From: Davis McPherson (davmcphe) Date: Mon, 12 Oct 2020 15:51:50 +0000 (+0000) Subject: Merge pull request #2532 in SNORT/snort3 from ~ARMANDAV/snort3:rna_user to master X-Git-Tag: 3.0.3-3~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=403fe8349866cded948b97ecccbc4deb04ed76ad;p=thirdparty%2Fsnort3.git Merge pull request #2532 in SNORT/snort3 from ~ARMANDAV/snort3:rna_user to master Squashed commit of the following: commit bd6b9da8be8e3f6de3fd612b60a0c3b72ad517bb Author: Arun Mandava Date: Wed Oct 7 11:53:46 2020 -0400 rna: Change ip to client instead of server for login events
---
diff --git a/src/network_inspectors/rna/rna_app_discovery.cc b/src/network_inspectors/rna/rna_app_discovery.cc
index d1cac533f..0544d95d6 100644
--- a/src/network_inspectors/rna/rna_app_discovery.cc
+++ b/src/network_inspectors/rna/rna_app_discovery.cc
@@ -115,7 +115,7 @@ void RnaAppDiscovery::process(AppidEvent* appid_event, DiscoveryFilter& filter,
 AppId service;
 const char* username = appid_session_api.get_client_info(service);
 if ( service > APP_ID_NONE and username and *username )
- discover_user(p, ht, (const struct in6_addr*) src_ip->get_ip6_ptr(), src_mac,
+ discover_user(p, ht, (const struct in6_addr*) p->ptrs.ip_api.get_dst()->get_ip6_ptr(),
 logger, username, service, proto);
 }
 
@@ -233,12 +233,12 @@ void RnaAppDiscovery::discover_client(const Packet* p, RnaTracker& rt,
 }
 
 void RnaAppDiscovery::discover_user(const Packet* p, RnaTracker& rt,
- const struct in6_addr* src_ip, const uint8_t* src_mac, RnaLogger& logger,
- const char* username, AppId service, IpProtocol proto)
+ const struct in6_addr* ip, RnaLogger& logger, const char* username,
+ AppId service, IpProtocol proto)
 {
 if ( rt->update_service_user(p->flow->server_port, proto, username) )
 {
- logger.log(RUA_EVENT, CHANGE_USER_LOGIN, p, &rt, src_ip, src_mac, username,
+ logger.log(RUA_EVENT, CHANGE_USER_LOGIN, p, &rt, ip, username,
 service, (uint32_t) packet_time());
 }
 }
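Review bot: The new argument `p->ptrs.ip_api.get_dst()` in the first hunk is the client address only when the packet that carries the username event travels from server to client, and nothing in the hunk checks the direction. If process() can reach this call on a client-to-server packet, the login event would be recorded against the server address, which is the misattribution the commit title sets out to fix. Choosing the address by direction, for example `const SfIp* cip = p->is_from_client() ? p->ptrs.ip_api.get_src() : p->ptrs.ip_api.get_dst();`, or reading the flow's client address, would make the intent explicit. The body of process() starts and continues outside the hunk, so a direction check may already exist there.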
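Review bot: After the rename from `src_ip` to `ip` in the second hunk, discover_user() no longer says whose address it expects, while `rt` is still the tracker that `update_service_user()` modifies and that is handed to `logger.log()`. A short comment above the definition would keep a later caller from passing the tracked host's own address again, for example `// ip: address of the client that logged in; may differ from the host tracked by rt`. Whether `rt` and `ip` can in fact refer to different hosts depends on how process() obtains `ht`, which is not visible in this diff.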
diff --git a/src/network_inspectors/rna/rna_app_discovery.h b/src/network_inspectors/rna/rna_app_discovery.h
index df437dc63..e7c468be9 100644
--- a/src/network_inspectors/rna/rna_app_discovery.h
+++ b/src/network_inspectors/rna/rna_app_discovery.h
@@ -40,7 +40,7 @@ public:
 RnaLogger&, const char*, AppId client, AppId service);
 
 static void discover_user(const snort::Packet*, RnaTracker&, const struct in6_addr*,
- const uint8_t* src_mac, RnaLogger&, const char* username, AppId, IpProtocol);
+ RnaLogger&, const char* username, AppId, IpProtocol);
 
 private:
 static void update_service_info(const snort::Packet*, IpProtocol, const char* vendor,
diff --git a/src/network_inspectors/rna/rna_logger.cc b/src/network_inspectors/rna/rna_logger.cc
index 6503b61d4..e1fb8abd6 100644
--- a/src/network_inspectors/rna/rna_logger.cc
+++ b/src/network_inspectors/rna/rna_logger.cc
@@ -48,16 +48,23 @@ using namespace snort;
 #ifdef DEBUG_MSGS
 static inline void rna_logger_message(const RnaLoggerEvent& rle)
 {
- char macbuf[19];
- snprintf(macbuf, 19, "%02X:%02X:%02X:%02X:%02X:%02X",
- rle.mac[0], rle.mac[1], rle.mac[2], rle.mac[3], rle.mac[4], rle.mac[5]);
+ char macbuf[19] = { 0 };
+ if ( rle.mac )
+ snprintf(macbuf, 19, "%02X:%02X:%02X:%02X:%02X:%02X",
+ rle.mac[0], rle.mac[1], rle.mac[2], rle.mac[3], rle.mac[4], rle.mac[5]);
+
 if ( rle.ip )
 {
 SfIp ip;
 SfIpString ipbuf;
 ip.set(rle.ip); // using this instead of packet's ip to support ARP
- debug_logf(rna_trace, nullptr, "RNA log: type %u, subtype %u, mac %s, ip %s\n",
- rle.type, rle.subtype, macbuf, ip.ntop(ipbuf));
+ if ( rle.mac )
+ debug_logf(rna_trace, nullptr, "RNA log: type %u, subtype %u, mac %s, ip %s\n",
+ rle.type, rle.subtype, macbuf, ip.ntop(ipbuf));
+ else
+ debug_logf(rna_trace, nullptr, "RNA log: type %u, subtype %u, ip %s\n",
+ rle.type, rle.subtype, ip.ntop(ipbuf));
+
 if ( rle.hc )
 {
 if ( rle.hc->version[0] != '\0' )
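Review bot: In rna_logger_message() the `rle.mac` test is now made twice, and the two `debug_logf` calls differ only in the `mac %s` field, so the format string is duplicated. Because `macbuf` is read only under the second `if ( rle.mac )`, the `= { 0 }` initialiser does no work in the lines shown; either drop it or keep it and print `macbuf` unconditionally from a single call. The size literal could also follow the buffer, `snprintf(macbuf, sizeof(macbuf), ...)`. The function continues past the end of the hunk, so any later read of `macbuf` or `rle.mac` there needs the same null case.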
@@ -107,10 +114,9 @@ void RnaLogger::log(uint16_t type, uint16_t subtype, const Packet* p, RnaTracker
 }
 
 void RnaLogger::log(uint16_t type, uint16_t subtype, const Packet* p, RnaTracker* ht,
- const struct in6_addr* src_ip, const uint8_t* src_mac, const char* user, AppId appid,
- uint32_t event_time)
+ const struct in6_addr* ip, const char* user, AppId appid, uint32_t event_time)
 {
- log(type, subtype, src_ip, src_mac, ht, p, event_time, 0,
+ log(type, subtype, ip, nullptr, ht, p, event_time, 0,
 nullptr, nullptr, nullptr, nullptr, nullptr, user, appid);
 }
 
diff --git a/src/network_inspectors/rna/rna_logger.h b/src/network_inspectors/rna/rna_logger.h
index 21ff30e4b..47a61d33d 100644
--- a/src/network_inspectors/rna/rna_logger.h
+++ b/src/network_inspectors/rna/rna_logger.h
@@ -72,8 +72,7 @@ public:
 
 // for host user
 void log(uint16_t type, uint16_t subtype, const snort::Packet*, RnaTracker*,
- const struct in6_addr*, const uint8_t* src_mac, const char* user,
- AppId appid, uint32_t event_time);
+ const struct in6_addr*, const char* user, AppId appid, uint32_t event_time);
 
 // for fingerprint
 void log(uint16_t type, uint16_t subtype, const snort::Packet* p, RnaTracker* ht,
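Review bot: The host-user overload in rna_logger.cc now passes `nullptr` as the MAC to the general `log()`, so every reader of the event's `mac` field has to tolerate a null pointer, and the only guard this commit adds is in the DEBUG_MSGS printer. The general `log()` and the event consumers are not part of this diff, so it is worth confirming that none of them copies or formats six bytes from `mac` unconditionally. A comment on the overload, such as `// mac is not set for user login events; consumers must check for nullptr`, would record the contract next to the call.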