From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 26 Oct 2021 18:40:33 +0000 (+0000) Subject: Merge pull request #3116 in SNORT/snort3 from ~CLJUDGE/snort3:snort3_client_app_detec... X-Git-Tag: 3.1.16.0~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49e17530db936d52588c1903cff46ae0382928d0;p=thirdparty%2Fsnort3.git Merge pull request #3116 in SNORT/snort3 from ~CLJUDGE/snort3:snort3_client_app_detect_types to master Squashed commit of the following: commit f3a0f5e68a64507125b1acce375ebaf7c708c063 Author: cljudge Date: Thu Oct 7 04:55:54 2021 -0400 appid: provide API to give client_app_detection_type
---
diff --git a/src/network_inspectors/appid/appid_app_descriptor.h b/src/network_inspectors/appid/appid_app_descriptor.h
index d7f85d3e3..6e19081bd 100644
--- a/src/network_inspectors/appid/appid_app_descriptor.h
+++ b/src/network_inspectors/appid/appid_app_descriptor.h
@@ -238,6 +238,7 @@ public:
 ApplicationDescriptor::reset();
 my_username.clear();
 my_user_id = APP_ID_NONE;
+ my_client_detect_type = CLIENT_APP_DETECT_APPID;
 }
 void update_user(AppId app_id, const char* username, AppidChangeBits& change_bits);
@@ -264,10 +265,21 @@ public:
 return efp_client_app_id;
 }
+ void set_efp_client_app_detect_type(ClientAppDetectType client_app_detect_type)
+ {
+ my_client_detect_type = client_app_detect_type;
+ }
+
+ ClientAppDetectType get_client_app_detect_type() const
+ {
+ return my_client_detect_type;
+ }
+
 private:
 std::string my_username;
 AppId my_user_id = APP_ID_NONE;
 AppId efp_client_app_id = APP_ID_NONE;
+ ClientAppDetectType my_client_detect_type = CLIENT_APP_DETECT_APPID;
 };
 class PayloadAppDescriptor : public ApplicationDescriptor
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index f874e573f..904b9ee45 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
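Review bot: The new setter `set_efp_client_app_detect_type()` in the second hunk is misnamed relative to what it stores: it writes `my_client_detect_type`, is read back through `get_client_app_detect_type()`, and the callers in appid_session.cc pass `CLIENT_APP_DETECT_APPID` on three of the four return paths, so the value is not specific to the efp client id. Renaming it `set_client_app_detect_type()` (and updating the calls in appid_session.cc and the test mock) would match the getter and the member it sets. Whichever name stays, the new member has no comment; suggest `// How the last pick_ss_client_app_id() arrived at its client id: TLS_FP when the efp id was returned, APPID otherwise (also the value before any pick and after reset()).` The enclosing class declaration starts outside the hunk.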
@@ -854,16 +854,26 @@ AppId AppIdSession::pick_ss_client_app_id() const
 if (!api.hsessions.empty()) tmp_id = api.hsessions[0]->client.get_id();
 if (tmp_id > APP_ID_NONE)
+ {
+ api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);
 return tmp_id;
+ }
 if (api.client.get_efp_client_app_id() > APP_ID_NONE and (api.client.get_id() == APP_ID_SSL_CLIENT or api.client.get_id() <= APP_ID_NONE))
+ {
+ api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
 return api.client.get_efp_client_app_id();
+ }
 if (api.client.get_id() > APP_ID_NONE)
+ {
+ api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);
 return api.client.get_id();
+ }
+ api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);
 return encrypted.client_id;
 }
diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc
index 69936d2c7..eff468c0b 100644
--- a/src/network_inspectors/appid/appid_session_api.cc
+++ b/src/network_inspectors/appid/appid_session_api.cc
@@ -29,6 +29,7 @@
 #include "managers/inspector_manager.h"
 #include "appid_inspector.h"
 #include "appid_session.h"
+#include "appid_types.h"
 #include "service_plugins/service_bootp.h"
 #include "service_plugins/service_netbios.h"
@@ -318,6 +319,11 @@ const char* AppIdSessionApi::get_netbios_domain() const
 return netbios_domain;
 }
+ClientAppDetectType AppIdSessionApi::get_client_app_detect_type() const
+{
+ return client.get_client_app_detect_type();
+}
+
 void AppIdSessionApi::set_netbios_name(AppidChangeBits& change_bits, const char* name)
 {
 if (netbios_name)
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index 585a78627..159d3dbaa 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
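Review bot: `pick_ss_client_app_id()` is declared `const` yet every return path in this hunk now mutates `api.client`; that presumably compiles because `api` is a reference or pointer member, but it turns a const picker into a function with a side effect, which deserves a comment at the definition (the function starts before the hunk). The recorded detect type is also only meaningful after this function has run: until then `get_client_app_detect_type()` returns the member's default `CLIENT_APP_DETECT_APPID`. The four `set_efp_client_app_detect_type()` calls can collapse into one default at the top of this stretch with a single override on the efp path, which removes the added braces and makes the APPID/TLS_FP split visible at a glance.
```cpp
    // … unchanged: tmp_id taken from hsessions[0] when present …
    // APPID is the default source; only the efp path below overrides it.
    api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);

    if (tmp_id > APP_ID_NONE)
        return tmp_id;

    if (api.client.get_efp_client_app_id() > APP_ID_NONE and
        (api.client.get_id() == APP_ID_SSL_CLIENT or api.client.get_id() <= APP_ID_NONE))
    {
        api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
        return api.client.get_efp_client_app_id();
    }

    if (api.client.get_id() > APP_ID_NONE)
        return api.client.get_id();

    return encrypted.client_id;
```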
@@ -127,6 +127,7 @@ public:
 bool is_http_inspection_done() const;
 const char* get_netbios_name() const;
 const char* get_netbios_domain() const;
+ ClientAppDetectType get_client_app_detect_type() const;
 // For protocols such as HTTP2 which can have multiple streams within a single flow,
 // get_first_stream_* methods return the appids in the first stream seen in a packet.
diff --git a/src/network_inspectors/appid/appid_types.h b/src/network_inspectors/appid/appid_types.h
index d569c5b3f..58e2157c2 100644
--- a/src/network_inspectors/appid/appid_types.h
+++ b/src/network_inspectors/appid/appid_types.h
@@ -65,4 +65,10 @@ enum AppidSessionDirection
 APP_ID_APPID_SESSION_DIRECTION_MAX
 };
+enum ClientAppDetectType
+{
+ CLIENT_APP_DETECT_APPID = 0,
+ CLIENT_APP_DETECT_TLS_FP
+};
+
 #endif
diff --git a/src/network_inspectors/appid/test/appid_mock_session.h b/src/network_inspectors/appid/test/appid_mock_session.h
index 7f50b82c8..cc03b14d0 100644
--- a/src/network_inspectors/appid/test/appid_mock_session.h
+++ b/src/network_inspectors/appid/test/appid_mock_session.h
@@ -141,7 +141,16 @@ AppId AppIdSession::pick_ss_misc_app_id() const
 AppId AppIdSession::pick_ss_client_app_id() const
 {
- return get_client_id();
+ if (get_efp_client_app_id() > APP_ID_NONE and get_client_id() <= APP_ID_NONE)
+ {
+ api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
+ return get_efp_client_app_id();
+ }
+ else
+ {
+ api.client.set_efp_client_app_detect_type(CLIENT_APP_DETECT_APPID);
+ return get_client_id();
+ }
 }
 AppId AppIdSession::pick_ss_payload_app_id() const
diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc
index eff13f484..b00534595 100644
--- a/src/network_inspectors/appid/test/appid_session_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_session_api_test.cc
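Review bot: The new public declaration `get_client_app_detect_type()` in appid_session_api.h carries no comment, and its value depends on when it is called: the accessor in appid_session_api.cc only reads the descriptor member, which is `CLIENT_APP_DETECT_APPID` from initialization and after `reset()`, and becomes `CLIENT_APP_DETECT_TLS_FP` only once `pick_ss_client_app_id()` has taken the efp path. Suggest adding above the declaration `// Source of the client app id chosen by the last pick_ss_client_app_id(): TLS_FP when the efp client id was used, APPID otherwise (also the value before any pick has happened).` so API consumers do not read the default as a positive detection result.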
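Review bot: The mock `pick_ss_client_app_id()` in appid_mock_session.h reproduces only part of the real selection in appid_session.cc: it drops the `api.client.get_id() == APP_ID_SSL_CLIENT` alternative and the `hsessions` and `encrypted.client_id` paths, so the efp branch is taken only when the client id is `<= APP_ID_NONE`. Tests built on this mock therefore cannot exercise the SSL_CLIENT-with-efp case that the real code classifies as TLS_FP. If the mock is meant to stay minimal, a one-line comment naming the omitted branches would keep the next reader from trusting it as a faithful copy; otherwise extend the condition with `or get_client_id() == APP_ID_SSL_CLIENT`, provided that constant is visible to the mock.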
@@ -340,6 +340,30 @@ TEST(appid_session_api, is_http_inspection_done)
 CHECK_TRUE(val);
 }
+TEST(appid_session_api, get_client_app_detect_type)
+{
+ // Confirm that default detect type is APPID.
+ ClientAppDetectType detect_type = mock_session->get_api().get_client_app_detect_type();
+ CHECK_EQUAL(detect_type, CLIENT_APP_DETECT_APPID);
+ /* Set efp client app to some appid, but keep normal client id set to none. The efp_client app should be picked, but the detect type should be TLS_FP. */
+ mock_session->set_client_id(APP_ID_NONE);
+ mock_session->set_efp_client_app_id(638);
+ AppId id = mock_session->pick_ss_client_app_id();
+ CHECK_EQUAL(id, 638);
+ detect_type = mock_session->get_api().get_client_app_detect_type();
+ CHECK_EQUAL(detect_type, CLIENT_APP_DETECT_TLS_FP);
+ /* Now set the normal client id to something. That is the appid that should be picked, and the detect type should be APPID once more. */
+ mock_session->set_client_id(APP_ID_HTTP2);
+ id = mock_session->pick_ss_client_app_id();
+ CHECK_EQUAL(id, APP_ID_HTTP2);
+ detect_type = mock_session->get_api().get_client_app_detect_type();
+ CHECK_EQUAL(detect_type, CLIENT_APP_DETECT_APPID);
+}
+
 int main(int argc, char** argv)
 {
 mock_init_appid_pegs();
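Review bot: The new test leaves `mock_session` with `efp_client_app_id` set to `638` and the client id set to `APP_ID_HTTP2`, and `mock_session` looks like a fixture shared by the other TEST cases in this file, so cases that run afterwards and assume the defaults may become order dependent; resetting both ids at the end of the test (or in a teardown) would avoid that. The literal `638` also reads as a magic number where a named AppId constant, as `APP_ID_HTTP2` is used further down, would say what is being asserted. Neither scenario covers the real code's `APP_ID_SSL_CLIENT` alternative, which the mock in appid_mock_session.h does not model either.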