfig* pConfig = pAppidActiveConfig; + AppIdConfig* config = AppIdConfig::get_appid_config(); if ( pkt->is_tcp() ) { - src_port_exclusions = pConfig->tcp_port_exclusions_src; - dst_port_exclusions = pConfig->tcp_port_exclusions_dst; + src_port_exclusions = config->tcp_port_exclusions_src; + dst_port_exclusions = config->tcp_port_exclusions_dst; } else if ( pkt->is_udp() ) { - src_port_exclusions = pConfig->udp_port_exclusions_src; - dst_port_exclusions = pConfig->udp_port_exclusions_dst; + src_port_exclusions = config->udp_port_exclusions_src; + dst_port_exclusions = config->udp_port_exclusions_dst; } else return 0; @@ -2082,14 +1825,14 @@ static inline int checkPortExclusion(const Packet* pkt, int reversed) return 0; } -static inline unsigned isIPMonitored(const Packet* p, int dst) +static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst) { const sfip_t* sf_ip; NetworkSet* net_list; unsigned flags; int32_t zone; NSIPv6Addr ip6; - AppIdConfig* pConfig = pAppidActiveConfig; + AppIdConfig* config = AppIdConfig::get_appid_config(); if (!dst) { @@ -2098,18 +1841,17 @@ static inline unsigned isIPMonitored(const Packet* p, int dst) } else { - zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ? p->pkth->ingress_group - : - p->pkth->egress_group; + zone = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ? + p->pkth->ingress_group : p->pkth->egress_group; if (zone == DAQ_PKTHDR_FLOOD) return 0; sf_ip = p->ptrs.ip_api.get_dst(); } - if (zone >= 0 && zone < MAX_ZONES && pConfig->net_list_by_zone[zone]) - net_list = pConfig->net_list_by_zone[zone]; + if (zone >= 0 && zone < MAX_ZONES && config->net_list_by_zone[zone]) + net_list = config->net_list_by_zone[zone]; else - net_list = pConfig->net_list; + net_list = config->net_list; if ( sf_ip->is_ip4() ) { @@ -2127,7 +1869,7 @@ static inline unsigned isIPMonitored(const Packet* p, int dst) return flags | IPFUNCS_CHECKED; } -static inline bool isSpecialSessionMonitored(const Packet* p) +static inline bool is_special_session_monitored(const Packet* p) { if ( p->is_ip4() ) { @@ -2142,32 +1884,26 @@ static inline bool isSpecialSessionMonitored(const Packet* p) bool AppIdSession::is_ssl_decryption_enabled() { - if (getAppIdFlag(APPID_SESSION_DECRYPTED)) - return 1; -// FIXIT-M J bad bad bad -// #ifdef UNIT_TEST -// if (session_packet_count >= 12) -// return 1; -// return 0; -// #else + if (get_session_flags(APPID_SESSION_DECRYPTED)) + return true; + return flow->is_proxied(); -// #endif } -uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSession* session) +uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSession* asd) { uint64_t flags; uint64_t flow_flags = APPID_SESSION_DISCOVER_APP; flow_flags |= (dir == APP_ID_FROM_INITIATOR) ? APPID_SESSION_INITIATOR_SEEN : APPID_SESSION_RESPONDER_SEEN; - if (session) + if (asd) { - flow_flags |= session->common.flags; - if (session->common.policyId != appIdPolicyId) + flow_flags |= asd->common.flags; + if (asd->common.policyId != appIdPolicyId) { - if (checkPortExclusion(p, dir == APP_ID_FROM_RESPONDER)) + if (check_port_exclusion(p, dir == APP_ID_FROM_RESPONDER)) { flow_flags |= APPID_SESSION_INITIATOR_SEEN | APPID_SESSION_RESPONDER_SEEN | APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED; @@ -2177,18 +1913,18 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi } if (dir == APP_ID_FROM_INITIATOR) { - if (session->getAppIdFlag(APPID_SESSION_INITIATOR_CHECKED)) + if (asd->get_session_flags(APPID_SESSION_INITIATOR_CHECKED)) { - flags = isIPMonitored(p, 0); + flags = get_ipfuncs_flags(p, false); if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_INITIATOR_MONITORED; else flow_flags &= ~APPID_SESSION_INITIATOR_MONITORED; } - if (session->getAppIdFlag(APPID_SESSION_RESPONDER_CHECKED)) + if (asd->get_session_flags(APPID_SESSION_RESPONDER_CHECKED)) { - flags = isIPMonitored(p, 1); + flags = get_ipfuncs_flags(p, true); if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_RESPONDER_MONITORED; else @@ -2197,18 +1933,18 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi } else { - if (session->getAppIdFlag(APPID_SESSION_RESPONDER_CHECKED)) + if (asd->get_session_flags(APPID_SESSION_RESPONDER_CHECKED)) { - flags = isIPMonitored(p, 0); + flags = get_ipfuncs_flags(p, false); if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_RESPONDER_MONITORED; else flow_flags &= ~APPID_SESSION_RESPONDER_MONITORED; } - if (session->getAppIdFlag(APPID_SESSION_INITIATOR_CHECKED)) + if (asd->get_session_flags(APPID_SESSION_INITIATOR_CHECKED)) { - flags = isIPMonitored(p, 1); + flags = get_ipfuncs_flags(p, true); if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_INITIATOR_MONITORED; else @@ -2217,15 +1953,15 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi } } - if (session->getAppIdFlag(APPID_SESSION_BIDIRECTIONAL_CHECKED) == + if (asd->get_session_flags(APPID_SESSION_BIDIRECTIONAL_CHECKED) == APPID_SESSION_BIDIRECTIONAL_CHECKED) return flow_flags; if (dir == APP_ID_FROM_INITIATOR) { - if (!session->getAppIdFlag(APPID_SESSION_INITIATOR_CHECKED)) + if (!asd->get_session_flags(APPID_SESSION_INITIATOR_CHECKED)) { - flags = isIPMonitored(p, 0); + flags = get_ipfuncs_flags(p, false); flow_flags |= APPID_SESSION_INITIATOR_CHECKED; if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_INITIATOR_MONITORED; @@ -2234,22 +1970,22 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi if (flags & IPFUNCS_APPLICATION) flow_flags |= APPID_SESSION_DISCOVER_APP; - if (isSpecialSessionMonitored(p)) + if (is_special_session_monitored(p)) { flow_flags |= APPID_SESSION_SPECIAL_MONITORED; } } if (!(flow_flags & APPID_SESSION_DISCOVER_APP) - && !session->getAppIdFlag(APPID_SESSION_RESPONDER_CHECKED)) + && !asd->get_session_flags(APPID_SESSION_RESPONDER_CHECKED)) { - flags = isIPMonitored(p, 1); + flags = get_ipfuncs_flags(p, true); if (flags & IPFUNCS_CHECKED) flow_flags |= APPID_SESSION_RESPONDER_CHECKED; if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_RESPONDER_MONITORED; if (flags & IPFUNCS_APPLICATION) flow_flags |= APPID_SESSION_DISCOVER_APP; - if (isSpecialSessionMonitored(p)) + if (is_special_session_monitored(p)) { flow_flags |= APPID_SESSION_SPECIAL_MONITORED; } @@ -2257,23 +1993,23 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi } else { - if (!session->getAppIdFlag(APPID_SESSION_RESPONDER_CHECKED)) + if (!asd->get_session_flags(APPID_SESSION_RESPONDER_CHECKED)) { - flags = isIPMonitored(p, 0); + flags = get_ipfuncs_flags(p, false); flow_flags |= APPID_SESSION_RESPONDER_CHECKED; if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_RESPONDER_MONITORED; if (flags & IPFUNCS_APPLICATION) flow_flags |= APPID_SESSION_DISCOVER_APP; - if (isSpecialSessionMonitored(p)) + if (is_special_session_monitored(p)) { flow_flags |= APPID_SESSION_SPECIAL_MONITORED; } } if (!(flow_flags & APPID_SESSION_DISCOVER_APP) - && !session->getAppIdFlag(APPID_SESSION_INITIATOR_CHECKED)) + && !asd->get_session_flags(APPID_SESSION_INITIATOR_CHECKED)) { - flags = isIPMonitored(p, 1); + flags = get_ipfuncs_flags(p, true); if (flags & IPFUNCS_CHECKED) flow_flags |= APPID_SESSION_INITIATOR_CHECKED; if (flags & IPFUNCS_HOSTS_IP) @@ -2282,21 +2018,21 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi flow_flags |= APPID_SESSION_DISCOVER_USER; if (flags & IPFUNCS_APPLICATION) flow_flags |= APPID_SESSION_DISCOVER_APP; - if (isSpecialSessionMonitored(p)) + if (is_special_session_monitored(p)) { flow_flags |= APPID_SESSION_SPECIAL_MONITORED; } } } } - else if (checkPortExclusion(p, 0)) + else if (check_port_exclusion(p, false)) { flow_flags |= APPID_SESSION_INITIATOR_SEEN | APPID_SESSION_RESPONDER_SEEN | APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_RESPONDER_CHECKED; } else if (dir == APP_ID_FROM_INITIATOR) { - flags = isIPMonitored(p, 0); + flags = get_ipfuncs_flags(p, false); flow_flags |= APPID_SESSION_INITIATOR_CHECKED; if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_INITIATOR_MONITORED; @@ -2306,7 +2042,7 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi flow_flags |= APPID_SESSION_DISCOVER_APP; if (!(flow_flags & APPID_SESSION_DISCOVER_APP)) { - flags = isIPMonitored(p, 1); + flags = get_ipfuncs_flags(p, true); if (flags & IPFUNCS_CHECKED) flow_flags |= APPID_SESSION_RESPONDER_CHECKED; if (flags & IPFUNCS_HOSTS_IP) @@ -2314,14 +2050,14 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi if (flags & IPFUNCS_APPLICATION) flow_flags |= APPID_SESSION_DISCOVER_APP; } - if (isSpecialSessionMonitored(p)) + if (is_special_session_monitored(p)) { flow_flags |= APPID_SESSION_SPECIAL_MONITORED; } } else { - flags = isIPMonitored(p, 0); + flags = get_ipfuncs_flags(p, false); flow_flags |= APPID_SESSION_RESPONDER_CHECKED; if (flags & IPFUNCS_HOSTS_IP) flow_flags |= APPID_SESSION_RESPONDER_MONITORED; @@ -2329,7 +2065,7 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi flow_flags |= APPID_SESSION_DISCOVER_APP; if (!(flow_flags & APPID_SESSION_DISCOVER_APP)) { - flags = isIPMonitored(p, 1); + flags = get_ipfuncs_flags(p, true); if (flags & IPFUNCS_CHECKED) flow_flags |= APPID_SESSION_INITIATOR_CHECKED; if (flags & IPFUNCS_HOSTS_IP) @@ -2340,7 +2076,7 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi flow_flags |= APPID_SESSION_DISCOVER_APP; } - if (isSpecialSessionMonitored(p)) + if (is_special_session_monitored(p)) { flow_flags |= APPID_SESSION_SPECIAL_MONITORED; } @@ -2351,7 +2087,7 @@ uint64_t AppIdSession::is_session_monitored(const Packet* p, int dir, AppIdSessi void AppIdSession::check_app_detection_restart() { - if (getAppIdFlag(APPID_SESSION_DECRYPTED)) + if (get_session_flags(APPID_SESSION_DECRYPTED)) return; if (!is_ssl_decryption_enabled()) @@ -2360,29 +2096,29 @@ void AppIdSession::check_app_detection_restart() AppId serviceAppId = pick_service_app_id(); bool isSsl = isSslServiceAppId(serviceAppId); - // A session could either: + // A asd could either: // 1. Start of as SSL - captured with isSsl flag, OR - // 2. It could start of as a non-SSL session and later change to SSL. For example, FTP->FTPS. + // 2. It could start of as a non-SSL asd and later change to SSL. For example, FTP->FTPS. // In this case APPID_SESSION_ENCRYPTED flag is set by the protocol state machine. - if (getAppIdFlag(APPID_SESSION_ENCRYPTED) || isSsl) + if (get_session_flags(APPID_SESSION_ENCRYPTED) || isSsl) { - setAppIdFlag(APPID_SESSION_DECRYPTED); + set_session_flags(APPID_SESSION_DECRYPTED); encrypted.serviceAppId = serviceAppId; encrypted.payloadAppId = pick_payload_app_id(); encrypted.ClientAppId = pick_client_app_id(); encrypted.miscAppId = pick_misc_app_id(); encrypted.referredAppId = pick_referred_payload_app_id(); reinit_shared_data(); - if (app_id_debug_session_flag) + if (session_logging_enabled) LogMessage("AppIdDbg %s SSL decryption is available, restarting app Detection\n", - app_id_debug_session); + session_logging_id); - // APPID_SESSION_ENCRYPTED is set upon receiving a command which upgrades the session to + // APPID_SESSION_ENCRYPTED is set upon receiving a command which upgrades the asd to // SSL. Next packet after the command will have encrypted traffic. In the case of a - // session which starts as SSL, current packet itself is encrypted. Set the special flag + // asd which starts as SSL, current packet itself is encrypted. Set the special flag // APPID_SESSION_APP_REINSPECT_SSL which allows reinspection of this pcaket. if (isSsl) - setAppIdFlag(APPID_SESSION_APP_REINSPECT_SSL); + set_session_flags(APPID_SESSION_APP_REINSPECT_SSL); } } @@ -2441,10 +2177,10 @@ void AppIdSession::set_client_app_id_data(AppId clientAppId, char** version) if (client_app_id != clientAppId) { - unsigned prev_priority = appInfoEntryPriorityGet(client_app_id); - unsigned curr_priority = appInfoEntryPriorityGet(clientAppId); + unsigned prev_priority = app_info_mgr->get_app_info_priority(client_app_id); + unsigned curr_priority = app_info_mgr->get_app_info_priority(clientAppId); - if (pAppidActiveConfig->mod_config->instance_id) + if (config->mod_config->instance_id) checkSandboxDetection(clientAppId); if ((client_app_id) && (prev_priority > curr_priority )) @@ -2477,9 +2213,7 @@ void AppIdSession::sync_with_snort_id(AppId newAppId, Packet* p) int16_t tempSnortId = snort_id; if (tempSnortId == UNSYNCED_SNORT_ID) - { tempSnortId = snort_id = p->flow->ssn_state.application_protocol; - } if (tempSnortId == snortId_for_ftp || tempSnortId == snortId_for_ftp_data || tempSnortId == snortId_for_imap || tempSnortId == snortId_for_pop3 || @@ -2488,7 +2222,7 @@ void AppIdSession::sync_with_snort_id(AppId newAppId, Packet* p) return; // These preprocessors, in snort proper, already know and expect these to remain // unchanged. } - if ((entry = appInfoEntryGet(newAppId)) && (tempSnortId = entry->snortId)) + if ((entry = app_info_mgr->get_app_info_entry(newAppId)) && (tempSnortId = entry->snortId)) { // Snort has a separate protocol ID for HTTP/2. We don't. So, when we // talk to them about it, we have to play by their rules. @@ -2497,10 +2231,10 @@ void AppIdSession::sync_with_snort_id(AppId newAppId, Packet* p) if (tempSnortId != snort_id) { - if (app_id_debug_session_flag) + if (session_logging_enabled) if (tempSnortId == snortId_for_http2) LogMessage("AppIdDbg %s Telling Snort that it's HTTP/2\n", - app_id_debug_session); + session_logging_id); p->flow->ssn_state.application_protocol = tempSnortId; snort_id = tempSnortId; @@ -2568,10 +2302,10 @@ void AppIdSession::examine_rtmp_metadata() if (hsession->url) { - if (((getAppIdFromUrl(nullptr, hsession->url, &version, + if (((get_appid_from_url(nullptr, hsession->url, &version, hsession->referer, &ClientAppId, &serviceAppId, &payloadAppId, &referredPayloadAppId, 1)) || - (getAppIdFromUrl(nullptr, hsession->url, &version, + (get_appid_from_url(nullptr, hsession->url, &version, hsession->referer, &ClientAppId, &serviceAppId, &payloadAppId, &referredPayloadAppId, 0))) == 1) { @@ -2595,7 +2329,7 @@ void AppIdSession::set_referred_payload_app_id_data(AppId id) if (referred_payload_app_id != id) { - if (pAppidActiveConfig->mod_config->instance_id) + if (config->mod_config->instance_id) checkSandboxDetection(id); referred_payload_app_id = id; @@ -2604,16 +2338,15 @@ void AppIdSession::set_referred_payload_app_id_data(AppId id) void AppIdSession::set_payload_app_id_data(ApplicationId id, char** version) { - if (id <= APP_ID_NONE) return; if (payload_app_id != id) { - unsigned prev_priority = appInfoEntryPriorityGet(payload_app_id); - unsigned curr_priority = appInfoEntryPriorityGet(id); + unsigned prev_priority = app_info_mgr->get_app_info_priority(payload_app_id); + unsigned curr_priority = app_info_mgr->get_app_info_priority(id); - if (pAppidActiveConfig->mod_config->instance_id) + if (config->mod_config->instance_id) checkSandboxDetection(id); if ((payload_app_id ) && (prev_priority > curr_priority )) @@ -2660,7 +2393,7 @@ void AppIdSession::set_service_appid_data(AppId id, char* vendor, char** version { serviceAppId = id; - if (pAppidActiveConfig->mod_config->instance_id) + if (config->mod_config->instance_id) checkSandboxDetection(id); /* Clear out previous values of vendor & version */ @@ -2867,7 +2600,7 @@ void AppIdSession::delete_shared_data() update_appid_statistics(this); if (flow) - FailInProcessService(this, pAppidActiveConfig); + FailInProcessService(this, config); free_flow_data(); if (thirdparty_appid_module) @@ -3032,26 +2765,26 @@ void AppIdSession::stop_rna_service_inspection(Packet* p, int direction) } rnaServiceState = RNA_STATE_FINISHED; - setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); - clearAppIdFlag(APPID_SESSION_CONTINUE); + set_session_flags(APPID_SESSION_SERVICE_DETECTED); + clear_session_flags(APPID_SESSION_CONTINUE); } AppId AppIdSession::is_appid_detection_done() { - return getAppIdFlag(APPID_SESSION_SERVICE_DETECTED); + return get_session_flags(APPID_SESSION_SERVICE_DETECTED); } AppId AppIdSession::pick_service_app_id() { AppId rval; - if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL ) + if ( common.flow_type != APPID_FLOW_TYPE_NORMAL ) return APP_ID_NONE; - if (getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - bool deferred = appInfoEntryFlagGet(serviceAppId, APPINFO_FLAG_DEFER) - || appInfoEntryFlagGet(tp_app_id, APPINFO_FLAG_DEFER); + bool deferred = app_info_mgr->get_app_info_flags(serviceAppId, APPINFO_FLAG_DEFER) + || app_info_mgr->get_app_info_flags(tp_app_id, APPINFO_FLAG_DEFER); if (serviceAppId > APP_ID_NONE && !deferred) return serviceAppId; @@ -3083,11 +2816,11 @@ AppId AppIdSession::pick_service_app_id() AppId AppIdSession::pick_only_service_app_id() { - if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL ) + if ( common.flow_type != APPID_FLOW_TYPE_NORMAL ) return APP_ID_NONE; - bool deferred = appInfoEntryFlagGet(serviceAppId, APPINFO_FLAG_DEFER) - || appInfoEntryFlagGet(tp_app_id, APPINFO_FLAG_DEFER); + bool deferred = app_info_mgr->get_app_info_flags(serviceAppId, APPINFO_FLAG_DEFER) + || app_info_mgr->get_app_info_flags(tp_app_id, APPINFO_FLAG_DEFER); if (serviceAppId > APP_ID_NONE && !deferred) return serviceAppId; @@ -3105,7 +2838,7 @@ AppId AppIdSession::pick_only_service_app_id() AppId AppIdSession::pick_misc_app_id() { - if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL ) + if ( common.flow_type != APPID_FLOW_TYPE_NORMAL ) return APP_ID_NONE; if (misc_app_id > APP_ID_NONE) return misc_app_id; @@ -3114,7 +2847,7 @@ AppId AppIdSession::pick_misc_app_id() AppId AppIdSession::pick_client_app_id() { - if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL ) + if ( common.flow_type != APPID_FLOW_TYPE_NORMAL ) return APP_ID_NONE; if (client_app_id > APP_ID_NONE) return client_app_id; @@ -3123,12 +2856,12 @@ AppId AppIdSession::pick_client_app_id() AppId AppIdSession::pick_payload_app_id() { - if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL ) + if ( common.flow_type != APPID_FLOW_TYPE_NORMAL ) return APP_ID_NONE; // if we have a deferred payload, just use it. // we are not worried about the APP_ID_UNKNOWN case here - if (appInfoEntryFlagGet(tp_payload_app_id, APPINFO_FLAG_DEFER_PAYLOAD)) + if (app_info_mgr->get_app_info_flags(tp_payload_app_id, APPINFO_FLAG_DEFER_PAYLOAD)) return tp_payload_app_id; else if (payload_app_id > APP_ID_NONE) return payload_app_id; @@ -3140,7 +2873,7 @@ AppId AppIdSession::pick_payload_app_id() AppId AppIdSession::pick_referred_payload_app_id() { - if ( common.fsf_type.flow_type != APPID_SESSION_TYPE_NORMAL ) + if ( common.flow_type != APPID_FLOW_TYPE_NORMAL ) return APP_ID_NONE; if (referred_payload_app_id > APP_ID_NONE) return referred_payload_app_id; @@ -3192,7 +2925,7 @@ AppId AppIdSession::fw_pick_referred_payload_app_id() bool AppIdSession::is_ssl_session_decrypted() { - return getAppIdFlag(APPID_SESSION_DECRYPTED); + return get_session_flags(APPID_SESSION_DECRYPTED); } #ifdef REMOVED_WHILE_NOT_IN_USE @@ -3210,39 +2943,71 @@ static const char* httpFieldName[ NUMBER_OF_PTYPES ] = // for use in debug messa "body", }; +void AppIdSession::clear_app_id_data() +{ + payload_app_id = APP_ID_UNKNOWN; + serviceAppId = APP_ID_UNKNOWN; + tp_payload_app_id = APP_ID_UNKNOWN; + tp_app_id = APP_ID_UNKNOWN; + if (payload_version) + { + snort_free(payload_version); + payload_version = nullptr; + } + if (serviceVendor) + { + snort_free(serviceVendor); + serviceVendor = nullptr; + } + if (serviceVersion) + { + snort_free(serviceVersion); + serviceVersion = nullptr; + } + + if (tsession) + free_tls_session_data(); + + if (hsession) + free_http_session_data(); + + if (dsession) + free_dns_session_data(); + + if (thirdparty_appid_module) + thirdparty_appid_module->session_delete(tpsession, 1); +} + int AppIdSession::initial_CHP_sweep(char** chp_buffers, MatchedCHPAction** ppmatches) { CHPApp* cah = nullptr; int longest = 0; int size, i; - int scanKeyFoundSomething=0; - CHPMatchTally* pTally = nullptr; // scanKeyCHP allocates a pointer, but we free it when ready + CHPTallyAndActions chp; + chp.matches = *ppmatches; for (i = 0; i <= MAX_KEY_PATTERN; i++) { ppmatches[i] = nullptr; - if (chp_buffers[i] && (size = strlen(chp_buffers[i])) && - scanKeyCHP((PatternType)i, chp_buffers[i], size, &pTally, &ppmatches[i])) - scanKeyFoundSomething=1; + if (chp_buffers[i] && (size = strlen(chp_buffers[i]))) + scan_key_chp((PatternType)i, chp_buffers[i], size, chp); } - if (!scanKeyFoundSomething) + if (chp.match_tally.empty()) return 0; - for (i = 0; i < pTally->in_use_elements; i++) + for (auto& item: chp.match_tally) { // Only those items which have had their key_pattern_countdown field reduced to zero are a // full match - if (pTally->item[i].key_pattern_countdown) + if (item.key_pattern_countdown) continue; - if (longest < pTally->item[i].key_pattern_length_sum) + if (longest < item.key_pattern_length_sum) { // We've found a new longest pattern set - longest = pTally->item[i].key_pattern_length_sum; - cah = pTally->item[i].chpapp; + longest = item.key_pattern_length_sum; + cah = item.chpapp; } } - // either we have a candidate or we don't so we can free the tally structure either way. - free(pTally); if (cah == nullptr) { @@ -3252,7 +3017,7 @@ int AppIdSession::initial_CHP_sweep(char** chp_buffers, MatchedCHPAction** ppmat { if (ppmatches[i]) { - FreeMatchedCHPActions(ppmatches[i]); + free_matched_chp_actions(ppmatches[i]); ppmatches[i] = nullptr; } } @@ -3269,9 +3034,9 @@ int AppIdSession::initial_CHP_sweep(char** chp_buffers, MatchedCHPAction** ppmat hsession->ptype_req_counts[i] = cah->ptype_req_counts[i] + cah->ptype_rewrite_insert_used[i]; if (i > 3 && !cah->ptype_scan_counts[i] - && !getAppIdFlag(APPID_SESSION_SPDY_SESSION)) + && !get_session_flags(APPID_SESSION_SPDY_SESSION)) { - clearAppIdFlag(APPID_SESSION_CHP_INSPECTING); + clear_session_flags(APPID_SESSION_CHP_INSPECTING); if (thirdparty_appid_module) thirdparty_appid_module->session_attr_clear(tpsession, TP_ATTR_CONTINUE_MONITORING); @@ -3364,7 +3129,7 @@ void AppIdSession::processCHP(char** version, Packet* p) if (ptype_scan_counts[i] && chp_buffers[i] && (size = strlen(chp_buffers[i])) > 0) { found_in_buffer = 0; - ret = scanCHP((PatternType)i, chp_buffers[i], size, chp_matches[i], version, &user, + ret = scan_chp((PatternType)i, chp_buffers[i], size, chp_matches[i], version, &user, &chp_rewritten[i], &found_in_buffer, http_session, p); chp_matches[i] = nullptr; // freed by scanCHP() http_session->total_found += found_in_buffer; @@ -3450,7 +3215,7 @@ void AppIdSession::processCHP(char** version, Packet* p) if (http_session->fflow && http_session->fflow->flow_prepared) { - finalizeFflow(http_session->fflow, http_session->app_type_flags, + finalize_fflow(http_session->fflow, http_session->app_type_flags, (http_session->fflow->appId ? http_session->fflow->appId : chp_final), p); snort_free(http_session->fflow); http_session->fflow = nullptr; @@ -3465,14 +3230,14 @@ void AppIdSession::processCHP(char** version, Packet* p) username_service = chp_final; else username_service = serviceAppId; - setAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED); + set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); } for (i = 0; i < NUMBER_OF_PTYPES; i++) { if (nullptr != chp_rewritten[i]) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s rewritten %s: %s\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s rewritten %s: %s\n", session_logging_id, httpFieldName[i], chp_rewritten[i]); if (http_session->new_field[i]) snort_free(http_session->new_field[i]); @@ -3515,9 +3280,9 @@ bool AppIdSession::is_payload_appid_set() void AppIdSession::clearMiscHttpFlags() { - if (!getAppIdFlag(APPID_SESSION_SPDY_SESSION)) + if (!get_session_flags(APPID_SESSION_SPDY_SESSION)) { - clearAppIdFlag(APPID_SESSION_CHP_INSPECTING); + clear_session_flags(APPID_SESSION_CHP_INSPECTING); if (thirdparty_appid_module) thirdparty_appid_module->session_attr_clear(tpsession, TP_ATTR_CONTINUE_MONITORING); @@ -3533,9 +3298,8 @@ void AppIdSession::pickHttpXffAddress(Packet*, ThirdPartyAppIDAttributeData* att HTTP_XFF_FIELD_TRUE_CLIENT_IP }; - // XFF precedence configuration cannot change for a session. Do not get it again if we already + // XFF precedence configuration cannot change for a asd. Do not get it again if we already // got it. -// FIXIT-M: #ifdef REMOVED_WHILE_NOT_IN_USE if (!hsession->xffPrecedence) hsession->xffPrecedence = _dpd.sessionAPI->get_http_xff_precedence( @@ -3549,10 +3313,10 @@ void AppIdSession::pickHttpXffAddress(Packet*, ThirdPartyAppIDAttributeData* att sizeof(defaultXffPrecedence[0]); } - if (app_id_debug_session_flag) + if (session_logging_enabled) { for (i = 0; i < attribute_data->numXffFields; i++) - LogMessage("AppIdDbg %s %s : %s\n", app_id_debug_session, + LogMessage("AppIdDbg %s %s : %s\n", session_logging_id, attribute_data->xffFieldValue[i].field, attribute_data->xffFieldValue[i].value); } @@ -3618,9 +3382,9 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* if (!http_session) { clear_app_id_data(); - if (app_id_debug_session_flag) + if (session_logging_enabled) LogMessage("AppIdDbg %s attempt to process HTTP packet with no HTTP data\n", - app_id_debug_session); + session_logging_id); return 0; } @@ -3636,18 +3400,18 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* return 0; } - if (direction == APP_ID_FROM_RESPONDER && !getAppIdFlag( + if (direction == APP_ID_FROM_RESPONDER && !get_session_flags( APPID_SESSION_RESPONSE_CODE_CHECKED)) { if (http_session->response_code) { - setAppIdFlag(APPID_SESSION_RESPONSE_CODE_CHECKED); + set_session_flags(APPID_SESSION_RESPONSE_CODE_CHECKED); if (strlen(http_session->response_code) != RESPONSE_CODE_LENGTH) { - /* received bad response code. Stop processing this session */ + /* received bad response code. Stop processing this asd */ clear_app_id_data(); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s bad http response code\n", app_id_debug_session); + if (session_logging_enabled) + LogMessage("AppIdDbg %s bad http response code\n", session_logging_id); return 0; } @@ -3655,11 +3419,11 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* #if RESPONSE_CODE_PACKET_THRESHHOLD else if (++(http_session->response_code_packets) == RESPONSE_CODE_PACKET_THRESHHOLD) { - setAppIdFlag(APPID_SESSION_RESPONSE_CODE_CHECKED); - /* didn't receive response code in first X packets. Stop processing this session */ - clear_app_id_data(session); - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s no response code received\n", app_id_debug_session); + set_session_flags(APPID_SESSION_RESPONSE_CODE_CHECKED); + /* didn't receive response code in first X packets. Stop processing this asd */ + clear_app_id_data(asd); + if (session_logging_enabled) + LogMessage("AppIdDbg %s no response code received\n", session_logging_id); PREPROC_PROFILE_END(httpPerfStats); return 0; } @@ -3675,12 +3439,12 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* if (serviceAppId == APP_ID_NONE) { serviceAppId = APP_ID_HTTP; - if (pAppidActiveConfig->mod_config->instance_id) + if (config->mod_config->instance_id) checkSandboxDetection(APP_ID_HTTP); } - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s chp_finished %d chp_hold_flow %d\n", app_id_debug_session, + if (session_logging_enabled) + LogMessage("AppIdDbg %s chp_finished %d chp_hold_flow %d\n", session_logging_id, http_session->chp_finished, http_session->chp_hold_flow); if (!http_session->chp_finished || http_session->chp_hold_flow) @@ -3689,14 +3453,14 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* if (!http_session->skip_simple_detect) // false unless a match happened with a call to // processCHP(). { - if (!getAppIdFlag(APPID_SESSION_APP_REINSPECT)) + if (!get_session_flags(APPID_SESSION_APP_REINSPECT)) { // Scan Server Header for Vendor & Version if ( (thirdparty_appid_module && (scan_flags & SCAN_HTTP_VENDOR_FLAG) && hsession->server) || (!thirdparty_appid_module && - getHTTPHeaderLocation(p->data, p->dsize, HTTP_ID_SERVER, &start, &end, - &hmp) == 1) ) + get_http_header_location(p->data, p->dsize, HTTP_ID_SERVER, + &start, &end, &hmp) == 1) ) { if (serviceAppId == APP_ID_NONE || serviceAppId == APP_ID_HTTP) { @@ -3704,10 +3468,10 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* RNAServiceSubtype** tmpSubtype; if (thirdparty_appid_module) - getServerVendorVersion((uint8_t*)hsession->server, + get_server_vendor_version((uint8_t*)hsession->server, strlen(hsession->server), &vendorVersion, &vendor, &subtype); else - getServerVendorVersion(p->data + start, end - start, &vendorVersion, + get_server_vendor_version(p->data + start, end - start, &vendorVersion, &vendor, &subtype); if (vendor || vendorVersion) { @@ -3738,11 +3502,11 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* } } - if (webdav_found(&hmp)) + if (is_webdav_found(&hmp)) { - if (app_id_debug_session_flag && payload_id > APP_ID_NONE && + if (session_logging_enabled && payload_id > APP_ID_NONE && payload_app_id != payload_id) - LogMessage("AppIdDbg %s data is webdav\n", app_id_debug_session); + LogMessage("AppIdDbg %s data is webdav\n", session_logging_id); set_payload_app_id_data(APP_ID_WEBDAV, nullptr); } @@ -3755,15 +3519,15 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* snort_free(version); version = nullptr; } - identifyUserAgent((uint8_t*)useragent, size, &service_id, &client_id, &version); - if (app_id_debug_session_flag && service_id > APP_ID_NONE && service_id != - APP_ID_HTTP && serviceAppId != service_id) - LogMessage("AppIdDbg %s User Agent is service %d\n", app_id_debug_session, + identify_user_agent((uint8_t*)useragent, size, &service_id, &client_id, &version); + if (session_logging_enabled && service_id > APP_ID_NONE && + service_id != APP_ID_HTTP && serviceAppId != service_id) + LogMessage("AppIdDbg %s User Agent is service %d\n", session_logging_id, service_id); set_service_appid_data(service_id, nullptr, nullptr); - if (app_id_debug_session_flag && client_id > APP_ID_NONE && client_id != + if (session_logging_enabled && client_id > APP_ID_NONE && client_id != APP_ID_HTTP && client_app_id != client_id) - LogMessage("AppIdDbg %s User Agent is client %d\n", app_id_debug_session, + LogMessage("AppIdDbg %s User Agent is client %d\n", session_logging_id, client_id); set_client_app_id_data(client_id, &version); scan_flags &= ~SCAN_HTTP_USER_AGENT_FLAG; @@ -3778,10 +3542,10 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* snort_free(version); version = nullptr; } - payload_id = geAppidByViaPattern((uint8_t*)via, size, &version); - if (app_id_debug_session_flag && payload_id > APP_ID_NONE && + payload_id = get_appid_by_pattern((uint8_t*)via, size, &version); + if (session_logging_enabled && payload_id > APP_ID_NONE && payload_app_id != payload_id) - LogMessage("AppIdDbg %s VIA is data %d\n", app_id_debug_session, + LogMessage("AppIdDbg %s VIA is data %d\n", session_logging_id, payload_id); set_payload_app_id_data((ApplicationId)payload_id, nullptr); scan_flags &= ~SCAN_HTTP_VIA_FLAG; @@ -3791,7 +3555,7 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* /* Scan X-Working-With HTTP header */ if ((thirdparty_appid_module && (scan_flags & SCAN_HTTP_XWORKINGWITH_FLAG) && hsession->x_working_with) || - (!thirdparty_appid_module && getHTTPHeaderLocation(p->data, p->dsize, + (!thirdparty_appid_module && get_http_header_location(p->data, p->dsize, HTTP_ID_X_WORKING_WITH, &start, &end, &hmp) == 1)) { AppId appId; @@ -3806,16 +3570,16 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* { if (direction == APP_ID_FROM_INITIATOR) { - if (app_id_debug_session_flag && client_id > APP_ID_NONE && client_id != + if (session_logging_enabled && client_id > APP_ID_NONE && client_id != APP_ID_HTTP && client_app_id != client_id) - LogMessage("AppIdDbg %s X is client %d\n", app_id_debug_session, appId); + LogMessage("AppIdDbg %s X is client %d\n", session_logging_id, appId); set_client_app_id_data(appId, &version); } else { - if (app_id_debug_session_flag && service_id > APP_ID_NONE && service_id != + if (session_logging_enabled && service_id > APP_ID_NONE && service_id != APP_ID_HTTP && serviceAppId != service_id) - LogMessage("AppIdDbg %s X is service %d\n", app_id_debug_session, appId); + LogMessage("AppIdDbg %s X is service %d\n", session_logging_id, appId); set_service_appid_data(appId, nullptr, &version); } scan_flags &= ~SCAN_HTTP_XWORKINGWITH_FLAG; @@ -3826,17 +3590,17 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* if ((thirdparty_appid_module && (scan_flags & SCAN_HTTP_CONTENT_TYPE_FLAG) && hsession->content_type && !is_payload_appid_set()) || (!thirdparty_appid_module && !is_payload_appid_set() && - getHTTPHeaderLocation(p->data, p->dsize, HTTP_ID_CONTENT_TYPE, &start, &end, - &hmp) == 1)) + get_http_header_location(p->data, p->dsize, HTTP_ID_CONTENT_TYPE, + &start, &end, &hmp) == 1)) { if (thirdparty_appid_module) - payload_id = geAppidByContentType((uint8_t*)hsession->content_type, + payload_id = get_appid_by_content_type((uint8_t*)hsession->content_type, strlen(hsession->content_type)); else - payload_id = geAppidByContentType(p->data + start, end - start); - if (app_id_debug_session_flag && payload_id > APP_ID_NONE + payload_id = get_appid_by_content_type(p->data + start, end - start); + if (session_logging_enabled && payload_id > APP_ID_NONE && payload_app_id != payload_id) - LogMessage("AppIdDbg %s Content-Type is data %d\n", app_id_debug_session, + LogMessage("AppIdDbg %s Content-Type is data %d\n", session_logging_id, payload_id); set_payload_app_id_data((ApplicationId)payload_id, nullptr); scan_flags &= ~SCAN_HTTP_CONTENT_TYPE_FLAG; @@ -3849,30 +3613,30 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* snort_free(version); version = nullptr; } - if (getAppIdFromUrl(host, url, &version, referer, &client_id, &service_id, + if (get_appid_from_url(host, url, &version, referer, &client_id, &service_id, &payload_id, &referredPayloadAppId, 0) == 1) { // do not overwrite a previously-set client or service if (client_app_id <= APP_ID_NONE) { - if (app_id_debug_session_flag && client_id > APP_ID_NONE && client_id != + if (session_logging_enabled && client_id > APP_ID_NONE && client_id != APP_ID_HTTP && client_app_id != client_id) - LogMessage("AppIdDbg %s URL is client %d\n", app_id_debug_session, + LogMessage("AppIdDbg %s URL is client %d\n", session_logging_id, client_id); set_client_app_id_data(client_id, nullptr); } if (serviceAppId <= APP_ID_NONE) { - if (app_id_debug_session_flag && service_id > APP_ID_NONE && service_id != + if (session_logging_enabled && service_id > APP_ID_NONE && service_id != APP_ID_HTTP && serviceAppId != service_id) - LogMessage("AppIdDbg %s URL is service %d\n", app_id_debug_session, + LogMessage("AppIdDbg %s URL is service %d\n", session_logging_id, service_id); set_service_appid_data(service_id, nullptr, nullptr); } // DO overwrite a previously-set data - if (app_id_debug_session_flag && payload_id > APP_ID_NONE && + if (session_logging_enabled && payload_id > APP_ID_NONE && payload_app_id != payload_id) - LogMessage("AppIdDbg %s URL is data %d\n", app_id_debug_session, payload_id); + LogMessage("AppIdDbg %s URL is data %d\n", session_logging_id, payload_id); set_payload_app_id_data((ApplicationId)payload_app_id, &version); set_referred_payload_app_id_data(referredPayloadAppId); } @@ -3883,7 +3647,7 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* { if (tp_payload_app_id > APP_ID_NONE) { - entry = appInfoEntryGet(tp_payload_app_id); + entry = app_info_mgr->get_app_info_entry(tp_payload_app_id); // only move tpPayloadAppId to client if its got a clientAppId if (entry->clientId > APP_ID_NONE) { @@ -3893,7 +3657,7 @@ int AppIdSession::processHTTPPacket(Packet* p, int direction, HttpParsedHeaders* } else if (payload_app_id > APP_ID_NONE) { - entry = appInfoEntryGet(payload_app_id); + entry = app_info_mgr->get_app_info_entry(payload_app_id); // only move payloadAppId to client if it has a ClientAppid if (entry->clientId > APP_ID_NONE) { diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 0f2da3021..63d18dfeb 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -44,18 +44,14 @@ #define HTTP_PREFIX "http://" #define SF_DEBUG_FILE stdout -#define NUMBER_OF_PTYPES 9 #define APPID_SESSION_DATA_NONE 0 - #define APPID_SESSION_DATA_DHCP_FP_DATA 2 #define APPID_SESSION_DATA_SMB_DATA 4 #define APPID_SESSION_DATA_DHCP_INFO 5 - #define APPID_SESSION_DATA_SERVICE_MODSTATE_BIT 0x20000000 #define APPID_SESSION_DATA_CLIENT_MODSTATE_BIT 0x40000000 #define APPID_SESSION_DATA_DETECTOR_MODSTATE_BIT 0x80000000 - #define APPID_SESSION_BIDIRECTIONAL_CHECKED \ (APPID_SESSION_INITIATOR_CHECKED | \ APPID_SESSION_RESPONDER_CHECKED) @@ -63,10 +59,12 @@ (APPID_SESSION_RESPONDER_MONITORED | \ APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | \ APPID_SESSION_SPECIAL_MONITORED) +#define MAX_SESSION_LOGGING_ID_LEN (39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1) struct RNAServiceElement; struct RNAServiceSubtype; struct RNAClientAppModule; +class AppInfoManager; enum RNA_INSPECTION_STATE { @@ -84,18 +82,9 @@ struct AppIdFlowData AppIdFreeFCN fd_free; }; -#define APPID_SESSION_TYPE_IGNORE APPID_FLOW_TYPE_IGNORE -#define APPID_SESSION_TYPE_NORMAL APPID_FLOW_TYPE_NORMAL -#define APPID_SESSION_TYPE_TMP APPID_FLOW_TYPE_TMP - -struct APPID_SESSION_STRUCT_FLAG -{ - APPID_FLOW_TYPE flow_type; -}; - struct CommonAppIdData { - APPID_SESSION_STRUCT_FLAG fsf_type; /* This must be first. */ + APPID_FLOW_TYPE flow_type; unsigned policyId; //flags shared with other preprocessor via session attributes. uint64_t flags; @@ -123,11 +112,6 @@ struct fflow_info int flow_prepared; }; -struct HttpRewriteableFields -{ - char* str; -}; - struct httpSession { char* host; @@ -203,9 +187,6 @@ struct tlsSession int tls_orgUnit_strlen; }; -extern char app_id_debug_session[]; -extern bool app_id_debug_session_flag; - /* The UNSYNCED_SNORT_ID value is to cheaply insure we get the value from snort rather than assume */ #define UNSYNCED_SNORT_ID 0x5555 @@ -215,7 +196,7 @@ void map_app_names_to_snort_ids(); class AppIdSession : public FlowData { public: - AppIdSession(IpProtocol proto, const sfip_t* ip); + AppIdSession(IpProtocol, const sfip_t*); ~AppIdSession(); static AppIdSession* allocate_session(const Packet*, IpProtocol, int); @@ -223,55 +204,17 @@ public: uint16_t, IpProtocol, int16_t, int); static void do_application_discovery(Packet*); -private: - bool do_client_discovery(int, Packet*); - bool do_service_discovery(IpProtocol, int, AppId, AppId, Packet*); - int exec_client_detectors(Packet*, int); - - static uint64_t is_session_monitored(const Packet*, int, AppIdSession*); - static bool is_packet_ignored(Packet* p); - bool is_payload_appid_set(); - void clear_app_id_data(); - void reinit_shared_data(); - bool is_ssl_decryption_enabled(); - void check_app_detection_restart(); - void update_encrypted_app_id(AppId serviceAppId); - void sync_with_snort_id(AppId, Packet*); - void examine_ssl_metadata(Packet*); - void examine_rtmp_metadata(); - void set_client_app_id_data(AppId clientAppId, char** version); - void set_service_appid_data( AppId, char*, char**); - void set_referred_payload_app_id_data( AppId); - void set_payload_app_id_data( ApplicationId, char**); - void stop_rna_service_inspection(Packet*, int); - -#ifdef REMOVED_WHILE_NOT_IN_USE - // FIXIT-M: these are not needed until appid for snort3 supports 3rd party detectors (e.g. NAVL) - void ProcessThirdPartyResults(Packet*, int, AppId*, ThirdPartyAppIDAttributeData*); - void checkTerminateTpModule(uint16_t tpPktCount); - bool do_third_party_discovery(IpProtocol, const sfip_t*, Packet*, int&); - - // FIXIT-H: when http detection is made functional we need to look at these methods and determine if they are - // needed and what changes are required for snort3 - void pickHttpXffAddress(Packet*, ThirdPartyAppIDAttributeData*); - int initial_CHP_sweep(char**, MatchedCHPAction**); - void clearMiscHttpFlags(); - int processHTTPPacket(Packet*, int, HttpParsedHeaders* const); - void processCHP(char**, Packet*); -#endif - -public: + AppIdConfig* config = nullptr; CommonAppIdData common; AppIdSession* next = nullptr; Flow* flow = nullptr; + AppIdFlowData* flowData = nullptr; + AppInfoManager* app_info_mgr = nullptr; sfip_t service_ip; uint16_t service_port = 0; IpProtocol protocol = IpProtocol::PROTO_NOT_SET; uint8_t previous_tcp_flags = 0; - - AppIdFlowData* flowData = nullptr; - // AppId matching service side AppId serviceAppId = APP_ID_NONE; AppId portServiceAppId = APP_ID_NONE; @@ -310,7 +253,7 @@ public: char* username = nullptr; AppId username_service = APP_ID_NONE; char* netbios_domain = nullptr; - uint32_t id = 0; + uint32_t session_id = 0; httpSession* hsession = nullptr; tlsSession* tsession = nullptr; unsigned scan_flags = 0; @@ -356,28 +299,29 @@ public: AppId pastForecast = APP_ID_NONE; bool is_http2 = false; - SEARCH_SUPPORT_TYPE search_support_type = SEARCH_SUPPORT_TYPE_UNKNOWN; - + SEARCH_SUPPORT_TYPE search_support_type = UNKNOWN_SEARCH_ENGINE; bool in_expected_cache = false; - static unsigned flow_id; static void init() { flow_id = FlowData::get_flow_id(); } - void setAppIdFlag(uint64_t flags) + void set_session_flags(uint64_t flags) { common.flags |= flags; } - void clearAppIdFlag(uint64_t flags) + void clear_session_flags(uint64_t flags) { common.flags &= ~flags; } - inline uint64_t getAppIdFlag(uint64_t flags) + inline uint64_t get_session_flags(uint64_t flags) { return (common.flags & flags); } + char session_logging_id[MAX_SESSION_LOGGING_ID_LEN]; + bool session_logging_enabled = false; + static void release_free_list_flow_data(); void* get_flow_data(unsigned id); int add_flow_data(void* data, unsigned id, AppIdFreeFCN); @@ -406,6 +350,48 @@ public: AppId fw_pick_payload_app_id(); AppId fw_pick_referred_payload_app_id(); bool is_ssl_session_decrypted(); +private: + bool do_client_discovery(int, Packet*); + bool do_service_discovery(IpProtocol, int, AppId, AppId, Packet*); + int exec_client_detectors(Packet*, int); + + static uint64_t is_session_monitored(const Packet*, int, AppIdSession*); + static bool is_packet_ignored(Packet* p); + bool is_payload_appid_set(); + void reinit_shared_data(); + bool is_ssl_decryption_enabled(); + void check_app_detection_restart(); + void update_encrypted_app_id(AppId serviceAppId); + void sync_with_snort_id(AppId, Packet*); + void examine_ssl_metadata(Packet*); + void examine_rtmp_metadata(); + void set_client_app_id_data(AppId clientAppId, char** version); + void set_service_appid_data( AppId, char*, char**); + void set_referred_payload_app_id_data( AppId); + void set_payload_app_id_data( ApplicationId, char**); + void stop_rna_service_inspection(Packet*, int); + void set_session_logging_state(const Packet* pkt, int direction); + +#ifdef REMOVED_WHILE_NOT_IN_USE + // FIXIT-M these are not needed until appid for snort3 supports 3rd party detectors (e.g. NAVL) + void ProcessThirdPartyResults(Packet*, int, AppId*, ThirdPartyAppIDAttributeData*); + void checkTerminateTpModule(uint16_t tpPktCount); + bool do_third_party_discovery(IpProtocol, const sfip_t*, Packet*, int&); + + // FIXIT-H when http detection is made functional we need to look at these methods and determine if they are + // needed and what changes are required for snort3 + void clear_app_id_data(); + void pickHttpXffAddress(Packet*, ThirdPartyAppIDAttributeData*); + int initial_CHP_sweep(char**, MatchedCHPAction**); + void clearMiscHttpFlags(); + int processHTTPPacket(Packet*, int, HttpParsedHeaders* const); + void processCHP(char**, Packet*); +#endif + + void create_session_logging_id(int direction, Packet* pkt); + + static THREAD_LOCAL uint32_t appid_flow_data_id; + static THREAD_LOCAL AppIdFlowData* fd_free_list; }; #endif diff --git a/src/network_inspectors/appid/appid_stats.cc b/src/network_inspectors/appid/appid_stats.cc index ec10e7ee9..5a090b21e 100644 --- a/src/network_inspectors/appid/appid_stats.cc +++ b/src/network_inspectors/appid/appid_stats.cc @@ -41,11 +41,6 @@ #define URLCATBUCKETS 100 #define URLREPBUCKETS 5 -// FIXIT - find out where this is defined in snort 2.x and define appropriately here -#if 1 -#define UNIFIED2_IDS_EVENT_APPSTAT 1 -#endif - struct AppIdStatRecord { uint32_t app_id; @@ -61,7 +56,7 @@ struct AppIdStatRecord struct AppIdStatOutputRecord { - char appName[MAX_EVENT_APPNAME_LEN]; + char app_name[MAX_EVENT_APPNAME_LEN]; uint32_t initiatorBytes; uint32_t responderBytes; }; @@ -115,7 +110,7 @@ static inline time_t get_time() return now - (now % bucketInterval); } -void update_appid_statistics(AppIdSession* session) +void update_appid_statistics(AppIdSession* asd) { if ( !enableAppStats ) return; @@ -129,17 +124,17 @@ void update_appid_statistics(AppIdSession* session) start_stats_period(now); } - time_t bucketTime = session->stats.firstPktsecond - - (session->stats.firstPktsecond % bucketInterval); + time_t bucketTime = asd->stats.firstPktsecond - + (asd->stats.firstPktsecond % bucketInterval); StatsBucket* bucket = get_stats_bucket(bucketTime); if ( !bucket ) return; - bucket->totalStats.txByteCnt += session->stats.initiatorBytes; - bucket->totalStats.rxByteCnt += session->stats.responderBytes; + bucket->totalStats.txByteCnt += asd->stats.initiatorBytes; + bucket->totalStats.rxByteCnt += asd->stats.responderBytes; - const uint32_t web_app_id = session->pick_payload_app_id(); + const uint32_t web_app_id = asd->pick_payload_app_id(); if (web_app_id > APP_ID_NONE) { const uint32_t app_id = web_app_id; @@ -158,7 +153,7 @@ void update_appid_statistics(AppIdSession* session) } else { - // FIXIT-M really? we just silently ignore an allocation failure? + WarningMessage("Error saving statistics record for app id: %u", app_id); snort_free(record); record = nullptr; } @@ -166,12 +161,12 @@ void update_appid_statistics(AppIdSession* session) if (record) { - record->initiatorBytes += session->stats.initiatorBytes; - record->responderBytes += session->stats.responderBytes; + record->initiatorBytes += asd->stats.initiatorBytes; + record->responderBytes += asd->stats.responderBytes; } } - const uint32_t service_app_id = session->pick_service_app_id(); + const uint32_t service_app_id = asd->pick_service_app_id(); if ((service_app_id) && (service_app_id != web_app_id)) { @@ -191,7 +186,7 @@ void update_appid_statistics(AppIdSession* session) } else { - // FIXIT-M really? don't ignore insert failure? add a stat here + WarningMessage("Error saving statistics record for app id: %u", app_id); snort_free(record); record = nullptr; } @@ -199,12 +194,12 @@ void update_appid_statistics(AppIdSession* session) if (record) { - record->initiatorBytes += session->stats.initiatorBytes; - record->responderBytes += session->stats.responderBytes; + record->initiatorBytes += asd->stats.initiatorBytes; + record->responderBytes += asd->stats.responderBytes; } } - const uint32_t client_app_id = session->pick_client_app_id(); + const uint32_t client_app_id = asd->pick_client_app_id(); if (client_app_id > APP_ID_NONE && client_app_id != service_app_id && client_app_id != web_app_id) @@ -226,7 +221,7 @@ void update_appid_statistics(AppIdSession* session) } else { - // FIXIT-M really? we just silently ignore an allocation failure? + WarningMessage("Error saving statistics record for app id: %u", app_id); snort_free(record); record = nullptr; } @@ -234,8 +229,8 @@ void update_appid_statistics(AppIdSession* session) if (record) { - record->initiatorBytes += session->stats.initiatorBytes; - record->responderBytes += session->stats.responderBytes; + record->initiatorBytes += asd->stats.initiatorBytes; + record->responderBytes += asd->stats.responderBytes; } } } @@ -269,17 +264,6 @@ static void close_stats_log_file() } } -void reinit_appid_statistics() -{ - // FIXIT-L J really should something like: - // if ( !stats_files_are_open() ) - // return; - if (!enableAppStats) - return; - - close_stats_log_file(); -} - void flush_appid_statistics() { if (!enableAppStats) @@ -406,7 +390,7 @@ static void dump_statistics() for (node = fwAvlFirst(bucket->appsTree); node != nullptr; node = fwAvlNext(node)) { struct AppIdStatOutputRecord* recBuffPtr; - const char* appName; + const char* app_name; bool cooked_client = false; AppId app_id; char tmpBuff[MAX_EVENT_APPNAME_LEN]; @@ -422,21 +406,21 @@ static void dump_statistics() app_id -= 2000000000; } - AppInfoTableEntry* entry = appInfoEntryGet(app_id); + AppInfoTableEntry* entry = AppInfoManager::get_instance().get_app_info_entry(app_id); if (entry) { - appName = entry->appName; + app_name = entry->app_name; if (cooked_client) { - snprintf(tmpBuff, MAX_EVENT_APPNAME_LEN, "_cl_%s", appName); + snprintf(tmpBuff, MAX_EVENT_APPNAME_LEN, "_cl_%s", app_name); tmpBuff[MAX_EVENT_APPNAME_LEN-1] = 0; - appName = tmpBuff; + app_name = tmpBuff; } } else if (app_id == APP_ID_UNKNOWN || app_id == APP_ID_UNKNOWN_UI) - appName = "__unknown"; + app_name = "__unknown"; else if (app_id == APP_ID_NONE) - appName = "__none"; + app_name = "__none"; else { ErrorMessage("invalid appid in appStatRecord (%u)\n", record->app_id); @@ -446,10 +430,10 @@ static void dump_statistics() snprintf(tmpBuff, MAX_EVENT_APPNAME_LEN, "_err_%u",app_id); tmpBuff[MAX_EVENT_APPNAME_LEN - 1] = 0; - appName = tmpBuff; + app_name = tmpBuff; } - memcpy(recBuffPtr->appName, appName, strlen(appName)); + memcpy(recBuffPtr->app_name, app_name, strlen(app_name)); /**buffPtr++ = htonl(record->app_id); */ recBuffPtr->initiatorBytes = htonl(record->initiatorBytes); diff --git a/src/network_inspectors/appid/appid_stats.h b/src/network_inspectors/appid/appid_stats.h index 7adeaadd7..103145f99 100644 --- a/src/network_inspectors/appid/appid_stats.h +++ b/src/network_inspectors/appid/appid_stats.h @@ -26,9 +26,7 @@ class AppIdSession; class AppIdModuleConfig; void update_appid_statistics(AppIdSession*); -void init_appid_statistics(const AppIdModuleConfig*); -void reinit_appid_statistics(); +void init_appid_statistics(const AppIdModuleConfig* config); void flush_appid_statistics(); void cleanup_appid_statistics(); - #endif diff --git a/src/network_inspectors/appid/appid_utils/common_util.h b/src/network_inspectors/appid/appid_utils/common_util.h index d0b9f6f73..cb6637089 100644 --- a/src/network_inspectors/appid/appid_utils/common_util.h +++ b/src/network_inspectors/appid/appid_utils/common_util.h @@ -29,19 +29,6 @@ #include "framework/decode_data.h" -struct FWDebugSessionConstraints -{ - ip::snort_in6_addr sip; - int sip_flag; - ip::snort_in6_addr dip; - int dip_flag; - uint16_t sport; - uint16_t dport; - PktType protocol; -}; - -#define FW_DEBUG_SESSION_ID_SIZE (39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1) - struct ConfigItem { char* name; /* name of the config item */ diff --git a/src/network_inspectors/appid/appid_utils/sfutil.h b/src/network_inspectors/appid/appid_utils/sfutil.h index ac2409947..b5fcac07f 100644 --- a/src/network_inspectors/appid/appid_utils/sfutil.h +++ b/src/network_inspectors/appid/appid_utils/sfutil.h @@ -24,7 +24,6 @@ #include -int SFGetRelocatePathForFile(const char* const content_file, const char** const root_path); extern int Tokenize(char* data, char* toklist[]); extern int strip(char* data); extern void InitNetmasks(uint32_t netmasks[]); diff --git a/src/network_inspectors/appid/application_ids.h b/src/network_inspectors/appid/application_ids.h index f93e076d7..74369e707 100644 --- a/src/network_inspectors/appid/application_ids.h +++ b/src/network_inspectors/appid/application_ids.h @@ -999,8 +999,6 @@ enum ApplicationId : int32_t APP_ID_ANYCONNECT_IPSEC_CLIENT = 2923, APP_ID_FTP_ACTIVE = 4002, APP_ID_FTP_PASSIVE = 4003, - - // FIXIT - L Need better name since often there is no UI APP_ID_UNKNOWN_UI = 65535 // this causes the UI to render Unknown instead of pending or blank }; diff --git a/src/network_inspectors/appid/client_plugins/client_app_aim.cc b/src/network_inspectors/appid/client_plugins/client_app_aim.cc index 9519705d7..dc82b8b5c 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_aim.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_aim.cc @@ -198,7 +198,7 @@ static inline bool check_username( } static CLIENT_APP_RETCODE aim_validate( const uint8_t* const data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, Detector*) + AppIdSession* asd, Packet*, Detector*) { if ( dir != APP_ID_FROM_INITIATOR ) return CLIENT_APP_INPROCESS; @@ -269,7 +269,7 @@ static CLIENT_APP_RETCODE aim_validate( const uint8_t* const data, uint16_t size char username[USERNAME_LEN]; if ( check_username(cur, tlv, username, username + USERNAME_LEN) ) - aim_client_mod.api->add_user(flowp, username, + aim_client_mod.api->add_user(asd, username, APP_ID_AOL_INSTANT_MESSENGER, 1); } break; @@ -300,8 +300,7 @@ static CLIENT_APP_RETCODE aim_validate( const uint8_t* const data, uint16_t size char version[MAX_VERSION_SIZE]; snprintf(version, sizeof(version), "%d.%d.%d", major, minor, lesser); - aim_client_mod.api->add_app( - flowp, APP_ID_AOL_INSTANT_MESSENGER, + aim_client_mod.api->add_app( asd, APP_ID_AOL_INSTANT_MESSENGER, APP_ID_AOL_INSTANT_MESSENGER, version); appid_stats.aim_clients++; } @@ -311,7 +310,7 @@ static CLIENT_APP_RETCODE aim_validate( const uint8_t* const data, uint16_t size return CLIENT_APP_INPROCESS; bail: - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_api.h b/src/network_inspectors/appid/client_plugins/client_app_api.h index 30ec6c97f..ce9719051 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_api.h +++ b/src/network_inspectors/appid/client_plugins/client_app_api.h @@ -26,6 +26,7 @@ #include "appid_api.h" #include "appid_session.h" +#include "utils/util.h" struct Packet; struct Detector; diff --git a/src/network_inspectors/appid/client_plugins/client_app_base.cc b/src/network_inspectors/appid/client_plugins/client_app_base.cc index 1f8fa128e..b533ffc95 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_base.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_base.cc @@ -62,10 +62,10 @@ * already exist). */ #define MAX_CANDIDATE_CLIENTS 10 -static void* client_app_flowdata_get(AppIdSession* flowp, unsigned client_id); -static int client_app_flowdata_add(AppIdSession* flowp, void* data, unsigned client_id, AppIdFreeFCN +static void* client_app_flowdata_get(AppIdSession* asd, unsigned client_id); +static int client_app_flowdata_add(AppIdSession* asd, void* data, unsigned client_id, AppIdFreeFCN fcn); -static void AppIdAddClientAppInfo(AppIdSession* flowp, const char* info); +static void AppIdAddClientAppInfo(AppIdSession* asd, const char* info); static const ClientAppApi client_app_api = { @@ -147,7 +147,7 @@ static THREAD_LOCAL ClientAppMatch* match_free_list = nullptr; static void appSetClientValidator(RNAClientAppFCN fcn, AppId appId, unsigned extractsInfo) { - AppInfoTableEntry* pEntry = appInfoEntryGet(appId); + AppInfoTableEntry* pEntry = AppInfoManager::get_instance().get_app_info_entry(appId); if (!pEntry) { ErrorMessage("AppId: invalid direct client application AppId: %d\n", appId); @@ -571,14 +571,13 @@ void init_client_plugins() sflist_init(&client_app_config->module_configs); client_app_config->enabled = true; - ClientAppParseArgs(&pAppidActiveConfig->client_app_args); + ClientAppParseArgs(&AppIdConfig::get_appid_config()->client_app_args); if (client_app_config->enabled) { - client_init_api.debug = pAppidActiveConfig->mod_config->debug; - client_init_api.pAppidConfig = pAppidActiveConfig; - // FIXIT - active config global must go... - client_init_api.instance_id = pAppidActiveConfig->mod_config->instance_id; + client_init_api.debug = AppIdConfig::get_appid_config()->mod_config->debug; + client_init_api.pAppidConfig = AppIdConfig::get_appid_config(); + client_init_api.instance_id = AppIdConfig::get_appid_config()->mod_config->instance_id; for (li = client_app_config->tcp_client_app_list; li; li = li->next) initialize_module(li); @@ -702,32 +701,32 @@ static int pattern_match(void* id, void* /*unused_tree*/, int index, void* data, return 0; } -void AppIdAddClientApp(AppIdSession* flowp, AppId service_id, AppId id, const char* version) +void AppIdAddClientApp(AppIdSession* asd, AppId service_id, AppId id, const char* version) { if (version) { - if (flowp->client_version) + if (asd->client_version) { - if (strcmp(version, flowp->client_version)) + if (strcmp(version, asd->client_version)) { - snort_free(flowp->client_version); - flowp->client_version = snort_strdup(version); + snort_free(asd->client_version); + asd->client_version = snort_strdup(version); } } else - flowp->client_version = snort_strdup(version); + asd->client_version = snort_strdup(version); } - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); - flowp->client_service_app_id = service_id; - flowp->client_app_id = id; + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); + asd->client_service_app_id = service_id; + asd->client_app_id = id; checkSandboxDetection(id); } -static void AppIdAddClientAppInfo(AppIdSession* flowp, const char* info) +static void AppIdAddClientAppInfo(AppIdSession* asd, const char* info) { - if (flowp->hsession && !flowp->hsession->url) - flowp->hsession->url = snort_strdup(info); + if (asd->hsession && !asd->hsession->url) + asd->hsession->url = snort_strdup(info); } static ClientAppMatch* BuildClientPatternList(const Packet* pkt, IpProtocol protocol) @@ -817,7 +816,7 @@ static void FreeClientPatternList(ClientAppMatch** match_list) * * @param p packet to process */ -static void ClientAppID(Packet* p, const int /*direction*/, AppIdSession* flowp) +static void ClientAppID(Packet* p, const int /*direction*/, AppIdSession* asd) { const RNAClientAppModule* client = nullptr; ClientAppMatch* match_list; @@ -829,36 +828,36 @@ static void ClientAppID(Packet* p, const int /*direction*/, AppIdSession* flowp) if (!p->dsize) return; - if (flowp->rna_client_data != nullptr) + if (asd->rna_client_data != nullptr) return; - if (flowp->candidate_client_list != nullptr) + if (asd->candidate_client_list != nullptr) { - if (flowp->num_candidate_clients_tried > 0) + if (asd->num_candidate_clients_tried > 0) return; } else { - flowp->candidate_client_list = (SF_LIST*) snort_calloc(sizeof(SF_LIST)); - sflist_init(flowp->candidate_client_list); - flowp->num_candidate_clients_tried = 0; + asd->candidate_client_list = (SF_LIST*) snort_calloc(sizeof(SF_LIST)); + sflist_init(asd->candidate_client_list); + asd->num_candidate_clients_tried = 0; } - match_list = BuildClientPatternList(p, flowp->protocol); - while (flowp->num_candidate_clients_tried < MAX_CANDIDATE_CLIENTS) + match_list = BuildClientPatternList(p, asd->protocol); + while (asd->num_candidate_clients_tried < MAX_CANDIDATE_CLIENTS) { const RNAClientAppModule* tmp = GetNextFromClientPatternList(&match_list); if (tmp != nullptr) { SF_LNODE* cursor; - client = (RNAClientAppModule*)sflist_first(flowp->candidate_client_list, &cursor); + client = (RNAClientAppModule*)sflist_first(asd->candidate_client_list, &cursor); while (client && (client != tmp)) client = (RNAClientAppModule*)sflist_next(&cursor); if (client == nullptr) { - sflist_add_tail(flowp->candidate_client_list, (void*)tmp); - flowp->num_candidate_clients_tried++; + sflist_add_tail(asd->candidate_client_list, (void*)tmp); + asd->num_candidate_clients_tried++; #ifdef CLIENT_APP_DEBUG _dpd.logMsg("Using %s from pattern match", tmp ? tmp->name : \ n ",ULL"); #endif @@ -871,13 +870,13 @@ static void ClientAppID(Packet* p, const int /*direction*/, AppIdSession* flowp) } FreeClientPatternList(&match_list); - if (sflist_count(flowp->candidate_client_list) == 0) + if (sflist_count(asd->candidate_client_list) == 0) { client = nullptr; switch (p->ptrs.dp) { case 465: - if (flowp->getAppIdFlag(APPID_SESSION_DECRYPTED)) + if (asd->get_session_flags(APPID_SESSION_DECRYPTED)) client = &smtp_client_mod; break; default: @@ -885,8 +884,8 @@ static void ClientAppID(Packet* p, const int /*direction*/, AppIdSession* flowp) } if (client != nullptr) { - sflist_add_tail(flowp->candidate_client_list, (void*)client); - flowp->num_candidate_clients_tried++; + sflist_add_tail(asd->candidate_client_list, (void*)client); + asd->num_candidate_clients_tried++; } } } @@ -899,24 +898,24 @@ int AppIdDiscoverClientApp(Packet* p, int direction, AppIdSession* rnaData) if (direction == APP_ID_FROM_INITIATOR) { /* get out if we've already tried to validate a client app */ - if (!rnaData->getAppIdFlag(APPID_SESSION_CLIENT_DETECTED)) + if (!rnaData->get_session_flags(APPID_SESSION_CLIENT_DETECTED)) ClientAppID(p, direction, rnaData); } else if ( rnaData->rnaServiceState != RNA_STATE_STATEFUL - && rnaData->getAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS)) + && rnaData->get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS)) ClientAppID(p, direction, rnaData); return APPID_SESSION_SUCCESS; } -static void* client_app_flowdata_get(AppIdSession* flowp, unsigned client_id) +static void* client_app_flowdata_get(AppIdSession* asd, unsigned client_id) { - return flowp->get_flow_data(client_id); + return asd->get_flow_data(client_id); } -static int client_app_flowdata_add(AppIdSession* flowp, void* data, unsigned client_id, AppIdFreeFCN +static int client_app_flowdata_add(AppIdSession* asd, void* data, unsigned client_id, AppIdFreeFCN fcn) { - return flowp->add_flow_data(data, client_id, fcn); + return asd->add_flow_data(data, client_id, fcn); } diff --git a/src/network_inspectors/appid/client_plugins/client_app_bit.cc b/src/network_inspectors/appid/client_plugins/client_app_bit.cc index 2ba141466..ff12bcd10 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_bit.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_bit.cc @@ -73,7 +73,7 @@ THREAD_LOCAL BIT_CLIENT_APP_CONFIG bit_config; static CLIENT_APP_RETCODE bit_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE bit_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); SO_PUBLIC RNAClientAppModule bit_client_mod = { @@ -154,7 +154,7 @@ static CLIENT_APP_RETCODE bit_init(const IniClientAppAPI* const init_api, SF_LIS } static CLIENT_APP_RETCODE bit_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { ClientBITData* fd; uint16_t offset; @@ -162,11 +162,11 @@ static CLIENT_APP_RETCODE bit_validate(const uint8_t* data, uint16_t size, const if (dir != APP_ID_FROM_INITIATOR) return CLIENT_APP_INPROCESS; - fd = (ClientBITData*)bit_client_mod.api->data_get(flowp, bit_client_mod.flow_data_index); + fd = (ClientBITData*)bit_client_mod.api->data_get(asd, bit_client_mod.flow_data_index); if (!fd) { fd = (ClientBITData*)snort_calloc(sizeof(ClientBITData)); - bit_client_mod.api->data_add(flowp, fd, bit_client_mod.flow_data_index, &snort_free); + bit_client_mod.api->data_add(asd, fd, bit_client_mod.flow_data_index, &snort_free); fd->state = BIT_STATE_BANNER; } @@ -222,8 +222,8 @@ inprocess: return CLIENT_APP_INPROCESS; done: - bit_client_mod.api->add_app(flowp, APP_ID_BITTORRENT, APP_ID_BITTORRENT, nullptr); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + bit_client_mod.api->add_app(asd, APP_ID_BITTORRENT, APP_ID_BITTORRENT, nullptr); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); appid_stats.bit_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc b/src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc index 002459108..eaff50aec 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_bit_tracker.cc @@ -72,7 +72,7 @@ THREAD_LOCAL BIT_CLIENT_APP_CONFIG udp_bit_config; static CLIENT_APP_RETCODE udp_bit_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE udp_bit_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); SO_PUBLIC RNAClientAppModule bit_tracker_client_mod = { @@ -156,7 +156,7 @@ static CLIENT_APP_RETCODE udp_bit_init(const IniClientAppAPI* const init_api, SF } static CLIENT_APP_RETCODE udp_bit_validate(const uint8_t* data, uint16_t size, const int /*dir*/, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { ClientBITData* fd; uint16_t offset; @@ -164,12 +164,12 @@ static CLIENT_APP_RETCODE udp_bit_validate(const uint8_t* data, uint16_t size, c if (size < (UDP_BIT_FIRST_LEN + UDP_BIT_END_LEN + 3)) return CLIENT_APP_EINVALID; - fd = (ClientBITData*)bit_tracker_client_mod.api->data_get(flowp, + fd = (ClientBITData*)bit_tracker_client_mod.api->data_get(asd, bit_tracker_client_mod.flow_data_index); if (!fd) { fd = (ClientBITData*)snort_calloc(sizeof(ClientBITData)); - bit_tracker_client_mod.api->data_add(flowp, fd, + bit_tracker_client_mod.api->data_add(asd, fd, bit_tracker_client_mod.flow_data_index, &snort_free); fd->state = BIT_STATE_BANNER; } @@ -267,9 +267,9 @@ inprocess: return CLIENT_APP_INPROCESS; done: - bit_tracker_client_mod.api->add_app(flowp, APP_ID_BITTORRENT, APP_ID_BITTRACKER_CLIENT, + bit_tracker_client_mod.api->add_app(asd, APP_ID_BITTORRENT, APP_ID_BITTRACKER_CLIENT, nullptr); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); appid_stats.bittracker_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_msn.cc b/src/network_inspectors/appid/client_plugins/client_app_msn.cc index bf4167b90..0b04ee903 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_msn.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_msn.cc @@ -35,7 +35,7 @@ struct MSN_CLIENT_APP_CONFIG THREAD_LOCAL MSN_CLIENT_APP_CONFIG msn_config; static CLIENT_APP_RETCODE msn_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); struct Client_App_Pattern { @@ -114,7 +114,7 @@ static CLIENT_APP_RETCODE msn_init(const IniClientAppAPI* const init_api, SF_LIS } static CLIENT_APP_RETCODE msn_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector*) + AppIdSession* asd, Packet* pkt, struct Detector*) { const uint8_t* end; uint8_t version[MAX_VERSION_SIZE]; @@ -125,7 +125,7 @@ static CLIENT_APP_RETCODE msn_validate(const uint8_t* data, uint16_t size, const product_id = APP_ID_MSN_MESSENGER; memset(&version,0,sizeof(version)); - if (!data || !msn_client_mod.api || !flowp || !pkt) + if (!data || !msn_client_mod.api || !asd || !pkt) return CLIENT_APP_ENULL; if (dir != APP_ID_FROM_INITIATOR) @@ -194,8 +194,8 @@ static CLIENT_APP_RETCODE msn_validate(const uint8_t* data, uint16_t size, const return CLIENT_APP_INPROCESS; done: - msn_client_mod.api->add_app(flowp, APP_ID_MSN_MESSENGER, product_id, (char*)version); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + msn_client_mod.api->add_app(asd, APP_ID_MSN_MESSENGER, product_id, (char*)version); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); appid_stats.msn_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_rtp.cc b/src/network_inspectors/appid/client_plugins/client_app_rtp.cc index 8a83e9de8..3e9c5e966 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_rtp.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_rtp.cc @@ -84,7 +84,7 @@ THREAD_LOCAL RTP_CLIENT_APP_CONFIG rtp_config; static CLIENT_APP_RETCODE rtp_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE rtp_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); SO_PUBLIC RNAClientAppModule rtp_client_mod = { @@ -277,7 +277,7 @@ static CLIENT_APP_RETCODE rtp_init(const IniClientAppAPI* const init_api, SF_LIS } static CLIENT_APP_RETCODE rtp_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { ClientRTPData* fd; ClientRTPMsg* hdr; @@ -285,11 +285,11 @@ static CLIENT_APP_RETCODE rtp_validate(const uint8_t* data, uint16_t size, const if (!size) return CLIENT_APP_INPROCESS; - fd = (ClientRTPData*)rtp_client_mod.api->data_get(flowp, rtp_client_mod.flow_data_index); + fd = (ClientRTPData*)rtp_client_mod.api->data_get(asd, rtp_client_mod.flow_data_index); if (!fd) { fd = (ClientRTPData*)snort_calloc(sizeof(ClientRTPData)); - rtp_client_mod.api->data_add(flowp, fd, rtp_client_mod.flow_data_index, &snort_free); + rtp_client_mod.api->data_add(asd, fd, rtp_client_mod.flow_data_index, &snort_free); fd->state = RTP_STATE_CONNECTION; } @@ -352,8 +352,8 @@ static CLIENT_APP_RETCODE rtp_validate(const uint8_t* data, uint16_t size, const return CLIENT_APP_INPROCESS; } - rtp_client_mod.api->add_app(flowp, APP_ID_RTP, APP_ID_RTP, nullptr); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + rtp_client_mod.api->add_app(asd, APP_ID_RTP, APP_ID_RTP, nullptr); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); appid_stats.rtp_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_smtp.cc b/src/network_inspectors/appid/client_plugins/client_app_smtp.cc index a395a902e..53971f5ec 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_smtp.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_smtp.cc @@ -93,7 +93,7 @@ THREAD_LOCAL SMTP_CLIENT_APP_CONFIG smtp_config; static CLIENT_APP_RETCODE smtp_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); SO_PUBLIC RNAClientAppModule smtp_client_mod = { @@ -240,10 +240,9 @@ static CLIENT_APP_RETCODE smtp_init(const IniClientAppAPI* const init_api, SF_LI * prefix_len - The number of characters that are the prefix to the version, * including the NUL terminating character. */ -static int extract_version_and_add_client_app(ApplicationId clientId, - const int prefix_len, const uint8_t* product, const uint8_t* product_end, - ClientSMTPData* const client_data, AppIdSession* flowp, - AppId appId, PegCount *stat_counter) +static int extract_version_and_add_client_app(ApplicationId clientId, const int prefix_len, + const uint8_t* product, const uint8_t* product_end, ClientSMTPData* const client_data, + AppIdSession* asd, AppId appId, PegCount *stat_counter) { const uint8_t* p; uint8_t* v; @@ -262,7 +261,7 @@ static int extract_version_and_add_client_app(ApplicationId clientId, *v = *p; } *v = 0; - smtp_client_mod.api->add_app(flowp, appId, clientId, (char*)client_data->version); + smtp_client_mod.api->add_app(asd, appId, clientId, (char*)client_data->version); (*stat_counter)++; return 0; } @@ -274,7 +273,7 @@ static int extract_version_and_add_client_app(ApplicationId clientId, * Returns 0 if a recognized product is found. Otherwise returns 1. */ static int IdentifyClientVersion(ClientSMTPData* const fd, const uint8_t* product, - const uint8_t* data_end, AppIdSession* flowp, Packet*) + const uint8_t* data_end, AppIdSession* asd, Packet*) { const uint8_t* p; uint8_t* v; @@ -301,7 +300,7 @@ static int IdentifyClientVersion(ClientSMTPData* const fd, const uint8_t* produc if (p >= data_end || *p != ' ') return 1; return extract_version_and_add_client_app(APP_ID_OUTLOOK, - 2, p, data_end, fd, flowp, appId, + 2, p, data_end, fd, asd, appId, &appid_stats.smtp_microsoft_outlook_clients); } else if (*p == ' ') @@ -310,13 +309,13 @@ static int IdentifyClientVersion(ClientSMTPData* const fd, const uint8_t* produc if (data_end-p >= (int)sizeof(EXPRESS) && memcmp(p, EXPRESS, sizeof(EXPRESS)-1) == 0) { return extract_version_and_add_client_app(APP_ID_OUTLOOK_EXPRESS, - sizeof(EXPRESS), p, data_end, fd, flowp, appId, + sizeof(EXPRESS), p, data_end, fd, asd, appId, &appid_stats.smtp_microsoft_outlook_express_clients); } else if (data_end-p >= (int)sizeof(IMO) && memcmp(p, IMO, sizeof(IMO)-1) == 0) { return extract_version_and_add_client_app(APP_ID_OUTLOOK, - sizeof(IMO), p, data_end, fd, flowp, appId, + sizeof(IMO), p, data_end, fd, asd, appId, &appid_stats.smtp_microsoft_outlook_imo_clients); } } @@ -326,14 +325,14 @@ static int IdentifyClientVersion(ClientSMTPData* const fd, const uint8_t* produc sizeof(APP_SMTP_EVOLUTION)-1) == 0) { return extract_version_and_add_client_app(APP_ID_EVOLUTION, - sizeof(APP_SMTP_EVOLUTION), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_EVOLUTION), product, data_end, fd, asd, appId, &appid_stats.smtp_evolution_clients); } else if (len >= sizeof(APP_SMTP_LOTUS_NOTES) && memcmp(product, APP_SMTP_LOTUS_NOTES, sizeof(APP_SMTP_LOTUS_NOTES)-1) == 0) { return extract_version_and_add_client_app(APP_ID_LOTUS_NOTES, - sizeof(APP_SMTP_LOTUS_NOTES), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_LOTUS_NOTES), product, data_end, fd, asd, appId, &appid_stats.smtp_lotus_notes_clients); } else if (len >= sizeof(APP_SMTP_APPLEMAIL) && memcmp(product, APP_SMTP_APPLEMAIL, @@ -347,7 +346,7 @@ static int IdentifyClientVersion(ClientSMTPData* const fd, const uint8_t* produc *v = *p; } *v = 0; - smtp_client_mod.api->add_app(flowp, appId, APP_ID_APPLE_EMAIL, (char*)fd->version); + smtp_client_mod.api->add_app(asd, appId, APP_ID_APPLE_EMAIL, (char*)fd->version); appid_stats.smtp_applemail_clients++; return 0; } @@ -355,49 +354,49 @@ static int IdentifyClientVersion(ClientSMTPData* const fd, const uint8_t* produc sizeof(APP_SMTP_EUDORA)-1) == 0) { return extract_version_and_add_client_app(APP_ID_EUDORA, - sizeof(APP_SMTP_EUDORA), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_EUDORA), product, data_end, fd, asd, appId, &appid_stats.smtp_eudora_clients); } else if (len >= sizeof(APP_SMTP_EUDORAPRO) && memcmp(product, APP_SMTP_EUDORAPRO, sizeof(APP_SMTP_EUDORAPRO)-1) == 0) { return extract_version_and_add_client_app(APP_ID_EUDORA_PRO, - sizeof(APP_SMTP_EUDORAPRO), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_EUDORAPRO), product, data_end, fd, asd, appId, &appid_stats.smtp_eudora_pro_clients); } else if (len >= sizeof(APP_SMTP_AOL) && memcmp(product, APP_SMTP_AOL, sizeof(APP_SMTP_AOL)-1) == 0) { return extract_version_and_add_client_app(APP_ID_AOL_EMAIL, - sizeof(APP_SMTP_AOL), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_AOL), product, data_end, fd, asd, appId, &appid_stats.smtp_aol_clients); } else if (len >= sizeof(APP_SMTP_MUTT) && memcmp(product, APP_SMTP_MUTT, sizeof(APP_SMTP_MUTT)-1) == 0) { return extract_version_and_add_client_app(APP_ID_MUTT, - sizeof(APP_SMTP_MUTT), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_MUTT), product, data_end, fd, asd, appId, &appid_stats.smtp_mutt_clients); } else if (len >= sizeof(APP_SMTP_KMAIL) && memcmp(product, APP_SMTP_KMAIL, sizeof(APP_SMTP_KMAIL)-1) == 0) { return extract_version_and_add_client_app(APP_ID_KMAIL, - sizeof(APP_SMTP_KMAIL), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_KMAIL), product, data_end, fd, asd, appId, &appid_stats.smtp_kmail_clients); } else if (len >= sizeof(APP_SMTP_THUNDERBIRD) && memcmp(product, APP_SMTP_THUNDERBIRD, sizeof(APP_SMTP_THUNDERBIRD)-1) == 0) { return extract_version_and_add_client_app(APP_ID_THUNDERBIRD, - sizeof(APP_SMTP_THUNDERBIRD), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_THUNDERBIRD), product, data_end, fd, asd, appId, &appid_stats.smtp_thunderbird_clients); } else if (len >= sizeof(APP_SMTP_MTHUNDERBIRD) && memcmp(product, APP_SMTP_MTHUNDERBIRD, sizeof(APP_SMTP_MTHUNDERBIRD)-1) == 0) { return extract_version_and_add_client_app(APP_ID_THUNDERBIRD, - sizeof(APP_SMTP_MTHUNDERBIRD), product, data_end, fd, flowp, appId, + sizeof(APP_SMTP_MTHUNDERBIRD), product, data_end, fd, asd, appId, &appid_stats.smtp_thunderbird_clients); } else if (len >= sizeof(APP_SMTP_MOZILLA) && memcmp(product, APP_SMTP_MOZILLA, @@ -413,7 +412,7 @@ static int IdentifyClientVersion(ClientSMTPData* const fd, const uint8_t* produc { return extract_version_and_add_client_app( APP_ID_THUNDERBIRD, sizeof(APP_SMTP_THUNDERBIRD_SHORT), - p, data_end, fd, flowp, appId, + p, data_end, fd, asd, appId, &appid_stats.smtp_thunderbird_clients); } } @@ -431,7 +430,7 @@ static void freeData(void* data) } static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector*) + AppIdSession* asd, Packet* pkt, struct Detector*) { ClientSMTPData* fd; const uint8_t* end; @@ -439,13 +438,13 @@ static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, cons SMTPState currState = SMTP_STATE_NONE; #endif - fd = (ClientSMTPData*)smtp_client_mod.api->data_get(flowp, smtp_client_mod.flow_data_index); + fd = (ClientSMTPData*)smtp_client_mod.api->data_get(asd, smtp_client_mod.flow_data_index); if (!fd) { fd = (ClientSMTPData*)snort_calloc(sizeof(ClientSMTPData)); if (!fd) return CLIENT_APP_ENOMEM; - if (smtp_client_mod.api->data_add(flowp, fd, smtp_client_mod.flow_data_index, &freeData)) + if (smtp_client_mod.api->data_add(asd, fd, smtp_client_mod.flow_data_index, &freeData)) { snort_free(fd); return CLIENT_APP_ENOMEM; @@ -460,33 +459,33 @@ static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, cons { fd->flags &= ~(CLIENT_FLAG_STARTTLS_SENT); fd->flags |= CLIENT_FLAG_SMTPS; - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); // we no longer need + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); // we no longer need // to examine the // response. - if (!flowp->getAppIdFlag(APPID_SESSION_DECRYPTED)) + if (!asd->get_session_flags(APPID_SESSION_DECRYPTED)) { /* Because we can't see any further info without decryption we settle for plain APP_ID_SMTPS instead of perhaps finding data that would make calling IdentifyClientVersion() worthwhile, So set the appid and call it good. */ - smtp_client_mod.api->add_app(flowp, APP_ID_SMTPS, APP_ID_SMTPS, nullptr); + smtp_client_mod.api->add_app(asd, APP_ID_SMTPS, APP_ID_SMTPS, nullptr); goto done; } } return CLIENT_APP_INPROCESS; } - if (flowp->getAppIdFlag(APPID_SESSION_ENCRYPTED)) + if (asd->get_session_flags(APPID_SESSION_ENCRYPTED)) { - if (!flowp->getAppIdFlag(APPID_SESSION_DECRYPTED)) + if (!asd->get_session_flags(APPID_SESSION_DECRYPTED)) return CLIENT_APP_INPROCESS; } for (end = data + size; data < end; data++) { #if UNIT_TESTING - if (app_id_debug_session_flag && currState != fd->state) + if (session_logging_enabled && currState != fd->state) { DEBUG_WRAP(DebugMessage(DEBUG_APPID, "AppIdDbg %s SMTP client state %s\n", - app_id_debug_session, stateName[fd->state]); ); + session_logging_id, stateName[fd->state]); ); currState = fd->state; } #endif @@ -557,7 +556,7 @@ static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, cons fd->pos = 0; fd->nextstate = fd->state; fd->state = SMTP_STATE_SKIP_LINE; - flowp->setAppIdFlag(APPID_SESSION_ENCRYPTED); + asd->set_session_flags(APPID_SESSION_ENCRYPTED); } } else @@ -611,7 +610,7 @@ static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, cons (len >= 2 && data[1] == 0x0D && data[2] == 0x0A)) { AppId appId = (fd->flags & CLIENT_FLAG_SMTPS) ? APP_ID_SMTPS : APP_ID_SMTP; - smtp_client_mod.api->add_app(flowp, appId, appId, nullptr); + smtp_client_mod.api->add_app(asd, appId, appId, nullptr); goto done; } } @@ -648,7 +647,7 @@ static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, cons { if (fd->headerline && fd->pos) { - IdentifyClientVersion(fd, fd->headerline, fd->headerline + fd->pos, flowp, pkt); + IdentifyClientVersion(fd, fd->headerline, fd->headerline + fd->pos, asd, pkt); snort_free(fd->headerline); fd->headerline = nullptr; } @@ -691,7 +690,7 @@ static CLIENT_APP_RETCODE smtp_validate(const uint8_t* data, uint16_t size, cons return CLIENT_APP_INPROCESS; done: - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_ssh.cc b/src/network_inspectors/appid/client_plugins/client_app_ssh.cc index f54a57359..3bf64bac0 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_ssh.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_ssh.cc @@ -155,7 +155,7 @@ THREAD_LOCAL SSH_CLIENT_CONFIG ssh_client_config; static CLIENT_APP_RETCODE ssh_client_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE ssh_client_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); SO_PUBLIC RNAClientAppModule ssh_client_mod = { @@ -356,7 +356,7 @@ static inline CLIENT_APP_RETCODE ssh_client_validate_keyx(uint16_t offset, const if (fd->pos >= fd->plen) { offset++; - // FIXIT-M: if offset > size then there is probably a D-H Key Exchange Init packet in this payload + // FIXIT-L if offset > size then there is probably a D-H Key Exchange Init packet in this payload // For now parsing the Key Exchange Init is good enough to declare valid key exchange but for // future enhance parsing to validate the D-H Key Exchange Init. if (offset == size) @@ -613,7 +613,7 @@ static inline CLIENT_APP_RETCODE ssh_client_sm(const uint8_t* data, uint16_t siz } static CLIENT_APP_RETCODE ssh_client_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { ClientSSHData* fd; CLIENT_APP_RETCODE sm_ret; @@ -621,11 +621,11 @@ static CLIENT_APP_RETCODE ssh_client_validate(const uint8_t* data, uint16_t size if (!size || dir != APP_ID_FROM_INITIATOR) return CLIENT_APP_INPROCESS; - fd = ( ClientSSHData*)ssh_client_mod.api->data_get(flowp, ssh_client_mod.flow_data_index); + fd = ( ClientSSHData*)ssh_client_mod.api->data_get(asd, ssh_client_mod.flow_data_index); if (!fd) { fd = (ClientSSHData*)snort_calloc(sizeof(ClientSSHData)); - ssh_client_mod.api->data_add(flowp, fd, ssh_client_mod.flow_data_index, &snort_free); + ssh_client_mod.api->data_add(asd, fd, ssh_client_mod.flow_data_index, &snort_free); fd->state = SSH_CLIENT_STATE_BANNER; fd->hstate = SSH2_HEADER_BEGIN; fd->oldhstate = SSH1_HEADER_BEGIN; @@ -635,8 +635,8 @@ static CLIENT_APP_RETCODE ssh_client_validate(const uint8_t* data, uint16_t size if (sm_ret != CLIENT_APP_SUCCESS) return sm_ret; - ssh_client_mod.api->add_app(flowp, APP_ID_SSH, fd->client_id, (const char*)fd->version); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + ssh_client_mod.api->add_app(asd, APP_ID_SSH, fd->client_id, (const char*)fd->version); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); appid_stats.ssh_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_timbuktu.cc b/src/network_inspectors/appid/client_plugins/client_app_timbuktu.cc index d178e6e52..d6b3e2e24 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_timbuktu.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_timbuktu.cc @@ -70,7 +70,7 @@ THREAD_LOCAL TIMBUKTU_CLIENT_APP_CONFIG timbuktu_config; static CLIENT_APP_RETCODE timbuktu_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE timbuktu_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); SO_PUBLIC RNAClientAppModule timbuktu_client_mod = { @@ -152,7 +152,7 @@ static CLIENT_APP_RETCODE timbuktu_init(const IniClientAppAPI* const init_api, S } static CLIENT_APP_RETCODE timbuktu_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { ClientTIMBUKTUData* fd; uint16_t offset; @@ -160,12 +160,12 @@ static CLIENT_APP_RETCODE timbuktu_validate(const uint8_t* data, uint16_t size, if (dir != APP_ID_FROM_INITIATOR) return CLIENT_APP_INPROCESS; - fd = (ClientTIMBUKTUData*)timbuktu_client_mod.api->data_get(flowp, + fd = (ClientTIMBUKTUData*)timbuktu_client_mod.api->data_get(asd, timbuktu_client_mod.flow_data_index); if (!fd) { fd = (ClientTIMBUKTUData*)snort_calloc(sizeof(ClientTIMBUKTUData)); - timbuktu_client_mod.api->data_add(flowp, fd, + timbuktu_client_mod.api->data_add(asd, fd, timbuktu_client_mod.flow_data_index, &snort_free); fd->state = TIMBUKTU_STATE_BANNER; } @@ -236,8 +236,8 @@ inprocess: return CLIENT_APP_INPROCESS; done: - timbuktu_client_mod.api->add_app(flowp, APP_ID_TIMBUKTU, APP_ID_TIMBUKTU, nullptr); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + timbuktu_client_mod.api->add_app(asd, APP_ID_TIMBUKTU, APP_ID_TIMBUKTU, nullptr); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_tns.cc b/src/network_inspectors/appid/client_plugins/client_app_tns.cc index b2e625506..34c7e1ff7 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_tns.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_tns.cc @@ -131,7 +131,7 @@ THREAD_LOCAL TNS_CLIENT_APP_CONFIG tns_config; static CLIENT_APP_RETCODE tns_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE tns_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); SO_PUBLIC RNAClientAppModule tns_client_mod = { @@ -214,7 +214,7 @@ static CLIENT_APP_RETCODE tns_init(const IniClientAppAPI* const init_api, SF_LIS #define TNS_MAX_INFO_SIZE 63 static CLIENT_APP_RETCODE tns_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { char username[TNS_MAX_INFO_SIZE+1]; ClientTNSData* fd; @@ -227,11 +227,11 @@ static CLIENT_APP_RETCODE tns_validate(const uint8_t* data, uint16_t size, const if (dir != APP_ID_FROM_INITIATOR) return CLIENT_APP_INPROCESS; - fd = (ClientTNSData*)tns_client_mod.api->data_get(flowp, tns_client_mod.flow_data_index); + fd = (ClientTNSData*)tns_client_mod.api->data_get(asd, tns_client_mod.flow_data_index); if (!fd) { fd = (ClientTNSData*)snort_calloc(sizeof(ClientTNSData)); - tns_client_mod.api->data_add(flowp, fd, tns_client_mod.flow_data_index, &snort_free); + tns_client_mod.api->data_add(asd, fd, tns_client_mod.flow_data_index, &snort_free); fd->state = TNS_STATE_MESSAGE_LEN; } @@ -421,7 +421,7 @@ inprocess: return CLIENT_APP_INPROCESS; done: - tns_client_mod.api->add_app(flowp, APP_ID_ORACLE_TNS, APP_ID_ORACLE_DATABASE, fd->version); + tns_client_mod.api->add_app(asd, APP_ID_ORACLE_TNS, APP_ID_ORACLE_DATABASE, fd->version); if (user_start && user_end && ((user_size = user_end - user_start) > 0)) { /* we truncate extra long usernames */ @@ -429,9 +429,9 @@ done: user_size = TNS_MAX_INFO_SIZE; memcpy(username, &data[user_start], user_size); username[user_size] = 0; - tns_client_mod.api->add_user(flowp, username, APP_ID_ORACLE_DATABASE, 1); + tns_client_mod.api->add_user(asd, username, APP_ID_ORACLE_DATABASE, 1); } - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); appid_stats.tns_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_vnc.cc b/src/network_inspectors/appid/client_plugins/client_app_vnc.cc index cc32082ee..9fee88d90 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_vnc.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_vnc.cc @@ -57,7 +57,7 @@ THREAD_LOCAL VNC_CLIENT_APP_CONFIG vnc_config; static CLIENT_APP_RETCODE vnc_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE vnc_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); SO_PUBLIC RNAClientAppModule vnc_client_mod = { @@ -141,7 +141,7 @@ static CLIENT_APP_RETCODE vnc_init(const IniClientAppAPI* const init_api, SF_LIS } static CLIENT_APP_RETCODE vnc_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { ClientVNCData* fd; uint16_t offset; @@ -149,11 +149,11 @@ static CLIENT_APP_RETCODE vnc_validate(const uint8_t* data, uint16_t size, const if (dir != APP_ID_FROM_INITIATOR) return CLIENT_APP_INPROCESS; - fd = (ClientVNCData*)vnc_client_mod.api->data_get(flowp, vnc_client_mod.flow_data_index); + fd = (ClientVNCData*)vnc_client_mod.api->data_get(asd, vnc_client_mod.flow_data_index); if (!fd) { fd = (ClientVNCData*)snort_calloc(sizeof(ClientVNCData)); - vnc_client_mod.api->data_add(flowp, fd, vnc_client_mod.flow_data_index, &snort_free); + vnc_client_mod.api->data_add(asd, fd, vnc_client_mod.flow_data_index, &snort_free); fd->state = VNC_STATE_BANNER; } @@ -197,8 +197,8 @@ inprocess: return CLIENT_APP_INPROCESS; done: - vnc_client_mod.api->add_app(flowp, APP_ID_VNC_RFB, APP_ID_VNC, (const char*)fd->version); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + vnc_client_mod.api->add_app(asd, APP_ID_VNC_RFB, APP_ID_VNC, (const char*)fd->version); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); appid_stats.vnc_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_ym.cc b/src/network_inspectors/appid/client_plugins/client_app_ym.cc index 508a44716..3fd3a50b7 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_ym.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_ym.cc @@ -41,7 +41,7 @@ THREAD_LOCAL YM_CLIENT_APP_CONFIG ym_config; static CLIENT_APP_RETCODE ym_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE ym_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); RNAClientAppModule ym_client_mod = { @@ -141,7 +141,7 @@ static const uint8_t* skip_separator(const uint8_t* data, const uint8_t* end) } static CLIENT_APP_RETCODE ym_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, Detector*) + AppIdSession* asd, Packet* pkt, Detector*) { #define HEADERSIZE 20 #define VERSIONID "135" @@ -159,7 +159,7 @@ static CLIENT_APP_RETCODE ym_validate(const uint8_t* data, uint16_t size, const DebugFormat(DEBUG_LOG,"Found yahoo! client: %zu\n",sizeof(VERSIONID)); - if (!data || !ym_client_mod.api || !flowp || !pkt) + if (!data || !ym_client_mod.api || !asd || !pkt) return CLIENT_APP_ENULL; if (dir != APP_ID_FROM_INITIATOR) @@ -221,8 +221,8 @@ static CLIENT_APP_RETCODE ym_validate(const uint8_t* data, uint16_t size, const return CLIENT_APP_INPROCESS; done: - ym_client_mod.api->add_app(flowp, APP_ID_YAHOO, product_id, (char*)version); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + ym_client_mod.api->add_app(asd, APP_ID_YAHOO, product_id, (char*)version); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); appid_stats.yahoo_messenger_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/test/client_app_smtp_test.cc b/src/network_inspectors/appid/client_plugins/test/client_app_smtp_test.cc index 282c63849..25bede943 100644 --- a/src/network_inspectors/appid/client_plugins/test/client_app_smtp_test.cc +++ b/src/network_inspectors/appid/client_plugins/test/client_app_smtp_test.cc @@ -235,7 +235,7 @@ TEST(client_app_smtp, identify_client_version_mozilla_thunderbird) check_client_version(client_str, APP_ID_THUNDERBIRD, "5.0", &appid_stats.smtp_thunderbird_clients); } -// FIXIT-M: Add additional tests for other client types (Outlook, etc). +// FIXIT-M Add additional tests for other client types (Outlook, etc). int main(int argc, char** argv) { diff --git a/src/network_inspectors/appid/detector_plugins/detector_base.cc b/src/network_inspectors/appid/detector_plugins/detector_base.cc index 74cd80bda..a5f0cf5d8 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_base.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_base.cc @@ -26,8 +26,8 @@ #include "log/messages.h" #include "service_plugins/service_base.h" -static void* detector_flowdata_get(AppIdSession* flowp, unsigned detector_id); -static int detector_flowdata_add(AppIdSession* flowp, void* data, unsigned detector_id, +static void* detector_flowdata_get(AppIdSession* asd, unsigned detector_id); +static int detector_flowdata_add(AppIdSession* asd, void* data, unsigned detector_id, AppIdFreeFCN fcn); static const DetectorApi detector_api @@ -96,9 +96,9 @@ int init_detector_plugins() * * @return RNA flow data structure for success */ -static void* detector_flowdata_get(AppIdSession* flowp, unsigned detector_id) +static void* detector_flowdata_get(AppIdSession* asd, unsigned detector_id) { - return flowp->get_flow_data(detector_id); + return asd->get_flow_data(detector_id); } /** @@ -110,9 +110,9 @@ static void* detector_flowdata_get(AppIdSession* flowp, unsigned detector_id) * * @return RNA flow data structure for success */ -static int detector_flowdata_add(AppIdSession* flowp, void* data, unsigned detector_id, +static int detector_flowdata_add(AppIdSession* asd, void* data, unsigned detector_id, AppIdFreeFCN fcn) { - return flowp->add_flow_data(data, detector_id, fcn); + return asd->add_flow_data(data, detector_id, fcn); } diff --git a/src/network_inspectors/appid/detector_plugins/detector_dns.cc b/src/network_inspectors/appid/detector_plugins/detector_dns.cc index a7191db44..5cb44ffa7 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_dns.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_dns.cc @@ -52,7 +52,6 @@ #pragma pack(1) -// FIXIT-H J bitfields should be replaced with getters/setters struct DNSHeader { uint16_t id; @@ -148,7 +147,7 @@ static int dns_service_init(const IniServiceAPI* const); static int dns_udp_validate(ServiceValidationArgs*); static int dns_tcp_validate(ServiceValidationArgs*); -static RNAServiceElement udp_svc_element = +static const RNAServiceElement udp_svc_element = { nullptr, // next &dns_udp_validate, // validate @@ -160,7 +159,7 @@ static RNAServiceElement udp_svc_element = "dns" // name }; -static RNAServiceElement tcp_svc_element = +static const RNAServiceElement tcp_svc_element = { nullptr, // next &dns_tcp_validate, // validate @@ -172,7 +171,7 @@ static RNAServiceElement tcp_svc_element = "tcp dns" // name }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &dns_tcp_validate, 53, IpProtocol::TCP, 0 }, { &dns_udp_validate, 53, IpProtocol::UDP, 0 }, @@ -389,7 +388,7 @@ static int dns_validate_label(const uint8_t* data, uint16_t* offset, uint16_t si } static int dns_validate_query(const uint8_t* data, uint16_t* offset, uint16_t size, - uint16_t id, unsigned host_reporting, AppIdSession* flowp) + uint16_t id, unsigned host_reporting, AppIdSession* asd) { int ret; const uint8_t* host; @@ -425,11 +424,11 @@ static int dns_validate_query(const uint8_t* data, uint16_t* offset, uint16_t si case PATTERN_MX_REC: case PATTERN_SOA_REC: case PATTERN_NS_REC: - dns_service_mod.api->add_dns_query_info(flowp, id, host, host_len, host_offset, + dns_service_mod.api->add_dns_query_info(asd, id, host, host_len, host_offset, record_type); break; case PATTERN_PTR_REC: - dns_service_mod.api->add_dns_query_info(flowp, id, nullptr, 0, 0, record_type); + dns_service_mod.api->add_dns_query_info(asd, id, nullptr, 0, 0, record_type); break; default: break; @@ -440,7 +439,7 @@ static int dns_validate_query(const uint8_t* data, uint16_t* offset, uint16_t si } static int dns_validate_answer(const uint8_t* data, uint16_t* offset, uint16_t size, - uint16_t id, uint8_t rcode, unsigned host_reporting, AppIdSession* flowp) + uint16_t id, uint8_t rcode, unsigned host_reporting, AppIdSession* asd) { int ret; const uint8_t* host; @@ -476,7 +475,7 @@ static int dns_validate_answer(const uint8_t* data, uint16_t* offset, uint16_t s case PATTERN_MX_REC: case PATTERN_SOA_REC: case PATTERN_NS_REC: - dns_service_mod.api->add_dns_response_info(flowp, id, nullptr, 0, 0, rcode, ttl); + dns_service_mod.api->add_dns_response_info(asd, id, nullptr, 0, 0, rcode, ttl); break; case PATTERN_PTR_REC: host = data + r_data_offset; @@ -488,7 +487,7 @@ static int dns_validate_answer(const uint8_t* data, uint16_t* offset, uint16_t s host_len = 0; host_offset = 0; } - dns_service_mod.api->add_dns_response_info(flowp, id, host, host_len, host_offset, + dns_service_mod.api->add_dns_response_info(asd, id, host, host_len, host_offset, rcode, ttl); break; default: @@ -500,7 +499,7 @@ static int dns_validate_answer(const uint8_t* data, uint16_t* offset, uint16_t s } static int dns_validate_header(const int dir, DNSHeader* hdr, - unsigned host_reporting, AppIdSession* flowp) + unsigned host_reporting, AppIdSession* asd) { if (hdr->Opcode > MAX_OPCODE || hdr->Opcode == INVALID_OPCODE) { @@ -518,7 +517,7 @@ static int dns_validate_header(const int dir, DNSHeader* hdr, { // Query. if (host_reporting) - dns_service_mod.api->reset_dns_info(flowp); + dns_service_mod.api->reset_dns_info(asd); return dir == APP_ID_FROM_INITIATOR ? SERVICE_SUCCESS : SERVICE_REVERSED; } @@ -527,7 +526,7 @@ static int dns_validate_header(const int dir, DNSHeader* hdr, } static int validate_packet(const uint8_t* data, uint16_t size, const int, - unsigned host_reporting, AppIdSession* flowp) + unsigned host_reporting, AppIdSession* asd) { uint16_t i; uint16_t count; @@ -544,7 +543,7 @@ static int validate_packet(const uint8_t* data, uint16_t size, const int, count = ntohs(hdr->QDCount); for (i=0; iid), host_reporting, flowp) != + if (dns_validate_query(data, &offset, size, ntohs(hdr->id), host_reporting, asd) != SERVICE_SUCCESS) { return SERVICE_NOMATCH; @@ -558,7 +557,7 @@ static int validate_packet(const uint8_t* data, uint16_t size, const int, for (i=0; iid), hdr->RCODE, - host_reporting, flowp) != SERVICE_SUCCESS) + host_reporting, asd) != SERVICE_SUCCESS) { return SERVICE_NOMATCH; } @@ -571,7 +570,7 @@ static int validate_packet(const uint8_t* data, uint16_t size, const int, for (i=0; iid), hdr->RCODE, - host_reporting, flowp) != SERVICE_SUCCESS) + host_reporting, asd) != SERVICE_SUCCESS) { return SERVICE_NOMATCH; } @@ -584,7 +583,7 @@ static int validate_packet(const uint8_t* data, uint16_t size, const int, for (i=0; iid), hdr->RCODE, - host_reporting, flowp) != SERVICE_SUCCESS) + host_reporting, asd) != SERVICE_SUCCESS) { return SERVICE_NOMATCH; } @@ -592,7 +591,7 @@ static int validate_packet(const uint8_t* data, uint16_t size, const int, } if (hdr->QR && (hdr->RCODE != 0)) // error response - dns_service_mod.api->add_dns_response_info(flowp, ntohs(hdr->id), nullptr, 0, 0, + dns_service_mod.api->add_dns_response_info(asd, ntohs(hdr->id), nullptr, 0, 0, hdr->RCODE, 0); @@ -602,7 +601,7 @@ static int validate_packet(const uint8_t* data, uint16_t size, const int, static int dns_udp_validate(ServiceValidationArgs* args) { int rval; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; const int dir = args->dir; uint16_t size = args->size; @@ -616,18 +615,18 @@ static int dns_udp_validate(ServiceValidationArgs* args) goto udp_done; } if ((rval = dns_validate_header(dir, (DNSHeader*)data, - pAppidActiveConfig->mod_config->dns_host_reporting, flowp)) != SERVICE_SUCCESS) + AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd)) != SERVICE_SUCCESS) { if (rval == SERVICE_REVERSED) { if (dir == APP_ID_FROM_RESPONDER) { - if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED)) + if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) { // To get here, we missed the initial query, got a // response, and now we've got another query. rval = validate_packet(data, size, dir, - pAppidActiveConfig->mod_config->dns_host_reporting, flowp); + AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd); if (rval == SERVICE_SUCCESS) goto inprocess; } @@ -638,10 +637,10 @@ static int dns_udp_validate(ServiceValidationArgs* args) // To get here, we missed the initial query, but now we've got // a response. rval = validate_packet(data, size, dir, - pAppidActiveConfig->mod_config->dns_host_reporting, flowp); + AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd); if (rval == SERVICE_SUCCESS) { - flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->set_session_flags(APPID_SESSION_UDP_REVERSED); goto success; } goto nomatch; @@ -652,7 +651,7 @@ static int dns_udp_validate(ServiceValidationArgs* args) } rval = validate_packet(data, size, dir, - pAppidActiveConfig->mod_config->dns_host_reporting, flowp); + AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd); if ((rval == SERVICE_SUCCESS) && (dir == APP_ID_FROM_INITIATOR)) goto inprocess; @@ -661,27 +660,26 @@ udp_done: { case SERVICE_SUCCESS: success: - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); - dns_service_mod.api->add_service(flowp, args->pkt, dir, &udp_svc_element, + asd->set_session_flags(APPID_SESSION_CONTINUE); + dns_service_mod.api->add_service(asd, args->pkt, dir, &udp_svc_element, APP_ID_DNS, nullptr, nullptr, nullptr); appid_stats.dns_udp_flows++; return SERVICE_SUCCESS; case SERVICE_INVALID_CLIENT: invalid: - dns_service_mod.api->incompatible_data(flowp, args->pkt, dir, &udp_svc_element, + dns_service_mod.api->incompatible_data(asd, args->pkt, dir, &udp_svc_element, dns_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; case SERVICE_NOMATCH: nomatch: - dns_service_mod.api->fail_service(flowp, args->pkt, dir, &udp_svc_element, - dns_service_mod.flow_data_index, - args->pConfig); + dns_service_mod.api->fail_service(asd, args->pkt, dir, &udp_svc_element, + dns_service_mod.flow_data_index); return SERVICE_NOMATCH; case SERVICE_INPROCESS: inprocess: - dns_udp_client_mod.api->add_app(flowp, APP_ID_NONE, APP_ID_DNS, nullptr); - dns_service_mod.api->service_inprocess(flowp, args->pkt, dir, &udp_svc_element); + dns_udp_client_mod.api->add_app(asd, APP_ID_NONE, APP_ID_DNS, nullptr); + dns_service_mod.api->service_inprocess(asd, args->pkt, dir, &udp_svc_element); return SERVICE_INPROCESS; default: return rval; @@ -694,7 +692,7 @@ static int dns_tcp_validate(ServiceValidationArgs* args) const DNSTCPHeader* hdr; uint16_t tmp; int rval; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; const int dir = args->dir; uint16_t size = args->size; @@ -713,7 +711,7 @@ static int dns_tcp_validate(ServiceValidationArgs* args) size -= sizeof(DNSTCPHeader); tmp = ntohs(hdr->length); if (tmp < sizeof(DNSHeader) || dns_validate_header(dir, (DNSHeader*)data, - pAppidActiveConfig->mod_config->dns_host_reporting, flowp)) + AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, asd)) { if (dir == APP_ID_FROM_INITIATOR) goto not_compatible; @@ -723,17 +721,17 @@ static int dns_tcp_validate(ServiceValidationArgs* args) if (tmp > size) goto not_compatible; - rval = validate_packet(data, size, dir, pAppidActiveConfig->mod_config->dns_host_reporting, - flowp); + rval = validate_packet(data, size, dir, AppIdConfig::get_appid_config()->mod_config->dns_host_reporting, + asd); if (rval != SERVICE_SUCCESS) goto tcp_done; - dd = static_cast(dns_service_mod.api->data_get(flowp, + dd = static_cast(dns_service_mod.api->data_get(asd, dns_service_mod.flow_data_index)); if (!dd) { dd = static_cast(snort_calloc(sizeof(ServiceDNSData))); - if (dns_service_mod.api->data_add(flowp, dd, dns_service_mod.flow_data_index, &snort_free)) + if (dns_service_mod.api->data_add(asd, dd, dns_service_mod.flow_data_index, &snort_free)) dd->state = DNS_STATE_QUERY; } @@ -767,27 +765,26 @@ tcp_done: } success: - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); - dns_service_mod.api->add_service(flowp, args->pkt, dir, &tcp_svc_element, + asd->set_session_flags(APPID_SESSION_CONTINUE); + dns_service_mod.api->add_service(asd, args->pkt, dir, &tcp_svc_element, APP_ID_DNS, nullptr, nullptr, nullptr); appid_stats.dns_tcp_flows++; return SERVICE_SUCCESS; not_compatible: - dns_service_mod.api->incompatible_data(flowp, args->pkt, dir, &tcp_svc_element, + dns_service_mod.api->incompatible_data(asd, args->pkt, dir, &tcp_svc_element, dns_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; fail: - dns_service_mod.api->fail_service(flowp, args->pkt, dir, &tcp_svc_element, - dns_service_mod.flow_data_index, - args->pConfig); + dns_service_mod.api->fail_service(asd, args->pkt, dir, &tcp_svc_element, + dns_service_mod.flow_data_index); return SERVICE_NOMATCH; inprocess: - dns_tcp_client_mod.api->add_app(flowp, APP_ID_NONE, APP_ID_DNS, nullptr); - dns_service_mod.api->service_inprocess(flowp, args->pkt, dir, &tcp_svc_element); + dns_tcp_client_mod.api->add_app(asd, APP_ID_NONE, APP_ID_DNS, nullptr); + dns_service_mod.api->service_inprocess(asd, args->pkt, dir, &tcp_svc_element); return SERVICE_INPROCESS; } diff --git a/src/network_inspectors/appid/detector_plugins/detector_http.cc b/src/network_inspectors/appid/detector_plugins/detector_http.cc index 88ebd517d..464089350 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_http.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_http.cc @@ -362,8 +362,8 @@ public: HTTPListElement* clientAgentPatternList = nullptr; HTTPListElement* contentTypePatternList = nullptr; CHPListElement* chpList = nullptr; - DetectorAppUrlList appUrlList; - DetectorAppUrlList RTMPUrlList; + std::vector app_url_patterns; + std::vector rtmp_url_patterns; }; static THREAD_LOCAL HttpPatternLists* httpPatternLists = nullptr; @@ -429,73 +429,17 @@ void insert_content_type_pattern(HTTPListElement* element) void insert_url_pattern(DetectorAppUrlPattern* pattern) { - DetectorAppUrlList* urlList = &httpPatternLists->appUrlList; - /**first time usedCount and allocatedCount are both 0, urlPattern will be nullptr. - * This case is same as malloc. In case of error, realloc will return nullptr, and - * original urlPattern buffer is left untouched. - */ - if (urlList->usedCount == urlList->allocatedCount) - { - DetectorAppUrlPattern** tmp = (decltype(tmp)) (realloc(urlList->urlPattern, - (urlList->allocatedCount + URL_LIST_STEP_SIZE) * sizeof(*tmp))); - if (!tmp) - { - FreeDetectorAppUrlPattern(pattern); - return; - } - urlList->urlPattern = tmp; - urlList->allocatedCount += URL_LIST_STEP_SIZE; - } - urlList->urlPattern[urlList->usedCount++] = pattern; + httpPatternLists->app_url_patterns.push_back(pattern); } void insert_rtmp_url_pattern(DetectorAppUrlPattern* pattern) { - DetectorAppUrlList* urlList = &httpPatternLists->RTMPUrlList; - /**first time usedCount and allocatedCount are both 0, urlPattern will be nullptr. - * This case is same as malloc. In case of error, realloc will return nullptr, and - * original urlPattern buffer is left untouched. - */ - if (urlList->usedCount == urlList->allocatedCount) - { - DetectorAppUrlPattern** tmp = (decltype(tmp)) (realloc(urlList->urlPattern, - (urlList->allocatedCount + URL_LIST_STEP_SIZE) * sizeof(*tmp))); - if (!tmp) - { - FreeDetectorAppUrlPattern(pattern); - return; - } - urlList->urlPattern = tmp; - urlList->allocatedCount += URL_LIST_STEP_SIZE; - } - urlList->urlPattern[urlList->usedCount++] = pattern; + httpPatternLists->rtmp_url_patterns.push_back(pattern); } void insert_app_url_pattern(DetectorAppUrlPattern* pattern) { - DetectorAppUrlList* urlList = &httpPatternLists->appUrlList; - /**first time usedCount and allocatedCount are both 0, urlPattern will be nullptr. - * This case is same as malloc. In case of error, realloc will return nullptr, and - * original urlPattern buffer is left untouched. - */ - if (urlList->usedCount == urlList->allocatedCount) - { - DetectorAppUrlPattern** tmp = (decltype(tmp)) (realloc(urlList->urlPattern, - (urlList->allocatedCount + URL_LIST_STEP_SIZE) * sizeof(*tmp))); - if (!tmp) - { - FreeDetectorAppUrlPattern(pattern); - return; - } - urlList->urlPattern = tmp; - urlList->allocatedCount += URL_LIST_STEP_SIZE; - } - urlList->urlPattern[urlList->usedCount++] = pattern; -} - -DetectorAppUrlList* getAppUrlList() -{ - return (&httpPatternLists->appUrlList); + insert_url_pattern( pattern ); } static void FreeHTTPListElement(HTTPListElement* element) @@ -524,33 +468,17 @@ static void CleanHttpPatternLists() { HTTPListElement* element; CHPListElement* chpe; - size_t i; - for (i = 0; i < httpPatternLists->appUrlList.usedCount; i++) - { - FreeDetectorAppUrlPattern(httpPatternLists->appUrlList.urlPattern[i]); - httpPatternLists->appUrlList.urlPattern[i] = nullptr; - } - for (i = 0; i < httpPatternLists->RTMPUrlList.usedCount; i++) - { - FreeDetectorAppUrlPattern(httpPatternLists->RTMPUrlList.urlPattern[i]); - httpPatternLists->RTMPUrlList.urlPattern[i] = nullptr; - } - if (httpPatternLists->appUrlList.urlPattern) - { - // FIXIT-M: still allocated by malloc/realloc - free(httpPatternLists->appUrlList.urlPattern); - httpPatternLists->appUrlList.urlPattern = nullptr; - } - httpPatternLists->appUrlList.allocatedCount = 0; - if (httpPatternLists->RTMPUrlList.urlPattern) - { - free(httpPatternLists->RTMPUrlList.urlPattern); - httpPatternLists->RTMPUrlList.urlPattern = nullptr; - } - httpPatternLists->RTMPUrlList.allocatedCount = 0; - httpPatternLists->appUrlList.usedCount = 0; - httpPatternLists->RTMPUrlList.usedCount = 0; + for(auto* pattern: httpPatternLists->app_url_patterns) + FreeDetectorAppUrlPattern(pattern); + + httpPatternLists->app_url_patterns.clear(); + + for(auto* pattern: httpPatternLists->rtmp_url_patterns) + FreeDetectorAppUrlPattern(pattern); + + httpPatternLists->rtmp_url_patterns.clear(); + while ((element = httpPatternLists->clientAgentPatternList)) { httpPatternLists->clientAgentPatternList = element->next; @@ -631,76 +559,41 @@ static int chp_pattern_match(void* id, void*, int index, void* data, void*) new_match->next = *matches; *matches = new_match; } + return 0; } -#define CHP_TALLY_GROWTH_FACTOR 10 -static inline void chp_add_candidate_to_tally(CHPMatchTally** ppTally, CHPApp* chpapp) +static inline void chp_add_candidate_to_tally(CHPMatchTally& match_tally, CHPApp* chpapp) { - int index; - CHPMatchTally* pTally = *ppTally; - if (!pTally) + for (auto& item: match_tally) { - pTally = (CHPMatchTally*)snort_calloc(sizeof(CHPMatchTally) + - ( CHP_TALLY_GROWTH_FACTOR * sizeof(CHPMatchCandidate))); - pTally->in_use_elements = 0; - pTally->allocated_elements = CHP_TALLY_GROWTH_FACTOR; - *ppTally = pTally; - } - for (index=0; index < pTally->in_use_elements; index++ ) - { - if (chpapp == pTally->item[index].chpapp) + if (chpapp == item.chpapp) { - pTally->item[index].key_pattern_countdown--; + item.key_pattern_countdown--; return; } } - // Not found. Add to array - if (pTally->in_use_elements == pTally->allocated_elements) - { - int newCount = pTally->allocated_elements + CHP_TALLY_GROWTH_FACTOR; - CHPMatchTally* pNewTally = (CHPMatchTally*)realloc(pTally, sizeof(CHPMatchTally)+newCount* - sizeof(CHPMatchCandidate)); - if (pNewTally) - { - *ppTally = pTally = pNewTally; - pTally->allocated_elements = newCount; - } - else - return; // failed to allocate a bigger chunk - } - // index == pTally->in_use_elements - pTally->in_use_elements++; - pTally->item[index].chpapp = chpapp; - pTally->item[index].key_pattern_length_sum = chpapp->key_pattern_length_sum; - pTally->item[index].key_pattern_countdown = chpapp->key_pattern_count - 1; // the count would - // have included - // this find. -} -struct CHPTallyAndActions -{ - CHPMatchTally* pTally; - MatchedCHPAction* matches; -}; + match_tally.push_back({chpapp, chpapp->key_pattern_length_sum, chpapp->key_pattern_count - 1}); +} // In addition to creating the linked list of matching actions this function will // create the CHPMatchTally needed to find the longest matching pattern. static int chp_key_pattern_match(void* id, void*, int index, void* data, void*) { - CHPTallyAndActions* pTallyAndActions = (CHPTallyAndActions*)data; + CHPTallyAndActions* chp = (CHPTallyAndActions*)data; CHPAction* target = (CHPAction*)id; if (target->key_pattern) { // We have a match from a key pattern. We need to have it's parent chpapp represented in - // the tally. - // If the chpapp has never been seen then add an item to the tally's array + // the tally. If the chpapp has never been seen then add an item to the tally's array // else decrement the count of expected key_patterns until zero so that we know when we // have them all. - chp_add_candidate_to_tally(&pTallyAndActions->pTally, target->chpapp); + chp_add_candidate_to_tally(chp->match_tally, target->chpapp); } - return chp_pattern_match(id, nullptr, index, &pTallyAndActions->matches, nullptr); + + return chp_pattern_match(id, nullptr, index, &chp->matches, nullptr); } static int http_pattern_match(void* id, void*, int index, void* data, void*) @@ -711,12 +604,8 @@ static int http_pattern_match(void* id, void*, int index, void* data, void*) DetectorHTTPPattern* target = (DetectorHTTPPattern*)id; /* make sure we haven't already seen this pattern */ - for (tmp = matches; - *tmp; - tmp = &(*tmp)->next) - { + for (tmp = matches; *tmp; tmp = &(*tmp)->next) cm = *tmp; - } if (!*tmp) { @@ -753,12 +642,9 @@ static SearchTool* processPatterns(DetectorHTTPPattern* patternList, return patternMatcher; } -static int processHostPatterns(DetectorHTTPPattern* patternList, size_t patternListCount, - HTTPListElement* luaPatternList, DetectorAppUrlList* urlPatternList, - DetectorAppUrlList* RTMPUrlList) +static int processHostPatterns(DetectorHTTPPattern* patternList, size_t patternListCount) { HTTPListElement* element; - DetectorAppUrlPattern* appUrlPattern; if (!detectorHttpConfig->host_url_matcher) detectorHttpConfig->host_url_matcher = mlmpCreate(); @@ -776,7 +662,7 @@ static int processHostPatterns(DetectorHTTPPattern* patternList, size_t patternL return -1; } - for (element = luaPatternList; element != 0; element = element->next) + for (element = httpPatternLists->hostPayloadPatternList; element != 0; element = element->next) { if (addMlmpPattern(detectorHttpConfig->host_url_matcher, &detectorHttpConfig->hosUrlPatternsList, element->detectorHTTPPattern.pattern, element->detectorHTTPPattern.pattern_size, @@ -786,28 +672,26 @@ static int processHostPatterns(DetectorHTTPPattern* patternList, size_t patternL return -1; } - for (uint32_t i = 0; i < RTMPUrlList->usedCount; i++) + for (auto* pattern: httpPatternLists->rtmp_url_patterns) { - appUrlPattern = RTMPUrlList->urlPattern[i]; if (addMlmpPattern(detectorHttpConfig->RTMPHosUrlMatcher, &detectorHttpConfig->hosUrlPatternsList, - appUrlPattern->patterns.host.pattern, appUrlPattern->patterns.host.patternSize, - appUrlPattern->patterns.path.pattern, appUrlPattern->patterns.path.patternSize, - appUrlPattern->userData.query.pattern, appUrlPattern->userData.query.patternSize, - appUrlPattern->userData.appId, appUrlPattern->userData.payload, - appUrlPattern->userData.service_id, appUrlPattern->userData.client_app, + pattern->patterns.host.pattern, pattern->patterns.host.patternSize, + pattern->patterns.path.pattern, pattern->patterns.path.patternSize, + pattern->userData.query.pattern, pattern->userData.query.patternSize, + pattern->userData.appId, pattern->userData.payload, + pattern->userData.service_id, pattern->userData.client_app, SINGLE) < 0) return -1; } - for (uint32_t i = 0; i < urlPatternList->usedCount; i++) + for (auto* pattern: httpPatternLists->app_url_patterns) { - appUrlPattern = urlPatternList->urlPattern[i]; if (addMlmpPattern(detectorHttpConfig->host_url_matcher, &detectorHttpConfig->hosUrlPatternsList, - appUrlPattern->patterns.host.pattern, appUrlPattern->patterns.host.patternSize, - appUrlPattern->patterns.path.pattern, appUrlPattern->patterns.path.patternSize, - appUrlPattern->userData.query.pattern, appUrlPattern->userData.query.patternSize, - appUrlPattern->userData.appId, appUrlPattern->userData.payload, - appUrlPattern->userData.service_id, appUrlPattern->userData.client_app, + pattern->patterns.host.pattern, pattern->patterns.host.patternSize, + pattern->patterns.path.pattern, pattern->patterns.path.patternSize, + pattern->userData.query.pattern, pattern->userData.query.patternSize, + pattern->userData.appId, pattern->userData.payload, + pattern->userData.service_id, pattern->userData.client_app, SINGLE) < 0) return -1; } @@ -919,9 +803,7 @@ int finalize_http_detector() numPatterns = sizeof(host_payload_http_detector_patterns)/ sizeof(*host_payload_http_detector_patterns); - if (processHostPatterns(host_payload_http_detector_patterns, numPatterns, - httpPatternLists->hostPayloadPatternList, &httpPatternLists->appUrlList, - &httpPatternLists->RTMPUrlList) < 0) + if (processHostPatterns(host_payload_http_detector_patterns, numPatterns) < 0) return -1; numPatterns = sizeof(content_type_patterns)/sizeof(*content_type_patterns); @@ -1435,7 +1317,7 @@ static void fflowCreate(char* adata, fflow_info* fflow, Packet* p, AppId target_ fflow->flow_prepared = 1; } -void finalizeFflow(fflow_info* fflow, unsigned app_type_flags, AppId target_appId, Packet* p) +void finalize_fflow(fflow_info* fflow, unsigned app_type_flags, AppId target_appId, Packet* p) { AppIdSession* fp; sfip_t saddr, daddr; @@ -1464,23 +1346,13 @@ void finalizeFflow(fflow_info* fflow, unsigned app_type_flags, AppId target_appI } } -int scanKeyCHP(PatternType ptype, char* buf, int buf_size, CHPMatchTally** ppTally, - MatchedCHPAction** ppmatches) +void scan_key_chp(PatternType ptype, char* buf, int buf_size, CHPTallyAndActions& match_tally) { - CHPTallyAndActions tallyAndActions; - tallyAndActions.pTally = *ppTally; - tallyAndActions.matches = *ppmatches; - - //FIXIT-H detectorHttpConfig->chp_matchers[ptype]->find_all(buf, buf_size, &chp_key_pattern_match, - false, (void*)(&tallyAndActions)); - - *ppTally = tallyAndActions.pTally; - *ppmatches = tallyAndActions.matches; - return (int)(tallyAndActions.pTally != nullptr); + false, (void*)(&match_tally)); } -AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, char** version, +AppId scan_chp(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, char** version, char** user, char** new_field, int* total_found, httpSession* hsession, Packet* p) { MatchedCHPAction* second_sweep_for_inserts = nullptr; @@ -1491,17 +1363,15 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, if (ptype > MAX_KEY_PATTERN) { - // There is no previous attempt to match generated by scanKeyCHP() + // There is no previous attempt to match generated by scan_key_chp() mp = nullptr; - - // FIXIT-H detectorHttpConfig->chp_matchers[ptype]->find_all(buf, buf_size, &chp_pattern_match, false, (void*)(&mp)); } if (!mp) return APP_ID_NONE; - if (pAppidActiveConfig->mod_config->disable_safe_search) + if (AppIdConfig::get_appid_config()->mod_config->disable_safe_search) { new_field = nullptr; } @@ -1517,7 +1387,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, { case DEFER_TO_SIMPLE_DETECT: // Ignore all other patterns; we are done. - FreeMatchedCHPActions(mp); + free_matched_chp_actions(mp); // Returning APP_ID_NONE will trigger the clearing of hsession->skip_simple_detect // and the freeing of any planned field rewrites. return APP_ID_NONE; @@ -1547,7 +1417,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, hsession->skip_simple_detect = true; break; case EXTRACT_USER: - if (!*user && !pAppidActiveConfig->mod_config->chp_userid_disabled) + if (!*user && !AppIdConfig::get_appid_config()->mod_config->chp_userid_disabled) { extractCHP(buf, buf_size, tmp->index, match->psize, match->action_data, user); @@ -1568,7 +1438,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, } break; case FUTURE_APPID_SESSION_SIP: - if (pAppidActiveConfig->mod_config->chp_fflow_disabled) + if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled) break; if (!hsession->fflow) hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info)); @@ -1577,7 +1447,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, break; case FUTURE_APPID_SESSION_DIP: - if (pAppidActiveConfig->mod_config->chp_fflow_disabled) + if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled) break; if (!hsession->fflow) hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info)); @@ -1586,7 +1456,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, break; case FUTURE_APPID_SESSION_SPORT: - if (pAppidActiveConfig->mod_config->chp_fflow_disabled) + if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled) break; if (!hsession->fflow) hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info)); @@ -1595,7 +1465,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, break; case FUTURE_APPID_SESSION_DPORT: - if (pAppidActiveConfig->mod_config->chp_fflow_disabled) + if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled) break; if (!hsession->fflow) hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info)); @@ -1604,7 +1474,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, break; case FUTURE_APPID_SESSION_PROTOCOL: - if (pAppidActiveConfig->mod_config->chp_fflow_disabled) + if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled) break; if (!hsession->fflow) hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info)); @@ -1613,7 +1483,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, break; case FUTURE_APPID_SESSION_CREATE: - if (pAppidActiveConfig->mod_config->chp_fflow_disabled) + if (AppIdConfig::get_appid_config()->mod_config->chp_fflow_disabled) break; if (!hsession->fflow) hsession->fflow = (fflow_info*)snort_calloc(sizeof(fflow_info)); @@ -1680,7 +1550,7 @@ AppId scanCHP(PatternType ptype, char* buf, int buf_size, MatchedCHPAction* mp, (*total_found)++; } - FreeMatchedCHPActions(mp); + free_matched_chp_actions(mp); return ret; } @@ -1696,7 +1566,7 @@ static inline int optionallyReplaceWithStrdup(char** optionalStr, const char* st return 0; } -void identifyUserAgent(const uint8_t* start, int size, AppId* serviceAppId, AppId* ClientAppId, +void identify_user_agent(const uint8_t* start, int size, AppId* serviceAppId, AppId* ClientAppId, char** version) { int skypeDetect; @@ -1715,7 +1585,6 @@ void identifyUserAgent(const uint8_t* start, int size, AppId* serviceAppId, AppI char temp_ver[MAX_VERSION_SIZE]; temp_ver[0] = 0; - // FIXIT-H detectorHttpConfig->client_agent_matcher->find_all((const char*)start, size, &http_pattern_match, false, (void*)&mp); @@ -2026,7 +1895,7 @@ done: FreeMatchStructures(mp); } -int geAppidByViaPattern(const uint8_t* data, unsigned size, char** version) +int get_appid_by_pattern(const uint8_t* data, unsigned size, char** version) { unsigned i; const uint8_t* data_ptr; @@ -2037,7 +1906,6 @@ int geAppidByViaPattern(const uint8_t* data, unsigned size, char** version) if (detectorHttpConfig->via_matcher) { - // FIXIT-H detectorHttpConfig->via_matcher->find_all((const char*)data, size, &http_pattern_match, false, (void*)&mp); } @@ -2104,7 +1972,7 @@ AppId scan_header_x_working_with(const uint8_t* data, uint32_t size, char** vers return APP_ID_NONE; } -AppId geAppidByContentType(const uint8_t* data, int size) +AppId get_appid_by_content_type(const uint8_t* data, int size) { MatchedPatterns* mp = nullptr; DetectorHTTPPattern* match; @@ -2112,7 +1980,6 @@ AppId geAppidByContentType(const uint8_t* data, int size) if (detectorHttpConfig->content_type_matcher) { - // FIXIT-H detectorHttpConfig->content_type_matcher->find_all((const char*)data, size, &content_pattern_match, false, (void*)&mp); } @@ -2166,7 +2033,7 @@ done: return 0; } -int getHTTPHeaderLocation(const uint8_t* data, unsigned size, HttpId id, int* start, int* end, +int get_http_header_location(const uint8_t* data, unsigned size, HttpId id, int* start, int* end, HeaderMatchedPatterns* hmp) { HTTPHeaderIndices* match; @@ -2183,7 +2050,6 @@ int getHTTPHeaderLocation(const uint8_t* data, unsigned size, HttpId id, int* st if (detectorHttpConfig->header_matcher) { - //FIXIT-H detectorHttpConfig->header_matcher->find_all((const char*)data, size, &http_header_pattern_match, false, (void*)hmp); } @@ -2205,7 +2071,7 @@ int getHTTPHeaderLocation(const uint8_t* data, unsigned size, HttpId id, int* st return 0; } -AppId getAppIdFromUrl(char* host, char* url, char** version, char* referer, AppId* ClientAppId, +AppId get_appid_from_url(char* host, char* url, char** version, char* referer, AppId* ClientAppId, AppId* serviceAppId, AppId* payloadAppId, AppId* referredPayloadAppId, unsigned from_rtmp) { char* path; @@ -2316,7 +2182,7 @@ AppId getAppIdFromUrl(char* host, char* url, char** version, char* referer, AppI snort_free(temp_host); /* if referred_id feature id disabled, referer will be null */ - if (referer && (!payload_found || appInfoEntryFlagGet(data->payload_id, APPINFO_FLAG_REFERRED))) + if (referer && (!payload_found || AppInfoManager::get_instance().get_app_info_flags(data->payload_id, APPINFO_FLAG_REFERRED))) { referer_start = referer; @@ -2366,7 +2232,7 @@ AppId getAppIdFromUrl(char* host, char* url, char** version, char* referer, AppI return payload_found; } -void getServerVendorVersion(const uint8_t* data, int len, char** version, char** vendor, +void get_server_vendor_version(const uint8_t* data, int len, char** version, char** vendor, RNAServiceSubtype** subtype) { const uint8_t* subname; @@ -2484,24 +2350,25 @@ void getServerVendorVersion(const uint8_t* data, int len, char** version, char** *(*vendor+vendor_len) = '\0'; } -int webdav_found(HeaderMatchedPatterns* hmp) +bool is_webdav_found(HeaderMatchedPatterns* hmp) { - // to check for webdav, look for one of the special methods - int found = 0; + bool found = false; + if (hmp->headers[HTTP_ID_COPY].start > 0) - found = 1; + found = true; else if (hmp->headers[HTTP_ID_MOVE].start > 0) - found = 1; + found = true; else if (hmp->headers[HTTP_ID_LOCK].start > 0) - found = 1; + found = true; else if (hmp->headers[HTTP_ID_UNLOCK].start > 0) - found = 1; + found = true; else if (hmp->headers[HTTP_ID_MKCOL].start > 0) - found = 1; + found = true; else if (hmp->headers[HTTP_ID_PROPPATCH].start > 0) - found = 1; + found = true; else if (hmp->headers[HTTP_ID_PROPFIND].start > 0) - found = 1; + found = true; + return found; } @@ -2515,7 +2382,7 @@ int webdav_found(HeaderMatchedPatterns* hmp) static CLIENT_APP_RETCODE http_client_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE http_client_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); static int http_service_init(const IniServiceAPI* const init_api); static int http_service_validate(ServiceValidationArgs* args); @@ -2565,7 +2432,7 @@ SO_PUBLIC RNAClientAppModule http_client_mod = 0 }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { nullptr, @@ -2575,7 +2442,7 @@ static RNAServiceValidationPort pp[] = } }; -static RNAServiceElement http_service_element = +static const RNAServiceElement http_service_element = { nullptr, &http_service_validate, @@ -2601,7 +2468,7 @@ RNAServiceValidationModule http_service_mod = static CLIENT_APP_RETCODE http_client_init(const IniClientAppAPI* const init_api, SF_LIST*) { - if (pAppidActiveConfig->mod_config->http2_detection_enabled) + if (AppIdConfig::get_appid_config()->mod_config->http2_detection_enabled) { for (unsigned i = 0; i < sizeof(patterns)/sizeof(*patterns); i++) { @@ -2623,16 +2490,16 @@ static CLIENT_APP_RETCODE http_client_init(const IniClientAppAPI* const init_api } static CLIENT_APP_RETCODE http_client_validate(const uint8_t*, uint16_t, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector*) + AppIdSession* asd, Packet* pkt, struct Detector*) { - http_client_mod.api->add_app(flowp, APP_ID_HTTP, APP_ID_HTTP + GENERIC_APP_OFFSET, nullptr); - flowp->rna_client_state = RNA_STATE_FINISHED; - http_service_mod.api->add_service(flowp, pkt, dir, &http_service_element, + http_client_mod.api->add_app(asd, APP_ID_HTTP, APP_ID_HTTP + GENERIC_APP_OFFSET, nullptr); + asd->rna_client_state = RNA_STATE_FINISHED; + http_service_mod.api->add_service(asd, pkt, dir, &http_service_element, APP_ID_HTTP, nullptr, nullptr, nullptr); - flowp->rnaServiceState = RNA_STATE_FINISHED; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED); - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); - flowp->is_http2 = true; + asd->rnaServiceState = RNA_STATE_FINISHED; + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED); + asd->clear_session_flags(APPID_SESSION_CONTINUE); + asd->is_http2 = true; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/detector_plugins/detector_http.h b/src/network_inspectors/appid/detector_plugins/detector_http.h index ec85bde9c..b5edaac0b 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_http.h +++ b/src/network_inspectors/appid/detector_plugins/detector_http.h @@ -154,13 +154,6 @@ struct DetectorAppUrlPattern UrlUserData userData; }; -struct DetectorAppUrlList -{ - DetectorAppUrlPattern** urlPattern = nullptr; - size_t usedCount = 0; - size_t allocatedCount = 0; -}; - void init_http_detector(); int finalize_http_detector(); void clean_http_detector(); @@ -170,11 +163,9 @@ void insert_content_type_pattern(HTTPListElement* element); void insert_url_pattern(DetectorAppUrlPattern* pattern); void insert_rtmp_url_pattern(DetectorAppUrlPattern* pattern); void insert_app_url_pattern(DetectorAppUrlPattern* pattern); -DetectorAppUrlList* getAppUrlList(); - -int geAppidByViaPattern(const uint8_t*, unsigned, char**); -int getHTTPHeaderLocation(const uint8_t*, unsigned, HttpId, int*, int*, HeaderMatchedPatterns*); -inline void FreeMatchedCHPActions(MatchedCHPAction* ma) +int get_appid_by_pattern(const uint8_t*, unsigned, char**); +int get_http_header_location(const uint8_t*, unsigned, HttpId, int*, int*, HeaderMatchedPatterns*); +inline void free_matched_chp_actions(MatchedCHPAction* ma) { MatchedCHPAction* tmp; @@ -186,17 +177,16 @@ inline void FreeMatchedCHPActions(MatchedCHPAction* ma) } } -int scanKeyCHP(PatternType, char*, int, CHPMatchTally**, MatchedCHPAction**); -AppId scanCHP(PatternType, char*, int, MatchedCHPAction*, char**, char**, char**, int*, +void scan_key_chp(PatternType ptype, char* buf, int buf_size, CHPTallyAndActions& match_tally); +AppId scan_chp(PatternType, char*, int, MatchedCHPAction*, char**, char**, char**, int*, httpSession*, Packet*); -AppId getAppIdFromUrl(char*, char*, char**, char*, AppId*, AppId*, AppId*, AppId*, unsigned); -AppId geAppidByContentType(const uint8_t*, int); +AppId get_appid_from_url(char*, char*, char**, char*, AppId*, AppId*, AppId*, AppId*, unsigned); +AppId get_appid_by_content_type(const uint8_t*, int); AppId scan_header_x_working_with(const uint8_t*, uint32_t, char**); -void identifyUserAgent(const uint8_t*, int, AppId*, AppId*, char**); -void getServerVendorVersion(const uint8_t*, int, char**, char**, RNAServiceSubtype**); -int webdav_found(HeaderMatchedPatterns*); - -void finalizeFflow(fflow_info*, unsigned app_type_flags, AppId, Packet* ); +void identify_user_agent(const uint8_t*, int, AppId*, AppId*, char**); +void get_server_vendor_version(const uint8_t*, int, char**, char**, RNAServiceSubtype**); +bool is_webdav_found(HeaderMatchedPatterns*); +void finalize_fflow(fflow_info*, unsigned app_type_flags, AppId, Packet* ); #endif diff --git a/src/network_inspectors/appid/detector_plugins/detector_imap.cc b/src/network_inspectors/appid/detector_plugins/detector_imap.cc index 13e706433..4d861d5e2 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_imap.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_imap.cc @@ -45,8 +45,6 @@ static const unsigned IMAP_USER_NAME_MAX_LEN = 32; static const unsigned IMAP_TAG_MAX_LEN = 6; static const unsigned MIN_CMDS = 3; -// FIXIT-M: delete OK_LOGIN if not needed... -// static const char* const OK_LOGIN = " LOGIN Ok."; static const char NO_LOGIN[] = " Login failed."; struct CLIENT_APP_CONFIG @@ -74,13 +72,12 @@ struct ClientAppData char imapCmdTag[IMAP_TAG_MAX_LEN+1]; }; -// FIXIT-L THREAD_LOCAL? static CLIENT_APP_CONFIG ca_config; static CLIENT_APP_RETCODE init(const IniClientAppAPI* const init_api, SF_LIST* config); static void clean(); static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, Detector* userData); + AppIdSession* asd, Packet* pkt, Detector* userData); static RNAClientAppModule client_app_mod = { @@ -184,13 +181,9 @@ static Client_App_Pattern patterns[] = { UID, sizeof(UID)-1, 0 }, }; -// FIXIT-L THREAD_LOCAL? static size_t longest_pattern; - static const unsigned IMAP_PORT = 143; - static const unsigned IMAP_COUNT_THRESHOLD = 2; - static const char OK[] = "OK"; static const char BAD[] = "BAD"; static const char NO[] = "NO"; @@ -240,7 +233,7 @@ struct ServiceIMAPData static int imap_init(const IniServiceAPI* const init_api); static int imap_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &imap_validate, @@ -252,7 +245,7 @@ static RNAServiceElement svc_element = "imap", }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &imap_validate, IMAP_PORT, IpProtocol::TCP, 0 }, { &imap_validate, 220, IpProtocol::TCP, 0 }, @@ -308,7 +301,7 @@ static CLIENT_APP_RETCODE init(const IniClientAppAPI* const init_api, SF_LIST* c } cmd_matcher->prep(); - pAppidActiveConfig->add_generic_config_element(client_app_mod.name, cmd_matcher); + AppIdConfig::get_appid_config()->add_generic_config_element(client_app_mod.name, cmd_matcher); ca_config.enabled = 1; @@ -321,21 +314,17 @@ static CLIENT_APP_RETCODE init(const IniClientAppAPI* const init_api, SF_LIST* c { DebugFormat(DEBUG_LOG,"Processing %s: %s\n",item->name, item->value); if (strcasecmp(item->name, "enabled") == 0) - { ca_config.enabled = atoi(item->value); - } } } if (ca_config.enabled) - { for (i=0; i < sizeof(patterns)/sizeof(*patterns); i++) { DebugFormat(DEBUG_LOG,"registering pattern: %s\n",(const char*)patterns[i].pattern); init_api->RegisterPatternNoCase(&validate, IpProtocol::TCP, patterns[i].pattern, patterns[i].length, -1); } - } unsigned j; for (j=0; j < sizeof(appIdRegistry)/sizeof(*appIdRegistry); j++) @@ -366,11 +355,11 @@ static int imap_init(const IniServiceAPI* const init_api) static void clean() { SearchTool* cmd_matcher = - (SearchTool*)pAppidActiveConfig->find_generic_config_element(client_app_mod.name); + (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name); if (cmd_matcher) delete cmd_matcher; - pAppidActiveConfig->remove_generic_config_element(client_app_mod.name); + AppIdConfig::get_appid_config()->remove_generic_config_element(client_app_mod.name); } static int pattern_match(void* id, void*, int index, void* data, void*) @@ -408,7 +397,7 @@ static inline int isImapTagChar(uint8_t tag) } static int imap_server_validate(DetectorData* dd, const uint8_t* data, uint16_t size, - AppIdSession* flowp) + AppIdSession* asd) { const uint8_t* end = data + size; ServiceIMAPData* id = &dd->server; @@ -420,7 +409,7 @@ static int imap_server_validate(DetectorData* dd, const uint8_t* data, uint16_t #ifdef DEBUG_IMAP_DETECTOR if (id->state != id->last_state) { - DebugFormat(DEBUG_INSPECTOR,"%p State %d\n",flowp, id->state); + DebugFormat(DEBUG_INSPECTOR,"%p State %d\n",asd, id->state); id->last_state = id->state; } #endif @@ -586,7 +575,7 @@ static int imap_server_validate(DetectorData* dd, const uint8_t* data, uint16_t /*add user successful */ if ((id->flags & IMAP_FLAG_RESULT_OK) && dd->client.username[0]) { - service_mod.api->add_user(flowp, dd->client.username, APP_ID_IMAP, 1); // use of + service_mod.api->add_user(asd, dd->client.username, APP_ID_IMAP, 1); // use of // LOGIN // cmd // implies @@ -622,7 +611,7 @@ static int imap_server_validate(DetectorData* dd, const uint8_t* data, uint16_t /*add user login failed */ if ((id->flags & IMAP_FLAG_RESULT_NO) && dd->client.username[0]) { - service_mod.api->add_user(flowp, dd->client.username, APP_ID_IMAP, 0); // use + service_mod.api->add_user(asd, dd->client.username, APP_ID_IMAP, 0); // use // of // LOGIN // cmd @@ -672,9 +661,9 @@ static int imap_server_validate(DetectorData* dd, const uint8_t* data, uint16_t { if (id->flags & IMAP_FLAG_RESULT_OK) { - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); /* we are potentially overriding any APP_ID_IMAP assessment that was made earlier. */ - client_app_mod.api->add_app(flowp, APP_ID_IMAPS, APP_ID_IMAPS, nullptr); // sets + client_app_mod.api->add_app(asd, APP_ID_IMAPS, APP_ID_IMAPS, nullptr); // sets // APPID_SESSION_CLIENT_DETECTED } else @@ -697,7 +686,7 @@ static int imap_server_validate(DetectorData* dd, const uint8_t* data, uint16_t } static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { const uint8_t* s = data; const uint8_t* end = (data + size); @@ -707,7 +696,7 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int ClientAppData* fd; char tag[IMAP_TAG_MAX_LEN+1] = { 0 }; SearchTool* cmd_matcher = - (SearchTool*)pAppidActiveConfig->find_generic_config_element(client_app_mod.name); + (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name); #ifdef APP_ID_USES_REASSEMBLED Stream::flush_response_flush(pkt); @@ -716,11 +705,11 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int if (!size) return CLIENT_APP_INPROCESS; - dd = (DetectorData*)imap_detector_mod.api->data_get(flowp, imap_detector_mod.flow_data_index); + dd = (DetectorData*)imap_detector_mod.api->data_get(asd, imap_detector_mod.flow_data_index); if (!dd) { dd = (DetectorData*)snort_calloc(sizeof(DetectorData)); - imap_detector_mod.api->data_add(flowp, dd, imap_detector_mod.flow_data_index, &snort_free); + imap_detector_mod.api->data_add(asd, dd, imap_detector_mod.flow_data_index, &snort_free); dd->server.flags = IMAP_FLAG_FIRST_PACKET; fd = &dd->client; } @@ -731,13 +720,13 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int { dd->need_continue = 1; fd->set_flags = 1; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } if (dir == APP_ID_FROM_RESPONDER) { - if (imap_server_validate(dd, data, size, flowp)) - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + if (imap_server_validate(dd, data, size, asd)) + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); return CLIENT_APP_INPROCESS; } @@ -774,8 +763,8 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int if (end == s || !isblank(*s)) { dd->need_continue = 0; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); return CLIENT_APP_SUCCESS; } for (; (s < end) && isblank(*s); s++) @@ -785,8 +774,8 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int if ((length = (end - s)) <= 0) { dd->need_continue = 0; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); return CLIENT_APP_SUCCESS; } cmd = nullptr; @@ -839,13 +828,13 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int fd->count++; if (fd->count == MIN_CMDS) { - client_app_mod.api->add_app(flowp, APP_ID_IMAP, APP_ID_IMAP, + client_app_mod.api->add_app(asd, APP_ID_IMAP, APP_ID_IMAP, nullptr); fd->detected = 1; if (fd->got_user) { - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } fd->state = IMAP_CLIENT_STATE_AUTH; } @@ -882,13 +871,13 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int fd->count++; if (fd->count == MIN_CMDS) { - client_app_mod.api->add_app(flowp, APP_ID_IMAP, APP_ID_IMAP, + client_app_mod.api->add_app(asd, APP_ID_IMAP, APP_ID_IMAP, nullptr); fd->detected = 1; if (fd->got_user) { - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); - flowp->clearAppIdFlag( + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); + asd->clear_session_flags( APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } } @@ -933,12 +922,12 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int fd->count++; if (fd->count == MIN_CMDS) { - client_app_mod.api->add_app(flowp, APP_ID_IMAP, APP_ID_IMAP, nullptr); + client_app_mod.api->add_app(asd, APP_ID_IMAP, APP_ID_IMAP, nullptr); fd->detected = 1; if (fd->got_user) { - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } } if (!cmd->eoc) @@ -955,12 +944,12 @@ static CLIENT_APP_RETCODE validate(const uint8_t* data, uint16_t size, const int fd->count++; if (fd->count == MIN_CMDS) { - client_app_mod.api->add_app(flowp, APP_ID_IMAP, APP_ID_IMAP, nullptr); + client_app_mod.api->add_app(asd, APP_ID_IMAP, APP_ID_IMAP, nullptr); fd->detected = 1; if (fd->got_user) { - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } } if (!cmd->eoc) @@ -979,7 +968,7 @@ static int imap_validate(ServiceValidationArgs* args) { DetectorData* dd; ServiceIMAPData* id; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -993,11 +982,11 @@ static int imap_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - dd = (DetectorData*)imap_detector_mod.api->data_get(flowp, imap_detector_mod.flow_data_index); + dd = (DetectorData*)imap_detector_mod.api->data_get(asd, imap_detector_mod.flow_data_index); if (!dd) { dd = (DetectorData*)snort_calloc(sizeof(DetectorData)); - imap_detector_mod.api->data_add(flowp, dd, imap_detector_mod.flow_data_index, &snort_free); + imap_detector_mod.api->data_add(asd, dd, imap_detector_mod.flow_data_index, &snort_free); id = &dd->server; id->state = IMAP_STATE_BEGIN; id->flags = IMAP_FLAG_FIRST_PACKET; @@ -1006,52 +995,52 @@ static int imap_validate(ServiceValidationArgs* args) id = &dd->server; if (dd->need_continue) - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); else { - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); - if (flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + asd->clear_session_flags(APPID_SESSION_CONTINUE); + if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { appid_stats.imap_flows++; return SERVICE_SUCCESS; } } - if (!imap_server_validate(dd, data, size, flowp)) + if (!imap_server_validate(dd, data, size, asd)) { if ((id->flags & IMAP_FLAG_RESULT_OK) && dd->client.state == IMAP_CLIENT_STATE_STARTTLS_CMD) { /* IMAP server response to STARTTLS command from client was OK */ - service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_IMAPS, nullptr, nullptr, nullptr); appid_stats.imaps_flows++; return SERVICE_SUCCESS; } if (id->count >= IMAP_COUNT_THRESHOLD && - !flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + !asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_IMAP, nullptr, nullptr, nullptr); appid_stats.imap_flows++; return SERVICE_SUCCESS; } } - else if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + else if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - service_mod.flow_data_index, args->pConfig); + service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + service_mod.flow_data_index); return SERVICE_NOMATCH; } else { - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_SUCCESS; } inprocess: - service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; } diff --git a/src/network_inspectors/appid/detector_plugins/detector_kerberos.cc b/src/network_inspectors/appid/detector_plugins/detector_kerberos.cc index c5b11b0d5..6dfdd3c80 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_kerberos.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_kerberos.cc @@ -108,12 +108,11 @@ struct DetectorData int need_continue; }; -// FIXIT-L THREAD_LOCAL? static KRB_CLIENT_APP_CONFIG krb_client_config; static CLIENT_APP_RETCODE krb_client_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); static RNAClientAppModule client_app_mod = { @@ -153,7 +152,7 @@ static Detector_Pattern client_patterns[] = static int krb_server_init(const IniServiceAPI* const init_api); static int krb_server_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &krb_server_validate, @@ -165,7 +164,7 @@ static RNAServiceElement svc_element = "kerberos" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &krb_server_validate, 88, IpProtocol::TCP, 0 }, { &krb_server_validate, 88, IpProtocol::UDP, 0 }, @@ -294,7 +293,7 @@ static int krb_server_init(const IniServiceAPI* const init_api) #define ERROR_MSG_TYPE 0x1e static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, const uint8_t* end, - AppIdSession* flowp) + AppIdSession* asd) { static const uint8_t KRB_CLIENT_VERSION[] = "\x0a1\x003\x002\x001"; static const uint8_t KRB_CLIENT_TYPE[] = "\x0a2\x003\x002\x001"; @@ -306,7 +305,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons #ifdef DEBUG_MSGS if (krbs->state != krbs->last_state) { - DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)flowp, krbs->state); + DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)asd, krbs->state); krbs->last_state = krbs->state; } #endif @@ -320,7 +319,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons break; case KRB_STATE_APP: DebugFormat(DEBUG_INSPECTOR,"%p Type %u (%02X)\n", - (void*)flowp, *s & (~ASN_1_TYPE_MASK), *s); + (void*)asd, *s & (~ASN_1_TYPE_MASK), *s); if ((*s & ASN_1_TYPE_MASK) != (ASN_1_APPLICATION|ASN_1_CONSTRUCT)) return KRB_FAILED; krbs->msg_type = *s & (~ASN_1_TYPE_MASK); @@ -386,7 +385,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons krbs->tag = 0xa2; break; case KRB_STATE_FIELD: - DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)flowp, *s); + DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s); if (krbs->msg_len < 2 || *s <= krbs->tag || (*s & ASN_1_TYPE_MASK) != 0xa0) return KRB_FAILED; krbs->tag = *s; @@ -409,10 +408,10 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons { if (krbs->msg_len <= 1) { - DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)flowp); + DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)asd); if (!krbs->added) { - client_app_mod.api->add_app(flowp, APP_ID_KERBEROS, APP_ID_KERBEROS, + client_app_mod.api->add_app(asd, APP_ID_KERBEROS, APP_ID_KERBEROS, krbs->ver); krbs->added = 1; } @@ -442,7 +441,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons break; case KRB_STATE_FIELD_LEVEL2: - DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)flowp, *s); + DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s); if (krbs->msg_len <= 1) { krbs->state = KRB_STATE_APP; @@ -555,7 +554,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons { if (krbs->pos) { - DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)flowp, krbs->pos); + DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)asd, krbs->pos); krbs->cname[krbs->pos] = 0; } if (krbs->msg_len <= 1) @@ -616,7 +615,7 @@ static KRB_RETCODE krb_walk_client_packet(KRBState* krbs, const uint8_t* s, cons } static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, const uint8_t* end, - AppIdSession* flowp, Packet* pkt, const int dir, + AppIdSession* asd, Packet* pkt, const int dir, const char* reqCname) { static const uint8_t KRB_SERVER_VERSION[] = "\x0a0\x003\x002\x001"; @@ -630,7 +629,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons #ifdef DEBUG_MSGS if (krbs->state != krbs->last_state) { - DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)flowp, krbs->state); + DebugFormat(DEBUG_INSPECTOR,"%p State %d\n", (void*)asd, krbs->state); krbs->last_state = krbs->state; } #endif @@ -644,7 +643,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons break; case KRB_STATE_APP: DebugFormat(DEBUG_INSPECTOR,"%p Type %u (%02X)\n", - (void*)flowp, *s & (~ASN_1_TYPE_MASK), *s); + (void*)asd, *s & (~ASN_1_TYPE_MASK), *s); if ((*s & ASN_1_TYPE_MASK) != (ASN_1_APPLICATION|ASN_1_CONSTRUCT)) return KRB_FAILED; krbs->msg_type = *s & (~ASN_1_TYPE_MASK); @@ -720,7 +719,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons krbs->pos++; break; case KRB_STATE_ERROR_VALUE: - DebugFormat(DEBUG_INSPECTOR,"%p Error %u\n", (void*)flowp, *s); + DebugFormat(DEBUG_INSPECTOR,"%p Error %u\n", (void*)asd, *s); if (krbs->msg_len <= 1) { krbs->flags |= KRB_FLAG_SERVICE_DETECTED; @@ -732,13 +731,13 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons if (*s == KDC_ERR_PREAUTH_FAILED) { - DebugFormat(DEBUG_INSPECTOR,"%p unAuthorized\n", (void*)flowp); + DebugFormat(DEBUG_INSPECTOR,"%p unAuthorized\n", (void*)asd); krbs->flags |= KRB_FLAG_AUTH_FAILED; } krbs->state = KRB_STATE_FIELD; break; case KRB_STATE_FIELD: - DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)flowp, *s); + DebugFormat(DEBUG_INSPECTOR,"%p Tag %02X\n", (void*)asd, *s); if (krbs->msg_len < 2 || *s <= krbs->tag || (*s & ASN_1_TYPE_MASK) != 0xa0) return KRB_FAILED; krbs->tag = *s; @@ -856,7 +855,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons { if (krbs->pos) { - DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)flowp, krbs->pos); + DebugFormat(DEBUG_INSPECTOR,"%p Name %u\n", (void*)asd, krbs->pos); krbs->cname[krbs->pos] = 0; krbs->flags |= KRB_FLAG_USER_DETECTED; } @@ -919,14 +918,14 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons if (krbs->msg_len <= 1) { /*end of server response message */ - DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)flowp); + DebugFormat(DEBUG_INSPECTOR,"%p Valid\n", (void*)asd); if (krbs->flags & KRB_FLAG_SERVICE_DETECTED) { - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED) && pkt) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED) && pkt) { - service_mod.api->add_service(flowp, pkt, dir, &svc_element, APP_ID_KERBEROS, + service_mod.api->add_service(asd, pkt, dir, &svc_element, APP_ID_KERBEROS, nullptr, krbs->ver, nullptr); - flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED); appid_stats.kerberos_flows++; } } @@ -936,7 +935,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons if (krb_client_config.failedLogin && ((krbs->flags & KRB_FLAG_USER_DETECTED) || reqCname)) { - service_mod.api->add_user(flowp, + service_mod.api->add_user(asd, (krbs->flags & KRB_FLAG_USER_DETECTED) ? krbs->cname : reqCname, APP_ID_LDAP, 0); appid_stats.kerberos_users++; @@ -945,7 +944,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons } else if (krbs->flags & KRB_FLAG_USER_DETECTED) { - service_mod.api->add_user(flowp, krbs->cname, APP_ID_LDAP, 1); + service_mod.api->add_user(asd, krbs->cname, APP_ID_LDAP, 1); appid_stats.kerberos_users++; } @@ -956,7 +955,7 @@ static KRB_RETCODE krb_walk_server_packet(KRBState* krbs, const uint8_t* s, cons } static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector*) + AppIdSession* asd, Packet* pkt, struct Detector*) { const uint8_t* s = data; const uint8_t* end = (data + size); @@ -964,7 +963,7 @@ static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size #ifdef DEBUG_MSGS DebugFormat(DEBUG_INSPECTOR, "%p Processing %u %u->%u %u %d", - (void*)flowp, (unsigned int)flowp->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir); + (void*)asd, (unsigned int)asd->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir); #else UNUSED(pkt); #endif @@ -976,14 +975,14 @@ static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size if (!size) return CLIENT_APP_INPROCESS; - fd = (DetectorData*)kerberos_detector_mod.api->data_get(flowp, + fd = (DetectorData*)kerberos_detector_mod.api->data_get(asd, kerberos_detector_mod.flow_data_index); if (!fd) { fd = (DetectorData*)snort_calloc(sizeof(DetectorData)); - kerberos_detector_mod.api->data_add(flowp, fd, + kerberos_detector_mod.api->data_add(asd, fd, kerberos_detector_mod.flow_data_index, &snort_free); - if (flowp->protocol == IpProtocol::TCP) + if (asd->protocol == IpProtocol::TCP) { fd->clnt_state.state = KRB_STATE_TCP_LENGTH; fd->svr_state.state = KRB_STATE_TCP_LENGTH; @@ -1003,24 +1002,24 @@ static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size { fd->need_continue = 1; fd->set_flags = 1; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } if (dir == APP_ID_FROM_INITIATOR) { - if (krb_walk_client_packet(&fd->clnt_state, s, end, flowp) == KRB_FAILED) + if (krb_walk_client_packet(&fd->clnt_state, s, end, asd) == KRB_FAILED) { - DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)flowp); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)asd); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); return CLIENT_APP_SUCCESS; } } - else if (krb_walk_server_packet(&fd->svr_state, s, end, flowp, nullptr, dir, + else if (krb_walk_server_packet(&fd->svr_state, s, end, asd, nullptr, dir, fd->clnt_state.cname) == KRB_FAILED) { - DebugFormat(DEBUG_INSPECTOR,"%p Server Failed\n", (void*)flowp); - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + DebugFormat(DEBUG_INSPECTOR,"%p Server Failed\n", (void*)asd); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } return CLIENT_APP_INPROCESS; } @@ -1028,7 +1027,7 @@ static CLIENT_APP_RETCODE krb_client_validate(const uint8_t* data, uint16_t size static int krb_server_validate(ServiceValidationArgs* args) { DetectorData* fd; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; @@ -1037,7 +1036,7 @@ static int krb_server_validate(ServiceValidationArgs* args) const uint8_t* end = (data + size); DebugFormat(DEBUG_INSPECTOR, "%p Processing %u %u->%u %u %d", - (void*)flowp, (unsigned int)flowp->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir); + (void*)asd, (unsigned int)asd->protocol, pkt->ptrs.sp, pkt->ptrs.dp, size, dir); if (dir != APP_ID_FROM_RESPONDER) goto inprocess; @@ -1049,14 +1048,14 @@ static int krb_server_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - fd = (DetectorData*)kerberos_detector_mod.api->data_get(flowp, + fd = (DetectorData*)kerberos_detector_mod.api->data_get(asd, kerberos_detector_mod.flow_data_index); if (!fd) { fd = (DetectorData*)snort_calloc(sizeof(DetectorData)); - kerberos_detector_mod.api->data_add(flowp, fd, + kerberos_detector_mod.api->data_add(asd, fd, kerberos_detector_mod.flow_data_index, &snort_free); - if (flowp->protocol == IpProtocol::TCP) + if (asd->protocol == IpProtocol::TCP) { fd->clnt_state.state = KRB_STATE_TCP_LENGTH; fd->svr_state.state = KRB_STATE_TCP_LENGTH; @@ -1073,30 +1072,30 @@ static int krb_server_validate(ServiceValidationArgs* args) } if (fd->need_continue) - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); else { - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); - if (flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + asd->clear_session_flags(APPID_SESSION_CONTINUE); + if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) return SERVICE_SUCCESS; } - if (krb_walk_server_packet(&fd->svr_state, s, end, flowp, pkt, dir, fd->clnt_state.cname) == + if (krb_walk_server_packet(&fd->svr_state, s, end, asd, pkt, dir, fd->clnt_state.cname) == KRB_FAILED) { - DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)flowp); - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + DebugFormat(DEBUG_INSPECTOR,"%p Failed\n", (void*)asd); + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - service_mod.flow_data_index, args->pConfig); + service_mod.api->fail_service(asd, pkt, dir, &svc_element, + service_mod.flow_data_index); return SERVICE_NOMATCH; } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_SUCCESS; } inprocess: - service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); return SERVICE_INPROCESS; } diff --git a/src/network_inspectors/appid/detector_plugins/detector_pattern.cc b/src/network_inspectors/appid/detector_plugins/detector_pattern.cc index 3d10361d2..7e24d7e32 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_pattern.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_pattern.cc @@ -39,12 +39,12 @@ static void pattern_service_clean(); static CLIENT_APP_RETCODE client_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE client_init_tcp(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE client_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); static void client_clean(); static const IniServiceAPI* iniServiceApi; static const IniClientAppAPI* iniClientApi; -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &service_validate, @@ -101,14 +101,6 @@ RNAClientAppModule pattern_tcp_client_mod = 0 }; -static RNAServiceValidationPort pp = -{ - &service_validate, - 0, - IpProtocol::PROTO_NOT_SET, - 0 -}; - static void FreePattern(Pattern* pattern) { if (pattern) @@ -186,7 +178,7 @@ static void read_patterns(PortPatternNode* portPatternList, PatternService** ser pattern->offset = pNode->offset; pattern->next = ps->pattern; ps->pattern = pattern; - set_app_info_active(ps->id); + AppInfoManager::get_instance().set_app_info_active(ps->id); } } @@ -195,6 +187,7 @@ static void install_ports(PatternService* serviceList, const IniServiceAPI* cons { PatternService* ps; PortNode* port; + RNAServiceValidationPort pp = { &service_validate, 0, IpProtocol::PROTO_NOT_SET, 0 }; for (ps = serviceList; ps; ps = ps->next) { @@ -723,35 +716,34 @@ static int service_validate(ServiceValidationArgs* args) { uint32_t id; const RNAServiceElement* service = nullptr; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; uint16_t size = args->size; - if (!data || !pattern_service_mod.api || !flowp || !pkt) + if (!data || !pattern_service_mod.api || !asd || !pkt) return SERVICE_ENULL; if (!size) goto inprocess; if (dir != APP_ID_FROM_RESPONDER) goto inprocess; - id = csdPatternTreeSearch(data, size, flowp->protocol, pkt, &service, false); + id = csdPatternTreeSearch(data, size, asd->protocol, pkt, &service, false); if (!id) goto fail; - pattern_service_mod.api->add_service(flowp, pkt, dir, &svc_element, id, nullptr, nullptr, + pattern_service_mod.api->add_service(asd, pkt, dir, &svc_element, id, nullptr, nullptr, nullptr); return SERVICE_SUCCESS; inprocess: - pattern_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + pattern_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); return SERVICE_INPROCESS; fail: - pattern_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - pattern_service_mod.flow_data_index, - args->pConfig); + pattern_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + pattern_service_mod.flow_data_index); return SERVICE_NOMATCH; } @@ -786,23 +778,23 @@ static void client_clean() } static CLIENT_APP_RETCODE client_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector*) + AppIdSession* asd, Packet* pkt, struct Detector*) { AppId id; const RNAServiceElement* service = nullptr; - if (!data || !flowp || !pkt) + if (!data || !asd || !pkt) return CLIENT_APP_ENULL; if (!size) goto inprocess; if (dir == APP_ID_FROM_RESPONDER) goto inprocess; - id = csdPatternTreeSearch(data, size, flowp->protocol, pkt, &service, true); + id = csdPatternTreeSearch(data, size, asd->protocol, pkt, &service, true); if (!id) goto fail; - pattern_tcp_client_mod.api->add_app(flowp, id, id, nullptr); + pattern_tcp_client_mod.api->add_app(asd, id, id, nullptr); return CLIENT_APP_SUCCESS; inprocess: diff --git a/src/network_inspectors/appid/detector_plugins/detector_pattern.h b/src/network_inspectors/appid/detector_plugins/detector_pattern.h index 7d23678d0..8ee868e76 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_pattern.h +++ b/src/network_inspectors/appid/detector_plugins/detector_pattern.h @@ -49,7 +49,7 @@ struct Pattern PatternService* ps; }; -struct PortNode // FIXIT this name changed from "Port" which is already in use by Snort++ +struct PortNode { PortNode* next; uint16_t port; diff --git a/src/network_inspectors/appid/detector_plugins/detector_pop3.cc b/src/network_inspectors/appid/detector_plugins/detector_pop3.cc index ee6ca3ade..71e71c04a 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_pop3.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_pop3.cc @@ -56,15 +56,12 @@ struct ClientPOP3Data int got_user; }; -// static const unsigned MIN_POP3_CMDS = 3; - -// FIXIT-L THREAD_LOCAL? static POP3_CLIENT_APP_CONFIG pop3_config; static CLIENT_APP_RETCODE pop3_ca_init(const IniClientAppAPI* const init_api, SF_LIST* config); static void pop3_ca_clean(); static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, struct Detector* userData); + AppIdSession* asd, Packet* pkt, struct Detector* userData); static RNAClientAppModule client_app_mod = { @@ -169,11 +166,8 @@ static Client_App_Pattern patterns[] = { CAPA2, sizeof(CAPA2)-1, 1 }, }; -// FIXIT-L THREAD_LOCAL? static size_t longest_pattern; - static const unsigned POP3_PORT = 110; - static const unsigned POP3_COUNT_THRESHOLD = 4; static const char POP3_OK[] = "+OK"; @@ -201,7 +195,7 @@ struct ServicePOP3Data static int pop3_init(const IniServiceAPI* const init_api); static int pop3_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &pop3_validate, @@ -213,7 +207,7 @@ static RNAServiceElement svc_element = "pop3" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &pop3_validate, POP3_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -328,10 +322,10 @@ static int pop3_init(const IniServiceAPI* const init_api) static void pop3_ca_clean() { SearchTool* cmd_matcher = - (SearchTool*)pAppidActiveConfig->find_generic_config_element(client_app_mod.name); + (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name); if (cmd_matcher) delete cmd_matcher; - pAppidActiveConfig->remove_generic_config_element(client_app_mod.name); + AppIdConfig::get_appid_config()->remove_generic_config_element(client_app_mod.name); } static int pop3_pattern_match(void* id, void*, int index, void* data, void*) @@ -395,7 +389,7 @@ static int pop3_check_line(const uint8_t** data, const uint8_t* end) } static int pop3_server_validate(POP3DetectorData* dd, const uint8_t* data, uint16_t size, - AppIdSession* flowp, int server) + AppIdSession* asd, int server) { static const char ven_cppop[] = "cppop"; static const char ven_cc[] = "Cubic Circle"; @@ -465,11 +459,11 @@ static int pop3_server_validate(POP3DetectorData* dd, const uint8_t* data, uint1 } else { - flowp->setAppIdFlag(APPID_SESSION_ENCRYPTED); - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_ENCRYPTED); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); /* we are potentially overriding the APP_ID_POP3 assessment that was made earlier. */ - client_app_mod.api->add_app(flowp, APP_ID_POP3S, APP_ID_POP3S, nullptr); // sets + client_app_mod.api->add_app(asd, APP_ID_POP3S, APP_ID_POP3S, nullptr); // sets // APPID_SESSION_CLIENT_DETECTED } } @@ -478,20 +472,20 @@ static int pop3_server_validate(POP3DetectorData* dd, const uint8_t* data, uint1 { if (pd->error) { - service_mod.api->add_user(flowp, dd->client.username, APP_ID_POP3, 0); + service_mod.api->add_user(asd, dd->client.username, APP_ID_POP3, 0); snort_free(dd->client.username); dd->client.username = nullptr; } else { - service_mod.api->add_user(flowp, dd->client.username, APP_ID_POP3, 1); + service_mod.api->add_user(asd, dd->client.username, APP_ID_POP3, 1); snort_free(dd->client.username); dd->client.username = nullptr; dd->need_continue = 0; - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); dd->client.got_user = 1; if (dd->client.detected) - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); } } if (server && begin) @@ -671,7 +665,7 @@ ven_ver_done:; } static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet*, struct Detector*) + AppIdSession* asd, Packet*, struct Detector*) { const uint8_t* s = data; const uint8_t* end = (data + size); @@ -687,12 +681,12 @@ static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, c Stream::flush_response_flush(pkt); #endif - dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(flowp, + dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(asd, pop3_detector_mod.flow_data_index); if (!dd) { dd = (POP3DetectorData*)snort_calloc(sizeof(POP3DetectorData)); - pop3_detector_mod.api->data_add(flowp, dd, + pop3_detector_mod.api->data_add(asd, dd, pop3_detector_mod.flow_data_index, &pop3_free_state); dd->server.state = POP3_STATE_CONNECT; fd = &dd->client; @@ -705,23 +699,23 @@ static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, c { dd->need_continue = 1; fd->set_flags = 1; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } if (dir == APP_ID_FROM_RESPONDER) { #ifdef DEBUG_POP3 - DebugFormat(DEBUG_INSPECTOR,"%p Calling server\n",flowp); + DebugFormat(DEBUG_INSPECTOR,"%p Calling server\n",asd); DumpHex(SF_DEBUG_FILE, data, size); #endif - if (pop3_server_validate(dd, data, size, flowp, 0)) - flowp->clearAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + if (pop3_server_validate(dd, data, size, asd, 0)) + asd->clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); return CLIENT_APP_INPROCESS; } #ifdef DEBUG_POP3 - DebugFormat(DEBUG_INSPECTOR,"%p Client\n",flowp); + DebugFormat(DEBUG_INSPECTOR,"%p Client\n",asd); DumpHex(SF_DEBUG_FILE, data, size); #endif @@ -729,7 +723,7 @@ static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, c { unsigned pattern_index; SearchTool* cmd_matcher = - (SearchTool*)pAppidActiveConfig->find_generic_config_element(client_app_mod.name); + (SearchTool*)AppIdConfig::get_appid_config()->find_generic_config_element(client_app_mod.name); cmd = nullptr; cmd_matcher->find_all((char*)s, (length > longest_pattern ? longest_pattern : length), @@ -738,7 +732,7 @@ static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, c if (!cmd) { dd->need_continue = 0; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); return CLIENT_APP_SUCCESS; } s += cmd->length; @@ -858,7 +852,7 @@ static CLIENT_APP_RETCODE pop3_ca_validate(const uint8_t* data, uint16_t size, c { /* We stayed in non-secure mode and received a TRANSACTION-state command: POP3 found */ - client_app_mod.api->add_app(flowp, APP_ID_POP3, APP_ID_POP3, nullptr); // sets + client_app_mod.api->add_app(asd, APP_ID_POP3, APP_ID_POP3, nullptr); // sets // APPID_SESSION_CLIENT_DETECTED fd->detected = 1; } @@ -881,7 +875,7 @@ static int pop3_validate(ServiceValidationArgs* args) { POP3DetectorData* dd; ServicePOP3Data* pd; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; @@ -898,16 +892,16 @@ static int pop3_validate(ServiceValidationArgs* args) goto inprocess; #ifdef DEBUG_POP3 - DebugFormat(DEBUG_INSPECTOR,"%p Dir %d\n",flowp, dir); + DebugFormat(DEBUG_INSPECTOR,"%p Dir %d\n",asd, dir); DumpHex(SF_DEBUG_FILE, data, size); #endif - dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(flowp, + dd = (POP3DetectorData*)pop3_detector_mod.api->data_get(asd, pop3_detector_mod.flow_data_index); if (!dd) { dd = (POP3DetectorData*)snort_calloc(sizeof(POP3DetectorData)); - pop3_detector_mod.api->data_add(flowp, dd, + pop3_detector_mod.api->data_add(asd, dd, pop3_detector_mod.flow_data_index, &pop3_free_state); dd->client.state = POP3_CLIENT_STATE_AUTH; pd = &dd->server; @@ -917,23 +911,23 @@ static int pop3_validate(ServiceValidationArgs* args) pd = &dd->server; if (dd->need_continue) - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); else { - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); - if (flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + asd->clear_session_flags(APPID_SESSION_CONTINUE); + if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { appid_stats.pop_flows++; return SERVICE_SUCCESS; } } - if (!pop3_server_validate(dd, data, size, flowp, 1)) + if (!pop3_server_validate(dd, data, size, asd, 1)) { if (pd->count >= POP3_COUNT_THRESHOLD - && !flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + && !asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - service_mod.api->add_service_consume_subtype(flowp, pkt, dir, &svc_element, + service_mod.api->add_service_consume_subtype(asd, pkt, dir, &svc_element, dd->client.state == POP3_CLIENT_STATE_STLS_CMD ? APP_ID_POP3S : APP_ID_POP3, pd->vendor, pd->version[0] ? pd->version : nullptr, pd->subtype); @@ -942,21 +936,21 @@ static int pop3_validate(ServiceValidationArgs* args) return SERVICE_SUCCESS; } } - else if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + else if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - service_mod.flow_data_index, args->pConfig); + service_mod.api->fail_service(asd, pkt, dir, &svc_element, + service_mod.flow_data_index); return SERVICE_NOMATCH; } else { - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); appid_stats.pop_flows++; return SERVICE_SUCCESS; } inprocess: - service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); return SERVICE_INPROCESS; } diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.cc b/src/network_inspectors/appid/detector_plugins/detector_sip.cc index f35dbdef2..099708cd4 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.cc @@ -100,11 +100,11 @@ static THREAD_LOCAL DetectorSipConfig detector_sip_config; static CLIENT_APP_RETCODE sip_client_init(const IniClientAppAPI* const init_api, SF_LIST* config); static void sip_clean(); static CLIENT_APP_RETCODE sip_client_validate(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, Detector* userData); + AppIdSession* asd, Packet* pkt, Detector* userData); static CLIENT_APP_RETCODE sip_tcp_client_init(const IniClientAppAPI* const init_api, SF_LIST* config); static CLIENT_APP_RETCODE sip_tcp_client_validate(const uint8_t* data, uint16_t size, - const int dir, AppIdSession* flowp, Packet* pkt, Detector* userData); + const int dir, AppIdSession* asd, Packet* pkt, Detector* userData); static int get_sip_client_app(void* patternMatcher, char* pattern, uint32_t patternLen, AppId* ClientAppId, char** clientVersion); static void clean_sip_ua(); @@ -182,7 +182,7 @@ struct ServiceSIPData static int sip_service_init(const IniServiceAPI* const init_api); static int sip_service_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &sip_service_validate, @@ -194,7 +194,7 @@ static RNAServiceElement svc_element = "sip" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &sip_service_validate, SIP_PORT, IpProtocol::TCP, 0 }, { &sip_service_validate, SIP_PORT, IpProtocol::UDP, 0 }, @@ -310,28 +310,28 @@ static void clientDataFree(void* data) // static const char* const SIP_USRNAME_BEGIN_MARKER = "data_get(flowp, + fd = (ClientSIPData*)sip_udp_client_mod.api->data_get(asd, sip_udp_client_mod.flow_data_index); if (!fd) { fd = (ClientSIPData*)snort_calloc(sizeof(ClientSIPData)); - sip_udp_client_mod.api->data_add(flowp, fd, + sip_udp_client_mod.api->data_add(asd, fd, sip_udp_client_mod.flow_data_index, &clientDataFree); fd->owner = &sip_udp_client_mod; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } return CLIENT_APP_INPROCESS; } -static CLIENT_APP_RETCODE sip_tcp_client_validate(const uint8_t* data, uint16_t size, - const int dir, AppIdSession* flowp, Packet* pkt, struct Detector* userData) +static CLIENT_APP_RETCODE sip_tcp_client_validate(const uint8_t* data, uint16_t size, const int + dir, AppIdSession* asd, Packet* pkt, struct Detector* userData) { - return sip_client_validate(data, size, dir, flowp, pkt, userData); + return sip_client_validate(data, size, dir, asd, pkt, userData); } static int sipAppAddPattern(DetectorAppSipPattern** patternList, AppId ClientAppId, @@ -355,7 +355,6 @@ int sipUaPatternAdd( AppId ClientAppId, const char* clientVersion, const char* p return sipAppAddPattern(&detector_sip_config.sip_ua_list, ClientAppId, clientVersion, pattern); } -// FIXIT-L - noone calls this function, is it needed? int sipServerPatternAdd(AppId ClientAppId, const char* clientVersion, const char* pattern) { return sipAppAddPattern(&detector_sip_config.sip_server_list, ClientAppId, clientVersion, pattern); @@ -465,8 +464,8 @@ static int get_sip_client_app(void* patternMatcher, char* pattern, uint32_t patt return 1; } -static void createRtpFlow(AppIdSession* flowp, const Packet* pkt, const sfip_t* cliIp, - uint16_t cliPort, const sfip_t* srvIp, uint16_t srvPort, IpProtocol proto, int16_t app_id) +static void createRtpFlow(AppIdSession* asd, const Packet* pkt, const sfip_t* cliIp, + uint16_t cliPort, const sfip_t* srvIp, uint16_t srvPort, IpProtocol proto, int16_t app_id) { AppIdSession* fp, * fp2; @@ -474,10 +473,10 @@ static void createRtpFlow(AppIdSession* flowp, const Packet* pkt, const sfip_t* APPID_EARLY_SESSION_FLAG_FW_RULE); if (fp) { - fp->client_app_id = flowp->client_app_id; - fp->payload_app_id = flowp->payload_app_id; + fp->client_app_id = asd->client_app_id; + fp->payload_app_id = asd->payload_app_id; fp->serviceAppId = APP_ID_RTP; - PopulateExpectedFlow(flowp, fp, APPID_SESSION_IGNORE_ID_FLAGS); + PopulateExpectedFlow(asd, fp, APPID_SESSION_IGNORE_ID_FLAGS); } // create an RTCP flow as well @@ -485,21 +484,21 @@ static void createRtpFlow(AppIdSession* flowp, const Packet* pkt, const sfip_t* APPID_EARLY_SESSION_FLAG_FW_RULE); if (fp2) { - fp2->client_app_id = flowp->client_app_id; - fp2->payload_app_id = flowp->payload_app_id; + fp2->client_app_id = asd->client_app_id; + fp2->payload_app_id = asd->payload_app_id; fp2->serviceAppId = APP_ID_RTCP; - PopulateExpectedFlow(flowp, fp2, APPID_SESSION_IGNORE_ID_FLAGS); + PopulateExpectedFlow(asd, fp2, APPID_SESSION_IGNORE_ID_FLAGS); } } -static int addFutureRtpFlows(AppIdSession* flowp, const SipDialog* dialog, const Packet* p) +static int addFutureRtpFlows(AppIdSession* asd, const SipDialog* dialog, const Packet* p) { SIP_MediaData* mdataA,* mdataB; - // check the first media session + // check the first media asd if (nullptr == dialog->mediaSessions) return -1; - // check the second media session + // check the second media asd if (nullptr == dialog->mediaSessions->nextS) return -1; @@ -515,13 +514,10 @@ static int addFutureRtpFlows(AppIdSession* flowp, const SipDialog* dialog, const DebugFormat(DEBUG_SIP, "Adding future channels Destine IP: %s Port: %u\n", sfip_to_str(&mdataB->maddress), mdataB->mport); - // FIXIT All of the casts in these two function calls are flagrantly wrong. These - // signatures don't line up and it doesn't seem to be a simple fix. - createRtpFlow(flowp, p, &mdataA->maddress, mdataA->mport, &mdataB->maddress, + createRtpFlow(asd, p, &mdataA->maddress, mdataA->mport, &mdataB->maddress, mdataB->mport, IpProtocol::UDP, APP_ID_RTP); - createRtpFlow(flowp, p, &mdataB->maddress, mdataB->mport, &mdataA->maddress, + createRtpFlow(asd, p, &mdataB->maddress, mdataB->mport, &mdataA->maddress, mdataA->mport, IpProtocol::UDP, APP_ID_RTP); - mdataA = mdataA->nextM; mdataB = mdataB->nextM; } @@ -529,22 +525,22 @@ static int addFutureRtpFlows(AppIdSession* flowp, const SipDialog* dialog, const } static void SipSessionCbClientProcess(const Packet* p, const SipHeaders* headers, const - SipDialog* dialog, AppIdSession* flowp) + SipDialog* dialog, AppIdSession* asd) { ClientSIPData* fd; AppId ClientAppId = APP_ID_SIP; char* clientVersion = nullptr; int direction; - fd = (ClientSIPData*)sip_udp_client_mod.api->data_get(flowp, + fd = (ClientSIPData*)sip_udp_client_mod.api->data_get(asd, sip_udp_client_mod.flow_data_index); if (!fd) { fd = (ClientSIPData*)snort_calloc(sizeof(ClientSIPData)); - sip_udp_client_mod.api->data_add(flowp, fd, + sip_udp_client_mod.api->data_add(asd, fd, sip_udp_client_mod.flow_data_index, &clientDataFree); fd->owner = &sip_udp_client_mod; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } if (fd->owner != &sip_udp_client_mod && fd->owner != &sip_tcp_client_mod) @@ -594,25 +590,25 @@ static void SipSessionCbClientProcess(const Packet* p, const SipHeaders* headers success: //client detection successful - sip_udp_client_mod.api->add_app(flowp, APP_ID_SIP, ClientAppId, clientVersion); + sip_udp_client_mod.api->add_app(asd, APP_ID_SIP, ClientAppId, clientVersion); if (fd->userName) - sip_udp_client_mod.api->add_user(flowp, (char*)fd->userName, APP_ID_SIP, 1); + sip_udp_client_mod.api->add_user(asd, (char*)fd->userName, APP_ID_SIP, 1); - flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + asd->set_session_flags(APPID_SESSION_CLIENT_DETECTED); } static void SipSessionCbServiceProcess(const Packet* p, const SipHeaders* headers, const - SipDialog* dialog, AppIdSession* flowp) + SipDialog* dialog, AppIdSession* asd) { ServiceSIPData* ss; int direction; - ss = (ServiceSIPData*)sip_service_mod.api->data_get(flowp, sip_service_mod.flow_data_index); + ss = (ServiceSIPData*)sip_service_mod.api->data_get(asd, sip_service_mod.flow_data_index); if (!ss) { ss = (ServiceSIPData*)snort_calloc(sizeof(ServiceSIPData)); - sip_service_mod.api->data_add(flowp, ss, sip_service_mod.flow_data_index, &snort_free); + sip_service_mod.api->data_add(asd, ss, sip_service_mod.flow_data_index, &snort_free); } ss->serverPkt = 0; @@ -639,14 +635,14 @@ static void SipSessionCbServiceProcess(const Packet* p, const SipHeaders* header return; if (dialog->mediaUpdated) - addFutureRtpFlows(flowp, dialog, p); + addFutureRtpFlows(asd, dialog, p); if (dialog->state == SIP_DLG_ESTABLISHED) { - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); - sip_service_mod.api->add_service(flowp, p, direction, &svc_element, + asd->set_session_flags(APPID_SESSION_CONTINUE); + sip_service_mod.api->add_service(asd, p, direction, &svc_element, APP_ID_SIP, ss->vendor[0] ? ss->vendor : nullptr, nullptr, nullptr); } } @@ -654,7 +650,7 @@ static void SipSessionCbServiceProcess(const Packet* p, const SipHeaders* header void SipSessionSnortCallback(void*, ServiceEventType, void* data) { - AppIdSession* session = nullptr; + AppIdSession* asd = nullptr; SipEventData* eventData = (SipEventData*)data; const Packet* p = eventData->packet; @@ -679,16 +675,16 @@ void SipSessionSnortCallback(void*, ServiceEventType, void* data) } #endif if(p->flow) - session = appid_api.get_appid_data(p->flow); + asd = appid_api.get_appid_data(p->flow); - if(!session) + if(!asd) { WarningMessage("AppId Session does not exist.\n"); return; } - SipSessionCbClientProcess(p, headers, dialog, session); - SipSessionCbServiceProcess(p, headers, dialog, session); + SipSessionCbClientProcess(p, headers, dialog, asd); + SipSessionCbServiceProcess(p, headers, dialog, asd); } static int sip_service_init(const IniServiceAPI* const init_api) @@ -736,13 +732,13 @@ static int sip_service_init(const IniServiceAPI* const init_api) static int sip_service_validate(ServiceValidationArgs* args) { ServiceSIPData* ss; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; - ss = (ServiceSIPData*)sip_service_mod.api->data_get(flowp, sip_service_mod.flow_data_index); + ss = (ServiceSIPData*)sip_service_mod.api->data_get(asd, sip_service_mod.flow_data_index); if (!ss) { ss = (ServiceSIPData*)snort_calloc(sizeof(ServiceSIPData)); - sip_service_mod.api->data_add(flowp, ss, sip_service_mod.flow_data_index, &snort_free); + sip_service_mod.api->data_add(asd, ss, sip_service_mod.flow_data_index, &snort_free); } if (args->size && args->dir == APP_ID_FROM_RESPONDER) @@ -752,18 +748,18 @@ static int sip_service_validate(ServiceValidationArgs* args) if (ss->serverPkt > 10) { - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - sip_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - sip_service_mod.flow_data_index, args->pConfig); + sip_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + sip_service_mod.flow_data_index); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOMATCH; } - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - sip_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + sip_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); } return SERVICE_INPROCESS; diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.h b/src/network_inspectors/appid/detector_plugins/detector_sip.h index 03a6174a2..deb5b6e8c 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.h +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.h @@ -46,7 +46,7 @@ extern struct RNAClientAppModule sip_udp_client_mod; extern struct RNAClientAppModule sip_tcp_client_mod; extern struct RNAServiceValidationModule sip_service_mod; -// FIXIT-M: ServiceEventType enum needs to become real when SIP is supported +// FIXIT-M ServiceEventType enum needs to become real when SIP is supported enum ServiceEventType {}; void SipSessionSnortCallback(void* ssnptr, ServiceEventType, void* eventData); diff --git a/src/network_inspectors/appid/fw_appid.cc b/src/network_inspectors/appid/fw_appid.cc index 6a21e055d..244aaf5c2 100644 --- a/src/network_inspectors/appid/fw_appid.cc +++ b/src/network_inspectors/appid/fw_appid.cc @@ -28,6 +28,7 @@ #include "utils/util.h" #include "appid_stats.h" +#include "appid_config.h" #include "appid_module.h" #include "app_forecast.h" #include "app_info_table.h" @@ -56,116 +57,32 @@ void reset_appid_stats(int, void*) } #endif -unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone) +void AppIdAddUser(AppIdSession* asd, const char* username, AppId appId, int success) { - NetworkSet* net_list; - unsigned flags; - AppIdConfig* pConfig = pAppidActiveConfig; - - if (zone >= 0 && zone < MAX_ZONES && pConfig->net_list_by_zone[zone]) - net_list = pConfig->net_list_by_zone[zone]; - else - net_list = pConfig->net_list; - - NetworkSet_ContainsEx(net_list, ip4, &flags); - return flags; -} - -void AppIdAddUser(AppIdSession* session, const char* username, AppId appId, int success) -{ - if (session->username) - snort_free(session->username); - session->username = snort_strdup(username); - session->username_service = appId; + if (asd->username) + snort_free(asd->username); + asd->username = snort_strdup(username); + asd->username_service = appId; if (success) - session->setAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED); - else - session->clearAppIdFlag(APPID_SESSION_LOGIN_SUCCEEDED); -} - -void AppIdAddDnsQueryInfo(AppIdSession* session, uint16_t id, const uint8_t* host, uint8_t host_len, - uint16_t host_offset, uint16_t record_type) -{ - if ( session->dsession ) - { - if ( ( session->dsession->state != 0 ) && ( session->dsession->id != id ) ) - AppIdResetDnsInfo(session); - } - else - session->dsession = (dnsSession*)snort_calloc(sizeof(dnsSession)); - - if (session->dsession->state & DNS_GOT_QUERY) - return; - session->dsession->state |= DNS_GOT_QUERY; - - session->dsession->id = id; - session->dsession->record_type = record_type; - - if (!session->dsession->host) - { - if ((host != nullptr) && (host_len > 0) && (host_offset > 0)) - { - session->dsession->host_len = host_len; - session->dsession->host_offset = host_offset; - session->dsession->host = dns_parse_host(host, host_len); - } - } -} - -void AppIdAddDnsResponseInfo(AppIdSession* session, uint16_t id, const uint8_t* host, - uint8_t host_len, uint16_t host_offset, uint8_t response_type, uint32_t ttl) -{ - if ( session->dsession ) - { - if ( ( session->dsession->state != 0 ) && ( session->dsession->id != id ) ) - AppIdResetDnsInfo(session); - } + asd->set_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); else - session->dsession = (dnsSession*)snort_calloc(sizeof(*session->dsession)); - - if (session->dsession->state & DNS_GOT_RESPONSE) - return; - session->dsession->state |= DNS_GOT_RESPONSE; - - session->dsession->id = id; - session->dsession->response_type = response_type; - session->dsession->ttl = ttl; - - if (!session->dsession->host) - { - if ((host != nullptr) && (host_len > 0) && (host_offset > 0)) - { - session->dsession->host_len = host_len; - session->dsession->host_offset = host_offset; - session->dsession->host = dns_parse_host(host, host_len); - } - } -} - -void AppIdResetDnsInfo(AppIdSession* session) -{ - if (session->dsession) - { - snort_free(session->dsession->host); - memset(session->dsession, 0, sizeof(*(session->dsession))); - } + asd->clear_session_flags(APPID_SESSION_LOGIN_SUCCEEDED); } -void AppIdAddPayload(AppIdSession* session, AppId payload_id) +void AppIdAddPayload(AppIdSession* asd, AppId payload_id) { - if (pAppidActiveConfig->mod_config->instance_id) + if (AppIdConfig::get_appid_config()->mod_config->instance_id) checkSandboxDetection(payload_id); - session->payload_app_id = payload_id; + asd->payload_app_id = payload_id; } - void checkSandboxDetection(AppId appId) { AppInfoTableEntry* entry; - if (pAppidActiveConfig->mod_config->instance_id) + if (AppIdConfig::get_appid_config()->mod_config->instance_id) { - entry = appInfoEntryGet(appId); + entry = AppInfoManager::get_instance().get_app_info_entry(appId); if ( entry && ( entry->flags & APPINFO_FLAG_ACTIVE ) ) fprintf(SF_DEBUG_FILE, "Detected AppId %d\n", entry->appId); else if( appId != 0 ) diff --git a/src/network_inspectors/appid/fw_appid.h b/src/network_inspectors/appid/fw_appid.h index c17eeb97f..c49027951 100644 --- a/src/network_inspectors/appid/fw_appid.h +++ b/src/network_inspectors/appid/fw_appid.h @@ -42,19 +42,12 @@ extern uint8_t appIdPriorityArray[SF_APPID_MAX + 1]; AppIdSession* getAppIdData(void* lwssn); void AppIdAddUser(AppIdSession*, const char* username, AppId, int success); -void AppIdAddDnsQueryInfo(AppIdSession*, uint16_t id, const uint8_t* host, uint8_t host_len, - uint16_t host_offset, uint16_t record_type); -void AppIdAddDnsResponseInfo(AppIdSession*, uint16_t id, const uint8_t* host, uint8_t host_len, - uint16_t host_offset, uint8_t response_type, uint32_t ttl); -void AppIdResetDnsInfo(AppIdSession*); void AppIdAddPayload(AppIdSession*, AppId); extern unsigned dhcp_fp_table_size; -unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone); void checkSandboxDetection(AppId appId); - inline void initializePriorityArray() { for ( int i=0; i < SF_APPID_MAX; ++i ) @@ -120,7 +113,7 @@ inline int TPIsAppIdAvailable(void* tpSession) inline int testSSLAppIdForReinspect(AppId app_id) { if (app_id <= SF_APPID_MAX && - (app_id == APP_ID_SSL || appInfoEntryFlagGet(app_id, APPINFO_FLAG_SSL_INSPECT))) + (app_id == APP_ID_SSL || AppInfoManager::get_instance().get_app_info_flags(app_id, APPINFO_FLAG_SSL_INSPECT))) return 1; else return 0; diff --git a/src/network_inspectors/appid/http_common.h b/src/network_inspectors/appid/http_common.h index 74ef5f139..07ebc2247 100644 --- a/src/network_inspectors/appid/http_common.h +++ b/src/network_inspectors/appid/http_common.h @@ -34,8 +34,6 @@ class SearchTool; struct tMlmpTree; -// FIXIT-M hack to get initial port to build, define these properly -#if 1 struct HttpParsedHeaders { struct HttpBuf @@ -55,8 +53,7 @@ struct HttpParsedHeaders #define HTTP_XFF_FIELD_X_FORWARDED_FOR "" #define HTTP_XFF_FIELD_TRUE_CLIENT_IP "" - -#endif +#define HTTP_MAX_XFF_FIELDS 255 // These values are used in Lua code as raw numbers. Do NOT reassign new values. enum DHPSequence @@ -196,12 +193,12 @@ struct CHPMatchCandidate int key_pattern_countdown; }; -// FIXIT-M: make the 'item' field a std:vector and refactor code to eliminate realloc calls -struct CHPMatchTally +typedef std::vector CHPMatchTally; + +struct CHPTallyAndActions { - int allocated_elements; - int in_use_elements; - CHPMatchCandidate item[1]; + CHPMatchTally match_tally; + MatchedCHPAction* matches; }; // url parts extracted from http headers. diff --git a/src/network_inspectors/appid/ips_appid_option.cc b/src/network_inspectors/appid/ips_appid_option.cc index d0a1bda15..685974817 100644 --- a/src/network_inspectors/appid/ips_appid_option.cc +++ b/src/network_inspectors/appid/ips_appid_option.cc @@ -138,7 +138,7 @@ bool AppIdIpsOption::operator==(const IpsOption& ips) const void AppIdIpsOption::map_names_to_ids() { for (auto& appid_info : opt_data.appid_table) - appid_info.appid_ordinal = get_appid_by_name(appid_info.appid_name); + appid_info.appid_ordinal = AppInfoManager::get_instance().get_appid_by_name(appid_info.appid_name); opt_data.ids_mapped = true; } diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc index 9fbf4e237..914ec5231 100644 --- a/src/network_inspectors/appid/lua_detector_api.cc +++ b/src/network_inspectors/appid/lua_detector_api.cc @@ -134,7 +134,6 @@ Detector* createDetector(lua_State* L, const char* detectorName) UserData::push(L, DETECTOR, detector); // add a lua reference so the detector doesn't get garbage-collected - // FIXIT-M J should go in a different table maybe? lua_pushvalue(L, -1); detector->detectorUserDataRef = luaL_ref(L, LUA_REGISTRYINDEX); return detector; @@ -218,7 +217,7 @@ static int service_registerPattern(lua_State* L) auto& ud = *UserData::check(L, DETECTOR, index++); // FIXIT-M none of these params check for signedness casting issues - // FIXIT-M: May want to create a lua_toipprotocol() so we can handle + // FIXIT-M May want to create a lua_toipprotocol() so we can handle // error checking in that function. int protocol = lua_tonumber(L, index++); if (protocol > UINT8_MAX) @@ -249,7 +248,7 @@ static void appSetLuaClientValidator(RNAClientAppFCN fcn, AppId appId, unsigned { AppInfoTableEntry* entry; - if ((entry = appInfoEntryGet(appId))) + if ((entry = AppInfoManager::get_instance().get_app_info_entry(appId))) { entry->flags |= APPINFO_FLAG_ACTIVE; extractsInfo &= (APPINFO_FLAG_CLIENT_ADDITIONAL | APPINFO_FLAG_CLIENT_USER); @@ -282,10 +281,7 @@ static void appSetLuaServiceValidator(RNAServiceValidationFCN fcn, AppId appId, { AppInfoTableEntry* entry; - // FIXIT-L: what type of error would cause this lookup to fail? is this programming error - // or user error due to misconfig or something like that... if change in handling needed - // apply to all instances where this lookup is done - if ((entry = appInfoEntryGet(appId))) + if ((entry = AppInfoManager::get_instance().get_app_info_entry(appId))) { entry->flags |= APPINFO_FLAG_ACTIVE; @@ -297,16 +293,15 @@ static void appSetLuaServiceValidator(RNAServiceValidationFCN fcn, AppId appId, return; } - entry->svrValidator = ServiceGetServiceElement(fcn, data); + entry->svrValidator = get_service_element(fcn, data); if (entry->svrValidator) entry->flags |= extractsInfo; else - ErrorMessage("AppId: Failed to find a service element for AppId: %d - %p\n", - appId, (void*)data); + ErrorMessage("AppId: Failed to find a service element for AppId: %d\n",appId); } else { - ErrorMessage("Invalid direct service for AppId: %d - %p\n", appId, (void*)data); + WarningMessage("AppId: %d has not entry in application mapping configuration and no custom detector\n", appId); } } @@ -326,7 +321,7 @@ static int common_registerAppId(lua_State* L) appSetLuaClientValidator( validateAnyClientApp, appId, APPINFO_FLAG_CLIENT_ADDITIONAL, ud.ptr); - set_app_info_active(appId); + AppInfoManager::get_instance().set_app_info_active(appId); lua_pushnumber(L, 0); return 1; @@ -334,9 +329,6 @@ static int common_registerAppId(lua_State* L) static int Detector_htons(lua_State* L) { - // FIXIT-L ignoring arg #1, as it is unused - // auto* ud = UserData::check(L, DETECTOR, 1); - unsigned short aShort = lua_tonumber(L, 2); lua_pushnumber(L, htons(aShort)); @@ -345,9 +337,6 @@ static int Detector_htons(lua_State* L) static int Detector_htonl(lua_State* L) { - // FIXIT-L ignoring arg #1, as it is unused - // auto* ud = UserData::check(L, DETECTOR, 1); - unsigned int anInt = lua_tonumber(L, 2); lua_pushnumber(L, htonl(anInt)); @@ -407,7 +396,7 @@ static int service_analyzePayload(lua_State* L) assert(ud->validateParams.pkt); - ud->validateParams.flowp->payload_app_id = payloadId; + ud->validateParams.asd->payload_app_id = payloadId; return 0; } @@ -430,8 +419,7 @@ int validateAnyService(ServiceValidationArgs* args) if ( !detector ) { - // FIXIT-M J unhelpful error message - ErrorMessage("invalid LUA parameters"); + ErrorMessage("The service validation arguments do not contain a detector object\n"); return SERVICE_ENULL; } @@ -440,7 +428,7 @@ int validateAnyService(ServiceValidationArgs* args) detector->validateParams.data = args->data; detector->validateParams.size = args->size; detector->validateParams.dir = args->dir; - detector->validateParams.flowp = args->flowp; + detector->validateParams.asd = args->asd; detector->validateParams.pkt = args->pkt; const auto& serverName = detector->name; @@ -582,9 +570,7 @@ static int service_setServiceName(lua_State* L) * @return int - Number of elements on stack, which is always 1. * @return serviceName/stack - service name if successful, nil otherwise. */ -static int service_getServiceName( - lua_State* L - ) +static int service_getServiceName(lua_State* L) { auto& ud = *UserData::check(L, DETECTOR, 1); @@ -662,7 +648,7 @@ static int service_addDataId(lua_State* L) return 1; } - ud->validateParams.flowp->add_flow_data_id(sport, ud->server.pServiceElement); + ud->validateParams.asd->add_flow_data_id(sport, ud->server.pServiceElement); lua_pushnumber(L, 0); return 1; @@ -701,9 +687,9 @@ static int service_addService( /*Phase2 - discuss RNAServiceSubtype will be maintained on lua side therefore the last parameter on the following call is nullptr. Subtype is not displayed on DC at present. */ - retValue = AppIdServiceAddService(ud->validateParams.flowp, ud->validateParams.pkt, + retValue = AppIdServiceAddService(ud->validateParams.asd, ud->validateParams.pkt, ud->validateParams.dir, ud->server.pServiceElement, - get_appid_by_service_id(serviceId), vendor, version, nullptr); + AppInfoManager::get_instance().get_appid_by_service_id(serviceId), vendor, version, nullptr); lua_pushnumber(L, retValue); return 1; @@ -722,9 +708,9 @@ static int service_failService(lua_State* L) CHECK_INPUTS(); - unsigned int retValue = AppIdServiceFailService(ud->validateParams.flowp, + unsigned int retValue = AppIdServiceFailService(ud->validateParams.asd, ud->validateParams.pkt, ud->validateParams.dir, ud->server.pServiceElement, - APPID_SESSION_DATA_NONE, ud->appid_config); + APPID_SESSION_DATA_NONE); lua_pushnumber(L, retValue); return 1; @@ -743,7 +729,7 @@ static int service_inProcessService(lua_State* L) CHECK_INPUTS(); - unsigned int retValue = AppIdServiceInProcess(ud->validateParams.flowp, ud->validateParams.pkt, + unsigned int retValue = AppIdServiceInProcess(ud->validateParams.asd, ud->validateParams.pkt, ud->validateParams.dir, ud->server.pServiceElement); lua_pushnumber(L, retValue); @@ -764,7 +750,7 @@ static int service_inCompatibleData(lua_State* L) CHECK_INPUTS(); - retValue = AppIdServiceIncompatibleData(ud->validateParams.flowp, + retValue = AppIdServiceIncompatibleData(ud->validateParams.asd, ud->validateParams.pkt, ud->validateParams.dir, ud->server.pServiceElement, APPID_SESSION_DATA_NONE, ud->appid_config); @@ -946,7 +932,7 @@ static int Detector_getProtocolType(lua_State* L) } lua_checkstack (L, 1); - // FIXIT-M: is this conversion to double valid? + // FIXIT-M is this conversion to double valid? lua_pushnumber(L, (double)ud->validateParams.pkt->get_ip_proto_next() ); return 1; } @@ -1043,7 +1029,7 @@ static int Detector_getPktCount(lua_State* L) } CLIENT_APP_RETCODE validateAnyClientApp( const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, Packet* pkt, Detector* detector ) + AppIdSession* asd, Packet* pkt, Detector* detector ) { Profile lua_profile_context(luaCustomPerfStats); @@ -1052,7 +1038,7 @@ CLIENT_APP_RETCODE validateAnyClientApp( const uint8_t* data, uint16_t size, con const char* validateFn; const char* clientName; - if (!data || !flowp || !pkt || !detector) + if (!data || !asd || !pkt || !detector) { return CLIENT_APP_ENULL; } @@ -1061,7 +1047,7 @@ CLIENT_APP_RETCODE validateAnyClientApp( const uint8_t* data, uint16_t size, con detector->validateParams.data = data; detector->validateParams.size = size; detector->validateParams.dir = dir; - detector->validateParams.flowp = flowp; + detector->validateParams.asd = asd; detector->validateParams.pkt = (Packet*)pkt; validateFn = detector->packageInfo.client.validateFunctionName.c_str(); clientName = detector->name.c_str(); @@ -1171,7 +1157,7 @@ static int service_addClient(lua_State* L) return 1; } - AppIdAddClientApp(ud->validateParams.flowp, serviceId, clienAppId, version); + AppIdAddClientApp(ud->validateParams.asd, serviceId, clienAppId, version); lua_pushnumber(L, 0); return 1; @@ -1195,8 +1181,9 @@ static int client_addApp(lua_State* L) return 1; } - ud->client.appModule.api->add_app(ud->validateParams.flowp, - get_appid_by_service_id(serviceId), get_appid_by_client_id(productId), version); + ud->client.appModule.api->add_app(ud->validateParams.asd, + AppInfoManager::get_instance().get_appid_by_service_id(serviceId), + AppInfoManager::get_instance().get_appid_by_client_id(productId), version); lua_pushnumber(L, 0); return 1; @@ -1217,7 +1204,7 @@ static int client_addInfo(lua_State* L) return 1; } - ud->client.appModule.api->add_info(ud->validateParams.flowp, info); + ud->client.appModule.api->add_info(ud->validateParams.asd, info); lua_pushnumber(L, 0); return 1; @@ -1240,8 +1227,8 @@ static int client_addUser(lua_State* L) return 1; } - ud->client.appModule.api->add_user(ud->validateParams.flowp, userName, - get_appid_by_service_id(serviceId), 1); + ud->client.appModule.api->add_user(ud->validateParams.asd, userName, + AppInfoManager::get_instance().get_appid_by_service_id(serviceId), 1); lua_pushnumber(L, 0); return 1; @@ -1262,8 +1249,8 @@ static int client_addPayload(lua_State* L) return 1; } - ud->client.appModule.api->add_payload(ud->validateParams.flowp, - get_appid_by_payload_id(payloadId)); + ud->client.appModule.api->add_payload(ud->validateParams.asd, + AppInfoManager::get_instance().get_appid_by_payload_id(payloadId)); lua_pushnumber(L, 0); return 1; @@ -1291,7 +1278,7 @@ static int Detector_getFlow(lua_State* L) } auto df = new DetectorFlow(); - df->pFlow = ud->validateParams.flowp; + df->asd = ud->validateParams.asd; UserData::push(L, DETECTORFLOW, df); df->myLuaState = L; @@ -1351,13 +1338,13 @@ int Detector_addHttpPattern(lua_State* L) uint8_t* pattern_str = (uint8_t*)snort_strdup(tmpString); uint32_t appId = lua_tointeger(L, index++); - + AppInfoManager& app_info_manager = AppInfoManager::get_instance(); HTTPListElement* element = (HTTPListElement*)snort_calloc(sizeof(HTTPListElement)); DetectorHTTPPattern* pattern = &element->detectorHTTPPattern; pattern->seq = seq; - pattern->service_id = get_appid_by_service_id(service_id); - pattern->client_app = get_appid_by_client_id(client_app); - pattern->payload = get_appid_by_payload_id(payload); + pattern->service_id = app_info_manager.get_appid_by_service_id(service_id); + pattern->client_app = app_info_manager.get_appid_by_client_id(client_app); + pattern->payload = app_info_manager.get_appid_by_payload_id(payload); pattern->pattern = pattern_str; pattern->pattern_size = (int)pattern_size; pattern->appId = appId; @@ -1372,10 +1359,10 @@ int Detector_addHttpPattern(lua_State* L) insert_http_pattern_element(pType, element); - set_app_info_active(pattern->service_id); - set_app_info_active(pattern->client_app); - set_app_info_active(pattern->payload); - set_app_info_active(appId); + app_info_manager.set_app_info_active(pattern->service_id); + app_info_manager.set_app_info_active(pattern->client_app); + app_info_manager.set_app_info_active(pattern->payload); + app_info_manager.set_app_info_active(appId); return 0; } @@ -1422,7 +1409,7 @@ int Detector_addSSLCertPattern(lua_State* L) UNUSED(type); #endif - set_app_info_active(app_id); + AppInfoManager::get_instance().set_app_info_active(app_id); return 0; } @@ -1504,7 +1491,7 @@ static int Detector_addSSLCnamePattern(lua_State* L) UNUSED(type); #endif - set_app_info_active(app_id); + AppInfoManager::get_instance().set_app_info_active(app_id); return 0; } @@ -1582,7 +1569,7 @@ static int Detector_addContentTypePattern(lua_State* L) detector->pattern_size = strlen((char*)pattern); detector->appId = appId; insert_content_type_pattern(element); - set_app_info_active(appId); + AppInfoManager::get_instance().set_app_info_active(appId); return 0; } @@ -1673,27 +1660,24 @@ static inline int CHPGetPatternDataAndSize(lua_State* L, int index, char** patte *pattern_size = 0; *pattern_data = nullptr; tmpString = lua_tolstring(L, index, &*pattern_size); - // FIXIT-M: recode all this to something elegant since snort_strdup can't fail (just like Rudy) // non-empty pattern required - if (!tmpString || !*pattern_size || !(*pattern_data = snort_strdup(tmpString))) + if (!tmpString || !*pattern_size) { - if (*pattern_size) // implies snort_strdup() failed - ErrorMessage("LuaDetectorApi:CHP Action PATTERN string mem alloc failed."); - else - ErrorMessage("LuaDetectorApi:Invalid CHP Action PATTERN string."); // empty string in - // Lua code - bad + ErrorMessage("LuaDetectorApi:Invalid CHP Action PATTERN string."); return -1; } + *pattern_data = snort_strdup(tmpString); return 0; } static inline int CHPGetActionType(lua_State* L, int index, ActionType* action_type) { *action_type = (ActionType)lua_tointeger(L, index); - // FIXIT-M: many lua detectors call this with action_type == 14, max is set to 14...is this an issue or a feature if (*action_type < NO_ACTION || *action_type > MAX_ACTION_TYPE) { - WarningMessage("LuaDetectorApi:Incompatible CHP Action type, might be for a later version."); + WarningMessage( + "LuaDetectorApi:Unsupported CHP Action type: %d, possible version mismatch.", + *action_type); return -1; } return 0; @@ -1764,13 +1748,13 @@ static int detector_add_chp_action(AppId appIdInstance, int isKeyPattern, Patter if (actionType == GET_OFFSETS_FROM_REBUILT) { /* This is a search engine and it is SUPPORTED for safe-search packet rewrite */ - appInfoEntryFlagSet(CHP_APPIDINSTANCE_TO_ID(appIdInstance), APPINFO_FLAG_SEARCH_ENGINE | + AppInfoManager::get_instance().set_app_info_flags(CHP_APPIDINSTANCE_TO_ID(appIdInstance), APPINFO_FLAG_SEARCH_ENGINE | APPINFO_FLAG_SUPPORTED_SEARCH); } else if (actionType == SEARCH_UNSUPPORTED) { /* This is a search engine and it is UNSUPPORTED for safe-search packet rewrite */ - appInfoEntryFlagSet(CHP_APPIDINSTANCE_TO_ID(appIdInstance), APPINFO_FLAG_SEARCH_ENGINE); + AppInfoManager::get_instance().set_app_info_flags(CHP_APPIDINSTANCE_TO_ID(appIdInstance), APPINFO_FLAG_SEARCH_ENGINE); } return 0; } @@ -2154,14 +2138,12 @@ static int Detector_addAppUrl(lua_State* L) queryPattern = (uint8_t*)snort_strdup(tmpString); uint32_t appId = lua_tointeger(L, index++); - - /* Allocate memory for data structures */ + AppInfoManager& app_info_manager = AppInfoManager::get_instance(); DetectorAppUrlPattern* pattern = (DetectorAppUrlPattern*)snort_calloc(sizeof(DetectorAppUrlPattern)); - - pattern->userData.service_id = get_appid_by_service_id(service_id); - pattern->userData.client_app = get_appid_by_client_id(client_app); - pattern->userData.payload = get_appid_by_payload_id(payload); + pattern->userData.service_id = app_info_manager.get_appid_by_service_id(service_id); + pattern->userData.client_app = app_info_manager.get_appid_by_client_id(client_app); + pattern->userData.payload = app_info_manager.get_appid_by_payload_id(payload); pattern->userData.appId = appId; pattern->userData.query.pattern = queryPattern; pattern->userData.query.patternSize = queryPatternSize; @@ -2173,10 +2155,10 @@ static int Detector_addAppUrl(lua_State* L) pattern->patterns.scheme.patternSize = (int)schemePatternSize; insert_url_pattern(pattern); - set_app_info_active(pattern->userData.service_id); - set_app_info_active(pattern->userData.client_app); - set_app_info_active(pattern->userData.payload); - set_app_info_active(appId); + app_info_manager.set_app_info_active(pattern->userData.service_id); + app_info_manager.set_app_info_active(pattern->userData.client_app); + app_info_manager.set_app_info_active(pattern->userData.payload); + app_info_manager.set_app_info_active(appId); return 0; } @@ -2210,39 +2192,36 @@ static int Detector_addRTMPUrl(lua_State* L) /* Verify that host pattern is a valid string */ size_t hostPatternSize = 0; - uint8_t* hostPattern = nullptr; tmpString = lua_tolstring(L, index++, &hostPatternSize); - // FIXIT-L: recode all this to something elegant since snort_strdup can't fail (just like Rudy) - if (!tmpString || !hostPatternSize || !(hostPattern = (uint8_t*)snort_strdup(tmpString))) + if (!tmpString || !hostPatternSize) { ErrorMessage("Invalid host pattern string."); return 0; } + u_int8_t* hostPattern = (u_int8_t*)snort_strdup(tmpString); /* Verify that path pattern is a valid string */ size_t pathPatternSize = 0; - uint8_t* pathPattern = nullptr; tmpString = lua_tolstring(L, index++, &pathPatternSize); - // FIXIT-L: recode all this to something elegant since snort_strdup can't fail (just like Rudy) - if (!tmpString || !pathPatternSize || !(pathPattern = (uint8_t*)snort_strdup(tmpString))) + if (!tmpString || !pathPatternSize) { ErrorMessage("Invalid path pattern string."); snort_free(hostPattern); return 0; } + u_int8_t* pathPattern = (u_int8_t*)snort_strdup(tmpString); /* Verify that scheme pattern is a valid string */ size_t schemePatternSize; - uint8_t* schemePattern = nullptr; tmpString = lua_tolstring(L, index++, &schemePatternSize); - // FIXIT-L: recode all this to something elegant since snort_strdup can't fail (just like Rudy) - if (!tmpString || !schemePatternSize || !(schemePattern = (uint8_t*)snort_strdup(tmpString))) + if (!tmpString || !schemePatternSize) { ErrorMessage("Invalid scheme pattern string."); snort_free(pathPattern); snort_free(hostPattern); return 0; } + u_int8_t* schemePattern = (u_int8_t*)snort_strdup(tmpString); /* Verify that query pattern is a valid string */ size_t queryPatternSize; @@ -2251,11 +2230,11 @@ static int Detector_addRTMPUrl(lua_State* L) if (tmpString && queryPatternSize) queryPattern = (uint8_t*)snort_strdup(tmpString); - uint32_t appId = lua_tointeger(L, index++); + u_int32_t appId = lua_tointeger(L, index++); /* Allocate memory for data structures */ - DetectorAppUrlPattern* pattern = (DetectorAppUrlPattern*)snort_calloc( - sizeof(DetectorAppUrlPattern)); + DetectorAppUrlPattern* pattern = + (DetectorAppUrlPattern*)snort_calloc(sizeof(DetectorAppUrlPattern)); /* we want to put these patterns in just like for regular Urls, but we do NOT need legacy IDs for them. * so just use the appID for service, client, or payload ID */ @@ -2273,10 +2252,11 @@ static int Detector_addRTMPUrl(lua_State* L) pattern->patterns.scheme.patternSize = (int)schemePatternSize; insert_rtmp_url_pattern(pattern); - set_app_info_active(pattern->userData.service_id); - set_app_info_active(pattern->userData.client_app); - set_app_info_active(pattern->userData.payload); - set_app_info_active(appId); + AppInfoManager& app_info_manager = AppInfoManager::get_instance(); + app_info_manager.set_app_info_active(pattern->userData.service_id); + app_info_manager.set_app_info_active(pattern->userData.client_app); + app_info_manager.set_app_info_active(pattern->userData.payload); + app_info_manager.set_app_info_active(appId); return 0; } @@ -2313,7 +2293,7 @@ static int Detector_addSipUserAgent(lua_State* L) sipUaPatternAdd(client_app, clientVersion, uaPattern); - set_app_info_active(client_app); + AppInfoManager::get_instance().set_app_info_active(client_app); return 0; } @@ -2341,7 +2321,7 @@ static int openCreateApp(lua_State* L) return 1; /*number of results */ } - AppInfoTableEntry* entry = appInfoEntryCreate(tmpString); + AppInfoTableEntry* entry = AppInfoManager::get_instance().add_dynamic_app_entry(tmpString); if (entry) { @@ -2361,8 +2341,7 @@ static int openAddClientApp(lua_State* L) serviceAppId = lua_tonumber(L, 2); clienAppId = lua_tonumber(L, 3); - /*check inputs and whether this function is called in context of a - packet */ + // check inputs and whether this function is called in context of a packet if ( !ud->validateParams.pkt ) { lua_pushnumber(L, -1); @@ -2375,7 +2354,7 @@ static int openAddClientApp(lua_State* L) return 1; } - ud->client.appModule.api->add_app(ud->validateParams.flowp, serviceAppId, + ud->client.appModule.api->add_app(ud->validateParams.asd, serviceAppId, clienAppId, ""); lua_pushnumber(L, 0); @@ -2404,7 +2383,7 @@ static int openAddServiceApp(lua_State* L) /*Phase2 - discuss RNAServiceSubtype will be maintained on lua side therefore the last parameter on the following call is nullptr. Subtype is not displayed on DC at present. */ - retValue = AppIdServiceAddService(ud->validateParams.flowp, ud->validateParams.pkt, + retValue = AppIdServiceAddService(ud->validateParams.asd, ud->validateParams.pkt, ud->validateParams.dir, ud->server.pServiceElement, serviceId, nullptr, nullptr, nullptr); @@ -2434,7 +2413,7 @@ static int openAddPayloadApp(lua_State* L) return 1; } - ud->client.appModule.api->add_payload(ud->validateParams.flowp, payloadAppId); + ud->client.appModule.api->add_payload(ud->validateParams.asd, payloadAppId); lua_pushnumber(L, 0); return 1; @@ -2496,9 +2475,10 @@ static int openAddHttpPattern(lua_State* L) pattern->appId = APP_ID_NONE; insert_http_pattern_element(pType, element); - set_app_info_active(serviceAppId); - set_app_info_active(clienAppId); - set_app_info_active(payloadAppId); + AppInfoManager& app_info_manager = AppInfoManager::get_instance(); + app_info_manager.set_app_info_active(serviceAppId); + app_info_manager.set_app_info_active(clienAppId); + app_info_manager.set_app_info_active(payloadAppId); return 0; } @@ -2578,9 +2558,10 @@ static int openAddUrlPattern(lua_State* L) pattern->patterns.scheme.patternSize = (int)schemePatternSize; insert_app_url_pattern(pattern); - set_app_info_active(serviceAppId); - set_app_info_active(clienAppId); - set_app_info_active(payloadAppId); + AppInfoManager& app_info_manager = AppInfoManager::get_instance(); + app_info_manager.set_app_info_active(serviceAppId); + app_info_manager.set_app_info_active(clienAppId); + app_info_manager.set_app_info_active(payloadAppId); return 0; } @@ -2638,7 +2619,7 @@ static int addPortPatternClient(lua_State* L) pPattern->detectorName = snort_strdup(ud->name.c_str()); insert_client_port_pattern(pPattern); - set_app_info_active(appId); + AppInfoManager::get_instance().set_app_info_active(appId); return 0; } @@ -2689,7 +2670,7 @@ static int addPortPatternService(lua_State* L) //insert ports in order. insert_service_port_pattern(pPattern); - set_app_info_active(appId); + AppInfoManager::get_instance().set_app_info_active(appId); return 0; } @@ -2724,12 +2705,12 @@ static int Detector_addSipServer(lua_State* L) return 0; } - // FIXIT-M: uncomment when sip detector is included in the build + // FIXIT-M uncomment when sip detector is included in the build #ifdef REMOVED_WHILE_NOT_IN_USE sipServerPatternAdd(client_app, clientVersion, uaPattern, &ud->appid_config->detectorSipConfig); #endif - set_app_info_active(client_app); + AppInfoManager::get_instance().set_app_info_active(client_app); return 0; } @@ -2794,7 +2775,7 @@ static int createFutureFlow(lua_State* L) app_id_to_snort = lua_tointeger(L, 10); if (app_id_to_snort > APP_ID_NONE) { - AppInfoTableEntry* entry = appInfoEntryGet(app_id_to_snort); + AppInfoTableEntry* entry = AppInfoManager::get_instance().get_app_info_entry(app_id_to_snort); if (nullptr == entry) return 0; snort_app_id = entry->snortId; @@ -2810,7 +2791,7 @@ static int createFutureFlow(lua_State* L) fp->serviceAppId = service_app_id; fp->client_app_id = client_app_id; fp->payload_app_id = payload_app_id; - fp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE | + fp->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_PORT_SERVICE_DONE); fp->rnaServiceState = RNA_STATE_FINISHED; fp->rna_client_state = RNA_STATE_FINISHED; @@ -2994,18 +2975,20 @@ void Detector_fini(void* data) lua_close(myLuaState); } -/**Garbage collector hook function. Called when Lua side garbage collects detector api instance. Current design is to allocate - * one of each luaState, detector and detectorUserData buffers, and hold these buffers till RNA exits. SigHups processing - * reuses the buffers and calls DetectorInit to reinitialize. RNA ensures that UserData is not garbage collected, by - * creating a reference in LUA_REGISTRY table. The reference is released only on RNA exit. +/* Garbage collector hook function. Called when Lua side garbage collects detector + * api instance. Current design is to allocate one of each luaState, detector and + * detectorUserData buffers, and hold these buffers till RNA exits. SigHups processing + * reuses the buffers and calls DetectorInit to reinitialize. RNA ensures that + * UserData is not garbage collected, by creating a reference in LUA_REGISTRY + * table. The reference is released only on RNA exit. * - * If in future, one needs to free any of these buffers then one should consider references to detector buffer in RNAServiceElement - * stored in flows and hostServices data structures. Other detectors at this time create one static instance for the lifetime of RNA, - * and therefore we have adopted the same principle for Lua Detecotors. + * If in future, one needs to free any of these buffers then one should consider + * references to detector buffer in RNAServiceElement stored in flows and hostServices + * data structures. Other detectors at this time create one static instance for the + * lifetime of RNA, and therefore we have adopted the same principle for Lua Detecotors. */ static int Detector_gc(lua_State*) { - // FIXIT-M Does Detector_gc need to not be a no-op return 0; } diff --git a/src/network_inspectors/appid/lua_detector_api.h b/src/network_inspectors/appid/lua_detector_api.h index 1819dda4f..17fec6784 100644 --- a/src/network_inspectors/appid/lua_detector_api.h +++ b/src/network_inspectors/appid/lua_detector_api.h @@ -45,9 +45,9 @@ struct DetectorPackageInfo { struct UniInfo { - std::string initFunctionName; // FIXIT-M: clean this up = "DetectorInit"; // client init function - std::string cleanFunctionName; // = "DetectorClean"; // client clean function - std::string validateFunctionName; // = "DetectorValidate"; // client validate function + std::string initFunctionName; + std::string cleanFunctionName; + std::string validateFunctionName; int minimum_matches = 0; }; @@ -62,8 +62,7 @@ struct Detector { ~Detector(); - /**Identifies customer created detectors using SDL. */ - bool isCustom; + bool isCustom; // true for customer created detectors bool isActive; bool wasActive; @@ -72,54 +71,32 @@ struct Detector const uint8_t* data; uint16_t size; int dir; - AppIdSession* flowp; + AppIdSession* asd; Packet* pkt; uint8_t macAddress[6]; } validateParams; - /**Pointer to flow created by a validator. - */ - AppIdSession* pFlow; - struct { unsigned int serviceId; - - /**present only for server detectors*/ RNAServiceValidationModule serviceModule; - - /**calloced buffer to satisfy internal flow API. - */ RNAServiceElement* pServiceElement; } server; - /**constructed from packageInfo read from lua detector directly. Present - * only for client detectors. - */ struct { - /**application fingerprint id.*/ unsigned int appFpId; - - /**Client Application Module. */ RNAClientAppModule appModule; } client; + AppIdSession* pFlow; lua_State* myLuaState; - - /**Reference to lua userdata. This is a key into LUA_REGISTRYINDEX */ - int detectorUserDataRef; - - std::string name; // lua file name is used as detector name - - /**Package information retrieved from detector lua file. - */ + int detectorUserDataRef; // key into LUA_REGISTRYINDEX + std::string name; DetectorPackageInfo packageInfo; - unsigned detector_version; char* validatorBuffer; unsigned char digest[16]; - AppIdConfig* appid_config; }; diff --git a/src/network_inspectors/appid/lua_detector_flow_api.cc b/src/network_inspectors/appid/lua_detector_flow_api.cc index 578224b46..f0ee66276 100644 --- a/src/network_inspectors/appid/lua_detector_flow_api.cc +++ b/src/network_inspectors/appid/lua_detector_flow_api.cc @@ -217,10 +217,10 @@ static int DetectorFlow_new(lua_State* L) sflist_add_tail(&allocatedFlowList, detector_flow); - detector_flow->pFlow = AppIdSession::create_future_session(detector_data->validateParams.pkt, &saddr, + detector_flow->asd = AppIdSession::create_future_session(detector_data->validateParams.pkt, &saddr, sport, &daddr, dport, proto, 0, 0); - if (!detector_flow->pFlow) + if (!detector_flow->asd) { /*calloced buffer will be freed later after the current packet is processed. */ lua_pop(L, 1); @@ -264,7 +264,7 @@ static int DetectorFlow_setFlowFlag(lua_State* L) flags = lua_tonumber(L, 2); flags = ConvertFlagsLuaToC(flags); - pLuaData->pFlow->setAppIdFlag(flags); + pLuaData->asd->set_session_flags(flags); return 0; } @@ -288,7 +288,7 @@ static int DetectorFlow_getFlowFlag(lua_State* L) flags = lua_tonumber(L, 2); flags = ConvertFlagsLuaToC(flags); - ret = pLuaData->pFlow->getAppIdFlag(flags); + ret = pLuaData->asd->get_session_flags(flags); ret = ConvertFlagsCToLua(ret); lua_pushnumber(L, ret); @@ -312,7 +312,7 @@ static int DetectorFlow_clearFlowFlag(lua_State* L) flags = lua_tonumber(L, 2); flags = ConvertFlagsLuaToC(flags); - pLuaData->pFlow->clearAppIdFlag(flags); + pLuaData->asd->clear_session_flags(flags); return 0; } @@ -370,8 +370,8 @@ static int DetectorFlow_getFlowKey(lua_State* L) auto& pLuaData = *UserData::check(L, DETECTORFLOW, 1); assert(pLuaData.ptr); - lua_pushlstring(L, (char*)&pLuaData->pFlow->id, - sizeof(pLuaData->pFlow->id)); + lua_pushlstring(L, (char*)&pLuaData->asd->session_id, + sizeof(pLuaData->asd->session_id)); return 1; } diff --git a/src/network_inspectors/appid/lua_detector_flow_api.h b/src/network_inspectors/appid/lua_detector_flow_api.h index b47bf15d8..ec3c0ce79 100644 --- a/src/network_inspectors/appid/lua_detector_flow_api.h +++ b/src/network_inspectors/appid/lua_detector_flow_api.h @@ -30,9 +30,8 @@ class AppIdSession; struct DetectorFlow { - // FIXIT-M why is the lua state and user data ref on this object? lua_State* myLuaState; - AppIdSession* pFlow; + AppIdSession* asd; int userDataRef; }; diff --git a/src/network_inspectors/appid/lua_detector_module.cc b/src/network_inspectors/appid/lua_detector_module.cc index 987f98842..3e5f041f1 100644 --- a/src/network_inspectors/appid/lua_detector_module.cc +++ b/src/network_inspectors/appid/lua_detector_module.cc @@ -51,9 +51,6 @@ #define LUA_DETECTOR_FILENAME_MAX 1024 THREAD_LOCAL SF_LIST allocatedFlowList; /*list of flows allocated. */ -static uint32_t gLuaTrackerSize = 0; -static unsigned gNumDetectors = 0; -static unsigned gNumActiveDetectors; static inline bool match_char_set(char c, const char* set) { @@ -154,7 +151,7 @@ static inline bool get_lua_field( return result; } -static lua_State* createLuaState() +static lua_State* create_lua_state() { auto L = luaL_newstate(); luaL_openlibs(L); @@ -188,10 +185,11 @@ static lua_State* createLuaState() // set lua library paths char extra_path_buffer[PATH_MAX]; + // FIXIT-L compute this path in the appid config module and return it ready to use snprintf( extra_path_buffer, PATH_MAX-1, "%s/odp/libs/?.lua;%s/custom/libs/?.lua", - pAppidActiveConfig->mod_config->app_detector_dir, - pAppidActiveConfig->mod_config->app_detector_dir); + AppIdConfig::get_appid_config()->mod_config->app_detector_dir, + AppIdConfig::get_appid_config()->mod_config->app_detector_dir); const int save_top = lua_gettop(L); if ( get_lua_ns(L, "package.path") ) @@ -208,8 +206,7 @@ static lua_State* createLuaState() return L; } -// fetch or create packageInfo defined inside lua detector -static void getDetectorPackageInfo(Detector* detector) +static void get_detector_package_info(Detector* detector) { auto L = detector->myLuaState; Lua::ManageStack mgr(L); @@ -257,56 +254,17 @@ static void getDetectorPackageInfo(Detector* detector) lua_pop(L, 1); /*pop DetectorPackageInfo table */ } -/**Calls DetectorInit function inside lua detector. - * Calls initialization function as defined in packageInfo, which reads either user defined name - * or DetectorInit symbol. Pushes detectorUserData on stack as input parameter and the calls the - * function. Notice * that on error, lua_state is not closed. This keeps faulty detectors around - * without using it, but it keeps wrapping functions simpler. - */ -static void luaServerInit(Detector* detector) -{ - const auto& name = detector->name; - auto L = detector->myLuaState; - const auto& server = detector->packageInfo.server; - - lua_getglobal(L, server.initFunctionName.c_str()); - if (!lua_isfunction(L, -1)) - return; - - /*first parameter is DetectorUserData */ - lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef); - if ( lua_pcall(L, 1, 1, 0) ) - { - ErrorMessage("error loading lua Detector %s, error %s\n", - name.c_str(), lua_tostring(L, -1)); - return; - } - else - { - if ( detector->server.pServiceElement ) - detector->server.pServiceElement->ref_count = 1; - - DebugFormat(DEBUG_APPID, "Initialized %s\n", name.c_str()); - } -} - -/**Calls init function inside lua detector. - * Calls initialization function as defined in packageInfo. Pushes detectorUserData on stack - * as input parameter and the calls the function. Notice * that on error, lua_state is not - * closed. This keeps faulty detectors around without using it, but it keeps wrapping functions - * simpler. - */ -static void luaClientInit(Detector* detector) +static void clean_client_detector(Detector* detector) { auto L = detector->myLuaState; const auto& client = detector->packageInfo.client; - assert(!client.initFunctionName.empty()); + assert(!client.cleanFunctionName.empty() ); - lua_getglobal(L, client.initFunctionName.c_str()); + lua_getglobal(L, client.cleanFunctionName.c_str()); if (!lua_isfunction(L, -1)) { - ErrorMessage("Detector %s: does not contain DetectorInit() function\n", + ErrorMessage("Detector %s: does not contain DetectorFini() function\n", detector->name.c_str()); return; } @@ -314,48 +272,45 @@ static void luaClientInit(Detector* detector) /*first parameter is DetectorUserData */ lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef); - /*second parameter is a table containing configuration stuff. */ - // ... which is empty.??? - lua_newtable(L); - - if ( lua_pcall(L, 2, 1, 0) ) + if ( lua_pcall(L, 1, 1, 0) ) { - ErrorMessage("Could not initialize the %s client app element: %s\n", + ErrorMessage("Could not cleanup the %s client app element: %s\n", detector->name.c_str(), lua_tostring(L, -1)); - return; - } - else - { - DebugFormat(DEBUG_APPID, "Initialized %s\n", detector->name.c_str()); } } -static void luaClientFini(Detector* detector) +LuaDetectorManager::LuaDetectorManager() { - auto L = detector->myLuaState; - const auto& client = detector->packageInfo.client; - - assert(!client.cleanFunctionName.empty() ); + sflist_init(&allocatedFlowList); + allocated_detectors.clear(); +} - lua_getglobal(L, client.cleanFunctionName.c_str()); - if (!lua_isfunction(L, -1)) +LuaDetectorManager::~LuaDetectorManager() +{ + for ( auto& detector : allocated_detectors ) { - ErrorMessage("Detector %s: does not contain DetectorFini() function\n", - detector->name.c_str()); - return; - } - - /*first parameter is DetectorUserData */ - lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef); + if ( detector->isActive && !detector->packageInfo.client.initFunctionName.empty() ) + clean_client_detector(detector); - if ( lua_pcall(L, 1, 1, 0) ) - { - ErrorMessage("Could not cleanup the %s client app element: %s\n", - detector->name.c_str(), lua_tostring(L, -1)); + delete detector; } + + sflist_static_free_all(&allocatedFlowList, freeDetectorFlow); + allocated_detectors.clear(); } -static inline void setLuaTrackerSize(lua_State* L, uint32_t numTrackers) +/**calculates Number of flow and host tracker entries for Lua detectors, given amount + * of memory allocated to RNA (fraction of total system memory) and number of detectors + * loaded in database. Calculations are based on CAICCI detector and observing memory + * consumption per tracker. + * @param rnaMemory - total memory RNA is allowed to use. This is calculated as a fraction of + * total system memory. + * @param numDetectors - number of lua detectors present in database. + */ +#define LUA_TRACKERS_MAX 10000 +#define LUA_TRACKER_AVG_MEM_BYTES 740 + +static inline void set_lua_tracker_size(lua_State* L, uint32_t numTrackers) { /*change flow tracker size according to available memory calculation */ lua_getglobal(L, "hostServiceTrackerModule"); @@ -394,31 +349,24 @@ static inline void setLuaTrackerSize(lua_State* L, uint32_t numTrackers) lua_pop(L, 1); } -LuaDetectorManager::LuaDetectorManager() -{ - sflist_init(&allocatedFlowList); - allocatedDetectorList.clear(); -} - -LuaDetectorManager::~LuaDetectorManager() +static inline uint32_t compute_lua_tracker_size(uint64_t rnaMemory, uint32_t numDetectors) { - for ( auto& detector : allocatedDetectorList ) - if ( !detector->packageInfo.client.initFunctionName.empty() ) - luaClientFini(detector); + uint64_t detectorMemory = (rnaMemory / 8); + unsigned numTrackers; - sflist_static_free_all(&allocatedFlowList, freeDetectorFlow); - for ( auto& detector : allocatedDetectorList ) - delete detector; - allocatedDetectorList.clear();} + if (!numDetectors) + numDetectors = 1; + numTrackers = (detectorMemory / LUA_TRACKER_AVG_MEM_BYTES) / numDetectors; + return (numTrackers > LUA_TRACKERS_MAX) ? LUA_TRACKERS_MAX : numTrackers; +} -void LuaDetectorManager::luaCustomLoad( char* detectorName, char* validator, +void LuaDetectorManager::initialize_lua_detector( const char* detectorName, char* validator, unsigned int validatorLen, unsigned char* const digest, AppIdConfig* pConfig, bool isCustom) { Detector* detector; - RNAClientAppModule* cam = nullptr; - lua_State* L = createLuaState(); + lua_State* L = create_lua_state(); if ( !L ) { ErrorMessage("can not create new luaState"); @@ -443,7 +391,7 @@ void LuaDetectorManager::luaCustomLoad( char* detectorName, char* validator, return; } - getDetectorPackageInfo(detector); + get_detector_package_info(detector); detector->validatorBuffer = validator; detector->isActive = true; detector->appid_config = pConfig; @@ -451,10 +399,10 @@ void LuaDetectorManager::luaCustomLoad( char* detectorName, char* validator, if ( detector->packageInfo.server.initFunctionName.empty() ) { - //assert(false); // FIXIT-M cam is null at this point so... WOMP + RNAClientAppModule* cam = nullptr; detector->client.appFpId = APP_ID_UNKNOWN; cam = &detector->client.appModule; - // cam->name = detector->packageInfo.name; + cam->name = detector->packageInfo.name.c_str(); cam->proto = detector->packageInfo.proto; cam->validate = validateAnyClientApp; cam->minimum_matches = detector->packageInfo.client.minimum_matches; @@ -476,34 +424,13 @@ void LuaDetectorManager::luaCustomLoad( char* detectorName, char* validator, } memcpy(detector->digest, digest, sizeof(detector->digest)); - allocatedDetectorList.push_front(detector); - gNumDetectors++; + allocated_detectors.push_front(detector); + num_lua_detectors++; DebugFormat(DEBUG_LOG,"Loaded detector %s\n", detectorName); } -/**calculates Number of flow and host tracker entries for Lua detectors, given amount - * of memory allocated to RNA (fraction of total system memory) and number of detectors - * loaded in database. Calculations are based on CAICCI detector and observing memory - * consumption per tracker. - * @param rnaMemory - total memory RNA is allowed to use. This is calculated as a fraction of - * total system memory. - * @param numDetectors - number of lua detectors present in database. - */ -#define LUA_TRACKERS_MAX 10000 -#define LUA_TRACKER_AVG_MEM_BYTES 740 - -static inline uint32_t calculateLuaTrackerSize(uint64_t rnaMemory, uint32_t numDetectors) -{ - uint64_t detectorMemory = (rnaMemory/8); - unsigned numTrackers; - if (!numDetectors) - numDetectors = 1; - numTrackers = (detectorMemory/LUA_TRACKER_AVG_MEM_BYTES)/numDetectors; - return (numTrackers > LUA_TRACKERS_MAX) ? LUA_TRACKERS_MAX : numTrackers; -} - -void LuaDetectorManager::loadCustomLuaModules(char* path, AppIdConfig* pConfig, bool isCustom) +void LuaDetectorManager::validate_lua_detector(const char* path, AppIdConfig* pConfig, bool isCustom) { unsigned n; FILE* file; @@ -575,13 +502,13 @@ void LuaDetectorManager::loadCustomLuaModules(char* path, AppIdConfig* pConfig, // FIXIT-M this finds the wrong detector -- it should be find_last_of auto it = std::find_if( - allocatedDetectorList.begin(), - allocatedDetectorList.end(), + allocated_detectors.begin(), + allocated_detectors.end(), [&detectorName](const Detector* d) { return d->name == detectorName; }); - if ( it != allocatedDetectorList.end() ) + if ( it != allocated_detectors.end() ) { Detector* detector = *it; if ( !memcmp(digest, detector->digest, sizeof(digest)) ) @@ -592,143 +519,141 @@ void LuaDetectorManager::loadCustomLuaModules(char* path, AppIdConfig* pConfig, } } - luaCustomLoad(detectorName, (char*)validatorBuffer, validatorBufferLen, digest, pConfig, + initialize_lua_detector(detectorName, (char*)validatorBuffer, validatorBufferLen, digest, pConfig, isCustom); } globfree(&globs); } -void LuaDetectorManager::FinalizeLuaModules() +// These functions call the 'DetectorInit' function of the lua detector. +// Calls initialization function as defined in packageInfo, which reads either user defined name +// or DetectorInit symbol. Pushes detectorUserData on stack as input parameter and the calls the +// function. Notice * that on error, lua_state is not closed. This keeps faulty detectors around +// without using it, but it keeps wrapping functions simpler. +static void init_service_detector(Detector* detector) { - gNumActiveDetectors = 0; + const auto& name = detector->name; + auto L = detector->myLuaState; + const auto& server = detector->packageInfo.server; - for ( auto& detector : allocatedDetectorList ) - { - if ( detector->isActive ) - { - ++gNumActiveDetectors; + lua_getglobal(L, server.initFunctionName.c_str()); + if (!lua_isfunction(L, -1)) + return; - if ( detector->server.pServiceElement ) - detector->server.pServiceElement->current_ref_count = - detector->server.pServiceElement->ref_count; - } + /*first parameter is DetectorUserData */ + lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef); + if ( lua_pcall(L, 1, 1, 0) ) + { + ErrorMessage("error loading lua Detector %s, error %s\n", + name.c_str(), lua_tostring(L, -1)); + return; } - - luaDetectorsSetTrackerSize(); -} - -void LuaDetectorManager::LoadLuaModules(AppIdConfig* pConfig) -{ - for ( auto& detector : allocatedDetectorList ) + else { - detector->wasActive = detector->isActive; - detector->isActive = 0; - if ( detector->server.pServiceElement ) - detector->server.pServiceElement->ref_count = 0; - } + detector->server.pServiceElement->ref_count = 1; - char path[PATH_MAX]; - snprintf(path, sizeof(path), "%s/odp/lua", pAppidActiveConfig->mod_config->app_detector_dir); - loadCustomLuaModules(path, pConfig, 0); - snprintf(path, sizeof(path), "%s/custom/lua", - pAppidActiveConfig->mod_config->app_detector_dir); - loadCustomLuaModules(path, pConfig, 1); - // luaDetectorsCleanInactive(); + DebugFormat(DEBUG_APPID, "Initialized %s\n", name.c_str()); + } } -void LuaDetectorManager::luaDetectorsUnload() +static void init_client_detector(Detector* detector) { - for ( auto& detector : allocatedDetectorList ) + auto L = detector->myLuaState; + const auto& client = detector->packageInfo.client; + + assert(!client.initFunctionName.empty()); + + lua_getglobal(L, client.initFunctionName.c_str()); + if (!lua_isfunction(L, -1)) { - if ( detector->isActive && !detector->packageInfo.server.initFunctionName.empty()) - detectorRemoveAllPorts(detector); + ErrorMessage("Detector %s: does not contain DetectorInit() function\n", + detector->name.c_str()); + return; + } - if ( detector->isActive && !detector->packageInfo.client.initFunctionName.empty() ) - luaClientFini(detector); + /*first parameter is DetectorUserData */ + lua_rawgeti(L, LUA_REGISTRYINDEX, detector->detectorUserDataRef); - detector->isActive = false; + /*second parameter is a table containing configuration stuff. */ + // ... which is empty.??? + lua_newtable(L); - if (detector->server.pServiceElement) - detector->server.pServiceElement->ref_count = 0; + if ( lua_pcall(L, 2, 1, 0) ) + { + ErrorMessage("Could not initialize the %s client app element: %s\n", + detector->name.c_str(), lua_tostring(L, -1)); + return; } - - gNumActiveDetectors = 0; } -void LuaDetectorManager::luaDetectorsSetTrackerSize() +void LuaDetectorManager::init_lua_service_detectors() { - gLuaTrackerSize = calculateLuaTrackerSize(512*1024*1024, gNumActiveDetectors); - - DebugFormat(DEBUG_APPID, " Setting tracker size to %u\n", gLuaTrackerSize); + for ( auto& detector : allocated_detectors ) + init_service_detector(detector); +} - for ( auto& detector : allocatedDetectorList ) - { - if ( detector->isActive ) - setLuaTrackerSize(detector->myLuaState, gLuaTrackerSize); - } +void LuaDetectorManager::init_lua_client_detectors() +{ + for ( auto& detector : allocated_detectors ) + if ( detector->isActive && !detector->packageInfo.client.initFunctionName.empty() ) + init_client_detector(detector); } -void LuaDetectorManager::UnloadLuaModules(AppIdConfig*) +void LuaDetectorManager::activate_lua_detectors() { - for ( auto& detector : allocatedDetectorList ) - { - if ( detector->wasActive ) + init_lua_client_detectors(); + init_lua_service_detectors(); + + for ( auto& detector : allocated_detectors ) + if ( detector->isActive ) { - if ( detector->client.appFpId ) - luaClientFini(detector); + ++num_active_lua_detectors; - detector->wasActive = false; + if ( detector->server.pServiceElement ) + detector->server.pServiceElement->current_ref_count = + detector->server.pServiceElement->ref_count; } - } -} -/**Reconfigure all Lua modules. - * Iterates over all Lua detectors in system and reconfigures them. This - * will however not read rna_csd_validator_map table again to check for - * newly activated or deactivate detectors. Current design calls for restarting - * RNA whenever detectors are activated/deactivated. - */ -void LuaDetectorManager::luaModuleInitAllServices() -{ - for ( auto& detector : allocatedDetectorList ) - luaServerInit(detector); + lua_tracker_size = compute_lua_tracker_size(512*1024*1024, num_active_lua_detectors); + for ( auto& detector : allocated_detectors ) + { + if ( detector->isActive ) + set_lua_tracker_size(detector->myLuaState, lua_tracker_size); + } } -/**Reconfigure all Lua modules. - * Iterates over all Lua detectors in system and reconfigures them. This - * will however not read rna_csd_validator_map table again to check for - * newly activated or deactivate detectors. Current design calls for restarting - * RNA whenever detectors are activated/deactivated. - */ -void LuaDetectorManager::luaModuleInitAllClients() +void LuaDetectorManager::load_lua_detectors(AppIdConfig* pConfig) { - for ( auto& detector : allocatedDetectorList ) - if ( detector->isActive && !detector->packageInfo.client.initFunctionName.empty() ) - luaClientInit(detector); + char path[PATH_MAX]; + snprintf(path, sizeof(path), "%s/odp/lua", + AppIdConfig::get_appid_config()->mod_config->app_detector_dir); + validate_lua_detector(path, pConfig, 0); + snprintf(path, sizeof(path), "%s/custom/lua", + AppIdConfig::get_appid_config()->mod_config->app_detector_dir); + validate_lua_detector(path, pConfig, 1); } void LuaDetectorManager::list_lua_detectors() { + // FIXIT-L make these perf counters size_t totalMem = 0; size_t mem; - uint32_t total_detectors = 0; - if ( allocatedDetectorList.empty() ) + if ( allocated_detectors.empty() ) return; LogMessage("Lua Detector Stats:\n"); - for ( auto& detector : allocatedDetectorList ) + for ( auto& detector : allocated_detectors ) { mem = lua_gc(detector->myLuaState, LUA_GCCOUNT, 0); totalMem += mem; - total_detectors++; LogMessage("\tDetector %s: Lua Memory usage %zu kb\n", detector->name.c_str(), mem); } - LogMessage("Lua Stats total detectors: %u\n", total_detectors); + LogMessage("Lua Stats total detectors: %lu\n", allocated_detectors.size()); LogMessage("Lua Stats total memory usage %zu kb\n", totalMem); } diff --git a/src/network_inspectors/appid/lua_detector_module.h b/src/network_inspectors/appid/lua_detector_module.h index f861f357e..f0bbb71eb 100644 --- a/src/network_inspectors/appid/lua_detector_module.h +++ b/src/network_inspectors/appid/lua_detector_module.h @@ -37,38 +37,23 @@ public: LuaDetectorManager(); ~LuaDetectorManager(); - // Load all Lua modules into a detector list - // - // Each RNA detector file in the folder app_id_detector_path is parsed for - // detector information. If it is a valid detector, a detector data structure - // is created for it and stored in allocatedDetectorList. - void LoadLuaModules(AppIdConfig*); - - // Finalize Lua modules - // This function should be called after LoadLuaModules(). It sets up proper AppId references - // and tracker size for all the detectors. - void FinalizeLuaModules(); - - // Unload Lua modules - // - // This function cleans up all the data structures that were created for the Lua detectors - // in a given AppId context. It should be called after FinalizeLuaModules(). - void UnloadLuaModules(AppIdConfig*); - - void add_chunk(const std::string&); - - void luaModuleInitAllServices(); - void luaModuleInitAllClients(); + void load_lua_detectors(AppIdConfig*); + void activate_lua_detectors(); void list_lua_detectors(); private: - void luaCustomLoad( char* detectorName, char* validator, unsigned int validatorLen, + void init_lua_service_detectors(); + void init_lua_client_detectors(); + void initialize_lua_detector(const char* detectorName, char* validator, unsigned int validatorLen, unsigned char* const digest, AppIdConfig*, bool isCustom); - void loadCustomLuaModules(char* path, AppIdConfig*, bool isCustom); - void luaDetectorsUnload(); - void luaDetectorsSetTrackerSize(); + void validate_lua_detector(const char* path, AppIdConfig*, bool isCustom); + + std::list allocated_detectors; - std::list allocatedDetectorList; + // FIXIT-L make these perf counters + uint32_t lua_tracker_size = 0; + uint32_t num_lua_detectors = 0; + uint32_t num_active_lua_detectors = 0; }; extern THREAD_LOCAL SF_LIST allocatedFlowList; diff --git a/src/network_inspectors/appid/lua_detector_util.h b/src/network_inspectors/appid/lua_detector_util.h index d4b3e4a33..f857a65e4 100644 --- a/src/network_inspectors/appid/lua_detector_util.h +++ b/src/network_inspectors/appid/lua_detector_util.h @@ -52,9 +52,6 @@ struct UserData assert(ud); ud->ptr = ptr; luaL_getmetatable(L, meta); - // FIXIT-L: clean this up if not needed or enable the assert...metatable should already be in registry at this point - //assert(lua_istable(L, -1)); - lua_setmetatable(L, -2); return ud; } diff --git a/src/network_inspectors/appid/service_plugins/service_api.h b/src/network_inspectors/appid/service_plugins/service_api.h index 10c9af9a9..7261aa630 100644 --- a/src/network_inspectors/appid/service_plugins/service_api.h +++ b/src/network_inspectors/appid/service_plugins/service_api.h @@ -50,18 +50,16 @@ struct ServiceValidationArgs const uint8_t* data; uint16_t size; int dir; - AppIdSession* flowp; + AppIdSession* asd; Packet* pkt; struct Detector* userdata; const AppIdConfig* pConfig; - bool app_id_debug_session_flag; - char* app_id_debug_session; + bool session_logging_enabled; + char* session_logging_id; }; using RNAServiceValidationFCN = int(*)(ServiceValidationArgs*); -#define MakeRNAServiceValidationPrototype(name) static int name(ServiceValidationArgs* args) - struct CleanServiceAPI { AppIdConfig* pAppidConfig; ///< AppId context for which this API should be used @@ -87,12 +85,6 @@ struct IniServiceAPI AppIdConfig* pAppidConfig; ///< AppId context for which this API should be used }; -struct RNAServicePerf -{ - /*time to validate */ - uint64_t totalValidateTime; -}; - struct RNAServiceElement { RNAServiceElement* next; @@ -128,7 +120,7 @@ typedef int (* AddServiceConsumeSubtype)(AppIdSession* flow, const Packet* pkt, typedef int (* ServiceInProcess)(AppIdSession* flow, const Packet* pkt, int dir, const RNAServiceElement* svc_element); typedef int (* FailService)(AppIdSession* flow, const Packet* pkt, int dir, - const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig* pConfig); + const RNAServiceElement* svc_element, unsigned flow_data_index); typedef int (* IncompatibleData)(AppIdSession* flow, const Packet* pkt, int dir, const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig*); typedef void (* AddHostInfo)(AppIdSession* flow, SERVICE_HOST_INFO_CODE code, const void* info); diff --git a/src/network_inspectors/appid/service_plugins/service_base.cc b/src/network_inspectors/appid/service_plugins/service_base.cc index 10e386a4f..bb521fedb 100644 --- a/src/network_inspectors/appid/service_plugins/service_base.cc +++ b/src/network_inspectors/appid/service_plugins/service_base.cc @@ -21,8 +21,10 @@ #include "service_base.h" -#include +#include +#include +#include #include "service_api.h" #include "service_battle_field.h" #include "service_bgp.h" @@ -67,8 +69,53 @@ #include "utils/util.h" #include "sfip/sf_ip.h" -/*#define SERVICE_DEBUG 1 - #define SERVICE_DEBUG_PORT 0 */ +//#define SERVICE_DEBUG 1 +//#define SERVICE_DEBUG_PORT 80 + +#ifdef SERVICE_DEBUG +static const char* service_id_state_name[] = +{ + "NEW", + "VALID", + "PORT", + "PATTERN", + "BRUTE_FORCE" +}; + +#ifdef SERVICE_DEBUG_PORT +#define APPID_LOG_SERVICE(fmt) fprintf(SF_DEBUG_FILE, fmt) +#define APPID_LOG_FILTER_PORTS(dp, sp, fmt, ...) \ + if (dp == SERVICE_DEBUG_PORT || sp == SERVICE_DEBUG_PORT) \ + fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__) +#define APPID_LOG_FILTER_SERVICE_PORT(port, fmt, ...) \ + if (port == SERVICE_DEBUG_PORT) \ + fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__) +#define APPID_LOG_IP_FILTER_PORTS(dp, sp, ip, fmt, ...) \ + if (dp == SERVICE_DEBUG_PORT || sp == SERVICE_DEBUG_PORT) \ + { \ + char ipstr[INET6_ADDRSTRLEN]; \ + sfip_ntop(&ip, ipstr, sizeof(ipstr)); \ + fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__); \ + } +#else +#define APPID_LOG_SERVICE(fmt) fprintf(SF_DEBUG_FILE, fmt) +#define APPID_LOG_FILTER_PORTS(dp, sp, fmt, ...) fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__) +#define APPID_LOG_FILTER_SERVICE_PORT(port, fmt, ...) \ + UNUSED(port); \ + fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__) +#define APPID_LOG_IP_FILTER_PORTS(dp, sp, ip, fmt, ...) \ + { \ + char ipstr[INET6_ADDRSTRLEN]; \ + sfip_ntop(&ip, ipstr, sizeof(ipstr)); \ + fprintf(SF_DEBUG_FILE, fmt, __VA_ARGS__); \ + } +#endif +#else +#define APPID_LOG_SERVICE(fmt) +#define APPID_LOG_FILTER_PORTS(dp, sp, fmt, ...) +#define APPID_LOG_FILTER_SERVICE_PORT(port, fmt, ...) UNUSED(port); +#define APPID_LOG_IP_FILTER_PORTS(dp, sp, ip, fmt, ...) UNUSED(ip); +#endif #define BUFSIZE 512 @@ -81,17 +128,23 @@ * and tried per flow based on port/pattern (if a valid detector doesn't * already exist). */ #define MAX_CANDIDATE_SERVICES 10 +#define DHCP_OPTION55_LEN_MAX 255 -static void* service_flowdata_get(AppIdSession* flow, unsigned service_id); -static int service_flowdata_add(AppIdSession* flow, void* data, unsigned service_id, AppIdFreeFCN +static void* service_flowdata_get(AppIdSession* asd, unsigned service_id); +static int service_flowdata_add(AppIdSession* asd, void* data, unsigned service_id, AppIdFreeFCN fcn); -static void AppIdAddHostInfo(AppIdSession* flow, SERVICE_HOST_INFO_CODE code, const void* info); -static int AppIdAddDHCP(AppIdSession* flowp, unsigned op55_len, const uint8_t* op55, unsigned +static void add_host_info(AppIdSession* asd, SERVICE_HOST_INFO_CODE code, const void* info); +static int add_dhcp_info(AppIdSession* asd, unsigned op55_len, const uint8_t* op55, unsigned op60_len, const uint8_t* op60, const uint8_t* mac); -static void AppIdAddHostIP(AppIdSession* flow, const uint8_t* mac, uint32_t ip4, +static void add_host_ip_info(AppIdSession* asd, const uint8_t* mac, uint32_t ip4, int32_t zone, uint32_t subnetmask, uint32_t leaseSecs, uint32_t router); -static void AppIdAddSMBData(AppIdSession* flow, unsigned major, unsigned minor, uint32_t flags); -static void AppIdServiceAddMisc(AppIdSession* flow, AppId miscId); +static void add_smb_info(AppIdSession* asd, unsigned major, unsigned minor, uint32_t flags); +static void add_miscellaneous_info(AppIdSession* asd, AppId miscId); +static void add_dns_query_info(AppIdSession*, uint16_t id, const uint8_t* host, uint8_t host_len, + uint16_t host_offset, uint16_t record_type); +static void add_dns_response_info(AppIdSession*, uint16_t id, const uint8_t* host, uint8_t host_len, + uint16_t host_offset, uint8_t response_type, uint32_t ttl); +static void reset_dns_info(AppIdSession*); struct ServiceMatch { @@ -102,12 +155,9 @@ struct ServiceMatch }; static const uint8_t zeromac[6] = { 0, 0, 0, 0, 0, 0 }; -static unsigned smOrderedListSize = 32; -static THREAD_LOCAL DHCPInfo* dhcp_info_free_list; -static THREAD_LOCAL FpSMBData* smb_data_free_list; -static THREAD_LOCAL ServiceMatch** smOrderedList = nullptr; -static THREAD_LOCAL ServiceMatch* free_service_match; -static THREAD_LOCAL ServiceConfig* serviceConfig = nullptr; +static THREAD_LOCAL DHCPInfo* dhcp_info_free_list = nullptr; +static THREAD_LOCAL FpSMBData* smb_data_free_list = nullptr; +static THREAD_LOCAL ServiceConfig* service_config = nullptr; static THREAD_LOCAL RNAServiceElement* ftp_service = nullptr; static THREAD_LOCAL ServicePatternData* free_pattern_data = nullptr; @@ -115,41 +165,30 @@ const ServiceApi serviceapi = { &service_flowdata_get, &service_flowdata_add, - &AppIdAddDHCP, - &AppIdAddHostIP, - &AppIdAddSMBData, + &add_dhcp_info, + &add_host_ip_info, + &add_smb_info, &AppIdServiceAddService, &AppIdServiceFailService, &AppIdServiceInProcess, &AppIdServiceIncompatibleData, - &AppIdAddHostInfo, + &add_host_info, &AppIdAddPayload, &AppIdAddUser, &AppIdServiceAddServiceSubtype, - &AppIdServiceAddMisc, - &AppIdAddDnsQueryInfo, - &AppIdAddDnsResponseInfo, - &AppIdResetDnsInfo, + &add_miscellaneous_info, + &add_dns_query_info, + &add_dns_response_info, + &reset_dns_info, }; -#ifdef SERVICE_DEBUG -static const char* serviceIdStateName[] = -{ - "NEW", - "VALID", - "PORT", - "PATTERN", - "BRUTE_FORCE" -}; -#endif - /*C service API */ static void ServiceRegisterPattern(RNAServiceValidationFCN, IpProtocol, const uint8_t*, unsigned, - int, struct Detector*, int, const char* ); -static void CServiceRegisterPattern(RNAServiceValidationFCN, IpProtocol, const uint8_t* , - unsigned, int , const char*); + int, struct Detector*, int, const char* ); +static void CServiceRegisterPattern(RNAServiceValidationFCN, IpProtocol, const uint8_t*, unsigned, + int, const char*); static void ServiceRegisterPatternUser(RNAServiceValidationFCN, IpProtocol, const uint8_t*, - unsigned, int, const char*); + unsigned, int, const char*); void appSetServiceValidator( RNAServiceValidationFCN, AppId, unsigned extractsInfo); static int CServiceAddPort(const RNAServiceValidationPort*, RNAServiceValidationModule*); static void CServiceRemovePorts(RNAServiceValidationFCN validate); @@ -215,7 +254,7 @@ const uint32_t NUM_STATIC_SERVICES = void appSetServiceValidator(RNAServiceValidationFCN fcn, AppId appId, unsigned extractsInfo) { - AppInfoTableEntry* pEntry = appInfoEntryGet(appId); + AppInfoTableEntry* pEntry = AppInfoManager::get_instance().get_app_info_entry(appId); if (!pEntry) { ErrorMessage("AppId: invalid direct service AppId, %d", appId); @@ -227,47 +266,34 @@ void appSetServiceValidator(RNAServiceValidationFCN fcn, AppId appId, unsigned e DebugFormat(DEBUG_APPID, "Ignoring direct service without info for AppId %d", appId); return; } - pEntry->svrValidator = ServiceGetServiceElement(fcn, nullptr); + pEntry->svrValidator = get_service_element(fcn, nullptr); if (pEntry->svrValidator) pEntry->flags |= extractsInfo; else ErrorMessage("AppId: failed to find a service element for AppId %d", appId); } -/**free ServiceMatch List. - */ void AppIdFreeServiceMatchList(ServiceMatch* sm) { ServiceMatch* tmpSm; - if (!sm) - return; - - for (tmpSm = sm; tmpSm->next; tmpSm = tmpSm->next) - ; - tmpSm->next = free_service_match; - free_service_match = sm; + while( sm ) + { + tmpSm = sm; + sm = sm->next; + snort_free(tmpSm); + } } -int AddFTPServiceState(AppIdSession* fp) +int AddFTPServiceState(AppIdSession* asd) { if (!ftp_service) return -1; - return fp->add_flow_data_id(21, ftp_service); + return asd->add_flow_data_id(21, ftp_service); } -/**allocate one ServiceMatch element. - */ static inline ServiceMatch* allocServiceMatch(void) { - ServiceMatch* sm; - - if ((sm = free_service_match)) - { - free_service_match = sm->next; - memset(sm, 0, sizeof(*sm)); - return sm; - } return (ServiceMatch*)snort_calloc(sizeof(ServiceMatch)); } @@ -280,14 +306,15 @@ static int pattern_match(void* id, void*, int index, void* data, void*) if (pd->position >= 0 && pd->position != index) return 0; - for (sm=*matches; sm; sm=sm->next) + for (sm = *matches; sm; sm = sm->next) if (sm->svc == pd->svc) break; + if (sm) sm->count++; else { - sm=allocServiceMatch(); + sm = allocServiceMatch(); sm->count++; sm->svc = pd->svc; sm->size = pd->size; @@ -313,9 +340,7 @@ AppId getPortServiceId(IpProtocol proto, uint16_t port, const AppIdConfig* pConf return appId; } -static inline uint16_t sslPortRemap( - uint16_t port - ) +static inline uint16_t sslPortRemap(uint16_t port) { switch (port) { @@ -340,25 +365,21 @@ static inline uint16_t sslPortRemap( } static inline RNAServiceElement* AppIdGetNexServiceByPort( IpProtocol protocol, uint16_t port, - const RNAServiceElement* const lasService, AppIdSession* rnaData) + const RNAServiceElement* const lasService, AppIdSession* asd) { RNAServiceElement* service = nullptr; SF_LIST* list = nullptr; - if (AppIdServiceDetectionLevel(rnaData) == 1) + if (AppIdServiceDetectionLevel(asd) == 1) { unsigned remappedPort = sslPortRemap(port); if (remappedPort) - list = serviceConfig->tcp_services[remappedPort]; + list = service_config->tcp_services[remappedPort]; } else if (protocol == IpProtocol::TCP) - { - list = serviceConfig->tcp_services[port]; - } + list = service_config->tcp_services[port]; else - { - list = serviceConfig->udp_services[port]; - } + list = service_config->udp_services[port]; if (list) { @@ -375,64 +396,46 @@ static inline RNAServiceElement* AppIdGetNexServiceByPort( IpProtocol protocol, } } -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (port == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "Port service for protocol %u port %u, service %s\n", + APPID_LOG_FILTER_SERVICE_PORT(port, "Port service for protocol %u port %u, service %s\n", (unsigned)protocol, (unsigned)port, (service && service->name) ? service->name : "UNKNOWN"); -#endif return service; } -static inline RNAServiceElement* AppIdNexServiceByPattern(AppIdServiceIDState* id_state -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - , uint16_t port -#endif -#endif - ) +static inline RNAServiceElement* get_service_by_pattern(AppIdServiceIDState* id_state, + uint16_t port) { RNAServiceElement* service = nullptr; - while (id_state->currenService) + while (id_state->current_service) { - id_state->currenService = id_state->currenService->next; - if (id_state->currenService && id_state->currenService->svc->current_ref_count) + id_state->current_service = id_state->current_service->next; + if (id_state->current_service && id_state->current_service->svc->current_ref_count) { - service = id_state->currenService->svc; + service = id_state->current_service->svc; break; } } -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (port == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "Next pattern service %s\n", + APPID_LOG_FILTER_SERVICE_PORT(port, "Next pattern service %s\n", (service && service->name) ? service->name : "UNKNOWN"); -#endif return service; } -const RNAServiceElement* ServiceGetServiceElement(RNAServiceValidationFCN fcn, Detector* userdata) +const RNAServiceElement* get_service_element(RNAServiceValidationFCN fcn, Detector* userdata) { RNAServiceElement* li; - for (li=serviceConfig->tcp_service_list; li; li=li->next) - { + for (li = service_config->tcp_service_list; li; li = li->next) if ((li->validate == fcn) && (li->userdata == userdata)) return li; - } - for (li=serviceConfig->udp_service_list; li; li=li->next) - { + for (li=service_config->udp_service_list; li; li=li->next) if ((li->validate == fcn) && (li->userdata == userdata)) return li; - } + return nullptr; } @@ -449,19 +452,19 @@ static void ServiceRegisterPattern(RNAServiceValidationFCN fcn, IpProtocol proto if ((IpProtocol)proto == IpProtocol::TCP) { - patterns = &serviceConfig->tcp_patterns; - pd_list = &serviceConfig->tcp_pattern_data; + patterns = &service_config->tcp_patterns; + pd_list = &service_config->tcp_pattern_data; - count = &serviceConfig->tcp_pattern_count; - list = &serviceConfig->tcp_service_list; + count = &service_config->tcp_pattern_count; + list = &service_config->tcp_service_list; } else if ((IpProtocol)proto == IpProtocol::UDP) { - patterns = &serviceConfig->udp_patterns; - pd_list = &serviceConfig->udp_pattern_data; + patterns = &service_config->udp_patterns; + pd_list = &service_config->udp_pattern_data; - count = &serviceConfig->udp_pattern_count; - list = &serviceConfig->udp_service_list; + count = &service_config->udp_pattern_count; + list = &service_config->udp_service_list; } else { @@ -564,7 +567,7 @@ static void RemoveServicePortsByType(RNAServiceValidationFCN validate, SF_LIST** { li->ref_count--; sflist_remove_node(listTmp, iter); - // FIXIT-M: Revisit this for better solution to calling sflist_first after + // FIXIT-M Revisit this for better solution to calling sflist_first after // deleting a node... ultimate solution for use of sflist would be move // to STL liTmp = (RNAServiceElement*)sflist_first(listTmp, &iter); @@ -576,52 +579,44 @@ static void RemoveServicePortsByType(RNAServiceValidationFCN validate, SF_LIST** } } -/** - * \brief Remove all ports registered for all services - * - * This function takes care of removing ports for all services including C service modules, - * Lua detector modules and services associated with C detector modules. - * - * @return void - */ static void RemoveAllServicePorts() { int i; for ( i= 0; i < RNA_SERVICE_MAX_PORT; i++) { - if (serviceConfig->tcp_services[i]) + if (service_config->tcp_services[i]) { - sflist_free(serviceConfig->tcp_services[i]); - serviceConfig->tcp_services[i] = nullptr; + sflist_free(service_config->tcp_services[i]); + service_config->tcp_services[i] = nullptr; } } for (i = 0; i < RNA_SERVICE_MAX_PORT; i++) { - if (serviceConfig->udp_services[i]) + if (service_config->udp_services[i]) { - sflist_free(serviceConfig->udp_services[i]); - serviceConfig->udp_services[i] = nullptr; + sflist_free(service_config->udp_services[i]); + service_config->udp_services[i] = nullptr; } } for (i = 0; i < RNA_SERVICE_MAX_PORT; i++) { - if (serviceConfig->udp_reversed_services[i]) + if (service_config->udp_reversed_services[i]) { - sflist_free(serviceConfig->udp_reversed_services[i]); - serviceConfig->udp_reversed_services[i] = nullptr; + sflist_free(service_config->udp_reversed_services[i]); + service_config->udp_reversed_services[i] = nullptr; } } } void ServiceRemovePorts(RNAServiceValidationFCN validate, struct Detector* userdata) { - RemoveServicePortsByType(validate, serviceConfig->tcp_services, - serviceConfig->tcp_service_list, userdata); - RemoveServicePortsByType(validate, serviceConfig->udp_services, - serviceConfig->udp_service_list, userdata); - RemoveServicePortsByType(validate, serviceConfig->udp_reversed_services, - serviceConfig->udp_reversed_service_list, userdata); + RemoveServicePortsByType(validate, service_config->tcp_services, + service_config->tcp_service_list, userdata); + RemoveServicePortsByType(validate, service_config->udp_services, + service_config->udp_service_list, userdata); + RemoveServicePortsByType(validate, service_config->udp_reversed_services, + service_config->udp_reversed_service_list, userdata); } static void CServiceRemovePorts(RNAServiceValidationFCN validate) @@ -641,20 +636,20 @@ int ServiceAddPort(const RNAServiceValidationPort* pp, RNAServiceValidationModul svm->name, (unsigned)pp->proto, (unsigned)pp->port); if (pp->proto == IpProtocol::TCP) { - services = serviceConfig->tcp_services; - list = &serviceConfig->tcp_service_list; + services = service_config->tcp_services; + list = &service_config->tcp_service_list; } else if (pp->proto == IpProtocol::UDP) { if (!pp->reversed_validation) { - services = serviceConfig->udp_services; - list = &serviceConfig->udp_service_list; + services = service_config->udp_services; + list = &service_config->udp_service_list; } else { - services = serviceConfig->udp_reversed_services; - list = &serviceConfig->udp_reversed_service_list; + services = service_config->udp_reversed_services; + list = &service_config->udp_reversed_service_list; } } else @@ -715,8 +710,8 @@ static int CServiceAddPort(const RNAServiceValidationPort* pp, RNAServiceValidat void add_service_to_active_list(RNAServiceValidationModule* service) { - service->next = serviceConfig->active_service_list; - serviceConfig->active_service_list = service; + service->next = service_config->active_service_list; + service_config->active_service_list = service; } static int serviceLoadForConfigCallback(void* symbol) @@ -739,8 +734,8 @@ static int serviceLoadForConfigCallback(void* symbol) if (svm->init(&svc_init_api)) ErrorMessage("Error initializing service %s\n",svm->name); - svm->next = serviceConfig->active_service_list; - serviceConfig->active_service_list = svm; + svm->next = service_config->active_service_list; + service_config->active_service_list = svm; svm->flow_data_index = service_module_index | APPID_SESSION_DATA_SERVICE_MODSTATE_BIT; service_module_index++; @@ -755,9 +750,9 @@ int serviceLoadCallback(void* symbol) static int load_service_detectors() { - svc_init_api.instance_id = pAppidActiveConfig->mod_config->instance_id; - svc_init_api.debug = pAppidActiveConfig->mod_config->debug; - svc_init_api.pAppidConfig = pAppidActiveConfig; + svc_init_api.instance_id = AppIdConfig::get_appid_config()->mod_config->instance_id; + svc_init_api.debug = AppIdConfig::get_appid_config()->mod_config->debug; + svc_init_api.pAppidConfig = AppIdConfig::get_appid_config(); for ( unsigned i = 0; i < NUM_STATIC_SERVICES; i++) { @@ -770,7 +765,7 @@ static int load_service_detectors() void init_service_plugins() { - serviceConfig = new ServiceConfig; + service_config = new ServiceConfig; if ( load_service_detectors() ) exit(-1); @@ -779,8 +774,8 @@ void init_service_plugins() void finalize_service_patterns() { ServicePatternData* curr; - ServicePatternData* lists[] = { serviceConfig->tcp_pattern_data, - serviceConfig->udp_pattern_data }; + ServicePatternData* lists[] = { service_config->tcp_pattern_data, + service_config->udp_pattern_data }; for ( unsigned i = 0; i < (sizeof(lists) / sizeof(*lists)); i++) { curr = lists[i]; @@ -805,41 +800,40 @@ void finalize_service_patterns() } } - if (serviceConfig->tcp_patterns) - serviceConfig->tcp_patterns->prep(); - if (serviceConfig->udp_patterns) - serviceConfig->udp_patterns->prep(); + if (service_config->tcp_patterns) + service_config->tcp_patterns->prep(); + if (service_config->udp_patterns) + service_config->udp_patterns->prep(); } void clean_service_plugins() { ServicePatternData* pattern; RNAServiceElement* se; - ServiceMatch* sm; RNAServiceValidationModule* svm; FpSMBData* sd; DHCPInfo* info; - if (serviceConfig->tcp_patterns) + if (service_config->tcp_patterns) { - delete serviceConfig->tcp_patterns; - serviceConfig->tcp_patterns = nullptr; + delete service_config->tcp_patterns; + service_config->tcp_patterns = nullptr; } - if (serviceConfig->udp_patterns) + if (service_config->udp_patterns) { - delete serviceConfig->udp_patterns; - serviceConfig->udp_patterns = nullptr; + delete service_config->udp_patterns; + service_config->udp_patterns = nullptr; } - while ((pattern = serviceConfig->tcp_pattern_data)) + while ((pattern = service_config->tcp_pattern_data)) { - serviceConfig->tcp_pattern_data = pattern->next; + service_config->tcp_pattern_data = pattern->next; snort_free(pattern); } - while ((pattern = serviceConfig->udp_pattern_data)) + while ((pattern = service_config->udp_pattern_data)) { - serviceConfig->udp_pattern_data = pattern->next; + service_config->udp_pattern_data = pattern->next; snort_free(pattern); } @@ -849,21 +843,21 @@ void clean_service_plugins() snort_free(pattern); } - while ((se = serviceConfig->tcp_service_list)) + while ((se = service_config->tcp_service_list)) { - serviceConfig->tcp_service_list = se->next; + service_config->tcp_service_list = se->next; delete se; } - while ((se = serviceConfig->udp_service_list)) + while ((se = service_config->udp_service_list)) { - serviceConfig->udp_service_list = se->next; + service_config->udp_service_list = se->next; delete se; } - while ((se = serviceConfig->udp_reversed_service_list)) + while ((se = service_config->udp_reversed_service_list)) { - serviceConfig->udp_reversed_service_list = se->next; + service_config->udp_reversed_service_list = se->next; delete se; } @@ -879,22 +873,9 @@ void clean_service_plugins() snort_free(info); } - while ((sm = free_service_match)) - { - free_service_match = sm->next; - snort_free(sm); - } - - if (smOrderedList) - { - // FIXIT-M: still allocated with calloc/realloc - vector coming soon... - free(smOrderedList); - smOrderedListSize = 32; - } - RemoveAllServicePorts(); - for (svm = serviceConfig->active_service_list; svm; svm = svm->next) + for (svm = service_config->active_service_list; svm; svm = svm->next) { if (svm->clean) svm->clean(); @@ -902,7 +883,7 @@ void clean_service_plugins() clean_service_port_patterns(); - delete serviceConfig; + delete service_config; } static int AppIdPatternPrecedence(const void* a, const void* b) @@ -930,92 +911,35 @@ static inline RNAServiceElement* AppIdGetServiceByPattern(const Packet* pkt, IpP { SearchTool* patterns = nullptr; ServiceMatch* match_list; - ServiceMatch* sm; - uint32_t count; uint32_t i; RNAServiceElement* service = nullptr; + std::vector smOrderedList; if (proto == IpProtocol::TCP) - patterns = serviceConfig->tcp_patterns; + patterns = service_config->tcp_patterns; else - patterns = serviceConfig->udp_patterns; + patterns = service_config->udp_patterns; if (!patterns) { -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "Pattern bailing due to no patterns\n"); -#endif + APPID_LOG_SERVICE("Pattern bailing due to no patterns\n"); return nullptr; } - if (!smOrderedList) - { - // FIXIT-M: - using calloc because this may be realloc'ed later, change to vector asap - smOrderedList = (ServiceMatch**)calloc(smOrderedListSize, sizeof(ServiceMatch*)); - if (!smOrderedList) - { - ErrorMessage("Pattern bailing due to failed allocation"); - return nullptr; - } - } - -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) - { -#endif - fprintf(SF_DEBUG_FILE, "Matching\n"); - DumpHex(SF_DEBUG_FILE, pkt->data, pkt->dsize); -#if SERVICE_DEBUG_PORT -} - -#endif -#endif /*FRE didn't search */ match_list = nullptr; patterns->find_all((char*)pkt->data, pkt->dsize, &pattern_match, false, (void*)&match_list); - count = 0; - for (sm = match_list; sm; sm = sm->next) - { - if (count >= smOrderedListSize) - { - ServiceMatch** tmp; - smOrderedListSize *= 2; - assert(smOrderedListSize > 0); - - tmp = (ServiceMatch**)realloc(smOrderedList, - smOrderedListSize * sizeof(*smOrderedList)); - - if (!tmp) - { - ErrorMessage("Realloc failure %u\n",smOrderedListSize); - smOrderedListSize /= 2; - - /*free the remaining elements. */ - AppIdFreeServiceMatchList(sm); - - break; - } - ErrorMessage("Realloc %u\n",smOrderedListSize); - - smOrderedList = tmp; - } - - smOrderedList[count++] = sm; - } + for (ServiceMatch* sm = match_list; sm; sm = sm->next) + smOrderedList.push_back(sm); - if (!count) + if (smOrderedList.size() == 0) return nullptr; - qsort(smOrderedList, count, sizeof(*smOrderedList), AppIdPatternPrecedence); + std::sort(smOrderedList.begin(), smOrderedList.end(), AppIdPatternPrecedence); - /*rearrange the matchlist now */ - for (i = 0; i < (count-1); i++) - smOrderedList[i]->next = smOrderedList[i+1]; + for (i = 0; i < smOrderedList.size() - 1; i++) + smOrderedList[i]->next = smOrderedList[i + 1]; smOrderedList[i]->next = nullptr; service = smOrderedList[0]->svc; @@ -1023,24 +947,19 @@ static inline RNAServiceElement* AppIdGetServiceByPattern(const Packet* pkt, IpP if (id_state) { id_state->svc = service; - if (id_state->serviceList != nullptr) - { - AppIdFreeServiceMatchList(id_state->serviceList); - } - id_state->serviceList = smOrderedList[0]; - id_state->currenService = smOrderedList[0]; + if (id_state->service_list != nullptr) + AppIdFreeServiceMatchList(id_state->service_list); + + id_state->service_list = smOrderedList[0]; + id_state->current_service = smOrderedList[0]; } else AppIdFreeServiceMatchList(smOrderedList[0]); -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "Pattern service for protocol %u (%u->%u), %s\n", + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, + "Pattern service for protocol %u (%u->%u), %s\n", (unsigned)proto, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, - (service && service->name) ? service->name.c_str() : "UNKNOWN"); -#endif + (service && service->name) ? service->name : "UNKNOWN"); return service; } @@ -1052,8 +971,8 @@ static inline RNAServiceElement* AppIdGetServiceByBruteForce(IpProtocol protocol if (lasService) service = lasService->next; else - service = ((protocol == IpProtocol::TCP) ? serviceConfig->tcp_service_list : - serviceConfig->udp_service_list); + service = ((protocol == IpProtocol::TCP) ? service_config->tcp_service_list : + service_config->udp_service_list); while (service && !service->current_ref_count) service = service->next; @@ -1061,38 +980,38 @@ static inline RNAServiceElement* AppIdGetServiceByBruteForce(IpProtocol protocol return service; } -static void AppIdAddHostInfo(AppIdSession*, SERVICE_HOST_INFO_CODE, const void*) +static void add_host_info(AppIdSession*, SERVICE_HOST_INFO_CODE, const void*) { } -void AppIdFreeDhcpData(DhcpFPData* dd) +void AppIdFreeDhcpData(DHCPData* dd) { snort_free(dd); } -static int AppIdAddDHCP(AppIdSession* flowp, unsigned op55_len, const uint8_t* op55, unsigned +static int add_dhcp_info(AppIdSession* asd, unsigned op55_len, const uint8_t* op55, unsigned op60_len, const uint8_t* op60, const uint8_t* mac) { if (op55_len && op55_len <= DHCP_OPTION55_LEN_MAX - && !flowp->getAppIdFlag(APPID_SESSION_HAS_DHCP_FP)) + && !asd->get_session_flags(APPID_SESSION_HAS_DHCP_FP)) { - DhcpFPData* rdd; + DHCPData* rdd; - rdd = (DhcpFPData*)snort_calloc(sizeof(*rdd)); - if (flowp->add_flow_data(rdd, APPID_SESSION_DATA_DHCP_FP_DATA, + rdd = (DHCPData*)snort_calloc(sizeof(*rdd)); + if (asd->add_flow_data(rdd, APPID_SESSION_DATA_DHCP_FP_DATA, (AppIdFreeFCN)AppIdFreeDhcpData)) { AppIdFreeDhcpData(rdd); return -1; } - flowp->setAppIdFlag(APPID_SESSION_HAS_DHCP_FP); + asd->set_session_flags(APPID_SESSION_HAS_DHCP_FP); rdd->op55_len = (op55_len > DHCP_OP55_MAX_SIZE) ? DHCP_OP55_MAX_SIZE : op55_len; memcpy(rdd->op55, op55, rdd->op55_len); rdd->op60_len = (op60_len > DHCP_OP60_MAX_SIZE) ? DHCP_OP60_MAX_SIZE : op60_len; if (op60_len) memcpy(rdd->op60, op60, rdd->op60_len); - memcpy(rdd->mac, mac, sizeof(rdd->mac)); + memcpy(rdd->eth_addr, mac, sizeof(rdd->eth_addr)); } return 0; } @@ -1106,7 +1025,22 @@ void AppIdFreeDhcpInfo(DHCPInfo* dd) } } -static void AppIdAddHostIP(AppIdSession* flow, const uint8_t* mac, uint32_t ip, int32_t zone, +static unsigned isIPv4HostMonitored(uint32_t ip4, int32_t zone) +{ + NetworkSet* net_list; + unsigned flags; + AppIdConfig* pConfig = AppIdConfig::get_appid_config(); + + if (zone >= 0 && zone < MAX_ZONES && pConfig->net_list_by_zone[zone]) + net_list = pConfig->net_list_by_zone[zone]; + else + net_list = pConfig->net_list; + + NetworkSet_ContainsEx(net_list, ip4, &flags); + return flags; +} + +static void add_host_ip_info(AppIdSession* asd, const uint8_t* mac, uint32_t ip, int32_t zone, uint32_t subnetmask, uint32_t leaseSecs, uint32_t router) { DHCPInfo* info; @@ -1115,8 +1049,8 @@ static void AppIdAddHostIP(AppIdSession* flow, const uint8_t* mac, uint32_t ip, if (memcmp(mac, zeromac, 6) == 0 || ip == 0) return; - if (!flow->getAppIdFlag(APPID_SESSION_DO_RNA) - || flow->getAppIdFlag(APPID_SESSION_HAS_DHCP_INFO)) + if (!asd->get_session_flags(APPID_SESSION_DO_RNA) + || asd->get_session_flags(APPID_SESSION_HAS_DHCP_INFO)) return; flags = isIPv4HostMonitored(ntohl(ip), zone); @@ -1131,15 +1065,15 @@ static void AppIdAddHostIP(AppIdSession* flow, const uint8_t* mac, uint32_t ip, else info = (DHCPInfo*)snort_calloc(sizeof(DHCPInfo)); - if (flow->add_flow_data(info, APPID_SESSION_DATA_DHCP_INFO, + if (asd->add_flow_data(info, APPID_SESSION_DATA_DHCP_INFO, (AppIdFreeFCN)AppIdFreeDhcpInfo)) { AppIdFreeDhcpInfo(info); return; } - flow->setAppIdFlag(APPID_SESSION_HAS_DHCP_INFO); + asd->set_session_flags(APPID_SESSION_HAS_DHCP_INFO); info->ipAddr = ip; - memcpy(info->macAddr, mac, sizeof(info->macAddr)); + memcpy(info->eth_addr, mac, sizeof(info->eth_addr)); info->subnetmask = subnetmask; info->leaseSecs = leaseSecs; info->router = router; @@ -1154,7 +1088,7 @@ void AppIdFreeSMBData(FpSMBData* sd) } } -static void AppIdAddSMBData(AppIdSession* flow, unsigned major, unsigned minor, uint32_t flags) +static void add_smb_info(AppIdSession* asd, unsigned major, unsigned minor, uint32_t flags) { FpSMBData* sd; @@ -1169,55 +1103,54 @@ static void AppIdAddSMBData(AppIdSession* flow, unsigned major, unsigned minor, else sd = (FpSMBData*)snort_calloc(sizeof(FpSMBData)); - if (flow->add_flow_data(sd, APPID_SESSION_DATA_SMB_DATA, (AppIdFreeFCN)AppIdFreeSMBData)) + if (asd->add_flow_data(sd, APPID_SESSION_DATA_SMB_DATA, (AppIdFreeFCN)AppIdFreeSMBData)) { AppIdFreeSMBData(sd); return; } - flow->setAppIdFlag(APPID_SESSION_HAS_SMB_INFO); + asd->set_session_flags(APPID_SESSION_HAS_SMB_INFO); sd->major = major; sd->minor = minor; sd->flags = flags & FINGERPRINT_UDP_FLAGS_MASK; } -static int AppIdServiceAddServiceEx(AppIdSession* flow, const Packet* pkt, int dir, - const RNAServiceElement* svc_element, - AppId appId, const char* vendor, const char* version) +static int AppIdServiceAddServiceEx(AppIdSession* asd, const Packet* pkt, int dir, + const RNAServiceElement* svc_element, AppId appId, const char* vendor, const char* version) { AppIdServiceIDState* id_state; uint16_t port; const sfip_t* ip; - if (!flow || !pkt || !svc_element) + if (!asd || !pkt || !svc_element) { ErrorMessage("Invalid arguments to absinthe_add_appId"); return SERVICE_EINVALID; } - flow->serviceData = svc_element; + asd->serviceData = svc_element; if (vendor) { - if (flow->serviceVendor) - snort_free(flow->serviceVendor); - flow->serviceVendor = snort_strdup(vendor); + if (asd->serviceVendor) + snort_free(asd->serviceVendor); + asd->serviceVendor = snort_strdup(vendor); } if (version) { - if (flow->serviceVersion) - snort_free(flow->serviceVersion); - flow->serviceVersion = snort_strdup(version); + if (asd->serviceVersion) + snort_free(asd->serviceVersion); + asd->serviceVersion = snort_strdup(version); } - flow->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); - flow->serviceAppId = appId; + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED); + asd->serviceAppId = appId; checkSandboxDetection(appId); - if (flow->getAppIdFlag(APPID_SESSION_IGNORE_HOST)) + if (asd->get_session_flags(APPID_SESSION_IGNORE_HOST)) return SERVICE_SUCCESS; - if (!flow->getAppIdFlag(APPID_SESSION_UDP_REVERSED)) + if (!asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) { if (dir == APP_ID_FROM_INITIATOR) { @@ -1229,8 +1162,8 @@ static int AppIdServiceAddServiceEx(AppIdSession* flow, const Packet* pkt, int d ip = pkt->ptrs.ip_api.get_src(); port = pkt->ptrs.sp; } - if (flow->service_port) - port = flow->service_port; + if (asd->service_port) + port = asd->service_port; } else { @@ -1248,45 +1181,44 @@ static int AppIdServiceAddServiceEx(AppIdSession* flow, const Packet* pkt, int d /* If we ended up with UDP reversed, make sure we're pointing to the * correct host tracker entry. */ - if (flow->getAppIdFlag(APPID_SESSION_UDP_REVERSED)) + if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) { - flow->id_state = AppIdGetServiceIDState(ip, flow->protocol, port, - AppIdServiceDetectionLevel(flow)); + asd->id_state = get_service_id_state(ip, asd->protocol, port, + AppIdServiceDetectionLevel(asd)); } - if (!(id_state = flow->id_state)) + if (!(id_state = asd->id_state)) { - if (!(id_state = AppIdAddServiceIDState(ip, flow->protocol, port, AppIdServiceDetectionLevel( - flow)))) + if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel( + asd)))) { ErrorMessage("Add service failed to create state"); return SERVICE_ENOMEM; } - flow->id_state = id_state; - flow->service_ip = *ip; - flow->service_port = port; + + asd->id_state = id_state; + asd->service_ip = *ip; + asd->service_port = port; } else { - if (id_state->serviceList) + if (id_state->service_list) { - AppIdFreeServiceMatchList(id_state->serviceList); - id_state->serviceList = nullptr; - id_state->currenService = nullptr; + AppIdFreeServiceMatchList(id_state->service_list); + id_state->service_list = nullptr; + id_state->current_service = nullptr; } - if (!sfip_is_set(&flow->service_ip)) + + if (!sfip_is_set(&asd->service_ip)) { - flow->service_ip = *ip; - flow->service_port = port; + asd->service_ip = *ip; + asd->service_port = port; } -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "Service %d for protocol %u on port %u (%u->%u) is valid\n", - (int)appId, (unsigned)flow->proto, (unsigned)flow->service_port, + + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, + "Service %d for protocol %u on port %u (%u->%u) is valid\n", + (int)appId, (unsigned)asd->protocol, (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp); -#endif } id_state->reset_time = 0; if (id_state->state != SERVICE_ID_VALID) @@ -1300,19 +1232,10 @@ static int AppIdServiceAddServiceEx(AppIdSession* flow, const Packet* pkt, int d } id_state->svc = svc_element; -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - { - char ipstr[INET6_ADDRSTRLEN]; - - ipstr[0] = 0; - sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr)); - fprintf(SF_DEBUG_FILE, "Valid: %s:%u:%u %p %d\n", ipstr, (unsigned)flow->proto, - (unsigned)flow->service_port, id_state, (int)id_state->state); - } -#endif + APPID_LOG_IP_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, asd->service_ip, + "Valid: %s:%u:%u %p %d\n", + ipstr, (unsigned)asd->protocol, (unsigned)asd->service_port, + (void*)id_state, (int)id_state->state); if (!id_state->valid_count) { @@ -1328,42 +1251,31 @@ static int AppIdServiceAddServiceEx(AppIdSession* flow, const Packet* pkt, int d /* Done looking for this session. */ id_state->searching = false; -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "Service %d for protocol %u on port %u (%u->%u) is valid\n", - (int)appId, (unsigned)flow->proto, (unsigned)flow->service_port, (unsigned)pkt->ptrs.sp, - (unsigned)pkt->ptrs.dp); -#endif + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, + "Service %d for protocol %u on port %u (%u->%u) is valid\n", + (int)appId, (unsigned)asd->protocol, (unsigned)asd->service_port, + (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp); return SERVICE_SUCCESS; } -int AppIdServiceAddServiceSubtype(AppIdSession* flow, const Packet* pkt, int dir, - const RNAServiceElement* svc_element, - AppId appId, const char* vendor, const char* version, +int AppIdServiceAddServiceSubtype(AppIdSession* asd, const Packet* pkt, int dir, + const RNAServiceElement* svc_element, AppId appId, const char* vendor, const char* version, RNAServiceSubtype* subtype) { - flow->subtype = subtype; + asd->subtype = subtype; if (!svc_element->current_ref_count) { -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, "Service %d for protocol %u on port %u (%u->%u) is valid, but skipped\n", - (int)appId, (unsigned)flow->proto, (unsigned)flow->service_port, + (int)appId, (unsigned)asd->protocol, (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp); -#endif return SERVICE_SUCCESS; } - return AppIdServiceAddServiceEx(flow, pkt, dir, svc_element, appId, vendor, version); + return AppIdServiceAddServiceEx(asd, pkt, dir, svc_element, appId, vendor, version); } -int AppIdServiceAddService(AppIdSession* flow, const Packet* pkt, int dir, - const RNAServiceElement* svc_element, - AppId appId, const char* vendor, const char* version, +int AppIdServiceAddService(AppIdSession* asd, const Packet* pkt, int dir, + const RNAServiceElement* svc_element, AppId appId, const char* vendor, const char* version, const RNAServiceSubtype* subtype) { RNAServiceSubtype* new_subtype = nullptr; @@ -1371,15 +1283,10 @@ int AppIdServiceAddService(AppIdSession* flow, const Packet* pkt, int dir, if (!svc_element->current_ref_count) { -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, "Service %d for protocol %u on port %u (%u->%u) is valid, but skipped\n", - (int)appId, (unsigned)flow->proto, (unsigned)flow->service_port, + (int)appId, (unsigned)asd->protocol, (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp); -#endif return SERVICE_SUCCESS; } @@ -1398,89 +1305,66 @@ int AppIdServiceAddService(AppIdSession* flow, const Packet* pkt, int dir, tmp_subtype->next = new_subtype; new_subtype = tmp_subtype; } - flow->subtype = new_subtype; - return AppIdServiceAddServiceEx(flow, pkt, dir, svc_element, appId, vendor, version); + asd->subtype = new_subtype; + return AppIdServiceAddServiceEx(asd, pkt, dir, svc_element, appId, vendor, version); } -int AppIdServiceInProcess(AppIdSession* flow, const Packet* pkt, int dir, +int AppIdServiceInProcess(AppIdSession* asd, const Packet* pkt, int dir, const RNAServiceElement* svc_element) { AppIdServiceIDState* id_state; - if (!flow || !pkt) + if (!asd || !pkt) { ErrorMessage("Invalid arguments to service_in_process"); return SERVICE_EINVALID; } - if (dir == APP_ID_FROM_INITIATOR || flow->getAppIdFlag(APPID_SESSION_IGNORE_HOST| + if (dir == APP_ID_FROM_INITIATOR || asd->get_session_flags(APPID_SESSION_IGNORE_HOST| APPID_SESSION_UDP_REVERSED)) return SERVICE_SUCCESS; - if (!(id_state = flow->id_state)) + if (!(id_state = asd->id_state)) { uint16_t port; const sfip_t* ip; ip = pkt->ptrs.ip_api.get_src(); - port = flow->service_port ? flow->service_port : pkt->ptrs.sp; + port = asd->service_port ? asd->service_port : pkt->ptrs.sp; - if (!(id_state = AppIdAddServiceIDState(ip, flow->protocol, port, AppIdServiceDetectionLevel( - flow)))) + if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel( + asd)))) { ErrorMessage("In-process service failed to create state"); return SERVICE_ENOMEM; } - flow->id_state = id_state; - flow->service_ip = *ip; - flow->service_port = port; + asd->id_state = id_state; + asd->service_ip = *ip; + asd->service_port = port; id_state->state = SERVICE_ID_NEW; id_state->svc = svc_element; } else { - if (!sfip_is_set(&flow->service_ip)) + if (!sfip_is_set(&asd->service_ip)) { const sfip_t* ip = pkt->ptrs.ip_api.get_src(); - flow->service_ip = *ip; - if (!flow->service_port) - flow->service_port = pkt->ptrs.sp; + asd->service_ip = *ip; + if (!asd->service_port) + asd->service_port = pkt->ptrs.sp; } -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "Service for protocol %u on port %u is in process (%u->%u), %p %s", - (unsigned)flow->proto, (unsigned)flow->service_port, (unsigned)pkt->ptrs.sp, - (unsigned)pkt->ptrs.dp, - svc_element->validate, svc_element->name ? : "UNKNOWN"); -#endif } -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - { - char ipstr[INET6_ADDRSTRLEN]; - - ipstr[0] = 0; - sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr)); - fprintf(SF_DEBUG_FILE, "Inprocess: %s:%u:%u %p %d\n", ipstr, (unsigned)flow->proto, - (unsigned)flow->service_port, - id_state, (int)id_state->state); - } -#endif + APPID_LOG_IP_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp,asd->service_ip, + "Inprocess: %s:%u:%u %p %d\n", ipstr, + (unsigned)asd->protocol, (unsigned)asd->service_port, (void*)id_state, + (int)id_state->state); -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "Service for protocol %u on port %u is in process (%u->%u), %s\n", - (unsigned)flow->proto, (unsigned)flow->service_port, (unsigned)pkt->ptrs.sp, + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, + "Service for protocol %u on port %u is in process (%u->%u), %s\n", + (unsigned)asd->protocol, (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, - svc_element->name ? : "UNKNOWN"); -#endif + svc_element->name ? svc_element->name : "UNKNOWN"); return SERVICE_SUCCESS; } @@ -1491,177 +1375,138 @@ int AppIdServiceInProcess(AppIdSession* flow, const Packet* pkt, int dir, * client ultimately we will have to fail the service. If the same behavior is seen from different * clients going to same service then this most likely the service is something else. */ -int AppIdServiceIncompatibleData(AppIdSession* flow, const Packet* pkt, int dir, +int AppIdServiceIncompatibleData(AppIdSession* asd, const Packet* pkt, int dir, const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig*) { AppIdServiceIDState* id_state; - if (!flow || !pkt) + if (!asd || !pkt) { ErrorMessage("Invalid arguments to service_incompatible_data"); return SERVICE_EINVALID; } if (flow_data_index != APPID_SESSION_DATA_NONE) - flow->free_flow_data_by_id(flow_data_index); + asd->free_flow_data_by_id(flow_data_index); /* If we're still working on a port/pattern list of detectors, then ignore * individual fails until we're done looking at everything. */ - if ( (flow->serviceData == nullptr) /* we're - working - on a list - of - detectors, - and... */ - && (flow->candidate_service_list != nullptr) - && (flow->id_state != nullptr) ) - { - if (sflist_count(flow->candidate_service_list) != 0) + if ( (asd->serviceData == nullptr) && (asd->candidate_service_list != nullptr) + && (asd->id_state != nullptr) ) + { + if (sflist_count(asd->candidate_service_list) != 0) { return SERVICE_SUCCESS; } - else if ((flow->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES) - || (flow->id_state->state == SERVICE_ID_BRUTE_FORCE) ) + else if ((asd->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES) + || (asd->id_state->state == SERVICE_ID_BRUTE_FORCE) ) { return SERVICE_SUCCESS; } } - flow->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); - flow->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED); + asd->clear_session_flags(APPID_SESSION_CONTINUE); - flow->serviceAppId = APP_ID_NONE; + asd->serviceAppId = APP_ID_NONE; - if (flow->getAppIdFlag(APPID_SESSION_IGNORE_HOST|APPID_SESSION_UDP_REVERSED) || (svc_element && + if (asd->get_session_flags(APPID_SESSION_IGNORE_HOST|APPID_SESSION_UDP_REVERSED) || (svc_element && !svc_element->current_ref_count)) return SERVICE_SUCCESS; if (dir == APP_ID_FROM_INITIATOR) { - flow->setAppIdFlag(APPID_SESSION_INCOMPATIBLE); + asd->set_session_flags(APPID_SESSION_INCOMPATIBLE); return SERVICE_SUCCESS; } - if (!(id_state = flow->id_state)) + if (!(id_state = asd->id_state)) { uint16_t port; const sfip_t* ip; ip = pkt->ptrs.ip_api.get_src(); - port = flow->service_port ? flow->service_port : pkt->ptrs.sp; + port = asd->service_port ? asd->service_port : pkt->ptrs.sp; - if (!(id_state = AppIdAddServiceIDState(ip, flow->protocol, port, AppIdServiceDetectionLevel( - flow)))) + if (!(id_state = add_service_id_state(ip, asd->protocol, port, AppIdServiceDetectionLevel( + asd)))) { ErrorMessage("Incompatible service failed to create state"); return SERVICE_ENOMEM; } - flow->id_state = id_state; - flow->service_ip = *ip; - flow->service_port = port; + + //id_state->service_list = nullptr; id_state->state = SERVICE_ID_NEW; id_state->svc = svc_element; + asd->id_state = id_state; + asd->service_ip = *ip; + asd->service_port = port; } else { - if (!sfip_is_set(&flow->service_ip)) + if (!sfip_is_set(&asd->service_ip)) { const sfip_t* ip = pkt->ptrs.ip_api.get_src(); - flow->service_ip = *ip; - if (!flow->service_port) - flow->service_port = pkt->ptrs.sp; -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, + asd->service_ip = *ip; + if (!asd->service_port) + asd->service_port = pkt->ptrs.sp; + + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, "service_IC: Changed State to %s for protocol %u on port %u (%u->%u), count %u, %s\n", - serviceIdStateName[id_state->state], (unsigned)flow->proto, - (unsigned)flow->service_port, + service_id_state_name[id_state->state], (unsigned)asd->protocol, + (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, id_state->invalid_client_count, (id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN"); -#endif } id_state->reset_time = 0; } -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, "service_IC: State %s for protocol %u on port %u (%u->%u), count %u, %s\n", - serviceIdStateName[id_state->state], (unsigned)flow->proto, (unsigned)flow->service_port, + service_id_state_name[id_state->state], (unsigned)asd->protocol, (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, id_state->invalid_client_count, (id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN"); -#endif - -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - { - char ipstr[INET6_ADDRSTRLEN]; - ipstr[0] = 0; - sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr)); - fprintf(SF_DEBUG_FILE, "Incompat: %s:%u:%u %p %d %s\n", ipstr, (unsigned)flow->proto, - (unsigned)flow->service_port, - id_state, (int)id_state->state, + APPID_LOG_IP_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, asd->service_ip, + "Incompat: %s:%u:%u %p %d %s\n", + ipstr, (unsigned)asd->protocol, (unsigned)asd->service_port, (void*)id_state, + (int)id_state->state, (id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN"); - } -#endif - -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - { - char ipstr[INET6_ADDRSTRLEN]; - - ipstr[0] = 0; - sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr)); - fprintf(SF_DEBUG_FILE, "Incompat End: %s:%u:%u %p %d %s\n", ipstr, (unsigned)flow->proto, - (unsigned)flow->service_port, - id_state, (int)id_state->state, (id_state->svc && id_state->svc->name) ? - id_state->svc->name : "UNKNOWN"); - } -#endif return SERVICE_SUCCESS; } -int AppIdServiceFailService(AppIdSession* flow, const Packet* pkt, int dir, - const RNAServiceElement* svc_element, unsigned flow_data_index, const AppIdConfig*) +int AppIdServiceFailService(AppIdSession* asd, const Packet* pkt, int dir, + const RNAServiceElement* svc_element, unsigned flow_data_index) { AppIdServiceIDState* id_state; if (flow_data_index != APPID_SESSION_DATA_NONE) - flow->free_flow_data_by_id(flow_data_index); + asd->free_flow_data_by_id(flow_data_index); /* If we're still working on a port/pattern list of detectors, then ignore * individual fails until we're done looking at everything. */ - if ( (flow->serviceData == nullptr) - && (flow->candidate_service_list != nullptr) - && (flow->id_state != nullptr) ) + if ( (asd->serviceData == nullptr) + && (asd->candidate_service_list != nullptr) + && (asd->id_state != nullptr) ) { - if (sflist_count(flow->candidate_service_list) != 0) + if (sflist_count(asd->candidate_service_list) != 0) return SERVICE_SUCCESS; - else if ( (flow->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES) - || (flow->id_state->state == SERVICE_ID_BRUTE_FORCE) ) + else if ( (asd->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES) + || (asd->id_state->state == SERVICE_ID_BRUTE_FORCE) ) return SERVICE_SUCCESS; } - flow->serviceAppId = APP_ID_NONE; + asd->serviceAppId = APP_ID_NONE; - flow->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); - flow->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED); + asd->clear_session_flags(APPID_SESSION_CONTINUE); - /* detectors should be careful in marking flow UDP_REVERSED otherwise the same detector + /* detectors should be careful in marking session UDP_REVERSED otherwise the same detector * gets all future flows. UDP_REVERSE should be marked only when detector positively * matches opposite direction patterns. */ - if (flow->getAppIdFlag(APPID_SESSION_IGNORE_HOST | APPID_SESSION_UDP_REVERSED) + if (asd->get_session_flags(APPID_SESSION_IGNORE_HOST | APPID_SESSION_UDP_REVERSED) || (svc_element && !svc_element->current_ref_count)) return SERVICE_SUCCESS; @@ -1669,97 +1514,56 @@ int AppIdServiceFailService(AppIdSession* flow, const Packet* pkt, int dir, * otherwise the service will show up on client side. */ if (dir == APP_ID_FROM_INITIATOR) { - flow->setAppIdFlag(APPID_SESSION_INCOMPATIBLE); + asd->set_session_flags(APPID_SESSION_INCOMPATIBLE); return SERVICE_SUCCESS; } - if (!(id_state = flow->id_state)) + if (!(id_state = asd->id_state)) { uint16_t port; const sfip_t* ip; ip = pkt->ptrs.ip_api.get_src(); - port = flow->service_port ? flow->service_port : pkt->ptrs.sp; + port = asd->service_port ? asd->service_port : pkt->ptrs.sp; - if (!(id_state = AppIdAddServiceIDState(ip, flow->protocol, port, AppIdServiceDetectionLevel( - flow)))) + if (!(id_state = add_service_id_state(ip, asd->protocol, port, + AppIdServiceDetectionLevel(asd)))) { ErrorMessage("Fail service failed to create state"); return SERVICE_ENOMEM; } - flow->id_state = id_state; - flow->service_ip = *ip; - flow->service_port = port; + + //id_state->service_list = nullptr; id_state->state = SERVICE_ID_NEW; id_state->svc = svc_element; + asd->id_state = id_state; + asd->service_ip = *ip; + asd->service_port = port; } else { - if (!sfip_is_set(&flow->service_ip)) + if (!sfip_is_set(&asd->service_ip)) { const sfip_t* ip = pkt->ptrs.ip_api.get_src(); - flow->service_ip = *ip; - if (!flow->service_port) - flow->service_port = pkt->ptrs.sp; + asd->service_ip = *ip; + if (!asd->service_port) + asd->service_port = pkt->ptrs.sp; } -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, - "service_fail: State %s for protocol %u on port %u (%u->%u), count %u, valid count %u, currSvc %s\n", - serviceIdStateName[id_state->state], (unsigned)flow->proto, - (unsigned)flow->service_port, - (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, id_state->invalid_client_count, - id_state->valid_count, - (svc_element && svc_element->name) ? svc_element->name : "UNKNOWN"); -#endif } id_state->reset_time = 0; -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, - "service_fail: State %s for protocol %u on port %u (%u->%u), count %u, valid count %u, currSvc %s\n", - serviceIdStateName[id_state->state], (unsigned)flow->proto, (unsigned)flow->service_port, - (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, id_state->invalid_client_count, - id_state->valid_count, - (svc_element && svc_element->name) ? svc_element->name : "UNKNOWN"); -#endif - -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - { - char ipstr[INET6_ADDRSTRLEN]; + APPID_LOG_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, + "service_fail: State %s for protocol %u on port %u (%u->%u), count %u, valid count %u, currSvc %s\n", + service_id_state_name[id_state->state], (unsigned)asd->protocol, + (unsigned)asd->service_port, (unsigned)pkt->ptrs.sp, (unsigned)pkt->ptrs.dp, + id_state->invalid_client_count, id_state->valid_count, + (svc_element && svc_element->name) ? svc_element->name : "UNKNOWN"); - ipstr[0] = 0; - sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr)); - fprintf(SF_DEBUG_FILE, "Fail: %s:%u:%u %p %d %s\n", ipstr, (unsigned)flow->proto, - (unsigned)flow->service_port, - id_state, (int)id_state->state, + APPID_LOG_IP_FILTER_PORTS(pkt->ptrs.dp, pkt->ptrs.sp, asd->service_ip, + "Fail: %s:%u:%u %p %d %s\n", + ipstr, (unsigned)asd->protocol, (unsigned)asd->service_port, (void*)id_state, + (int)id_state->state, (id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN"); - } -#endif - -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (pkt->ptrs.dp == SERVICE_DEBUG_PORT || pkt->ptrs.sp == SERVICE_DEBUG_PORT) -#endif - { - char ipstr[INET6_ADDRSTRLEN]; - - ipstr[0] = 0; - sfip_ntop(&flow->service_ip, ipstr, sizeof(ipstr)); - fprintf(SF_DEBUG_FILE, "Fail End: %s:%u:%u %p %d %s\n", ipstr, (unsigned)flow->proto, - (unsigned)flow->service_port, - id_state, (int)id_state->state, (id_state->svc && id_state->svc->name) ? - id_state->svc->name : "UNKNOWN"); - } -#endif return SERVICE_SUCCESS; } @@ -1770,10 +1574,8 @@ int AppIdServiceFailService(AppIdSession* flow, const Packet* pkt, int dir, * - invalid_client_count: If our service detector search had trouble * simply because of unrecognized client data, then consider retrying * the search again. */ -static void HandleFailure(AppIdSession* flowp, - AppIdServiceIDState* id_state, - const sfip_t* client_ip, - unsigned timeout) +static void HandleFailure(AppIdSession* asd, AppIdServiceIDState* id_state, + const sfip_t* client_ip, unsigned timeout) { /* If we had a valid detector, check for too many fails. If so, start * search sequence again. */ @@ -1825,14 +1627,14 @@ static void HandleFailure(AppIdSession* flowp, } /* If we were port/pattern searching and timed out, just restart over next * time. */ - else if (timeout && (flowp->candidate_service_list != nullptr)) + else if (timeout && (asd->candidate_service_list != nullptr)) { id_state->state = SERVICE_ID_NEW; } /* If we were working on a port/pattern list of detectors, see if we * should restart search (because of invalid clients) or just let it * naturally continue onto brute force next. */ - else if ( (flowp->candidate_service_list != nullptr) + else if ( (asd->candidate_service_list != nullptr) && (id_state->state == SERVICE_ID_BRUTE_FORCE) ) { /* If we're getting some invalid clients, keep retrying @@ -1858,61 +1660,44 @@ static void HandleFailure(AppIdSession* flowp, * * @note Packet may be nullptr when this function is called upon session timeout. */ -void FailInProcessService(AppIdSession* flowp, const AppIdConfig*) +void FailInProcessService(AppIdSession* asd, const AppIdConfig*) { AppIdServiceIDState* id_state; - if (flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED|APPID_SESSION_UDP_REVERSED)) + if (asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_UDP_REVERSED)) return; - id_state = AppIdGetServiceIDState(&flowp->service_ip, flowp->protocol, flowp->service_port, - AppIdServiceDetectionLevel(flowp)); + id_state = get_service_id_state(&asd->service_ip, asd->protocol, asd->service_port, + AppIdServiceDetectionLevel(asd)); -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (flowp->service_port == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "FailInProcess %" PRIx64 ", %08X:%u proto %u\n", - flowp->common.flags, flowp->common.initiator_ip.ip32[3], - (unsigned)flowp->service_port, (unsigned)flowp->proto); -#endif + APPID_LOG_FILTER_SERVICE_PORT(asd->service_port, + "FailInProcess %" PRIx64 ", %08X:%u proto %u\n", asd->common.flags, + asd->common.initiator_ip.ip32[3], (unsigned)asd->service_port, + (unsigned)asd->protocol); if (!id_state || (id_state->svc && !id_state->svc->current_ref_count)) return; -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (flowp->service_port == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, "FailInProcess: State %s for protocol %u on port %u, count %u, %s\n", - serviceIdStateName[id_state->state], (unsigned)flowp->proto, (unsigned)flowp->service_port, - id_state->invalid_client_count, (id_state->svc && id_state->svc->name) ? - id_state->svc->name : "UNKNOWN"); -#endif + APPID_LOG_FILTER_SERVICE_PORT(asd->service_port, + "FailInProcess: State %s for protocol %u on port %u, count %u, %s\n", + service_id_state_name[id_state->state], (unsigned)asd->protocol, + (unsigned)asd->service_port, id_state->invalid_client_count, + (id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN"); id_state->invalid_client_count += STATE_ID_INCONCLUSIVE_SERVICE_WEIGHT; + if (sfip_fast_eq6(&asd->flow->server_ip, &asd->service_ip)) + HandleFailure(asd, id_state, &asd->flow->client_ip, 1); + else + HandleFailure(asd, id_state, &asd->flow->server_ip, 1); - // FIXIT-M: we need a Flow to get the ip address of client/server... -#ifdef REMOVED_WHILE_NOT_IN_USE - sfip_t* tmp_ip = _dpd.sessionAPI->get_session_ip_address(flowp->ssn, SSN_DIR_FROM_SERVER); - if (sfip_fast_eq6(tmp_ip, &flowp->service_ip)) - tmp_ip = _dpd.sessionAPI->get_session_ip_address(flowp->ssn, SSN_DIR_FROM_CLIENT); - - HandleFailure(flowp, id_state, tmp_ip, 1); -#endif - -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - if (flowp->service_port == SERVICE_DEBUG_PORT) -#endif - fprintf(SF_DEBUG_FILE, - "FailInProcess: Changed State to %s for protocol %u on port %u, count %u, %s\n", - serviceIdStateName[id_state->state], (unsigned)flowp->proto, (unsigned)flowp->service_port, - id_state->invalid_client_count, (id_state->svc && id_state->svc->name) ? - id_state->svc->name : "UNKNOWN"); -#endif + APPID_LOG_FILTER_SERVICE_PORT(asd->service_port, + "FailInProcess: Changed State to %s for protocol %u on port %u, count %u, %s\n", + service_id_state_name[id_state->state], (unsigned)asd->protocol, + (unsigned)asd->service_port, id_state->invalid_client_count, + (id_state->svc && id_state->svc->name) ? id_state->svc->name : "UNKNOWN"); } + /* This function should be called to find the next service detector to try when * we have not yet found a valid detector in the host tracker. It will try * both port and/or pattern (but not brute force - that should be done outside @@ -1926,10 +1711,10 @@ void FailInProcessService(AppIdSession* flowp, const AppIdConfig*) * been specified (serviceData). Basically, this function handles going * through the main port/pattern search (and returning which detector to add * next to the list of detectors to try (even if only 1)). */ -static const RNAServiceElement* AppIdGetNexService(const Packet* p, const int dir, - AppIdSession* rnaData, AppIdServiceIDState* id_state) +static const RNAServiceElement* get_next_service(const Packet* p, const int dir, + AppIdSession* asd, AppIdServiceIDState* id_state) { - auto proto = rnaData->protocol; + auto proto = asd->protocol; /* If NEW, just advance onto trying ports. */ if (id_state->state == SERVICE_ID_NEW) @@ -1942,7 +1727,7 @@ static const RNAServiceElement* AppIdGetNexService(const Packet* p, const int di if (id_state->state == SERVICE_ID_PORT) { id_state->svc = AppIdGetNexServiceByPort(proto, (uint16_t)((dir == - APP_ID_FROM_RESPONDER) ? p->ptrs.sp : p->ptrs.dp), id_state->svc, rnaData); + APP_ID_FROM_RESPONDER) ? p->ptrs.sp : p->ptrs.dp), id_state->svc, asd); if (id_state->svc != nullptr) { return id_state->svc; @@ -1951,15 +1736,10 @@ static const RNAServiceElement* AppIdGetNexService(const Packet* p, const int di { id_state->state = SERVICE_ID_PATTERN; id_state->svc = nullptr; - if (id_state->serviceList != nullptr) - { - id_state->currenService = id_state->serviceList; - } + if (id_state->service_list != nullptr) + id_state->current_service = id_state->service_list; else - { - id_state->serviceList = nullptr; - id_state->currenService = nullptr; - } + id_state->current_service = nullptr; } } @@ -1969,23 +1749,24 @@ static const RNAServiceElement* AppIdGetNexService(const Packet* p, const int di * first with UDP reversed services before moving onto pattern matches. */ if (dir == APP_ID_FROM_INITIATOR) { - if (!rnaData->getAppIdFlag(APPID_SESSION_ADDITIONAL_PACKET) - && (proto == IpProtocol::UDP) && !rnaData->tried_reverse_service ) + if (!asd->get_session_flags(APPID_SESSION_ADDITIONAL_PACKET) + && (proto == IpProtocol::UDP) && !asd->tried_reverse_service ) { SF_LNODE* iter; AppIdServiceIDState* reverse_id_state; const RNAServiceElement* reverse_service = nullptr; const sfip_t* reverse_ip = p->ptrs.ip_api.get_src(); - rnaData->tried_reverse_service = true; - if ((reverse_id_state = AppIdGetServiceIDState(reverse_ip, proto, p->ptrs.sp, - AppIdServiceDetectionLevel(rnaData)))) + asd->tried_reverse_service = true; + if ((reverse_id_state = get_service_id_state(reverse_ip, proto, p->ptrs.sp, + AppIdServiceDetectionLevel(asd)))) { reverse_service = reverse_id_state->svc; } + if ( reverse_service - || (serviceConfig->udp_reversed_services[p->ptrs.sp] && + || (service_config->udp_reversed_services[p->ptrs.sp] && (reverse_service = ( RNAServiceElement*)sflist_first( - serviceConfig->udp_reversed_services[p->ptrs.sp], &iter))) + service_config->udp_reversed_services[p->ptrs.sp], &iter))) || (p->dsize && (reverse_service = AppIdGetServiceByPattern(p, proto, dir, nullptr))) ) { @@ -1995,24 +1776,13 @@ static const RNAServiceElement* AppIdGetNexService(const Packet* p, const int di } return nullptr; } - /* Try pattern match detectors. If not, give up, and go to brute - * force. */ - else /* APP_ID_FROM_RESPONDER */ + else { - if (id_state->serviceList == nullptr) /* no list yet (need to make one) */ - { + // Try pattern match detectors. If not, give up, and go to brute force. + if (id_state->service_list == nullptr) /* no list yet (need to make one) */ id_state->svc = AppIdGetServiceByPattern(p, proto, dir, id_state); - } else /* already have a pattern service list (just use it) */ - { - id_state->svc = AppIdNexServiceByPattern(id_state -#ifdef SERVICE_DEBUG -#if SERVICE_DEBUG_PORT - , flow->service_port -#endif -#endif - ); - } + id_state->svc = get_service_by_pattern(id_state, asd->service_port); if (id_state->svc != nullptr) { @@ -2031,8 +1801,7 @@ static const RNAServiceElement* AppIdGetNexService(const Packet* p, const int di return nullptr; } -int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, - const AppIdConfig* pConfig) +int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* asd) { const sfip_t* ip; int ret = SERVICE_NOMATCH; @@ -2042,11 +1811,11 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, ServiceValidationArgs args; /* Get packet info. */ - auto proto = rnaData->protocol; - if (sfip_is_set(&rnaData->service_ip)) + auto proto = asd->protocol; + if (sfip_is_set(&asd->service_ip)) { - ip = &rnaData->service_ip; - port = rnaData->service_port; + ip = &asd->service_ip; + port = asd->service_port; } else { @@ -2063,71 +1832,72 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, } /* Get host tracker state. */ - id_state = rnaData->id_state; + id_state = asd->id_state; if (id_state == nullptr) { - id_state = AppIdGetServiceIDState(ip, proto, port, AppIdServiceDetectionLevel(rnaData)); + id_state = get_service_id_state(ip, proto, port, AppIdServiceDetectionLevel(asd)); /* Create it if it doesn't exist yet. */ if (id_state == nullptr) { - if (!(id_state = AppIdAddServiceIDState(ip, proto, port, - AppIdServiceDetectionLevel(rnaData)))) + if (!(id_state = add_service_id_state(ip, proto, port, + AppIdServiceDetectionLevel(asd)))) { ErrorMessage("Discover service failed to create state"); return SERVICE_ENOMEM; } memset(id_state, 0, sizeof(*id_state)); } - rnaData->id_state = id_state; + + //id_state->service_list = nullptr; + asd->id_state = id_state; } - if (rnaData->serviceData == nullptr) + if (asd->serviceData == nullptr) { /* If a valid service already exists in host tracker, give it a try. */ if ((id_state->svc != nullptr) && (id_state->state == SERVICE_ID_VALID)) { - rnaData->serviceData = id_state->svc; + asd->serviceData = id_state->svc; } /* If we've gotten to brute force, give next detector a try. */ - else if ( (id_state->state == SERVICE_ID_BRUTE_FORCE) - && (rnaData->num_candidate_services_tried == 0) + else if ((id_state->state == SERVICE_ID_BRUTE_FORCE) + && (asd->num_candidate_services_tried == 0) && !id_state->searching ) { - rnaData->serviceData = AppIdGetServiceByBruteForce(proto, id_state->svc); - id_state->svc = rnaData->serviceData; + asd->serviceData = AppIdGetServiceByBruteForce(proto, id_state->svc); + id_state->svc = asd->serviceData; } } args.data = p->data; args.size = p->dsize; args.dir = dir; - args.flowp = rnaData; + args.asd = asd; args.pkt = p; - args.pConfig = pConfig; - args.app_id_debug_session_flag = app_id_debug_session_flag; - args.app_id_debug_session = app_id_debug_session; + args.pConfig = AppIdConfig::get_appid_config(); + args.session_logging_enabled = asd->session_logging_enabled; + args.session_logging_id = asd->session_logging_id; /* If we already have a service to try, then try it out. */ - if (rnaData->serviceData != nullptr) + if (asd->serviceData != nullptr) { - service = rnaData->serviceData; + service = asd->serviceData; args.userdata = service->userdata; ret = service->validate(&args); if (ret == SERVICE_NOT_COMPATIBLE) - rnaData->got_incompatible_services = 1; - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s %s returned %d\n", app_id_debug_session, + asd->got_incompatible_services = 1; + if (asd->session_logging_enabled) + LogMessage("AppIdDbg %s %s returned %d\n", asd->session_logging_id, service->name ? service->name : "UNKNOWN", ret); } - /* Else, try to find detector(s) to use based on ports and patterns. */ else { - if (rnaData->candidate_service_list == nullptr) + if (asd->candidate_service_list == nullptr) { - rnaData->candidate_service_list = (SF_LIST*)snort_calloc(sizeof(SF_LIST)); - sflist_init(rnaData->candidate_service_list); - rnaData->num_candidate_services_tried = 0; + asd->candidate_service_list = (SF_LIST*)snort_calloc(sizeof(SF_LIST)); + sflist_init(asd->candidate_service_list); + asd->num_candidate_services_tried = 0; /* This is our first time in for this session, and we're about to * search for a service, because we don't have any solid history on @@ -2144,21 +1914,21 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, || (id_state->state == SERVICE_ID_PORT) || ((id_state->state == SERVICE_ID_PATTERN) && (dir == APP_ID_FROM_RESPONDER)) ) { - while (rnaData->num_candidate_services_tried < MAX_CANDIDATE_SERVICES) + while (asd->num_candidate_services_tried < MAX_CANDIDATE_SERVICES) { - const RNAServiceElement* tmp = AppIdGetNexService(p, dir, rnaData, id_state); + const RNAServiceElement* tmp = get_next_service(p, dir, asd, id_state); if (tmp != nullptr) { SF_LNODE* iter = nullptr; /* Add to list (if not already there). */ - service = (RNAServiceElement*)sflist_first(rnaData->candidate_service_list, + service = (RNAServiceElement*)sflist_first(asd->candidate_service_list, &iter); while (service && (service != tmp)) service = (RNAServiceElement*)sflist_next(&iter); if (service == nullptr) { - sflist_add_tail(rnaData->candidate_service_list, (void*)tmp); - rnaData->num_candidate_services_tried++; + sflist_add_tail(asd->candidate_service_list, (void*)tmp); + asd->num_candidate_services_tried++; } } else @@ -2171,7 +1941,7 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, /* Run all of the detectors that we currently have. */ ret = SERVICE_INPROCESS; SF_LNODE* iter; - service = (RNAServiceElement*)sflist_first(rnaData->candidate_service_list, &iter); + service = (RNAServiceElement*)sflist_first(asd->candidate_service_list, &iter); while (service) { int result; @@ -2179,23 +1949,23 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, args.userdata = service->userdata; result = service->validate(&args); if (result == SERVICE_NOT_COMPATIBLE) - rnaData->got_incompatible_services = 1; - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s %s returned %d\n", app_id_debug_session, + asd->got_incompatible_services = 1; + if (asd->session_logging_enabled) + LogMessage("AppIdDbg %s %s returned %d\n", asd->session_logging_id, service->name ? service->name : "UNKNOWN", result); if (result == SERVICE_SUCCESS) { ret = SERVICE_SUCCESS; - rnaData->serviceData = service; - sflist_free(rnaData->candidate_service_list); - rnaData->candidate_service_list = nullptr; + asd->serviceData = service; + sflist_free(asd->candidate_service_list); + asd->candidate_service_list = nullptr; break; /* done */ } else if (result != SERVICE_INPROCESS) /* fail */ { - sflist_remove_node(rnaData->candidate_service_list, iter); - service = (RNAServiceElement*)sflist_first(rnaData->candidate_service_list, &iter); + sflist_remove_node(asd->candidate_service_list, iter); + service = (RNAServiceElement*)sflist_first(asd->candidate_service_list, &iter); } else service = (RNAServiceElement*)sflist_next(&iter); @@ -2204,12 +1974,11 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, /* If we tried everything and found nothing, then fail. */ if (ret != SERVICE_SUCCESS) { - if ( (sflist_count(rnaData->candidate_service_list) == 0) - && ( (rnaData->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES) + if ( (sflist_count(asd->candidate_service_list) == 0) + && ( (asd->num_candidate_services_tried >= MAX_CANDIDATE_SERVICES) || (id_state->state == SERVICE_ID_BRUTE_FORCE) ) ) { - AppIdServiceFailService(rnaData, p, dir, nullptr, APPID_SESSION_DATA_NONE, - pConfig); + AppIdServiceFailService(asd, p, dir, nullptr, APPID_SESSION_DATA_NONE); ret = SERVICE_NOMATCH; } } @@ -2222,9 +1991,9 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, else if (dir == APP_ID_FROM_RESPONDER) /* we have seen bidirectional exchange and have not identified any service */ { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s no RNA service detector\n", app_id_debug_session); - AppIdServiceFailService(rnaData, p, dir, nullptr, APPID_SESSION_DATA_NONE, pConfig); + if (asd->session_logging_enabled) + LogMessage("AppIdDbg %s no RNA service detector\n", asd->session_logging_id); + AppIdServiceFailService(asd, p, dir, nullptr, APPID_SESSION_DATA_NONE); ret = SERVICE_NOMATCH; } @@ -2237,7 +2006,7 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, else tmp_ip = p->ptrs.ip_api.get_src(); - if (rnaData->got_incompatible_services) + if (asd->got_incompatible_services) { if (id_state->invalid_client_count < STATE_ID_INVALID_CLIENT_THRESHOLD) { @@ -2251,33 +2020,32 @@ int AppIdDiscoverService(Packet* p, const int dir, AppIdSession* rnaData, } } - HandleFailure(rnaData, id_state, tmp_ip, 0); + HandleFailure(asd, id_state, tmp_ip, 0); } /* Can free up any pattern match lists if done with them. */ if ( (id_state->state == SERVICE_ID_BRUTE_FORCE) || (id_state->state == SERVICE_ID_VALID) ) { - if (id_state->serviceList != nullptr) - { - AppIdFreeServiceMatchList(id_state->serviceList); - } - id_state->serviceList = nullptr; - id_state->currenService = nullptr; + if (id_state->service_list != nullptr) + AppIdFreeServiceMatchList(id_state->service_list); + + id_state->service_list = nullptr; + id_state->current_service = nullptr; } return ret; } -static void* service_flowdata_get(AppIdSession* flow, unsigned service_id) +static void* service_flowdata_get(AppIdSession* asd, unsigned service_id) { - return flow->get_flow_data(service_id); + return asd->get_flow_data(service_id); } -static int service_flowdata_add(AppIdSession* flow, void* data, unsigned service_id, AppIdFreeFCN +static int service_flowdata_add(AppIdSession* asd, void* data, unsigned service_id, AppIdFreeFCN fcn) { - return flow->add_flow_data(data, service_id, fcn); + return asd->add_flow_data(data, service_id, fcn); } static void dumpServices(FILE* stream, SF_LIST* const* parray) @@ -2299,16 +2067,83 @@ static void dumpServices(FILE* stream, SF_LIST* const* parray) void dumpPorts(FILE* stream) { fprintf(stream,"(tcp "); - dumpServices(stream, serviceConfig->tcp_services); + dumpServices(stream, service_config->tcp_services); fprintf(stream,") \n"); fprintf(stream,"(udp "); - dumpServices(stream, serviceConfig->udp_services); + dumpServices(stream, service_config->udp_services); fprintf(stream,") \n"); } -static void AppIdServiceAddMisc(AppIdSession* flow, AppId miscId) +static void add_miscellaneous_info(AppIdSession* asd, AppId miscId) { - if (flow != nullptr) - flow->misc_app_id = miscId; + if (asd != nullptr) + asd->misc_app_id = miscId; } +static void add_dns_query_info(AppIdSession* asd, uint16_t id, const uint8_t* host, uint8_t host_len, + uint16_t host_offset, uint16_t record_type) +{ + if ( asd->dsession ) + { + if ( ( asd->dsession->state != 0 ) && ( asd->dsession->id != id ) ) + reset_dns_info(asd); + } + else + asd->dsession = (dnsSession*)snort_calloc(sizeof(dnsSession)); + + if (asd->dsession->state & DNS_GOT_QUERY) + return; + asd->dsession->state |= DNS_GOT_QUERY; + + asd->dsession->id = id; + asd->dsession->record_type = record_type; + + if (!asd->dsession->host) + { + if ((host != nullptr) && (host_len > 0) && (host_offset > 0)) + { + asd->dsession->host_len = host_len; + asd->dsession->host_offset = host_offset; + asd->dsession->host = dns_parse_host(host, host_len); + } + } +} + +static void add_dns_response_info(AppIdSession* asd, uint16_t id, const uint8_t* host, + uint8_t host_len, uint16_t host_offset, uint8_t response_type, uint32_t ttl) +{ + if ( asd->dsession ) + { + if ( ( asd->dsession->state != 0 ) && ( asd->dsession->id != id ) ) + reset_dns_info(asd); + } + else + asd->dsession = (dnsSession*)snort_calloc(sizeof(*asd->dsession)); + + if (asd->dsession->state & DNS_GOT_RESPONSE) + return; + asd->dsession->state |= DNS_GOT_RESPONSE; + + asd->dsession->id = id; + asd->dsession->response_type = response_type; + asd->dsession->ttl = ttl; + + if (!asd->dsession->host) + { + if ((host != nullptr) && (host_len > 0) && (host_offset > 0)) + { + asd->dsession->host_len = host_len; + asd->dsession->host_offset = host_offset; + asd->dsession->host = dns_parse_host(host, host_len); + } + } +} + +static void reset_dns_info(AppIdSession* asd) +{ + if (asd->dsession) + { + snort_free(asd->dsession->host); + memset(asd->dsession, 0, sizeof(*(asd->dsession))); + } +} diff --git a/src/network_inspectors/appid/service_plugins/service_base.h b/src/network_inspectors/appid/service_plugins/service_base.h index cbb4dffe8..c952587b8 100644 --- a/src/network_inspectors/appid/service_plugins/service_base.h +++ b/src/network_inspectors/appid/service_plugins/service_base.h @@ -32,7 +32,7 @@ class AppIdConfig; class AppIdSession; struct RNAServiceElement; -struct DhcpFPData; +struct DHCPData; struct FpSMBData; struct Packet; struct ServiceMatch; @@ -53,7 +53,7 @@ int ServiceAddPort(const RNAServiceValidationPort*, RNAServiceValidationModule*, void ServiceRemovePorts(RNAServiceValidationFCN, Detector*); void ServiceRegisterPatternDetector(RNAServiceValidationFCN, IpProtocol proto, const uint8_t* pattern, unsigned size, int position, Detector*, const char* name); -int AppIdDiscoverService(Packet*, int direction, AppIdSession*, const AppIdConfig*); +int AppIdDiscoverService(Packet*, int direction, AppIdSession*); AppId getPortServiceId(IpProtocol proto, uint16_t port, const AppIdConfig*); void AppIdFreeServiceIDState(AppIdServiceIDState*); int AppIdServiceAddService(AppIdSession*, const Packet*, int dir, const RNAServiceElement*, @@ -64,14 +64,13 @@ int AppIdServiceInProcess(AppIdSession*, const Packet*, int dir, const RNAServic int AppIdServiceIncompatibleData(AppIdSession*, const Packet*, int dir, const RNAServiceElement*, unsigned flow_data_index, const AppIdConfig*); int AppIdServiceFailService(AppIdSession*, const Packet*, int dir, const RNAServiceElement*, - unsigned flow_data_index, const AppIdConfig*); + unsigned flow_data_index); int AddFTPServiceState(AppIdSession*); void AppIdFreeDhcpInfo(DHCPInfo*); void AppIdFreeSMBData(FpSMBData*); -void AppIdFreeDhcpData(DhcpFPData*); +void AppIdFreeDhcpData(DHCPData*); void dumpPorts(FILE*); -const RNAServiceElement* ServiceGetServiceElement(RNAServiceValidationFCN, Detector*); - +const RNAServiceElement* get_service_element(RNAServiceValidationFCN, Detector*); void add_service_to_active_list(RNAServiceValidationModule* service); extern uint32_t app_id_instance_id; @@ -87,17 +86,17 @@ inline bool compareServiceElements(const RNAServiceElement* first, return (first->validate != second->validate || first->userdata != second->userdata); } -inline uint32_t AppIdServiceDetectionLevel(AppIdSession* session) +inline uint32_t AppIdServiceDetectionLevel(AppIdSession* asd) { - if (session->getAppIdFlag(APPID_SESSION_DECRYPTED)) + if (asd->get_session_flags(APPID_SESSION_DECRYPTED)) return 1; return 0; } inline void PopulateExpectedFlow(AppIdSession* parent, AppIdSession* expected, uint64_t flags) { - expected->setAppIdFlag(flags | - parent->getAppIdFlag(APPID_SESSION_RESPONDER_MONITORED | + expected->set_session_flags(flags | + parent->get_session_flags(APPID_SESSION_RESPONDER_MONITORED | APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_RESPONDER_CHECKED | diff --git a/src/network_inspectors/appid/service_plugins/service_battle_field.cc b/src/network_inspectors/appid/service_plugins/service_battle_field.cc index 9bb72d8eb..0c7a55fcc 100644 --- a/src/network_inspectors/appid/service_plugins/service_battle_field.cc +++ b/src/network_inspectors/appid/service_plugins/service_battle_field.cc @@ -47,7 +47,7 @@ struct ServiceData static int battle_field_init(const IniServiceAPI* const init_api); static int battle_field_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &battle_field_validate, @@ -59,7 +59,7 @@ static RNAServiceElement svc_element = "battle_field" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &battle_field_validate, 4711, IpProtocol::TCP, 0 }, { &battle_field_validate, 16567, IpProtocol::UDP, 0 }, @@ -114,7 +114,6 @@ static int battle_field_init(const IniServiceAPI* const init_api) unsigned i; for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { - DebugFormat(DEBUG_INSPECTOR,"registering appId: %d\n",appIdRegistry[i].appId); init_api->RegisterAppId(&battle_field_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo); } @@ -125,7 +124,7 @@ static int battle_field_init(const IniServiceAPI* const init_api) static int battle_field_validate(ServiceValidationArgs* args) { ServiceData* fd; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; uint16_t size = args->size; @@ -135,12 +134,12 @@ static int battle_field_validate(ServiceValidationArgs* args) goto inprocess_nofd; } - fd = (ServiceData*)battlefield_service_mod.api->data_get(flowp, + fd = (ServiceData*)battlefield_service_mod.api->data_get(asd, battlefield_service_mod.flow_data_index); if (!fd) { fd = (ServiceData*)snort_calloc(sizeof(ServiceData)); - battlefield_service_mod.api->data_add(flowp, fd, + battlefield_service_mod.api->data_add(asd, fd, battlefield_service_mod.flow_data_index, &snort_free); } @@ -201,9 +200,8 @@ static int battle_field_validate(ServiceValidationArgs* args) goto success; } - battlefield_service_mod.api->fail_service(flowp, pkt, args->dir, &svc_element, - battlefield_service_mod.flow_data_index, - args->pConfig); + battlefield_service_mod.api->fail_service(asd, pkt, args->dir, &svc_element, + battlefield_service_mod.flow_data_index); return SERVICE_NOMATCH; inprocess: @@ -211,7 +209,7 @@ inprocess: if (fd->packetCount >= MAX_PACKET_INSPECTION_COUNT) goto fail; inprocess_nofd: - battlefield_service_mod.api->service_inprocess(flowp, pkt, args->dir, &svc_element); + battlefield_service_mod.api->service_inprocess(asd, pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: @@ -221,15 +219,14 @@ success: goto inprocess; } - battlefield_service_mod.api->add_service(flowp, pkt, args->dir, &svc_element, + battlefield_service_mod.api->add_service(asd, pkt, args->dir, &svc_element, APP_ID_BATTLEFIELD, nullptr, nullptr, nullptr); appid_stats.battlefield_flows++; return SERVICE_SUCCESS; fail: - battlefield_service_mod.api->fail_service(flowp, pkt, args->dir, &svc_element, - battlefield_service_mod.flow_data_index, - args->pConfig); + battlefield_service_mod.api->fail_service(asd, pkt, args->dir, &svc_element, + battlefield_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_bgp.cc b/src/network_inspectors/appid/service_plugins/service_bgp.cc index 6d7624026..b9b5aa02b 100644 --- a/src/network_inspectors/appid/service_plugins/service_bgp.cc +++ b/src/network_inspectors/appid/service_plugins/service_bgp.cc @@ -89,7 +89,7 @@ struct ServiceBGPV1Open static int bgp_init(const IniServiceAPI* const init_api); static int bgp_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &bgp_validate, @@ -101,7 +101,7 @@ static RNAServiceElement svc_element = "bgp" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &bgp_validate, BGP_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -149,7 +149,7 @@ static int bgp_validate(ServiceValidationArgs* args) { ServiceBGPData* bd; const ServiceBGPHeader* bh; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; uint16_t len; @@ -162,11 +162,11 @@ static int bgp_validate(ServiceValidationArgs* args) if (size < sizeof(ServiceBGPHeader)) goto fail; - bd = (ServiceBGPData*)bgp_service_mod.api->data_get(flowp, bgp_service_mod.flow_data_index); + bd = (ServiceBGPData*)bgp_service_mod.api->data_get(asd, bgp_service_mod.flow_data_index); if (!bd) { bd = (ServiceBGPData*)snort_calloc(sizeof(ServiceBGPData)); - bgp_service_mod.api->data_add(flowp, bd, bgp_service_mod.flow_data_index, &snort_free); + bgp_service_mod.api->data_add(asd, bd, bgp_service_mod.flow_data_index, &snort_free); bd->state = BGP_STATE_CONNECTION; } @@ -241,16 +241,16 @@ static int bgp_validate(ServiceValidationArgs* args) } inprocess: - bgp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + bgp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; fail: - bgp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - bgp_service_mod.flow_data_index, args->pConfig); + bgp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + bgp_service_mod.flow_data_index); return SERVICE_NOMATCH; success: - bgp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + bgp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_BGP, nullptr, nullptr, nullptr); appid_stats.bgp_flows++; return SERVICE_SUCCESS; diff --git a/src/network_inspectors/appid/service_plugins/service_bit.cc b/src/network_inspectors/appid/service_plugins/service_bit.cc index 060b0b743..ba54191b0 100644 --- a/src/network_inspectors/appid/service_plugins/service_bit.cc +++ b/src/network_inspectors/appid/service_plugins/service_bit.cc @@ -69,7 +69,7 @@ struct ServiceBITMsg static int bit_init(const IniServiceAPI* const init_api); static int bit_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &bit_validate, @@ -81,7 +81,7 @@ static RNAServiceElement svc_element = "bit" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &bit_validate, BIT_PORT, IpProtocol::TCP, 0 }, { &bit_validate, BIT_PORT+1, IpProtocol::TCP, 0 }, @@ -95,7 +95,6 @@ static RNAServiceValidationPort pp[] = { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } }; -// FIXIT - Why is there no service_bit.h that declares this extern like all the others? SO_PUBLIC RNAServiceValidationModule bit_service_mod = { svc_name, @@ -131,7 +130,7 @@ static int bit_init(const IniServiceAPI* const init_api) static int bit_validate(ServiceValidationArgs* args) { ServiceBITData* ss; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; uint16_t offset; @@ -141,11 +140,11 @@ static int bit_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - ss = (ServiceBITData*)bit_service_mod.api->data_get(flowp, bit_service_mod.flow_data_index); + ss = (ServiceBITData*)bit_service_mod.api->data_get(asd, bit_service_mod.flow_data_index); if (!ss) { ss = (ServiceBITData*)snort_calloc(sizeof(ServiceBITData)); - bit_service_mod.api->data_add(flowp, ss, bit_service_mod.flow_data_index, &snort_free); + bit_service_mod.api->data_add(asd, ss, bit_service_mod.flow_data_index, &snort_free); ss->state = BIT_STATE_BANNER; } @@ -199,18 +198,18 @@ static int bit_validate(ServiceValidationArgs* args) } inprocess: - bit_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + bit_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: - bit_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + bit_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_BITTORRENT, nullptr, nullptr, nullptr); appid_stats.bit_flows++; return SERVICE_SUCCESS; fail: - bit_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - bit_service_mod.flow_data_index, args->pConfig); + bit_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + bit_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_bootp.cc b/src/network_inspectors/appid/service_plugins/service_bootp.cc index 11d2d6a0f..7fccf531b 100644 --- a/src/network_inspectors/appid/service_plugins/service_bootp.cc +++ b/src/network_inspectors/appid/service_plugins/service_bootp.cc @@ -69,7 +69,7 @@ struct ServiceDHCPOption static int bootp_init(const IniServiceAPI* const init_api); static int bootp_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &bootp_validate, @@ -81,7 +81,7 @@ static RNAServiceElement svc_element = "bootp" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &bootp_validate, 67, IpProtocol::UDP, 0 }, { &bootp_validate, 67, IpProtocol::UDP, 1 }, @@ -127,7 +127,7 @@ static int bootp_validate(ServiceValidationArgs* args) unsigned op60_len=0; const uint8_t* op55=nullptr; const uint8_t* op60=nullptr; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; @@ -182,7 +182,7 @@ static int bootp_validate(ServiceValidationArgs* args) if (option53 && op55_len && (memcmp(eh->ether_src, bh->chaddr, 6) == 0)) { - if (bootp_service_mod.api->data_add_dhcp(flowp, op55_len, op55, + if (bootp_service_mod.api->data_add_dhcp(asd, op55_len, op55, op60_len, op60, bh->chaddr)) { @@ -229,11 +229,11 @@ static int bootp_validate(ServiceValidationArgs* args) if (dir == APP_ID_FROM_INITIATOR) { - flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->set_session_flags(APPID_SESSION_UDP_REVERSED); } else { - flowp->clearAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->clear_session_flags(APPID_SESSION_UDP_REVERSED); } if (size > sizeof(ServiceBOOTPHeader) + 4) @@ -259,7 +259,7 @@ static int bootp_validate(ServiceValidationArgs* args) goto fail; if (option53 && (memcmp(eh->ether_dst, bh->chaddr, 6) == 0)) - bootp_service_mod.api->dhcpNewLease(flowp, bh->chaddr, bh->yiaddr, + bootp_service_mod.api->dhcpNewLease(asd, bh->chaddr, bh->yiaddr, pkt->pkth->ingress_group, ntohl(subnet), ntohl(leaseTime), router); goto success; @@ -306,35 +306,35 @@ static int bootp_validate(ServiceValidationArgs* args) } success: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); - bootp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + asd->set_session_flags(APPID_SESSION_CONTINUE); + bootp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_DHCP, nullptr, nullptr, nullptr); appid_stats.bootp_flows++; } return SERVICE_SUCCESS; inprocess: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - bootp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + bootp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); } return SERVICE_INPROCESS; fail: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - bootp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - bootp_service_mod.flow_data_index, args->pConfig); + bootp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + bootp_service_mod.flow_data_index); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOMATCH; not_compatible: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - bootp_service_mod.api->incompatible_data(flowp, args->pkt, args->dir, &svc_element, + bootp_service_mod.api->incompatible_data(asd, args->pkt, args->dir, &svc_element, bootp_service_mod.flow_data_index, args->pConfig); } return SERVICE_NOT_COMPATIBLE; diff --git a/src/network_inspectors/appid/service_plugins/service_dcerpc.cc b/src/network_inspectors/appid/service_plugins/service_dcerpc.cc index 4cdc1eeef..1525ccb48 100644 --- a/src/network_inspectors/appid/service_plugins/service_dcerpc.cc +++ b/src/network_inspectors/appid/service_plugins/service_dcerpc.cc @@ -40,7 +40,7 @@ static int dcerpc_init(const IniServiceAPI* const init_api); static int dcerpc_tcp_validate(ServiceValidationArgs* args); static int dcerpc_udp_validate(ServiceValidationArgs* args); -static RNAServiceElement tcp_svc_element = +static const RNAServiceElement tcp_svc_element = { nullptr, &dcerpc_tcp_validate, @@ -51,7 +51,7 @@ static RNAServiceElement tcp_svc_element = 0, "dcerpc" }; -static RNAServiceElement udp_svc_element = +static const RNAServiceElement udp_svc_element = { nullptr, &dcerpc_udp_validate, @@ -63,7 +63,7 @@ static RNAServiceElement udp_svc_element = "udp dcerpc" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &dcerpc_tcp_validate, 135, IpProtocol::TCP, 0 }, { &dcerpc_udp_validate, 135, IpProtocol::UDP, 0 }, @@ -105,7 +105,7 @@ static int dcerpc_tcp_validate(ServiceValidationArgs* args) ServiceDCERPCData* dd; int retval = SERVICE_INPROCESS; int length; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -114,12 +114,12 @@ static int dcerpc_tcp_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - dd = (ServiceDCERPCData*)dcerpc_service_mod.api->data_get(flowp, + dd = (ServiceDCERPCData*)dcerpc_service_mod.api->data_get(asd, dcerpc_service_mod.flow_data_index); if (!dd) { dd = (ServiceDCERPCData*)snort_calloc(sizeof(ServiceDCERPCData)); - dcerpc_service_mod.api->data_add(flowp, dd, dcerpc_service_mod.flow_data_index, + dcerpc_service_mod.api->data_add(asd, dd, dcerpc_service_mod.flow_data_index, &snort_free); } @@ -136,19 +136,19 @@ static int dcerpc_tcp_validate(ServiceValidationArgs* args) } if (retval == SERVICE_SUCCESS) { - dcerpc_service_mod.api->add_service(flowp, args->pkt, args->dir, &tcp_svc_element, + dcerpc_service_mod.api->add_service(asd, args->pkt, args->dir, &tcp_svc_element, APP_ID_DCE_RPC, nullptr, nullptr, nullptr); appid_stats.dcerpc_tcp_flows++; return SERVICE_SUCCESS; } inprocess: - dcerpc_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &tcp_svc_element); + dcerpc_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &tcp_svc_element); return SERVICE_INPROCESS; fail: - dcerpc_service_mod.api->fail_service(flowp, args->pkt, args->dir, &tcp_svc_element, - dcerpc_service_mod.flow_data_index, args->pConfig); + dcerpc_service_mod.api->fail_service(asd, args->pkt, args->dir, &tcp_svc_element, + dcerpc_service_mod.flow_data_index); return SERVICE_NOMATCH; } @@ -157,7 +157,7 @@ static int dcerpc_udp_validate(ServiceValidationArgs* args) ServiceDCERPCData* dd; int retval = SERVICE_NOMATCH; int length; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -166,12 +166,12 @@ static int dcerpc_udp_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - dd = (ServiceDCERPCData*)dcerpc_service_mod.api->data_get(flowp, + dd = (ServiceDCERPCData*)dcerpc_service_mod.api->data_get(asd, dcerpc_service_mod.flow_data_index); if (!dd) { dd = (ServiceDCERPCData*)snort_calloc(sizeof(ServiceDCERPCData)); - dcerpc_service_mod.api->data_add(flowp, dd, dcerpc_service_mod.flow_data_index, + dcerpc_service_mod.api->data_add(asd, dd, dcerpc_service_mod.flow_data_index, &snort_free); } @@ -188,19 +188,19 @@ static int dcerpc_udp_validate(ServiceValidationArgs* args) } if (retval == SERVICE_SUCCESS) { - dcerpc_service_mod.api->add_service(flowp, args->pkt, args->dir, &udp_svc_element, + dcerpc_service_mod.api->add_service(asd, args->pkt, args->dir, &udp_svc_element, APP_ID_DCE_RPC, nullptr, nullptr, nullptr); appid_stats.dcerpc_udp_flows++; return SERVICE_SUCCESS; } inprocess: - dcerpc_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &udp_svc_element); + dcerpc_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &udp_svc_element); return SERVICE_INPROCESS; fail: - dcerpc_service_mod.api->fail_service(flowp, args->pkt, args->dir, &udp_svc_element, - dcerpc_service_mod.flow_data_index, args->pConfig); + dcerpc_service_mod.api->fail_service(asd, args->pkt, args->dir, &udp_svc_element, + dcerpc_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_direct_connect.cc b/src/network_inspectors/appid/service_plugins/service_direct_connect.cc index 2288f69a7..891c39ab5 100644 --- a/src/network_inspectors/appid/service_plugins/service_direct_connect.cc +++ b/src/network_inspectors/appid/service_plugins/service_direct_connect.cc @@ -47,13 +47,11 @@ struct ServiceData static int direct_connect_init(const IniServiceAPI* const init_api); static int direct_connect_validate(ServiceValidationArgs* args); static int validateDirectConnectTcp(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, const Packet* pkt, ServiceData* serviceData, - const AppIdConfig* pConfig); + AppIdSession* asd, const Packet* pkt, ServiceData* serviceData); static int validateDirectConnectUdp(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, const Packet* pkt, ServiceData* serviceData, - const AppIdConfig* pConfig); + AppIdSession* asd, const Packet* pkt, ServiceData* serviceData); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &direct_connect_validate, @@ -65,7 +63,7 @@ static RNAServiceElement svc_element = "direct_connect" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &direct_connect_validate, 411, IpProtocol::TCP, 0 }, { &direct_connect_validate, 411, IpProtocol::UDP, 0 }, @@ -134,37 +132,34 @@ static int direct_connect_init(const IniServiceAPI* const init_api) static int direct_connect_validate(ServiceValidationArgs* args) { ServiceData* fd; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; if (!size) { - directconnect_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, + directconnect_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; } - fd = (ServiceData*)directconnect_service_mod.api->data_get(flowp, + fd = (ServiceData*)directconnect_service_mod.api->data_get(asd, directconnect_service_mod.flow_data_index); if (!fd) { fd = (ServiceData*)snort_calloc(sizeof(ServiceData)); - directconnect_service_mod.api->data_add(flowp, fd, + directconnect_service_mod.api->data_add(asd, fd, directconnect_service_mod.flow_data_index, &snort_free); } - if (flowp->protocol == IpProtocol::TCP) - return validateDirectConnectTcp(data, size, args->dir, flowp, args->pkt, fd, - args->pConfig); + if (asd->protocol == IpProtocol::TCP) + return validateDirectConnectTcp(data, size, args->dir, asd, args->pkt, fd); else - return validateDirectConnectUdp(data, size, args->dir, flowp, args->pkt, fd, - args->pConfig); + return validateDirectConnectUdp(data, size, args->dir, asd, args->pkt, fd); } static int validateDirectConnectTcp(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, const Packet* pkt, ServiceData* serviceData, - const AppIdConfig* pConfig) + AppIdSession* asd, const Packet* pkt, ServiceData* serviceData) { switch (serviceData->state) { @@ -252,7 +247,7 @@ inprocess: if (serviceData->packetCount >= MAX_PACKET_INSPECTION_COUNT) goto fail; - directconnect_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + directconnect_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); return SERVICE_INPROCESS; success: @@ -262,20 +257,19 @@ success: goto inprocess; } - directconnect_service_mod.api->add_service(flowp, pkt, dir, &svc_element, + directconnect_service_mod.api->add_service(asd, pkt, dir, &svc_element, APP_ID_DIRECT_CONNECT, nullptr, nullptr, nullptr); appid_stats.direct_connect_flows++; return SERVICE_SUCCESS; fail: - directconnect_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - directconnect_service_mod.flow_data_index, pConfig); + directconnect_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + directconnect_service_mod.flow_data_index); return SERVICE_NOMATCH; } static int validateDirectConnectUdp(const uint8_t* data, uint16_t size, const int dir, - AppIdSession* flowp, const Packet* pkt, ServiceData* serviceData, - const AppIdConfig* pConfig) + AppIdSession* asd, const Packet* pkt, ServiceData* serviceData) { if (dir == APP_ID_FROM_RESPONDER && serviceData->state == CONN_STATE_SERVICE_DETECTED) { @@ -304,7 +298,7 @@ inprocess: if (serviceData->packetCount >= MAX_PACKET_INSPECTION_COUNT) goto fail; - directconnect_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + directconnect_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); return SERVICE_INPROCESS; success: @@ -315,14 +309,14 @@ success: } reportSuccess: - directconnect_service_mod.api->add_service(flowp, pkt, dir, &svc_element, + directconnect_service_mod.api->add_service(asd, pkt, dir, &svc_element, APP_ID_DIRECT_CONNECT, nullptr, nullptr, nullptr); appid_stats.direct_connect_flows++; return SERVICE_SUCCESS; fail: - directconnect_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - directconnect_service_mod.flow_data_index, pConfig); + directconnect_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + directconnect_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_flap.cc b/src/network_inspectors/appid/service_plugins/service_flap.cc index 718b287b7..97654dbc0 100644 --- a/src/network_inspectors/appid/service_plugins/service_flap.cc +++ b/src/network_inspectors/appid/service_plugins/service_flap.cc @@ -77,7 +77,7 @@ struct FLAPHeader static int flap_init(const IniServiceAPI* const init_api); static int flap_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &flap_validate, @@ -89,7 +89,7 @@ static RNAServiceElement svc_element = "flap" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &flap_validate, 5190, IpProtocol::TCP, 0 }, { &flap_validate, 9898, IpProtocol::TCP, 0 }, @@ -138,7 +138,7 @@ static int flap_validate(ServiceValidationArgs* args) const FLAPHeader* hdr = (const FLAPHeader*)args->data; const FLAPFNAC* ff; const FLAPTLV* tlv; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; uint16_t size = args->size; uint16_t len; @@ -147,11 +147,11 @@ static int flap_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - sf = (ServiceFLAPData*)flap_service_mod.api->data_get(flowp, flap_service_mod.flow_data_index); + sf = (ServiceFLAPData*)flap_service_mod.api->data_get(asd, flap_service_mod.flow_data_index); if (!sf) { sf = (ServiceFLAPData*)snort_calloc(sizeof(ServiceFLAPData)); - flap_service_mod.api->data_add(flowp, sf, flap_service_mod.flow_data_index, &snort_free); + flap_service_mod.api->data_add(asd, sf, flap_service_mod.flow_data_index, &snort_free); sf->state = FLAP_STATE_ACK; } @@ -226,17 +226,17 @@ static int flap_validate(ServiceValidationArgs* args) } fail: - flap_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - flap_service_mod.flow_data_index, args->pConfig); + flap_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + flap_service_mod.flow_data_index); return SERVICE_NOMATCH; success: - flap_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + flap_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_AOL_INSTANT_MESSENGER, nullptr, nullptr, nullptr); return SERVICE_SUCCESS; inprocess: - flap_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + flap_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; } diff --git a/src/network_inspectors/appid/service_plugins/service_ftp.cc b/src/network_inspectors/appid/service_plugins/service_ftp.cc index f241a600f..74573a3dc 100644 --- a/src/network_inspectors/appid/service_plugins/service_ftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_ftp.cc @@ -23,7 +23,6 @@ #include "main/snort_debug.h" #include "sfip/sf_ip.h" -#include "target_based/snort_protocols.h" #include "utils/util.h" #include "app_info_table.h" @@ -34,12 +33,7 @@ #include "service_util.h" #include "appid_module.h" -// FIXIT-H This needs to use a real SFIP function -static SFIP_RET sfip_convert_ip_text_to_binary(const int, const char*, void*) -{ return SFIP_SUCCESS; } - #define FTP_PORT 21 -/*#define RNA_FTP_EXPECTED_ON_PORT 1 */ enum FTPState { @@ -91,7 +85,7 @@ struct ServiceFTPCode static int ftp_init(const IniServiceAPI* const init_api); static int ftp_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &ftp_validate, @@ -103,7 +97,7 @@ static RNAServiceElement svc_element = "ftp" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &ftp_validate, FTP_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -138,7 +132,7 @@ static int16_t ftp_data_app_id = 0; static int ftp_init(const IniServiceAPI* const init_api) { - ftp_data_app_id = AddProtocolReference("ftp-data"); + ftp_data_app_id = add_appid_protocol_reference("ftp-data"); init_api->RegisterPattern(&ftp_validate, IpProtocol::TCP, (uint8_t*)FTP_PATTERN1, sizeof(FTP_PATTERN1)-1, 0, "ftp"); @@ -776,8 +770,7 @@ static addr_family_map RFC2428_known_address_families[] = { 0, 0 } }; -static int ftp_validate_eprt(const uint8_t* data, uint16_t size, - sfip_t* address, uint16_t* port) +static int ftp_validate_eprt(const uint8_t* data, uint16_t size, sfip_t* address, uint16_t* port) { int index; int addrFamilySupported = 0; @@ -786,7 +779,7 @@ static int ftp_validate_eprt(const uint8_t* data, uint16_t size, uint32_t tmp; char tmp_str[INET6_ADDRSTRLEN+1]; - memset(address,0,sizeof(sfip_t)); + memset(address, 0, sizeof(sfip_t)); *port = 0; end = data + size; @@ -815,6 +808,7 @@ static int ftp_validate_eprt(const uint8_t* data, uint16_t size, } tmp_str[index] = '\0'; // make the copied portion be nul terminated. + // FIXIT-L recode logic above and this call to call sfip_pton instead... if (sfip_convert_ip_text_to_binary(addrFamilySupported, tmp_str, &address) != SFIP_SUCCESS) return -1; @@ -829,19 +823,19 @@ static int ftp_validate_eprt(const uint8_t* data, uint16_t size, return 0; } -static inline void WatchForCommandResult(ServiceFTPData* fd, AppIdSession* flowp, FTPCmd command) +static inline void WatchForCommandResult(ServiceFTPData* fd, AppIdSession* asd, FTPCmd command) { if (fd->state != FTP_STATE_MONITOR) { - flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE); fd->state = FTP_STATE_MONITOR; } fd->cmd = command; } -static inline void InitializeDataSession(AppIdSession* flowp,AppIdSession* fp) +static inline void InitializeDataSession(AppIdSession* asd, AppIdSession* fp) { - unsigned encryptedFlag = flowp->getAppIdFlag(APPID_SESSION_ENCRYPTED | + unsigned encryptedFlag = asd->get_session_flags(APPID_SESSION_ENCRYPTED | APPID_SESSION_DECRYPTED); if (encryptedFlag == APPID_SESSION_ENCRYPTED) { @@ -853,7 +847,7 @@ static inline void InitializeDataSession(AppIdSession* flowp,AppIdSession* fp) // zeroes. fp->serviceAppId = APP_ID_FTP_DATA; } - PopulateExpectedFlow(flowp, fp, APPID_SESSION_IGNORE_ID_FLAGS | encryptedFlag); + PopulateExpectedFlow(asd, fp, APPID_SESSION_IGNORE_ID_FLAGS | encryptedFlag); } static int ftp_validate(ServiceValidationArgs* args) @@ -871,7 +865,7 @@ static int ftp_validate(ServiceValidationArgs* args) uint16_t port; AppIdSession* fp; int retval = SERVICE_INPROCESS; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; @@ -884,19 +878,19 @@ static int ftp_validate(ServiceValidationArgs* args) //to direct traffic to SSL detector to extract payload from certs. This will require // manintaining //two detector states at the same time. - if (flowp->getAppIdFlag(APPID_SESSION_ENCRYPTED)) + if (asd->get_session_flags(APPID_SESSION_ENCRYPTED)) { - if (!flowp->getAppIdFlag(APPID_SESSION_DECRYPTED)) + if (!asd->get_session_flags(APPID_SESSION_DECRYPTED)) { goto inprocess; } } - fd = (ServiceFTPData*)ftp_service_mod.api->data_get(flowp, ftp_service_mod.flow_data_index); + fd = (ServiceFTPData*)ftp_service_mod.api->data_get(asd, ftp_service_mod.flow_data_index); if (!fd) { fd = (ServiceFTPData*)snort_calloc(sizeof(ServiceFTPData)); - ftp_service_mod.api->data_add(flowp, fd, ftp_service_mod.flow_data_index, &snort_free); + ftp_service_mod.api->data_add(asd, fd, ftp_service_mod.flow_data_index, &snort_free); fd->state = FTP_STATE_CONNECTION; fd->rstate = FTP_REPLY_BEGIN; fd->cmd = FTP_CMD_NONE; @@ -914,7 +908,7 @@ static int ftp_validate(ServiceValidationArgs* args) size-(sizeof(FTP_PORT_CMD)-1), &fd->address, &fd->port) == 0) { - WatchForCommandResult(fd, flowp, FTP_CMD_PORT_EPRT); + WatchForCommandResult(fd, asd, FTP_CMD_PORT_EPRT); } } else if (size > sizeof(FTP_EPRT_CMD)-1 && @@ -924,7 +918,7 @@ static int ftp_validate(ServiceValidationArgs* args) size-(sizeof(FTP_EPRT_CMD)-1), &fd->address, &fd->port) == 0) { - WatchForCommandResult(fd, flowp, FTP_CMD_PORT_EPRT); + WatchForCommandResult(fd, asd, FTP_CMD_PORT_EPRT); } } else if ( size > sizeof(FTP_PASV_CMD)-1 && @@ -932,7 +926,7 @@ static int ftp_validate(ServiceValidationArgs* args) strncasecmp((char*)data, FTP_EPSV_CMD, sizeof(FTP_EPSV_CMD)-1) == 0 ) ) { - WatchForCommandResult(fd, flowp, FTP_CMD_PASV_EPSV); + WatchForCommandResult(fd, asd, FTP_CMD_PASV_EPSV); } goto inprocess; } @@ -989,7 +983,7 @@ static int ftp_validate(ServiceValidationArgs* args) case 551: /*requested action aborted :page type unknown */ case 552: /*requested action aborted */ case 553: /*requested action not taken file name is not allowed */ - flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CONTINUE); fd->state = FTP_STATE_MONITOR; break; case 221: /*good bye */ @@ -1011,20 +1005,20 @@ static int ftp_validate(ServiceValidationArgs* args) fd->state = FTP_STATE_CONNECTION_ERROR; break; case 230: - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); fd->state = FTP_STATE_MONITOR; retval = SERVICE_SUCCESS; break; case 234: { - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); retval = SERVICE_SUCCESS; /* // we do not set the state to FTP_STATE_MONITOR here because we don't know // if there will be SSL decryption to allow us to see what we are interested in. // Let the WatchForCommandResult() usage elsewhere take care of it. */ - flowp->setAppIdFlag(APPID_SESSION_CONTINUE | APPID_SESSION_ENCRYPTED | + asd->set_session_flags(APPID_SESSION_CONTINUE | APPID_SESSION_ENCRYPTED | APPID_SESSION_STICKY_SERVICE); } break; @@ -1075,7 +1069,7 @@ static int ftp_validate(ServiceValidationArgs* args) break; case 202: case 230: - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); fd->state = FTP_STATE_MONITOR; retval = SERVICE_SUCCESS; default: @@ -1128,7 +1122,7 @@ static int ftp_validate(ServiceValidationArgs* args) { case 202: case 230: - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); fd->state = FTP_STATE_MONITOR; retval = SERVICE_SUCCESS; default: @@ -1191,19 +1185,19 @@ static int ftp_validate(ServiceValidationArgs* args) sip = pkt->ptrs.ip_api.get_src(); addr = htonl(address); sfip_set_raw(&ip, &addr, AF_INET); - fp = AppIdSession::create_future_session(pkt, dip, 0, &ip, port, flowp->protocol, ftp_data_app_id, + fp = AppIdSession::create_future_session(pkt, dip, 0, &ip, port, asd->protocol, ftp_data_app_id, APPID_EARLY_SESSION_FLAG_FW_RULE); if (fp) - InitializeDataSession(flowp,fp); + InitializeDataSession(asd,fp); if (!sfip_fast_eq6(&ip, sip)) { - fp = flowp->create_future_session(pkt, dip, 0, sip, port, flowp->protocol, ftp_data_app_id, + fp = asd->create_future_session(pkt, dip, 0, sip, port, asd->protocol, ftp_data_app_id, APPID_EARLY_SESSION_FLAG_FW_RULE); if (fp) - InitializeDataSession(flowp,fp); + InitializeDataSession(asd,fp); } - ftp_service_mod.api->add_payload(flowp, APP_ID_FTP_PASSIVE); + ftp_service_mod.api->add_payload(asd, APP_ID_FTP_PASSIVE); } else if (code < 0) goto fail; @@ -1221,12 +1215,12 @@ static int ftp_validate(ServiceValidationArgs* args) const sfip_t* dip; dip = pkt->ptrs.ip_api.get_dst(); sip = pkt->ptrs.ip_api.get_src(); - fp = flowp->create_future_session(pkt, dip, 0, sip, port, flowp->protocol, + fp = asd->create_future_session(pkt, dip, 0, sip, port, asd->protocol, ftp_data_app_id, APPID_EARLY_SESSION_FLAG_FW_RULE); if (fp) - InitializeDataSession(flowp,fp); - ftp_service_mod.api->add_payload(flowp, APP_ID_FTP_PASSIVE); + InitializeDataSession(asd,fp); + ftp_service_mod.api->add_payload(asd, APP_ID_FTP_PASSIVE); } else if (code < 0) goto fail; @@ -1237,11 +1231,11 @@ static int ftp_validate(ServiceValidationArgs* args) { const sfip_t* sip; sip = pkt->ptrs.ip_api.get_src(); - fp = flowp->create_future_session(pkt, sip, 0, &fd->address, fd->port, flowp->protocol, ftp_data_app_id, + fp = asd->create_future_session(pkt, sip, 0, &fd->address, fd->port, asd->protocol, ftp_data_app_id, APPID_EARLY_SESSION_FLAG_FW_RULE); if (fp) - InitializeDataSession(flowp,fp); - ftp_service_mod.api->add_payload(flowp, APP_ID_FTP_ACTIVE); // Active mode FTP + InitializeDataSession(asd,fp); + ftp_service_mod.api->add_payload(asd, APP_ID_FTP_ACTIVE); // Active mode FTP // is reported as a // payload id } @@ -1262,20 +1256,20 @@ static int ftp_validate(ServiceValidationArgs* args) default: case SERVICE_INPROCESS: inprocess: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - ftp_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + ftp_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); } return SERVICE_INPROCESS; case SERVICE_SUCCESS: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - uint64_t encryptedFlag = flowp->getAppIdFlag( + uint64_t encryptedFlag = asd->get_session_flags( APPID_SESSION_ENCRYPTED | APPID_SESSION_DECRYPTED); // FTPS only when encrypted==1 decrypted==0 - ftp_service_mod.api->add_service(flowp, pkt, dir, &svc_element, + ftp_service_mod.api->add_service(asd, pkt, dir, &svc_element, encryptedFlag == APPID_SESSION_ENCRYPTED ? APP_ID_FTPS : APP_ID_FTP_CONTROL, fd->vendor[0] ? fd->vendor : nullptr, @@ -1290,12 +1284,12 @@ inprocess: case SERVICE_NOMATCH: fail: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - ftp_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - ftp_service_mod.flow_data_index, args->pConfig); + ftp_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + ftp_service_mod.flow_data_index); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOMATCH; } } diff --git a/src/network_inspectors/appid/service_plugins/service_irc.cc b/src/network_inspectors/appid/service_plugins/service_irc.cc index b9db1704c..8183a852d 100644 --- a/src/network_inspectors/appid/service_plugins/service_irc.cc +++ b/src/network_inspectors/appid/service_plugins/service_irc.cc @@ -68,7 +68,7 @@ struct ServiceIRCData static int irc_init(const IniServiceAPI* const init_api); static int irc_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &irc_validate, @@ -80,7 +80,7 @@ static RNAServiceElement svc_element = "irc" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &irc_validate, 6667, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -123,7 +123,7 @@ static int irc_validate(ServiceValidationArgs* args) IRCState* state; unsigned* pos; const char** command; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; const int dir = args->dir; uint16_t size = args->size; @@ -131,11 +131,11 @@ static int irc_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - id = (ServiceIRCData*)irc_service_mod.api->data_get(flowp, irc_service_mod.flow_data_index); + id = (ServiceIRCData*)irc_service_mod.api->data_get(asd, irc_service_mod.flow_data_index); if (!id) { id = (ServiceIRCData*)snort_calloc(sizeof(ServiceIRCData)); - irc_service_mod.api->data_add(flowp, id, irc_service_mod.flow_data_index, &snort_free); + irc_service_mod.api->data_add(asd, id, irc_service_mod.flow_data_index, &snort_free); id->initiator_state = IRC_STATE_BEGIN; id->state = IRC_STATE_BEGIN; } @@ -315,11 +315,11 @@ static int irc_validate(ServiceValidationArgs* args) } } inprocess: - irc_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element); + irc_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element); return SERVICE_INPROCESS; success: - irc_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element, + irc_service_mod.api->add_service(asd, args->pkt, dir, &svc_element, APP_ID_IRCD, nullptr, nullptr, nullptr); appid_stats.irc_flows++; return SERVICE_SUCCESS; @@ -327,12 +327,12 @@ success: fail: if (dir == APP_ID_FROM_RESPONDER) { - irc_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element, - irc_service_mod.flow_data_index, args->pConfig); + irc_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element, + irc_service_mod.flow_data_index); } else { - irc_service_mod.api->incompatible_data(flowp, args->pkt, dir, &svc_element, + irc_service_mod.api->incompatible_data(asd, args->pkt, dir, &svc_element, irc_service_mod.flow_data_index, args->pConfig); } return SERVICE_NOMATCH; diff --git a/src/network_inspectors/appid/service_plugins/service_lpr.cc b/src/network_inspectors/appid/service_plugins/service_lpr.cc index ea92497b0..df424521a 100644 --- a/src/network_inspectors/appid/service_plugins/service_lpr.cc +++ b/src/network_inspectors/appid/service_plugins/service_lpr.cc @@ -65,7 +65,7 @@ struct ServiceLPRData static int lpr_init(const IniServiceAPI* const init_api); static int lpr_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &lpr_validate, @@ -77,7 +77,7 @@ static RNAServiceElement svc_element = "lpr" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &lpr_validate, 515, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -117,7 +117,7 @@ static int lpr_validate(ServiceValidationArgs* args) { ServiceLPRData* ld; int i; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; const int dir = args->dir; uint16_t size = args->size; @@ -125,11 +125,11 @@ static int lpr_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - ld = (ServiceLPRData*)lpr_service_mod.api->data_get(flowp, lpr_service_mod.flow_data_index); + ld = (ServiceLPRData*)lpr_service_mod.api->data_get(asd, lpr_service_mod.flow_data_index); if (!ld) { ld = (ServiceLPRData*)snort_calloc(sizeof(ServiceLPRData)); - lpr_service_mod.api->data_add(flowp, ld, lpr_service_mod.flow_data_index, &snort_free); + lpr_service_mod.api->data_add(asd, ld, lpr_service_mod.flow_data_index, &snort_free); ld->state = LPR_STATE_COMMAND; } @@ -242,22 +242,22 @@ static int lpr_validate(ServiceValidationArgs* args) goto bail; } inprocess: - lpr_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element); + lpr_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element); return SERVICE_INPROCESS; success: - lpr_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element, + lpr_service_mod.api->add_service(asd, args->pkt, dir, &svc_element, APP_ID_PRINTSRV, nullptr, nullptr, nullptr); appid_stats.lpr_flows++; return SERVICE_SUCCESS; fail: - lpr_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element, - lpr_service_mod.flow_data_index, args->pConfig); + lpr_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element, + lpr_service_mod.flow_data_index); return SERVICE_NOMATCH; bail: - lpr_service_mod.api->incompatible_data(flowp, args->pkt, dir, &svc_element, + lpr_service_mod.api->incompatible_data(asd, args->pkt, dir, &svc_element, lpr_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; } diff --git a/src/network_inspectors/appid/service_plugins/service_mdns.cc b/src/network_inspectors/appid/service_plugins/service_mdns.cc index 254afb8b5..82c2f8321 100644 --- a/src/network_inspectors/appid/service_plugins/service_mdns.cc +++ b/src/network_inspectors/appid/service_plugins/service_mdns.cc @@ -105,7 +105,7 @@ static void mdnsMatchListFind(const char* dataPtr, uint16_t index, const char** static void mdnsMatchListDestroy(); static void MDNS_clean(); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &MDNS_validate, @@ -117,7 +117,7 @@ static RNAServiceElement svc_element = "MDNS" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &MDNS_validate, 5353, IpProtocol::UDP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -246,7 +246,7 @@ static int ReferencePointer(const char* start_ptr, const char** resp_endptr, i 2. Calls the function which scans for pattern to identify the user 3. Calls the function which does the Username reporting along with the host MDNS User Analysis*/ -static int MDNSUserAnalyser(AppIdSession* flowp, const Packet* pkt, uint16_t size, const +static int MDNSUserAnalyser(AppIdSession* asd, const Packet* pkt, uint16_t size, const AppIdConfig* pConfig) { const char* query_val; @@ -312,7 +312,7 @@ static int MDNSUserAnalyser(AppIdSession* flowp, const Packet* pkt, uint16_t siz user_index++; } - mdns_service_mod.api->add_user(flowp, user_name, APP_ID_MDNS, 1); + mdns_service_mod.api->add_user(asd, user_name, APP_ID_MDNS, 1); break; } /* Find the length to Jump to the next response */ @@ -365,7 +365,7 @@ static int MDNSUserAnalyser(AppIdSession* flowp, const Packet* pkt, uint16_t siz memcpy(user_name, user_name_bkp + user_index, user_name_len - user_index); user_name[ user_name_len - user_index ] = '\0'; - mdns_service_mod.api->add_user(flowp, user_name, APP_ID_MDNS, 1); + mdns_service_mod.api->add_user(asd, user_name, APP_ID_MDNS, 1); return 1; } else @@ -393,16 +393,16 @@ static int MDNS_validate(ServiceValidationArgs* args) { ServiceMDNSData* fd; int ret_val; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; uint16_t size = args->size; - fd = (ServiceMDNSData*)mdns_service_mod.api->data_get(flowp, mdns_service_mod.flow_data_index); + fd = (ServiceMDNSData*)mdns_service_mod.api->data_get(asd, mdns_service_mod.flow_data_index); if (!fd) { fd = (ServiceMDNSData*)snort_calloc(sizeof(ServiceMDNSData)); - mdns_service_mod.api->data_add(flowp, fd, mdns_service_mod.flow_data_index, &snort_free); + mdns_service_mod.api->data_add(asd, fd, mdns_service_mod.flow_data_index, &snort_free); fd->state = MDNS_STATE_CONNECTION; } @@ -411,9 +411,9 @@ static int MDNS_validate(ServiceValidationArgs* args) ret_val = MDNS_validate_reply(data, size); if (ret_val == 1) { - if (pAppidActiveConfig->mod_config->mdns_user_reporting) + if (AppIdConfig::get_appid_config()->mod_config->mdns_user_reporting) { - MDNSUserAnalyser(flowp, pkt, size, args->pConfig); + MDNSUserAnalyser(asd, pkt, size, args->pConfig); mdnsMatchListDestroy(); goto success; } @@ -426,14 +426,14 @@ static int MDNS_validate(ServiceValidationArgs* args) goto fail; success: - mdns_service_mod.api->add_service(flowp, pkt, args->dir, &svc_element, + mdns_service_mod.api->add_service(asd, pkt, args->dir, &svc_element, APP_ID_MDNS, nullptr, nullptr, nullptr); appid_stats.mdns_flows++; return SERVICE_SUCCESS; fail: - mdns_service_mod.api->fail_service(flowp, pkt, args->dir, &svc_element, - mdns_service_mod.flow_data_index, args->pConfig); + mdns_service_mod.api->fail_service(asd, pkt, args->dir, &svc_element, + mdns_service_mod.flow_data_index); return SERVICE_NOMATCH; } @@ -462,14 +462,14 @@ static int mdnsMatcherCreate() (char*)patterns[i].pattern, patterns[i].length, &patterns[i]); pMdnsConfig->mdnsMatcher->prep(); - pAppidActiveConfig->add_generic_config_element(svc_element.name, pMdnsConfig); + AppIdConfig::get_appid_config()->add_generic_config_element(svc_element.name, pMdnsConfig); return 1; } static void mdnsMatcherDestroy() { MdnsConfig* pMdnsConfig = - (MdnsConfig*)pAppidActiveConfig->find_generic_config_element(svc_element.name); + (MdnsConfig*)AppIdConfig::get_appid_config()->find_generic_config_element(svc_element.name); MatchedPatterns* node; if (pMdnsConfig->mdnsMatcher) delete pMdnsConfig->mdnsMatcher; @@ -483,7 +483,7 @@ static void mdnsMatcherDestroy() snort_free(node); } snort_free(pMdnsConfig); - pAppidActiveConfig->remove_generic_config_element(svc_element.name); + AppIdConfig::get_appid_config()->remove_generic_config_element(svc_element.name); } static int mdns_pattern_match(void* id, void*, int index, void* data, void*) @@ -574,7 +574,7 @@ static void mdnsMatchListDestroy() MatchedPatterns* element; MdnsConfig* pMdnsConfig = - (MdnsConfig*)pAppidActiveConfig->find_generic_config_element(svc_element.name); + (MdnsConfig*)AppIdConfig::get_appid_config()->find_generic_config_element(svc_element.name); while (pMdnsConfig->patternList) { element = pMdnsConfig->patternList; diff --git a/src/network_inspectors/appid/service_plugins/service_mysql.cc b/src/network_inspectors/appid/service_plugins/service_mysql.cc index cc1e76d52..52a56a6c3 100644 --- a/src/network_inspectors/appid/service_plugins/service_mysql.cc +++ b/src/network_inspectors/appid/service_plugins/service_mysql.cc @@ -51,7 +51,7 @@ struct ServiceMYSQLHdr static int svc_mysql_init(const IniServiceAPI* const init_api); static int svc_mysql_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element +static const RNAServiceElement svc_element { nullptr, &svc_mysql_validate, @@ -63,7 +63,7 @@ static RNAServiceElement svc_element "mysql" }; -static RNAServiceValidationPort pp[] +static const RNAServiceValidationPort pp[] { { &svc_mysql_validate, 3306, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -105,7 +105,7 @@ static int svc_mysql_validate(ServiceValidationArgs* args) uint32_t len; const uint8_t* end; const uint8_t* p = nullptr; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; uint16_t size = args->size; if (!size) @@ -149,18 +149,18 @@ static int svc_mysql_validate(ServiceValidationArgs* args) data += 6; if (data >= end) goto fail; - mysql_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + mysql_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_MYSQL, nullptr, (char*)p, nullptr); appid_stats.mysql_flows++; return SERVICE_SUCCESS; inprocess: - mysql_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + mysql_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; fail: - mysql_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - mysql_service_mod.flow_data_index, args->pConfig); + mysql_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + mysql_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_netbios.cc b/src/network_inspectors/appid/service_plugins/service_netbios.cc index 4b657f39c..b02047758 100644 --- a/src/network_inspectors/appid/service_plugins/service_netbios.cc +++ b/src/network_inspectors/appid/service_plugins/service_netbios.cc @@ -287,7 +287,7 @@ static int nbns_validate(ServiceValidationArgs* args); static int nbss_validate(ServiceValidationArgs* args); static int nbdgm_validate(ServiceValidationArgs* args); -static RNAServiceElement nbns_svc_element +static const RNAServiceElement nbns_svc_element = { nullptr, &nbns_validate, @@ -298,7 +298,7 @@ static RNAServiceElement nbns_svc_element 0, "nbns" }; -static RNAServiceElement nbdgm_svc_element +static const RNAServiceElement nbdgm_svc_element = { nullptr, &nbdgm_validate, @@ -309,7 +309,7 @@ static RNAServiceElement nbdgm_svc_element 0, "nbdgm" }; -static RNAServiceElement nbss_svc_element +static const RNAServiceElement nbss_svc_element = { nullptr, &nbss_validate, @@ -321,7 +321,7 @@ static RNAServiceElement nbss_svc_element "nbss" }; -static RNAServiceValidationPort pp[] +static const RNAServiceValidationPort pp[] { { &nbns_validate, 137, IpProtocol::TCP, 0 }, { &nbns_validate, 137, IpProtocol::UDP, 0 }, @@ -522,7 +522,7 @@ static int nbns_validate(ServiceValidationArgs* args) const NBNSHeader* hdr; const uint8_t* begin; const uint8_t* end; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; const int dir = args->dir; uint16_t size = args->size; @@ -552,7 +552,7 @@ static int nbns_validate(ServiceValidationArgs* args) { if (dir == APP_ID_FROM_RESPONDER) { - if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED)) + if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) goto success; goto fail; } @@ -604,28 +604,27 @@ static int nbns_validate(ServiceValidationArgs* args) if (dir == APP_ID_FROM_INITIATOR) { - flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->set_session_flags(APPID_SESSION_UDP_REVERSED); goto inprocess; } success: - netbios_service_mod.api->add_service(flowp, args->pkt, dir, &nbns_svc_element, + netbios_service_mod.api->add_service(asd, args->pkt, dir, &nbns_svc_element, APP_ID_NETBIOS_NS, nullptr, nullptr, nullptr); appid_stats.netbios_ns_flows++; return SERVICE_SUCCESS; inprocess: - netbios_service_mod.api->service_inprocess(flowp, args->pkt, dir, &nbns_svc_element); + netbios_service_mod.api->service_inprocess(asd, args->pkt, dir, &nbns_svc_element); return SERVICE_INPROCESS; fail: - netbios_service_mod.api->fail_service(flowp, args->pkt, dir, &nbns_svc_element, - netbios_service_mod.flow_data_index, - args->pConfig); + netbios_service_mod.api->fail_service(asd, args->pkt, dir, &nbns_svc_element, + netbios_service_mod.flow_data_index); return SERVICE_NOMATCH; not_compatible: - netbios_service_mod.api->incompatible_data(flowp, args->pkt, dir, &nbns_svc_element, + netbios_service_mod.api->incompatible_data(asd, args->pkt, dir, &nbns_svc_element, netbios_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; @@ -687,7 +686,7 @@ static inline void smb_domain_skip_string(const uint8_t** data, uint16_t* size, } static inline void smb_find_domain(const uint8_t* data, uint16_t size, const int, - AppIdSession* flowp, const Packet* pkt) + AppIdSession* asd, const Packet* pkt) { const ServiceSMBHeader* smb; const ServiceSMBAndXResponse* resp; @@ -853,8 +852,8 @@ static inline void smb_find_domain(const uint8_t* data, uint16_t size, const int domain, smb->command, pkt->src_ip.s_addr, pkt->src_port, pkt->dst_ip.s_addr, pkt->dst_port); #endif - if (!flowp->netbios_domain) - flowp->netbios_domain = snort_strdup(domain); + if (!asd->netbios_domain) + asd->netbios_domain = snort_strdup(domain); } } @@ -865,7 +864,7 @@ static int nbss_validate(ServiceValidationArgs* args) const uint8_t* end; uint32_t tmp; int retval = -1; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; Packet* pkt = args->pkt; const uint8_t* data = args->data; const int dir = args->dir; @@ -876,12 +875,12 @@ static int nbss_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - nd = (ServiceNBSSData*)netbios_service_mod.api->data_get(flowp, + nd = (ServiceNBSSData*)netbios_service_mod.api->data_get(asd, netbios_service_mod.flow_data_index); if (!nd) { nd = (ServiceNBSSData*)snort_calloc(sizeof(ServiceNBSSData)); - netbios_service_mod.api->data_add(flowp, nd, + netbios_service_mod.api->data_add(asd, nd, netbios_service_mod.flow_data_index, &nbss_free_state); nd->state = NBSS_STATE_CONNECTION; nd->serviceAppId = APP_ID_NETBIOS_SSN; @@ -934,7 +933,7 @@ static int nbss_validate(ServiceValidationArgs* args) { smb_find_domain(data + sizeof(NB_SMB_BANNER), nd->length - sizeof(NB_SMB_BANNER), - dir, flowp, pkt); + dir, asd, pkt); } } else if (tmp >= 4 && nd->length >= 4 && @@ -996,7 +995,7 @@ static int nbss_validate(ServiceValidationArgs* args) } if (nd->length <= tmp) { - smb_find_domain(data + sizeof(NB_SMB_BANNER), nd->length, dir, flowp, pkt); + smb_find_domain(data + sizeof(NB_SMB_BANNER), nd->length, dir, asd, pkt); } } else if (tmp >= 4 && nd->length >= 4 && @@ -1058,29 +1057,29 @@ static int nbss_validate(ServiceValidationArgs* args) if (retval == -1) goto inprocess; - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - if (netbios_service_mod.api->add_service(flowp, pkt, dir, &nbss_svc_element, + if (netbios_service_mod.api->add_service(asd, pkt, dir, &nbss_svc_element, nd->serviceAppId, nullptr, nullptr, nullptr) == SERVICE_SUCCESS) { - netbios_service_mod.api->add_misc(flowp, nd->miscAppId); + netbios_service_mod.api->add_misc(asd, nd->miscAppId); } appid_stats.netbios_ssn_flows++; } return SERVICE_SUCCESS; inprocess: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - netbios_service_mod.api->service_inprocess(flowp, pkt, dir, &nbss_svc_element); + netbios_service_mod.api->service_inprocess(asd, pkt, dir, &nbss_svc_element); } return SERVICE_INPROCESS; fail: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - netbios_service_mod.api->fail_service(flowp, pkt, dir, &nbss_svc_element, - netbios_service_mod.flow_data_index, args->pConfig); + netbios_service_mod.api->fail_service(asd, pkt, dir, &nbss_svc_element, + netbios_service_mod.flow_data_index); } return SERVICE_NOMATCH; } @@ -1098,7 +1097,7 @@ static int nbdgm_validate(ServiceValidationArgs* args) uint32_t server_type; AppId serviceAppId = APP_ID_NETBIOS_DGM; AppId miscAppId = APP_ID_NONE; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; @@ -1148,7 +1147,7 @@ static int nbdgm_validate(ServiceValidationArgs* args) if (end-data >= (int)sizeof(NB_SMB_BANNER) && !memcmp(data, NB_SMB_BANNER, sizeof(NB_SMB_BANNER))) { - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { serviceAppId = APP_ID_NETBIOS_DGM; } @@ -1183,13 +1182,13 @@ static int nbdgm_validate(ServiceValidationArgs* args) goto not_mailslot; } server_type = LETOHL(&browser->server_type); - netbios_service_mod.api->analyzefp(flowp, browser->major, browser->minor, server_type); + netbios_service_mod.api->analyzefp(asd, browser->major, browser->minor, server_type); } not_mailslot: if (source_name[0]) - netbios_service_mod.api->add_host_info(flowp, SERVICE_HOST_INFO_NETBIOS_NAME, + netbios_service_mod.api->add_host_info(asd, SERVICE_HOST_INFO_NETBIOS_NAME, source_name); - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); goto success; case NBDGM_TYPE_ERROR: if (end-data < (int)sizeof(NBDgmError)) @@ -1209,24 +1208,23 @@ not_mailslot: } fail: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - netbios_service_mod.api->fail_service(flowp, pkt, dir, &nbdgm_svc_element, - netbios_service_mod.flow_data_index, - args->pConfig); + netbios_service_mod.api->fail_service(asd, pkt, dir, &nbdgm_svc_element, + netbios_service_mod.flow_data_index); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOMATCH; success: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { if (dir == APP_ID_FROM_RESPONDER) { - if (netbios_service_mod.api->add_service(flowp, pkt, dir, &nbdgm_svc_element, + if (netbios_service_mod.api->add_service(asd, pkt, dir, &nbdgm_svc_element, serviceAppId, nullptr, nullptr, nullptr) == SERVICE_SUCCESS) { - netbios_service_mod.api->add_misc(flowp, miscAppId); + netbios_service_mod.api->add_misc(asd, miscAppId); } appid_stats.netbios_dgm_flows++; } @@ -1234,9 +1232,9 @@ success: return SERVICE_SUCCESS; inprocess: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - netbios_service_mod.api->service_inprocess(flowp, pkt, dir, &nbdgm_svc_element); + netbios_service_mod.api->service_inprocess(asd, pkt, dir, &nbdgm_svc_element); } return SERVICE_INPROCESS; } diff --git a/src/network_inspectors/appid/service_plugins/service_nntp.cc b/src/network_inspectors/appid/service_plugins/service_nntp.cc index 87303333e..b28482567 100644 --- a/src/network_inspectors/appid/service_plugins/service_nntp.cc +++ b/src/network_inspectors/appid/service_plugins/service_nntp.cc @@ -65,7 +65,7 @@ struct ServiceNNTPCode static int nntp_init(const IniServiceAPI* const init_api); static int nntp_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &nntp_validate, @@ -77,7 +77,7 @@ static RNAServiceElement svc_element = "nntp" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &nntp_validate, NNTP_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -298,7 +298,7 @@ static int nntp_validate(ServiceValidationArgs* args) ServiceNNTPData* nd; uint16_t offset; int code; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -307,11 +307,11 @@ static int nntp_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - nd = (ServiceNNTPData*)nntp_service_mod.api->data_get(flowp, nntp_service_mod.flow_data_index); + nd = (ServiceNNTPData*)nntp_service_mod.api->data_get(asd, nntp_service_mod.flow_data_index); if (!nd) { nd = (ServiceNNTPData*)snort_calloc(sizeof(ServiceNNTPData)); - nntp_service_mod.api->data_add(flowp, nd, nntp_service_mod.flow_data_index, &snort_free); + nntp_service_mod.api->data_add(asd, nd, nntp_service_mod.flow_data_index, &snort_free); nd->state = NNTP_STATE_CONNECTION; } @@ -375,18 +375,18 @@ static int nntp_validate(ServiceValidationArgs* args) } inprocess: - nntp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + nntp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: - nntp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + nntp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_NNTP, nullptr, nullptr, nullptr); appid_stats.nntp_flows++; return SERVICE_SUCCESS; fail: - nntp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - nntp_service_mod.flow_data_index, args->pConfig); + nntp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + nntp_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_ntp.cc b/src/network_inspectors/appid/service_plugins/service_ntp.cc index ed20da310..ebfe60985 100644 --- a/src/network_inspectors/appid/service_plugins/service_ntp.cc +++ b/src/network_inspectors/appid/service_plugins/service_ntp.cc @@ -62,7 +62,7 @@ struct ServiceNTPOptional static int ntp_init(const IniServiceAPI* const init_api); static int ntp_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &ntp_validate, @@ -74,7 +74,7 @@ static RNAServiceElement svc_element = "ntp" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &ntp_validate, 123, IpProtocol::UDP, 0 }, { &ntp_validate, 123, IpProtocol::TCP, 0 }, @@ -116,7 +116,7 @@ static int ntp_validate(ServiceValidationArgs* args) const ServiceNTPHeader* nh; uint8_t ver; uint8_t mode; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -163,18 +163,18 @@ static int ntp_validate(ServiceValidationArgs* args) goto fail; } - ntp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + ntp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_NTP, nullptr, nullptr, nullptr); appid_stats.ntp_flows++; return SERVICE_SUCCESS; inprocess: - ntp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + ntp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; fail: - ntp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - ntp_service_mod.flow_data_index, args->pConfig); + ntp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + ntp_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_radius.cc b/src/network_inspectors/appid/service_plugins/service_radius.cc index 9b68b3dc8..f449f67b8 100644 --- a/src/network_inspectors/appid/service_plugins/service_radius.cc +++ b/src/network_inspectors/appid/service_plugins/service_radius.cc @@ -65,7 +65,7 @@ static int radius_init(const IniServiceAPI* const init_api); static int radius_validate(ServiceValidationArgs* args); static int radius_validate_accounting(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &radius_validate, @@ -77,7 +77,7 @@ static RNAServiceElement svc_element = "radius" }; -static RNAServiceElement acct_svc_element = +static const RNAServiceElement acct_svc_element = { nullptr, &radius_validate_accounting, @@ -89,7 +89,7 @@ static RNAServiceElement acct_svc_element = "radacct" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &radius_validate, 1812, IpProtocol::UDP, 0 }, { &radius_validate, 1812, IpProtocol::UDP, 1 }, @@ -135,7 +135,7 @@ static int radius_validate(ServiceValidationArgs* args) const RADIUSHeader* hdr = (const RADIUSHeader*)args->data; uint16_t len; int new_dir; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const int dir = args->dir; uint16_t size = args->size; @@ -144,12 +144,12 @@ static int radius_validate(ServiceValidationArgs* args) if (size < sizeof(RADIUSHeader)) goto fail; - rd = (ServiceRADIUSData*)radius_service_mod.api->data_get(flowp, + rd = (ServiceRADIUSData*)radius_service_mod.api->data_get(asd, radius_service_mod.flow_data_index); if (!rd) { rd = (ServiceRADIUSData*)snort_calloc(sizeof(ServiceRADIUSData)); - radius_service_mod.api->data_add(flowp, rd, radius_service_mod.flow_data_index, + radius_service_mod.api->data_add(asd, rd, radius_service_mod.flow_data_index, &snort_free); rd->state = RADIUS_STATE_REQUEST; } @@ -161,12 +161,12 @@ static int radius_validate(ServiceValidationArgs* args) hdr->code == RADIUS_CODE_ACCESS_REJECT || hdr->code == RADIUS_CODE_ACCESS_CHALLENGE) { - flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->set_session_flags(APPID_SESSION_UDP_REVERSED); rd->state = RADIUS_STATE_RESPONSE; new_dir = APP_ID_FROM_RESPONDER; } } - else if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED)) + else if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) { new_dir = (dir == APP_ID_FROM_RESPONDER) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; } @@ -218,23 +218,23 @@ static int radius_validate(ServiceValidationArgs* args) goto fail; } inprocess: - radius_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element); + radius_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element); return SERVICE_INPROCESS; success: - radius_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element, + radius_service_mod.api->add_service(asd, args->pkt, dir, &svc_element, APP_ID_RADIUS, nullptr, nullptr, nullptr); appid_stats.radius_flows++; return SERVICE_SUCCESS; not_compatible: - radius_service_mod.api->incompatible_data(flowp, args->pkt, dir, &svc_element, + radius_service_mod.api->incompatible_data(asd, args->pkt, dir, &svc_element, radius_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; fail: - radius_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element, - radius_service_mod.flow_data_index, args->pConfig); + radius_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element, + radius_service_mod.flow_data_index); return SERVICE_NOMATCH; } @@ -244,7 +244,7 @@ static int radius_validate_accounting(ServiceValidationArgs* args) const RADIUSHeader* hdr = (const RADIUSHeader*)args->data; uint16_t len; int new_dir; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const int dir = args->dir; uint16_t size = args->size; @@ -253,12 +253,12 @@ static int radius_validate_accounting(ServiceValidationArgs* args) if (size < sizeof(RADIUSHeader)) goto fail; - rd = (ServiceRADIUSData*)radius_service_mod.api->data_get(flowp, + rd = (ServiceRADIUSData*)radius_service_mod.api->data_get(asd, radius_service_mod.flow_data_index); if (!rd) { rd = (ServiceRADIUSData*)snort_calloc(sizeof(ServiceRADIUSData)); - radius_service_mod.api->data_add(flowp, rd, radius_service_mod.flow_data_index, + radius_service_mod.api->data_add(asd, rd, radius_service_mod.flow_data_index, &snort_free); rd->state = RADIUS_STATE_REQUEST; } @@ -268,12 +268,12 @@ static int radius_validate_accounting(ServiceValidationArgs* args) { if (hdr->code == RADIUS_CODE_ACCOUNTING_RESPONSE) { - flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->set_session_flags(APPID_SESSION_UDP_REVERSED); rd->state = RADIUS_STATE_RESPONSE; new_dir = APP_ID_FROM_RESPONDER; } } - else if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED)) + else if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) { new_dir = (dir == APP_ID_FROM_RESPONDER) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; } @@ -321,23 +321,23 @@ static int radius_validate_accounting(ServiceValidationArgs* args) goto fail; } inprocess: - radius_service_mod.api->service_inprocess(flowp, args->pkt, dir, &acct_svc_element); + radius_service_mod.api->service_inprocess(asd, args->pkt, dir, &acct_svc_element); return SERVICE_INPROCESS; success: - radius_service_mod.api->add_service(flowp, args->pkt, dir, &acct_svc_element, + radius_service_mod.api->add_service(asd, args->pkt, dir, &acct_svc_element, APP_ID_RADIUS_ACCT, nullptr, nullptr, nullptr); appid_stats.radius_flows++; return SERVICE_SUCCESS; not_compatible: - radius_service_mod.api->incompatible_data(flowp, args->pkt, dir, &acct_svc_element, + radius_service_mod.api->incompatible_data(asd, args->pkt, dir, &acct_svc_element, radius_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; fail: - radius_service_mod.api->fail_service(flowp, args->pkt, dir, &acct_svc_element, - radius_service_mod.flow_data_index, args->pConfig); + radius_service_mod.api->fail_service(asd, args->pkt, dir, &acct_svc_element, + radius_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_rexec.cc b/src/network_inspectors/appid/service_plugins/service_rexec.cc index 6fa2db0bc..952b9f842 100644 --- a/src/network_inspectors/appid/service_plugins/service_rexec.cc +++ b/src/network_inspectors/appid/service_plugins/service_rexec.cc @@ -30,7 +30,6 @@ #include "protocols/packet.h" #include "main/snort_debug.h" -#include "target_based/snort_protocols.h" #include "utils/util.h" #include "appid_api.h" @@ -40,6 +39,7 @@ #include "application_ids.h" #include "service_api.h" #include "service_base.h" +#include "service_util.h" #define REXEC_PORT 512 #define REXEC_MAX_PORT_PACKET 6 @@ -67,7 +67,7 @@ struct ServiceREXECData static int rexec_init(const IniServiceAPI* const init_api); static int rexec_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &rexec_validate, @@ -79,7 +79,7 @@ static RNAServiceElement svc_element = "rexec" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &rexec_validate, REXEC_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -108,7 +108,7 @@ static int rexec_init(const IniServiceAPI* const init_api) { unsigned i; - app_id = AddProtocolReference("rexec"); + app_id = add_appid_protocol_reference("rexec"); for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { @@ -145,21 +145,21 @@ static int rexec_validate(ServiceValidationArgs* args) int i; uint32_t port; AppIdSession* pf; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; uint16_t size = args->size; ServiceREXECData* rd = (ServiceREXECData*)rexec_service_mod.api->data_get( - flowp, rexec_service_mod.flow_data_index); + asd, rexec_service_mod.flow_data_index); if (!rd) { if (!size) goto inprocess; rd = (ServiceREXECData*)snort_calloc(sizeof(ServiceREXECData)); - rexec_service_mod.api->data_add(flowp, rd, + rexec_service_mod.api->data_add(asd, rd, rexec_service_mod.flow_data_index, &rexec_free_state); rd->state = REXEC_STATE_PORT; } @@ -212,7 +212,7 @@ static int rexec_validate(ServiceValidationArgs* args) rd->state = REXEC_STATE_SERVER_CONNECT; pf->rnaServiceState = RNA_STATE_STATEFUL; pf->scan_flags |= SCAN_HOST_PORT_FLAG; - PopulateExpectedFlow(flowp, pf, + PopulateExpectedFlow(asd, pf, APPID_SESSION_CONTINUE | APPID_SESSION_REXEC_STDERR | APPID_SESSION_NO_TPI | @@ -310,7 +310,7 @@ static int rexec_validate(ServiceValidationArgs* args) if (rd->parent && rd->parent->state == REXEC_STATE_SERVER_CONNECT) { rd->parent->state = REXEC_STATE_USERNAME; - flowp->clearAppIdFlag(APPID_SESSION_REXEC_STDERR); + asd->clear_session_flags(APPID_SESSION_REXEC_STDERR); } goto bail; default: @@ -318,39 +318,38 @@ static int rexec_validate(ServiceValidationArgs* args) } inprocess: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rexec_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + rexec_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); } return SERVICE_INPROCESS; success: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rexec_service_mod.api->add_service(flowp, pkt, dir, &svc_element, + rexec_service_mod.api->add_service(asd, pkt, dir, &svc_element, APP_ID_EXEC, nullptr, nullptr, nullptr); appid_stats.rexec_flows++; } return SERVICE_SUCCESS; bail: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rexec_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element, + rexec_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element, rexec_service_mod.flow_data_index, args->pConfig); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOT_COMPATIBLE; fail: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rexec_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - rexec_service_mod.flow_data_index, - args->pConfig); + rexec_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + rexec_service_mod.flow_data_index); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_rfb.cc b/src/network_inspectors/appid/service_plugins/service_rfb.cc index efb4c56d7..1ba4061a7 100644 --- a/src/network_inspectors/appid/service_plugins/service_rfb.cc +++ b/src/network_inspectors/appid/service_plugins/service_rfb.cc @@ -35,7 +35,7 @@ static int rfb_init(const IniServiceAPI* const init_api); static int rfb_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &rfb_validate, @@ -47,7 +47,7 @@ static RNAServiceElement svc_element = "rfb" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &rfb_validate, 5900, IpProtocol::TCP, 0 }, { &rfb_validate, 5901, IpProtocol::TCP, 0 }, @@ -99,7 +99,7 @@ static int rfb_validate(ServiceValidationArgs* args) unsigned i; char* v; const unsigned char* p; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -128,18 +128,18 @@ static int rfb_validate(ServiceValidationArgs* args) p++; } *v = 0; - rfb_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + rfb_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_VNC_RFB, nullptr, version, nullptr); appid_stats.rfb_flows++; return SERVICE_SUCCESS; inprocess: - rfb_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + rfb_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; fail: - rfb_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - rfb_service_mod.flow_data_index, args->pConfig); + rfb_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + rfb_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_rlogin.cc b/src/network_inspectors/appid/service_plugins/service_rlogin.cc index 9abded9be..b3e302ebf 100644 --- a/src/network_inspectors/appid/service_plugins/service_rlogin.cc +++ b/src/network_inspectors/appid/service_plugins/service_rlogin.cc @@ -47,7 +47,7 @@ struct ServiceRLOGINData static int rlogin_init(const IniServiceAPI* const init_api); static int rlogin_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &rlogin_validate, @@ -59,7 +59,7 @@ static RNAServiceElement svc_element = "rlogin" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &rlogin_validate, 513, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -98,7 +98,7 @@ static int rlogin_init(const IniServiceAPI* const init_api) static int rlogin_validate(ServiceValidationArgs* args) { ServiceRLOGINData* rd; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; Packet* pkt = args->pkt; const uint8_t* data = args->data; uint16_t size = args->size; @@ -108,12 +108,12 @@ static int rlogin_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - rd = (ServiceRLOGINData*)rlogin_service_mod.api->data_get(flowp, + rd = (ServiceRLOGINData*)rlogin_service_mod.api->data_get(asd, rlogin_service_mod.flow_data_index); if (!rd) { rd = (ServiceRLOGINData*)snort_calloc(sizeof(ServiceRLOGINData)); - rlogin_service_mod.api->data_add(flowp, rd, rlogin_service_mod.flow_data_index, + rlogin_service_mod.api->data_add(asd, rd, rlogin_service_mod.flow_data_index, &snort_free); rd->state = RLOGIN_STATE_HANDSHAKE; } @@ -160,18 +160,18 @@ static int rlogin_validate(ServiceValidationArgs* args) } inprocess: - rlogin_service_mod.api->service_inprocess(flowp, pkt, args->dir, &svc_element); + rlogin_service_mod.api->service_inprocess(asd, pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: - rlogin_service_mod.api->add_service(flowp, pkt, args->dir, &svc_element, + rlogin_service_mod.api->add_service(asd, pkt, args->dir, &svc_element, APP_ID_RLOGIN, nullptr, nullptr, nullptr); appid_stats.rlogin_flows++; return SERVICE_SUCCESS; fail: - rlogin_service_mod.api->fail_service(flowp, pkt, args->dir, &svc_element, - rlogin_service_mod.flow_data_index, args->pConfig); + rlogin_service_mod.api->fail_service(asd, pkt, args->dir, &svc_element, + rlogin_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_rpc.cc b/src/network_inspectors/appid/service_plugins/service_rpc.cc index 8e83b8496..d9f0af384 100644 --- a/src/network_inspectors/appid/service_plugins/service_rpc.cc +++ b/src/network_inspectors/appid/service_plugins/service_rpc.cc @@ -33,13 +33,13 @@ #include #endif +#include "application_ids.h" #include "service_api.h" #include "app_info_table.h" +#include "service_util.h" #include "log/messages.h" #include "main/snort_debug.h" -#include "application_ids.h" -#include "target_based/snort_protocols.h" #include "utils/util.h" #include "appid_module.h" @@ -108,7 +108,7 @@ struct ServiceRPCPortmap { uint32_t program; uint32_t version; - uint32_t proto; + IpProtocol proto; uint32_t port; }; @@ -152,7 +152,7 @@ struct ServiceRPCData uint32_t program; uint32_t procedure; uint32_t xid; - uint32_t proto; + IpProtocol proto; uint32_t tcpsize[APP_ID_APPID_SESSION_DIRECTION_MAX]; uint32_t tcpfragpos[APP_ID_APPID_SESSION_DIRECTION_MAX]; uint32_t tcpauthsize[APP_ID_APPID_SESSION_DIRECTION_MAX]; @@ -165,7 +165,7 @@ static int rpc_init(const IniServiceAPI* const init_api); static int rpc_validate(ServiceValidationArgs* args); static int rpc_tcp_validate(ServiceValidationArgs* args); -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &rpc_validate, @@ -176,7 +176,7 @@ static RNAServiceElement svc_element = 0, "rpc" }; -static RNAServiceElement tcp_svc_element = +static const RNAServiceElement tcp_svc_element = { nullptr, &rpc_tcp_validate, @@ -193,7 +193,7 @@ static RNAServiceElement tcp_svc_element = #define RPC_PORT_MOUNTD 4046 #define RPC_PORT_NLOCKMGR 4045 -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &rpc_validate, RPC_PORT_PORTMAPPER, IpProtocol::UDP, 0 }, { &rpc_validate, RPC_PORT_PORTMAPPER, IpProtocol::UDP, 1 }, @@ -246,7 +246,7 @@ static int rpc_init(const IniServiceAPI* const init_api) struct rpcent* rpc; RPCProgram* prog; - app_id = AddProtocolReference("sunrpc"); + app_id = add_appid_protocol_reference("sunrpc"); if (!rpc_programs) { @@ -296,9 +296,8 @@ static const RPCProgram* FindRPCProgram(uint32_t program) return rpc; } -static int validate_packet(const uint8_t* data, uint16_t size, int dir, - AppIdSession* flowp, Packet* pkt, ServiceRPCData* rd, - const char** pname, uint32_t* program) +static int validate_packet(const uint8_t* data, uint16_t size, int dir, AppIdSession* asd, + Packet* pkt, ServiceRPCData* rd, const char** pname, uint32_t* program) { const ServiceRPCCall* call; const ServiceRPCReply* reply; @@ -317,7 +316,7 @@ static int validate_packet(const uint8_t* data, uint16_t size, int dir, end = data + size; - if (flowp->protocol == IpProtocol::UDP) + if (asd->protocol == IpProtocol::UDP) { if (!rd->once) { @@ -327,12 +326,12 @@ static int validate_packet(const uint8_t* data, uint16_t size, int dir, rpc = (ServiceRPC*)data; if (ntohl(rpc->type) == RPC_TYPE_REPLY) { - flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->set_session_flags(APPID_SESSION_UDP_REVERSED); rd->state = RPC_STATE_REPLY; dir = APP_ID_FROM_RESPONDER; } } - else if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED)) + else if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) { dir = (dir == APP_ID_FROM_RESPONDER) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; } @@ -430,14 +429,13 @@ static int validate_packet(const uint8_t* data, uint16_t size, int dir, sip = pkt->ptrs.ip_api.get_src(); tmp = ntohl(pmr->port); pf = AppIdSession::create_future_session(pkt, dip, 0, sip, (uint16_t)tmp, - // FIXIT-H: Change rd->proto to be IpProtocol - (IpProtocol)ntohl(rd->proto), app_id, 0); + (IpProtocol)ntohl((uint32_t)rd->proto), app_id, 0); if (pf) { pf->add_flow_data_id((uint16_t)tmp, - flowp->protocol == IpProtocol::TCP ? &tcp_svc_element : &svc_element); + asd->protocol == IpProtocol::TCP ? &tcp_svc_element : &svc_element); pf->rnaServiceState = RNA_STATE_STATEFUL; - pf->setAppIdFlag(flowp->getAppIdFlag(APPID_SESSION_RESPONDER_MONITORED | + pf->set_session_flags(asd->get_session_flags(APPID_SESSION_RESPONDER_MONITORED | APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_RESPONDER_CHECKED | @@ -483,7 +481,7 @@ static int rpc_validate(ServiceValidationArgs* args) uint32_t program = 0; const char* pname = nullptr; int rval; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; @@ -495,39 +493,39 @@ static int rpc_validate(ServiceValidationArgs* args) goto done; } - rd = (ServiceRPCData*)rpc_service_mod.api->data_get(flowp, rpc_service_mod.flow_data_index); + rd = (ServiceRPCData*)rpc_service_mod.api->data_get(asd, rpc_service_mod.flow_data_index); if (!rd) { rd = (ServiceRPCData*)snort_calloc(sizeof(ServiceRPCData)); - rpc_service_mod.api->data_add(flowp, rd, rpc_service_mod.flow_data_index, &snort_free); + rpc_service_mod.api->data_add(asd, rd, rpc_service_mod.flow_data_index, &snort_free); rd->state = (dir == APP_ID_FROM_INITIATOR) ? RPC_STATE_CALL : RPC_STATE_REPLY; rd->xid = 0xFFFFFFFF; } #ifdef RNA_DEBUG_RPC fprintf(SF_DEBUG_FILE, "Begin %u -> %u %u %d state %d\n", pkt->src_port, pkt->dst_port, - flowp->proto, dir, rd->state); + asd->proto, dir, rd->state); #endif - rval = validate_packet(data, size, dir, flowp, pkt, rd, &pname, &program); + rval = validate_packet(data, size, dir, asd, pkt, rd, &pname, &program); #ifdef RNA_DEBUG_RPC fprintf(SF_DEBUG_FILE, "End %u -> %u %u %d state %d rval %d\n", pkt->src_port, pkt->dst_port, - flowp->proto, dir, rd->state, rval); + asd->proto, dir, rd->state, rval); #endif done: switch (rval) { case SERVICE_INPROCESS: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rpc_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + rpc_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); } return SERVICE_INPROCESS; case SERVICE_SUCCESS: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { if (pname && *pname) { @@ -544,31 +542,30 @@ done: } else subtype = nullptr; - rpc_service_mod.api->add_service(flowp, pkt, dir, &svc_element, - APP_ID_SUN_RPC, nullptr, nullptr, subtype); + rpc_service_mod.api->add_service(asd, pkt, dir, &svc_element, + APP_ID_SUN_RPC, nullptr, nullptr, subtype); appid_stats.rpc_flows++; } - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); return SERVICE_SUCCESS; case SERVICE_NOT_COMPATIBLE: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rpc_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element, + rpc_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element, rpc_service_mod.flow_data_index, args->pConfig); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOT_COMPATIBLE; case SERVICE_NOMATCH: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rpc_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - rpc_service_mod.flow_data_index, - args->pConfig); + rpc_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + rpc_service_mod.flow_data_index); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOMATCH; default: return rval; @@ -592,7 +589,7 @@ static int rpc_tcp_validate(ServiceValidationArgs* args) uint32_t program = 0; const char* pname = nullptr; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; @@ -601,11 +598,11 @@ static int rpc_tcp_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - rd = (ServiceRPCData*)rpc_service_mod.api->data_get(flowp, rpc_service_mod.flow_data_index); + rd = (ServiceRPCData*)rpc_service_mod.api->data_get(asd, rpc_service_mod.flow_data_index); if (!rd) { rd = (ServiceRPCData*)snort_calloc(sizeof(ServiceRPCData)); - rpc_service_mod.api->data_add(flowp, rd, rpc_service_mod.flow_data_index, &snort_free); + rpc_service_mod.api->data_add(asd, rd, rpc_service_mod.flow_data_index, &snort_free); rd->state = RPC_STATE_CALL; for (ret=0; rettcppos[dir] >= sizeof(ServiceRPCAuth)) { - // FIXIT-M: the typecast for all the rd->tcpdata[dir] refs in this function cause + // FIXIT-M the typecast for all the rd->tcpdata[dir] refs in this function cause // this warning: // dereferencing type-punned pointer will break strict-aliasing rules // investigate recoding to eliminate this and improve readability @@ -763,16 +760,15 @@ static int rpc_tcp_validate(ServiceValidationArgs* args) { #ifdef RNA_DEBUG_RPC fprintf(SF_DEBUG_FILE, "V Begin %u -> %u %u %d state %d\n", - pkt->src_port, pkt->dst_port, flowp->proto, dir, rd->state); + pkt->src_port, pkt->dst_port, asd->proto, dir, rd->state); #endif - ret = validate_packet(rd->tcpdata[dir], rd->tcppos[dir], dir, flowp, - pkt, - rd, &pname, &program); + ret = validate_packet(rd->tcpdata[dir], rd->tcppos[dir], dir, asd, + pkt, rd, &pname, &program); #ifdef RNA_DEBUG_RPC fprintf(SF_DEBUG_FILE, "V End %u -> %u %u %d state %d rval %d\n", - pkt->src_port, pkt->dst_port, flowp->proto, dir, rd->state, ret); + pkt->src_port, pkt->dst_port, asd->proto, dir, rd->state, ret); #endif if (retval == -1) @@ -841,15 +837,15 @@ static int rpc_tcp_validate(ServiceValidationArgs* args) { #ifdef RNA_DEBUG_RPC fprintf(SF_DEBUG_FILE, "P Begin %u -> %u %u %d state %d\n", pkt->src_port, - pkt->dst_port, flowp->proto, dir, rd->state); + pkt->dst_port, asd->proto, dir, rd->state); #endif - ret = validate_packet(rd->tcpdata[dir], rd->tcppos[dir], dir, flowp, pkt, + ret = validate_packet(rd->tcpdata[dir], rd->tcppos[dir], dir, asd, pkt, rd, &pname, &program); #ifdef RNA_DEBUG_RPC fprintf(SF_DEBUG_FILE, "P End %u -> %u %u %d state %d rval %d\n", - pkt->src_port, pkt->dst_port, flowp->proto, dir, rd->state, ret); + pkt->src_port, pkt->dst_port, asd->proto, dir, rd->state, ret); #endif if (retval == -1) @@ -867,7 +863,7 @@ static int rpc_tcp_validate(ServiceValidationArgs* args) goto fail; else { - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); goto done; } } @@ -889,14 +885,14 @@ done: { case SERVICE_INPROCESS: inprocess: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rpc_service_mod.api->service_inprocess(flowp, pkt, dir, &tcp_svc_element); + rpc_service_mod.api->service_inprocess(asd, pkt, dir, &tcp_svc_element); } return SERVICE_INPROCESS; case SERVICE_SUCCESS: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { if (pname && *pname) { @@ -913,39 +909,38 @@ inprocess: } else subtype = nullptr; - rpc_service_mod.api->add_service(flowp, pkt, dir, &tcp_svc_element, - APP_ID_SUN_RPC, nullptr, nullptr, subtype); + rpc_service_mod.api->add_service(asd, pkt, dir, &tcp_svc_element, + APP_ID_SUN_RPC, nullptr, nullptr, subtype); appid_stats.rpc_flows++; } - flowp->setAppIdFlag(APPID_SESSION_CONTINUE); + asd->set_session_flags(APPID_SESSION_CONTINUE); return SERVICE_SUCCESS; case SERVICE_NOT_COMPATIBLE: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rpc_service_mod.api->incompatible_data(flowp, pkt, dir, &tcp_svc_element, + rpc_service_mod.api->incompatible_data(asd, pkt, dir, &tcp_svc_element, rpc_service_mod.flow_data_index, args->pConfig); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOT_COMPATIBLE; case SERVICE_NOMATCH: fail: - if (!flowp->getAppIdFlag(APPID_SESSION_SERVICE_DETECTED)) + if (!asd->get_session_flags(APPID_SESSION_SERVICE_DETECTED)) { - rpc_service_mod.api->fail_service(flowp, pkt, dir, &tcp_svc_element, - rpc_service_mod.flow_data_index, - args->pConfig); + rpc_service_mod.api->fail_service(asd, pkt, dir, &tcp_svc_element, + rpc_service_mod.flow_data_index); } - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); return SERVICE_NOMATCH; default: return retval; } bail: - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); rd->tcpstate[APP_ID_FROM_INITIATOR] = RPC_TCP_STATE_DONE; rd->tcpstate[APP_ID_FROM_RESPONDER] = RPC_TCP_STATE_DONE; if (dir == APP_ID_FROM_INITIATOR) diff --git a/src/network_inspectors/appid/service_plugins/service_rshell.cc b/src/network_inspectors/appid/service_plugins/service_rshell.cc index 2ac18582b..b0a743338 100644 --- a/src/network_inspectors/appid/service_plugins/service_rshell.cc +++ b/src/network_inspectors/appid/service_plugins/service_rshell.cc @@ -24,12 +24,12 @@ #include "application_ids.h" #include "service_api.h" #include "service_base.h" +#include "service_util.h" #include "app_info_table.h" #include "appid_module.h" #include "log/messages.h" #include "main/snort_debug.h" -#include "target_based/snort_protocols.h" #include "utils/util.h" #define RSHELL_PORT 514 @@ -58,8 +58,7 @@ struct ServiceRSHELLData static int rshell_init(const IniServiceAPI* const init_api); static int rshell_validate(ServiceValidationArgs* args); -// FIXIT-L: Make the globals const or, if necessary, thread-local. -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &rshell_validate, @@ -71,7 +70,7 @@ static RNAServiceElement svc_element = "rshell" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &rshell_validate, RSHELL_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -100,7 +99,7 @@ static int rshell_init(const IniServiceAPI* const init_api) { unsigned i; - app_id = AddProtocolReference("rsh-error"); + app_id = add_appid_protocol_reference("rsh-error"); for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { @@ -139,28 +138,26 @@ static int rshell_validate(ServiceValidationArgs* args) int i; uint32_t port; AppIdSession* pf; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; uint16_t size = args->size; - bool app_id_debug_session_flag = args->app_id_debug_session_flag; - char* app_id_debug_session = args->app_id_debug_session; - rd = (ServiceRSHELLData*)rshell_service_mod.api->data_get(flowp, + rd = (ServiceRSHELLData*)rshell_service_mod.api->data_get(asd, rshell_service_mod.flow_data_index); if (!rd) { if (!size) goto inprocess; rd = (ServiceRSHELLData*)snort_calloc(sizeof(ServiceRSHELLData)); - rshell_service_mod.api->data_add(flowp, rd, + rshell_service_mod.api->data_add(asd, rd, rshell_service_mod.flow_data_index, &rshell_free_state); rd->state = RSHELL_STATE_PORT; } - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s rshell state %d\n", app_id_debug_session, rd->state); + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s rshell state %d\n", args->session_logging_id, rd->state); switch (rd->state) { @@ -191,7 +188,6 @@ static int rshell_validate(ServiceValidationArgs* args) tmp_rd->parent = rd; dip = pkt->ptrs.ip_api.get_dst(); sip = pkt->ptrs.ip_api.get_src(); - // FIXIT-M can flow_new return null? pf = AppIdSession::create_future_session(pkt, dip, 0, sip, (uint16_t)port, IpProtocol::TCP, app_id, APPID_EARLY_SESSION_FLAG_FW_RULE); if (pf) @@ -207,7 +203,7 @@ static int rshell_validate(ServiceValidationArgs* args) return SERVICE_ENOMEM; } pf->scan_flags |= SCAN_HOST_PORT_FLAG; - PopulateExpectedFlow(flowp, pf, + PopulateExpectedFlow(asd, pf, APPID_SESSION_NO_TPI | APPID_SESSION_IGNORE_HOST | APPID_SESSION_NOT_A_SERVICE | @@ -318,30 +314,30 @@ static int rshell_validate(ServiceValidationArgs* args) case RSHELL_STATE_STDERR_CONNECT_SYN_ACK: if (rd->parent && rd->parent->state == RSHELL_STATE_SERVER_CONNECT) rd->parent->state = RSHELL_STATE_USERNAME; - flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED); return SERVICE_SUCCESS; default: goto bail; } inprocess: - rshell_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + rshell_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); return SERVICE_INPROCESS; success: - rshell_service_mod.api->add_service(flowp, pkt, dir, &svc_element, + rshell_service_mod.api->add_service(asd, pkt, dir, &svc_element, APP_ID_SHELL, nullptr, nullptr, nullptr); appid_stats.rshell_flows++; return SERVICE_SUCCESS; bail: - rshell_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element, + rshell_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element, rshell_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; fail: - rshell_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - rshell_service_mod.flow_data_index, args->pConfig); + rshell_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + rshell_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_rshell.h b/src/network_inspectors/appid/service_plugins/service_rshell.h index a1ebe5b94..7364420b9 100644 --- a/src/network_inspectors/appid/service_plugins/service_rshell.h +++ b/src/network_inspectors/appid/service_plugins/service_rshell.h @@ -23,7 +23,6 @@ #define SERVICE_RSHELL_H struct RNAServiceValidationModule; -// FIXIT-L: Make the globals const or, if necessary, thread-local. extern RNAServiceValidationModule rshell_service_mod; #endif diff --git a/src/network_inspectors/appid/service_plugins/service_rsync.cc b/src/network_inspectors/appid/service_plugins/service_rsync.cc index ebeae0f3a..3cab8babb 100644 --- a/src/network_inspectors/appid/service_plugins/service_rsync.cc +++ b/src/network_inspectors/appid/service_plugins/service_rsync.cc @@ -48,8 +48,7 @@ struct ServiceRSYNCData static int rsync_init(const IniServiceAPI* const init_api); static int rsync_validate(ServiceValidationArgs* args); -// FIXIT-L: Make the globals const or, if necessary, thread-local. -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &rsync_validate, @@ -61,7 +60,7 @@ static RNAServiceElement svc_element = "rsync" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &rsync_validate, RSYNC_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -104,11 +103,9 @@ static int rsync_validate(ServiceValidationArgs* args) ServiceRSYNCData* rd; int i; - // FIXIT-L: Should this be an assert instead? - if (!args) - return SERVICE_NOMATCH; + assert(args); - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -117,12 +114,12 @@ static int rsync_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - rd = (ServiceRSYNCData*)rsync_service_mod.api->data_get(flowp, + rd = (ServiceRSYNCData*)rsync_service_mod.api->data_get(asd, rsync_service_mod.flow_data_index); if (!rd) { rd = (ServiceRSYNCData*)snort_calloc(sizeof(ServiceRSYNCData)); - rsync_service_mod.api->data_add(flowp, rd, rsync_service_mod.flow_data_index, &snort_free); + rsync_service_mod.api->data_add(asd, rd, rsync_service_mod.flow_data_index, &snort_free); rd->state = RSYNC_STATE_BANNER; } @@ -155,18 +152,18 @@ static int rsync_validate(ServiceValidationArgs* args) } inprocess: - rsync_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + rsync_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: - rsync_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + rsync_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_RSYNC, nullptr, nullptr, nullptr); appid_stats.rsync_flows++; return SERVICE_SUCCESS; fail: - rsync_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - rsync_service_mod.flow_data_index, args->pConfig); + rsync_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + rsync_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_rsync.h b/src/network_inspectors/appid/service_plugins/service_rsync.h index ee4103027..a185e49c8 100644 --- a/src/network_inspectors/appid/service_plugins/service_rsync.h +++ b/src/network_inspectors/appid/service_plugins/service_rsync.h @@ -24,7 +24,6 @@ #include "service_api.h" -// FIXIT-L: Make the globals const or, if necessary, thread-local. extern RNAServiceValidationModule rsync_service_mod; #endif diff --git a/src/network_inspectors/appid/service_plugins/service_rtmp.cc b/src/network_inspectors/appid/service_plugins/service_rtmp.cc index e91be8ff4..0c030ef89 100644 --- a/src/network_inspectors/appid/service_plugins/service_rtmp.cc +++ b/src/network_inspectors/appid/service_plugins/service_rtmp.cc @@ -83,8 +83,7 @@ struct ServiceRTMPData static int rtmp_init(const IniServiceAPI* const api); static int rtmp_validate(ServiceValidationArgs* args); -// FIXIT-L: Make the globals const or, if necessary, thread-local. -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &rtmp_validate, @@ -96,7 +95,7 @@ static RNAServiceElement svc_element = "rtmp" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &rtmp_validate, 1935, IpProtocol::TCP, 0 }, { &rtmp_validate, 1935, IpProtocol::UDP, 0 }, @@ -451,7 +450,7 @@ parse_rtmp_message_fail: static int rtmp_validate(ServiceValidationArgs* args) { ServiceRTMPData* ss; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; const int dir = args->dir; uint16_t size = args->size; @@ -459,11 +458,11 @@ static int rtmp_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - ss = (ServiceRTMPData*)rtmp_service_mod.api->data_get(flowp, rtmp_service_mod.flow_data_index); + ss = (ServiceRTMPData*)rtmp_service_mod.api->data_get(asd, rtmp_service_mod.flow_data_index); if (!ss) { ss = (ServiceRTMPData*)snort_calloc(sizeof(ServiceRTMPData)); - rtmp_service_mod.api->data_add(flowp, ss, rtmp_service_mod.flow_data_index, &rtmp_free); + rtmp_service_mod.api->data_add(asd, ss, rtmp_service_mod.flow_data_index, &rtmp_free); } /* Client -> Server */ @@ -655,33 +654,33 @@ static int rtmp_validate(ServiceValidationArgs* args) } /* Give up if it's taking us too long to figure out this thing. */ - if (flowp->session_packet_count >= pAppidActiveConfig->mod_config->rtmp_max_packets) + if (asd->session_packet_count >= AppIdConfig::get_appid_config()->mod_config->rtmp_max_packets) { goto fail; } inprocess: - rtmp_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element); + rtmp_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element); return SERVICE_INPROCESS; fail: snort_free(ss->swfUrl); snort_free(ss->pageUrl); ss->swfUrl = ss->pageUrl = nullptr; - rtmp_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element, - rtmp_service_mod.flow_data_index, args->pConfig); + rtmp_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element, + rtmp_service_mod.flow_data_index); return SERVICE_NOMATCH; success: if (ss->swfUrl != nullptr) { - if (!flowp->hsession) - flowp->hsession = (httpSession*)snort_calloc(sizeof(httpSession)); + if (!asd->hsession) + asd->hsession = (httpSession*)snort_calloc(sizeof(httpSession)); - if (flowp->hsession->url == nullptr) + if (asd->hsession->url == nullptr) { - flowp->hsession->url = ss->swfUrl; - flowp->scan_flags |= SCAN_HTTP_HOST_URL_FLAG; + asd->hsession->url = ss->swfUrl; + asd->scan_flags |= SCAN_HTTP_HOST_URL_FLAG; } else { @@ -691,17 +690,17 @@ success: } if (ss->pageUrl != nullptr) { - if (!flowp->hsession) - flowp->hsession = (httpSession*)snort_calloc(sizeof(httpSession)); + if (!asd->hsession) + asd->hsession = (httpSession*)snort_calloc(sizeof(httpSession)); - if (!pAppidActiveConfig->mod_config->referred_appId_disabled && - (flowp->hsession->referer == nullptr)) - flowp->hsession->referer = ss->pageUrl; + if (!AppIdConfig::get_appid_config()->mod_config->referred_appId_disabled && + (asd->hsession->referer == nullptr)) + asd->hsession->referer = ss->pageUrl; else snort_free(ss->pageUrl); ss->pageUrl = nullptr; } - rtmp_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element, + rtmp_service_mod.api->add_service(asd, args->pkt, dir, &svc_element, APP_ID_RTMP, nullptr, nullptr, nullptr); appid_stats.rtmp_flows++; return SERVICE_SUCCESS; diff --git a/src/network_inspectors/appid/service_plugins/service_rtmp.h b/src/network_inspectors/appid/service_plugins/service_rtmp.h index f2d00f14b..1790b0041 100644 --- a/src/network_inspectors/appid/service_plugins/service_rtmp.h +++ b/src/network_inspectors/appid/service_plugins/service_rtmp.h @@ -23,7 +23,6 @@ #define SERVICE_RTMP_H struct RNAServiceValidationModule; -// FIXIT-L: Make the globals const or, if necessary, thread-local. extern RNAServiceValidationModule rtmp_service_mod; #endif diff --git a/src/network_inspectors/appid/service_plugins/service_smtp.cc b/src/network_inspectors/appid/service_plugins/service_smtp.cc index 89aeddfc8..89bd835bf 100644 --- a/src/network_inspectors/appid/service_plugins/service_smtp.cc +++ b/src/network_inspectors/appid/service_plugins/service_smtp.cc @@ -62,8 +62,7 @@ struct ServiceSMTPCode static int smtp_init(const IniServiceAPI* const init_api); static int smtp_validate(ServiceValidationArgs* args); -// FIXIT-L: Make the globals const or, if necessary, thread-local. -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &smtp_validate, @@ -75,7 +74,7 @@ static RNAServiceElement svc_element = "smtp" }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &smtp_validate, 25, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } @@ -237,7 +236,7 @@ static int smtp_validate_reply(const uint8_t* data, uint16_t* offset, static int smtp_validate(ServiceValidationArgs* args) { ServiceSMTPData* fd; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; uint16_t offset; @@ -247,16 +246,16 @@ static int smtp_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - fd = (ServiceSMTPData*)smtp_service_mod.api->data_get(flowp, smtp_service_mod.flow_data_index); + fd = (ServiceSMTPData*)smtp_service_mod.api->data_get(asd, smtp_service_mod.flow_data_index); if (!fd) { fd = (ServiceSMTPData*)snort_calloc(sizeof(ServiceSMTPData)); - smtp_service_mod.api->data_add(flowp, fd, smtp_service_mod.flow_data_index, &snort_free); + smtp_service_mod.api->data_add(asd, fd, smtp_service_mod.flow_data_index, &snort_free); fd->state = SMTP_STATE_CONNECTION; } else { - if (flowp->getAppIdFlag(APPID_SESSION_ENCRYPTED) && fd->state == SMTP_STATE_TRANSFER) + if (asd->get_session_flags(APPID_SESSION_ENCRYPTED) && fd->state == SMTP_STATE_TRANSFER) { fd->state = SMTP_STATE_STARTTLS; } @@ -265,7 +264,7 @@ static int smtp_validate(ServiceValidationArgs* args) if (!fd->set_flags) { fd->set_flags = 1; - flowp->setAppIdFlag(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + asd->set_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); } offset = 0; @@ -316,7 +315,7 @@ static int smtp_validate(ServiceValidationArgs* args) if (fd->code == 220) goto success; /* STARTTLS failed. */ - flowp->clearAppIdFlag(APPID_SESSION_ENCRYPTED); // not encrypted after all + asd->clear_session_flags(APPID_SESSION_ENCRYPTED); // not encrypted after all fd->state = SMTP_STATE_HELO; // revert the state break; case SMTP_STATE_TRANSFER: @@ -328,11 +327,11 @@ static int smtp_validate(ServiceValidationArgs* args) } inprocess: - smtp_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + smtp_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: - smtp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + smtp_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, fd->state == SMTP_STATE_STARTTLS ? APP_ID_SMTPS : APP_ID_SMTP, nullptr, nullptr, nullptr); if (fd->state == SMTP_STATE_STARTTLS) @@ -343,8 +342,8 @@ success: return SERVICE_SUCCESS; fail: - smtp_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - smtp_service_mod.flow_data_index, args->pConfig); + smtp_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + smtp_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_smtp.h b/src/network_inspectors/appid/service_plugins/service_smtp.h index 4b9239f9e..2318aaef9 100644 --- a/src/network_inspectors/appid/service_plugins/service_smtp.h +++ b/src/network_inspectors/appid/service_plugins/service_smtp.h @@ -24,7 +24,6 @@ #include "detector_plugins/detector_api.h" -// FIXIT-L: Make the globals const or, if necessary, thread-local. extern RNAServiceValidationModule smtp_service_mod; #endif diff --git a/src/network_inspectors/appid/service_plugins/service_snmp.cc b/src/network_inspectors/appid/service_plugins/service_snmp.cc index 681162205..0920046c2 100644 --- a/src/network_inspectors/appid/service_plugins/service_snmp.cc +++ b/src/network_inspectors/appid/service_plugins/service_snmp.cc @@ -22,13 +22,13 @@ #include "service_snmp.h" #include "log/messages.h" -#include "target_based/snort_protocols.h" #include "utils/util.h" #include "appid_api.h" #include "appid_module.h" #include "app_info_table.h" #include "service_base.h" +#include "service_util.h" #include "application_ids.h" #define SNMP_PORT 161 @@ -88,8 +88,7 @@ struct ServiceSNMPHeader static int snmp_init(const IniServiceAPI* const init_api); static int snmp_validate(ServiceValidationArgs* args); -// FIXIT-L: Make the globals const or, if necessary, thread-local. -static RNAServiceElement svc_element = +static const RNAServiceElement svc_element = { nullptr, &snmp_validate, @@ -101,7 +100,7 @@ static RNAServiceElement svc_element = "snmp", }; -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &snmp_validate, SNMP_PORT, IpProtocol::TCP, 0 }, { &snmp_validate, SNMP_PORT, IpProtocol::UDP, 0 }, @@ -134,7 +133,7 @@ static int16_t app_id = 0; static int snmp_init(const IniServiceAPI* const init_api) { - app_id = AddProtocolReference("snmp"); + app_id = add_appid_protocol_reference("snmp"); init_api->RegisterPattern(&snmp_validate, IpProtocol::UDP, SNMP_PATTERN_2, sizeof(SNMP_PATTERN_2), 2, "snmp"); @@ -446,30 +445,28 @@ static int snmp_validate(ServiceValidationArgs* args) const sfip_t* dip; uint8_t version; const char* version_str = nullptr; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; uint16_t size = args->size; - bool app_id_debug_session_flag = args->app_id_debug_session_flag; - char* app_id_debug_session = args->app_id_debug_session; if (!size) goto inprocess; - sd = (ServiceSNMPData*)snmp_service_mod.api->data_get(flowp, snmp_service_mod.flow_data_index); + sd = (ServiceSNMPData*)snmp_service_mod.api->data_get(asd, snmp_service_mod.flow_data_index); if (!sd) { sd = (ServiceSNMPData*)snort_calloc(sizeof(ServiceSNMPData)); - snmp_service_mod.api->data_add(flowp, sd, snmp_service_mod.flow_data_index, &snort_free); + snmp_service_mod.api->data_add(asd, sd, snmp_service_mod.flow_data_index, &snort_free); sd->state = SNMP_STATE_CONNECTION; } if (snmp_verify_packet(&data, data+size, &pdu, &version)) { - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s snmp payload verify failed\n", app_id_debug_session); - if (flowp->getAppIdFlag(APPID_SESSION_UDP_REVERSED)) + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s snmp payload verify failed\n", args->session_logging_id); + if (asd->get_session_flags(APPID_SESSION_UDP_REVERSED)) { if (dir == APP_ID_FROM_RESPONDER) goto bail; @@ -485,8 +482,8 @@ static int snmp_validate(ServiceValidationArgs* args) } } - if (app_id_debug_session_flag) - LogMessage("AppIdDbg %s snmp state %d\n", app_id_debug_session, sd->state); + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s snmp state %d\n", args->session_logging_id, sd->state); switch (sd->state) { @@ -494,13 +491,13 @@ static int snmp_validate(ServiceValidationArgs* args) if (pdu != SNMP_PDU_GET_RESPONSE && dir == APP_ID_FROM_RESPONDER) { sd->state = SNMP_STATE_R_RESPONSE; - flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->set_session_flags(APPID_SESSION_UDP_REVERSED); break; } if (pdu == SNMP_PDU_GET_RESPONSE && dir == APP_ID_FROM_INITIATOR) { sd->state = SNMP_STATE_R_REQUEST; - flowp->setAppIdFlag(APPID_SESSION_UDP_REVERSED); + asd->set_session_flags(APPID_SESSION_UDP_REVERSED); break; } @@ -512,9 +509,9 @@ static int snmp_validate(ServiceValidationArgs* args) if (pdu == SNMP_PDU_TRAP || pdu == SNMP_PDU_TRAPV2) { - flowp->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE); - flowp->clearAppIdFlag(APPID_SESSION_CONTINUE); - flowp->serviceAppId = APP_ID_SNMP; + asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_NOT_A_SERVICE); + asd->clear_session_flags(APPID_SESSION_CONTINUE); + asd->serviceAppId = APP_ID_SNMP; break; } sd->state = SNMP_STATE_RESPONSE; @@ -522,7 +519,7 @@ static int snmp_validate(ServiceValidationArgs* args) /*adding expected connection in case the server doesn't send from 161*/ dip = pkt->ptrs.ip_api.get_dst(); sip = pkt->ptrs.ip_api.get_src(); - pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, flowp->protocol, app_id, 0); + pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, asd->protocol, app_id, 0); if (pf) { tmp_sd = (ServiceSNMPData*)snort_calloc(sizeof(ServiceSNMPData)); @@ -531,12 +528,12 @@ static int snmp_validate(ServiceValidationArgs* args) snmp_service_mod.flow_data_index, &snort_free); if (pf->add_flow_data_id(pkt->ptrs.dp, &svc_element)) { - pf->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); - pf->clearAppIdFlag(APPID_SESSION_CONTINUE); + pf->set_session_flags(APPID_SESSION_SERVICE_DETECTED); + pf->clear_session_flags(APPID_SESSION_CONTINUE); tmp_sd->state = SNMP_STATE_ERROR; return SERVICE_ENULL; } - PopulateExpectedFlow(flowp, pf, APPID_SESSION_EXPECTED_EVALUATE); + PopulateExpectedFlow(asd, pf, APPID_SESSION_EXPECTED_EVALUATE); pf->rnaServiceState = RNA_STATE_STATEFUL; pf->scan_flags |= SCAN_HOST_PORT_FLAG; pf->common.initiator_ip = *sip; @@ -590,7 +587,7 @@ static int snmp_validate(ServiceValidationArgs* args) } inprocess: - snmp_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + snmp_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); return SERVICE_INPROCESS; success: @@ -612,22 +609,21 @@ success: version_str = nullptr; break; } - snmp_service_mod.api->add_service(flowp, pkt, dir, &svc_element, + snmp_service_mod.api->add_service(asd, pkt, dir, &svc_element, APP_ID_SNMP, SNMP_VENDOR_STR, version_str, nullptr); appid_stats.snmp_flows++; return SERVICE_SUCCESS; bail: - snmp_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element, + snmp_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element, snmp_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; fail: - snmp_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - snmp_service_mod.flow_data_index, - args->pConfig); + snmp_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + snmp_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_snmp.h b/src/network_inspectors/appid/service_plugins/service_snmp.h index 5709119f3..0ce25a26f 100644 --- a/src/network_inspectors/appid/service_plugins/service_snmp.h +++ b/src/network_inspectors/appid/service_plugins/service_snmp.h @@ -26,7 +26,6 @@ #include "detector_plugins/detector_api.h" -// FIXIT-L: Make the globals const or, if necessary, thread-local. extern RNAServiceValidationModule snmp_service_mod; #endif diff --git a/src/network_inspectors/appid/service_plugins/service_ssh.cc b/src/network_inspectors/appid/service_plugins/service_ssh.cc index 2f0e2bb12..8e67314dd 100644 --- a/src/network_inspectors/appid/service_plugins/service_ssh.cc +++ b/src/network_inspectors/appid/service_plugins/service_ssh.cc @@ -142,15 +142,12 @@ static const RNAServiceElement svc_element = "ssh", }; -// FIXIT can this be const? That would require that RNAServiceValidationModule.pp be const which -// I don't know about. Otherwise we have a thread safety issue here. -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &ssh_validate, SSH_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } }; -// FIXIT maybe this can be const, else thread safety issue RNAServiceValidationModule ssh_service_mod = { "SSH", @@ -396,18 +393,18 @@ static int ssh_validate(ServiceValidationArgs* args) const char* end; unsigned len; int client_major; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; if (!size) goto inprocess; - ss = (ServiceSSHData*)ssh_service_mod.api->data_get(flowp, ssh_service_mod.flow_data_index); + ss = (ServiceSSHData*)ssh_service_mod.api->data_get(asd, ssh_service_mod.flow_data_index); if (!ss) { ss = (ServiceSSHData*)snort_calloc(sizeof(ServiceSSHData)); - ssh_service_mod.api->data_add(flowp, ss, + ssh_service_mod.api->data_add(asd, ss, ssh_service_mod.flow_data_index, &ssh_free_state); ss->state = SSH_STATE_BANNER; ss->hstate = SSH_HEADER_BEGIN; @@ -562,23 +559,23 @@ done: { case SERVICE_INPROCESS: inprocess: - ssh_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + ssh_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; case SERVICE_SUCCESS: - ssh_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + ssh_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_SSH, ss->vendor, ss->version, nullptr); appid_stats.ssh_flows++; return SERVICE_SUCCESS; case SERVICE_NOMATCH: fail: - ssh_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - ssh_service_mod.flow_data_index, args->pConfig); + ssh_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + ssh_service_mod.flow_data_index); return SERVICE_NOMATCH; not_compatible: - ssh_service_mod.api->incompatible_data(flowp, args->pkt, args->dir, &svc_element, + ssh_service_mod.api->incompatible_data(asd, args->pkt, args->dir, &svc_element, ssh_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; diff --git a/src/network_inspectors/appid/service_plugins/service_ssh.h b/src/network_inspectors/appid/service_plugins/service_ssh.h index 194f9ef1e..01a78cc22 100644 --- a/src/network_inspectors/appid/service_plugins/service_ssh.h +++ b/src/network_inspectors/appid/service_plugins/service_ssh.h @@ -24,7 +24,6 @@ #include "detector_plugins/detector_api.h" -// FIXIT-L: Make the globals const or, if necessary, thread-local. extern RNAServiceValidationModule ssh_service_mod; #endif diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc index 5122170c9..a178c4699 100644 --- a/src/network_inspectors/appid/service_plugins/service_ssl.cc +++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc @@ -636,7 +636,7 @@ static int ssl_validate(ServiceValidationArgs* args) const ServiceSSLV3Record* rec; const ServiceSSLV3CertsRecord* certs_rec; uint16_t ver; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; const int dir = args->dir; uint16_t size = args->size; @@ -644,11 +644,11 @@ static int ssl_validate(ServiceValidationArgs* args) if (!size) goto inprocess; - ss = (ServiceSSLData*)ssl_service_mod.api->data_get(flowp, ssl_service_mod.flow_data_index); + ss = (ServiceSSLData*)ssl_service_mod.api->data_get(asd, ssl_service_mod.flow_data_index); if (!ss) { ss = (ServiceSSLData*)snort_calloc(sizeof(ServiceSSLData)); - ssl_service_mod.api->data_add(flowp, ss, ssl_service_mod.flow_data_index, &ssl_free); + ssl_service_mod.api->data_add(asd, ss, ssl_service_mod.flow_data_index, &ssl_free); ss->state = SSL_STATE_INITIATE; } /* Start off with a Client Hello from client to server. */ @@ -872,7 +872,7 @@ not_v2:; } inprocess: - ssl_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element); + ssl_service_mod.api->service_inprocess(asd, args->pkt, dir, &svc_element); return SERVICE_INPROCESS; fail: @@ -882,8 +882,8 @@ fail: snort_free(ss->org_name); ss->certs_data = nullptr; ss->host_name = ss->common_name = ss->org_name = nullptr; - ssl_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element, - ssl_service_mod.flow_data_index, args->pConfig); + ssl_service_mod.api->fail_service(asd, args->pkt, dir, &svc_element, + ssl_service_mod.flow_data_index); return SERVICE_NOMATCH; success: @@ -894,54 +894,54 @@ success: goto fail; } } - flowp->setAppIdFlag(APPID_SESSION_SSL_SESSION); + asd->set_session_flags(APPID_SESSION_SSL_SESSION); if (ss->host_name || ss->common_name || ss->org_name) { - if (!flowp->tsession) - flowp->tsession = (tlsSession*)snort_calloc(sizeof(tlsSession)); + if (!asd->tsession) + asd->tsession = (tlsSession*)snort_calloc(sizeof(tlsSession)); /* TLS Host */ if (ss->host_name) { - if (flowp->tsession->tls_host) - snort_free(flowp->tsession->tls_host); - flowp->tsession->tls_host = ss->host_name; - flowp->tsession->tls_host_strlen = ss->host_name_strlen; - flowp->scan_flags |= SCAN_SSL_HOST_FLAG; + if (asd->tsession->tls_host) + snort_free(asd->tsession->tls_host); + asd->tsession->tls_host = ss->host_name; + asd->tsession->tls_host_strlen = ss->host_name_strlen; + asd->scan_flags |= SCAN_SSL_HOST_FLAG; } else if (ss->common_name) { // use common name (from server) if we didn't see host name (from client) char* common_name = snort_strdup(ss->common_name); - if (flowp->tsession->tls_host) - snort_free(flowp->tsession->tls_host); - flowp->tsession->tls_host = common_name; - flowp->tsession->tls_host_strlen = ss->common_name_strlen; - flowp->scan_flags |= SCAN_SSL_HOST_FLAG; + if (asd->tsession->tls_host) + snort_free(asd->tsession->tls_host); + asd->tsession->tls_host = common_name; + asd->tsession->tls_host_strlen = ss->common_name_strlen; + asd->scan_flags |= SCAN_SSL_HOST_FLAG; } /* TLS Common Name */ if (ss->common_name) { - if (flowp->tsession->tls_cname) - snort_free(flowp->tsession->tls_cname); - flowp->tsession->tls_cname = ss->common_name; - flowp->tsession->tls_cname_strlen = ss->common_name_strlen; + if (asd->tsession->tls_cname) + snort_free(asd->tsession->tls_cname); + asd->tsession->tls_cname = ss->common_name; + asd->tsession->tls_cname_strlen = ss->common_name_strlen; } /* TLS Org Unit */ if (ss->org_name) { - if (flowp->tsession->tls_orgUnit) - snort_free(flowp->tsession->tls_orgUnit); - flowp->tsession->tls_orgUnit = ss->org_name; - flowp->tsession->tls_orgUnit_strlen = ss->org_name_strlen; + if (asd->tsession->tls_orgUnit) + snort_free(asd->tsession->tls_orgUnit); + asd->tsession->tls_orgUnit = ss->org_name; + asd->tsession->tls_orgUnit_strlen = ss->org_name_strlen; } ss->host_name = ss->common_name = ss->org_name = nullptr; } - ssl_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element, + ssl_service_mod.api->add_service(asd, args->pkt, dir, &svc_element, getSslServiceAppId(args->pkt->ptrs.sp), nullptr, nullptr, nullptr); appid_stats.ssl_flows++; return SERVICE_SUCCESS; @@ -1152,7 +1152,7 @@ bool setSSLSquelch(Packet* p, int type, AppId appId) const sfip_t* dip; AppIdSession* f; - if (!appInfoEntryFlagGet(appId, APPINFO_FLAG_SSL_SQUELCH)) + if (!AppInfoManager::get_instance().get_app_info_flags(appId, APPINFO_FLAG_SSL_SQUELCH)) return false; dip = p->ptrs.ip_api.get_dst(); diff --git a/src/network_inspectors/appid/service_plugins/service_telnet.cc b/src/network_inspectors/appid/service_plugins/service_telnet.cc index 9dd0f4197..acc0455d9 100644 --- a/src/network_inspectors/appid/service_plugins/service_telnet.cc +++ b/src/network_inspectors/appid/service_plugins/service_telnet.cc @@ -83,15 +83,13 @@ static const RNAServiceElement svc_element = "telnet", }; -// FIXIT thread safety, can this be const? -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &telnet_validate, 23, IpProtocol::TCP, 0 }, { &telnet_validate, 23, IpProtocol::UDP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } }; -// FIXIT thread safety, can this be const? RNAServiceValidationModule telnet_service_mod = { "TELNET", @@ -125,7 +123,7 @@ static int telnet_validate(ServiceValidationArgs* args) { ServiceTelnetData* td; const uint8_t* end; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -134,12 +132,12 @@ static int telnet_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - td = (ServiceTelnetData*)telnet_service_mod.api->data_get(flowp, + td = (ServiceTelnetData*)telnet_service_mod.api->data_get(asd, telnet_service_mod.flow_data_index); if (!td) { td = (ServiceTelnetData*)snort_calloc(sizeof(ServiceTelnetData)); - telnet_service_mod.api->data_add(flowp, td, telnet_service_mod.flow_data_index, + telnet_service_mod.api->data_add(asd, td, telnet_service_mod.flow_data_index, &snort_free); } @@ -170,18 +168,18 @@ static int telnet_validate(ServiceValidationArgs* args) } } inprocess: - telnet_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + telnet_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: - telnet_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + telnet_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_TELNET, nullptr, nullptr, nullptr); appid_stats.telnet_flows++; return SERVICE_SUCCESS; fail: - telnet_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - telnet_service_mod.flow_data_index, args->pConfig); + telnet_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + telnet_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_tftp.cc b/src/network_inspectors/appid/service_plugins/service_tftp.cc index 893d1f78c..04ef1e867 100644 --- a/src/network_inspectors/appid/service_plugins/service_tftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_tftp.cc @@ -38,6 +38,7 @@ #include "application_ids.h" #include "service_api.h" #include "service_base.h" +#include "service_util.h" #define TFTP_PORT 69 @@ -90,14 +91,12 @@ static const RNAServiceElement svc_element = "tftp", }; -// FIXIT thread safety, can this be const? -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &tftp_validate, 69, IpProtocol::UDP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } }; -// FIXIT thread safety, can this be const? RNAServiceValidationModule tftp_service_mod = { "TFTP", @@ -119,7 +118,8 @@ static int16_t app_id = 0; static int tftp_init(const IniServiceAPI* const init_api) { - app_id = AddProtocolReference("tftp"); + app_id = add_appid_protocol_reference("tftp"); + for (unsigned i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++) { DebugFormat(DEBUG_LOG,"registering appId: %d\n",appIdRegistry[i].appId); @@ -171,25 +171,24 @@ static int tftp_validate(ServiceValidationArgs* args) AppIdSession* pf; const sfip_t* sip; const sfip_t* dip; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; Packet* pkt = args->pkt; const int dir = args->dir; uint16_t size = args->size; - char* app_id_debug_session = args->app_id_debug_session; if (!size) goto inprocess; - td = (ServiceTFTPData*)tftp_service_mod.api->data_get(flowp, tftp_service_mod.flow_data_index); + td = (ServiceTFTPData*)tftp_service_mod.api->data_get(asd, tftp_service_mod.flow_data_index); if (!td) { td = (ServiceTFTPData*)snort_calloc(sizeof(ServiceTFTPData)); - tftp_service_mod.api->data_add(flowp, td, tftp_service_mod.flow_data_index, &snort_free); + tftp_service_mod.api->data_add(asd, td, tftp_service_mod.flow_data_index, &snort_free); td->state = TFTP_STATE_CONNECTION; } - if (args->app_id_debug_session_flag) - LogMessage("AppIdDbg %s tftp state %d\n", app_id_debug_session, td->state); + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s tftp state %d\n", args->session_logging_id, td->state); if (td->state == TFTP_STATE_CONNECTION && dir == APP_ID_FROM_RESPONDER) goto fail; @@ -230,7 +229,7 @@ static int tftp_validate(ServiceValidationArgs* args) tmp_td->state = TFTP_STATE_TRANSFER; dip = pkt->ptrs.ip_api.get_dst(); sip = pkt->ptrs.ip_api.get_src(); - pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, flowp->protocol, app_id, + pf = AppIdSession::create_future_session(pkt, dip, 0, sip, pkt->ptrs.sp, asd->protocol, app_id, APPID_EARLY_SESSION_FLAG_FW_RULE); if (pf) { @@ -238,12 +237,12 @@ static int tftp_validate(ServiceValidationArgs* args) tftp_service_mod.flow_data_index, &snort_free); if (pf->add_flow_data_id(pkt->ptrs.dp, &svc_element)) { - pf->setAppIdFlag(APPID_SESSION_SERVICE_DETECTED); - pf->clearAppIdFlag(APPID_SESSION_CONTINUE); + pf->set_session_flags(APPID_SESSION_SERVICE_DETECTED); + pf->clear_session_flags(APPID_SESSION_CONTINUE); tmp_td->state = TFTP_STATE_ERROR; return SERVICE_ENOMEM; } - PopulateExpectedFlow(flowp, pf, APPID_SESSION_EXPECTED_EVALUATE); + PopulateExpectedFlow(asd, pf, APPID_SESSION_EXPECTED_EVALUATE); pf->common.initiator_ip = *sip; pf->rnaServiceState = RNA_STATE_STATEFUL; pf->scan_flags |= SCAN_HOST_PORT_FLAG; @@ -258,12 +257,12 @@ static int tftp_validate(ServiceValidationArgs* args) case TFTP_STATE_TRANSFER: if ((mode=tftp_verify_header(data, size, &block)) < 0) { - if (args->app_id_debug_session_flag) - LogMessage("AppIdDbg %s tftp failed to verify\n", app_id_debug_session); + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s tftp failed to verify\n", args->session_logging_id); goto fail; } - if (args->app_id_debug_session_flag) - LogMessage("AppIdDbg %s tftp mode %d and block %u\n", app_id_debug_session, + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s tftp mode %d and block %u\n", args->session_logging_id, mode, (unsigned)block); if (mode == TFTP_STATE_ACK) { @@ -301,13 +300,13 @@ static int tftp_validate(ServiceValidationArgs* args) goto fail; else { - if (args->app_id_debug_session_flag) - LogMessage("AppIdDbg %s tftp failed to verify\n", app_id_debug_session); + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s tftp failed to verify\n", args->session_logging_id); goto bail; } } - if (args->app_id_debug_session_flag) - LogMessage("AppIdDbg %s tftp mode %d\n", app_id_debug_session, mode); + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s tftp mode %d\n", args->session_logging_id, mode); if (mode == TFTP_STATE_ERROR) { td->state = TFTP_STATE_TRANSFER; @@ -315,8 +314,8 @@ static int tftp_validate(ServiceValidationArgs* args) } if (dir == APP_ID_FROM_INITIATOR && mode != TFTP_STATE_DATA) { - if (args->app_id_debug_session_flag) - LogMessage("AppIdDbg %s tftp bad mode\n", app_id_debug_session); + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s tftp bad mode\n", args->session_logging_id); goto bail; } if (dir == APP_ID_FROM_RESPONDER && mode != TFTP_STATE_ACK) @@ -360,25 +359,25 @@ static int tftp_validate(ServiceValidationArgs* args) } inprocess: - tftp_service_mod.api->service_inprocess(flowp, pkt, dir, &svc_element); + tftp_service_mod.api->service_inprocess(asd, pkt, dir, &svc_element); return SERVICE_INPROCESS; success: - if (args->app_id_debug_session_flag) - LogMessage("AppIdDbg %s tftp success\n", app_id_debug_session); - tftp_service_mod.api->add_service(flowp, pkt, dir, &svc_element, + if (args->session_logging_enabled) + LogMessage("AppIdDbg %s tftp success\n", args->session_logging_id); + tftp_service_mod.api->add_service(asd, pkt, dir, &svc_element, APP_ID_TFTP, nullptr, nullptr, nullptr); appid_stats.tftp_flows++; return SERVICE_SUCCESS; bail: - tftp_service_mod.api->incompatible_data(flowp, pkt, dir, &svc_element, + tftp_service_mod.api->incompatible_data(asd, pkt, dir, &svc_element, tftp_service_mod.flow_data_index, args->pConfig); return SERVICE_NOT_COMPATIBLE; fail: - tftp_service_mod.api->fail_service(flowp, pkt, dir, &svc_element, - tftp_service_mod.flow_data_index, args->pConfig); + tftp_service_mod.api->fail_service(asd, pkt, dir, &svc_element, + tftp_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_timbuktu.cc b/src/network_inspectors/appid/service_plugins/service_timbuktu.cc index 7717b015f..5e6e1a526 100644 --- a/src/network_inspectors/appid/service_plugins/service_timbuktu.cc +++ b/src/network_inspectors/appid/service_plugins/service_timbuktu.cc @@ -73,14 +73,12 @@ static const RNAServiceElement svc_element = "timbuktu" }; -// FIXIT thread safety, can this be const? -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &timbuktu_validate, TIMBUKTU_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } }; -// FIXIT thread safety, can this be const? SO_PUBLIC RNAServiceValidationModule timbuktu_service_mod = { svc_name, @@ -116,7 +114,7 @@ static int timbuktu_init(const IniServiceAPI* const init_api) static int timbuktu_validate(ServiceValidationArgs* args) { ServiceTIMBUKTUData* ss; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; uint16_t offset=0; @@ -126,12 +124,12 @@ static int timbuktu_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - ss = (ServiceTIMBUKTUData*)timbuktu_service_mod.api->data_get(flowp, + ss = (ServiceTIMBUKTUData*)timbuktu_service_mod.api->data_get(asd, timbuktu_service_mod.flow_data_index); if (!ss) { ss = (ServiceTIMBUKTUData*)snort_calloc(sizeof(ServiceTIMBUKTUData)); - timbuktu_service_mod.api->data_add(flowp, ss, + timbuktu_service_mod.api->data_add(asd, ss, timbuktu_service_mod.flow_data_index, &snort_free); ss->state = TIMBUKTU_STATE_BANNER; } @@ -184,19 +182,18 @@ static int timbuktu_validate(ServiceValidationArgs* args) } inprocess: - timbuktu_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + timbuktu_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: - timbuktu_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, + timbuktu_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_TIMBUKTU, nullptr, nullptr, nullptr); appid_stats.timbuktu_flows++; return SERVICE_SUCCESS; fail: - timbuktu_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - timbuktu_service_mod.flow_data_index, - args->pConfig); + timbuktu_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + timbuktu_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_tns.cc b/src/network_inspectors/appid/service_plugins/service_tns.cc index 75243a3f5..3f0874ded 100644 --- a/src/network_inspectors/appid/service_plugins/service_tns.cc +++ b/src/network_inspectors/appid/service_plugins/service_tns.cc @@ -102,14 +102,12 @@ static const RNAServiceElement svc_element = "tns" }; -// FIXIT thread safety, can this be const? -static RNAServiceValidationPort pp[] = +static const RNAServiceValidationPort pp[] = { { &tns_validate, TNS_PORT, IpProtocol::TCP, 0 }, { nullptr, 0, IpProtocol::PROTO_NOT_SET, 0 } }; -// FIXIT thread safety, can this be const? SO_PUBLIC RNAServiceValidationModule tns_service_mod = { svc_name, @@ -145,7 +143,7 @@ static int tns_validate(ServiceValidationArgs* args) { ServiceTNSData* ss; uint16_t offset; - AppIdSession* flowp = args->flowp; + AppIdSession* asd = args->asd; const uint8_t* data = args->data; uint16_t size = args->size; @@ -154,11 +152,11 @@ static int tns_validate(ServiceValidationArgs* args) if (args->dir != APP_ID_FROM_RESPONDER) goto inprocess; - ss = (ServiceTNSData*)tns_service_mod.api->data_get(flowp, tns_service_mod.flow_data_index); + ss = (ServiceTNSData*)tns_service_mod.api->data_get(asd, tns_service_mod.flow_data_index); if (!ss) { ss = (ServiceTNSData*)snort_calloc(sizeof(ServiceTNSData)); - tns_service_mod.api->data_add(flowp, ss, tns_service_mod.flow_data_index, &snort_free); + tns_service_mod.api->data_add(asd, ss, tns_service_mod.flow_data_index, &snort_free); ss->state = TNS_STATE_MESSAGE_LEN; } @@ -302,18 +300,18 @@ static int tns_validate(ServiceValidationArgs* args) } inprocess: - tns_service_mod.api->service_inprocess(flowp, args->pkt, args->dir, &svc_element); + tns_service_mod.api->service_inprocess(asd, args->pkt, args->dir, &svc_element); return SERVICE_INPROCESS; success: - tns_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, APP_ID_ORACLE_TNS, + tns_service_mod.api->add_service(asd, args->pkt, args->dir, &svc_element, APP_ID_ORACLE_TNS, nullptr, ss->version ? ss->version : nullptr, nullptr); appid_stats.tns_flows++; return SERVICE_SUCCESS; fail: - tns_service_mod.api->fail_service(flowp, args->pkt, args->dir, &svc_element, - tns_service_mod.flow_data_index, args->pConfig); + tns_service_mod.api->fail_service(asd, args->pkt, args->dir, &svc_element, + tns_service_mod.flow_data_index); return SERVICE_NOMATCH; } diff --git a/src/network_inspectors/appid/service_plugins/service_util.h b/src/network_inspectors/appid/service_plugins/service_util.h index c99cbd2f1..33d21b6bd 100644 --- a/src/network_inspectors/appid/service_plugins/service_util.h +++ b/src/network_inspectors/appid/service_plugins/service_util.h @@ -24,6 +24,9 @@ #include #include +#include + +#include "target_based/snort_protocols.h" inline const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_len, const uint8_t* needle, unsigned needle_len) @@ -40,4 +43,14 @@ inline const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_ return nullptr; } +inline int16_t add_appid_protocol_reference(const char* protocol) +{ + static std::mutex apr_mutex; + + apr_mutex.lock(); + int16_t id = AddProtocolReference(protocol); + apr_mutex.unlock(); + return id; +} + #endif diff --git a/src/network_inspectors/appid/service_plugins/test/service_rsync_test.cc b/src/network_inspectors/appid/service_plugins/test/service_rsync_test.cc index f94bca47c..963c9f6a6 100644 --- a/src/network_inspectors/appid/service_plugins/test/service_rsync_test.cc +++ b/src/network_inspectors/appid/service_plugins/test/service_rsync_test.cc @@ -50,7 +50,7 @@ int fake_data_add(AppIdSession*, void* data, unsigned, AppIdFreeFCN) return -1; } -int fake_fail_service(AppIdSession*, const Packet*, int, const RNAServiceElement*, unsigned, const AppIdConfig*) +int fake_fail_service(AppIdSession*, const Packet*, int, const RNAServiceElement*, unsigned) { mock().actualCall("fail_service"); return -1; @@ -99,11 +99,6 @@ TEST_GROUP(service_rsync) } }; -TEST(service_rsync, rsync_validate_null_args) -{ - LONGS_EQUAL(SERVICE_NOMATCH, rsync_validate(nullptr)); -} - TEST(service_rsync, rsync_validate_zero_size) { ServiceValidationArgs args; diff --git a/src/network_inspectors/appid/service_state.cc b/src/network_inspectors/appid/service_state.cc index 6ea30ca2d..6c73e944b 100644 --- a/src/network_inspectors/appid/service_state.cc +++ b/src/network_inspectors/appid/service_state.cc @@ -25,8 +25,9 @@ #include "log/messages.h" #include "service_plugins/service_base.h" #include "sfip/sf_ip.h" +#include "utils/util.h" -/*#define DEBUG_SERVICE_STATE 1*/ +//#define DEBUG_SERVICE_STATE 1 static THREAD_LOCAL SFXHASH* serviceStateCache4; static THREAD_LOCAL SFXHASH* serviceStateCache6; @@ -36,10 +37,11 @@ static THREAD_LOCAL SFXHASH* serviceStateCache6; static int AppIdServiceStateFree(void*, void* data) { AppIdServiceIDState* id_state = (AppIdServiceIDState*)data; - if (id_state->serviceList) + + if (id_state->service_list) { - AppIdFreeServiceMatchList(id_state->serviceList); - id_state->serviceList = nullptr; + AppIdFreeServiceMatchList(id_state->service_list); + id_state->service_list = nullptr; } return 0; @@ -48,26 +50,16 @@ static int AppIdServiceStateFree(void*, void* data) int init_service_state(unsigned long memcap) { serviceStateCache4 = sfxhash_new(SERVICE_STATE_CACHE_ROWS, - sizeof(AppIdServiceStateKey4), - sizeof(AppIdServiceIDState), - memcap >> 1, - 1, - &AppIdServiceStateFree, - &AppIdServiceStateFree, - 1); + sizeof(AppIdServiceStateKey4), sizeof(AppIdServiceIDState), memcap >> 1, 1, + &AppIdServiceStateFree, &AppIdServiceStateFree, 1); if (!serviceStateCache4) { ErrorMessage("Failed to allocate a hash table"); return -1; } serviceStateCache6 = sfxhash_new(SERVICE_STATE_CACHE_ROWS, - sizeof(AppIdServiceStateKey6), - sizeof(AppIdServiceIDState), - memcap >> 1, - 1, - &AppIdServiceStateFree, - &AppIdServiceStateFree, - 1); + sizeof(AppIdServiceStateKey6), sizeof(AppIdServiceIDState), memcap >> 1, 1, + &AppIdServiceStateFree, &AppIdServiceStateFree, 1); if (!serviceStateCache6) { ErrorMessage("Failed to allocate a hash table"); @@ -83,6 +75,7 @@ void clean_service_state(void) sfxhash_delete(serviceStateCache4); serviceStateCache4 = nullptr; } + if (serviceStateCache6) { sfxhash_delete(serviceStateCache6); @@ -90,8 +83,7 @@ void clean_service_state(void) } } -#ifdef APPID_UNUSED_CODE -static void AppIdRemoveServiceIDState(const sfip_t* ip, IpProtocol proto, uint16_t port, uint32_t level) +void remove_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port, uint32_t level) { AppIdServiceStateKey k; SFXHASH* cache; @@ -118,18 +110,18 @@ static void AppIdRemoveServiceIDState(const sfip_t* ip, IpProtocol proto, uint16 ipstr[0] = 0; sfip_ntop(ip, ipstr, sizeof(ipstr)); - ErrorMessage("Failed to remove from hash: %s:%u:%u\n",ipstr, (unsigned)proto, + ErrorMessage("Failed to remove from hash: %s:%u:%u\n", ipstr, (unsigned)proto, (unsigned)port); } } -#endif -AppIdServiceIDState* AppIdGetServiceIDState(const sfip_t* ip, IpProtocol proto, - uint16_t port, uint32_t level) +AppIdServiceIDState* get_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port, + uint32_t level) { - AppIdServiceStateKey k; SFXHASH* cache; - AppIdServiceIDState* ss; + AppIdServiceStateKey k; + char ipstr[INET6_ADDRSTRLEN]; // FIXIT-M ASAN reports mem leak on ServiceMatch* objects if this is not defined + // which makes no sense, need to investigate further if (sfip_family(ip) == AF_INET6) { @@ -147,15 +139,15 @@ AppIdServiceIDState* AppIdGetServiceIDState(const sfip_t* ip, IpProtocol proto, k.key4.level = level; cache = serviceStateCache4; } - ss = (AppIdServiceIDState*)sfxhash_find(cache, &k); + AppIdServiceIDState* ss = (AppIdServiceIDState*)sfxhash_find(cache, &k); #ifdef DEBUG_SERVICE_STATE - char ipstr[INET6_ADDRSTRLEN]; - ipstr[0] = 0; sfip_ntop(ip, ipstr, sizeof(ipstr)); - LogMessage("ServiceState: Read from hash: %s:%u:%u:%u %p %u %p\n",ipstr, (unsigned)proto, - (unsigned)port, level, ss, ss ? ss->state : 0, ss ? ss->svc : nullptr); + DebugFormat(DEBUG_APPID, "ServiceState: Read from hash: %s:%u:%u:%u %p %u %p\n", ipstr, (unsigned)proto, + (unsigned)port, level, (void*)ss, ss ? ss->state : 0, ss ? (void*)ss->svc : nullptr); +#else + UNUSED(ipstr); #endif if (ss && ss->svc && !ss->svc->ref_count) @@ -167,14 +159,12 @@ AppIdServiceIDState* AppIdGetServiceIDState(const sfip_t* ip, IpProtocol proto, return ss; } -AppIdServiceIDState* AppIdAddServiceIDState(const sfip_t* ip, IpProtocol proto, uint16_t port, - uint32_t - level) +AppIdServiceIDState* add_service_id_state(const sfip_t* ip, IpProtocol proto, uint16_t port, + uint32_t level) { AppIdServiceStateKey k; AppIdServiceIDState* ss; SFXHASH* cache; - char ipstr[INET6_ADDRSTRLEN]; if (sfip_family(ip) == AF_INET6) { @@ -192,26 +182,30 @@ AppIdServiceIDState* AppIdAddServiceIDState(const sfip_t* ip, IpProtocol proto, k.key4.level = level; cache = serviceStateCache4; } -#ifdef DEBUG_SERVICE_STATE - ipstr[0] = 0; - sfip_ntop(ip, ipstr, sizeof(ipstr)); -#endif + if ((sfxhash_add_return_data_ptr(cache, &k, (void**)&ss) < 0) || !ss) { - ipstr[0] = 0; + char ipstr[INET6_ADDRSTRLEN]; + sfip_ntop(ip, ipstr, sizeof(ipstr)); - ErrorMessage("ServiceState: Failed to add to hash: %s:%u:%u:%u\n",ipstr, (unsigned)proto, + ErrorMessage("ServiceState: Failed to add to hash: %s:%u:%u:%u\n", ipstr, (unsigned)proto, (unsigned)port, level); return nullptr; } + #ifdef DEBUG_SERVICE_STATE - LogMessage("ServiceState: Added to hash: %s:%u:%u:%u %p\n",ipstr, (unsigned)proto, - (unsigned)port, level, ss); + char ipstr[INET6_ADDRSTRLEN]; + + ipstr[0] = 0; + sfip_ntop(ip, ipstr, sizeof(ipstr)); + DebugFormat(DEBUG_APPID, "ServiceState: Added to hash: %s:%u:%u:%u %p\n", ipstr, (unsigned)proto, + (unsigned)port, level, (void*)ss); #endif + return ss; } -void AppIdServiceStateDumpStats(void) +void dump_service_state_stats(void) { LogMessage("Service State:\n"); if (serviceStateCache4) diff --git a/src/network_inspectors/appid/service_state.h b/src/network_inspectors/appid/service_state.h index cfbb57b25..6b8832af8 100644 --- a/src/network_inspectors/appid/service_state.h +++ b/src/network_inspectors/appid/service_state.h @@ -96,8 +96,8 @@ struct AppIdServiceIDState * matching, but has the disadvantage of making one flow match dependent on first instance of the * same flow. */ - ServiceMatch* serviceList; - ServiceMatch* currenService; + ServiceMatch* service_list; + ServiceMatch* current_service; /** Is this entry currently being used in an active session? */ bool searching; @@ -127,9 +127,9 @@ union AppIdServiceStateKey int init_service_state(unsigned long memcap); void clean_service_state(); -void AppIdRemoveServiceIDState(sfip_t*, IpProtocol proto, uint16_t port, uint32_t level); -AppIdServiceIDState* AppIdGetServiceIDState( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level); -AppIdServiceIDState* AppIdAddServiceIDState( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level); -void AppIdServiceStateDumpStats(); +void remove_service_id_state(const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level); +AppIdServiceIDState* get_service_id_state( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level); +AppIdServiceIDState* add_service_id_state( const sfip_t*, IpProtocol proto, uint16_t port, uint32_t level); +void dump_service_state_stats(); #endif diff --git a/src/network_inspectors/appid/test/CMakeLists.txt b/src/network_inspectors/appid/test/CMakeLists.txt deleted file mode 100644 index 7a294db6d..000000000 --- a/src/network_inspectors/appid/test/CMakeLists.txt +++ /dev/null @@ -1,9 +0,0 @@ -set ( - APPID_LIBS - appid -) - -add_cpputest(appid_simple_test appid) -#add_cpputest(host_cache_module_test host_tracker ${HOST_TRACKER_MODULE_LIBS} hash) -#add_cpputest(host_tracker_module_test host_tracker ${HOST_TRACKER_MODULE_LIBS}) -#add_cpputest(host_tracker_test host_tracker) diff --git a/src/network_inspectors/appid/test/Makefile.am b/src/network_inspectors/appid/test/Makefile.am deleted file mode 100644 index 8447f7943..000000000 --- a/src/network_inspectors/appid/test/Makefile.am +++ /dev/null @@ -1,121 +0,0 @@ - -AM_CPPFLAGS+=-I$(top_srcdir)/src/network_inspectors/appid -AM_DEFAULT_SOURCE_EXT = .cc - -check_PROGRAMS = \ -appid_simple_test \ -process_http_test - -TESTS = $(check_PROGRAMS) - -lib_list = \ -../../../network_inspectors/arp_spoof/libarp_spoof.a \ -../../../network_inspectors/packet_capture/libpacket_capture.a \ -../../../service_inspectors/back_orifice/libback_orifice.a \ -../../../service_inspectors/dce_rpc/libdce_rpc.a \ -../../../service_inspectors/dnp3/libdnp3.a \ -../../../service_inspectors/dns/libdns.a \ -../../../service_inspectors/ftp_telnet/libftp_telnet.a \ -../../../service_inspectors/gtp/libgtp_inspect.a \ -../../../service_inspectors/modbus/libmodbus.a \ -../../../service_inspectors/http_inspect/libhttp_inspect.a \ -../../../service_inspectors/rpc_decode/librpc_decode.a \ -../../../service_inspectors/sip/libsip.a \ -../../../service_inspectors/ssh/libssh.a \ -../../../service_inspectors/wizard/libwizard.a - -if STATIC_CODECS -codec_list = \ -../../../codecs/root/libroot_codecs.a \ -../../../codecs/link/liblink_codecs.a -endif - - -test_list = ../../../catch/libcatch_tests.a - -if ENABLE_PIGLET -pig_list = \ -piglet/libpiglet.a \ -piglet_plugins/libpiglet_plugins.a -endif - -# order libs to avoid undefined symbols -# from gnu linker -snort_LIBS = \ -$(test_list) \ -../../../managers/libmanagers.a \ -../../../loggers/libloggers.a \ -../../../codecs/libcodecs.a \ -../../../codecs/ip/libip_codecs.a \ -../../../codecs/misc/libmisc_codecs.a \ -$(codec_list) \ -../../../network_inspectors/libnetwork_inspectors.a \ -../../../network_inspectors/binder/libbinder.a \ -../../../network_inspectors/normalize/libnormalize.a \ -../../../network_inspectors/perf_monitor/libperf_monitor.a \ -../../../network_inspectors/reputation/libreputation.a \ -../../../network_inspectors/appid/libappid.a \ -../../../network_inspectors/appid/client_plugins/libclient_plugins.a \ -../../../network_inspectors/appid/detector_plugins/libdetector_plugins.a \ -../../../network_inspectors/appid/service_plugins/libservice_plugins.a \ -../../../network_inspectors/appid/util/libappidutil.a \ -../../../service_inspectors/libservice_inspectors.a \ -$(lib_list) \ -../../../service_inspectors/imap/libimap.a \ -../../../service_inspectors/pop/libpop.a \ -../../../service_inspectors/smtp/libsmtp.a \ -../../../service_inspectors/ssl/libssl.a \ -../../../network_inspectors/port_scan/libport_scan.a \ -../../../stream/libstream.a \ -../../../stream/base/libstream_base.a \ -../../../stream/ip/libstream_ip.a \ -../../../stream/icmp/libstream_icmp.a \ -../../../stream/tcp/libstream_tcp.a \ -../../../stream/libtcp/libstream_libtcp.a \ -../../../stream/udp/libstream_udp.a \ -../../../stream/user/libstream_user.a \ -../../../stream/file/libstream_file.a \ -../../../stream/libstream_paf.a \ -../../../file_api/libfile_api.a \ -../../../mime/libmime.a \ -../../../service_inspectors/http_inspect/libhttp_inspect.a \ -$(pig_list) \ -../../../ips_options/libips_options.a \ -../../../search_engines/libsearch_engines.a \ -../../../target_based/libtarget_based.a \ -../../../main/libmain.a \ -../../../codecs/libcodec_module.a \ -../../../memory/libmemory.a \ -../../../host_tracker/libhost_tracker.a \ -../../../parser/libparser.a \ -../../../flow/libflow.a \ -../../../control/libcontrol.a \ -../../../filters/libfilter.a \ -../../../detection/libdetection.a \ -../../../framework/libframework.a \ -../../../time/libtime.a \ -../../../latency/liblatency.a \ -../../../profiler/libprofiler.a \ -../../../actions/libips_actions.a \ -../../../events/libevents.a \ -../../../hash/libhash.a \ -../../../log/liblog.a \ -../../../packet_io/libpacket_io.a \ -../../../helpers/libhelpers.a \ -../../../lua/liblua.a \ -../../../decompress/libdecompress.a \ -../../../sfip/libsfip.a \ -../../../sfrt/libsfrt.a \ -../../../protocols/libprotocols.a \ -../../../connectors/libconnectors.a \ -../../../connectors/file_connector/libfile_connector.a \ -../../../side_channel/libside_channel.a \ -../../../ports/libports.a \ -../../../utils/libutils.a - -appid_simple_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@ -appid_simple_test_LDADD = ${snort_LIBS} @CPPUTEST_LDFLAGS@ -process_http_test_CPPFLAGS = $(AM_CPPFLAGS) @CPPUTEST_CPPFLAGS@ -process_http_test_LDADD = ${snort_LIBS} @CPPUTEST_LDFLAGS@ - - diff --git a/src/network_inspectors/appid/test/appid_simple_test.cc b/src/network_inspectors/appid/test/appid_simple_test.cc deleted file mode 100644 index 64097d1da..000000000 --- a/src/network_inspectors/appid/test/appid_simple_test.cc +++ /dev/null @@ -1,46 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2016-2016 Cisco and/or its affiliates. All rights reserved. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// appid_simple_test.cc author stechew - -// Make some API calls to demonstrate that we can link with appid libs. - -#if 0 -#include -#include "appid_utils/fw_avltree.h" -#include "protocols/protocol_ids.h" -#include "sfip/sfip_t.h" -#include "sfip/sf_ip.h" -#include "fw_appid.h" -#endif -int main() -{ -#if 0 - IpProtocol proto=IpProtocol::TCP; - sfip_t* ip = nullptr; - SFIP_RET status; - - printf("Testing...\n"); - - ip = sfip_alloc("10.1.1.1", &status); - fwAvlInit(); - appSharedDataAlloc(proto, ip); -#endif - return 0; -} - diff --git a/src/network_inspectors/appid/test/appid_tests.cc b/src/network_inspectors/appid/test/appid_tests.cc deleted file mode 100644 index e18ae630c..000000000 --- a/src/network_inspectors/appid/test/appid_tests.cc +++ /dev/null @@ -1,843 +0,0 @@ -#include -#include -#include - -#include - -#include "parser/mstring.h" - -#include "appid_config.h" - -#include "external_apis.h" -#include "fw_appid.h" -#include "session_file.h" - -#if 1 // FIXIT-M hacks -// not sure where this is defined; outside the appid tree probably -using ControlDataSendFunc = void (*)(); -#endif - -extern void AppIdReload(struct _SnortConfig* sc, char* args, void** new_config); -extern void* AppIdReloadSwap(struct _SnortConfig* sc, void* swap_config); -extern void AppIdReloadFree(void* old_context); -extern int AppIdReconfigure(uint16_t type, const uint8_t* data, uint32_t length, - void** new_context, - char* statusBuf, int statusBuf_len); -extern int AppIdReconfigureSwap(uint16_t type, void* new_context, void** old_context); -extern void AppIdReconfigureFree(uint16_t type, void* old_context, struct _THREAD_ELEMENT* te, - ControlDataSendFunc f); - -extern int processHTTPPacket(Packet* p, AppIdSession* session, int direction, - HttpParsedHeaders* const headers, const AppIdConfig* pConfig); -extern void appIdApiInit(struct AppIdApi*); -extern void sfiph_build(Packet* p, const void* hdr, int family); -extern void pickHttpXffAddress(Packet* p, AppIdSession* appIdSession, - ThirdPartyAppIDAttributeData* attribute_data); - -AppIdApi appIdApi; - -// FIXIT: use APIs instead of using global -extern AppIdSession* pAppIdData; - -static char* testFilesPath = nullptr; -static char rnaConfPath[PATH_MAX] = { 0 }; - -static void testProcessHttpPacket(const char* useragent, const char* host, const char* referer, - const char* trailer) -{ - // FIXIT-M J these need to be cleared, probably - Packet p; - AppIdSession session; - - char buf[1024]; - int bufLen; - - session.common.flags = 0x311380; - session.hsession = (decltype(session.hsession))snort_calloc(sizeof(httpSession)); - if (host) - { - session.hsession->host = snort_strdup(host); - strcpy(buf, "http://"); - strcat(buf, host); - if (trailer) - strcat(buf, trailer); - else - strcat(buf, "/"); - session.hsession->url = snort_strdup(buf); - } - if (useragent) - session.hsession->useragent = snort_strdup(useragent); - if (referer) - session.hsession->referer = snort_strdup(referer); - session.hsession->uri = snort_strdup("/"); - session.hsession->cookie = snort_strdup( - "s_vi=[CS]v1|25B026B7851D124A-6000012D802520B2[CE]; CG=US:MD:Laurel; mbox=check#true#1336576860|session#1336576799559-724714#1336578660; SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; ug=" - "4faa8b240a5fef0aa5147448c8005347; ugs=1; tnr:usrvtstg01=1336576805411%7C0%7C0%7C1%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C1%7Cf%7C" - "1%7C4%7C1336576805411; tnr:sesctmp01=1336576805411; s_cc=true; s_sq=%5B%5BB%5D%5D; adDEmas=R08&broadband&gblx.net&73&gbr&826027&0&10198&-&-&-&15275&; adDEon=true; s_ppv=13"); - session.serviceAppId = APP_ID_NONE; - session.payload_app_id = APP_ID_NONE; - session.tp_payload_app_id = 1190; - session.scan_flags = 0x26; - session.client_app_id = 0; - - strcpy(buf, "GET / HTTP/1.1\r\n"); - strcat(buf, "Host: "); - strcat(buf, host); - strcat(buf, "\r\nUser-Agent: "); - strcat(buf, useragent); - if (referer) - { - strcat(buf, "\r\nReferer: "); - strcat(buf, referer); - } - strcat(buf, "\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"); - strcat(buf, - "Accept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"); - strcat(buf, "Keep-Alive: 115\r\nConnection: keep-alive\r\n"); - bufLen = strlen(buf); - strncat(buf, - "Cookie: s_vi=[CS]v1|25B026B7851D124A-6000012D802520B2[CE]; CG=US:MD:Laurel; mbox=check#true#1336576860|session#1336576799559-724714#1336578660; SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; ug=4faa8b240a5fef0aa5147448c8005347; ugs=1; tnr:usrvtstg01=1336576805411%7C0%7C0%7C1%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C1%7Cf%7C1%7C4%7C1336576805411; tnr:sesctmp01=1336576805411; s_cc=true; s_sq=%5B%5BB%5D%5D; adDEmas=R08&broadband&gblx.net&73&gbr&826027&0&10198&-&-&-&15275&; adDEon=true; s_ppv=13\r\n\r\n", - sizeof(buf) - bufLen - 1); - - p.data = (decltype(p.data))snort_strdup(buf); - p.dsize = strlen((const char*)p.data); - - processHTTPPacket(&p, &session, APP_ID_FROM_INITIATOR, nullptr, pAppidActiveConfig); - - if (host) - { - snort_free(session.hsession->host); - snort_free(session.hsession->url); - } - if (referer) - snort_free(session.hsession->referer); - if (useragent) - snort_free(session.hsession->useragent); - snort_free(session.hsession->uri); - snort_free(session.hsession->cookie); - snort_free(session.hsession); - - snort_free((uint8_t*)p.data); -} - -void testFwAppIdSearch(const char* fileName) -{ - Packet pkt; - Flow flow; - - FILE* file; - HttpParsedHeaders* httpHeader = nullptr; - AppId service; - bool isLoginSuccessful; - char* userName; - char* serviceVendor; - char* serviceVersion; - RNAServiceSubtype* serviceSubtype; - int moreData = 0; - char filePath[PATH_MAX]; - - strcpy(filePath, testFilesPath); - strcat(filePath, "/sessions/"); - strcat(filePath, fileName); - - file = fopen(filePath, "r"); - assert(file != nullptr); - - do - { - sessionFileReadSession(file, &flow); - moreData = sessionFileReadPacket(file, &pkt, &httpHeader); - - pkt.flow = &flow; - - sfiph_build(&pkt, &pkt.ip4h, pkt.family); - - if (httpHeader) - { - //httpHeaderCallback(&pkt, httpHeader); - } - else - { - do_application_discovery(&pkt); - } - - if (pkt.data) - snort_free((uint8_t*)pkt.data); - memset(&pkt, 0, sizeof(pkt)); - - if (httpHeader) - { - if (httpHeader->host.start) - snort_free((uint8_t*)httpHeader->host.start); - if (httpHeader->url.start) - snort_free((uint8_t*)httpHeader->url.start); - if (httpHeader->method.start) - snort_free((uint8_t*)httpHeader->method.start); - if (httpHeader->userAgent.start) - snort_free((uint8_t*)httpHeader->userAgent.start); - if (httpHeader->referer.start) - snort_free((uint8_t*)httpHeader->referer.start); - if (httpHeader->via.start) - snort_free((uint8_t*)httpHeader->via.start); - if (httpHeader->responseCode.start) - snort_free((uint8_t*)httpHeader->responseCode.start); - if (httpHeader->server.start) - snort_free((uint8_t*)httpHeader->server.start); - if (httpHeader->xWorkingWith.start) - snort_free((uint8_t*)httpHeader->xWorkingWith.start); - if (httpHeader->contentType.start) - snort_free((uint8_t*)httpHeader->contentType.start); - snort_free(httpHeader); - httpHeader = nullptr; - } - } - while (moreData != -1); - - LogMessage("==========================================================\n"); - LogMessage("App name = %s\n", appGeAppName(appIdApi.geServiceAppId(pAppIdData))); - LogMessage("AppId = %d\n", appGeAppId(appGeAppName(appIdApi.geServiceAppId(pAppIdData)))); - LogMessage("Service AppId = %d\n", appIdApi.geServiceAppId(pAppIdData)); - LogMessage("Only Service AppId = %d\n", appIdApi.get_only_service_app_id(pAppIdData)); - LogMessage("Misc AppId = %d\n", appIdApi.get_misc_app_id(pAppIdData)); - LogMessage("Client AppId = %d\n", appIdApi.get_client_app_id(pAppIdData)); - LogMessage("Payload AppId = %d\n", appIdApi.get_payload_app_id(pAppIdData)); - LogMessage("Referred AppId = %d\n", appIdApi.get_referred_app_id(pAppIdData)); - LogMessage("Fw Service AppId = %d\n", appIdApi.get_fw_service_app_id(pAppIdData)); - LogMessage("Fw Misc AppId = %d\n", appIdApi.get_fw_misc_app_id(pAppIdData)); - LogMessage("Fw Client AppId = %d\n", appIdApi.get_fw_client_app_id(pAppIdData)); - LogMessage("Fw Payload AppId = %d\n", appIdApi.get_fw_payload_app_id(pAppIdData)); - LogMessage("Fw Referred AppId = %d\n", appIdApi.get_fw_feferred_app_id(pAppIdData)); - LogMessage("Is Session SSL Decrypted = %d\n", appIdApi.is_ssl_session_decrypted(pAppIdData)); - LogMessage("Is AppId Inspecting Session = %d\n", appIdApi.is_appid_inspecting_session( - pAppIdData)); - LogMessage("Is AppId Available = %d\n", appIdApi.is_appid_available(pAppIdData)); - userName = appIdApi.get_user_name(pAppIdData, &service, &isLoginSuccessful); - LogMessage("User name = %s, service = %d, isLoginSuccessful = %d\n", - userName, service, isLoginSuccessful); - LogMessage("Client version = %s\n", appIdApi.geClientVersion(pAppIdData)); - // TODO: Is the flag argument correct? - LogMessage("Session attribute = %" PRIx64 "\n", appIdApi.get_appid_session_attribute(pAppIdData, - 0)); - LogMessage("Flow type = %08X\n", appIdApi.get_flow_type(pAppIdData)); - appIdApi.geServiceInfo(pAppIdData, &serviceVendor, &serviceVersion, &serviceSubtype); - LogMessage("Service vendor = %s, version = %s\n", - serviceVendor, serviceVersion); - LogMessage("Service port = %d\n", appIdApi.geServicePort(pAppIdData)); - LogMessage("Service IP = %s\n", inet_ntoa(appIdApi.geServiceIp(pAppIdData))); - LogMessage("HTTP user agent = %s\n", appIdApi.get_http_user_agent(pAppIdData)); - LogMessage("HTTP host = %s\n", appIdApi.getHttpHost(pAppIdData)); - LogMessage("HTTP URL = %s\n", appIdApi.get_http_url(pAppIdData)); - LogMessage("HTTP referer = %s\n", appIdApi.get_http_referer(pAppIdData)); - LogMessage("TLS host = %s\n", appIdApi.getTlsHost(pAppIdData)); - LogMessage("NetBIOS name = %s\n", appIdApi.get_netbios_name(pAppIdData)); - - fclose(file); -} - -START_TEST(ConfigParseTest) -{ - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - appIdConfigParse( - "conf rna.conf, debug yes, dump_ports, memcap 0, app_stats_filename stats, app_stats_period 60, app_stats_rollover_size 100000, app_stats_rollover_time 60, app_detector_dir appid, instance_id 1, thirdparty_appid_dir thirdparty_appid"); - - ck_assert_str_eq(appidStaticConfig.conf_file, "rna.conf"); - ck_assert_int_eq(appidStaticConfig.app_id_debug, 1); - ck_assert_int_eq(appidStaticConfig.app_id_dump_ports, 1); - ck_assert_uint_eq(appidStaticConfig.memcap, (32*1024*1024ULL)); - ck_assert_str_eq(appidStaticConfig.app_stats_filename, "stats"); - ck_assert_uint_eq(appidStaticConfig.app_stats_period, 60); - ck_assert_uint_eq(appidStaticConfig.app_stats_rollover_size, 100000); - ck_assert_uint_eq(appidStaticConfig.app_stats_rollover_time, 60); - ck_assert_str_eq(appidStaticConfig.app_id_detector_path, "appid"); - ck_assert_uint_eq(appidStaticConfig.instance_id, 1); - ck_assert_str_eq(appidStaticConfig.appid_thirdparty_dir, "thirdparty_appid"); -} -END_TEST START_TEST(InitFiniTest) -{ - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - AppIdCommonFini(); -} - -END_TEST START_TEST(ReloadTest) -{ - AppIdConfig* pNewConfig = nullptr; - AppIdConfig* pOldConfig = nullptr; - - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - AppIdReload(nullptr, nullptr, (void**)&pNewConfig); - pOldConfig = AppIdReloadSwap(nullptr, pNewConfig); - AppIdReloadFree(pOldConfig); - - AppIdCommonFini(); -} - -END_TEST START_TEST(ReconfigureTest) -{ - AppIdConfig* pNewConfig = nullptr; - AppIdConfig* pOldConfig = nullptr; - - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0); - AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig); - AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr); - - AppIdCommonFini(); -} - -END_TEST START_TEST(HttpTest) -{ - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - testProcessHttpPacket( - "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100715 Ubuntu/9.04 (jaunty) Firefox/3.6.7", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 (KHTML, like Gecko) Version/7.1 Safari/537.85.10", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)", - "www.cnn.com", - nullptr, nullptr); - - AppIdCommonFini(); -} - -END_TEST START_TEST(HttpAfterReloadTest) -{ - AppIdConfig* pNewConfig = nullptr; - AppIdConfig* pOldConfig = nullptr; - - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - AppIdReload(nullptr, nullptr, (void**)&pNewConfig); - pOldConfig = AppIdReloadSwap(nullptr, pNewConfig); - AppIdReloadFree(pOldConfig); - - testProcessHttpPacket( - "Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36", - "www.cnn.com", - nullptr, nullptr); - - AppIdCommonFini(); -} - -END_TEST START_TEST(HttpAfterReconfigureTest) -{ - AppIdConfig* pNewConfig = nullptr; - AppIdConfig* pOldConfig = nullptr; - - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0); - AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig); - AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr); - - testProcessHttpPacket("Wget/1.9.1", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30", - "www.cnn.com", - nullptr, nullptr); - - AppIdCommonFini(); -} - -END_TEST START_TEST(HttpAfterReloadReconfigureTest) -{ - AppIdConfig* pNewConfig = nullptr; - AppIdConfig* pOldConfig = nullptr; - - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - AppIdReload(nullptr, nullptr, (void**)&pNewConfig); - pOldConfig = AppIdReloadSwap(nullptr, pNewConfig); - AppIdReloadFree(pOldConfig); - - pNewConfig = nullptr; - pOldConfig = nullptr; - - AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0); - AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig); - AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr); - - testProcessHttpPacket( - "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30", - "www.123.com", - "http://www.cnn.com", nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100715 Ubuntu/9.04 (jaunty) Firefox/3.6.7", - "www.cnn.com", - nullptr, "/tech?a=1&b=2"); - - AppIdCommonFini(); -} - -END_TEST START_TEST(HttpXffTest) -{ - Packet p = { 0 }; - AppIdSession session = { 0 }; - httpSession hsession = { 0 }; - ThirdPartyAppIDAttributeData tpData = { 0 }; - SFIP_RET status; - sfaddr_t* xffAddr = sfaddr_alloc("1.1.1.1", &status); - - // Only X-Forwarded-For - session.hsession = &hsession; - tpData.numXffFields = 1; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR; - tpData.xffFieldValue[0].value = "1.1.1.1"; - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - sfaddr_free(session.hsession->xffAddr); - - // Only True-Client-IP - memset(&p, 0, sizeof(p)); - memset(&session, 0, sizeof(session)); - memset(&hsession, 0, sizeof(hsession)); - memset(&tpData, 0, sizeof(tpData)); - session.hsession = &hsession; - tpData.numXffFields = 1; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_TRUE_CLIENT_IP; - tpData.xffFieldValue[0].value = "1.1.1.1"; - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - sfaddr_free(session.hsession->xffAddr); - - // X-Forwarded-For and True-Client-IP - memset(&p, 0, sizeof(p)); - memset(&session, 0, sizeof(session)); - memset(&hsession, 0, sizeof(hsession)); - memset(&tpData, 0, sizeof(tpData)); - session.hsession = &hsession; - tpData.numXffFields = 2; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_TRUE_CLIENT_IP; - tpData.xffFieldValue[0].value = "2.2.2.2"; - tpData.xffFieldValue[1].field = HTTP_XFF_FIELD_X_FORWARDED_FOR; - tpData.xffFieldValue[1].value = "1.1.1.1"; - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - sfaddr_free(session.hsession->xffAddr); - - // Comma-separated list in X-Forwarded-For - memset(&p, 0, sizeof(p)); - memset(&session, 0, sizeof(session)); - memset(&hsession, 0, sizeof(hsession)); - memset(&tpData, 0, sizeof(tpData)); - session.hsession = &hsession; - tpData.numXffFields = 1; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR; - tpData.xffFieldValue[0].value = snort_strdup("1.1.1.1, 2.2.2.2"); - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - snort_free(tpData.xffFieldValue[0].value); - sfaddr_free(session.hsession->xffAddr); - - // Custom XFF - static char* defaultXffPrecedence[] = { "Custom-XFF", HTTP_XFF_FIELD_X_FORWARDED_FOR, - HTTP_XFF_FIELD_TRUE_CLIENT_IP }; - memset(&p, 0, sizeof(p)); - memset(&session, 0, sizeof(session)); - memset(&hsession, 0, sizeof(hsession)); - memset(&tpData, 0, sizeof(tpData)); - session.hsession = &hsession; - session.hsession->xffPrecedence = defaultXffPrecedence; - session.hsession->numXffFields = 3; - tpData.numXffFields = 2; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR; - tpData.xffFieldValue[0].value = "2.2.2.2"; - tpData.xffFieldValue[1].field = "Custom-XFF"; - tpData.xffFieldValue[1].value = "1.1.1.1"; - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - sfaddr_free(session.hsession->xffAddr); - - sfaddr_free(xffAddr); - - snort_free((uint8_t*)p.data); -} - -END_TEST START_TEST(AimSessionTest) -{ - testFwAppIdSearch("aim.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "AOL Instant Messenger"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_AOL_INSTANT_MESSENGER); - ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), APP_ID_AOL_INSTANT_MESSENGER); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(CnnSessionTest) -{ - testFwAppIdSearch("cnn.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "HTTP"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_HTTP); - ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), APP_ID_FIREFOX); - ck_assert_uint_eq(appIdApi.get_payload_app_id(pAppIdData), 1190); // CNN app - ck_assert_str_eq(appIdApi.getHttpHost(pAppIdData), "www.cnn.com"); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(DnsSessionTest) -{ - testFwAppIdSearch("dns.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "DNS"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_DNS); - ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), APP_ID_DNS); - ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 53); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(ImapSessionTest) -{ - testFwAppIdSearch("imap.ssn"); - - // TODO: Investigate why IMAP appids are not showing up - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(MdnsSessionTest) -{ - testFwAppIdSearch("mdns.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "MDNS"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_MDNS); - ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 5353); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(MsnSessionTest) -{ - testFwAppIdSearch("msn.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "MSN Messenger"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_MSN_MESSENGER); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(NetbiosNsSessionTest) -{ - testFwAppIdSearch("netbios_ns.ssn"); - - // TODO: Investigate why NetBIOS name service appids are not showing up - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(NetbiosSsSessionTest) -{ - testFwAppIdSearch("netbios_ss.ssn"); - - // TODO: Investigate why NetBIOS ss appids are not showing up - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(PatternSessionTest) -{ - testFwAppIdSearch("pattern.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "3Com AMP3"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), 3000); - ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), 3000); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(Pop3SessionTest) -{ - testFwAppIdSearch("pop3.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "POP3"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_POP3); - ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 110); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(RfbSessionTest) -{ - testFwAppIdSearch("rfb.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "RFB"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_VNC_RFB); - ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), APP_ID_VNC); - ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 5900); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(RtpSessionTest) -{ - testFwAppIdSearch("rtp.ssn"); - - // TODO: Investigate why RTP appids are not showing up - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(SmtpSessionTest) -{ - testFwAppIdSearch("smtp.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "SMTP"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_SMTP); - ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 25); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(TimbuktuSessionTest) -{ - testFwAppIdSearch("timbuktu.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "Timbuktu"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_TIMBUKTU); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_TIMBUKTU); - ck_assert_uint_eq(appIdApi.geServicePort(pAppIdData), 407); - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(WebexSessionTest) -{ - testFwAppIdSearch("webex.ssn"); - - ck_assert_str_eq(appGeAppName(appIdApi.geServiceAppId(pAppIdData)), "HTTP"); - ck_assert_uint_eq(appIdApi.geServiceAppId(pAppIdData), APP_ID_HTTP); - ck_assert_uint_eq(appIdApi.get_client_app_id(pAppIdData), 2932); // WebEx - ck_assert_uint_eq(appIdApi.get_payload_app_id(pAppIdData), 2932); // WebEx - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST START_TEST(YmSessionTest) -{ - testFwAppIdSearch("ym.ssn"); - - // TODO: Investigate why Yahoo messenger appids are not showing up - - appSharedDataDelete(pAppIdData); - pAppIdData = nullptr; -} - -END_TEST - -static void appIdTestSetup(void) -{ - testFilesPath = getenv("APPID_TESTS_PATH"); - - if (testFilesPath == nullptr) - { - printf("Env variable APPID_TESTS_PATH is not set. Exiting ...\n"); - exit(-1); - } - - strcpy(rnaConfPath, testFilesPath); - strcat(rnaConfPath, "/rna.conf"); -} - -static void sessionTcaseSetup(void) -{ - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); -} - -static void sessionTcaseClean(void) -{ - AppIdCommonFini(); -} - -static Suite* setupAppIdSuite(void) -{ - Suite* appIdSuite; - TCase* frameworkTcase; - TCase* httpTcase; - TCase* sessionTcase; - - appIdSuite = suite_create("AppId"); - - // Create Framework test case - frameworkTcase = tcase_create("FrameworkTestCase"); - tcase_add_checked_fixture(frameworkTcase, nullptr, nullptr); - - // Add tests to Framework test case - tcase_add_test(frameworkTcase, ConfigParseTest); - tcase_add_test(frameworkTcase, InitFiniTest); - tcase_add_test(frameworkTcase, ReloadTest); - tcase_add_test(frameworkTcase, ReconfigureTest); - - suite_add_tcase(appIdSuite, frameworkTcase); - - // Create Http test case - httpTcase = tcase_create("HttpTestCase"); - tcase_add_checked_fixture(httpTcase, nullptr, nullptr); - - // Add tests to Http test case - tcase_add_test(httpTcase, HttpTest); - tcase_add_test(httpTcase, HttpAfterReloadTest); - tcase_add_test(httpTcase, HttpAfterReconfigureTest); - tcase_add_test(httpTcase, HttpAfterReloadReconfigureTest); - tcase_add_test(httpTcase, HttpXffTest); - - suite_add_tcase(appIdSuite, httpTcase); - - // Create Session test case - sessionTcase = tcase_create("SessionTestCase"); - tcase_add_checked_fixture(sessionTcase, nullptr, nullptr); - - // Add tests to Session test case - tcase_add_test(sessionTcase, AimSessionTest); - tcase_add_test(sessionTcase, CnnSessionTest); - tcase_add_test(sessionTcase, DnsSessionTest); - tcase_add_test(sessionTcase, ImapSessionTest); - tcase_add_test(sessionTcase, MdnsSessionTest); - tcase_add_test(sessionTcase, MsnSessionTest); - tcase_add_test(sessionTcase, NetbiosNsSessionTest); - tcase_add_test(sessionTcase, NetbiosSsSessionTest); - tcase_add_test(sessionTcase, PatternSessionTest); - tcase_add_test(sessionTcase, Pop3SessionTest); - tcase_add_test(sessionTcase, RfbSessionTest); - tcase_add_test(sessionTcase, RtpSessionTest); - tcase_add_test(sessionTcase, SmtpSessionTest); - tcase_add_test(sessionTcase, TimbuktuSessionTest); - tcase_add_test(sessionTcase, WebexSessionTest); - tcase_add_test(sessionTcase, YmSessionTest); - - suite_add_tcase(appIdSuite, sessionTcase); - - return appIdSuite; -} - -int main(int argc, char* argv[]) -{ - int opt, debug = 0; - int numberFailed; - Suite* appIdSuite; - SRunner* appIdRunner; - - while ((opt = getopt(argc, argv, "dh")) != -1) - { - switch (opt) - { - case 'd': - debug = 1; - break; - case 'h': - printf( - "Usage:\n\ - -d: Run test in no fork mode for debugging in gdb.\n\ - -h: This text.\n"); - return EXIT_SUCCESS; - } - } - - appIdTestSetup(); - - // Create a test runner for AppId suite - appIdSuite = setupAppIdSuite(); - appIdRunner = srunner_create(appIdSuite); - - if (debug) - { - srunner_set_fork_status(appIdRunner, CK_NOFORK); - } - - // Set test results format to TAP and specify file name - srunner_set_tap(appIdRunner, "AppIdTests.tap~"); - - // Run test cases in AppId suite - srunner_run(appIdRunner, nullptr, "FrameworkTestCase", CK_NORMAL); - - system("cp AppIdTests.tap~ AppIdTests.tap"); - - srunner_run(appIdRunner, nullptr, "HttpTestCase", CK_NORMAL); - - system("cat AppIdTests.tap~ >> AppIdTests.tap"); - - sessionTcaseSetup(); - srunner_run(appIdRunner, nullptr, "SessionTestCase", CK_NORMAL); - sessionTcaseClean(); - - system("cat AppIdTests.tap~ >> AppIdTests.tap"); - - numberFailed = srunner_ntests_failed(appIdRunner); - srunner_free(appIdRunner); - return (numberFailed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; -} - diff --git a/src/network_inspectors/appid/test/external_apis.cc b/src/network_inspectors/appid/test/external_apis.cc deleted file mode 100644 index e68cf3770..000000000 --- a/src/network_inspectors/appid/test/external_apis.cc +++ /dev/null @@ -1,244 +0,0 @@ -//#include -#include "external_apis.h" -#include "session_file.h" -#include "appid_session.h" - -#include "protocols/packet.h" -#include "protocols/tcp.h" -#include "protocols/udp.h" - -AppIdSession* pAppIdData = nullptr; - -/*********************************************************** - * Local functions - **********************************************************/ -static void determinePacketDirection(Packet* p, uint16_t p_port, uint16_t scb_port, int is_sport) -{ - if (is_sport) - p->packet_flags |= (p_port == scb_port) ? PKT_FROM_CLIENT : PKT_FROM_SERVER; - else - p->packet_flags |= (p_port == scb_port) ? PKT_FROM_SERVER : PKT_FROM_CLIENT; -} - -static void setPacketDirectionFlag(Packet* p, SessionControlBlock* session) -{ - if (p->is_ip4()) - { - if (sfip_fast_eq4(p->ptrs.ip_api.get_src(), &session->client_ip)) - { - if (p->is_tcp()) - determinePacketDirection(p, p->ptrs.tcph->src_port(), session->client_port, true); - else if (p->is_udp()) - determinePacketDirection(p, p->ptrs.udph->src_port(), session->client_port, true); - else - p->packet_flags |= PKT_FROM_CLIENT; - } - else if (sfip_fast_eq4(p->ptrs.ip_api.get_dst(), &session->client_ip)) - { - if (p->is_tcp()) - determinePacketDirection(p, p->ptrs.tcph->dst_port(), session->client_port, false); - else if (p->is_udp()) - determinePacketDirection(p, p->ptrs.udph->dst_port(), session->client_port, false); - else - p->packet_flags |= PKT_FROM_SERVER; - } - } - else - { - if (sfip_fast_eq6(p->ptrs.ip_api.get_src(), &session->client_ip)) - { - if (p->is_tcp()) - determinePacketDirection(p, p->ptrs.tcph->src_port(), session->client_port, true); - else if (p->is_udp()) - determinePacketDirection(p, p->ptrs.udph->src_port(), session->client_port, true); - else - p->packet_flags |= PKT_FROM_CLIENT; - } - else if (sfip_fast_eq6(p->ptrs.ip_api.get_dst(), &session->client_ip)) - { - if (p->is_tcp()) - determinePacketDirection(p, p->ptrs.tcph->dst_port(), session->client_port, false); - else if (p->is_udp()) - determinePacketDirection(p, p->ptrs.udph->dst_port(), session->client_port, false); - else - p->packet_flags |= PKT_FROM_SERVER; - } - } -} - -NORETURN void FatalError(const char* format,...) -{ - va_list arg; - - printf("FATAL ERROR: "); - - va_start (arg, format); - vfprintf (stdout, format, arg); - va_end (arg); - fflush(stdout); - - exit(-1); -} - -void LogMessage(const char* format,...) -{ - va_list arg; - - printf("LOG MESSAGE: "); - - va_start (arg, format); - vfprintf (stdout, format, arg); - va_end (arg); - fflush(stdout); -} - -/*********************************************************** - * _dpd APIs - **********************************************************/ -void logMsg(const char* format, ...) -{ - va_list arg; - - printf("LOG: "); - - va_start (arg, format); - vfprintf (stdout, format, arg); - va_end (arg); - fflush(stdout); -} - -void errMsg(const char* format, ...) -{ - va_list arg; - - printf("ERROR: "); - - va_start (arg, format); - vfprintf (stdout, format, arg); - va_end (arg); - fflush(stdout); -} - -void debugMsg(uint64_t, const char* format, ...) -{ - va_list arg; - - printf("DEBUG: "); - - va_start (arg, format); - vfprintf (stdout, format, arg); - va_end (arg); - fflush(stdout); -} - -int16_t addProtocolReference(const char*) -{ - return 0; -} - -void* addPreproc(struct _SnortConfig*, void (*)(void*, void*), uint16_t, uint32_t, uint32_t) -{ - return nullptr; -} - -tSfPolicyId getParserPolicy(struct _SnortConfig*) -{ - return 0; -} - -tSfPolicyId getDefaultPolicy(void) -{ - return 1; -} - -bool isAppIdRequired(void) -{ - return false; -} - -uint32_t getSnortInstance(void) -{ - return 0; -} - -int16_t findProtocolReference(const char*) -{ - return 0; -} - -/*********************************************************** - * Session APIs - **********************************************************/ -void enable_preproc_all_ports(struct _SnortConfig*, uint32_t, uint32_t) -{ -} - -void* get_flow_data(void*, uint32_t) -{ - return pAppIdData; -} - -int set_flow_data(void*, uint32_t, AppIdSession* data, StreamAppDataFree) -{ - pAppIdData = data; - - return 0; -} - -uint32_t get_packet_direction(Packet* p) -{ - if ((p == nullptr) || (p->flow == nullptr)) - return 0; - - setPacketDirectionFlag(p, p->flow); - - return (p->packet_flags & (PKT_FROM_SERVER | PKT_FROM_CLIENT)); -} - -uint32_t get_session_flags(void* ssnptr) -{ - SessionControlBlock* scb = (SessionControlBlock*)ssnptr; - return scb->ha_state.session_flags; -} - -sfaddr_t* get_session_ip_address(void* scbptr, uint32_t direction) -{ - SessionControlBlock* scb = (SessionControlBlock*)scbptr; - - if (scb != nullptr) - { - switch (direction) - { - case SSN_DIR_FROM_SERVER: - return (sfaddr_t*)(&(scb)->server_ip); - - case SSN_DIR_FROM_CLIENT: - return (sfaddr_t*)(&(scb)->client_ip); - - default: - break; - } - } - - return nullptr; -} - -void set_application_id(void*, int16_t, int16_t, int16_t, int16_t) -{ -} - -bool is_session_http2(void*) -{ - return false; -} - -int16_t get_application_protocol_id(void*) -{ - return 0; -} - -char** get_http_xff_precedence(void*, uint32_t, int*) -{ - return nullptr; -} - diff --git a/src/network_inspectors/appid/test/external_apis.h b/src/network_inspectors/appid/test/external_apis.h deleted file mode 100644 index 7c2c540d2..000000000 --- a/src/network_inspectors/appid/test/external_apis.h +++ /dev/null @@ -1,71 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. -// Copyright (C) 2005-2013 Sourcefire, Inc. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// external_apis.h author Sourcefire Inc. - -#ifndef EXTERNAL_APIS_H -#define EXTERNAL_APIS_H - -#include - -#include "flow/flow.h" - -struct sfaddr_t; -struct SnortConfig; -struct Packet; -using tSfPolicyId = int; - -#define PKT_FROM_SERVER 0x00000040 /* this packet came from the server - side of a connection (TCP) */ -#define PKT_FROM_CLIENT 0x00000080 /* this packet came from the client - side of a connection (TCP) */ -// _dpd APIs -void logMsg(const char*, ...); -void errMsg(const char*, ...); -void debugMsg(uint64_t type, const char*, ...); -int16_t addProtocolReference(const char* protocol); - -void* addPreproc( - SnortConfig*, void (* pp_func)(void*, void*), uint16_t priority, - uint32_t appId, uint32_t flags); - -tSfPolicyId getParserPolicy(SnortConfig*); -tSfPolicyId getDefaultPolicy(); -bool isAppIdRequired(); -uint32_t getSnortInstance(); -int16_t findProtocolReference(const char* app); - -// Session APIs -void enable_preproc_all_ports(SnortConfig*, uint32_t appId, uint32_t flags); -void* get_flow_data(void* stream_session, uint32_t protocol); -int set_flow_data(void* scbptr, uint32_t protocol, void* data, StreamAppDataFree); -uint32_t get_packet_direction(Packet*); -uint32_t get_session_flags(void* ssnptr); -sfaddr_t* get_session_ip_address(void* scbptr, uint32_t direction); -int16_t get_application_protocol_id(void* scbptr); -char** get_http_xff_precedence(void* ssn, uint32_t flags, int* nFields); - -// Stream APIs -void set_application_id( - void* ssnptr, int16_t serviceAppid, int16_t ClientAppid, - int16_t payloadAppId, int16_t miscAppid); - -bool is_session_http2(void* ssn); - -#endif diff --git a/src/network_inspectors/appid/test/mpse.cc b/src/network_inspectors/appid/test/mpse.cc deleted file mode 100644 index bd3db5b04..000000000 --- a/src/network_inspectors/appid/test/mpse.cc +++ /dev/null @@ -1,729 +0,0 @@ -/* -* $Id: mpse.c,v 1.2 2015/03/25 14:45:18 andrbake Exp $ -* -* mpse.c -* -* An abstracted interface to the Multi-Pattern Matching routines, -* thats why we're passing 'void *' objects around. -* -* Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. -* Copyright (C) 2002-2013 Sourcefire, Inc. -* Marc A Norton -* -* Updates: -* 3/06 - Added AC_BNFA search -** -** This program is free software; you can redistribute it and/or modify -** it under the terms of the GNU General Public License Version 2 as -** published by the Free Software Foundation. You may not use, modify or -** distribute this program under any other version of the GNU General -** Public License. -** -** This program is distributed in the hope that it will be useful, -** but WITHOUT ANY WARRANTY; without even the implied warranty of -** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -** GNU General Public License for more details. -** -** You should have received a copy of the GNU General Public License -** along with this program; if not, write to the Free Software -** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -** -*/ -#include - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif -#include "bnfa_search.h" -#include "acsmx.h" -#include "acsmx2.h" -#include "sfksearch.h" -#include "mpse.h" -#include "snort_debug.h" -#include "sf_types.h" -#include "util.h" - -#ifdef INTEL_SOFT_CPM -#include "intel-soft-cpm.h" -#endif -#include "profiler.h" - -#include "snort.h" - -static uint64_t s_bcnt=0; - -typedef struct _mpse_struct -{ - int method; - void* obj; - int verbose; - uint64_t bcnt; - char inc_global_counter; -} MPSE; - -void* mpseNew(int method, int use_global_counter_flag, - void (* userfree)(void* p), - void (* optiontreefree)(void** p), - void (* neg_list_free)(void** p)) -{ - MPSE* p; - - p = (MPSE*)snort_calloc(sizeof(MPSE) ); - p->method = method; - p->verbose = 0; - p->obj = nullptr; - p->bcnt = 0; - p->inc_global_counter = (char)use_global_counter_flag; - - switch ( method ) - { - case MPSE_AC_BNFA: - p->obj=bnfaNew(userfree, optiontreefree, neg_list_free); - if (p->obj) - ((bnfa_struct_t*)(p->obj))->bnfaMethod = 1; - break; - case MPSE_AC_BNFA_Q: - p->obj=bnfaNew(userfree, optiontreefree, neg_list_free); - if (p->obj) - ((bnfa_struct_t*)(p->obj))->bnfaMethod = 0; - break; - case MPSE_AC: - p->obj = acsmNew(userfree, optiontreefree, neg_list_free); - break; - case MPSE_ACF: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_FULL); - break; - case MPSE_ACF_Q: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_FULLQ); - break; - case MPSE_ACS: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_SPARSE); - break; - case MPSE_ACB: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_BANDED); - break; - case MPSE_ACSB: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_SPARSEBANDS); - break; - case MPSE_LOWMEM: - p->obj = KTrieNew(0,userfree, optiontreefree, neg_list_free); - break; - case MPSE_LOWMEM_Q: - p->obj = KTrieNew(1,userfree, optiontreefree, neg_list_free); - break; - default: - /* p is free'd below if no case */ - break; - } - - if ( !p->obj ) - { - snort_free(p); - p = nullptr; - } - - return (void*)p; -} - -void* mpseNewWithSnortConfig(struct _SnortConfig* sc, - int method, int use_global_counter_flag, - void (* userfree)(void* p), - void (* optiontreefree)(void** p), - void (* neg_list_free)(void** p)) -{ - MPSE* p; - - p = (MPSE*)snort_calloc(sizeof(MPSE) ); - p->method = method; - p->verbose = 0; - p->obj = nullptr; - p->bcnt = 0; - p->inc_global_counter = (char)use_global_counter_flag; - - switch ( method ) - { - case MPSE_AC_BNFA: - p->obj=bnfaNew(userfree, optiontreefree, neg_list_free); - if (p->obj) - ((bnfa_struct_t*)(p->obj))->bnfaMethod = 1; - break; - case MPSE_AC_BNFA_Q: - p->obj=bnfaNew(userfree, optiontreefree, neg_list_free); - if (p->obj) - ((bnfa_struct_t*)(p->obj))->bnfaMethod = 0; - break; - case MPSE_AC: - p->obj = acsmNew(userfree, optiontreefree, neg_list_free); - break; - case MPSE_ACF: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_FULL); - break; - case MPSE_ACF_Q: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_FULLQ); - break; - case MPSE_ACS: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_SPARSE); - break; - case MPSE_ACB: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_BANDED); - break; - case MPSE_ACSB: - p->obj = acsmNew2(userfree, optiontreefree, neg_list_free); - if (p->obj) - acsmSelectFormat2((ACSM_STRUCT2*)p->obj,ACF_SPARSEBANDS); - break; - case MPSE_LOWMEM: - p->obj = KTrieNew(0,userfree, optiontreefree, neg_list_free); - break; - case MPSE_LOWMEM_Q: - p->obj = KTrieNew(1,userfree, optiontreefree, neg_list_free); - break; -#ifdef INTEL_SOFT_CPM - case MPSE_INTEL_CPM: - p->obj=IntelPmNew(sc, userfree, optiontreefree, neg_list_free); - break; -#endif - default: - /* p is free'd below if no case */ - break; - } - - if ( !p->obj ) - { - snort_free(p); - p = nullptr; - } - - return (void*)p; -} - -void mpseVerbose(void* pvoid) -{ - MPSE* p = (MPSE*)pvoid; - p->verbose = 1; -} - -void mpseSetOpt(void* pvoid, int flag) -{ - MPSE* p = (MPSE*)pvoid; - - if (p == nullptr) - return; - switch ( p->method ) - { - case MPSE_AC_BNFA_Q: - case MPSE_AC_BNFA: - if (p->obj) - bnfaSetOpt((bnfa_struct_t*)p->obj,flag); - break; - case MPSE_ACF: - case MPSE_ACF_Q: - if (p->obj) - acsmCompressStates((ACSM_STRUCT2*)p->obj, flag); - break; - default: - break; - } -} - -void mpseFree(void* pvoid) -{ - MPSE* p = (MPSE*)pvoid; - - if (p == nullptr) - return; - - switch ( p->method ) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - if (p->obj) - bnfaFree((bnfa_struct_t*)p->obj); - snort_free(p); - return; - - case MPSE_AC: - if (p->obj) - acsmFree((ACSM_STRUCT*)p->obj); - snort_free(p); - return; - - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - if (p->obj) - acsmFree2((ACSM_STRUCT2*)p->obj); - snort_free(p); - return; - - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - if (p->obj) - KTrieDelete((KTRIE_STRUCT*)p->obj); - snort_free(p); - return; - -#ifdef INTEL_SOFT_CPM - case MPSE_INTEL_CPM: - if (p->obj) - IntelPmDelete((IntelPm*)p->obj); - snort_free(p); - break; -#endif - - default: - snort_free(p); - assert(false); - return; - } -} - -int mpseAddPattern(void* pvoid, void* P, int m, - unsigned noCase, unsigned offset, unsigned depth, - unsigned negative, void* ID, int IID) -{ - MPSE* p = (MPSE*)pvoid; - - switch ( p->method ) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - return bnfaAddPattern( (bnfa_struct_t*)p->obj, (unsigned char*)P, m, - noCase, negative, ID); - - case MPSE_AC: - return acsmAddPattern( (ACSM_STRUCT*)p->obj, (unsigned char*)P, m, - noCase, offset, depth, negative, ID, IID); - - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - return acsmAddPattern2( (ACSM_STRUCT2*)p->obj, (unsigned char*)P, m, - noCase, offset, depth, negative, ID, IID); - - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - return KTrieAddPattern( (KTRIE_STRUCT*)p->obj, (unsigned char*)P, m, - noCase, negative, ID); - default: - return -1; - } -} - -int mpseAddPatternWithSnortConfig(SnortConfig* sc, void* pvoid, void* P, int m, - unsigned noCase, unsigned offset, unsigned depth, - unsigned negative, void* ID, int IID) -{ - MPSE* p = (MPSE*)pvoid; - - switch ( p->method ) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - return bnfaAddPattern( (bnfa_struct_t*)p->obj, (unsigned char*)P, m, - noCase, negative, ID); - - case MPSE_AC: - return acsmAddPattern( (ACSM_STRUCT*)p->obj, (unsigned char*)P, m, - noCase, offset, depth, negative, ID, IID); - - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - return acsmAddPattern2( (ACSM_STRUCT2*)p->obj, (unsigned char*)P, m, - noCase, offset, depth, negative, ID, IID); - - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - return KTrieAddPattern( (KTRIE_STRUCT*)p->obj, (unsigned char*)P, m, - noCase, negative, ID); -#ifdef INTEL_SOFT_CPM - case MPSE_INTEL_CPM: - return IntelPmAddPattern(sc, (IntelPm*)p->obj, (unsigned char*)P, m, - noCase, negative, ID, IID); -#endif - default: - return -1; - } -} - -void mpseLargeShifts(void* pvoid, int flag) -{ - MPSE* p = (MPSE*)pvoid; - - switch ( p->method ) - { - default: - return; - } -} - -int mpsePrepPatterns(void* pvoid, - int ( * build_tree )(void* id, void** existing_tree), - int ( * neg_list_func )(void* id, void** list) ) -{ - int retv; - MPSE* p = (MPSE*)pvoid; - - switch ( p->method ) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - retv = bnfaCompile( (bnfa_struct_t*)p->obj, build_tree, neg_list_func); - break; - - case MPSE_AC: - retv = acsmCompile( (ACSM_STRUCT*)p->obj, build_tree, neg_list_func); - break; - - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - retv = acsmCompile2( (ACSM_STRUCT2*)p->obj, build_tree, neg_list_func); - break; - - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - return KTrieCompile( (KTRIE_STRUCT*)p->obj, build_tree, neg_list_func); - - default: - retv = 1; - break; - } - - return retv; -} - -int mpsePrepPatternsWithSnortConf(struct _SnortConfig* sc, void* pvoid, - int ( * build_tree )(struct _SnortConfig*, void* id, void** existing_tree), - int ( * neg_list_func )(void* id, void** list) ) -{ - int retv; - MPSE* p = (MPSE*)pvoid; - - switch ( p->method ) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - retv = bnfaCompileWithSnortConf(sc, (bnfa_struct_t*)p->obj, build_tree, neg_list_func); - break; - - case MPSE_AC: - retv = acsmCompileWithSnortConf(sc, (ACSM_STRUCT*)p->obj, build_tree, neg_list_func); - break; - - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - retv = acsmCompile2WithSnortConf(sc, (ACSM_STRUCT2*)p->obj, build_tree, neg_list_func); - break; - - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - return KTrieCompileWithSnortConf(sc, (KTRIE_STRUCT*)p->obj, build_tree, neg_list_func); - -#ifdef INTEL_SOFT_CPM - case MPSE_INTEL_CPM: - return IntelPmFinishGroup(sc, (IntelPm*)p->obj, build_tree, neg_list_func); -#endif - - default: - retv = 1; - break; - } - - return retv; -} - -int mpsePrintInfo(void* pvoid) -{ - MPSE* p = (MPSE*)pvoid; - - fflush(stderr); - fflush(stdout); - switch ( p->method ) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - bnfaPrintInfo( (bnfa_struct_t*)p->obj); - break; - case MPSE_AC: - return acsmPrintDetailInfo( (ACSM_STRUCT*)p->obj); - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - return acsmPrintDetailInfo2( (ACSM_STRUCT2*)p->obj); - - default: - return 1; - } - fflush(stderr); - fflush(stdout); - - return 0; -} - -int mpsePrintSummary(int method) -{ - switch (method) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - bnfaPrintSummary(); - break; - case MPSE_AC: - acsmPrintSummaryInfo(); - break; - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - acsmPrintSummaryInfo2(); - break; - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - if ( KTrieMemUsed() ) - { - double x; - x = (double)KTrieMemUsed(); - LogMessage("[ LowMem Search-Method Memory Used : %g %s ]\n", - (x > 1.e+6) ? x/1.e+6 : x/1.e+3, - (x > 1.e+6) ? "MBytes" : "KBytes"); - } - break; - default: - break; - } - - return 0; -} - -int mpsePrintSummaryWithSnortConfig(SnortConfig* sc, int method) -{ - switch (method) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - bnfaPrintSummary(); - break; - case MPSE_AC: - acsmPrintSummaryInfo(); - break; - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - acsmPrintSummaryInfo2(); - break; - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - if ( KTrieMemUsed() ) - { - double x; - x = (double)KTrieMemUsed(); - LogMessage("[ LowMem Search-Method Memory Used : %g %s ]\n", - (x > 1.e+6) ? x/1.e+6 : x/1.e+3, - (x > 1.e+6) ? "MBytes" : "KBytes"); - } - break; - default: - break; - } - -#ifdef INTEL_SOFT_CPM - IntelPmPrintSummary(sc); -#endif - - return 0; -} - -void mpseInitSummary(void) -{ - acsm_init_summary(); - bnfaInitSummary(); - KTrieInitMemUsed(); -} - -int mpseSearch(void* pvoid, const unsigned char* T, int n, - int ( * action )(void* id, void* tree, int index, void* data, void* neg_list), - void* data, int* current_state) -{ - MPSE* p = (MPSE*)pvoid; - int ret; - PROFILE_VARS; - - PREPROC_PROFILE_START(mpsePerfStats); - - p->bcnt += n; - - if (p->inc_global_counter) - s_bcnt += n; - - switch ( p->method ) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - /* return is actually the state */ - ret = bnfaSearch((bnfa_struct_t*)p->obj, (unsigned char*)T, n, - action, data, 0 /* start-state */, current_state); - PREPROC_PROFILE_END(mpsePerfStats); - return ret; - - case MPSE_AC: - ret = acsmSearch( (ACSM_STRUCT*)p->obj, (unsigned char*)T, n, action, data, current_state); - PREPROC_PROFILE_END(mpsePerfStats); - return ret; - - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - ret = acsmSearch2( (ACSM_STRUCT2*)p->obj, (unsigned char*)T, n, action, data, - current_state); - PREPROC_PROFILE_END(mpsePerfStats); - return ret; - - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - ret = KTrieSearch( (KTRIE_STRUCT*)p->obj, (unsigned char*)T, n, action, data); - *current_state = 0; - PREPROC_PROFILE_END(mpsePerfStats); - return ret; - -#ifdef INTEL_SOFT_CPM - case MPSE_INTEL_CPM: - ret = IntelPmSearch((IntelPm*)p->obj, (unsigned char*)T, n, action, data); - *current_state = 0; - PREPROC_PROFILE_END(mpsePerfStats); - return ret; -#endif - - default: - PREPROC_PROFILE_END(mpsePerfStats); - return 1; - } -} - -int mpseSearchAll(void* pvoid, const unsigned char* T, int n, - int ( * action )(void* id, void* tree, int index, void* data, void* neg_list), - void* data, int* current_state) -{ - MPSE* p = (MPSE*)pvoid; - int ret; - PROFILE_VARS; - - PREPROC_PROFILE_START(mpsePerfStats); - - p->bcnt += n; - - if (p->inc_global_counter) - s_bcnt += n; - - switch ( p->method ) - { - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - ret = acsmSearchAll2( (ACSM_STRUCT2*)p->obj, (unsigned char*)T, n, action, data, - current_state); - PREPROC_PROFILE_END(mpsePerfStats); - return ret; - - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - case MPSE_AC: - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: -#ifdef INTEL_SOFT_CPM - case MPSE_INTEL_CPM: -#endif - default: - //search all not implemented. - PREPROC_PROFILE_END(mpsePerfStats); - return 1; - } -} - -int mpseGetPatternCount(void* pvoid) -{ - MPSE* p = (MPSE*)pvoid; - - if (p == nullptr) - return 0; - - switch ( p->method ) - { - case MPSE_AC_BNFA: - case MPSE_AC_BNFA_Q: - return bnfaPatternCount((bnfa_struct_t*)p->obj); - case MPSE_AC: - return acsmPatternCount((ACSM_STRUCT*)p->obj); - case MPSE_ACF: - case MPSE_ACF_Q: - case MPSE_ACS: - case MPSE_ACB: - case MPSE_ACSB: - return acsmPatternCount2((ACSM_STRUCT2*)p->obj); - case MPSE_LOWMEM: - case MPSE_LOWMEM_Q: - return KTriePatternCount((KTRIE_STRUCT*)p->obj); -#ifdef INTEL_SOFT_CPM - case MPSE_INTEL_CPM: - return IntelGetPatternCount((IntelPm*)p->obj); -#endif - } - return 0; -} - -uint64_t mpseGetPatByteCount(void) -{ - return s_bcnt; -} - -void mpseResetByteCount(void) -{ - s_bcnt = 0; -} - -void mpse_print_qinfo(void) -{ - sfksearch_print_qinfo(); - bnfa_print_qinfo(); - acsmx2_print_qinfo(); -} - diff --git a/src/network_inspectors/appid/test/process_http_test.cc b/src/network_inspectors/appid/test/process_http_test.cc deleted file mode 100644 index ed2232eda..000000000 --- a/src/network_inspectors/appid/test/process_http_test.cc +++ /dev/null @@ -1,513 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2016-2016 Cisco and/or its affiliates. All rights reserved. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -#include "appid_api.h" -#include "fw_appid.h" - -extern void appIdApiInit(struct AppIdApi*); - -AppIdApi appIdApi; - -static void appIdTestSetup() -{ -#ifdef REMOVED_WHILE_NOT_IN_USE - - testFilesPath = getenv("APPID_TESTS_PATH"); - - if (testFilesPath == nullptr) - { - printf("Env variable APPID_TESTS_PATH is not set. Exiting ...\n"); - exit(-1); - } - - strcpy(rnaConfPath, testFilesPath); - strcat(rnaConfPath, "/rna.conf"); - -#endif - -} - -#ifdef REMOVED_WHILE_NOT_IN_USE -#include -#include -#include - -#include - -#include "parser/mstring.h" - -#include "appid_config.h" - -#include "external_apis.h" -#include "fw_appid.h" -#include "session_file.h" - -#if 1 // FIXIT-M hacks -// not sure where this is defined; outside the appid tree probably -using ControlDataSendFunc = void (*)(); -#endif - -extern void AppIdReload(struct _SnortConfig* sc, char* args, void** new_config); -extern void* AppIdReloadSwap(struct _SnortConfig* sc, void* swap_config); -extern void AppIdReloadFree(void* old_context); -extern int AppIdReconfigure(uint16_t type, const uint8_t* data, uint32_t length, - void** new_context, - char* statusBuf, int statusBuf_len); -extern int AppIdReconfigureSwap(uint16_t type, void* new_context, void** old_context); -extern void AppIdReconfigureFree(uint16_t type, void* old_context, struct _THREAD_ELEMENT* te, - ControlDataSendFunc f); -#endif - -#ifdef REMOVED_WHILE_NOT_IN_USE -extern int processHTTPPacket(Packet* p, AppIdData* session, int direction, - HttpParsedHeaders* const headers, const AppIdConfig* pConfig); -extern void sfiph_build(Packet* p, const void* hdr, int family); -extern void pickHttpXffAddress(Packet* p, AppIdData* appIdSession, - ThirdPartyAppIDAttributeData* attribute_data); - -// FIXIT: use APIs instead of using global -extern AppIdData* pAppIdData; - -static char* testFilesPath = nullptr; -static char rnaConfPath[PATH_MAX] = { 0 }; - -static void testProcessHttpPacket(const char* useragent, const char* host, const char* referer, - const char* trailer) -{ - // FIXIT-M J these need to be cleared, probably - Packet p; - AppIdData session; - - char buf[1024]; - int bufLen; - - session.common.flags = 0x311380; - session.hsession = (decltype(session.hsession))snort_calloc(sizeof(httpSession)); - if (host) - { - session.hsession->host = snort_strdup(host); - strcpy(buf, "http://"); - strcat(buf, host); - if (trailer) - strcat(buf, trailer); - else - strcat(buf, "/"); - session.hsession->url = snort_strdup(buf); - } - if (useragent) - session.hsession->useragent = snort_strdup(useragent); - if (referer) - session.hsession->referer = snort_strdup(referer); - session.hsession->uri = snort_strdup("/"); - session.hsession->cookie = snort_strdup( - "s_vi=[CS]v1|25B026B7851D124A-6000012D802520B2[CE]; CG=US:MD:Laurel; mbox=check#true#1336576860|session#1336576799559-724714#1336578660; SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; ug=" - "4faa8b240a5fef0aa5147448c8005347; ugs=1; tnr:usrvtstg01=1336576805411%7C0%7C0%7C1%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C1%7Cf%7C" - "1%7C4%7C1336576805411; tnr:sesctmp01=1336576805411; s_cc=true; s_sq=%5B%5BB%5D%5D; adDEmas=R08&broadband&gblx.net&73&gbr&826027&0&10198&-&-&-&15275&; adDEon=true; s_ppv=13"); - session.serviceAppId = APP_ID_NONE; - session.payloadAppId = APP_ID_NONE; - session.tpPayloadAppId = 1190; - session.scan_flags = 0x26; - session.ClientAppId = 0; - - strcpy(buf, "GET / HTTP/1.1\r\n"); - strcat(buf, "Host: "); - strcat(buf, host); - strcat(buf, "\r\nUser-Agent: "); - strcat(buf, useragent); - if (referer) - { - strcat(buf, "\r\nReferer: "); - strcat(buf, referer); - } - strcat(buf, "\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"); - strcat(buf, - "Accept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"); - strcat(buf, "Keep-Alive: 115\r\nConnection: keep-alive\r\n"); - bufLen = strlen(buf); - strncat(buf, - "Cookie: s_vi=[CS]v1|25B026B7851D124A-6000012D802520B2[CE]; CG=US:MD:Laurel; mbox=check#true#1336576860|session#1336576799559-724714#1336578660; SelectedEdition=www; rsi_segs_ttn=A09801_10001|A09801_10313; ug=4faa8b240a5fef0aa5147448c8005347; ugs=1; tnr:usrvtstg01=1336576805411%7C0%7C0%7C1%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C1%7Cf%7C1%7C4%7C1336576805411; tnr:sesctmp01=1336576805411; s_cc=true; s_sq=%5B%5BB%5D%5D; adDEmas=R08&broadband&gblx.net&73&gbr&826027&0&10198&-&-&-&15275&; adDEon=true; s_ppv=13\r\n\r\n", - sizeof(buf) - bufLen - 1); - - p.data = (decltype(p.data))snort_strdup(buf); - p.dsize = strlen((const char*)p.data); - - processHTTPPacket(&p, &session, APP_ID_FROM_INITIATOR, nullptr, pAppidActiveConfig); - - if (host) - { - snort_free(session.hsession->host); - snort_free(session.hsession->url); - } - if (referer) - snort_free(session.hsession->referer); - if (useragent) - snort_free(session.hsession->useragent); - snort_free(session.hsession->uri); - snort_free(session.hsession->cookie); - snort_free(session.hsession); - - snort_free((uint8_t*)p.data); -} - -START_TEST(HttpTest) -{ - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - testProcessHttpPacket( - "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100715 Ubuntu/9.04 (jaunty) Firefox/3.6.7", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.1.17 (KHTML, like Gecko) Version/7.1 Safari/537.85.10", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)", - "www.cnn.com", - nullptr, nullptr); - - AppIdCommonFini(); -} - -END_TEST - -#ifdef REMOVED_WHILE_NOT_IN_USE -START_TEST(HttpAfterReloadTest) -{ - AppIdConfig* pNewConfig = nullptr; - AppIdConfig* pOldConfig = nullptr; - - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - AppIdReload(nullptr, nullptr, (void**)&pNewConfig); - pOldConfig = AppIdReloadSwap(nullptr, pNewConfig); - AppIdReloadFree(pOldConfig); - - testProcessHttpPacket( - "Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.346 Mobile Safari/534.11+", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36", - "www.cnn.com", - nullptr, nullptr); - - AppIdCommonFini(); -} - -END_TEST START_TEST(HttpAfterReconfigureTest) -{ - AppIdConfig* pNewConfig = nullptr; - AppIdConfig* pOldConfig = nullptr; - - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0); - AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig); - AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr); - - testProcessHttpPacket("Wget/1.9.1", - "www.cnn.com", - nullptr, nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30", - "www.cnn.com", - nullptr, nullptr); - - AppIdCommonFini(); -} - -END_TEST START_TEST(HttpAfterReloadReconfigureTest) -{ - AppIdConfig* pNewConfig = nullptr; - AppIdConfig* pOldConfig = nullptr; - - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); - - AppIdReload(nullptr, nullptr, (void**)&pNewConfig); - pOldConfig = AppIdReloadSwap(nullptr, pNewConfig); - AppIdReloadFree(pOldConfig); - - pNewConfig = nullptr; - pOldConfig = nullptr; - - AppIdReconfigure(0, nullptr, 0, (void**)&pNewConfig, nullptr, 0); - AppIdReconfigureSwap(0, pNewConfig, (void**)&pOldConfig); - AppIdReconfigureFree(0, pOldConfig, nullptr, nullptr); - - testProcessHttpPacket( - "Mozilla/5.0 (Linux; U; Android 4.0.3; ko-kr; LG-L160L Build/IML74K) AppleWebkit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30", - "www.123.com", - "http://www.cnn.com", nullptr); - testProcessHttpPacket( - "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100715 Ubuntu/9.04 (jaunty) Firefox/3.6.7", - "www.cnn.com", - nullptr, "/tech?a=1&b=2"); - - AppIdCommonFini(); -} - -END_TEST START_TEST(HttpXffTest) -{ - Packet p = { 0 }; - AppIdData session = { 0 }; - httpSession hsession = { 0 }; - ThirdPartyAppIDAttributeData tpData = { 0 }; - SFIP_RET status; - sfaddr_t* xffAddr = sfaddr_alloc("1.1.1.1", &status); - - // Only X-Forwarded-For - session.hsession = &hsession; - tpData.numXffFields = 1; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR; - tpData.xffFieldValue[0].value = "1.1.1.1"; - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - sfaddr_free(session.hsession->xffAddr); - - // Only True-Client-IP - memset(&p, 0, sizeof(p)); - memset(&session, 0, sizeof(session)); - memset(&hsession, 0, sizeof(hsession)); - memset(&tpData, 0, sizeof(tpData)); - session.hsession = &hsession; - tpData.numXffFields = 1; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_TRUE_CLIENT_IP; - tpData.xffFieldValue[0].value = "1.1.1.1"; - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - sfaddr_free(session.hsession->xffAddr); - - // X-Forwarded-For and True-Client-IP - memset(&p, 0, sizeof(p)); - memset(&session, 0, sizeof(session)); - memset(&hsession, 0, sizeof(hsession)); - memset(&tpData, 0, sizeof(tpData)); - session.hsession = &hsession; - tpData.numXffFields = 2; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_TRUE_CLIENT_IP; - tpData.xffFieldValue[0].value = "2.2.2.2"; - tpData.xffFieldValue[1].field = HTTP_XFF_FIELD_X_FORWARDED_FOR; - tpData.xffFieldValue[1].value = "1.1.1.1"; - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - sfaddr_free(session.hsession->xffAddr); - - // Comma-separated list in X-Forwarded-For - memset(&p, 0, sizeof(p)); - memset(&session, 0, sizeof(session)); - memset(&hsession, 0, sizeof(hsession)); - memset(&tpData, 0, sizeof(tpData)); - session.hsession = &hsession; - tpData.numXffFields = 1; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR; - tpData.xffFieldValue[0].value = snort_strdup("1.1.1.1, 2.2.2.2"); - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - snort_free(tpData.xffFieldValue[0].value); - sfaddr_free(session.hsession->xffAddr); - - // Custom XFF - static char* defaultXffPrecedence[] = { "Custom-XFF", HTTP_XFF_FIELD_X_FORWARDED_FOR, - HTTP_XFF_FIELD_TRUE_CLIENT_IP }; - memset(&p, 0, sizeof(p)); - memset(&session, 0, sizeof(session)); - memset(&hsession, 0, sizeof(hsession)); - memset(&tpData, 0, sizeof(tpData)); - session.hsession = &hsession; - session.hsession->xffPrecedence = defaultXffPrecedence; - session.hsession->numXffFields = 3; - tpData.numXffFields = 2; - tpData.xffFieldValue[0].field = HTTP_XFF_FIELD_X_FORWARDED_FOR; - tpData.xffFieldValue[0].value = "2.2.2.2"; - tpData.xffFieldValue[1].field = "Custom-XFF"; - tpData.xffFieldValue[1].value = "1.1.1.1"; - pickHttpXffAddress(&p, &session, &tpData); - ck_assert_int_eq(sfip_compare(session.hsession->xffAddr, xffAddr), SFIP_EQUAL); - sfaddr_free(session.hsession->xffAddr); - - sfaddr_free(xffAddr); - - snort_free((uint8_t*)p.data); -} - -#endif - -static void sessionTcaseSetup(void) -{ - memset(&appidStaticConfig, 0, sizeof(appidStaticConfig)); - - strcpy(appidStaticConfig.conf_file, rnaConfPath); - strcpy(appidStaticConfig.app_id_detector_path, testFilesPath); - - AppIdCommonInit(&appidStaticConfig); -} - -static void sessionTcaseClean(void) -{ - AppIdCommonFini(); -} - -static Suite* setupAppIdSuite(void) -{ - Suite* appIdSuite; - TCase* frameworkTcase; - TCase* httpTcase; - TCase* sessionTcase; - - appIdSuite = suite_create("AppId"); - - // Create Framework test case - frameworkTcase = tcase_create("FrameworkTestCase"); - tcase_add_checked_fixture(frameworkTcase, nullptr, nullptr); - - // Add tests to Framework test case - tcase_add_test(frameworkTcase, ConfigParseTest); - tcase_add_test(frameworkTcase, InitFiniTest); - tcase_add_test(frameworkTcase, ReloadTest); - tcase_add_test(frameworkTcase, ReconfigureTest); - - suite_add_tcase(appIdSuite, frameworkTcase); - - // Create Http test case - httpTcase = tcase_create("HttpTestCase"); - tcase_add_checked_fixture(httpTcase, nullptr, nullptr); - - // Add tests to Http test case - tcase_add_test(httpTcase, HttpTest); - tcase_add_test(httpTcase, HttpAfterReloadTest); - tcase_add_test(httpTcase, HttpAfterReconfigureTest); - tcase_add_test(httpTcase, HttpAfterReloadReconfigureTest); - tcase_add_test(httpTcase, HttpXffTest); - - suite_add_tcase(appIdSuite, httpTcase); - - // Create Session test case - sessionTcase = tcase_create("SessionTestCase"); - tcase_add_checked_fixture(sessionTcase, nullptr, nullptr); - - // Add tests to Session test case - tcase_add_test(sessionTcase, AimSessionTest); - tcase_add_test(sessionTcase, CnnSessionTest); - tcase_add_test(sessionTcase, DnsSessionTest); - tcase_add_test(sessionTcase, ImapSessionTest); - tcase_add_test(sessionTcase, MdnsSessionTest); - tcase_add_test(sessionTcase, MsnSessionTest); - tcase_add_test(sessionTcase, NetbiosNsSessionTest); - tcase_add_test(sessionTcase, NetbiosSsSessionTest); - tcase_add_test(sessionTcase, PatternSessionTest); - tcase_add_test(sessionTcase, Pop3SessionTest); - tcase_add_test(sessionTcase, RfbSessionTest); - tcase_add_test(sessionTcase, RtpSessionTest); - tcase_add_test(sessionTcase, SmtpSessionTest); - tcase_add_test(sessionTcase, TimbuktuSessionTest); - tcase_add_test(sessionTcase, WebexSessionTest); - tcase_add_test(sessionTcase, YmSessionTest); - - suite_add_tcase(appIdSuite, sessionTcase); - - return appIdSuite; -} - -#endif - -int main() -{ -#ifdef REMOVED_WHILE_NOT_IN_USE - int opt, debug = 0; - int numberFailed; - Suite* appIdSuite; - SRunner* appIdRunner; - - while ((opt = getopt(argc, argv, "dh")) != -1) - { - switch (opt) - { - case 'd': - debug = 1; - break; - case 'h': - printf( - "Usage:\n\ - -d: Run test in no fork mode for debugging in gdb.\n\ - -h: This text.\n"); - return EXIT_SUCCESS; - } - } -#endif - - appIdTestSetup(); - -#ifdef REMOVED_WHILE_NOT_IN_USE - // Create a test runner for AppId suite - appIdSuite = setupAppIdSuite(); - appIdRunner = srunner_create(appIdSuite); - - if (debug) - { - srunner_set_fork_status(appIdRunner, CK_NOFORK); - } - - // Set test results format to TAP and specify file name - srunner_set_tap(appIdRunner, "AppIdTests.tap~"); - - // Run test cases in AppId suite - srunner_run(appIdRunner, nullptr, "FrameworkTestCase", CK_NORMAL); - - system("cp AppIdTests.tap~ AppIdTests.tap"); - - srunner_run(appIdRunner, nullptr, "HttpTestCase", CK_NORMAL); - - system("cat AppIdTests.tap~ >> AppIdTests.tap"); - - sessionTcaseSetup(); - srunner_run(appIdRunner, nullptr, "SessionTestCase", CK_NORMAL); - sessionTcaseClean(); - - system("cat AppIdTests.tap~ >> AppIdTests.tap"); - - numberFailed = srunner_ntests_failed(appIdRunner); - srunner_free(appIdRunner); - return (numberFailed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; -#endif -} - diff --git a/src/network_inspectors/appid/test/rna.conf b/src/network_inspectors/appid/test/rna.conf deleted file mode 100644 index ed8dc94e4..000000000 --- a/src/network_inspectors/appid/test/rna.conf +++ /dev/null @@ -1,26 +0,0 @@ -# -# Configuration generated for NetworkDiscovery -# -# FIXIT - Look into converting these configuration options to lua -# -config ModuleDirectory /var/sf/detection_engines/812d18e2-1851-11e6-9201-d085f23f50f8/libs/rna -config OutputMethod serial -f rna.bin -t 86400 -s 20 -config Database sfsnort correlator correlator - -config MaxHostClientApps 16 -config MaxHostServices 100 -config MaxPayloads 100 -config MaxHostServiceInfo 16 - -protoid BannerGrab 0 -pnd UpdateTimeout 3600 -userConfig captureFailedLoginAttempts 1 -# START Export Rule - 1 (5e30e278-1852-11e6-a7db-e1e48cc1c54d) -# Device Analyze -config AnalyzeApplication 0.0.0.0/0 -1 -config AnalyzeApplication ::/0 -1 -# Device Source Service Exclusion -# Device Destination Service Exclusion -# END - - diff --git a/src/network_inspectors/appid/test/session_file.cc b/src/network_inspectors/appid/test/session_file.cc deleted file mode 100644 index f6f90bb88..000000000 --- a/src/network_inspectors/appid/test/session_file.cc +++ /dev/null @@ -1,513 +0,0 @@ -#include -#include "session_file.h" - -static void sessionFileAdd(void* session, SessionFileData* data); -static SessionFileData* sessionFileFind(void* session); -static void sessionDataDump(FILE* file, SessionControlBlock* scb); -static void packetDataDump(FILE* file, uint32_t packetCount, Packet* pkt); -static void sessionDataRead(FILE* file, SessionControlBlock* scb); -static int packetDataRead(FILE* file, Packet* pkt, HttpParsedHeaders** pHttpHeader); -static void readHttpHeaderItem(FILE* file, HEADER_LOCATION* headerLocation); - -static SFXHASH* sessionFiles = nullptr; - -void sessionFileInit(void) -{ - sessionFiles = sfxhash_new(2048, - sizeof(void*), - sizeof(SessionFileData), - 0, - 0, - nullptr, - nullptr, - 0); -} - -void sessionFileFini(void) -{ - SFXHASH_NODE* node; - SessionFileData* data; - - for (node = sfxhash_findfirst(sessionFiles); - node; - node = sfxhash_findnext(sessionFiles)) - { - data = (SessionFileData*)node->data; - fclose(data->file); - } - - sfxhash_delete(sessionFiles); - sessionFiles = nullptr; -} - -FILE* sessionFileProcess(Packet* pkt) -{ - static uint32_t packetCount = 0; - static uint32_t sessionCount = 0; - SessionFileData* pSessionFileData; - SessionFileData sessionFileData; - SessionControlBlock* scb = (SessionControlBlock*)pkt->stream_session; - - packetCount++; - - if (!scb) - { - printf("Ignoring packet %d\n", packetCount); - return nullptr; - } - - pSessionFileData = sessionFileFind(scb); - - if (!pSessionFileData) - { - pSessionFileData = &sessionFileData; - - sessionCount++; - sprintf(pSessionFileData->fileName, "session%d.ssn", sessionCount); - pSessionFileData->file = fopen(pSessionFileData->fileName, "w"); - pSessionFileData->packetCount = 1; - - sessionFileAdd(scb, pSessionFileData); - } - else - { - pSessionFileData->packetCount++; - } - - sessionDataDump(pSessionFileData->file, scb); - - packetDataDump(pSessionFileData->file, pSessionFileData->packetCount, pkt); - - return pSessionFileData->file; -} - -void sessionFileProcessHttp(Packet* pkt, HttpParsedHeaders* headers) -{ - FILE* file = sessionFileProcess(pkt); - - if (file == nullptr) - return; - - if (headers->host.len > 0) - { - fprintf(file, " %u %d ", PACKET_HTTP_HOST, headers->host.len); - fwrite(headers->host.start, 1, headers->host.len, file); - } - if (headers->url.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_URL, headers->url.len); - fwrite(headers->url.start, 1, headers->url.len, file); - } - if (headers->method.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_METHOD, headers->method.len); - fwrite(headers->method.start, 1, headers->method.len, file); - } - if (headers->userAgent.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_USER_AGENT, headers->userAgent.len); - fwrite(headers->userAgent.start, 1, headers->userAgent.len, file); - } - if (headers->referer.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_REFERER, headers->referer.len); - fwrite(headers->referer.start, 1, headers->referer.len, file); - } - if (headers->via.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_VIA, headers->via.len); - fwrite(headers->via.start, 1, headers->via.len, file); - } - if (headers->responseCode.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_RESPONSE_CODE, headers->responseCode.len); - fwrite(headers->responseCode.start, 1, headers->responseCode.len, file); - } - if (headers->server.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_SERVER, headers->server.len); - fwrite(headers->server.start, 1, headers->server.len, file); - } - if (headers->xWorkingWith.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_X_WORKING_WITH, headers->xWorkingWith.len); - fwrite(headers->xWorkingWith.start, 1, headers->xWorkingWith.len, file); - } - if (headers->contentType.len > 0) - { - fprintf(file, "\n %u %d ", PACKET_HTTP_CONTENT_TYPE, headers->contentType.len); - fwrite(headers->contentType.start, 1, headers->contentType.len, file); - } - fprintf(file, "\n"); -} - -void sessionFileReadSession(FILE* file, SessionControlBlock* scb) -{ - char buf[16]; - - while (true) - { - fscanf(file, "%s\n", buf); - - if (strcmp(buf, "Session:") == 0) - { - sessionDataRead(file, scb); - return; - } - } -} - -int sessionFileReadPacket(FILE* file, Packet* pkt, HttpParsedHeaders** pHttpHeader) -{ - char buf[16]; - - while (true) - { - fscanf(file, "%s\n", buf); - - if (strncmp(buf, "Packet", 6) == 0) - { - fgets(buf, 16, file); - return packetDataRead(file, pkt, pHttpHeader); - } - } -} - -static void sessionFileAdd(void* session, SessionFileData* data) -{ - sfxhash_add(sessionFiles, &session, data); -} - -static SessionFileData* sessionFileFind(void* session) -{ - return (SessionFileData*)sfxhash_find(sessionFiles, &session); -} - -static void sessionDataDump(FILE* file, SessionControlBlock* scb) -{ - fprintf(file, "Session:\n"); - fprintf(file, " %u %08X %08X %08X %08X\n", SESSION_CLIENT_IP_IA32, - scb->client_ip.ia32[0], - scb->client_ip.ia32[1], - scb->client_ip.ia32[2], - scb->client_ip.ia32[3]); - fprintf(file, " %u %u\n", SESSION_CLIENT_PORT, scb->client_port); - fprintf(file, " %u %u\n", SESSION_HA_STATE_SESSION_FLAGS, scb->ha_state.session_flags); -} - -static void packetDataDump(FILE* file, uint32_t packetCount, Packet* pkt) -{ - fprintf(file, "Packet %d:\n", packetCount); - - if (pkt->pkt_header) - { - fprintf(file, " %u %u\n", PACKET_PKT_HEADER_TS_TV_SEC, (unsigned - int)pkt->pkt_header->ts.tv_sec); - fprintf(file, " %u %d\n", PACKET_PKT_HEADER_INGRESS_GROUP, - pkt->pkt_header->ingress_group); - fprintf(file, " %u %u\n", PACKET_PKT_HEADER_PKTLEN, pkt->pkt_header->pktlen); - } - - if (pkt->tcp_header) - { - fprintf(file, " %u %u\n", PACKET_TCP_HEADER_SOURCE_PORT, pkt->tcp_header->source_port); - fprintf(file, " %u %u\n", PACKET_TCP_HEADER_FLAGS, pkt->tcp_header->flags); - } - - if (pkt->udp_header) - { - fprintf(file, " %u %u\n", PACKET_UDP_HEADER_SOURCE_PORT, pkt->udp_header->source_port); - } - - if (pkt->is_ip4()) - { - fprintf(file, " %u %08X %08X %08X %08X\n", PACKET_IP4H_IP_ADDRS_IP_SRC_IA32, - pkt->ip4h->ip_addrs->ip_src.ia32[0], - pkt->ip4h->ip_addrs->ip_src.ia32[1], - pkt->ip4h->ip_addrs->ip_src.ia32[2], - pkt->ip4h->ip_addrs->ip_src.ia32[3]); - fprintf(file, " %u %u\n", PACKET_IP4H_IP_ADDRS_IP_SRC_FAMILY, - pkt->ip4h->ip_addrs->ip_src.family); - fprintf(file, " %u %08X %08X %08X %08X\n", PACKET_IP4H_IP_ADDRS_IP_DST_IA32, - pkt->ip4h->ip_addrs->ip_dst.ia32[0], - pkt->ip4h->ip_addrs->ip_dst.ia32[1], - pkt->ip4h->ip_addrs->ip_dst.ia32[2], - pkt->ip4h->ip_addrs->ip_dst.ia32[3]); - fprintf(file, " %u %u\n", PACKET_IP4H_IP_ADDRS_IP_DST_FAMILY, - pkt->ip4h->ip_addrs->ip_dst.family); - fprintf(file, " %u %u\n", PACKET_IP4H_IP_PROTO, pkt->ip4h->ip_proto); - } - - if (pkt->ip6h) - { - fprintf(file, " %u %08X %08X %08X %08X\n", PACKET_IP6H_IP_ADDRS_IP_SRC_IA32, - pkt->ip6h->ip_addrs->ip_src.ia32[0], - pkt->ip6h->ip_addrs->ip_src.ia32[1], - pkt->ip6h->ip_addrs->ip_src.ia32[2], - pkt->ip6h->ip_addrs->ip_src.ia32[3]); - fprintf(file, " %u %u\n", PACKET_IP6H_IP_ADDRS_IP_SRC_FAMILY, - pkt->ip6h->ip_addrs->ip_src.family); - fprintf(file, " %u %08X %08X %08X %08X\n", PACKET_IP6H_IP_ADDRS_IP_DST_IA32, - pkt->ip6h->ip_addrs->ip_dst.ia32[0], - pkt->ip6h->ip_addrs->ip_dst.ia32[1], - pkt->ip6h->ip_addrs->ip_dst.ia32[2], - pkt->ip6h->ip_addrs->ip_dst.ia32[3]); - fprintf(file, " %u %u\n", PACKET_IP6H_IP_ADDRS_IP_DST_FAMILY, - pkt->ip6h->ip_addrs->ip_dst.family); - } - - fprintf(file, " %u %u\n", PACKET_FAMILY, pkt->family); - fprintf(file, " %u %08X\n", PACKET_FLAGS, pkt->flags); - fprintf(file, " %u %u\n", PACKET_SRC_PORT, pkt->src_port); - fprintf(file, " %u %u\n", PACKET_DST_PORT, pkt->dst_port); - if (pkt->payload_size) - { - fprintf(file, " %u %u ", PACKET_PAYLOAD, pkt->payload_size); - fwrite(pkt->payload, 1, pkt->payload_size, file); - fprintf(file, "\n"); - } -} - -void sessionDataRead(FILE* file, SessionControlBlock* scb) -{ - int match; - uint32_t type; - - while (true) - { - match = fscanf(file, "%u", &type); - - if ((match == EOF) || (match == 0)) - return; - - switch (type) - { - case SESSION_CLIENT_IP_IA32: - fscanf(file, "%x", &scb->client_ip.ia32[0]); - fscanf(file, "%x", &scb->client_ip.ia32[1]); - fscanf(file, "%x", &scb->client_ip.ia32[2]); - fscanf(file, "%x\n", &scb->client_ip.ia32[3]); - break; - case SESSION_CLIENT_PORT: - fscanf(file, "%u\n", (unsigned int*)&scb->client_port); - break; - case SESSION_HA_STATE_SESSION_FLAGS: - fscanf(file, "%u\n", &scb->ha_state.session_flags); - break; - default: - printf("Unknown session field\n"); - break; - } - } -} - -// FIXIT - M Must check to ensure memory allocated by snort_calloc's below is freed when -// the tests complete -static int packetDataRead(FILE* file, Packet* pkt, HttpParsedHeaders** pHttpHeader) -{ - static SFDAQ_PktHdr_t pkt_header = { 0 }; - static TCPHeader tcp_header = { 0 }; - static UDPHeader udp_header = { 0 }; - static IP4Hdr ip4h = { 0 }; - static IP6Hdr ip6h = { 0 }; - static IPAddresses ip4_addrs = { 0 }; - static IPAddresses ip6_addrs = { 0 }; - int match; - uint32_t type; - - memset(&pkt_header, 0, sizeof(pkt_header)); - memset(&tcp_header, 0, sizeof(tcp_header)); - memset(&udp_header, 0, sizeof(udp_header)); - memset(&ip4h, 0, sizeof(ip4h)); - memset(&ip6h, 0, sizeof(ip6h)); - memset(&ip4_addrs, 0, sizeof(ip4_addrs)); - memset(&ip6_addrs, 0, sizeof(ip6_addrs)); - - while (true) - { - match = fscanf(file, "%u", &type); - - if (match == EOF) - return -1; - if (match == 0) - return 0; - - switch (type) - { - case PACKET_PKT_HEADER_TS_TV_SEC: - pkt->pkt_header = &pkt_header; - fscanf(file, "%u\n", (unsigned int*)&pkt_header.ts.tv_sec); - break; - case PACKET_PKT_HEADER_INGRESS_GROUP: - pkt->pkt_header = &pkt_header; - fscanf(file, "%u\n", &pkt_header.ingress_group); - break; - case PACKET_PKT_HEADER_PKTLEN: - pkt->pkt_header = &pkt_header; - fscanf(file, "%u\n", &pkt_header.pktlen); - break; - case PACKET_TCP_HEADER_SOURCE_PORT: - pkt->tcp_header = &tcp_header; - fscanf(file, "%u\n", (unsigned int*)&tcp_header.source_port); - break; - case PACKET_TCP_HEADER_FLAGS: - pkt->tcp_header = &tcp_header; - fscanf(file, "%u\n", (unsigned int*)&tcp_header.flags); - break; - case PACKET_UDP_HEADER_SOURCE_PORT: - pkt->udp_header = &udp_header; - fscanf(file, "%u\n", (unsigned int*)&udp_header.source_port); - break; - case PACKET_IP4H_IP_ADDRS_IP_SRC_IA32: - ip4h.ip_addrs = &ip4_addrs; - pkt->ip4h = &ip4h; - - fscanf(file, "%x", &ip4_addrs.ip_src.ia32[0]); - fscanf(file, "%x", &ip4_addrs.ip_src.ia32[1]); - fscanf(file, "%x", &ip4_addrs.ip_src.ia32[2]); - fscanf(file, "%x\n", &ip4_addrs.ip_src.ia32[3]); - break; - case PACKET_IP4H_IP_ADDRS_IP_SRC_FAMILY: - ip4h.ip_addrs = &ip4_addrs; - pkt->ip4h = &ip4h; - - fscanf(file, "%u\n", (unsigned int*)&ip4_addrs.ip_src.family); - break; - case PACKET_IP4H_IP_ADDRS_IP_DST_IA32: - ip4h.ip_addrs = &ip4_addrs; - pkt->ip4h = &ip4h; - - fscanf(file, "%x", &ip4_addrs.ip_dst.ia32[0]); - fscanf(file, "%x", &ip4_addrs.ip_dst.ia32[1]); - fscanf(file, "%x", &ip4_addrs.ip_dst.ia32[2]); - fscanf(file, "%x\n", &ip4_addrs.ip_dst.ia32[3]); - break; - case PACKET_IP4H_IP_ADDRS_IP_DST_FAMILY: - ip4h.ip_addrs = &ip4_addrs; - pkt->ip4h = &ip4h; - - fscanf(file, "%u\n", (unsigned int*)&ip4_addrs.ip_dst.family); - break; - case PACKET_IP4H_IP_PROTO: - ip4h.ip_addrs = &ip4_addrs; - pkt->ip4h = &ip4h; - - fscanf(file, "%u\n", (unsigned int*)&ip4h.ip_proto); - break; - case PACKET_IP6H_IP_ADDRS_IP_SRC_IA32: - ip6h.ip_addrs = &ip6_addrs; - pkt->ip6h = &ip6h; - - fscanf(file, "%x", &ip6_addrs.ip_src.ia32[0]); - fscanf(file, "%x", &ip6_addrs.ip_src.ia32[1]); - fscanf(file, "%x", &ip6_addrs.ip_src.ia32[2]); - fscanf(file, "%x\n", &ip6_addrs.ip_src.ia32[3]); - break; - case PACKET_IP6H_IP_ADDRS_IP_SRC_FAMILY: - ip6h.ip_addrs = &ip6_addrs; - pkt->ip6h = &ip6h; - - fscanf(file, "%u\n", (unsigned int*)&ip6_addrs.ip_src.family); - break; - case PACKET_IP6H_IP_ADDRS_IP_DST_IA32: - ip6h.ip_addrs = &ip6_addrs; - pkt->ip6h = &ip6h; - - fscanf(file, "%x", &ip6_addrs.ip_dst.ia32[0]); - fscanf(file, "%x", &ip6_addrs.ip_dst.ia32[1]); - fscanf(file, "%x", &ip6_addrs.ip_dst.ia32[2]); - fscanf(file, "%x\n", &ip6_addrs.ip_dst.ia32[3]); - break; - case PACKET_IP6H_IP_ADDRS_IP_DST_FAMILY: - ip6h.ip_addrs = &ip6_addrs; - pkt->ip6h = &ip6h; - - fscanf(file, "%u\n", (unsigned int*)&ip6_addrs.ip_dst.family); - break; - case PACKET_FAMILY: - fscanf(file, "%u\n", &pkt->family); - break; - case PACKET_FLAGS: - fscanf(file, "%x\n", &pkt->flags); - break; - case PACKET_SRC_PORT: - fscanf(file, "%u\n", (unsigned int*)&pkt->src_port); - break; - case PACKET_DST_PORT: - fscanf(file, "%u\n", (unsigned int*)&pkt->dst_port); - break; - case PACKET_PAYLOAD: - fscanf(file, "%u", (unsigned int*)&pkt->payload_size); - fgetc(file); - pkt->payload = snort_calloc(sizeof(char)* pkt->payload_size); - fread((uint8_t*)pkt->payload, 1, pkt->payload_size, file); - break; - case PACKET_HTTP_HOST: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->host); - break; - case PACKET_HTTP_URL: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->url); - break; - case PACKET_HTTP_METHOD: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->method); - break; - case PACKET_HTTP_USER_AGENT: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->userAgent); - break; - case PACKET_HTTP_REFERER: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->referer); - break; - case PACKET_HTTP_VIA: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->via); - break; - case PACKET_HTTP_RESPONSE_CODE: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->responseCode); - break; - case PACKET_HTTP_SERVER: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->server); - break; - case PACKET_HTTP_X_WORKING_WITH: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->xWorkingWith); - break; - case PACKET_HTTP_CONTENT_TYPE: - if (!(*pHttpHeader)) - *pHttpHeader = snort_calloc(sizeof(HttpParsedHeaders)); - readHttpHeaderItem(file, &(*pHttpHeader)->contentType); - break; - default: - printf("Unknown packet field\n"); - break; - } - } -} - -static void readHttpHeaderItem(FILE* file, HEADER_LOCATION* headerLocation) -{ - uint8_t* start; - - fscanf(file, "%u", &headerLocation->len); - start = snort_calloc(headerLocation->len + 1); - fgetc(file); - fread(start, 1, headerLocation->len, file); - start[headerLocation->len] = '\0'; - headerLocation->start = start; -} - diff --git a/src/network_inspectors/appid/test/session_file.h b/src/network_inspectors/appid/test/session_file.h deleted file mode 100644 index dbf931d27..000000000 --- a/src/network_inspectors/appid/test/session_file.h +++ /dev/null @@ -1,169 +0,0 @@ -//-------------------------------------------------------------------------- -// Copyright (C) 2015-2016 Cisco and/or its affiliates. All rights reserved. -// -// This program is free software; you can redistribute it and/or modify it -// under the terms of the GNU General Public License Version 2 as published -// by the Free Software Foundation. You may not use, modify or distribute -// this program under any other version of the GNU General Public License. -// -// This program is distributed in the hope that it will be useful, but -// WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -// General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -//-------------------------------------------------------------------------- - -// session_file.h author Shravan Rangarajuvenkata - -#ifndef SESSION_FILE_H -#define SESSION_FILE_H - -#include - -#define MAX_APP_PROTOCOL_ID 4 - -struct HttpParsedHeaders; -struct Packet; -struct SessionKey; -struct StreamAppData; - -enum SessionField -{ - SESSION_CLIENT_IP_IA32 = 1000, - SESSION_CLIENT_PORT, - SESSION_HA_STATE_SESSION_FLAGS -}; - -enum tPktField -{ - PACKET_PKT_HEADER_TS_TV_SEC = 1000, - PACKET_PKT_HEADER_INGRESS_GROUP, - PACKET_PKT_HEADER_PKTLEN, - - PACKET_TCP_HEADER_SOURCE_PORT = 2000, - PACKET_TCP_HEADER_FLAGS, - PACKET_UDP_HEADER_SOURCE_PORT, - - PACKET_IP4H_IP_ADDRS_IP_SRC_IA32 = 3000, - PACKET_IP4H_IP_ADDRS_IP_SRC_FAMILY, - PACKET_IP4H_IP_ADDRS_IP_DST_IA32, - PACKET_IP4H_IP_ADDRS_IP_DST_FAMILY, - PACKET_IP4H_IP_PROTO, - - PACKET_FAMILY = 4000, - PACKET_FLAGS, - PACKET_SRC_PORT, - PACKET_DST_PORT, - PACKET_PAYLOAD, - - PACKET_HTTP_HOST = 5000, - PACKET_HTTP_URL, - PACKET_HTTP_METHOD, - PACKET_HTTP_USER_AGENT, - PACKET_HTTP_REFERER, - PACKET_HTTP_VIA, - PACKET_HTTP_RESPONSE_CODE, - PACKET_HTTP_SERVER, - PACKET_HTTP_X_WORKING_WITH, - PACKET_HTTP_CONTENT_TYPE, - - PACKET_IP6H_IP_ADDRS_IP_SRC_IA32 = 6000, - PACKET_IP6H_IP_ADDRS_IP_SRC_FAMILY, - PACKET_IP6H_IP_ADDRS_IP_DST_IA32, - PACKET_IP6H_IP_ADDRS_IP_DST_FAMILY -}; - -struct SessionFileData -{ - uint32_t packetCount; - FILE* file; - char fileName[16]; -}; - -struct MPLS_Hdr -{ - uint16_t length; - uint8_t* start; -}; - -// FIXIT-M: Temporary structs and defines for initial appid port. -using tSfPolicyId = int; -#define SE_MAX 255 -struct StreamHAState { }; -// END FIXIT-M - -struct SessionControlBlock -{ - SessionKey* key; - - //MemBucket *proto_specific_data; - void* proto_specific_data; - StreamAppData* appDataList; - - //MemBucket *flowdata; /* add flowbits */ - void* flowdata; /* add flowbits */ - - long last_data_seen; - uint64_t expire_time; - - tSfPolicyId napPolicyId; - tSfPolicyId ipsPolicyId; - bool ips_os_selected; - //SessionConfiguration *session_config; - void* session_config; - void* stream_config; - void* proto_policy; - - //PreprocEnableMask enabled_pps; - uint32_t enabled_pps; - //PreprocEvalFuncNode *initial_pp; - void* initial_pp; - - uint16_t session_state; - uint8_t handler[SE_MAX]; - sfaddr_t client_ip; // FIXTHIS family and bits should be changed to uint16_t - sfaddr_t server_ip; // or uint8_t to reduce sizeof from 24 to 20 - uint16_t client_port; - uint16_t server_port; - bool port_guess; - - uint8_t protocol; - - uint8_t inner_client_ttl; - uint8_t inner_server_ttl; - uint8_t outer_client_ttl; - uint8_t outer_server_ttl; - - StreamHAState ha_state; - StreamHAState cached_ha_state; - - struct timeval ha_next_update; - uint8_t ha_pending_mask; - uint8_t ha_flags; - - bool session_established; - bool new_session; - - // pointers for linking into list of oneway sessions - struct _SessionControlBlock* ows_prev; - struct _SessionControlBlock* ows_next; - bool in_oneway_list; - - int16_t app_protocol_id[MAX_APP_PROTOCOL_ID]; - - MPLS_Hdr* clientMplsHeader; - MPLS_Hdr* serverMplsHeader; -}; - -void sessionFileInit(); -void sessionFileFini(); -FILE* sessionFileProcess(Packet*); -void sessionFileProcessHttp(Packet*, HttpParsedHeaders*); -void sessionFileReadSession(FILE*, SessionControlBlock*); -int sessionFileReadPacket(FILE*, Packet*, HttpParsedHeaders**); - -#endif - diff --git a/src/network_inspectors/appid/test/sf_iph.cc b/src/network_inspectors/appid/test/sf_iph.cc deleted file mode 100644 index bdf4e6ab9..000000000 --- a/src/network_inspectors/appid/test/sf_iph.cc +++ /dev/null @@ -1,491 +0,0 @@ -/* $Id: sf_iph.c,v 1.2 2015/03/25 14:45:18 andrbake Exp $ */ -/**************************************************************************** - * - * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. - * Copyright (C) 2007-2013 Sourcefire, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License Version 2 as - * published by the Free Software Foundation. You may not use, modify or - * distribute this program under any other version of the GNU General - * Public License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - ****************************************************************************/ - -#include -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif -#include "decode.h" - -#define FAILURE -1 -#define SUCCESS 0 -#define IP6_HEADER_LEN 40 - -/* Version is the first four bits of the uint32_t passed in */ -#define IP6_VER(x) \ - (ntohl(x) >> 28) - -/* The 'Packet' structure is almost always allocated on the stack. - * Likewise, return buffers will almost always be aswell. - * So, for performance reasons, argument validation can be disabled - * and removed from the code at compile time to prevent unecessary extra - * conditionals from being checked at run-time. */ -#define ERR_CHK_LVL 0 -#if ERR_CHK_LVL == 2 -#define VALIDATE(x,y) if (!x || !y) return FAILURE; -#elif ERR_CHK_LVL == 1 -#define VALIDATE(x,y) if (!y) return FAILURE; -#else -#define VALIDATE(x,y) -#endif - -sfaddr_t* ip6_ret_src(const Packet* p) -{ - VALIDATE(p, 1); - - return &p->ip6h->ip_addrs->ip_src; -} - -sfaddr_t* orig_ip6_ret_src(const Packet* p) -{ - VALIDATE(p, 1); - - return &p->orig_ip6h->ip_addrs->ip_src; -} - -sfaddr_t* ip6_ret_dst(const Packet* p) -{ - VALIDATE(p, 1); - - return &p->ip6h->ip_addrs->ip_dst; -} - -sfaddr_t* orig_ip6_ret_dst(const Packet* p) -{ - VALIDATE(p, 1); - - return &p->orig_ip6h->ip_addrs->ip_dst; -} - -uint16_t ip6_ret_toc(const Packet* p) -{ - uint16_t toc; - VALIDATE(p,1); - - toc = (uint16_t)((ntohl(p->ip6h->vcl) & 0x0FF00000) >> 20); - - return toc; -} - -uint16_t orig_ip6_ret_toc(const Packet* p) -{ - uint16_t toc; - VALIDATE(p,1); - - toc = (uint16_t)((ntohl(p->orig_ip6h->vcl) & 0x0FF00000) >> 20); - return toc; -} - -uint8_t ip6_ret_hops(const Packet* p) -{ -// VALIDATE(p,1); - - return p->ip6h->hop_lmt; -} - -uint8_t orig_ip6_ret_hops(const Packet* p) -{ -// VALIDATE(p,1); - - return p->orig_ip6h->hop_lmt; -} - -uint16_t ip6_ret_len(const Packet* p) -{ - VALIDATE(p,1); - - /* The length field does not include the header in IPv6, but does in IPv4. - * To make this analogous to IPv4, for Snort's purposes, we need to tack - * on the difference. */ - return p->ip6h->len; -} - -uint16_t orig_ip6_ret_len(const Packet* p) -{ - VALIDATE(p,1); - - return p->orig_ip6h->len; -} - -uint32_t ip6_ret_id(const Packet* p) -{ - IP6Frag* frag_hdr; - if (p->ip6_extension_count == 0) - return 0; - - frag_hdr = (IP6Frag*)p->ip6_extensions[p->ip6_frag_index].data; - - return frag_hdr->ip6f_ident; -} - -uint32_t orig_ip6_ret_id(const Packet* p) -{ -// XXX-IPv6 "NOT YET IMPLEMENTED - IP6 identification" - return 0; -} - -uint8_t ip6_ret_next(const Packet* p) -{ - VALIDATE(p,1); - return p->ip6h->next; -} - -uint8_t orig_ip6_ret_next(const Packet* p) -{ - VALIDATE(p,1); - return p->orig_ip6h->next; -} - -uint16_t ip6_ret_off(const Packet* p) -{ - IP6Frag* frag_hdr; - if (p->ip6_extension_count == 0) - return 0; - - frag_hdr = (IP6Frag*)p->ip6_extensions[p->ip6_frag_index].data; - - return frag_hdr->ip6f_offlg; -} - -uint16_t orig_ip6_ret_off(const Packet* p) -{ -// XXX-IPv6 "NOT YET IMPLEMENTED - IP6 frag offset" - return 0; -} - -uint8_t ip6_ret_ver(const Packet* p) -{ - return (uint8_t)IP6_VER(p->ip6h->vcl); -} - -uint8_t orig_ip6_ret_ver(const Packet* p) -{ - return (uint8_t)IP6_VER(p->orig_ip6h->vcl); -} - -sfaddr_t* ip4_ret_dst(const Packet* p) -{ - VALIDATE(p,1); - return &p->ip4h->ip_addrs->ip_dst; -} - -sfaddr_t* orig_ip4_ret_dst(const Packet* p) -{ - VALIDATE(p,1); - return &p->orig_ip4h->ip_addrs->ip_dst; -} - -sfaddr_t* ip4_ret_src(const Packet* p) -{ - VALIDATE(p,1); - return &p->ip4h->ip_addrs->ip_src; -} - -sfaddr_t* orig_ip4_ret_src(const Packet* p) -{ - VALIDATE(p,1); - return &p->orig_ip4h->ip_addrs->ip_src; -} - -uint16_t ip4_ret_tos(const Packet* p) -{ - VALIDATE(p,1); - - return p->ip4h->ip_tos; -} - -uint16_t orig_ip4_ret_tos(const Packet* p) -{ - VALIDATE(p,1); - - return p->orig_ip4h->ip_tos; -} - -uint8_t ip4_ret_ttl(const Packet* p) -{ - VALIDATE(p,1); - - return p->ip4h->ip_ttl; -} - -uint8_t orig_ip4_ret_ttl(const Packet* p) -{ - VALIDATE(p,1); - - return p->orig_ip4h->ip_ttl; -} - -uint16_t ip4_ret_len(const Packet* p) -{ - VALIDATE(p,1); - - return p->ip4h->ip_len; -} - -uint16_t orig_ip4_ret_len(const Packet* p) -{ - VALIDATE(p,1); - - return p->orig_ip4h->ip_len; -} - -uint32_t ip4_ret_id(const Packet* p) -{ - VALIDATE(p,1); - - return (uint32_t)p->ip4h->ip_id; -} - -uint32_t orig_ip4_ret_id(const Packet* p) -{ - VALIDATE(p,1); - - return (uint32_t)p->orig_ip4h->ip_id; -} - -uint8_t ip4_ret_proto(const Packet* p) -{ - // VALIDATION() - - return p->ip4h->ip_proto; -} - -uint8_t orig_ip4_ret_proto(const Packet* p) -{ - // VALIDATION() - - return p->orig_ip4h->ip_proto; -} - -uint16_t ip4_ret_off(const Packet* p) -{ - return p->ip4h->ip_off; -} - -uint16_t orig_ip4_ret_off(const Packet* p) -{ - return p->orig_ip4h->ip_off; -} - -uint8_t ip4_ret_ver(const Packet* p) -{ - return IP_VER(p->iph); -} - -uint8_t orig_ip4_ret_ver(const Packet* p) -{ - return IP_VER(p->orig_iph); -} - -uint8_t ip4_ret_hlen(const Packet* p) -{ - return IP_HLEN(p->iph); -} - -uint8_t orig_ip4_ret_hlen(const Packet* p) -{ - return IP_HLEN(p->orig_iph); -} - -uint8_t ip6_ret_hlen(const Packet* p) -{ - /* Snort is expecting this number to be in terms of 32 bit words */ - return IP6_HDR_LEN / 4; -} - -uint8_t orig_ip6_ret_hlen(const Packet* p) -{ - return IP6_HDR_LEN / 4; -} - -IPH_API ip4 = -{ - ip4_ret_src, - ip4_ret_dst, - ip4_ret_tos, - ip4_ret_ttl, - ip4_ret_len, - ip4_ret_id, - ip4_ret_proto, - ip4_ret_off, - ip4_ret_ver, - ip4_ret_hlen, - - orig_ip4_ret_src, - orig_ip4_ret_dst, - orig_ip4_ret_tos, - orig_ip4_ret_ttl, - orig_ip4_ret_len, - orig_ip4_ret_id, - orig_ip4_ret_proto, - orig_ip4_ret_off, - orig_ip4_ret_ver, - orig_ip4_ret_hlen, - - IPH_API_V4 -}; - -IPH_API ip6 = -{ - ip6_ret_src, - ip6_ret_dst, - ip6_ret_toc, - ip6_ret_hops, - ip6_ret_len, - ip6_ret_id, - ip6_ret_next, - ip6_ret_off, - ip6_ret_ver, - ip6_ret_hlen, - - orig_ip6_ret_src, - orig_ip6_ret_dst, - orig_ip6_ret_toc, - orig_ip6_ret_hops, - orig_ip6_ret_len, - orig_ip6_ret_id, - orig_ip6_ret_next, - orig_ip6_ret_off, - orig_ip6_ret_ver, - orig_ip6_ret_hlen, - - IPH_API_V6 -}; - -static inline void _set_callbacks(struct _Packet* p, int family, char orig) -{ - if ( !orig ) - { - if (family == AF_INET) - p->iph_api = &ip4; - else - p->iph_api = &ip6; - - p->family = family; - } - else - { - if (family == AF_INET) - p->orig_iph_api = &ip4; - else - p->orig_iph_api = &ip6; - - p->orig_family = family; - } -} - -void set_callbacks(struct _Packet* p, int family, char orig) -{ - _set_callbacks(p, family, orig); -} - -void sfiph_build(Packet* p, const void* hdr, int family) -{ - if (!p) - return; - - _set_callbacks(p, family, CALLBACK_IP); -} - -void sfiph_orig_build(Packet* p, const void* hdr, int family) -{ - IP6RawHdr* hdr6; - IPHdr* hdr4; - - if (!p || !hdr) - return; - - /* If iph_api is already set, we've been here before. - * That means this is a nested IP. */ - if (p->orig_iph_api) - { - memcpy(&p->outer_orig_ips, &p->inner_orig_ips, sizeof(p->outer_orig_ips)); - if (p->orig_iph_api->ver == IPH_API_V4) - { - memcpy(&p->outer_orig_ip4h, &p->inner_orig_ip4h, - sizeof(p->outer_orig_ip4h) - sizeof(p->outer_orig_ip4h.ip_addrs)); - p->outer_orig_ip4h.ip_addrs = &p->outer_orig_ips; - p->outer_orig_iph_api = p->orig_iph_api; - } - else if (p->orig_iph_api->ver == IPH_API_V6) - { - memcpy(&p->outer_orig_ip6h, &p->inner_orig_ip6h, - sizeof(p->outer_orig_ip6h) - sizeof(p->outer_orig_ip6h.ip_addrs)); - p->outer_orig_ip6h.ip_addrs = &p->outer_orig_ips; - p->outer_orig_iph_api = p->orig_iph_api; - } - } - - _set_callbacks(p, family, CALLBACK_ICMP_ORIG); - - if (family == AF_INET) - { - hdr4 = (IPHdr*)hdr; - - /* The struct Snort uses is identical to the actual IP6 struct, - * with the exception of the IP addresses. Copy over everything but - * the IPs */ - memcpy(&p->inner_orig_ip4h, hdr4, sizeof(IPHdr) - 8); - sfip_set_raw(&p->inner_orig_ips.ip_src, &hdr4->ip_src, family); - sfip_set_raw(&p->inner_orig_ips.ip_dst, &hdr4->ip_dst, family); - p->inner_orig_ip4h.ip_addrs = &p->inner_orig_ips; - p->actual_ip_len = ntohs(p->inner_orig_ip4h.ip_len); - p->orig_ip4h = &p->inner_orig_ip4h; - } - else - { - hdr6 = (IP6RawHdr*)hdr; - - /* The struct Snort uses is identical to the actual IP6 struct, - * with the exception of the IP addresses. Copy over everything but - * the IPs*/ - memcpy(&p->inner_orig_ip6h, hdr6, sizeof(IP6RawHdr) - 32); - sfip_set_raw(&p->inner_orig_ips.ip_src, &hdr6->ip6_src, family); - sfip_set_raw(&p->inner_orig_ips.ip_dst, &hdr6->ip6_dst, family); - p->inner_orig_ip6h.ip_addrs = &p->inner_orig_ips; - p->actual_ip_len = ntohs(p->inner_orig_ip6h.len) + IP6_HDR_LEN; - p->orig_ip6h = &p->inner_orig_ip6h; - } -} - -#ifdef TESTER -int main() -{ - Packet p; - IP4Hdr i4; - IP6Hdr i6; - - /* This test assumes we get an IPv4 packet and verifies - * that the correct callbacks are setup, and they return - * the correct values. */ - - _set_callbacks(&p, AF_INET, CALLBACK_IP); - - /* Same test as above, but with IPv6 */ - _set_callbacks(&p, AF_INET6, CALLBACK_IP); - - return 0; -} - -#endif - diff --git a/src/network_inspectors/appid/test/snort.lua b/src/network_inspectors/appid/test/snort.lua deleted file mode 100644 index 5700dbf47..000000000 --- a/src/network_inspectors/appid/test/snort.lua +++ /dev/null @@ -1,47 +0,0 @@ ---------------------------------------------------------------------------- --- Snort++ prototype configuration ---------------------------------------------------------------------------- - ---------------------------------------------------------------------------- --- setup environment ---------------------------------------------------------------------------- --- given: --- export DIR=/install/path --- configure --prefix=$DIR --- make install --- --- then: --- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\; --- export SNORT_LUA_PATH=$DIR/conf/ ---------------------------------------------------------------------------- - - - -require("snort_config") - -dir = os.getenv('SNORT_LUA_PATH') - -if ( not dir ) then - dir = '.' -end - -dofile(dir .. '/snort_defaults.lua') - - -appid = -{ - conf = 'rna.conf', - memcap = 15856401, - app_detector_dir = '/var/sf/appid', - thirdparty_appid_dir = '/var/sf/appid/thirdparty_appid', - app_stats_filename = '/var/sf/appid/appid_stats.log', - app_stats_period = 3600, - app_stats_rollover_size = 100000000, - app_stats_rollover_time = 12, - instance_id = 222, - debug = true, - dump_ports = true, -} - - - diff --git a/src/network_inspectors/appid/thirdparty_appid_api.h b/src/network_inspectors/appid/thirdparty_appid_api.h index 4d43ec787..9414f9154 100644 --- a/src/network_inspectors/appid/thirdparty_appid_api.h +++ b/src/network_inspectors/appid/thirdparty_appid_api.h @@ -56,16 +56,8 @@ using ThirdPartyAppIDModReconfigure = int(*)(ThirdPartyConfig*); using ThirdPartyAppIDModFini = int(*)(); using ThirdPartyAppIDSessionCreate = void*(*)(); using ThirdPartyAppIDSessionDelete = int(*)(void* tpsession, int just_reset_state); -// FIXIT-L J use references for output parameters -using ThirdPartyAppIDSessionProcess = int(*)( - void* tpsession, // in - Packet*, // in - int direction, // in - AppId*, // out - int* confidence, // out - AppId** proto_list, // out - ThirdPartyAppIDAttributeData** attribute_data // out -); +using ThirdPartyAppIDSessionProcess = int(*)( void* tpsession, Packet*, int direction, // in + AppId*, int* confidence, AppId** proto_list, ThirdPartyAppIDAttributeData** attribute_data ); using ThirdPartyAppIDPrintStats = int(*)(); using ThirdPartyAppIDResetStats = int(*)(); using ThirdPartyAppIDDisableFlags = int(*)(void* tpsession, uint32_t session_flags); diff --git a/src/network_inspectors/appid/thirdparty_appid_types.h b/src/network_inspectors/appid/thirdparty_appid_types.h index 8fa2b2f8b..774d594ec 100644 --- a/src/network_inspectors/appid/thirdparty_appid_types.h +++ b/src/network_inspectors/appid/thirdparty_appid_types.h @@ -23,10 +23,7 @@ #define THIRDPARTY_APPID_TYPES_H #include - -// FIXIT-H J pulled from session_api.h include tree. -// this belongs somewhere else... -#define HTTP_MAX_XFF_FIELDS 255 +#include "http_common.h" #define TP_SESSION_FLAG_DPI 0x00000001 #define TP_SESSION_FLAG_MUTABLE 0x00000002 diff --git a/src/network_inspectors/appid/thirdparty_appid_utils.cc b/src/network_inspectors/appid/thirdparty_appid_utils.cc index 067a84df7..39149d36f 100644 --- a/src/network_inspectors/appid/thirdparty_appid_utils.cc +++ b/src/network_inspectors/appid/thirdparty_appid_utils.cc @@ -34,9 +34,8 @@ THREAD_LOCAL void* module_handle = nullptr; THREAD_LOCAL struct ThirdPartyConfig thirdpartyConfig; THREAD_LOCAL ThirdPartyAppIDModule* thirdparty_appid_module = nullptr; -// FIXIT-L: these need to be define or otherwise obtained... -static char* defaultXffFields[] = { nullptr /* HTTP_XFF_FIELD_X_FORWARDED_FOR, */ - /* HTTP_XFF_FIELD_TRUE_CLIENT_IP */ }; +static char* defaultXffFields[] = { (char*)HTTP_XFF_FIELD_X_FORWARDED_FOR, + (char*)HTTP_XFF_FIELD_TRUE_CLIENT_IP }; #ifdef APPID_UNUSED_CODE static int LoadCallback(const char* const path, int /* indent */) { @@ -98,7 +97,7 @@ void ThirdPartyAppIDInit(AppIdModuleConfig* appidStaticConfig) || ( thirdparty_appid_dir[0] == 0 ) ) return; - // FIXIT-L: need to port loadAllLibs function to snort3 + // FIXIT-L need to port loadAllLibs function to snort3 // _dpd.loadAllLibs(thirdparty_appid_dir, LoadCallback); if (thirdparty_appid_module == nullptr) { @@ -118,12 +117,12 @@ void ThirdPartyAppIDInit(AppIdModuleConfig* appidStaticConfig) thirdpartyConfig.http_upgrade_reporting_enabled = 0; thirdpartyConfig.appid_tp_dir[0] = '\0'; // use default path - // FIXIT-L: need to provide log function and getSnortInstance function to 3rd party utils + // FIXIT-M need to provide log function and getSnortInstance function to 3rd party utils #ifdef REMOVED_WHILE_NOT_IN_USE thirdpartyUtils.logMsg = &DebugFormat; thirdpartyUtils.getSnortInstance = _dpd.getSnortInstance; - // FIXIT-L: need to get xff fields from http config + // FIXIT-M need to get xff fields from http config thirdpartyConfig.xffFields = _dpd.getHttpXffFields(&thirdpartyConfig.numXffFields); #endif @@ -161,7 +160,7 @@ void ThirdPartyAppIDReconfigure(void) thirdpartyConfig.oldNumXffFields = thirdpartyConfig.numXffFields; thirdpartyConfig.oldXffFields = thirdpartyConfig.xffFields; - // FIXIT-L: need to get xff fields from http config + // FIXIT-L need to get xff fields from http config // thirdpartyConfig.xffFields = _dpd.getHttpXffFields(&thirdpartyConfig.numXffFields); if (!thirdpartyConfig.xffFields) { diff --git a/src/protocols/packet.h b/src/protocols/packet.h index 43516ec39..d0bebea44 100644 --- a/src/protocols/packet.h +++ b/src/protocols/packet.h @@ -128,7 +128,7 @@ struct SO_PUBLIC Packet uint16_t alt_dsize; /* the dsize of a packet before munging (used for log)*/ uint8_t num_layers; /* index into layers for next encap */ - // FIXIT-M: Consider moving ip_proto_next below `pkth`. + // FIXIT-M Consider moving ip_proto_next below `pkth`. IpProtocol ip_proto_next; /* the protocol ID after IP and all IP6 extension */ bool disable_inspect; // nothing after this point is zeroed ... diff --git a/src/search_engines/ac_bnfa.cc b/src/search_engines/ac_bnfa.cc index f429fabd3..1afa1aaed 100644 --- a/src/search_engines/ac_bnfa.cc +++ b/src/search_engines/ac_bnfa.cc @@ -85,7 +85,7 @@ public: obj, T, n, match, context, 0 /* start-state */, current_state); } - // FIXIT-L: Implement search_all method for AC_BNFA. + // FIXIT-L Implement search_all method for AC_BNFA. int print_info() override { diff --git a/src/service_inspectors/dce_rpc/dce_tcp_module.cc b/src/service_inspectors/dce_rpc/dce_tcp_module.cc index f892185b5..7a1d2050a 100644 --- a/src/service_inspectors/dce_rpc/dce_tcp_module.cc +++ b/src/service_inspectors/dce_rpc/dce_tcp_module.cc @@ -180,8 +180,8 @@ bool Dce2TcpModule::set(const char*, Value& v, SnortConfig*) { if (dce2_set_co_config(v,config.common)) return true; - - return false; + + return false; } void Dce2TcpModule::get_data(dce2TcpProtoConf& dce2_tcp_config) diff --git a/src/sfip/sf_ip.cc b/src/sfip/sf_ip.cc index 751008272..230e72cbe 100644 --- a/src/sfip/sf_ip.cc +++ b/src/sfip/sf_ip.cc @@ -120,7 +120,7 @@ static inline int sfip_cidr_mask(sfip_t* ip, int val) /* Converts string IP format to an array of values. Also checks IP address format. Specifically look for issues that inet_pton either overlooks or is inconsistent about. */ -static inline SFIP_RET sfip_convert_ip_text_to_binary(const int family, const char* ip, void* dst) +SFIP_RET sfip_convert_ip_text_to_binary(const int family, const char* ip, void* dst) { const char* my_ip = ip; diff --git a/src/sfip/sf_ip.h b/src/sfip/sf_ip.h index 367015bd6..5afced821 100644 --- a/src/sfip/sf_ip.h +++ b/src/sfip/sf_ip.h @@ -74,6 +74,9 @@ /* IP allocations and setting ******************************************/ +/* Converts string IP format to an array of values. Also checks IP address format. */ +SO_PUBLIC SFIP_RET sfip_convert_ip_text_to_binary(const int family, const char* ip, void* dst); + /* Parses "src" and stores results in "dst" If the conversion is invalid, returns SFIP_FAILURE */ SO_PUBLIC SFIP_RET sfip_pton(const char* src, sfip_t* dst); diff --git a/src/stream/tcp/tcp_state_established.cc b/src/stream/tcp/tcp_state_established.cc index 5958e49bc..654c39c56 100644 --- a/src/stream/tcp/tcp_state_established.cc +++ b/src/stream/tcp/tcp_state_established.cc @@ -54,7 +54,7 @@ bool TcpStateEstablished::syn_ack_sent(TcpSegmentDescriptor& tsd, TcpStreamTrack { if ( trk.session->config->midstream_allowed(tsd.get_pkt()) ) { - // FIXIT-M: there may be an issue when syn/ack from server is seen + // FIXIT-M there may be an issue when syn/ack from server is seen // after ack from client which causes some tracker state variables to // not be initialized... update_tracker_ack_sent may fix that but needs // more testing