From: Shravan Rangarajuvenkata (shrarang)
Date: Wed, 15 Dec 2021 14:41:40 +0000 (+0000)
Subject: Pull request #3214: appid: changes to handle SNI in efp event.
X-Git-Tag: 3.1.20.0~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34103742c4081258fde090dd1e35020094f87336;p=thirdparty%2Fsnort3.git
Pull request #3214: appid: changes to handle SNI in efp event.
Merge in SNORT/snort3 from ~PRBHALER/snort3:quic_meta to master
Squashed commit of the following:
commit 4d0950cfc918aec9104ca349d5dfa16150b5b202
Author: Pranav Bhalerao
Date: Fri Dec 10 15:38:16 2021 +0530
appid: handle SNI in efp event.
---
diff --git a/src/network_inspectors/appid/appid_efp_process_event_handler.cc b/src/network_inspectors/appid/appid_efp_process_event_handler.cc
index 669cb7811..46a7429bb 100644
--- a/src/network_inspectors/appid/appid_efp_process_event_handler.cc
+++ b/src/network_inspectors/appid/appid_efp_process_event_handler.cc
@@ -23,6 +23,7 @@
 #endif
 #include "appid_efp_process_event_handler.h"
+#include "detection/detection_engine.h"
 #include "appid_debug.h"
 #include "appid_inspector.h"
@@ -46,14 +47,40 @@ void AppIdEfpProcessEventHandler::handle(DataEvent& event, Flow* flow)
 const std::string& name = efp_process_event.get_process_name();
 uint8_t conf = efp_process_event.get_process_confidence();
+ const std::string& server_name = efp_process_event.get_server_name();
+ AppId app_id = APP_ID_NONE;
- AppId app_id = asd->get_odp_ctxt().get_efp_ca_matchers().match_efp_ca_pattern(name,
- conf);
+ if (!name.empty())
+ {
+ app_id = asd->get_odp_ctxt().get_efp_ca_matchers().match_efp_ca_pattern(name,
+ conf);
+
+ asd->set_efp_client_app_id(app_id);
+ }
 if (appidDebug->is_active())
 LogMessage("AppIdDbg %s encrypted client app %d process name '%s', "
- "confidence: %d\n", appidDebug->get_debug_session(), app_id, name.c_str(), conf);
+ "confidence: %d, server name '%s'\n", appidDebug->get_debug_session(), app_id,
+ name.c_str(), conf, server_name.c_str());
- asd->set_efp_client_app_id(app_id);
-}
+ if (!server_name.empty())
+ {
+ AppId client_id;
+ AppId payload_id;
+ AppidChangeBits change_bits;
+ snort::Packet* p = snort::DetectionEngine::get_current_packet();
+
+ if (!asd->tsession)
+ asd->tsession = new TlsSession();
+ asd->tsession->set_tls_host(server_name.c_str(), server_name.length(), change_bits);
+ asd->set_tls_host(change_bits);
+
+ asd->get_odp_ctxt().get_ssl_matchers().scan_hostname(reinterpret_cast(server_name.c_str()),
+ server_name.length(), client_id, payload_id);
+ asd->set_payload_id(payload_id);
+ asd->set_ss_application_ids_payload(payload_id, change_bits);
+
+ asd->publish_appid_event(change_bits, *p);
+ }
+}
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index fb3e752ce..66ab5ca4b 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
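Review bot: `client_id` and `payload_id` are declared without an initializer, and `payload_id` is then handed to `set_payload_id` and `set_ss_application_ids_payload` regardless of the boolean that `scan_hostname` returns; unless `scan_hostname` assigns both outputs on every path (its body is outside this diff, and the test stub in this same commit returns `true` without touching them), a server name with no pattern match would publish an indeterminate AppId. Initialize them, `AppId client_id = APP_ID_NONE;` and `AppId payload_id = APP_ID_NONE;`, and note that `client_id` is filled in but never used. `snort::DetectionEngine::get_current_packet()` is dereferenced as `*p` with no null check, although the event already carries its packet via `get_packet()` in efp_process_event.h, so `*efp_process_event.get_packet()` would avoid both the unchecked global lookup and the new detection-engine include. The missing template argument on `reinterpret_cast(server_name.c_str())` is presumably a rendering artifact of this page rather than the committed code. The start of `handle` lies above the hunk.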
@@ -950,6 +950,13 @@ void AppIdSession::set_ss_application_ids(AppId client_id, AppId payload_id,
 api.set_ss_application_ids(client_id, payload_id, change_bits, *flow);
 }
+void AppIdSession::set_ss_application_ids_payload(AppId payload_id,
+ AppidChangeBits& change_bits)
+{
+ assert(flow);
+ api.set_ss_application_ids_payload(payload_id, change_bits, *flow);
+}
+
 void AppIdSession::set_application_ids_service(AppId service_id, AppidChangeBits& change_bits)
 {
 assert(flow);
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 3f1da2acb..b95c6e4d5 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
@@ -334,6 +334,7 @@ public:
 void set_ss_application_ids(AppId service, AppId client, AppId payload, AppId misc,
 AppId referred, AppidChangeBits& change_bits);
 void set_ss_application_ids(AppId client, AppId payload, AppidChangeBits& change_bits);
+ void set_ss_application_ids_payload(AppId payload, AppidChangeBits& change_bits);
 void set_application_ids_service(AppId service_id, AppidChangeBits& change_bits);
 void examine_ssl_metadata(AppidChangeBits& change_bits);
diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc
index eff468c0b..95d7bb41a 100644
--- a/src/network_inspectors/appid/appid_session_api.cc
+++ b/src/network_inspectors/appid/appid_session_api.cc
@@ -386,6 +386,18 @@ void AppIdSessionApi::set_ss_application_ids(AppId service_id, AppId client_id,
 }
 }
+void AppIdSessionApi::set_ss_application_ids_payload(AppId payload_id,
+ AppidChangeBits& change_bits, Flow& flow)
+{
+ if (application_ids[APP_PROTOID_PAYLOAD] != payload_id)
+ {
+ application_ids[APP_PROTOID_PAYLOAD] = payload_id;
+ change_bits.set(APPID_PAYLOAD_BIT);
+ if (flow.ha_state)
+ flow.ha_state->add(FlowHAState::MODIFIED | FlowHAState::MAJOR);
+ }
+}
+
 void AppIdSessionApi::set_ss_application_ids(AppId client_id, AppId payload_id,
 AppidChangeBits& change_bits, Flow& flow)
 {
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index c5a96cdf1..3dfed7e16 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
@@ -183,6 +183,7 @@ private:
 void set_ss_application_ids(AppId service, AppId client, AppId payload, AppId misc,
 AppId referred, AppidChangeBits& change_bits, Flow& flow);
 void set_ss_application_ids(AppId client, AppId payload, AppidChangeBits& change_bits, Flow& flow);
+ void set_ss_application_ids_payload(AppId payload, AppidChangeBits& change_bits, Flow& flow);
 void set_application_ids_service(AppId service_id, AppidChangeBits& change_bits, Flow& flow);
 void set_netbios_name(AppidChangeBits& change_bits, const char* name);
 void set_netbios_domain(AppidChangeBits& change_bits, const char* domain);
diff --git a/src/network_inspectors/appid/test/appid_efp_process_event_handler_test.cc b/src/network_inspectors/appid/test/appid_efp_process_event_handler_test.cc
index 63ed44503..1309e6059 100644
--- a/src/network_inspectors/appid/test/appid_efp_process_event_handler_test.cc
+++ b/src/network_inspectors/appid/test/appid_efp_process_event_handler_test.cc
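Review bot: The body of `set_ss_application_ids_payload` (compare, assign, set `APPID_PAYLOAD_BIT`, mark `FlowHAState` modified) presumably repeats the payload half of the two-argument `set_ss_application_ids` overload whose signature starts right below the added block and whose body is outside the diff; if so, letting that overload delegate its payload update to the new helper would keep the change-bit and HA bookkeeping in one place. The header hunk adds the declaration without a comment, so a one-liner above the definition such as `// Update only the payload id; flags the flow for HA sync when it changes` would document the new entry point.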
@@ -52,6 +52,27 @@ AppIdSession* AppIdApi::get_appid_session(Flow const&) { return session; }
 Packet::Packet(bool) { }
 Packet::~Packet() = default;
+
+Packet* DetectionEngine::get_current_packet()
+{
+ static Packet p;
+ return &p;
+}
+}
+
+void AppIdSession::publish_appid_event(AppidChangeBits&, const Packet&, bool, uint32_t)
+{
+ return;
+}
+
+bool SslPatternMatchers::scan_hostname(const uint8_t*, size_t, AppId&, AppId&)
+{
+ return true;
+}
+
+void AppIdSession::set_ss_application_ids_payload(AppId, AppidChangeBits&)
+{
+ return;
 }
 void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection,
@@ -59,6 +80,7 @@ void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDir
 void AppIdModule::reset_stats() { }
 void AppIdDebug::activate(snort::Flow const*, AppIdSession const*, bool) { }
+
 AppId EfpCaPatternMatchers::match_efp_ca_pattern(const string&, uint8_t)
 {
 return APPID_UT_ID;
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index debf211ff..62c6bbdd3 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -409,7 +409,7 @@ static inline void process_quic(AppIdSession& asd,
 if ( !asd.tsession )
 asd.tsession = new TlsSession();
- if ( (field=attribute_data.quic_sni()) != nullptr )
+ if ( !asd.tsession->get_tls_host() and (field=attribute_data.quic_sni()) != nullptr )
 {
 if ( appidDebug->is_active() )
 LogMessage("AppIdDbg %s Flow is QUIC\n", appidDebug->get_debug_session());
diff --git a/src/pub_sub/efp_process_event.h b/src/pub_sub/efp_process_event.h
index 1c0e44daf..2b9f05ed5 100644
--- a/src/pub_sub/efp_process_event.h
+++ b/src/pub_sub/efp_process_event.h
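Review bot: The `SslPatternMatchers::scan_hostname` stub returns `true` but leaves both `AppId&` output parameters untouched, so the handler under test goes on to call `set_payload_id` with whatever `payload_id` happened to hold on the stack; the test passes by accident rather than exercising the SNI path. Name the parameters and assign them, e.g. `client_id = APP_ID_NONE; payload_id = APPID_UT_ID;`, and add an assertion on the resulting payload id in the test body so a regression in the handler's handling of the scan result is caught. The stubbed `set_ss_application_ids_payload` and `publish_appid_event` likewise record nothing, so the test cannot tell whether the change bits were published; a flag or counter set in those stubs would make the new branch observable.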
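Review bot: The new `!asd.tsession->get_tls_host()` guard silently ignores the QUIC-supplied SNI whenever a TLS host was already recorded on the session (presumably by the EFP process event handler changed in this same commit), and also suppresses the "Flow is QUIC" debug line in that case, which may surprise someone debugging a QUIC flow. A comment stating the intended precedence would spare the next reader a trip through the event handler, e.g. `// an SNI already learned for this flow (e.g. from the EFP process event) takes precedence over the QUIC-supplied one`. `process_quic` starts and ends outside the hunk.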
@@ -31,6 +31,8 @@ public:
 EfpProcessEvent(const snort::Packet& p, const char* process, uint8_t process_conf) : p(p), process_name(process), process_confidence(process_conf) { }
+ EfpProcessEvent(const snort::Packet& p, const char* server) : p(p), server_name(server) { }
+
 const snort::Packet* get_packet() override { return &p; }
 const std::string& get_process_name() const
@@ -43,10 +45,22 @@ public:
 return process_confidence;
 }
+ const std::string& get_server_name() const
+ {
+ return server_name;
+ }
+
+ void set_server_name(const char* server)
+ {
+ if (server)
+ server_name = server;
+ }
+
 private:
 const snort::Packet &p;
 std::string process_name;
 uint8_t process_confidence = 0;
+ std::string server_name;
 };
 #endif
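Review bot: The new constructor initializes `server_name(server)` straight from a `const char*`, and constructing a `std::string` from a null pointer is undefined behaviour; `set_server_name` in the second hunk guards against null, but the constructor does not, so a publisher that passes a null server name gets a crash at best. Write `server_name(server ? server : "")`, which also matches the accessor's contract of an empty string meaning "no SNI reported" (the pre-existing `process_name(process)` initializer on the context line has the same exposure). A short comment on `get_server_name`, `// empty when the process event carried no server name`, would make the `!server_name.empty()` check in the handler self-explanatory.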