From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 23 Jun 2020 14:01:26 +0000 (+0000) Subject: Merge pull request #2273 in SNORT/snort3 from ~SHRARANG/snort3:appid_stash2 to master X-Git-Tag: 3.0.2-1~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34c7f9384afd8de8efd592b56caf2d29eb21fe14;p=thirdparty%2Fsnort3.git Merge pull request #2273 in SNORT/snort3 from ~SHRARANG/snort3:appid_stash2 to master Squashed commit of the following: commit 064cd95e5122e00b0215f3f9b9c2e39d04d416cf Author: Shravan Rangaraju Date: Wed Jun 17 23:39:11 2020 -0400 appid: include appid session api in appid event --- diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc index 2cbc73178..e62c0538c 100644 --- a/src/network_inspectors/appid/appid_api.cc +++ b/src/network_inspectors/appid/appid_api.cc @@ -143,9 +143,8 @@ uint32_t AppIdApi::consume_ha_state(Flow& flow, const uint8_t* buf, uint8_t, IpP if (!asd) { AppIdInspector* inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true); - if(inspector) + if (inspector) { - asd = new AppIdSession(proto, ip, port, *inspector); flow.set_flow_data(asd); asd->service.set_id(appHA->appId[1], asd->ctxt.get_odp_ctxt()); @@ -323,21 +322,16 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, return false; } -AppIdSessionApi* AppIdApi::create_appid_session_api(const Flow& flow) +const AppIdSessionApi* AppIdApi::get_appid_session_api(const Flow& flow) const { AppIdSession* asd = (AppIdSession*)flow.get_flow_data(AppIdSession::inspector_id); if (asd) - return new AppIdSessionApi(asd); + return &asd->get_api(); return nullptr; } -void AppIdApi::free_appid_session_api(AppIdSessionApi* api) -{ - delete api; -} - bool AppIdApi::is_inspection_needed(const Inspector& inspector) const { AppIdInspector* appid_inspector = (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, 
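Review bot: `get_appid_session_api()` in the second appid_api.cc hunk now returns `&asd->get_api()`, a pointer into the AppIdSession held as flow data, so the object lives only as long as the session and is no longer caller-owned as it was with the removed create/free pair. A caller that keeps the pointer after the flow's session is released would read freed memory, and nothing in the signature says so. I would document this above the definition and on the declaration in appid_api.h, for example `// Returned object is owned by the flow's AppIdSession: do not delete it and do not keep it beyond the flow's lifetime.` Out-of-tree callers of `create_appid_session_api()`/`free_appid_session_api()` will also stop compiling, which may deserve a line in the commit message.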
diff --git a/src/network_inspectors/appid/appid_api.h b/src/network_inspectors/appid/appid_api.h index 30a01b4b9..56472c16d 100644 --- a/src/network_inspectors/appid/appid_api.h +++ b/src/network_inspectors/appid/appid_api.h @@ -61,8 +61,7 @@ public: SfIp*, uint16_t initiatorPort); bool ssl_app_group_id_lookup(Flow* flow, const char*, const char*, const char*, const char*, bool, AppId& service_id, AppId& client_id, AppId& payload_id); - AppIdSessionApi* create_appid_session_api(const Flow& flow); - void free_appid_session_api(AppIdSessionApi* api); + const AppIdSessionApi* get_appid_session_api(const Flow& flow) const; bool is_inspection_needed(const Inspector& g) const; }; diff --git a/src/network_inspectors/appid/appid_app_descriptor.h b/src/network_inspectors/appid/appid_app_descriptor.h index 05097e119..516e241c9 100644 --- a/src/network_inspectors/appid/appid_app_descriptor.h +++ b/src/network_inspectors/appid/appid_app_descriptor.h @@ -123,7 +123,7 @@ public: void set_port_service_id(AppId id); - bool get_deferred() + bool get_deferred() const { return deferred; } diff --git a/src/network_inspectors/appid/appid_debug.cc b/src/network_inspectors/appid/appid_debug.cc index f3a92007a..c30ccd421 100644 --- a/src/network_inspectors/appid/appid_debug.cc +++ b/src/network_inspectors/appid/appid_debug.cc @@ -62,9 +62,9 @@ void AppIdDebug::activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t por sport = port1; dport = port2; } - else if (session->common.initiator_port) + else if (session->initiator_port) { - if (session->common.initiator_port == port1) + if (session->initiator_port == port1) { sip = (const ip::snort_in6_addr*)ip1; dip = (const ip::snort_in6_addr*)ip2; 
@@ -79,7 +79,7 @@ void AppIdDebug::activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t por dport = port1; } } - else if (memcmp(session->common.initiator_ip.get_ip6_ptr(), + else if (memcmp(session->initiator_ip.get_ip6_ptr(), ip1, sizeof(ip::snort_in6_addr)) == 0) { sip = (const ip::snort_in6_addr*)ip1; diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index 8d62fda16..425958c1a 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -122,7 +122,7 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect AppidSessionDirection direction = APP_ID_FROM_INITIATOR; AppIdSession* asd = (AppIdSession*)p->flow->get_flow_data(AppIdSession::inspector_id); - if (!do_pre_discovery(p, &asd, inspector, protocol, outer_protocol, direction)) + if (!do_pre_discovery(p, asd, inspector, protocol, outer_protocol, direction)) return; AppId service_id = APP_ID_NONE; @@ -182,13 +182,13 @@ static bool set_network_attributes(AppIdSession* asd, Packet* p, IpProtocol& pro protocol = asd->protocol; asd->flow = p->flow; - if (asd->common.initiator_port) - direction = (asd->common.initiator_port == p->ptrs.sp) ? + if (asd->initiator_port) + direction = (asd->initiator_port == p->ptrs.sp) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; else { const SfIp* ip = p->ptrs.ip_api.get_src(); - direction = ip->fast_equals_raw(asd->common.initiator_ip) ? + direction = ip->fast_equals_raw(asd->initiator_ip) ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDER; } @@ -236,7 +236,7 @@ static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p, uint64_t flags; uint64_t flow_flags = APPID_SESSION_DISCOVER_APP; - flow_flags |= asd.common.flags; + flow_flags |= asd.flags; // FIXIT-M - Re-check a flow after snort is reloaded. RNA policy might have changed if (asd.get_session_flags(APPID_SESSION_BIDIRECTIONAL_CHECKED) == 
@@ -364,11 +364,9 @@ static uint64_t is_session_monitored(const Packet* p, AppidSessionDirection dir) } // Return false if the packet or the session doesn't need to be inspected -bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession** p_asd, AppIdInspector& inspector, +bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspector& inspector, IpProtocol& protocol, IpProtocol& outer_protocol, AppidSessionDirection& direction) { - AppIdSession* asd = *p_asd; - if (!set_network_attributes(asd, p, protocol, outer_protocol, direction)) { appid_stats.ignored_packets++; @@ -393,7 +391,7 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession** p_asd, AppIdInsp if (!asd) { - *p_asd = asd = AppIdSession::allocate_session(p, protocol, direction, &inspector); + asd = AppIdSession::allocate_session(p, protocol, direction, &inspector); if (p->flow->get_session_flags() & SSNFLAG_MIDSTREAM) { flow_flags |= APPID_SESSION_MID; 
@@ -429,29 +427,27 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession** p_asd, AppIdInsp } } - asd->common.flags = flow_flags; + asd->flags = flow_flags; if (!asd->get_session_flags(APPID_SESSION_PAYLOAD_SEEN) and p->dsize) asd->set_session_flags(APPID_SESSION_PAYLOAD_SEEN); - if (asd->get_session_flags(APPID_SESSION_FUTURE_FLOW)) + if (asd->get_session_flags(APPID_SESSION_FUTURE_FLOW) and + (!asd->get_session_flags(APPID_SESSION_FUTURE_FLOW_IDED))) { - if (!asd->get_session_flags(APPID_SESSION_FUTURE_FLOW_IDED)) - { - AppidChangeBits change_bits; + AppidChangeBits change_bits; - asd->set_ss_application_ids(asd->pick_service_app_id(), asd->pick_ss_client_app_id(), - asd->pick_ss_payload_app_id(), asd->pick_ss_misc_app_id(), change_bits); - asd->publish_appid_event(change_bits, p->flow); - asd->set_session_flags(APPID_SESSION_FUTURE_FLOW_IDED); + asd->set_ss_application_ids(asd->pick_service_app_id(), asd->pick_ss_client_app_id(), + asd->pick_ss_payload_app_id(), asd->pick_ss_misc_app_id(), change_bits); + asd->publish_appid_event(change_bits, p->flow); + asd->set_session_flags(APPID_SESSION_FUTURE_FLOW_IDED); - if (appidDebug->is_active()) - { - const char *app_name = - asd->ctxt.get_odp_ctxt().get_app_info_mgr().get_app_name(asd->service.get_id()); - LogMessage("AppIdDbg %s Ignoring connection with service %s (%d)\n", - appidDebug->get_debug_session(), app_name ? app_name : "unknown", - asd->service.get_id()); - } + if (appidDebug->is_active()) + { + const char *app_name = + asd->ctxt.get_odp_ctxt().get_app_info_mgr().get_app_name(asd->service.get_id()); + LogMessage("AppIdDbg %s Ignoring connection with service %s (%d)\n", + appidDebug->get_debug_session(), app_name ? app_name : "unknown", + asd->service.get_id()); } return false; diff --git a/src/network_inspectors/appid/appid_discovery.h b/src/network_inspectors/appid/appid_discovery.h index 9d6f02416..1447873a6 100644 --- a/src/network_inspectors/appid/appid_discovery.h 
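Review bot: Merging the two `if`s in do_pre_discovery changes which packets reach `return false;`. Before, every packet on a session with APPID_SESSION_FUTURE_FLOW returned false, and only the app-id selection and publish were gated on APPID_SESSION_FUTURE_FLOW_IDED. In the new code `return false;` sits inside the combined condition, so once FUTURE_FLOW_IDED is set the function appears to fall through to the rest of discovery; the closing brace of the block is outside the hunk, so this is read from the visible lines only. If the old behaviour is wanted, keep the outer test separate or add `if (asd->get_session_flags(APPID_SESSION_FUTURE_FLOW)) return false;` after the block. If the change is intended, say so in the commit message, since it alters which flows continue to be inspected.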
+++ b/src/network_inspectors/appid/appid_discovery.h @@ -134,7 +134,7 @@ protected: std::vector pattern_data; private: - static bool do_pre_discovery(snort::Packet* p, AppIdSession** p_asd, AppIdInspector& inspector, + static bool do_pre_discovery(snort::Packet* p, AppIdSession*& asd, AppIdInspector& inspector, IpProtocol& protocol, IpProtocol& outer_protocol, AppidSessionDirection& direction); static bool do_discovery(snort::Packet* p, AppIdSession& asd, IpProtocol protocol, IpProtocol outer_protocol, AppidSessionDirection direction, AppId& service_id, diff --git a/src/network_inspectors/appid/appid_http_session.h b/src/network_inspectors/appid/appid_http_session.h index e0ded2774..e51c03ba7 100644 --- a/src/network_inspectors/appid/appid_http_session.h +++ b/src/network_inspectors/appid/appid_http_session.h @@ -74,13 +74,13 @@ public: void set_field(HttpFieldIds id, const std::string* str, AppidChangeBits& change_bits); void set_field(HttpFieldIds id, const uint8_t* str, int32_t len, AppidChangeBits& change_bits); - const std::string* get_field(HttpFieldIds id) + const std::string* get_field(HttpFieldIds id) const { return meta_data[id]; } - const char* get_cfield(HttpFieldIds id) + const char* get_cfield(HttpFieldIds id) const { return meta_data[id] != nullptr ? meta_data[id]->c_str() : nullptr; } - bool get_offset(int id, uint16_t& start, uint16_t& end) + bool get_offset(int id, uint16_t& start, uint16_t& end) const { if ( REQ_AGENT_FID <= id and id < NUM_HTTP_FIELDS ) { @@ -134,7 +134,7 @@ public: void set_tun_dest(); - const TunnelDest* get_tun_dest() + const TunnelDest* get_tun_dest() const { return tun_dest; } void free_tun_dest() @@ -145,7 +145,7 @@ public: void reset_ptype_scan_counts(); - int get_ptype_scan_count(enum HttpFieldIds type) + int get_ptype_scan_count(enum HttpFieldIds type) const { return ptype_scan_counts[type]; } virtual void custom_init() { } 
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 2b5bf75d8..e880aa539 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -44,6 +44,7 @@ #include "appid_dns_session.h" #include "appid_http_session.h" #include "appid_inspector.h" +#include "appid_session_api.h" #include "appid_stats.h" #include "lua_detector_api.h" #include "service_plugins/service_ssl.h" @@ -98,13 +99,9 @@ AppIdSession::AppIdSession(IpProtocol proto, const SfIp* ip, uint16_t port, { service_ip.clear(); session_id = ++appid_flow_data_id; - common.initiator_ip = *ip; - common.initiator_port = port; + initiator_ip = *ip; + initiator_port = port; - length_sequence.proto = IpProtocol::PROTO_NOT_SET; - length_sequence.sequence_cnt = 0; - memset(length_sequence.sequence, '\0', sizeof(length_sequence.sequence)); - memset(application_ids, 0, sizeof(application_ids)); appid_stats.total_sessions++; } @@ -605,7 +602,7 @@ void AppIdSession::set_service_appid_data(AppId id, AppidChangeBits& change_bits service.update(id, change_bits, version); } -bool AppIdSession::is_svc_taking_too_much_time() +bool AppIdSession::is_svc_taking_too_much_time() const { return (init_pkts_without_reply > ctxt.get_odp_ctxt().max_packet_service_fail_ignore_bytes || (init_pkts_without_reply > ctxt.get_odp_ctxt().max_packet_before_service_fail && @@ -648,7 +645,7 @@ int AppIdSession::add_flow_data(void* data, unsigned id, AppIdFreeFCN fcn) return 0; } -void* AppIdSession::get_flow_data(unsigned id) +void* AppIdSession::get_flow_data(unsigned id) const { AppIdFlowDataIter it = flow_data.find(id); if (it != flow_data.end()) @@ -735,7 +732,7 @@ void AppIdSession::stop_service_inspection(Packet* p, AppidSessionDirection dire clear_session_flags(APPID_SESSION_CONTINUE); } -AppId AppIdSession::pick_service_app_id() +AppId AppIdSession::pick_service_app_id() const { AppId rval = APP_ID_NONE; 
@@ -773,7 +770,7 @@ AppId AppIdSession::pick_service_app_id() return rval; } -AppId AppIdSession::pick_ss_misc_app_id() +AppId AppIdSession::pick_ss_misc_app_id() const { if (service.get_id() == APP_ID_HTTP2) return APP_ID_NONE; @@ -790,7 +787,7 @@ AppId AppIdSession::pick_ss_misc_app_id() return encrypted.misc_id; } -AppId AppIdSession::pick_ss_client_app_id() +AppId AppIdSession::pick_ss_client_app_id() const { if (service.get_id() == APP_ID_HTTP2) return APP_ID_NONE; @@ -807,7 +804,7 @@ AppId AppIdSession::pick_ss_client_app_id() return encrypted.client_id; } -AppId AppIdSession::pick_ss_payload_app_id() +AppId AppIdSession::pick_ss_payload_app_id() const { if (service.get_id() == APP_ID_HTTP2) return APP_ID_NONE; @@ -842,7 +839,7 @@ AppId AppIdSession::pick_ss_payload_app_id() return APP_ID_NONE; } -AppId AppIdSession::pick_ss_referred_payload_app_id() +AppId AppIdSession::pick_ss_referred_payload_app_id() const { if (service.get_id() == APP_ID_HTTP2) return APP_ID_NONE; @@ -891,7 +888,7 @@ void AppIdSession::set_application_ids_service(AppId service_id, AppidChangeBits } void AppIdSession::get_first_stream_app_ids(AppId& service_id, AppId& client_id, - AppId& payload_id, AppId& misc_id) + AppId& payload_id, AppId& misc_id) const { service_id = application_ids[APP_PROTOID_SERVICE]; if (service_id != APP_ID_HTTP2) @@ -915,7 +912,7 @@ void AppIdSession::get_first_stream_app_ids(AppId& service_id, AppId& client_id, } void AppIdSession::get_first_stream_app_ids(AppId& service_id, AppId& client_id, - AppId& payload_id) + AppId& payload_id) const { service_id = application_ids[APP_PROTOID_SERVICE]; if (service_id != APP_ID_HTTP2) 
@@ -935,12 +932,12 @@ void AppIdSession::get_first_stream_app_ids(AppId& service_id, AppId& client_id, } } -AppId AppIdSession::get_application_ids_service() +AppId AppIdSession::get_application_ids_service() const { return application_ids[APP_PROTOID_SERVICE]; } -AppId AppIdSession::get_application_ids_client(uint32_t stream_index) +AppId AppIdSession::get_application_ids_client(uint32_t stream_index) const { if (get_application_ids_service() == APP_ID_HTTP2) { @@ -955,7 +952,7 @@ AppId AppIdSession::get_application_ids_client(uint32_t stream_index) return APP_ID_NONE; } -AppId AppIdSession::get_application_ids_payload(uint32_t stream_index) +AppId AppIdSession::get_application_ids_payload(uint32_t stream_index) const { if (get_application_ids_service() == APP_ID_HTTP2) { @@ -970,7 +967,7 @@ AppId AppIdSession::get_application_ids_payload(uint32_t stream_index) return APP_ID_NONE; } -AppId AppIdSession::get_application_ids_misc(uint32_t stream_index) +AppId AppIdSession::get_application_ids_misc(uint32_t stream_index) const { if (service.get_id() == APP_ID_HTTP2) { @@ -985,7 +982,7 @@ AppId AppIdSession::get_application_ids_misc(uint32_t stream_index) return APP_ID_NONE; } -bool AppIdSession::is_ssl_session_decrypted() +bool AppIdSession::is_ssl_session_decrypted() const { return get_session_flags(APPID_SESSION_DECRYPTED); } @@ -1004,7 +1001,7 @@ void AppIdSession::reset_session_data() this->tpsession->reset(); } -bool AppIdSession::is_payload_appid_set() +bool AppIdSession::is_payload_appid_set() const { return (payload.get_id() || tp_payload_app_id); } @@ -1032,7 +1029,8 @@ AppIdHttpSession* AppIdSession::create_http_session(uint32_t stream_id) hsessions.push_back(hsession); return hsession; } -AppIdHttpSession* AppIdSession::get_http_session(uint32_t stream_index) + +AppIdHttpSession* AppIdSession::get_http_session(uint32_t stream_index) const { if (stream_index < hsessions.size()) return hsessions[stream_index]; 
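Review bot: `AppIdSession::get_http_session()` in the last hunk here is now `const` but still returns a non-const `AppIdHttpSession*`, so code holding only a `const AppIdSession&` can still modify the HTTP session through it. The same shallow constness applies to `get_matching_http_session()`, `get_dns_session()` and `get_flow_data()` in the neighbouring hunks. The read-only promise of the `const` AppIdSessionApi therefore rests on the wrapper's own return types and not on the session class. Consider a const overload, `const AppIdHttpSession* get_http_session(uint32_t stream_index = 0) const;`, next to a non-const one, or at least a comment such as `// const is shallow: the returned session is mutable`.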
@@ -1040,7 +1038,7 @@ AppIdHttpSession* AppIdSession::get_http_session(uint32_t stream_index) return nullptr; } -AppIdHttpSession* AppIdSession::get_matching_http_session(uint32_t stream_id) +AppIdHttpSession* AppIdSession::get_matching_http_session(uint32_t stream_id) const { for (uint32_t stream_index=0; stream_index < hsessions.size(); stream_index++) { @@ -1058,7 +1056,7 @@ AppIdDnsSession* AppIdSession::create_dns_session() return dsession; } -AppIdDnsSession* AppIdSession::get_dns_session() +AppIdDnsSession* AppIdSession::get_dns_session() const { return dsession; } @@ -1142,10 +1140,16 @@ void AppIdSession::set_tp_payload_app_id(Packet& p, AppidSessionDirection dir, A void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, Flow* flow, bool is_http2, uint32_t http2_stream_index) { + if (!api.get_published()) + { + change_bits.set(APPID_CREATED_BIT); + api.set_published(true); + } + if (change_bits.none()) return; - AppidEvent app_event(change_bits, is_http2, http2_stream_index); + AppidEvent app_event(change_bits, is_http2, http2_stream_index, api); DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, flow); if (appidDebug->is_active()) { diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 011566fea..7d3833cd0 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -40,6 +40,11 @@ #include "length_app_cache.h" #include "service_state.h" +namespace snort +{ + class AppIdSessionApi; +} + class ClientDetector; class ServiceDetector; class AppIdDnsSession; @@ -99,19 +104,6 @@ public: }; typedef std::unordered_map::const_iterator AppIdFlowDataIter; -struct CommonAppIdData -{ - CommonAppIdData() - { - initiator_ip.clear(); - } - - //flags shared with other preprocessor via session attributes. - uint64_t flags = 0; - snort::SfIp initiator_ip; - uint16_t initiator_port = 0; -}; - enum MatchedTlsType { MATCHED_TLS_NONE = 0, 
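Review bot: In `publish_appid_event()` the added `if (!api.get_published())` block sets APPID_CREATED_BIT before the `change_bits.none()` test, so the first call for a session always publishes, even when the caller passed no changes. That is easy to miss and deserves a comment, for example `// First publish for this session: force an event so subscribers see APPID_CREATED_BIT.` The event is also constructed with `api`, a member of this AppIdSession, so a DataBus subscriber that stores what the event exposes past its handler would be left with a dangling reference once the session is freed. AppidEvent is not visible in this chunk, so its accessor should state that the session API is valid only for the duration of the callback. The function body starts before the hunk and continues after it.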
@@ -163,7 +155,7 @@ public: const char* get_tls_org_unit() const { return tls_org_unit; } - bool get_tls_handshake_done() { return tls_handshake_done; } + bool get_tls_handshake_done() const { return tls_handshake_done; } // Duplicate only if len > 0, otherwise simply set (i.e., own the argument) void set_tls_host(const char* new_tls_host, uint32_t len, AppidChangeBits& change_bits) @@ -257,7 +249,10 @@ public: snort::Flow* flow = nullptr; AppIdContext& ctxt; std::unordered_map flow_data; - CommonAppIdData common; + uint64_t flags = 0; + snort::SfIp initiator_ip; + uint16_t initiator_port = 0; + uint16_t session_packet_count = 0; uint16_t init_pkts_without_reply = 0; uint64_t init_bytes_without_reply = 0; 
@@ -331,19 +326,19 @@ public: static void init() { inspector_id = FlowData::create_flow_data_id(); } - void set_session_flags(uint64_t flags) { common.flags |= flags; } - void clear_session_flags(uint64_t flags) { common.flags &= ~flags; } - uint64_t get_session_flags(uint64_t flags) const { return (common.flags & flags); } - void set_service_detected() { common.flags |= APPID_SESSION_SERVICE_DETECTED; } - bool is_service_detected() { return ((common.flags & APPID_SESSION_SERVICE_DETECTED) == 0) ? + void set_session_flags(uint64_t set_flags) { flags |= set_flags; } + void clear_session_flags(uint64_t clear_flags) { flags &= ~clear_flags; } + uint64_t get_session_flags(uint64_t get_flags) const { return (flags & get_flags); } + void set_service_detected() { flags |= APPID_SESSION_SERVICE_DETECTED; } + bool is_service_detected() const { return ((flags & APPID_SESSION_SERVICE_DETECTED) == 0) ? false : true; } - void set_client_detected() { common.flags |= APPID_SESSION_CLIENT_DETECTED; } - bool is_client_detected() { return ((common.flags & APPID_SESSION_CLIENT_DETECTED) == 0) ? + void set_client_detected() { flags |= APPID_SESSION_CLIENT_DETECTED; } + bool is_client_detected() const { return ((flags & APPID_SESSION_CLIENT_DETECTED) == 0) ? false : true; } - bool is_decrypted() { return ((common.flags & APPID_SESSION_DECRYPTED) == 0) ? false : true; } - bool is_svc_taking_too_much_time(); + bool is_decrypted() const { return ((flags & APPID_SESSION_DECRYPTED) == 0) ? false : true; } + bool is_svc_taking_too_much_time() const; - void* get_flow_data(unsigned id); + void* get_flow_data(unsigned id) const; int add_flow_data(void* data, unsigned id, AppIdFreeFCN); int add_flow_data_id(uint16_t port, ServiceDetector*); void* remove_flow_data(unsigned id); 
@@ -351,14 +346,14 @@ public: void free_flow_data_by_mask(unsigned mask); void free_flow_data(); - AppId pick_service_app_id(); + AppId pick_service_app_id() const; // pick_ss_* and set_ss_* methods below are for application protocols that support only a single // stream in a flow. They should not be used for HTTP2 sessions which can have multiple // streams within a single flow - AppId pick_ss_misc_app_id(); - AppId pick_ss_client_app_id(); - AppId pick_ss_payload_app_id(); - AppId pick_ss_referred_payload_app_id(); + AppId pick_ss_misc_app_id() const; + AppId pick_ss_client_app_id() const; + AppId pick_ss_payload_app_id() const; + AppId pick_ss_referred_payload_app_id() const; void set_ss_application_ids(AppId service, AppId client, AppId payload, AppId misc, AppidChangeBits& change_bits); 
@@ -366,19 +361,19 @@ public: // For protocols such as HTTP2 which can have multiple streams within a single flow, get_first_stream_* // methods return the appids in the first stream seen in a packet. - void get_first_stream_app_ids(AppId& service, AppId& client, AppId& payload, AppId& misc); - void get_first_stream_app_ids(AppId& service, AppId& client, AppId& payload); - AppId get_application_ids_service(); - AppId get_application_ids_client(uint32_t stream_index = 0); - AppId get_application_ids_payload(uint32_t stream_index = 0); - AppId get_application_ids_misc(uint32_t stream_index = 0); - - uint32_t get_hsessions_size() + void get_first_stream_app_ids(AppId& service, AppId& client, AppId& payload, AppId& misc) const; + void get_first_stream_app_ids(AppId& service, AppId& client, AppId& payload) const; + AppId get_application_ids_service() const; + AppId get_application_ids_client(uint32_t stream_index = 0) const; + AppId get_application_ids_payload(uint32_t stream_index = 0) const; + AppId get_application_ids_misc(uint32_t stream_index = 0) const; + + uint32_t get_hsessions_size() const { return hsessions.size(); } - bool is_ssl_session_decrypted(); + bool is_ssl_session_decrypted() const; void examine_ssl_metadata(AppidChangeBits& change_bits); void set_client_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); void set_service_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); 
@@ -391,14 +386,14 @@ public: void sync_with_snort_protocol_id(AppId, snort::Packet*); void stop_service_inspection(snort::Packet*, AppidSessionDirection); - bool is_payload_appid_set(); + bool is_payload_appid_set() const; void clear_http_flags(); void clear_http_data(); void reset_session_data(); AppIdHttpSession* create_http_session(uint32_t stream_id = 0); - AppIdHttpSession* get_http_session(uint32_t stream_index = 0); - AppIdHttpSession* get_matching_http_session(uint32_t stream_id); + AppIdHttpSession* get_http_session(uint32_t stream_index = 0) const; + AppIdHttpSession* get_matching_http_session(uint32_t stream_id) const; void delete_all_http_sessions() { for (auto hsession : hsessions) @@ -407,7 +402,7 @@ public: } AppIdDnsSession* create_dns_session(); - AppIdDnsSession* get_dns_session(); + AppIdDnsSession* get_dns_session() const; bool is_tp_appid_done() const; bool is_tp_processing_done() const; @@ -420,7 +415,8 @@ public: void publish_appid_event(AppidChangeBits&, snort::Flow*, bool is_http2 = false, uint32_t http2_stream_index = 0); - inline void set_tp_app_id(AppId app_id) { + inline void set_tp_app_id(AppId app_id) + { if (tp_app_id != app_id) { tp_app_id = app_id; @@ -429,7 +425,8 @@ public: } } - inline void set_tp_payload_app_id(AppId app_id) { + inline void set_tp_payload_app_id(AppId app_id) + { if (tp_payload_app_id != app_id) { tp_payload_app_id = app_id; @@ -438,11 +435,13 @@ public: } } - inline AppId get_tp_app_id() { + inline AppId get_tp_app_id() const + { return tp_app_id; } - inline AppId get_tp_payload_app_id() { + inline AppId get_tp_payload_app_id() const + { return tp_payload_app_id; } @@ -471,6 +470,11 @@ public: prev_http2_raw_packet = packet_num; } + const snort::AppIdSessionApi& get_api() const + { + return api; + } + private: std::vector hsessions; AppIdDnsSession* dsession = nullptr; 
@@ -480,7 +484,8 @@ private: void delete_session_data(); static THREAD_LOCAL uint32_t appid_flow_data_id; - AppId application_ids[APP_PROTOID_MAX]; + AppId application_ids[APP_PROTOID_MAX] = + { APP_ID_NONE, APP_ID_NONE, APP_ID_NONE, APP_ID_NONE }; bool tp_app_id_deferred = false; bool tp_payload_app_id_deferred = false; @@ -489,6 +494,7 @@ private: AppId tp_payload_app_id = APP_ID_NONE; uint16_t my_inferred_svcs_ver = 0; + snort::AppIdSessionApi api{*this}; static uint16_t inferred_svcs_ver; }; @@ -513,4 +519,3 @@ static inline bool is_svc_http_type(AppId serviceId) return false; } #endif - diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc index 7f0f09d76..888d6cf9a 100644 --- a/src/network_inspectors/appid/appid_session_api.cc +++ b/src/network_inspectors/appid/appid_session_api.cc 
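Review bot: The new initializer for `application_ids` lists exactly four `APP_ID_NONE` values for an array sized by `APP_PROTOID_MAX`, which ties the declaration to the enum's current length. If an entry is added later, the extra slots are zero-initialized and not set by name, and the mismatch is silent. A guard next to the member would catch it: `static_assert(APP_PROTOID_MAX == 4, "update application_ids initializer");`. This assumes APP_PROTOID_MAX is currently 4, which is not visible here.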
@@ -33,63 +33,51 @@ using namespace snort; -bool AppIdSessionApi::refresh(const Flow& flow) +AppId AppIdSessionApi::get_service_app_id() const { - AppIdSession* new_asd = (AppIdSession*)flow.get_flow_data(AppIdSession::inspector_id); - - if (new_asd) - { - asd = new_asd; - return true; - } - return false; -} - -AppId AppIdSessionApi::get_service_app_id() -{ - return asd->get_application_ids_service(); + return asd.get_application_ids_service(); } -AppId AppIdSessionApi::get_misc_app_id(uint32_t stream_index) +AppId AppIdSessionApi::get_misc_app_id(uint32_t stream_index) const { - return asd->get_application_ids_misc(stream_index); + return asd.get_application_ids_misc(stream_index); } -AppId AppIdSessionApi::get_client_app_id(uint32_t stream_index) +AppId AppIdSessionApi::get_client_app_id(uint32_t stream_index) const { - return asd->get_application_ids_client(stream_index); + return asd.get_application_ids_client(stream_index); } -AppId AppIdSessionApi::get_payload_app_id(uint32_t stream_index) +AppId AppIdSessionApi::get_payload_app_id(uint32_t stream_index) const { - return asd->get_application_ids_payload(stream_index); + return asd.get_application_ids_payload(stream_index); } -AppId AppIdSessionApi::get_referred_app_id(uint32_t stream_index) +AppId AppIdSessionApi::get_referred_app_id(uint32_t stream_index) const { - if (asd->get_application_ids_service() == APP_ID_HTTP2) + if (asd.get_application_ids_service() == APP_ID_HTTP2) { - if ((stream_index != 0) and (stream_index >= asd->get_hsessions_size())) + if ((stream_index != 0) and (stream_index >= asd.get_hsessions_size())) return APP_ID_UNKNOWN; - else if (AppIdHttpSession* hsession = asd->get_http_session(stream_index)) + else if (AppIdHttpSession* hsession = asd.get_http_session(stream_index)) return hsession->referred_payload_app_id; } else if (stream_index == 0) - return asd->pick_ss_referred_payload_app_id(); + return asd.pick_ss_referred_payload_app_id(); return APP_ID_UNKNOWN; } void 
AppIdSessionApi::get_app_id(AppId& service, AppId& client, - AppId& payload, AppId& misc, AppId& referred, uint32_t stream_index) + AppId& payload, AppId& misc, AppId& referred, uint32_t stream_index) const { - if (asd->get_application_ids_service() == APP_ID_HTTP2) + if (asd.get_application_ids_service() == APP_ID_HTTP2) { - if ((stream_index != 0) and (stream_index >= asd->get_hsessions_size())) + if ((stream_index != 0) and (stream_index >= asd.get_hsessions_size())) service = client = payload = misc = referred = APP_ID_UNKNOWN; - else if (AppIdHttpSession* hsession = asd->get_http_session(stream_index)) + else if (AppIdHttpSession* hsession = asd.get_http_session(stream_index)) { - service = asd->get_application_ids_service(); + service = asd.get_application_ids_service(); client = hsession->client.get_id(); payload = hsession->payload.get_id(); misc = hsession->misc_app_id; @@ -98,17 +86,17 @@ void AppIdSessionApi::get_app_id(AppId& service, AppId& client, } else { - asd->get_first_stream_app_ids(service, client, payload, misc); - referred = asd->pick_ss_referred_payload_app_id(); + asd.get_first_stream_app_ids(service, client, payload, misc); + referred = asd.pick_ss_referred_payload_app_id(); } } void AppIdSessionApi::get_app_id(AppId* service, AppId* client, - AppId* payload, AppId* misc, AppId* referred, uint32_t stream_index) + AppId* payload, AppId* misc, AppId* referred, uint32_t stream_index) const { - if (asd->get_application_ids_service() == APP_ID_HTTP2) + if (asd.get_application_ids_service() == APP_ID_HTTP2) { - if ((stream_index != 0) and (stream_index >= asd->get_hsessions_size())) + if ((stream_index != 0) and (stream_index >= asd.get_hsessions_size())) { if (service) *service = APP_ID_UNKNOWN; 
@@ -122,10 +110,10 @@ void AppIdSessionApi::get_app_id(AppId* service, AppId* client, *referred = APP_ID_UNKNOWN; return; } - else if (AppIdHttpSession* hsession = asd->get_http_session(stream_index)) + else if (AppIdHttpSession* hsession = asd.get_http_session(stream_index)) { if (service) - *service = asd->get_application_ids_service(); + *service = asd.get_application_ids_service(); if (client) *client = hsession->client.get_id(); if (payload) 
@@ -138,103 +126,102 @@ void AppIdSessionApi::get_app_id(AppId* service, AppId* client, } } if (service) - *service = asd->get_application_ids_service(); + *service = asd.get_application_ids_service(); if (client) - *client = asd->get_application_ids_client(); + *client = asd.get_application_ids_client(); if (payload) - *payload = asd->get_application_ids_payload(); + *payload = asd.get_application_ids_payload(); if (misc) - *misc = asd->get_application_ids_misc(); + *misc = asd.get_application_ids_misc(); if (referred) - *referred = asd->pick_ss_referred_payload_app_id(); + *referred = asd.pick_ss_referred_payload_app_id(); } -bool AppIdSessionApi::is_appid_inspecting_session() +bool AppIdSessionApi::is_appid_inspecting_session() const { - if ( asd->service_disco_state != APPID_DISCO_STATE_FINISHED or - !asd->is_tp_appid_done() or - asd->get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_CONTINUE) or - (asd->get_session_flags(APPID_SESSION_ENCRYPTED) and - (asd->get_session_flags(APPID_SESSION_DECRYPTED) or - asd->session_packet_count < SSL_WHITELIST_PKT_LIMIT)) ) + if ( asd.service_disco_state != APPID_DISCO_STATE_FINISHED or + !asd.is_tp_appid_done() or + asd.get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_CONTINUE) or + (asd.get_session_flags(APPID_SESSION_ENCRYPTED) and + (asd.get_session_flags(APPID_SESSION_DECRYPTED) or + asd.session_packet_count < SSL_WHITELIST_PKT_LIMIT)) ) { return true; } - if ( asd->client_disco_state != APPID_DISCO_STATE_FINISHED and - (!asd->is_client_detected() or - (asd->service_disco_state != APPID_DISCO_STATE_STATEFUL - and asd->get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))) ) + if ( asd.client_disco_state != APPID_DISCO_STATE_FINISHED and + (!asd.is_client_detected() or + (asd.service_disco_state != APPID_DISCO_STATE_STATEFUL + and asd.get_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS))) ) { return true; } - if ( asd->get_tp_app_id() == APP_ID_SSH and asd->payload.get_id() != 
APP_ID_SFTP and - asd->session_packet_count < MAX_SFTP_PACKET_COUNT ) + if ( asd.get_tp_app_id() == APP_ID_SSH and asd.payload.get_id() != APP_ID_SFTP and + asd.session_packet_count < MAX_SFTP_PACKET_COUNT ) { return true; } - if (asd->ctxt.get_odp_ctxt().check_host_port_app_cache) + if (asd.ctxt.get_odp_ctxt().check_host_port_app_cache) return true; return false; } -bool AppIdSessionApi::is_appid_available() +bool AppIdSessionApi::is_appid_available() const { - return ( (asd->service.get_id() != APP_ID_NONE || - asd->payload.get_id() != APP_ID_NONE) && - (asd->is_tp_appid_available() || - asd->get_session_flags(APPID_SESSION_NO_TPI)) ); + return ( (asd.service.get_id() != APP_ID_NONE || + asd.payload.get_id() != APP_ID_NONE) && + (asd.is_tp_appid_available() || + asd.get_session_flags(APPID_SESSION_NO_TPI)) ); } -const char* AppIdSessionApi::get_client_version(uint32_t stream_index) +const char* AppIdSessionApi::get_client_version(uint32_t stream_index) const { - if (uint32_t num_hsessions = asd->get_hsessions_size()) + if (uint32_t num_hsessions = asd.get_hsessions_size()) { if (stream_index >= num_hsessions) return nullptr; - else if (AppIdHttpSession* hsession = asd->get_http_session(stream_index)) + else if (AppIdHttpSession* hsession = asd.get_http_session(stream_index)) return hsession->client.get_version(); } else if (stream_index == 0) - return asd->client.get_version(); + return asd.client.get_version(); return nullptr; } -uint64_t AppIdSessionApi::get_appid_session_attribute(uint64_t flags) +uint64_t AppIdSessionApi::get_appid_session_attribute(uint64_t flags) const { - return asd->get_session_flags(flags); + return asd.get_session_flags(flags); } -const char* AppIdSessionApi::get_tls_host() +const char* AppIdSessionApi::get_tls_host() const { - if (asd->tsession) - return asd->tsession->get_tls_host(); + if (asd.tsession) + return asd.tsession->get_tls_host(); return nullptr; } -SfIp* AppIdSessionApi::get_initiator_ip() +const SfIp* 
AppIdSessionApi::get_initiator_ip() const { - return &asd->common.initiator_ip; + return &asd.initiator_ip; } -AppIdDnsSession* AppIdSessionApi::get_dns_session() +const AppIdDnsSession* AppIdSessionApi::get_dns_session() const { - return asd->get_dns_session(); + return asd.get_dns_session(); } -AppIdHttpSession* AppIdSessionApi::get_http_session(uint32_t stream_index) +const AppIdHttpSession* AppIdSessionApi::get_http_session(uint32_t stream_index) const { - return asd->get_http_session(stream_index); + return asd.get_http_session(stream_index); } -bool AppIdSessionApi::is_http_inspection_done() +bool AppIdSessionApi::is_http_inspection_done() const { - return (asd->is_tp_appid_done() and - !(asd->get_session_flags(APPID_SESSION_SSL_SESSION) and - !get_tls_host() and - (asd->service_disco_state!= APPID_DISCO_STATE_FINISHED))); + return (asd.is_tp_appid_done() and + !(asd.get_session_flags(APPID_SESSION_SSL_SESSION) and !get_tls_host() and + (asd.service_disco_state!= APPID_DISCO_STATE_FINISHED))); } diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h index 58079be33..f540b0464 100644 --- a/src/network_inspectors/appid/appid_session_api.h +++ b/src/network_inspectors/appid/appid_session_api.h 
@@ -100,27 +100,33 @@ const uint64_t APPID_SESSION_ALL_FLAGS = 0xFFFFFFFFFFFFFFFFULL; class SO_PUBLIC AppIdSessionApi { public: - AppIdSessionApi(AppIdSession* asd) : asd(asd) {} - bool refresh(const Flow& flow); - AppId get_service_app_id(); - AppId get_misc_app_id(uint32_t stream_index = 0); - AppId get_client_app_id(uint32_t stream_index = 0); - AppId get_payload_app_id(uint32_t stream_index = 0); - AppId get_referred_app_id(uint32_t stream_index = 0); - void get_app_id(AppId& service, AppId& client, AppId& payload, AppId& misc, AppId& referred, uint32_t stream_index = 0); - void get_app_id(AppId* service, AppId* client, AppId* payload, AppId* misc, AppId* referred, uint32_t stream_index = 0); - bool is_appid_inspecting_session(); - bool is_appid_available(); - const char* get_client_version(uint32_t stream_index = 0); - uint64_t get_appid_session_attribute(uint64_t flag); - SfIp* get_initiator_ip(); - AppIdDnsSession* get_dns_session(); - AppIdHttpSession* get_http_session(uint32_t stream_index = 0); - const char* get_tls_host(); - bool is_http_inspection_done(); + AppIdSessionApi(const AppIdSession& asd) : asd(asd) {} + AppId get_service_app_id() const; + AppId get_misc_app_id(uint32_t stream_index = 0) const; + AppId get_client_app_id(uint32_t stream_index = 0) const; + AppId get_payload_app_id(uint32_t stream_index = 0) const; + AppId get_referred_app_id(uint32_t stream_index = 0) const; + void get_app_id(AppId& service, AppId& client, AppId& payload, AppId& misc, AppId& referred, uint32_t stream_index = 0) const; + void get_app_id(AppId* service, AppId* client, AppId* payload, AppId* misc, AppId* referred, uint32_t stream_index = 0) const; + bool is_appid_inspecting_session() const; + bool is_appid_available() const; + const char* get_client_version(uint32_t stream_index = 0) const; + uint64_t get_appid_session_attribute(uint64_t flag) const; + const SfIp* get_initiator_ip() const; + const AppIdDnsSession* get_dns_session() const; + const AppIdHttpSession* 
get_http_session(uint32_t stream_index = 0) const; + const char* get_tls_host() const; + bool is_http_inspection_done() const; + + bool get_published() const + { return published; } + + void set_published(bool val) + { published = val; } private: - AppIdSession* asd; + const AppIdSession& asd; + bool published = false; }; } diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc index 113088f75..93f7e600c 100644 --- a/src/network_inspectors/appid/lua_detector_api.cc +++ b/src/network_inspectors/appid/lua_detector_api.cc @@ -1171,8 +1171,6 @@ static int detector_add_host_port_dynamic(lua_State* L) return 0; } - - bool added = false; std::lock_guard lck(AppIdSession::inferred_svcs_lock); if ( !host_cache[ip_addr]->add_service(port, proto, appid, true, &added) ) diff --git a/src/network_inspectors/appid/service_plugins/service_snmp.cc b/src/network_inspectors/appid/service_plugins/service_snmp.cc index 4bd8d1f09..78450a524 100644 --- a/src/network_inspectors/appid/service_plugins/service_snmp.cc +++ b/src/network_inspectors/appid/service_plugins/service_snmp.cc @@ -487,7 +487,7 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args) args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_APPID_SESSION_DIRECTION_MAX); pf->service_disco_state = APPID_DISCO_STATE_STATEFUL; pf->scan_flags |= SCAN_HOST_PORT_FLAG; - pf->common.initiator_ip = *sip; + pf->initiator_ip = *sip; } } break; diff --git a/src/network_inspectors/appid/service_plugins/service_tftp.cc b/src/network_inspectors/appid/service_plugins/service_tftp.cc index 2dbe4c762..ea5ff32d1 100644 --- a/src/network_inspectors/appid/service_plugins/service_tftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_tftp.cc 
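Review bot: `AppIdSessionApi` now keeps `const AppIdSession& asd`, which binds each API object to one session for its whole life, but the class declaration says nothing about how long a pointer or reference to it stays valid. Callers no longer allocate and free the object themselves, so a consumer that holds on to it after the session is destroyed would read freed memory. A comment above the class such as `// Bound to one AppIdSession; valid only while that session exists. Do not cache or delete.` would state the contract. The single-argument constructor could also be `explicit AppIdSessionApi(const AppIdSession& asd) : asd(asd) {}` so a session is never converted implicitly. `set_published()` is the only mutator on this exported, otherwise read-only class and deserves a comment saying who is expected to call it.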
@@ -204,7 +204,7 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) return APPID_ENOMEM; } args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_FROM_RESPONDER); - pf->common.initiator_ip = *sip; + pf->initiator_ip = *sip; pf->service_disco_state = APPID_DISCO_STATE_STATEFUL; pf->scan_flags |= SCAN_HOST_PORT_FLAG; } diff --git a/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h b/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h index de9eb8c5d..40c056479 100644 --- a/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h +++ b/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h @@ -176,7 +176,7 @@ void AppIdSession::free_flow_data() { snort_free(smb_data); } -void* AppIdSession::get_flow_data(unsigned){ return smb_data;} +void* AppIdSession::get_flow_data(unsigned) const { return smb_data;} // Stubs for AppIdPegCounts void AppIdPegCounts::inc_service_count(AppId) { } diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc index 99906fa39..3790cc812 100644 --- a/src/network_inspectors/appid/test/appid_api_test.cc +++ b/src/network_inspectors/appid/test/appid_api_test.cc @@ -73,7 +73,8 @@ void DataBus::publish(const char*, DataEvent& event, Flow*) void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, Flow* flow, bool, uint32_t) { - AppidEvent app_event(change_bits, false, 0); + static AppIdSessionApi api(*this); + AppidEvent app_event(change_bits, false, 0, api); DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, flow); } 
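Review bot: `static AppIdSessionApi api(*this);` in the mocked `AppIdSession::publish_appid_event` binds the API object to whichever session publishes first, and every later call reuses that reference even after that session has been deleted. Every later event then carries a stale `const AppIdSession&`; nothing visible here dereferences it, but a subscriber stub that did would read freed memory. Dropping `static`, i.e. `AppIdSessionApi api(*this);`, gives each publish an object that lives exactly as long as the event. The same line is added in the appid_discovery_test.cc hunk `@@ -203,7 +204,8 @@`, where the test cases run `delete asd` when they finish.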
@@ -163,7 +164,7 @@ TEST(appid_api, produce_ha_state) memset((void*)&appHA, 0, sizeof(appHA)); memset((void*)&cmp_buf, 0, sizeof(cmp_buf)); - mock_session->common.flags |= APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION; + mock_session->flags |= APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION; mock_session->set_tp_app_id(APPID_UT_ID); mock_session->service.set_id(APPID_UT_ID + 1, stub_odp_ctxt); @@ -237,7 +238,7 @@ TEST(appid_api, ssl_app_group_id_lookup) CHECK_EQUAL(service, APPID_UT_ID); CHECK_EQUAL(client, APPID_UT_ID); CHECK_EQUAL(payload, APPID_UT_ID); - STRCMP_EQUAL("Published change_bits == 000000001111", test_log); + STRCMP_EQUAL("Published change_bits == 0000000011110", test_log); service = APP_ID_NONE; client = APP_ID_NONE; @@ -250,7 +251,7 @@ TEST(appid_api, ssl_app_group_id_lookup) STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); - STRCMP_EQUAL("Published change_bits == 000001000110", test_log); + STRCMP_EQUAL("Published change_bits == 0000010001100", test_log); AppidChangeBits change_bits; mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits); @@ -267,7 +268,7 @@ TEST(appid_api, ssl_app_group_id_lookup) STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco"); - STRCMP_EQUAL("Published change_bits == 000001000110", test_log); + STRCMP_EQUAL("Published change_bits == 0000010001100", test_log); string host = ""; val = appid_api.ssl_app_group_id_lookup(flow, (const char*)(host.c_str()), nullptr, 
@@ -278,26 +279,10 @@ TEST(appid_api, ssl_app_group_id_lookup) STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Google"); - STRCMP_EQUAL("Published change_bits == 000001000000", test_log); + STRCMP_EQUAL("Published change_bits == 0000010000000", test_log); mock().checkExpectations(); } -TEST(appid_api, create_appid_session_api) -{ - AppIdSessionApi* appid_session_api = appid_api.create_appid_session_api(*flow); - CHECK_TRUE(appid_session_api); - appid_api.free_appid_session_api(appid_session_api); - - Flow* old_flow = flow; - flow = new Flow; - flow->set_flow_data(nullptr); - appid_session_api = appid_api.create_appid_session_api(*flow); - CHECK_FALSE(appid_session_api); - - delete flow; - flow = old_flow; -} - TEST(appid_api, is_inspection_needed) { DummyInspector inspector; diff --git a/src/network_inspectors/appid/test/appid_debug_test.cc b/src/network_inspectors/appid/test/appid_debug_test.cc index 3c91af0d3..d91003913 100644 --- a/src/network_inspectors/appid/test/appid_debug_test.cc +++ b/src/network_inspectors/appid/test/appid_debug_test.cc @@ -120,8 +120,8 @@ TEST(appid_debug, basic_test) IpProtocol protocol = IpProtocol::TCP; uint16_t address_space_id = 0; // The session... - session.common.initiator_port = sport; - session.common.initiator_ip = sip; + session.initiator_port = sport; + session.initiator_ip = sip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); 
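Review bot: Removing `TEST(appid_api, create_appid_session_api)` leaves the accessor that replaces `create_appid_session_api` without a test in this hunk. The deleted case was the one visible here that covered a flow with no appid flow data, where a null result is expected. A replacement along the lines below would keep that branch covered. It assumes the mock `AppIdSession` used by this test can supply its API object, which is not visible here and should be confirmed.

```cpp
TEST(appid_api, get_appid_session_api)
{
    const AppIdSessionApi* appid_session_api = appid_api.get_appid_session_api(*flow);
    CHECK_TRUE(appid_session_api);

    // A flow without appid flow data must yield nullptr, not a stale object.
    Flow* old_flow = flow;
    flow = new Flow;
    flow->set_flow_data(nullptr);
    appid_session_api = appid_api.get_appid_session_api(*flow);
    CHECK_FALSE(appid_session_api);

    delete flow;
    flow = old_flow;
}
```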
@@ -153,8 +153,8 @@ TEST(appid_debug, reverse_direction_activate_test) IpProtocol protocol = IpProtocol::TCP; uint16_t address_space_id = 0; // The session... - session.common.initiator_port = dport; // session initiator is now dst - session.common.initiator_ip = dip; + session.initiator_port = dport; // session initiator is now dst + session.initiator_ip = dip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); @@ -187,8 +187,8 @@ TEST(appid_debug, ipv6_test) IpProtocol protocol = IpProtocol::UDP; // also threw in UDP and address space ID for kicks uint16_t address_space_id = 100; // The session... - session.common.initiator_port = sport; - session.common.initiator_ip = sip; + session.initiator_port = sport; + session.initiator_ip = sip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 6, address_space_id, &session, false); @@ -226,8 +226,8 @@ TEST(appid_debug, no_initiator_port_test) IpProtocol protocol = IpProtocol::TCP; uint16_t address_space_id = 0; // The session... - session.common.initiator_port = 0; // no initiator port yet (uses IPs) - session.common.initiator_ip = sip; + session.initiator_port = 0; // no initiator port yet (uses IPs) + session.initiator_ip = sip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); 
@@ -259,8 +259,8 @@ TEST(appid_debug, no_initiator_port_reversed_test) IpProtocol protocol = IpProtocol::TCP; uint16_t address_space_id = 0; // The session... - session.common.initiator_port = 0; // no initiator port yet (uses IPs)... and reversed packet dir from above - session.common.initiator_ip = dip; + session.initiator_port = 0; // no initiator port yet (uses IPs)... and reversed packet dir from above + session.initiator_ip = dip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); @@ -327,8 +327,8 @@ TEST(appid_debug, no_match_test) IpProtocol protocol = IpProtocol::UDP; // but this packet is UDP instead uint16_t address_space_id = 0; // The session... - session.common.initiator_port = sport; - session.common.initiator_ip = sip; + session.initiator_port = sport; + session.initiator_ip = sip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); @@ -356,8 +356,8 @@ TEST(appid_debug, all_constraints_test) IpProtocol protocol = IpProtocol::TCP; uint16_t address_space_id = 0; // The session... - session.common.initiator_port = sport; - session.common.initiator_ip = sip; + session.initiator_port = sport; + session.initiator_ip = sip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); @@ -389,8 +389,8 @@ TEST(appid_debug, just_proto_test) IpProtocol protocol = IpProtocol::TCP; uint16_t address_space_id = 0; // The session... - session.common.initiator_port = sport; - session.common.initiator_ip = sip; + session.initiator_port = sport; + session.initiator_ip = sip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); 
@@ -422,8 +422,8 @@ TEST(appid_debug, just_ip_test) IpProtocol protocol = IpProtocol::TCP; uint16_t address_space_id = 0; // The session... - session.common.initiator_port = sport; - session.common.initiator_ip = sip; + session.initiator_port = sport; + session.initiator_ip = sip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); @@ -455,8 +455,8 @@ TEST(appid_debug, just_port_test) IpProtocol protocol = IpProtocol::TCP; uint16_t address_space_id = 0; // The session... - session.common.initiator_port = sport; - session.common.initiator_ip = sip; + session.initiator_port = sport; + session.initiator_ip = sip; // activate() appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, protocol, 4, address_space_id, &session, false); diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index ea394407f..39ab2bb89 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -31,6 +31,7 @@ #include "utils/sflsq.cc" #include "appid_mock_session.h" +#include "appid_session_api.h" #include "tp_lib_handler.h" #include @@ -203,7 +204,8 @@ AppIdSession* AppIdSession::allocate_session(const Packet*, IpProtocol, void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, Flow* flow, bool, uint32_t) { - AppidEvent app_event(change_bits, false, 0); + static AppIdSessionApi api(*this); + AppidEvent app_event(change_bits, false, 0, api); DataBus::publish(APPID_EVENT_ANY_CHANGE, app_event, flow); } 
@@ -334,15 +336,15 @@ TEST(appid_discovery_tests, event_published_when_ignoring_flow) Flow* flow = new Flow; flow->set_flow_data(asd); p.flow = flow; - asd->common.initiator_port = 21; - asd->common.initiator_ip.set("1.2.3.4"); + asd->initiator_port = 21; + asd->initiator_ip.set("1.2.3.4"); asd->set_session_flags(APPID_SESSION_FUTURE_FLOW); AppIdDiscovery::do_application_discovery(&p, ins, nullptr); // Detect changes in service, client, payload, and misc appid mock().checkExpectations(); - STRCMP_EQUAL(test_log, "Published change_bits == 000000001111"); + STRCMP_EQUAL(test_log, "Published change_bits == 0000000011110"); delete asd; delete flow; } @@ -365,14 +367,14 @@ TEST(appid_discovery_tests, event_published_when_processing_flow) Flow* flow = new Flow; flow->set_flow_data(asd); p.flow = flow; - asd->common.initiator_port = 21; - asd->common.initiator_ip.set("1.2.3.4"); + asd->initiator_port = 21; + asd->initiator_ip.set("1.2.3.4"); AppIdDiscovery::do_application_discovery(&p, ins, nullptr); // Detect changes in service, client, payload, and misc appid mock().checkExpectations(); - STRCMP_EQUAL(test_log, "Published change_bits == 000000001111"); + STRCMP_EQUAL(test_log, "Published change_bits == 0000000011110"); delete asd; delete flow; } @@ -421,8 +423,8 @@ TEST(appid_discovery_tests, change_bits_for_non_http_appid) flow->set_flow_data(asd); p.flow = flow; p.ptrs.tcph = nullptr; - asd->common.initiator_port = 21; - asd->common.initiator_ip.set("1.2.3.4"); + asd->initiator_port = 21; + asd->initiator_ip.set("1.2.3.4"); asd->misc_app_id = APP_ID_NONE; asd->payload.set_id(APP_ID_NONE); asd->client.set_id(APP_ID_CURL); 
@@ -462,11 +464,11 @@ TEST(appid_discovery_tests, change_bits_to_string) // Detect all; failure of this test means some bits from enum are missed in translation change_bits.set(); change_bits_to_string(change_bits, str); - STRCMP_EQUAL(str.c_str(), "service, client, payload, misc, referred, host," + STRCMP_EQUAL(str.c_str(), "created, service, client, payload, misc, referred, host," " tls-host, url, user-agent, response, referrer, version"); // Failure of this test is a reminder that enum is changed, hence translator needs update - CHECK_EQUAL(APPID_MAX_BIT, 12); + CHECK_EQUAL(APPID_MAX_BIT, 13); } int main(int argc, char** argv) diff --git a/src/network_inspectors/appid/test/appid_http_session_test.cc b/src/network_inspectors/appid/test/appid_http_session_test.cc index 156648dd7..ad24c4be6 100644 --- a/src/network_inspectors/appid/test/appid_http_session_test.cc +++ b/src/network_inspectors/appid/test/appid_http_session_test.cc @@ -128,7 +128,7 @@ void AppIdSession::reset_session_data() { } -bool AppIdSession::is_payload_appid_set() +bool AppIdSession::is_payload_appid_set() const { return true; } diff --git a/src/network_inspectors/appid/test/appid_mock_session.h b/src/network_inspectors/appid/test/appid_mock_session.h index 5c9a9d36c..91be114d7 100644 --- a/src/network_inspectors/appid/test/appid_mock_session.h +++ b/src/network_inspectors/appid/test/appid_mock_session.h @@ -94,7 +94,7 @@ AppIdSession::AppIdSession(IpProtocol proto, const SfIp*, uint16_t, AppIdInspect tsession = new TlsSession; service_ip.pton(AF_INET, APPID_UT_SERVICE_IP_ADDR); - common.initiator_ip.pton(AF_INET, APPID_UT_INITIATOR_IP_ADDR); + initiator_ip.pton(AF_INET, APPID_UT_INITIATOR_IP_ADDR); netbios_name = snort_strdup(APPID_UT_NETBIOS_NAME); @@ -119,7 +119,7 @@ AppIdSession::~AppIdSession() snort_free(netbios_name); } -void* AppIdSession::get_flow_data(unsigned) +void* AppIdSession::get_flow_data(unsigned) const { return nullptr; } 
@@ -154,38 +154,38 @@ void AppIdSession::set_ss_application_ids(AppId service_id, AppId client_id, } } -AppId AppIdSession::pick_service_app_id() +AppId AppIdSession::pick_service_app_id() const { return service.get_id(); } -AppId AppIdSession::pick_ss_misc_app_id() +AppId AppIdSession::pick_ss_misc_app_id() const { return misc_app_id; } -AppId AppIdSession::pick_ss_client_app_id() +AppId AppIdSession::pick_ss_client_app_id() const { return client.get_id(); } -AppId AppIdSession::pick_ss_payload_app_id() +AppId AppIdSession::pick_ss_payload_app_id() const { return payload.get_id(); } -AppId AppIdSession::pick_ss_referred_payload_app_id() +AppId AppIdSession::pick_ss_referred_payload_app_id() const { return APPID_UT_ID; } -void AppIdSession::get_first_stream_app_ids(AppId&, AppId&, AppId&, AppId&) { } +void AppIdSession::get_first_stream_app_ids(AppId&, AppId&, AppId&, AppId&) const { } -void AppIdSession::get_first_stream_app_ids(AppId&, AppId&, AppId&) { } +void AppIdSession::get_first_stream_app_ids(AppId&, AppId&, AppId&) const { } -AppId AppIdSession::get_application_ids_service() { return APPID_UT_ID; } +AppId AppIdSession::get_application_ids_service() const { return APPID_UT_ID; } -AppId AppIdSession::get_application_ids_client(uint32_t stream_index) +AppId AppIdSession::get_application_ids_client(uint32_t stream_index) const { if (stream_index < hsessions.size() or stream_index == 0) return APPID_UT_ID; @@ -193,7 +193,7 @@ AppId AppIdSession::get_application_ids_client(uint32_t stream_index) return APP_ID_NONE; } -AppId AppIdSession::get_application_ids_payload(uint32_t stream_index) +AppId AppIdSession::get_application_ids_payload(uint32_t stream_index) const { if (stream_index < hsessions.size() or stream_index == 0) return APPID_UT_ID; 
@@ -201,7 +201,7 @@ AppId AppIdSession::get_application_ids_payload(uint32_t stream_index) return APP_ID_NONE; } -AppId AppIdSession::get_application_ids_misc(uint32_t stream_index) +AppId AppIdSession::get_application_ids_misc(uint32_t stream_index) const { if (stream_index < hsessions.size() or stream_index == 0) return APPID_UT_ID; @@ -209,7 +209,7 @@ AppId AppIdSession::get_application_ids_misc(uint32_t stream_index) return APP_ID_NONE; } -bool AppIdSession::is_ssl_session_decrypted() +bool AppIdSession::is_ssl_session_decrypted() const { return is_session_decrypted; } @@ -228,7 +228,7 @@ AppIdHttpSession* AppIdSession::create_http_session(uint32_t) return hsession; } -AppIdHttpSession* AppIdSession::get_http_session(uint32_t stream_index) +AppIdHttpSession* AppIdSession::get_http_session(uint32_t stream_index) const { if (stream_index < hsessions.size()) { @@ -237,11 +237,11 @@ AppIdHttpSession* AppIdSession::get_http_session(uint32_t stream_index) return nullptr; } -AppIdHttpSession* AppIdSession::get_matching_http_session(uint32_t stream_id) +AppIdHttpSession* AppIdSession::get_matching_http_session(uint32_t stream_id) const { for (uint32_t stream_index=0; stream_index < hsessions.size(); stream_index++) { - if(stream_id == hsessions[stream_index]->get_http2_stream_id()) + if (stream_id == hsessions[stream_index]->get_http2_stream_id()) return hsessions[stream_index]; } return nullptr; @@ -254,7 +254,7 @@ AppIdDnsSession* AppIdSession::create_dns_session() return dsession; } -AppIdDnsSession* AppIdSession::get_dns_session() +AppIdDnsSession* AppIdSession::get_dns_session() const { return dsession; } diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc index b67378961..034329644 100644 --- a/src/network_inspectors/appid/test/appid_session_api_test.cc +++ b/src/network_inspectors/appid/test/appid_session_api_test.cc 
@@ -43,7 +43,7 @@ TEST_GROUP(appid_session_api) { MemoryLeakWarningPlugin::turnOffNewDeleteOverloads(); mock_session = new AppIdSession(IpProtocol::TCP, nullptr, 1492, dummy_appid_inspector); - appid_session_api = new AppIdSessionApi(mock_session); + appid_session_api = new AppIdSessionApi(*mock_session); } void teardown() override @@ -115,7 +115,7 @@ TEST(appid_session_api, get_initiator_ip) expected_ip.pton(AF_INET, APPID_UT_INITIATOR_IP_ADDR); - SfIp* val = appid_session_api->get_initiator_ip(); + const SfIp* val = appid_session_api->get_initiator_ip(); CHECK_TRUE(val->fast_eq4(expected_ip)); } @@ -194,7 +194,7 @@ TEST(appid_session_api, get_client_version) } TEST(appid_session_api, get_http_session) { - AppIdHttpSession* val; + const AppIdHttpSession* val; mock_session->create_http_session(); val = appid_session_api->get_http_session(); CHECK_TRUE(val != nullptr); @@ -219,7 +219,7 @@ TEST(appid_session_api, get_appid_session_attribute) TEST(appid_session_api, appid_dns_api) { - AppIdDnsSession* dsession = appid_session_api->get_dns_session(); + const AppIdDnsSession* dsession = appid_session_api->get_dns_session(); const char* val = dsession->get_host(); STRCMP_EQUAL(val, APPID_ID_UT_DNS_HOST); diff --git a/src/pub_sub/appid_events.h b/src/pub_sub/appid_events.h index c809d0515..9d661aee3 100644 --- a/src/pub_sub/appid_events.h +++ b/src/pub_sub/appid_events.h @@ -28,12 +28,19 @@ #define APPID_EVENT_ANY_CHANGE "appid_event_any_change" +namespace snort +{ + class AppIdSessionApi; +} + // Events are added as needed by subscribers // Any change here should also change change_bits_to_string() enum AppidChangeBit { + APPID_CREATED_BIT = 0, + // id - APPID_SERVICE_BIT = 0, + APPID_SERVICE_BIT, APPID_CLIENT_BIT, APPID_PAYLOAD_BIT, APPID_MISC_BIT, 
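Review bot: Inserting `APPID_CREATED_BIT = 0` ahead of `APPID_SERVICE_BIT` renumbers every existing `AppidChangeBit`, so a subscriber compiled against the previous appid_events.h would test the wrong positions in the bitset it receives. If separately built subscribers are supported, adding the new enumerator after the existing ones, just before `APPID_MAX_BIT`, keeps the old values stable. If a rebuild is always required, a comment on the enum such as `// Values are not stable across releases; rebuild subscribers against this header.` would make that explicit. The enum continues past the end of this hunk.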
@@ -59,6 +66,8 @@ inline void change_bits_to_string(AppidChangeBits& change_bits, std::string& str { size_t n = change_bits.count(); + if (change_bits.test(APPID_CREATED_BIT)) + --n? str.append("created, ") : str.append("created"); if (change_bits.test(APPID_SERVICE_BIT)) --n? str.append("service, ") : str.append("service"); if (change_bits.test(APPID_CLIENT_BIT)) @@ -90,8 +99,9 @@ inline void change_bits_to_string(AppidChangeBits& change_bits, std::string& str class AppidEvent : public snort::DataEvent { public: - AppidEvent(const AppidChangeBits& ac, bool is_http2, uint32_t http2_stream_index) : - ac_bits(ac), is_http2(is_http2), http2_stream_index(http2_stream_index) {} + AppidEvent(const AppidChangeBits& ac, bool is_http2, uint32_t http2_stream_index, + const snort::AppIdSessionApi& api) : + ac_bits(ac), is_http2(is_http2), http2_stream_index(http2_stream_index), api(api) {} const AppidChangeBits& get_change_bitset() const { return ac_bits; } @@ -102,10 +112,14 @@ public: uint32_t get_http2_stream_index() const { return http2_stream_index; } + const snort::AppIdSessionApi& get_appid_session_api() const + { return api; } + private: const AppidChangeBits& ac_bits; bool is_http2; uint32_t http2_stream_index; + const snort::AppIdSessionApi& api; }; #endif
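Review bot: `AppidEvent` now stores `const snort::AppIdSessionApi& api` next to the existing `const AppidChangeBits& ac_bits`, so the event is only a view over objects owned by the publisher, and the new `get_appid_session_api()` hands that reference to every subscriber. A handler that keeps the reference or its address after `DataBus::publish` returns can outlive the session it points into. A comment on the getter such as `// Valid only for the duration of the event callback; copy out what you need.` would state the contract. The two places involved are the constructor hunk `@@ -90,8 +99,9 @@` and the member hunk `@@ -102,10 +112,14 @@`.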