From: Pranav Bhalerao (prbhaler) Date: Fri, 17 Jul 2020 12:42:47 +0000 (+0000) Subject: Merge pull request #2274 in SNORT/snort3 from ~PRBHALER/snort3:xff to master X-Git-Tag: 3.0.2-3~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=546e80f73c15fcba1324c74dd321324cc8165455;p=thirdparty%2Fsnort3.git Merge pull request #2274 in SNORT/snort3 from ~PRBHALER/snort3:xff to master Squashed commit of the following: commit 9c8ca841e2f622eb74e04eef40fbf0d80d864cdd Author: Pranav Bhalerao Date: Fri Jul 10 13:10:58 2020 -0400 pub_sub: Added a method in HttpEvent to retrieve true client-ip address from HTTP header based on priority. --- diff --git a/src/pub_sub/http_events.cc b/src/pub_sub/http_events.cc index 8e23eb976..04ff17045 100644 --- a/src/pub_sub/http_events.cc +++ b/src/pub_sub/http_events.cc @@ -92,6 +92,21 @@ const uint8_t* HttpEvent::get_server(int32_t& length) length); } +const uint8_t* HttpEvent::get_trueip_addr(int32_t& length) +{ + const Field& field = http_msg_header->get_true_ip_addr(); + if (field.length() > 0) + { + length = field.length(); + return field.start(); + } + else + { + length = 0; + return nullptr; + } +} + const uint8_t* HttpEvent::get_uri(int32_t& length) { return get_header(HttpEnums::HTTP_BUFFER_URI, 0, length); diff --git a/src/pub_sub/http_events.h b/src/pub_sub/http_events.h index 7f6ecca62..e5038d5b9 100644 --- a/src/pub_sub/http_events.h +++ b/src/pub_sub/http_events.h @@ -46,6 +46,7 @@ public: const uint8_t* get_location(int32_t &length); const uint8_t* get_referer(int32_t &length); const uint8_t* get_server(int32_t &length); + const uint8_t* get_trueip_addr(int32_t& length); const uint8_t* get_uri(int32_t &length); const uint8_t* get_user_agent(int32_t &length); const uint8_t* get_via(int32_t &length); diff --git a/src/pub_sub/test/pub_sub_http_event_test.cc b/src/pub_sub/test/pub_sub_http_event_test.cc index 7d20bc7a0..fac9e4b37 100644 --- a/src/pub_sub/test/pub_sub_http_event_test.cc 
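Review bot: `get_trueip_addr` in src/pub_sub/http_events.cc calls `http_msg_header->get_true_ip_addr()` with no null check, while the tests added in this same commit build the event as `HttpEvent event(nullptr, false, 0)`. If that first argument is what initialises `http_msg_header`, the call goes through a null pointer and only works because the test stub never touches `this`. A guard at the top, `if (http_msg_header == nullptr) { length = 0; return nullptr; }`, would return the same "absent" result the function already gives for an empty field. The sibling getters go through `get_header`, whose body is outside this hunk, so whether they guard the pointer cannot be checked from here.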
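Review bot: The new declaration of `get_trueip_addr` in src/pub_sub/http_events.h has no comment saying what the returned bytes are, so subscribers may treat them as the authenticated client address. The value is read from an HTTP header, so it is whatever the client or an upstream proxy chose to send. I would add above the declaration `// Raw client-IP header value chosen by priority; peer-supplied, not NUL-terminated, nullptr with length 0 when absent.` Any validation would live in `HttpMsgHeader::get_true_ip_addr`, which is not shown here, so the comment should also say "unvalidated" unless that is confirmed. A minor style point: the neighbouring declarations write `int32_t &length`, while the new one writes `int32_t& length`.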
+++ b/src/pub_sub/test/pub_sub_http_event_test.cc @@ -25,6 +25,7 @@ #include "pub_sub/http_events.h" #include "service_inspectors/http_inspect/http_common.h" +#include "service_inspectors/http_inspect/http_msg_header.h" #include "service_inspectors/http_inspect/http_msg_section.h" #include "service_inspectors/http_inspect/http_field.h" @@ -36,14 +37,33 @@ using namespace snort; using namespace HttpCommon; // Stubs to make the code link +void Field::set(const Field& input) +{ + strt = input.strt; + len = input.len; +} + const Field Field::FIELD_NULL { STAT_NO_SOURCE }; const Field& HttpMsgSection::get_classic_buffer(unsigned, uint64_t, uint64_t) { return Field::FIELD_NULL; } +const Field& HttpMsgHeader::get_true_ip_addr() +{ + Field *out = (Field*)mock().getData("output").getObjectPointer(); + return (*out); +} TEST_GROUP(pub_sub_http_event_test) { -}; + void setup() override + { + mock().setDataObject("output", "Field", nullptr); + } + void teardown() override + { + mock().clear(); + } +}; TEST(pub_sub_http_event_test, http_traffic) { 
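Review bot: The `HttpMsgHeader::get_true_ip_addr` stub dereferences whatever `mock().getData("output")` holds, and `setup()` sets that object to `nullptr`. Any test that reaches the stub without first calling `setDataObject` with a real `Field` therefore reads through a null pointer instead of failing cleanly. Falling back to the null field defined just above would make the default safe: `Field* out = static_cast<Field*>(mock().getData("output").getObjectPointer());` followed by `return out ? *out : Field::FIELD_NULL;`. That also replaces the C-style cast with a named one.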
@@ -61,6 +81,32 @@ TEST(pub_sub_http_event_test, http2_traffic) CHECK(event.get_http2_stream_id() == stream_id); } +TEST(pub_sub_http_event_test, no_true_ip_addr) +{ + const uint8_t* header_start; + int32_t header_length; + Field input(0, nullptr); + mock().setDataObject("output", "Field", &input); + HttpEvent event(nullptr, false, 0); + header_start = event.get_trueip_addr(header_length); + CHECK(header_length == 0); + CHECK(header_start == nullptr); + mock().checkExpectations(); +} + +TEST(pub_sub_http_event_test, true_ip_addr) +{ + const uint8_t* header_start; + int32_t header_length; + Field input(7, (const uint8_t*) "1.1.1.1"); + mock().setDataObject("output", "Field", &input); + HttpEvent event(nullptr, false, 0); + header_start = event.get_trueip_addr(header_length); + CHECK(header_length == 7); + CHECK(memcmp(header_start, "1.1.1.1", 7) == 0); + mock().checkExpectations(); +} + int main(int argc, char** argv) { return CommandLineTestRunner::RunAllTests(argc, argv);
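Review bot: In the `true_ip_addr` test, `header_start` is passed to `memcmp` without first checking that it is non-null, so a regression that returns `nullptr` would crash the test runner instead of reporting a failed check. Adding `CHECK(header_start != nullptr);` before the `memcmp` line fixes that. The "absent" path is only exercised with a zero-length field; a third case built from `Field input(STAT_NO_SOURCE);` (presumably a negative status length) and expecting length 0 and `nullptr` would pin the `field.length() > 0` condition against being changed to `!= 0`. Both tests also construct the event with `nullptr`, so if that argument is the header pointer they rely on the stub ignoring `this`.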