From: Hui Cao (huica) Date: Wed, 12 Oct 2016 17:29:53 +0000 (-0400) Subject: Merge pull request #674 in SNORT/snort3 from appid_stateVariable_fix to master X-Git-Tag: 3.0.0-233~225 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=225a9f854ee566faf3ceaad6729e04f41928f844;p=thirdparty%2Fsnort3.git Merge pull request #674 in SNORT/snort3 from appid_stateVariable_fix to master Squashed commit of the following: commit 26d0620068bff59c165585dcc2fd387b74f1cfb8 Author: shaslad Date: Wed Oct 12 11:05:00 2016 -0400 Adding fix for pattern and added app stat variable for few app --- diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index dcd32fe65..58d7b6ba6 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc 
@@ -41,13 +41,16 @@ const PegInfo appid_pegs[] =
 { "packets", "count of packets received by appid inspector" },
 { "processed packets", "count of packets processed by appid inspector" },
 { "ignored packets", "count of packets ignored by appid inspector" },
+ { "aim_clients", "count of aim clients discovered by appid" },
 { "battlefield_flows", "count of battle field flows discovered by appid" },
 { "bgp_flows", "count of bgp flows discovered by appid" },
 { "bit_clients", "count of bittorrent clients discovered by appid" },
 { "bit_flows", "count of bittorrent flows discovered by appid" },
 { "bittracker_clients", "count of bittorrent tracker clients discovered by appid" },
+ { "bootp_flows", "count of bootp flows discovered by appid" },
 { "dcerpc_tcp_flows", "count of dce rpc flows over tcp discovered by appid" },
 { "dcerpc_udp_flows", "count of dce rpc flows over udp discovered by appid" },
+ { "direct_connect_flows", "count of direct connect flows discovered by appid" },
 { "dns_tcp_flows", "count of dns flows over tcp discovered by appid" },
 { "dns_udp_flows", "count of dns flows over udp discovered by appid" },
 { "ftp_flows", "count of ftp flows discovered by appid" },
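Review bot: The new `appid_pegs` entries are inserted at exactly the positions where the matching `PegCount` fields are added to `AppIdStats` in appid_module.h (hunks @@ -36,13, @@ -55,10 and @@ -73,11), which suggests the peg table is consumed positionally against the struct, yet nothing in either file states or enforces that coupling. If that inference is right, a future insertion in one file but not the other would silently mislabel every counter that follows it in the stats output, and the three-way split of the old `netbios_flows` peg shows how easily the two lists drift. Suggest a one-line comment above the table, `// NOTE: entries must stay in the same order as the PegCount fields of AppIdStats (appid_module.h)`, with the mirror comment on the struct, and, if the peg table is indeed indexed against the struct, a `static_assert` tying the non-sentinel entry count to `sizeof(AppIdStats) / sizeof(PegCount)`. The same remark applies to the @@ -60,10 and @@ -78,11 hunks of this file.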
@@ -60,10 +63,23 @@ const PegInfo appid_pegs[] =
 { "kerberos_users", "count of kerberos users discovered by appid" },
 { "lpr_flows", "count of lpr service flows discovered by appid" },
 { "mdns_flows", "count of mdns service flows discovered by appid" },
+ { "msn_clients", "count of msn clients discovered by appid" },
 { "mysql_flows", "count of mysql service flows discovered by appid" },
- { "netbios_flows", "count of netbios service flows discovered by appid" },
+ { "netbios_dgm_flows", "count of netbios-dgm service flows discovered by appid" },
+ { "netbios_ns_flows", "count of netbios-ns service flows discovered by appid" },
+ { "netbios_ssn_flows", "count of netbios-ssn service flows discovered by appid" },
+ { "nntp_flows", "count of nntp flows discovered by appid" },
+ { "ntp_flows", "count of ntp flows discovered by appid" },
 { "pop_flows", "count of pop service flows discovered by appid" },
+ { "radius_flows", "count of radius flows discovered by appid" },
+ { "rexec_flows", "count of rexec flows discovered by appid" },
+ { "rfb_flows", "count of rfb flows discovered by appid" },
+ { "rlogin_flows", "count of rlogin flows discovered by appid" },
+ { "rpc_flows", "count of rpc flows discovered by appid" },
+ { "rshell_flows", "count of rshell flows discovered by appid" },
 { "rsync_flows", "count of rsync service flows discovered by appid" },
+ { "rtmp_flows", "count of rtmp flows discovered by appid" },
+ { "rtp_clients", "count of rtp clients discovered by appid" },
 { "smtp_aol_clients", "count of AOL smtp clients discovered by appid" },
 { "smtp_applemail_clients", "count of Apple Mail smtp clients discovered by appid" },
 { "smtp_eudora_clients", "count of Eudora smtp clients discovered by appid" },
@@ -78,11 +94,17 @@ const PegInfo appid_pegs[] =
 { "smtp_thunderbird_clients", "count of Thunderbird smtp clients discovered by appid" },
 { "smtp_flows", "count of smtp flows discovered by appid" },
 { "smtps_flows", "count of smtps flows discovered by appid" },
+ { "snmp_flows", "count of snmp flows discovered by appid" },
 { "ssh_clients", "count of ssh clients discovered by appid" },
 { "ssh_flows", "count of ssh flows discovered by appid" },
 { "ssl_flows", "count of ssl flows discovered by appid" },
 { "telnet_flows", "count of telnet flows discovered by appid" },
+ { "tftp_flows", "count of tftp flows discovered by appid" },
 { "timbuktu_flows", "count of timbuktu flows discovered by appid" },
+ { "tns_clients", "count of tns clients discovered by appid" },
+ { "tns_flows", "count of tns flows discovered by appid" },
+ { "vnc_clients", "count of vnc clients discovered by appid" },
+ { "yahoo_messenger_clients", "count of Yahoo Messenger clients discovered by appid" },
 { nullptr, nullptr }
 };
diff --git a/src/network_inspectors/appid/appid_module.h b/src/network_inspectors/appid/appid_module.h
index 8a72f8426..7c3df0265 100644
--- a/src/network_inspectors/appid/appid_module.h
+++ b/src/network_inspectors/appid/appid_module.h
@@ -36,13 +36,16 @@ struct AppIdStats
 PegCount packets;
 PegCount processed_packets;
 PegCount ignored_packets;
+ PegCount aim_clients;
 PegCount battlefield_flows;
 PegCount bgp_flows;
 PegCount bit_clients;
 PegCount bit_flows;
 PegCount bittracker_clients;
+ PegCount bootp_flows;
 PegCount dcerpc_tcp_flows;
 PegCount dcerpc_udp_flows;
+ PegCount direct_connect_flows;
 PegCount dns_tcp_flows;
 PegCount dns_udp_flows;
 PegCount ftp_flows;
@@ -55,10 +58,23 @@ struct AppIdStats PegCount kerberos_users; PegCount lpr_flows; PegCount mdns_flows; + PegCount msn_clients; PegCount mysql_flows; - PegCount netbios_flows; + PegCount netbios_dgm_flows; + PegCount netbios_ns_flows; + PegCount netbios_ssn_flows; + PegCount nntp_flows; + PegCount ntp_flows; PegCount pop_flows; + PegCount radius_flows; + PegCount rexec_flows; + PegCount rfb_flows; + PegCount rlogin_flows; + PegCount rpc_flows; + PegCount rshell_flows; PegCount rsync_flows; + PegCount rtmp_flows; + PegCount rtp_clients; PegCount smtp_aol_clients; PegCount smtp_applemail_clients; PegCount smtp_eudora_clients; @@ -73,11 +89,17 @@ struct AppIdStats PegCount smtp_thunderbird_clients; PegCount smtp_flows; PegCount smtps_flows; + PegCount snmp_flows; PegCount ssh_clients; PegCount ssh_flows; PegCount ssl_flows; PegCount telnet_flows; + PegCount tftp_flows; PegCount timbuktu_flows; + PegCount tns_clients; + PegCount tns_flows; + PegCount vnc_clients; + PegCount yahoo_messenger_clients; }; extern THREAD_LOCAL AppIdStats appid_stats; diff --git a/src/network_inspectors/appid/client_plugins/client_app_aim.cc b/src/network_inspectors/appid/client_plugins/client_app_aim.cc index c3fb87bcc..9519705d7 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_aim.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_aim.cc @@ -32,6 +32,7 @@ #include "app_info_table.h" #include "application_ids.h" +#include "appid_module.h" #pragma pack(1) @@ -302,6 +303,7 @@ static CLIENT_APP_RETCODE aim_validate( const uint8_t* const data, uint16_t size aim_client_mod.api->add_app( flowp, APP_ID_AOL_INSTANT_MESSENGER, APP_ID_AOL_INSTANT_MESSENGER, version); + appid_stats.aim_clients++; } } } diff --git a/src/network_inspectors/appid/client_plugins/client_app_msn.cc b/src/network_inspectors/appid/client_plugins/client_app_msn.cc index fe23bef2c..bf4167b90 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_msn.cc 
+++ b/src/network_inspectors/appid/client_plugins/client_app_msn.cc @@ -23,6 +23,7 @@ #include "main/snort_debug.h" #include "app_info_table.h" #include "application_ids.h" +#include "appid_module.h" #define MAX_VERSION_SIZE 64 @@ -53,7 +54,7 @@ static const uint8_t MSMSGS[] = "MSMSGS"; static Client_App_Pattern patterns[] = { - { VER, sizeof(VER)-1, 0, APP_ID_MSN }, + { VER, sizeof(VER)-1, -1, APP_ID_MSN }, { CVRMAIN, sizeof(CVRMAIN)-1, -1, APP_ID_MSN }, { MSNMSGR, sizeof(MSNMSGR)-1, -1, APP_ID_MSN_MESSENGER }, { MACMSGS, sizeof(MACMSGS)-1, -1, APP_ID_MSN_MESSENGER }, @@ -195,6 +196,7 @@ static CLIENT_APP_RETCODE msn_validate(const uint8_t* data, uint16_t size, const done: msn_client_mod.api->add_app(flowp, APP_ID_MSN_MESSENGER, product_id, (char*)version); flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + appid_stats.msn_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_rtp.cc b/src/network_inspectors/appid/client_plugins/client_app_rtp.cc index 90fc0d289..8a83e9de8 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_rtp.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_rtp.cc @@ -26,6 +26,7 @@ #include "application_ids.h" #include "client_app_api.h" +#include "appid_module.h" enum RTPState { 
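Review bot: The third initializer of the `VER` entry in `patterns[]` is changed from 0 to -1 in the @@ -53,7 hunk, and the same change is made to every RTP entry (@@ -111,118 in client_app_rtp.cc), to `TNS_BANNER` (2 → -1, client_app_tns.cc @@ -158,7), to `VNC_BANNER` (client_app_vnc.cc @@ -84,7) and to `APP_YMSG` (client_app_ym.cc @@ -70,7), but neither the commit message ("Adding fix for pattern") nor a comment says what that field or the value -1 means, or why the earlier values were wrong. The surviving `VNC_BANNER2` entry keeps 7 and the hunk headers show `struct Client_App_Pattern` is defined locally in each of these files, so the field looks like a payload offset the pattern must start at; if -1 lifts that constraint, the two-byte RTP patterns (`"\x000\x000"` and so on) and the three-byte `VER` will fire the validators on far more payloads than before, which is worth confirming as intended and checking against the validators' own sanity checks rather than the pattern hit alone. Please document the field where the struct is defined, e.g. `// index: payload offset at which the pattern must start; -1 means <state the semantics here>`, with the placeholder filled in by the author, and note the reason for the change in the commit message.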
@@ -111,118 +112,118 @@ struct Client_App_Pattern static Client_App_Pattern patterns[] = { - { (const uint8_t*)"\x000\x000", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x001", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x002", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x003", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x004", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x005", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x006", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x007", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x008", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x009", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x00a", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x00b", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x00c", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x00d", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x00e", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x00f", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x010", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x011", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x012", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x013", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x019", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x01a", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x01b", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x01c", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x01f", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x020", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x021", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x022", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x080", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x081", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x082", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x083", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x084", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x085", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x086", 2, 0, APP_ID_RTP }, - { (const 
uint8_t*)"\x000\x087", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x088", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x089", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x08a", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x08b", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x08c", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x08d", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x08e", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x08f", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x090", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x091", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x092", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x093", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x099", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x09a", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x09b", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x09c", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x09f", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x0a0", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x0a1", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x000\x0a2", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x000", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x001", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x002", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x003", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x004", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x005", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x006", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x007", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x008", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x009", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x00a", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x00b", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x00c", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x00d", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x00e", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x00f", 2, 0, APP_ID_RTP }, - { (const 
uint8_t*)"\x080\x010", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x011", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x012", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x013", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x019", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x01a", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x01b", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x01c", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x01f", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x020", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x021", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x022", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x080", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x081", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x082", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x083", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x084", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x085", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x086", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x087", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x088", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x089", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x08a", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x08b", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x08c", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x08d", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x08e", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x08f", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x090", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x091", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x092", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x093", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x099", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x09a", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x09b", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x09c", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x09f", 2, 0, APP_ID_RTP }, - { (const 
uint8_t*)"\x080\x0a0", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x0a1", 2, 0, APP_ID_RTP }, - { (const uint8_t*)"\x080\x0a2", 2, 0, APP_ID_RTP }, + { (const uint8_t*)"\x000\x000", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x001", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x002", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x003", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x004", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x005", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x006", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x007", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x008", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x009", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x00a", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x00b", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x00c", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x00d", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x00e", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x00f", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x010", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x011", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x012", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x013", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x019", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x01a", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x01b", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x01c", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x01f", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x020", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x021", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x022", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x080", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x081", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x082", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x083", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x084", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x085", 
2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x086", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x087", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x088", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x089", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x08a", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x08b", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x08c", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x08d", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x08e", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x08f", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x090", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x091", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x092", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x093", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x099", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x09a", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x09b", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x09c", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x09f", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x0a0", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x0a1", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x000\x0a2", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x000", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x001", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x002", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x003", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x004", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x005", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x006", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x007", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x008", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x009", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x00a", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x00b", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x00c", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x00d", 2, -1, APP_ID_RTP 
}, + { (const uint8_t*)"\x080\x00e", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x00f", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x010", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x011", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x012", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x013", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x019", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x01a", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x01b", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x01c", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x01f", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x020", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x021", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x022", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x080", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x081", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x082", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x083", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x084", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x085", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x086", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x087", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x088", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x089", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x08a", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x08b", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x08c", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x08d", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x08e", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x08f", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x090", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x091", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x092", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x093", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x099", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x09a", 2, -1, APP_ID_RTP }, + { (const 
uint8_t*)"\x080\x09b", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x09c", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x09f", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x0a0", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x0a1", 2, -1, APP_ID_RTP }, + { (const uint8_t*)"\x080\x0a2", 2, -1, APP_ID_RTP }, }; static AppRegistryEntry appIdRegistry[] = @@ -353,6 +354,7 @@ static CLIENT_APP_RETCODE rtp_validate(const uint8_t* data, uint16_t size, const rtp_client_mod.api->add_app(flowp, APP_ID_RTP, APP_ID_RTP, nullptr); flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + appid_stats.rtp_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_tns.cc b/src/network_inspectors/appid/client_plugins/client_app_tns.cc index 2def02df3..b2e625506 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_tns.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_tns.cc @@ -27,6 +27,7 @@ #include "app_info_table.h" #include "application_ids.h" #include "client_app_api.h" +#include "appid_module.h" static const char TNS_BANNER[] = "\000\000"; #define TNS_BANNER_LEN (sizeof(TNS_BANNER)-1) @@ -158,7 +159,7 @@ struct Client_App_Pattern static Client_App_Pattern patterns[] = { - { (const uint8_t*)TNS_BANNER, sizeof(TNS_BANNER)-1, 2, APP_ID_ORACLE_DATABASE }, + { (const uint8_t*)TNS_BANNER, sizeof(TNS_BANNER)-1, -1, APP_ID_ORACLE_DATABASE }, }; static AppRegistryEntry appIdRegistry[] = @@ -431,6 +432,7 @@ done: tns_client_mod.api->add_user(flowp, username, APP_ID_ORACLE_DATABASE, 1); } flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + appid_stats.tns_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_vnc.cc b/src/network_inspectors/appid/client_plugins/client_app_vnc.cc index e680a50ad..cc32082ee 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_vnc.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_vnc.cc 
@@ -27,6 +27,7 @@ #include "app_info_table.h" #include "application_ids.h" #include "client_app_api.h" +#include "appid_module.h" static const char VNC_BANNER[] = "RFB "; static const char VNC_BANNER2[] = "."; @@ -84,7 +85,7 @@ struct Client_App_Pattern static Client_App_Pattern patterns[] = { - { (const uint8_t*)VNC_BANNER, sizeof(VNC_BANNER)-1, 0, APP_ID_VNC }, + { (const uint8_t*)VNC_BANNER, sizeof(VNC_BANNER)-1, -1, APP_ID_VNC }, { (const uint8_t*)VNC_BANNER2, sizeof(VNC_BANNER2)-1, 7, APP_ID_VNC }, }; @@ -198,6 +199,7 @@ inprocess: done: vnc_client_mod.api->add_app(flowp, APP_ID_VNC_RFB, APP_ID_VNC, (const char*)fd->version); flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + appid_stats.vnc_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/client_plugins/client_app_ym.cc b/src/network_inspectors/appid/client_plugins/client_app_ym.cc index ff9dbe740..508a44716 100644 --- a/src/network_inspectors/appid/client_plugins/client_app_ym.cc +++ b/src/network_inspectors/appid/client_plugins/client_app_ym.cc @@ -28,6 +28,7 @@ #include "app_info_table.h" #include "application_ids.h" #include "client_app_api.h" +#include "appid_module.h" struct YM_CLIENT_APP_CONFIG { @@ -70,7 +71,7 @@ static const uint8_t APP_YMSG[] = "YMSG"; static Client_App_Pattern patterns[] = { - { APP_YMSG, sizeof(APP_YMSG)-1, 0, APP_ID_YAHOO_MSG }, + { APP_YMSG, sizeof(APP_YMSG)-1, -1, APP_ID_YAHOO_MSG }, }; static AppRegistryEntry appIdRegistry[] = @@ -222,6 +223,7 @@ static CLIENT_APP_RETCODE ym_validate(const uint8_t* data, uint16_t size, const done: ym_client_mod.api->add_app(flowp, APP_ID_YAHOO, product_id, (char*)version); flowp->setAppIdFlag(APPID_SESSION_CLIENT_DETECTED); + appid_stats.yahoo_messenger_clients++; return CLIENT_APP_SUCCESS; } diff --git a/src/network_inspectors/appid/service_plugins/service_bootp.cc b/src/network_inspectors/appid/service_plugins/service_bootp.cc index d703683e9..11d2d6a0f 100644 
--- a/src/network_inspectors/appid/service_plugins/service_bootp.cc +++ b/src/network_inspectors/appid/service_plugins/service_bootp.cc @@ -24,6 +24,7 @@ #include "protocols/eth.h" #include "app_info_table.h" #include "application_ids.h" +#include "appid_module.h" #define DHCP_MAGIC_COOKIE 0x63825363 @@ -310,6 +311,7 @@ success: flowp->setAppIdFlag(APPID_SESSION_CONTINUE); bootp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, APP_ID_DHCP, nullptr, nullptr, nullptr); + appid_stats.bootp_flows++; } return SERVICE_SUCCESS; diff --git a/src/network_inspectors/appid/service_plugins/service_direct_connect.cc b/src/network_inspectors/appid/service_plugins/service_direct_connect.cc index aaeb84d8f..2288f69a7 100644 --- a/src/network_inspectors/appid/service_plugins/service_direct_connect.cc +++ b/src/network_inspectors/appid/service_plugins/service_direct_connect.cc @@ -25,6 +25,8 @@ #include "main/snort_debug.h" #include "utils/util.h" +#include "appid_module.h" + enum CONNECTION_STATES { CONN_STATE_INIT, @@ -262,6 +264,7 @@ success: directconnect_service_mod.api->add_service(flowp, pkt, dir, &svc_element, APP_ID_DIRECT_CONNECT, nullptr, nullptr, nullptr); + appid_stats.direct_connect_flows++; return SERVICE_SUCCESS; fail: @@ -314,6 +317,7 @@ success: reportSuccess: directconnect_service_mod.api->add_service(flowp, pkt, dir, &svc_element, APP_ID_DIRECT_CONNECT, nullptr, nullptr, nullptr); + appid_stats.direct_connect_flows++; return SERVICE_SUCCESS; fail: diff --git a/src/network_inspectors/appid/service_plugins/service_netbios.cc b/src/network_inspectors/appid/service_plugins/service_netbios.cc index 1b35736d1..4b657f39c 100644 --- a/src/network_inspectors/appid/service_plugins/service_netbios.cc +++ b/src/network_inspectors/appid/service_plugins/service_netbios.cc 
@@ -611,7 +611,7 @@ static int nbns_validate(ServiceValidationArgs* args) success: netbios_service_mod.api->add_service(flowp, args->pkt, dir, &nbns_svc_element, APP_ID_NETBIOS_NS, nullptr, nullptr, nullptr); - appid_stats.netbios_flows++; + appid_stats.netbios_ns_flows++; return SERVICE_SUCCESS; inprocess: @@ -1065,7 +1065,7 @@ static int nbss_validate(ServiceValidationArgs* args) { netbios_service_mod.api->add_misc(flowp, nd->miscAppId); } - appid_stats.netbios_flows++; + appid_stats.netbios_ssn_flows++; } return SERVICE_SUCCESS; @@ -1228,7 +1228,7 @@ success: { netbios_service_mod.api->add_misc(flowp, miscAppId); } - appid_stats.netbios_flows++; + appid_stats.netbios_dgm_flows++; } } return SERVICE_SUCCESS; diff --git a/src/network_inspectors/appid/service_plugins/service_nntp.cc b/src/network_inspectors/appid/service_plugins/service_nntp.cc index 07a8cc986..87303333e 100644 --- a/src/network_inspectors/appid/service_plugins/service_nntp.cc +++ b/src/network_inspectors/appid/service_plugins/service_nntp.cc @@ -25,6 +25,7 @@ #include "utils/util.h" #include "appid_session.h" +#include "appid_module.h" #include "application_ids.h" #include "service_api.h" @@ -380,6 +381,7 @@ inprocess: success: nntp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, APP_ID_NNTP, nullptr, nullptr, nullptr); + appid_stats.nntp_flows++; return SERVICE_SUCCESS; fail: diff --git a/src/network_inspectors/appid/service_plugins/service_ntp.cc b/src/network_inspectors/appid/service_plugins/service_ntp.cc index 427fba10a..ed20da310 100644 --- a/src/network_inspectors/appid/service_plugins/service_ntp.cc +++ b/src/network_inspectors/appid/service_plugins/service_ntp.cc @@ -24,6 +24,7 @@ #include "main/snort_debug.h" #include "appid_session.h" +#include "appid_module.h" #include "application_ids.h" #include "service_api.h" 
@@ -164,6 +165,7 @@ static int ntp_validate(ServiceValidationArgs* args) ntp_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, APP_ID_NTP, nullptr, nullptr, nullptr); + appid_stats.ntp_flows++; return SERVICE_SUCCESS; inprocess: diff --git a/src/network_inspectors/appid/service_plugins/service_radius.cc b/src/network_inspectors/appid/service_plugins/service_radius.cc index 86ec57799..9b68b3dc8 100644 --- a/src/network_inspectors/appid/service_plugins/service_radius.cc +++ b/src/network_inspectors/appid/service_plugins/service_radius.cc @@ -28,6 +28,7 @@ #include "appid_session.h" #include "application_ids.h" #include "service_api.h" +#include "appid_module.h" #define RADIUS_CODE_ACCESS_REQUEST 1 #define RADIUS_CODE_ACCESS_ACCEPT 2 @@ -223,6 +224,7 @@ inprocess: success: radius_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element, APP_ID_RADIUS, nullptr, nullptr, nullptr); + appid_stats.radius_flows++; return SERVICE_SUCCESS; not_compatible: @@ -325,6 +327,7 @@ inprocess: success: radius_service_mod.api->add_service(flowp, args->pkt, dir, &acct_svc_element, APP_ID_RADIUS_ACCT, nullptr, nullptr, nullptr); + appid_stats.radius_flows++; return SERVICE_SUCCESS; not_compatible: diff --git a/src/network_inspectors/appid/service_plugins/service_rexec.cc b/src/network_inspectors/appid/service_plugins/service_rexec.cc index 35b9b7afb..6fa2db0bc 100644 --- a/src/network_inspectors/appid/service_plugins/service_rexec.cc +++ b/src/network_inspectors/appid/service_plugins/service_rexec.cc @@ -36,6 +36,7 @@ #include "appid_api.h" #include "app_info_table.h" #include "appid_session.h" +#include "appid_module.h" #include "application_ids.h" #include "service_api.h" #include "service_base.h" @@ -328,6 +329,7 @@ success: { rexec_service_mod.api->add_service(flowp, pkt, dir, &svc_element, APP_ID_EXEC, nullptr, nullptr, nullptr); + appid_stats.rexec_flows++; } return SERVICE_SUCCESS; 
diff --git a/src/network_inspectors/appid/service_plugins/service_rfb.cc b/src/network_inspectors/appid/service_plugins/service_rfb.cc index 11d06997e..efb4c56d7 100644 --- a/src/network_inspectors/appid/service_plugins/service_rfb.cc +++ b/src/network_inspectors/appid/service_plugins/service_rfb.cc @@ -24,6 +24,7 @@ #include "service_api.h" #include "app_info_table.h" #include "application_ids.h" +#include "appid_module.h" #include "main/snort_debug.h" @@ -129,6 +130,7 @@ static int rfb_validate(ServiceValidationArgs* args) *v = 0; rfb_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, APP_ID_VNC_RFB, nullptr, version, nullptr); + appid_stats.rfb_flows++; return SERVICE_SUCCESS; inprocess: diff --git a/src/network_inspectors/appid/service_plugins/service_rlogin.cc b/src/network_inspectors/appid/service_plugins/service_rlogin.cc index b467beab7..9abded9be 100644 --- a/src/network_inspectors/appid/service_plugins/service_rlogin.cc +++ b/src/network_inspectors/appid/service_plugins/service_rlogin.cc @@ -23,6 +23,7 @@ #include "service_api.h" #include "application_ids.h" +#include "appid_module.h" #include "main/snort_debug.h" #include "protocols/tcp.h" @@ -165,6 +166,7 @@ inprocess: success: rlogin_service_mod.api->add_service(flowp, pkt, args->dir, &svc_element, APP_ID_RLOGIN, nullptr, nullptr, nullptr); + appid_stats.rlogin_flows++; return SERVICE_SUCCESS; fail: diff --git a/src/network_inspectors/appid/service_plugins/service_rpc.cc b/src/network_inspectors/appid/service_plugins/service_rpc.cc index 0f8d25d17..8e83b8496 100644 --- a/src/network_inspectors/appid/service_plugins/service_rpc.cc +++ b/src/network_inspectors/appid/service_plugins/service_rpc.cc @@ -41,6 +41,7 @@ #include "application_ids.h" #include "target_based/snort_protocols.h" #include "utils/util.h" +#include "appid_module.h" /*#define RNA_DEBUG_RPC 1 */ 
@@ -543,8 +544,9 @@ done:
 }
 else
 subtype = nullptr;
- rpc_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
- APP_ID_SUN_RPC, nullptr, nullptr, subtype);
+ rpc_service_mod.api->add_service(flowp, pkt, dir, &svc_element,
+ APP_ID_SUN_RPC, nullptr, nullptr, subtype);
+ appid_stats.rpc_flows++;
 }
 flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
 return SERVICE_SUCCESS;
@@ -911,8 +913,9 @@ inprocess:
 }
 else
 subtype = nullptr;
- rpc_service_mod.api->add_service(flowp, pkt, dir, &tcp_svc_element,
- APP_ID_SUN_RPC, nullptr, nullptr, subtype);
+ rpc_service_mod.api->add_service(flowp, pkt, dir, &tcp_svc_element,
+ APP_ID_SUN_RPC, nullptr, nullptr, subtype);
+ appid_stats.rpc_flows++;
 }
 flowp->setAppIdFlag(APPID_SESSION_CONTINUE);
 return SERVICE_SUCCESS;
diff --git a/src/network_inspectors/appid/service_plugins/service_rshell.cc b/src/network_inspectors/appid/service_plugins/service_rshell.cc
index 6a57a9bce..2ac18582b 100644
--- a/src/network_inspectors/appid/service_plugins/service_rshell.cc
+++ b/src/network_inspectors/appid/service_plugins/service_rshell.cc
@@ -25,6 +25,7 @@
 #include "service_api.h"
 #include "service_base.h"
 #include "app_info_table.h"
+#include "appid_module.h"
 #include "log/messages.h"
 #include "main/snort_debug.h"
@@ -330,6 +331,7 @@ inprocess:
 success:
 rshell_service_mod.api->add_service(flowp, pkt, dir, &svc_element, APP_ID_SHELL, nullptr, nullptr, nullptr);
+ appid_stats.rshell_flows++;
 return SERVICE_SUCCESS;
 bail:
diff --git a/src/network_inspectors/appid/service_plugins/service_rtmp.cc b/src/network_inspectors/appid/service_plugins/service_rtmp.cc
index 2beb7bfc3..e91be8ff4 100644
--- a/src/network_inspectors/appid/service_plugins/service_rtmp.cc
+++ b/src/network_inspectors/appid/service_plugins/service_rtmp.cc
@@ -24,6 +24,7 @@
 #include "application_ids.h"
 #include "service_api.h"
 #include "app_info_table.h"
+#include "appid_module.h"
 #include "log/messages.h"
 #include "main/snort_debug.h"
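Review bot: `appid_stats.rpc_flows++` sits on a path that immediately sets APPID_SESSION_CONTINUE, so if this validator is re-entered for later packets of the same flow and reaches this block again, the peg counts detections rather than flows; the same applies to the TCP path at @@ -911. If re-entry is possible, bump the counter only on the first detection for the flow, or document the peg as a detection count so readers of the stats are not misled. The `-`/`+` pair on the add_service call appears to change only indentation; keeping such whitespace churn out of a functional commit makes blame and bisect cleaner. The enclosing function starts and ends outside the hunk.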
@@ -702,6 +703,7 @@ success:
 }
 rtmp_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element, APP_ID_RTMP, nullptr, nullptr, nullptr);
+ appid_stats.rtmp_flows++;
 return SERVICE_SUCCESS;
 }
diff --git a/src/network_inspectors/appid/service_plugins/service_snmp.cc b/src/network_inspectors/appid/service_plugins/service_snmp.cc
index 8dd44c1f4..681162205 100644
--- a/src/network_inspectors/appid/service_plugins/service_snmp.cc
+++ b/src/network_inspectors/appid/service_plugins/service_snmp.cc
@@ -26,6 +26,7 @@
 #include "utils/util.h"
 #include "appid_api.h"
+#include "appid_module.h"
 #include "app_info_table.h"
 #include "service_base.h"
 #include "application_ids.h"
@@ -614,6 +615,7 @@ success:
 snmp_service_mod.api->add_service(flowp, pkt, dir, &svc_element, APP_ID_SNMP, SNMP_VENDOR_STR, version_str, nullptr);
+ appid_stats.snmp_flows++;
 return SERVICE_SUCCESS;
 bail:
diff --git a/src/network_inspectors/appid/service_plugins/service_tftp.cc b/src/network_inspectors/appid/service_plugins/service_tftp.cc
index 1500fd832..893d1f78c 100644
--- a/src/network_inspectors/appid/service_plugins/service_tftp.cc
+++ b/src/network_inspectors/appid/service_plugins/service_tftp.cc
@@ -34,6 +34,7 @@
 #include "app_info_table.h"
 #include "appid_api.h"
 #include "appid_session.h"
+#include "appid_module.h"
 #include "application_ids.h"
 #include "service_api.h"
 #include "service_base.h"
@@ -367,6 +368,7 @@ success:
 LogMessage("AppIdDbg %s tftp success\n", app_id_debug_session);
 tftp_service_mod.api->add_service(flowp, pkt, dir, &svc_element, APP_ID_TFTP, nullptr, nullptr, nullptr);
+ appid_stats.tftp_flows++;
 return SERVICE_SUCCESS;
 bail:
diff --git a/src/network_inspectors/appid/service_plugins/service_tns.cc b/src/network_inspectors/appid/service_plugins/service_tns.cc
index d66776281..75243a3f5 100644
--- a/src/network_inspectors/appid/service_plugins/service_tns.cc
+++ b/src/network_inspectors/appid/service_plugins/service_tns.cc
@@ -21,6 +21,7 @@
 #include "app_info_table.h"
 #include "appid_session.h"
+#include "appid_module.h"
 #include "application_ids.h"
 #include "service_api.h"
@@ -307,6 +308,7 @@ inprocess:
 success:
 tns_service_mod.api->add_service(flowp, args->pkt, args->dir, &svc_element, APP_ID_ORACLE_TNS, nullptr, ss->version ? ss->version : nullptr, nullptr);
+ appid_stats.tns_flows++;
 return SERVICE_SUCCESS;
 fail: