From: Shanmugam S (shanms) Date: Mon, 26 Sep 2022 13:37:09 +0000 (+0000) Subject: Pull request #3595: appid: handle http3 X-Git-Tag: 3.1.43.0~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28026e76ea3c0ad7f4ba4f11f7f98b16fdacf058;p=thirdparty%2Fsnort3.git Pull request #3595: appid: handle http3 Merge in SNORT/snort3 from ~SHIKV/snort3:h3_appid to master Squashed commit of the following: commit 5a3b5213ebe21081b27d9c38cebd29844e8f9068 Author: shibin k v Date: Thu Sep 22 10:29:58 2022 +0000 appid: return appid set by eve for http/3 if no hsession is present, but prefer hsession appid over eve commit e6a449351595e205d4793d3fa132be23b5266b8e Author: shibin k v Date: Mon Sep 19 20:49:37 2022 +0000 appid: handle multistream http protocols(http2,http3) together --- diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt index a1331e54f..894aa910a 100644 --- a/src/network_inspectors/appid/CMakeLists.txt +++ b/src/network_inspectors/appid/CMakeLists.txt @@ -158,7 +158,7 @@ set ( APPID_SOURCES appid_ha.h appid_http_session.cc appid_http_session.h - appid_http2_req_body_event_handler.h + appid_httpx_req_body_event_handler.h appid_opportunistic_tls_event_handler.h appid_peg_counts.h appid_peg_counts.cc diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index 0fe89b2bb..247a6ccf8 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -178,7 +178,7 @@ static bool set_network_attributes(AppIdSession* asd, Packet* p, IpProtocol& pro protocol = IpProtocol::TCP; else if (p->is_udp()) protocol = IpProtocol::UDP; - else if (p->is_ip4() || p->is_ip6()) + else if (p->is_ip4() or p->is_ip6()) { protocol = p->get_ip_proto_next(); if (p->num_layers > 3) @@ -319,8 +319,8 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec if (p->ptrs.tcph and !asd->get_session_flags(APPID_SESSION_OOO)) { - if ((p->packet_flags & PKT_STREAM_ORDER_BAD) || - (p->dsize && !(p->packet_flags & (PKT_STREAM_ORDER_OK | PKT_REBUILT_STREAM)))) + if ((p->packet_flags & PKT_STREAM_ORDER_BAD) or + (p->dsize and !(p->packet_flags & (PKT_STREAM_ORDER_OK | PKT_REBUILT_STREAM)))) { asd->set_session_flags(APPID_SESSION_OOO | APPID_SESSION_OOO_CHECK_TP); if (appidDebug->is_active()) @@ -331,8 +331,8 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec // Shut off service/client discoveries, since they skip not-ok data packets and // may keep failing on subsequent data packets causing performance degradation - if (!asd->get_session_flags(APPID_SESSION_MID) || - (p->ptrs.sp != 21 && p->ptrs.dp != 21)) // exception for ftp-control + if (!asd->get_session_flags(APPID_SESSION_MID) or + (p->ptrs.sp != 21 and p->ptrs.dp != 21)) // exception for ftp-control { asd->service_disco_state = APPID_DISCO_STATE_FINISHED; if (asd->get_payload_id() == APP_ID_NONE and @@ -349,7 +349,7 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec else { const auto* tcph = p->ptrs.tcph; - if (tcph->is_rst() && asd->previous_tcp_flags == TH_SYN) + if (tcph->is_rst() and asd->previous_tcp_flags == TH_SYN) { uint16_t port = 0; const SfIp* ip = nullptr; @@ -443,7 +443,7 @@ bool AppIdDiscovery::do_host_port_based_discovery(Packet* p, AppIdSession& asd, asd.get_odp_ctxt().is_host_port_app_cache_runtime) check_dynamic = true; - if (!(check_static || check_dynamic)) + if (!(check_static or check_dynamic)) return false; uint16_t port; @@ -719,8 +719,8 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto } // Third party detection - // Skip third-party detection for http2 - if (tp_appid_ctxt and ((service_id = asd.pick_service_app_id()) != APP_ID_HTTP2)) + // Skip third-party detection for http2 and http3 + if (tp_appid_ctxt and ((service_id = asd.pick_service_app_id()) != APP_ID_HTTP2 and service_id != APP_ID_HTTP3)) { // Skip third-party inspection for sessions using old config if (asd.tpsession and asd.tpsession->get_ctxt_version() != tp_appid_ctxt->get_version()) @@ -757,7 +757,7 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto } } // FIXIT-M - snort 2.x has added a check for midstream pickup to this, do we need that? - else if (protocol != IpProtocol::TCP || (p->packet_flags & PKT_STREAM_ORDER_OK)) + else if (protocol != IpProtocol::TCP or (p->packet_flags & PKT_STREAM_ORDER_OK)) { if (asd.service_disco_state != APPID_DISCO_STATE_FINISHED) is_discovery_done = @@ -805,7 +805,7 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto bool is_http_tunnel = false; if (hsession) - is_http_tunnel = ((hsession->payload.get_id() == APP_ID_HTTP_TUNNEL) || + is_http_tunnel = ((hsession->payload.get_id() == APP_ID_HTTP_TUNNEL) or (hsession->payload.get_id() == APP_ID_HTTP_SSL_TUNNEL)) ? true : false; if (is_check_host_cache_valid(asd, service_id, client_id, payload_id, misc_id) or diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc index 242288dc6..162e8bf8c 100644 --- a/src/network_inspectors/appid/appid_http_event_handler.cc +++ b/src/network_inspectors/appid/appid_http_event_handler.cc @@ -96,10 +96,10 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) { if (direction == APP_ID_FROM_INITIATOR) { - if (asd->get_prev_http2_raw_packet() != asd->session_packet_count) + if (asd->get_prev_httpx_raw_packet() != asd->session_packet_count) { asd->delete_all_http_sessions(); - asd->set_prev_http2_raw_packet(asd->session_packet_count); + asd->set_prev_httpx_raw_packet(asd->session_packet_count); } hsession = asd->create_http_session(http_event->get_httpx_stream_id()); } @@ -158,7 +158,7 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) hsession->set_field(MISC_SERVER_FID, header_start, header_length, change_bits); int32_t responseCodeNum = http_event->get_response_code(); - if (responseCodeNum > 0 && responseCodeNum < 700) + if (responseCodeNum > 0 and responseCodeNum < 700) { unsigned int ret; char tmpstr[32]; @@ -185,19 +185,19 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) if (http_event->get_is_httpx()) { AppId http_app_id = flow->stream_intf->get_appid_from_stream(flow); - assert((http_app_id == APP_ID_HTTP2) || (http_app_id == APP_ID_HTTP3)); + assert((http_app_id == APP_ID_HTTP2) or (http_app_id == APP_ID_HTTP3)); asd->set_service_id(http_app_id, asd->get_odp_ctxt()); } hsession->process_http_packet(direction, change_bits, asd->get_odp_ctxt().get_http_matchers()); - if (asd->get_service_id() != APP_ID_HTTP2) + if (!http_event->get_is_httpx()) asd->set_ss_application_ids(asd->pick_service_app_id(), asd->pick_ss_client_app_id(), asd->pick_ss_payload_app_id(), asd->pick_ss_misc_app_id(), asd->pick_ss_referred_payload_app_id(), change_bits); else - asd->set_application_ids_service(APP_ID_HTTP2, change_bits); + asd->set_application_ids_service(asd->get_service_id(), change_bits); asd->publish_appid_event(change_bits, *p, http_event->get_is_httpx(), asd->get_api().get_hsessions_size() - 1); diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc index 62c5e7fcb..a609f1f68 100644 --- a/src/network_inspectors/appid/appid_http_session.cc +++ b/src/network_inspectors/appid/appid_http_session.cc @@ -122,8 +122,8 @@ void AppIdHttpSession::set_scan_flags(HttpFieldIds id) void AppIdHttpSession::set_tun_dest() { assert(meta_data[REQ_URI_FID]); - char *host = nullptr, *host_start, *host_end = nullptr, *url_end; - char *port_str = nullptr; + char* host = nullptr, *host_start, *host_end = nullptr, *url_end; + char* port_str = nullptr; uint16_t port = 0; int is_IPv6 = 0; char* url = strdup(meta_data[REQ_URI_FID]->c_str()); @@ -134,7 +134,7 @@ void AppIdHttpSession::set_tun_dest() { is_IPv6 = 1; port_str = strchr(url, ']'); - if (port_str && port_str < url_end) + if (port_str and port_str < url_end) { if (*(++port_str) != ':') { @@ -142,19 +142,19 @@ void AppIdHttpSession::set_tun_dest() } } } - else if(isdigit(url[0])) + else if (isdigit(url[0])) { port_str = strrchr(url, ':'); } - if (port_str && port_str < url_end ) + if (port_str and port_str < url_end ) { host_end = port_str; if (*(++port_str) != '\0') { - char *end = nullptr; + char* end = nullptr; long ret = strtol(port_str, &end, 10); - if (end != port_str && *end == '\0' && ret >= 1 && ret <= PORT_MAX) + if (end != port_str and *end == '\0' and ret >= 1 and ret <= PORT_MAX) { port = (uint16_t)ret; } @@ -179,12 +179,12 @@ void AppIdHttpSession::set_tun_dest() } if (host) { - if(tun_dest) + if (tun_dest) delete tun_dest; tun_dest= new TunnelDest(host, port); free(host); } - free(url ); + free(url); } bool AppIdHttpSession::initial_chp_sweep(ChpMatchDescriptor& cmd, HttpPatternMatchers& http_matchers) @@ -193,7 +193,7 @@ bool AppIdHttpSession::initial_chp_sweep(ChpMatchDescriptor& cmd, HttpPatternMat for (unsigned i = 0; i <= MAX_KEY_PATTERN; i++) { - if (cmd.buffer[i] && cmd.length[i]) + if (cmd.buffer[i] and cmd.length[i]) { cmd.cur_ptype = (HttpFieldIds)i; http_matchers.scan_key_chp(cmd); @@ -234,8 +234,8 @@ bool AppIdHttpSession::initial_chp_sweep(ChpMatchDescriptor& cmd, HttpPatternMat { ptype_scan_counts[i] = cah->ptype_scan_counts[i]; ptype_req_counts[i] = cah->ptype_req_counts[i] + cah->ptype_rewrite_insert_used[i]; - if (i > 3 && !cah->ptype_scan_counts[i] - && !asd.get_session_flags(APPID_SESSION_SPDY_SESSION)) + if (i > 3 and !cah->ptype_scan_counts[i] + and !asd.get_session_flags(APPID_SESSION_SPDY_SESSION)) { asd.clear_session_flags(APPID_SESSION_CHP_INSPECTING); if (asd.tpsession) @@ -311,13 +311,13 @@ void AppIdHttpSession::process_chp_buffers(AppidChangeBits& change_bits, HttpPat if ( !ptype_scan_counts[i] ) continue; - if ( cmd.buffer[i] && cmd.length[i] ) + if ( cmd.buffer[i] and cmd.length[i] ) { int num_found = 0; cmd.cur_ptype = (HttpFieldIds)i; AppId ret = http_matchers.scan_chp(cmd, &version, &user, &num_found, this, asd.get_odp_ctxt()); total_found += num_found; - if (!ret || num_found < ptype_req_counts[i]) + if (!ret or num_found < ptype_req_counts[i]) { // No match at all or the required matches for the field was NOT made if (!num_matches) @@ -346,7 +346,7 @@ void AppIdHttpSession::process_chp_buffers(AppidChangeBits& change_bits, HttpPat // we finished the last scan // either the num_matches value was zero and we failed early-on or we need to check // for the min. - if (num_matches && total_found < num_matches) + if (num_matches and total_found < num_matches) { // There was a minimum scans match count (num_matches != 0) // And we did not reach that minimum @@ -442,7 +442,7 @@ void AppIdHttpSession::set_client(AppId app_id, AppidChangeBits& change_bits, assert(asd.flow); if (asd.flow->ha_state) asd.flow->ha_state->add(FlowHAState::MODIFIED | FlowHAState::MAJOR); - if (asd.get_service_id() == APP_ID_HTTP2) + if (asd.get_service_id() == APP_ID_HTTP2 or asd.get_service_id() == APP_ID_HTTP3) AppIdPegCounts::inc_client_count(app_id); if (version) @@ -453,7 +453,7 @@ void AppIdHttpSession::set_client(AppId app_id, AppidChangeBits& change_bits, if (appidDebug->is_active()) { - const char *app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(app_id); + const char* app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(app_id); LogMessage("AppIdDbg %s %s is client %s (%d)\n", appidDebug->get_debug_session(), type, app_name ? app_name : "unknown", app_id); } @@ -470,14 +470,14 @@ void AppIdHttpSession::set_payload(AppId app_id, AppidChangeBits& change_bits, assert(asd.flow); if (asd.flow->ha_state) asd.flow->ha_state->add(FlowHAState::MODIFIED | FlowHAState::MAJOR); - if (asd.get_service_id() == APP_ID_HTTP2) + if (asd.get_service_id() == APP_ID_HTTP2 or asd.get_service_id() == APP_ID_HTTP3) AppIdPegCounts::inc_payload_count(app_id); payload.set_version(version); if (appidDebug->is_active()) { - const char *app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(app_id); - if(app_id == APP_ID_UNKNOWN) + const char* app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(app_id); + if (app_id == APP_ID_UNKNOWN) LogMessage("AppIdDbg %s Payload is Unknown (%d)\n", appidDebug->get_debug_session(), app_id); else @@ -492,13 +492,13 @@ void AppIdHttpSession::set_referred_payload(AppId app_id, AppidChangeBits& chang return; referred_payload_app_id = app_id; - if (asd.get_service_id() == APP_ID_HTTP2) + if (asd.get_service_id() == APP_ID_HTTP2 or asd.get_service_id() == APP_ID_HTTP3) AppIdPegCounts::inc_referred_count(app_id); change_bits.set(APPID_REFERRED_BIT); if (appidDebug->is_active()) { - const char *app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(app_id); + const char* app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(app_id); LogMessage("AppIdDbg %s URL is referred %s (%d)\n", appidDebug->get_debug_session(), app_name ? app_name : "unknown", app_id); } @@ -514,14 +514,14 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, // For fragmented HTTP headers, do not process if none of the fields are set. // These fields will get set when the HTTP header is reassembled. - if ( !useragent && !host && !referer && !uri ) + if ( !useragent and !host and !referer and !uri ) { if (!skip_simple_detect) asd.clear_http_flags(); return 0; } - if ( direction == APP_ID_FROM_RESPONDER && + if ( direction == APP_ID_FROM_RESPONDER and !asd.get_session_flags(APPID_SESSION_RESPONSE_CODE_CHECKED) ) { const std::string* response_code; @@ -552,7 +552,8 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, #endif } - if (asd.get_service_id() == APP_ID_NONE or asd.get_service_id() == APP_ID_HTTP2) + if (asd.get_service_id() == APP_ID_NONE or asd.get_service_id() == APP_ID_HTTP2 or + asd.get_service_id() == APP_ID_HTTP3) { if (asd.get_service_id() == APP_ID_NONE) asd.set_service_id(APP_ID_HTTP, asd.get_odp_ctxt()); @@ -560,7 +561,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, asd.service_disco_state = APPID_DISCO_STATE_FINISHED; } - if (!chp_finished || chp_hold_flow) + if (!chp_finished or chp_hold_flow) process_chp_buffers(change_bits, http_matchers); if (skip_simple_detect) // true if process_chp_buffers() found match @@ -572,8 +573,8 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, const std::string* server = meta_data[MISC_SERVER_FID]; if ( (asd.scan_flags & SCAN_HTTP_VENDOR_FLAG) and server) { - if ( asd.get_service_id() == APP_ID_NONE or asd.get_service_id() == APP_ID_HTTP or - asd.get_service_id() == APP_ID_HTTP2) + if (asd.get_service_id() == APP_ID_NONE or asd.get_service_id() == APP_ID_HTTP or + asd.get_service_id() == APP_ID_HTTP2 or asd.get_service_id() == APP_ID_HTTP3) { char* vendorVersion = nullptr; char* vendor = nullptr; @@ -581,7 +582,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, http_matchers.get_server_vendor_version(server->c_str(), server->size(), &vendorVersion, &vendor, &subtype); - if (vendor || vendorVersion) + if (vendor or vendorVersion) { asd.set_service_vendor(vendor, change_bits); asd.set_service_version(vendorVersion, change_bits); @@ -614,7 +615,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, if (service_id > APP_ID_NONE and service_id != APP_ID_HTTP and asd.get_service_id() != service_id) { - const char *app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id); + const char* app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id); LogMessage("AppIdDbg %s User Agent is service %s (%d)\n", appidDebug->get_debug_session(), app_name ? app_name : "unknown", service_id); } @@ -658,7 +659,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, asd.set_service_appid_data(app_id, change_bits, version); if (appidDebug->is_active()) { - const char *app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(app_id); + const char* app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(app_id); LogMessage("AppIdDbg %s X service %s (%d)\n", appidDebug->get_debug_session(), app_name ? app_name : "unknown", app_id); } @@ -672,7 +673,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, // Scan Content-Type Header for multimedia types and scan contents const std::string* content_type = meta_data[RSP_CONTENT_TYPE_FID]; if ( (asd.scan_flags & SCAN_HTTP_CONTENT_TYPE_FLAG) - and content_type and !asd.get_tp_payload_app_id() and payload.get_id() <= APP_ID_NONE) + and content_type and !asd.get_tp_payload_app_id() and payload.get_id() <= APP_ID_NONE) { AppId payload_id = http_matchers.get_appid_by_content_type(content_type->c_str(), content_type->size()); @@ -703,10 +704,10 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, if (asd.get_service_id() <= APP_ID_NONE) { - if (appidDebug->is_active() && service_id > APP_ID_NONE && service_id != - APP_ID_HTTP && asd.get_service_id() != service_id) + if (appidDebug->is_active() and service_id > APP_ID_NONE and service_id != + APP_ID_HTTP and asd.get_service_id() != service_id) { - const char *app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id); + const char* app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id); LogMessage("AppIdDbg %s URL is service %s (%d)\n", appidDebug->get_debug_session(), app_name ? app_name : "unknown", @@ -736,7 +737,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, { entry = asd.get_odp_ctxt().get_app_info_mgr().get_app_info_entry(tp_payload_app_id); // only move tpPayloadAppId to client if client app id is valid - if (entry && entry->clientId > APP_ID_NONE) + if (entry and entry->clientId > APP_ID_NONE) { misc_app_id = client.get_id(); client.set_id(tp_payload_app_id); @@ -746,7 +747,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, { entry = asd.get_odp_ctxt().get_app_info_mgr().get_app_info_entry(payload.get_id()); // only move payload_app_id to client if it has a ClientAppid - if (entry && entry->clientId > APP_ID_NONE) + if (entry and entry->clientId > APP_ID_NONE) { misc_app_id = client.get_id(); client.set_id(payload.get_id()); @@ -754,8 +755,9 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, } } if (payload.get_id() <= APP_ID_NONE and is_payload_processed and - (asd.get_service_id() == APP_ID_HTTP2 or (asd.get_service_id() == APP_ID_HTTP and - asd.is_tp_appid_available()))) + (asd.get_service_id() == APP_ID_HTTP2 or asd.get_service_id() == APP_ID_HTTP3 or + (asd.get_service_id() == APP_ID_HTTP and + asd.is_tp_appid_available()))) set_payload(APP_ID_UNKNOWN, change_bits); asd.clear_http_flags(); @@ -842,7 +844,7 @@ void AppIdHttpSession::set_req_body_field(HttpFieldIds id, const uint8_t* str, i meta_data[id] = new std::string((const char*)str, len); else { - std::string *req_body = new std::string(*meta_data[id]); + std::string* req_body = new std::string(*meta_data[id]); delete meta_data[id]; req_body->append((const char*)str); meta_data[id] = req_body; @@ -854,6 +856,7 @@ void AppIdHttpSession::set_req_body_field(HttpFieldIds id, const uint8_t* str, i print_field(id, meta_data[id]); } } + void AppIdHttpSession::print_field(HttpFieldIds id, const std::string* field) { string field_name; @@ -861,7 +864,7 @@ void AppIdHttpSession::print_field(HttpFieldIds id, const std::string* field) if (asd.get_session_flags(APPID_SESSION_SPDY_SESSION)) field_name = "SPDY "; else if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION)) - field_name = "HTTP "; + field_name = "HTTP "; else // This could be RTMP session; not printing RTMP fields for now return; @@ -930,3 +933,4 @@ void AppIdHttpSession::print_field(HttpFieldIds id, const std::string* field) LogMessage("AppIdDbg %s %s is %s\n", appidDebug->get_debug_session(), field_name.c_str(), field->c_str()); } + diff --git a/src/network_inspectors/appid/appid_http2_req_body_event_handler.h b/src/network_inspectors/appid/appid_httpx_req_body_event_handler.h similarity index 90% rename from src/network_inspectors/appid/appid_http2_req_body_event_handler.h rename to src/network_inspectors/appid/appid_httpx_req_body_event_handler.h index f4e6e4dbf..ae87caa9f 100644 --- a/src/network_inspectors/appid/appid_http2_req_body_event_handler.h +++ b/src/network_inspectors/appid/appid_httpx_req_body_event_handler.h @@ -16,18 +16,18 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// appid_http2_req_body_event_handler.h +// appid_httpx_req_body_event_handler.h // author Kani -#ifndef APPID_HTTP2_REQ_BODY_EVENT_HANDLER_H -#define APPID_HTTP2_REQ_BODY_EVENT_HANDLER_H +#ifndef APPID_HTTPX_REQ_BODY_EVENT_HANDLER_H +#define APPID_HTTPX_REQ_BODY_EVENT_HANDLER_H #include "pub_sub/http_request_body_event.h" -class AppIdHttp2ReqBodyEventHandler : public snort::DataHandler +class AppIdHttpXReqBodyEventHandler : public snort::DataHandler { public: - AppIdHttp2ReqBodyEventHandler() : DataHandler(MOD_NAME){ } + AppIdHttpXReqBodyEventHandler() : DataHandler(MOD_NAME){ } void handle(snort::DataEvent& event, snort::Flow* flow) override { if (!pkt_thread_odp_ctxt) @@ -45,7 +45,7 @@ public: return; snort::HttpRequestBodyEvent* http_req_body = (snort::HttpRequestBodyEvent*)&event; AppIdHttpSession* hsession = asd->get_matching_http_session( - http_req_body->get_http2_stream_id()); + http_req_body->get_httpx_stream_id()); if (!hsession) return; diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index 7cc690415..df7703b43 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -41,7 +41,7 @@ #include "appid_eve_process_event_handler.h" #include "appid_ha.h" #include "appid_http_event_handler.h" -#include "appid_http2_req_body_event_handler.h" +#include "appid_httpx_req_body_event_handler.h" #include "appid_opportunistic_tls_event_handler.h" #include "appid_peg_counts.h" #include "appid_service_event_handler.h" @@ -68,7 +68,7 @@ static void add_appid_to_packet_trace(Flow& flow, const OdpContext& odp_context) { AppIdSession* session = appid_api.get_appid_session(flow); // Skip sessions using old odp context after odp reload - if (!session || (session->get_odp_ctxt_version() != odp_context.get_version())) + if (!session or (session->get_odp_ctxt_version() != odp_context.get_version())) return; AppId service_id, client_id, payload_id, misc_id; @@ -123,7 +123,7 @@ bool AppIdInspector::configure(SnortConfig* sc) DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler( HttpEventHandler::RESPONSE_EVENT, *this), *sc); - DataBus::subscribe_global(HTTP2_REQUEST_BODY_EVENT_KEY, new AppIdHttp2ReqBodyEventHandler(), *sc); + DataBus::subscribe_global(HTTPX_REQUEST_BODY_EVENT_KEY, new AppIdHttpXReqBodyEventHandler(), *sc); DataBus::subscribe_global(DATA_DECRYPT_EVENT, new DataDecryptEventHandler(), *sc); diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 1dab790e9..08f25e8c0 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -76,8 +76,8 @@ static inline bool is_special_session_monitored(const Packet* p) { if (p->is_ip4()) { - if (p->is_udp() && ((p->ptrs.sp == 68 && p->ptrs.dp == 67) - || (p->ptrs.sp == 67 && p->ptrs.dp == 68))) + if (p->is_udp() and ((p->ptrs.sp == 68 and p->ptrs.dp == 67) + or (p->ptrs.sp == 67 and p->ptrs.dp == 68))) { return true; } @@ -110,7 +110,7 @@ AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, const SfIp* ip = (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.ip_api.get_src() : p->ptrs.ip_api.get_dst(); - if ((proto == IpProtocol::TCP || proto == IpProtocol::UDP) && + if ((proto == IpProtocol::TCP or proto == IpProtocol::UDP) and (p->ptrs.sp != p->ptrs.dp)) port = (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp; @@ -223,7 +223,7 @@ AppIdSession* AppIdSession::create_future_session(const Packet* ctrlPkt, const S char dst_ip[INET6_ADDRSTRLEN]; AppIdInspector* inspector = (AppIdInspector*)ctrlPkt->flow->flow_data->get_handler(); - if ((inspector == nullptr) || strcmp(inspector->get_name(), MOD_NAME)) + if ((inspector == nullptr) or strcmp(inspector->get_name(), MOD_NAME)) inspector = (AppIdInspector*)InspectorManager::get_inspector(MOD_NAME, true); // FIXIT-RC - port parameter passed in as 0 since we may not know client port, verify @@ -383,7 +383,7 @@ void AppIdSession::check_ssl_detection_restart(AppidChangeBits& change_bits, // 1. Start off as SSL - captured with isSsl flag, OR // 2. It could start off as a non-SSL session and later change to SSL. For example, FTP->FTPS. // In this case APPID_SESSION_ENCRYPTED flag is set by the protocol state machine. - if (get_session_flags(APPID_SESSION_ENCRYPTED) || isSsl) + if (get_session_flags(APPID_SESSION_ENCRYPTED) or isSsl) { set_session_flags(APPID_SESSION_DECRYPTED); encrypted.service_id = service_id; @@ -457,9 +457,9 @@ void AppIdSession::update_encrypted_app_id(AppId service_id) switch (service_id) { case APP_ID_HTTP: - if (misc_app_id == APP_ID_NSIIOPS || - misc_app_id == APP_ID_DDM_SSL || - misc_app_id == APP_ID_MSFT_GC_SSL || + if (misc_app_id == APP_ID_NSIIOPS or + misc_app_id == APP_ID_DDM_SSL or + misc_app_id == APP_ID_MSFT_GC_SSL or misc_app_id == APP_ID_SF_APPLIANCE_MGMT) { break; @@ -597,7 +597,7 @@ void AppIdSession::examine_rtmp_metadata(AppidChangeBits& change_bits) const char* referer = hsession->get_cfield(REQ_REFERER_FID); if ((http_matchers.get_appid_from_url(nullptr, url, &version, referer, &client_id, &service_id, &payload_id, - &referred_payload_id, true, odp_ctxt)) || + &referred_payload_id, true, odp_ctxt)) or (http_matchers.get_appid_from_url(nullptr, url, &version, referer, &client_id, &service_id, &payload_id, &referred_payload_id, false, odp_ctxt))) @@ -617,7 +617,7 @@ void AppIdSession::examine_rtmp_metadata(AppidChangeBits& change_bits) void AppIdSession::set_client_appid_data(AppId id, AppidChangeBits& change_bits, char* version) { - if (id <= APP_ID_NONE || id == APP_ID_HTTP) + if (id <= APP_ID_NONE or id == APP_ID_HTTP) return; AppId cur_id = api.client.get_id(); @@ -667,8 +667,8 @@ void AppIdSession::set_service_appid_data(AppId id, AppidChangeBits& change_bits bool AppIdSession::is_svc_taking_too_much_time() const { - return (init_pkts_without_reply > odp_ctxt.max_packet_service_fail_ignore_bytes || - (init_pkts_without_reply > odp_ctxt.max_packet_before_service_fail && + return (init_pkts_without_reply > odp_ctxt.max_packet_service_fail_ignore_bytes or + (init_pkts_without_reply > odp_ctxt.max_packet_before_service_fail and init_bytes_without_reply > odp_ctxt.max_bytes_before_service_fail)); } @@ -724,7 +724,7 @@ void AppIdSession::free_flow_data_by_id(unsigned id) void AppIdSession::free_flow_data_by_mask(unsigned mask) { for (AppIdFlowDataIter it = flow_data.cbegin(); it != flow_data.cend();) - if (!mask || (it->second->fd_id & mask)) + if (!mask or (it->second->fd_id & mask)) { delete it->second; it = flow_data.erase(it); @@ -786,9 +786,9 @@ AppId AppIdSession::pick_service_app_id() const { if (is_service_detected()) { - bool deferred = api.service.get_deferred() || tp_app_id_deferred; + bool deferred = api.service.get_deferred() or tp_app_id_deferred; - if (api.service.get_id() > APP_ID_NONE && !deferred) + if (api.service.get_id() > APP_ID_NONE and !deferred) return api.service.get_id(); if (is_tp_appid_available()) { @@ -821,7 +821,7 @@ AppId AppIdSession::pick_service_app_id() const AppId AppIdSession::pick_ss_misc_app_id() const { - if (api.service.get_id() == APP_ID_HTTP2) + if (api.service.get_id() == APP_ID_HTTP2 or api.service.get_id() == APP_ID_HTTP3) return APP_ID_NONE; if (misc_app_id > APP_ID_NONE) @@ -838,7 +838,7 @@ AppId AppIdSession::pick_ss_misc_app_id() const AppId AppIdSession::pick_ss_client_app_id() const { - if (api.service.get_id() == APP_ID_HTTP2) + if (api.service.get_id() == APP_ID_HTTP2 or api.service.get_id() == APP_ID_HTTP3) return APP_ID_NONE; AppId tmp_id = APP_ID_NONE; @@ -868,7 +868,7 @@ AppId AppIdSession::pick_ss_client_app_id() const AppId AppIdSession::pick_ss_payload_app_id(AppId service_id) const { - if (service_id == APP_ID_HTTP2) + if (service_id == APP_ID_HTTP2 or service_id == APP_ID_HTTP3) return APP_ID_NONE; if (tp_payload_app_id_deferred) @@ -919,7 +919,7 @@ AppId AppIdSession::pick_ss_payload_app_id() const AppId AppIdSession::pick_ss_referred_payload_app_id() const { - if (api.service.get_id() == APP_ID_HTTP2) + if (api.service.get_id() == APP_ID_HTTP2 or api.service.get_id() == APP_ID_HTTP3) return APP_ID_NONE; AppId tmp_id = APP_ID_NONE; @@ -1044,14 +1044,14 @@ bool AppIdSession::is_tp_appid_done() const return false; unsigned state = tpsession->get_state(); - return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED || + return (state == TP_STATE_CLASSIFIED or state == TP_STATE_TERMINATED or state == TP_STATE_HA); } bool AppIdSession::is_tp_processing_done() const { - if (!get_session_flags(APPID_SESSION_NO_TPI) && - (!is_tp_appid_done() || + if (!get_session_flags(APPID_SESSION_NO_TPI) and + (!is_tp_appid_done() or get_session_flags(APPID_SESSION_APP_REINSPECT | APPID_SESSION_APP_REINSPECT_SSL))) return false; @@ -1067,7 +1067,7 @@ bool AppIdSession::is_tp_appid_available() const unsigned state = tpsession->get_state(); - return (state == TP_STATE_CLASSIFIED || state == TP_STATE_TERMINATED || + return (state == TP_STATE_CLASSIFIED or state == TP_STATE_TERMINATED or state == TP_STATE_MONITORING); } diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 76549a523..6f21da590 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -323,7 +323,7 @@ public: AppId pick_service_app_id() const; // pick_ss_* and set_ss_* methods below are for application protocols that support only a single - // stream in a flow. They should not be used for HTTP2 sessions which can have multiple + // stream in a flow. They should not be used for HTTP2/HTTP3 sessions which can have multiple // streams within a single flow AppId pick_ss_misc_app_id() const; AppId pick_ss_client_app_id() const; @@ -421,14 +421,14 @@ public: inferred_svcs_ver++; } - uint16_t get_prev_http2_raw_packet() const + uint16_t get_prev_httpx_raw_packet() const { - return prev_http2_raw_packet; + return prev_httpx_raw_packet; } - void set_prev_http2_raw_packet(uint16_t packet_num) + void set_prev_httpx_raw_packet(uint16_t packet_num) { - prev_http2_raw_packet = packet_num; + prev_httpx_raw_packet = packet_num; } const snort::AppIdSessionApi& get_api() const @@ -663,7 +663,7 @@ public: } private: - uint16_t prev_http2_raw_packet = 0; + uint16_t prev_httpx_raw_packet = 0; void reinit_session_data(AppidChangeBits& change_bits, ThirdPartyAppIdContext* tp_appid_ctxt); void delete_session_data(); diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc index 2a194e2c4..6485237ec 100644 --- a/src/network_inspectors/appid/appid_session_api.cc +++ b/src/network_inspectors/appid/appid_session_api.cc @@ -68,12 +68,14 @@ const char* AppIdSessionApi::get_user_info(AppId& service, bool& login) const AppId AppIdSessionApi::get_misc_app_id(uint32_t stream_index) const { - if (get_service_app_id() == APP_ID_HTTP2) + if (get_service_app_id() == APP_ID_HTTP2 or get_service_app_id() == APP_ID_HTTP3) { - if (stream_index >= get_hsessions_size()) + if ((stream_index != 0) and (stream_index >= get_hsessions_size())) return APP_ID_NONE; else if (AppIdHttpSession* hsession = get_hsession(stream_index)) return hsession->misc_app_id; + else if ((get_service_app_id() == APP_ID_HTTP3) and (stream_index == 0)) + return application_ids[APP_PROTOID_MISC]; } else if (stream_index == 0) return application_ids[APP_PROTOID_MISC]; @@ -83,12 +85,14 @@ AppId AppIdSessionApi::get_misc_app_id(uint32_t stream_index) const AppId AppIdSessionApi::get_client_app_id(uint32_t stream_index) const { - if (get_service_app_id() == APP_ID_HTTP2) + if (get_service_app_id() == APP_ID_HTTP2 or get_service_app_id() == APP_ID_HTTP3) { - if (stream_index >= get_hsessions_size()) + if ((stream_index != 0) and (stream_index >= get_hsessions_size())) return APP_ID_NONE; else if (AppIdHttpSession* hsession = get_hsession(stream_index)) return hsession->client.get_id(); + else if ((get_service_app_id() == APP_ID_HTTP3) and (stream_index == 0)) + return application_ids[APP_PROTOID_CLIENT]; } else if (stream_index == 0) return application_ids[APP_PROTOID_CLIENT]; @@ -98,12 +102,14 @@ AppId AppIdSessionApi::get_client_app_id(uint32_t stream_index) const AppId AppIdSessionApi::get_payload_app_id(uint32_t stream_index) const { - if (get_service_app_id() == APP_ID_HTTP2) + if (get_service_app_id() == APP_ID_HTTP2 or get_service_app_id() == APP_ID_HTTP3) { - if (stream_index >= get_hsessions_size()) + if ((stream_index != 0) and (stream_index >= get_hsessions_size())) return APP_ID_NONE; else if (AppIdHttpSession* hsession = get_hsession(stream_index)) return hsession->payload.get_id(); + else if ((get_service_app_id() == APP_ID_HTTP3) and (stream_index == 0)) + return application_ids[APP_PROTOID_PAYLOAD]; } else if (stream_index == 0) return application_ids[APP_PROTOID_PAYLOAD]; @@ -113,7 +119,7 @@ AppId AppIdSessionApi::get_payload_app_id(uint32_t stream_index) const AppId AppIdSessionApi::get_referred_app_id(uint32_t stream_index) const { - if (get_service_app_id() == APP_ID_HTTP2) + if (get_service_app_id() == APP_ID_HTTP2 or get_service_app_id() == APP_ID_HTTP3) { if ((stream_index != 0) and (stream_index >= get_hsessions_size())) return APP_ID_UNKNOWN; @@ -129,7 +135,7 @@ AppId AppIdSessionApi::get_referred_app_id(uint32_t stream_index) const void AppIdSessionApi::get_app_id(AppId& service, AppId& client, AppId& payload, AppId& misc, AppId& referred, uint32_t stream_index) const { - if (get_service_app_id() == APP_ID_HTTP2) + if (get_service_app_id() == APP_ID_HTTP2 or get_service_app_id() == APP_ID_HTTP3) { if ((stream_index != 0) and (stream_index >= get_hsessions_size())) { @@ -154,7 +160,7 @@ void AppIdSessionApi::get_app_id(AppId& service, AppId& client, void AppIdSessionApi::get_app_id(AppId* service, AppId* client, AppId* payload, AppId* misc, AppId* referred, uint32_t stream_index) const { - if (get_service_app_id() == APP_ID_HTTP2) + if (get_service_app_id() == APP_ID_HTTP2 or get_service_app_id() == APP_ID_HTTP3) { if ((stream_index != 0) and (stream_index >= get_hsessions_size())) { @@ -243,12 +249,12 @@ bool AppIdSessionApi::is_appid_available(uint32_t stream_index) const { if (!asd) return false; - if (service.get_id() == APP_ID_HTTP2) + if (service.get_id() == APP_ID_HTTP2 or service.get_id() == APP_ID_HTTP3) return (get_payload_app_id(stream_index) != APP_ID_NONE); else - return ( (service.get_id() != APP_ID_NONE || - payload.get_id() != APP_ID_NONE) && - (asd->is_tp_appid_available() || + return ( (service.get_id() != APP_ID_NONE or + payload.get_id() != APP_ID_NONE) and + (asd->is_tp_appid_available() or asd->get_session_flags(APPID_SESSION_NO_TPI)) ); } @@ -411,11 +417,13 @@ void AppIdSessionApi::set_application_ids_service(AppId service_id, AppidChangeB } } +// For HTTP3, mercury can identify client,payload and misc. So check for them +// even if no hsession is present, but prefer appid stored in hsession. void AppIdSessionApi::get_first_stream_app_ids(AppId& service_id, AppId& client_id, AppId& payload_id, AppId& misc_id) const { service_id = application_ids[APP_PROTOID_SERVICE]; - if (service_id != APP_ID_HTTP2) + if (service_id != APP_ID_HTTP2 and service_id != APP_ID_HTTP3) { client_id = application_ids[APP_PROTOID_CLIENT]; payload_id = application_ids[APP_PROTOID_PAYLOAD]; @@ -427,6 +435,12 @@ void AppIdSessionApi::get_first_stream_app_ids(AppId& service_id, AppId& client_ payload_id = hsession->payload.get_id(); misc_id = hsession->misc_app_id; } + else if (service_id == APP_ID_HTTP3) + { + client_id = application_ids[APP_PROTOID_CLIENT]; + payload_id = application_ids[APP_PROTOID_PAYLOAD]; + misc_id = application_ids[APP_PROTOID_MISC]; + } else { client_id = APP_ID_NONE; @@ -439,7 +453,7 @@ void AppIdSessionApi::get_first_stream_app_ids(AppId& service_id, AppId& client_ AppId& payload_id) const { service_id = application_ids[APP_PROTOID_SERVICE]; - if (service_id != APP_ID_HTTP2) + if (service_id != APP_ID_HTTP2 and service_id != APP_ID_HTTP3) { client_id = application_ids[APP_PROTOID_CLIENT]; payload_id = application_ids[APP_PROTOID_PAYLOAD]; @@ -449,6 +463,11 @@ void AppIdSessionApi::get_first_stream_app_ids(AppId& service_id, AppId& client_ client_id = hsession->client.get_id(); payload_id = hsession->payload.get_id(); } + else if (service_id == APP_ID_HTTP3) + { + client_id = application_ids[APP_PROTOID_CLIENT]; + payload_id = application_ids[APP_PROTOID_PAYLOAD]; + } else { client_id = APP_ID_NONE; diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h index 6f0c62aec..b9a90b8ca 100644 --- a/src/network_inspectors/appid/appid_session_api.h +++ b/src/network_inspectors/appid/appid_session_api.h @@ -130,7 +130,7 @@ public: const char* get_netbios_domain() const; ClientAppDetectType get_client_app_detect_type() const; - // For protocols such as HTTP2 which can have multiple streams within a single flow, + // For protocols such as HTTP2/HTTP3 which can have multiple streams within a single flow, // get_first_stream_* methods return the appids in the first stream seen in a packet. void get_first_stream_app_ids(AppId& service, AppId& client, AppId& payload, AppId& misc) const; void get_first_stream_app_ids(AppId& service, AppId& client, AppId& payload) const; diff --git a/src/network_inspectors/appid/ips_appid_option.cc b/src/network_inspectors/appid/ips_appid_option.cc index 5fe37644d..975f915ed 100644 --- a/src/network_inspectors/appid/ips_appid_option.cc +++ b/src/network_inspectors/appid/ips_appid_option.cc @@ -124,7 +124,7 @@ IpsOption::EvalStatus AppIdIpsOption::eval(Cursor&, Packet* p) AppId service_id = session->get_api().get_service_app_id(); OdpContext& odp_ctxt = session->get_odp_ctxt(); - if (service_id != APP_ID_HTTP2) + if (service_id != APP_ID_HTTP2 and service_id != APP_ID_HTTP3) { AppId app_ids[APP_PROTOID_MAX]; diff --git a/src/pub_sub/http_request_body_event.cc b/src/pub_sub/http_request_body_event.cc index 4cd4d743d..b508b4a33 100644 --- a/src/pub_sub/http_request_body_event.cc +++ b/src/pub_sub/http_request_body_event.cc @@ -51,7 +51,7 @@ bool HttpRequestBodyEvent::is_last_request_body_piece() return last_piece; } -uint32_t HttpRequestBodyEvent::get_http2_stream_id() const +int64_t HttpRequestBodyEvent::get_httpx_stream_id() const { return http_flow_data->get_hx_stream_id(); } diff --git a/src/pub_sub/http_request_body_event.h b/src/pub_sub/http_request_body_event.h index 02487c636..3e0a88983 100644 --- a/src/pub_sub/http_request_body_event.h +++ b/src/pub_sub/http_request_body_event.h @@ -26,7 +26,7 @@ #include "service_inspectors/http_inspect/http_msg_body.h" // These are common values between the HTTP inspector and the subscribers. -#define HTTP2_REQUEST_BODY_EVENT_KEY "http2_request_body_event" +#define HTTPX_REQUEST_BODY_EVENT_KEY "httpx_request_body_event" class HttpFlowData; @@ -43,7 +43,7 @@ public: const uint8_t* get_request_body_data(int32_t& length, int32_t& offset); bool is_last_request_body_piece(); - uint32_t get_http2_stream_id() const; + int64_t get_httpx_stream_id() const; private: const HttpMsgBody* const http_msg_body; diff --git a/src/pub_sub/test/pub_sub_http_request_body_event_test.cc b/src/pub_sub/test/pub_sub_http_request_body_event_test.cc index c27c8b4d6..b1e98bacd 100644 --- a/src/pub_sub/test/pub_sub_http_request_body_event_test.cc +++ b/src/pub_sub/test/pub_sub_http_request_body_event_test.cc @@ -132,7 +132,7 @@ TEST(pub_sub_http_request_body_event_test, first_event) CHECK(memcmp(data, msg.data(), length) == 0); CHECK(length == msg_len); CHECK(offset == 0); - CHECK(event.get_http2_stream_id() == stream_id); + CHECK(event.get_httpx_stream_id() == stream_id); CHECK_FALSE(event.is_last_request_body_piece()); delete body; } @@ -153,7 +153,7 @@ TEST(pub_sub_http_request_body_event_test, last_event) CHECK(memcmp(data, msg.data(), length) == 0); CHECK(length == msg_len); CHECK(offset == 1500); - CHECK(event.get_http2_stream_id() == stream_id); + CHECK(event.get_httpx_stream_id() == stream_id); CHECK(event.is_last_request_body_piece()); delete body; } @@ -169,7 +169,7 @@ TEST(pub_sub_http_request_body_event_test, empty_data_last_event) CHECK(data == nullptr); CHECK(length == 0); CHECK(offset == 1500); - CHECK(event.get_http2_stream_id() == stream_id); + CHECK(event.get_httpx_stream_id() == stream_id); CHECK(event.is_last_request_body_piece()); } diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index 8de6f2055..a6d565ef4 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc @@ -65,7 +65,7 @@ void HttpMsgBody::publish() HttpRequestBodyEvent http_request_body_event(this, publish_octets, last_piece, session_data); - DataBus::publish(HTTP2_REQUEST_BODY_EVENT_KEY, http_request_body_event, flow); + DataBus::publish(HTTPX_REQUEST_BODY_EVENT_KEY, http_request_body_event, flow); publish_octets += publish_length; #ifdef REG_TEST if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP)) diff --git a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc index b9f6ebfea..18c491df4 100644 --- a/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc +++ b/src/service_inspectors/http_inspect/http_stream_splitter_finish.cc @@ -198,7 +198,7 @@ bool HttpStreamSplitter::finish(Flow* flow) { HttpRequestBodyEvent http_request_body_event(nullptr, session_data->publish_octets[source_id], true, session_data); - DataBus::publish(HTTP2_REQUEST_BODY_EVENT_KEY, http_request_body_event, flow); + DataBus::publish(HTTPX_REQUEST_BODY_EVENT_KEY, http_request_body_event, flow); #ifdef REG_TEST if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP)) {