From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 9 Mar 2021 17:43:27 +0000 (+0000) Subject: Merge pull request #2780 in SNORT/snort3 from ~SATHIRKA/snort3:smtps_imaps_fix to... X-Git-Tag: 3.1.2.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c45dcc614be2723c772a7af5236cbe6a02bb5cf;p=thirdparty%2Fsnort3.git Merge pull request #2780 in SNORT/snort3 from ~SATHIRKA/snort3:smtps_imaps_fix to master Squashed commit of the following: commit 338c24caf91f531338b043703ad2928819768006 Author: Sreeja Athirkandathil Narayanan Date: Thu Mar 4 17:07:27 2021 -0500 appid: Use opportunistic tls event to set decryption countdown for SMTP detector; Update IMAP service detector pattern
---
diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt
index 151ffaaec..eb725b67e 100644
--- a/src/network_inspectors/appid/CMakeLists.txt
+++ b/src/network_inspectors/appid/CMakeLists.txt
@@ -157,6 +157,7 @@ set ( APPID_SOURCES
 appid_ha.h
 appid_http_session.cc
 appid_http_session.h
+ appid_opportunistic_tls_event_handler.h
 appid_peg_counts.h
 appid_peg_counts.cc
 appid_session.cc
diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc
index 3f9b89e6b..3cbbd783c 100644
--- a/src/network_inspectors/appid/appid_inspector.cc
+++ b/src/network_inspectors/appid/appid_inspector.cc
@@ -40,6 +40,7 @@
 #include "appid_discovery.h"
 #include "appid_ha.h"
 #include "appid_http_event_handler.h"
+#include "appid_opportunistic_tls_event_handler.h"
 #include "appid_peg_counts.h"
 #include "appid_session.h"
 #include "appid_stats.h"
@@ -132,6 +133,8 @@ bool AppIdInspector::configure(SnortConfig* sc)
 DataBus::subscribe_global(DCERPC_EXP_SESSION_EVENT_KEY, new DceExpSsnEventHandler(), sc);
+ DataBus::subscribe_global(OPPORTUNISTIC_TLS_EVENT, new AppIdOpportunisticTlsEventHandler(), sc);
+
 return true;
 }
diff --git a/src/network_inspectors/appid/appid_opportunistic_tls_event_handler.h b/src/network_inspectors/appid/appid_opportunistic_tls_event_handler.h
new file mode 100644
index 000000000..23aca31f1
--- /dev/null
+++ b/src/network_inspectors/appid/appid_opportunistic_tls_event_handler.h
@@ -0,0 +1,50 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2021-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_opportunistic_tls_event_handler.h
+// author Sreeja Athirkandathil Narayanan
+
+#ifndef APPID_OPPORTUNISTIC_TLS_EVENT_HANDLER_H
+#define APPID_OPPORTUNISTIC_TLS_EVENT_HANDLER_H
+
+#include "pub_sub/opportunistic_tls_event.h"
+#include "appid_session.h"
+
+class AppIdOpportunisticTlsEventHandler : public snort::DataHandler
+{
+public:
+ AppIdOpportunisticTlsEventHandler() : DataHandler(MOD_NAME) { }
+
+ void handle(snort::DataEvent&, snort::Flow* flow) override
+ {
+ assert(flow);
+ AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
+ if (!asd)
+ return;
+
+ // Skip sessions using old odp context after reload detectors
+ if (!pkt_thread_odp_ctxt or
+ (pkt_thread_odp_ctxt->get_version() != asd->get_odp_ctxt_version()))
+ return;
+
+ asd->set_session_flags(APPID_SESSION_OPPORTUNISTIC_TLS);
+ }
+};
+
+#endif
+
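Review bot: `handle` ignores its `DataEvent&` argument and sets `APPID_SESSION_OPPORTUNISTIC_TLS` on whichever flow the event arrived on, and nothing in this change ever clears it, so from the first event onward the session is permanently treated as having negotiated opportunistic TLS; a class comment should state that contract, e.g. `// Sticky per-session marker set when an opportunistic TLS event is published on the flow; consumers (currently the SMTP detector) read it to size their decryption countdown.` `assert(flow)` depends on `<cassert>` arriving transitively through one of the two includes, and `pkt_thread_odp_ctxt` is used without a visible declaring include, so the header does not stand on its own — include both explicitly. The odp-context version check deliberately drops the event for sessions created before a detector reload, which the existing comment covers, but it is worth noting there that such sessions will then take the consumer's no-flag path.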
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index 2898b0a2a..baa2b6585 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
@@ -90,6 +90,7 @@ namespace snort
 #define APPID_SESSION_HOST_CACHE_MATCHED (1ULL << 41)
 #define APPID_SESSION_DECRYPT_MONITOR (1ULL << 42)
 #define APPID_SESSION_HTTP_TUNNEL (1ULL << 43)
+#define APPID_SESSION_OPPORTUNISTIC_TLS (1ULL << 44)
 #define APPID_SESSION_IGNORE_ID_FLAGS \
 (APPID_SESSION_FUTURE_FLOW | \
 APPID_SESSION_NOT_A_SERVICE | \
diff --git a/src/network_inspectors/appid/detector_plugins/detector_imap.cc b/src/network_inspectors/appid/detector_plugins/detector_imap.cc
index e54b55f2e..c5c5764b0 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_imap.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_imap.cc
@@ -108,6 +108,7 @@ enum IMAPState
 };
 static const char IMAP_PATTERN[] = "* OK";
+static const char CAPA_PATTERN[] = "* CAPABILITY";
 enum IMAPClientState
 {
@@ -837,7 +838,8 @@ ImapServiceDetector::ImapServiceDetector(ServiceDiscovery* sd)
 tcp_patterns =
 {
- { (const uint8_t*)IMAP_PATTERN, sizeof(IMAP_PATTERN) - 1, 0, 0, 0 }
+ { (const uint8_t*)IMAP_PATTERN, sizeof(IMAP_PATTERN) - 1, 0, 0, 0 },
+ { (const uint8_t*)CAPA_PATTERN, sizeof(CAPA_PATTERN) - 1, 0, 1, 0 }
 };
 appid_registry =
diff --git a/src/network_inspectors/appid/detector_plugins/detector_smtp.cc b/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
index 701151205..1ec382fcc 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
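Review bot: The new `CAPA_PATTERN` entry in `tcp_patterns` passes `1` in the fourth field where the existing `IMAP_PATTERN` entry passes `0`, and nothing in the hunk says what that field selects or why the two entries differ; a one-line comment on the new entry naming the field and the reason for the asymmetry would spare the next reader a trip to the pattern struct. Registering an untagged `* CAPABILITY` line at the same offset as the `* OK` greeting widens what the service detector accepts as an IMAP banner, so it is worth confirming that the validate path still checks the remainder of the greeting before the service is declared. The `ImapServiceDetector` constructor continues outside the hunk.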
@@ -844,14 +844,10 @@ int SmtpServiceDetector::validate(AppIdDiscoveryArgs& args)
 {
 dd->client.flags |= CLIENT_FLAG_STARTTLS_SUCCESS;
- #ifndef REG_TEST
- if (args.asd.get_session_flags(APPID_SESSION_DECRYPT_MONITOR))
- #endif
+ if (args.asd.get_session_flags(APPID_SESSION_OPPORTUNISTIC_TLS))
 dd->client.decryption_countdown = SSL_WAIT_PACKETS; // start a countdown
- #ifndef REG_TEST
 else
 dd->client.decryption_countdown = 1;
- #endif
 add_service(args.change_bits, args.asd, args.pkt, args.dir, APP_ID_SMTPS);
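Review bot: The new condition keys the countdown solely on `APPID_SESSION_OPPORTUNISTIC_TLS`; the previous `APPID_SESSION_DECRYPT_MONITOR` gate is gone, so a session that received the opportunistic-TLS event but is not under decrypt monitoring now gets a countdown of `SSL_WAIT_PACKETS` instead of 1. If that is intended, say so at the branch, e.g. `// countdown length depends only on the opportunistic TLS event having fired for this session, not on decrypt monitoring`; if not, the check should also require the decrypt-monitor flag. Removing the `#ifndef REG_TEST` guards also changes regression builds, which previously always started the `SSL_WAIT_PACKETS` countdown and now depend on the event being published in the test, so that deserves a line in the commit message. `validate` begins and ends outside the hunk.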