From: Shravan Rangarajuvenkata (shrarang) Date: Fri, 9 Apr 2021 13:28:12 +0000 (+0000) Subject: Merge pull request #2775 in SNORT/snort3 from ~KAMURTHI/snort3:enable_rna_filter... X-Git-Tag: 3.1.4.0~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c3dafdc9454d0769fca7b0118bce78a1d1ac3a6;p=thirdparty%2Fsnort3.git Merge pull request #2775 in SNORT/snort3 from ~KAMURTHI/snort3:enable_rna_filter to master Squashed commit of the following: commit 40346667badded094e185b7cfb842da63995b23e Author: Kanimozhi Murthi Date: Fri Mar 12 17:51:43 2021 -0500 appid: monitor only the networks specified in rna configuration --- diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index d30102667..707ea6b78 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc @@ -130,6 +130,8 @@ bool AppIdContext::init_appid(SnortConfig* sc, AppIdInspector& inspector) } map_app_names_to_snort_ids(sc, config); + if (config.enable_rna_filter) + discovery_filter = new DiscoveryFilter(config.rna_conf_path); return true; } diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h index e57708258..a1b6582f6 100644 --- a/src/network_inspectors/appid/appid_config.h +++ b/src/network_inspectors/appid/appid_config.h @@ -25,6 +25,7 @@ #include #include +#include "helpers/discovery_filter.h" #include "target_based/snort_protocols.h" #include "app_info_table.h" @@ -90,6 +91,8 @@ public: size_t memcap = 0; bool list_odp_detectors = false; bool log_all_sessions = false; + bool enable_rna_filter = false; + std::string rna_conf_path = ""; SnortProtocolId snort_proto_ids[PROTO_INDEX_MAX]; void show() const; }; @@ -246,13 +249,21 @@ public: AppIdContext(AppIdConfig& config) : config(config) { } - ~AppIdContext() = default; + ~AppIdContext() + { + if (discovery_filter) + delete discovery_filter; + } OdpContext& get_odp_ctxt() const { assert(odp_ctxt); return *odp_ctxt; } + DiscoveryFilter* get_discovery_filter() const + { + return discovery_filter; + } ThirdPartyAppIdContext* get_tp_appid_ctxt() const { return tp_appid_ctxt; } @@ -269,6 +280,7 @@ public: AppIdConfig& config; private: + DiscoveryFilter* discovery_filter = nullptr; static OdpContext* odp_ctxt; static ThirdPartyAppIdContext* tp_appid_ctxt; }; diff --git a/src/network_inspectors/appid/appid_data_decrypt_event_handler.h b/src/network_inspectors/appid/appid_data_decrypt_event_handler.h index 6b55c0588..41b3e9483 100644 --- a/src/network_inspectors/appid/appid_data_decrypt_event_handler.h +++ b/src/network_inspectors/appid/appid_data_decrypt_event_handler.h @@ -28,23 +28,21 @@ class DataDecryptEventHandler : public snort::DataHandler { public: - DataDecryptEventHandler() : DataHandler(MOD_NAME) - { - } + DataDecryptEventHandler() : DataHandler(MOD_NAME){ } void handle(snort::DataEvent& event, snort::Flow* flow) override { assert(flow); AppIdSession* asd = snort::appid_api.get_appid_session(*flow); - if (!asd) - return; + if (!asd or + !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)) + return; const DataDecryptEvent& data_decrypt_event = static_cast(event); if (data_decrypt_event.get_type() == DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT) { asd->set_session_flags(APPID_SESSION_DECRYPT_MONITOR); } } - }; #endif diff --git a/src/network_inspectors/appid/appid_dcerpc_event_handler.h b/src/network_inspectors/appid/appid_dcerpc_event_handler.h index 554ce36d6..12eeb82a1 100644 --- a/src/network_inspectors/appid/appid_dcerpc_event_handler.h +++ b/src/network_inspectors/appid/appid_dcerpc_event_handler.h @@ -36,8 +36,9 @@ public: assert(flow); AppIdSession* asd = snort::appid_api.get_appid_session(*flow); - if (!asd) - return; // appid disabled + if (!asd or + !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)) + return; else { // Skip sessions using old odp context after reload detectors @@ -62,8 +63,7 @@ public: if (fp) // initialize data session { fp->set_service_id(APP_ID_DCE_RPC, asd->get_odp_ctxt()); - asd->initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS, - APP_ID_FROM_RESPONDER); + asd->initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS); } } }; diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index 8b7eb5b78..95a7b2050 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -127,43 +127,6 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect change_bits); } -static inline unsigned get_ipfuncs_flags(const Packet* p, bool dst) -{ - const SfIp* sf_ip; - - if (!dst) - { - sf_ip = p->ptrs.ip_api.get_src(); - } - else - { - int32_t intf = (p->pkth->egress_index == DAQ_PKTHDR_UNKNOWN) ? - p->pkth->ingress_index : p->pkth->egress_index; - if (intf == DAQ_PKTHDR_FLOOD) - return 0; - sf_ip = p->ptrs.ip_api.get_dst(); - } - - if (sf_ip->is_ip4() && sf_ip->get_ip4_value() == 0xFFFFFFFF) - return IPFUNCS_CHECKED; - - // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented - return IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION | IPFUNCS_CHECKED; -} - -static inline bool is_special_session_monitored(const Packet* p) -{ - if (p->is_ip4()) - { - if (p->is_udp() && ((p->ptrs.sp == 68 && p->ptrs.dp == 67) - || (p->ptrs.sp == 67 && p->ptrs.dp == 68))) - { - return true; - } - } - return false; -} - static bool set_network_attributes(AppIdSession* asd, Packet* p, IpProtocol& protocol, IpProtocol& outer_protocol, AppidSessionDirection& direction) { @@ -220,139 +183,6 @@ static bool is_packet_ignored(Packet* p) return false; } -static uint64_t is_session_monitored(const AppIdSession& asd, const Packet* p, - AppidSessionDirection dir) -{ - uint64_t flags; - uint64_t flow_flags = APPID_SESSION_DISCOVER_APP; - - flow_flags |= asd.flags; - - // FIXIT-M - Re-check a flow after snort is reloaded. RNA policy might have changed - if (asd.get_session_flags(APPID_SESSION_BIDIRECTIONAL_CHECKED) == - APPID_SESSION_BIDIRECTIONAL_CHECKED) - return flow_flags; - - if (dir == APP_ID_FROM_INITIATOR) - { - if (!asd.get_session_flags(APPID_SESSION_INITIATOR_CHECKED)) - { - flags = get_ipfuncs_flags(p, false); - flow_flags |= APPID_SESSION_INITIATOR_CHECKED; - if (flags & IPFUNCS_HOSTS_IP) - flow_flags |= APPID_SESSION_INITIATOR_MONITORED; - if (flags & IPFUNCS_USER_IP) - flow_flags |= APPID_SESSION_DISCOVER_USER; - if (flags & IPFUNCS_APPLICATION) - flow_flags |= APPID_SESSION_DISCOVER_APP; - if (is_special_session_monitored(p)) - flow_flags |= APPID_SESSION_SPECIAL_MONITORED; - } - - if (!(flow_flags & APPID_SESSION_DISCOVER_APP) - && !asd.get_session_flags(APPID_SESSION_RESPONDER_CHECKED)) - { - flags = get_ipfuncs_flags(p, true); - if (flags & IPFUNCS_CHECKED) - flow_flags |= APPID_SESSION_RESPONDER_CHECKED; - if (flags & IPFUNCS_HOSTS_IP) - flow_flags |= APPID_SESSION_RESPONDER_MONITORED; - if (flags & IPFUNCS_APPLICATION) - flow_flags |= APPID_SESSION_DISCOVER_APP; - if (is_special_session_monitored(p)) - flow_flags |= APPID_SESSION_SPECIAL_MONITORED; - } - } - else - { - if (!asd.get_session_flags(APPID_SESSION_RESPONDER_CHECKED)) - { - flags = get_ipfuncs_flags(p, false); - flow_flags |= APPID_SESSION_RESPONDER_CHECKED; - if (flags & IPFUNCS_HOSTS_IP) - flow_flags |= APPID_SESSION_RESPONDER_MONITORED; - if (flags & IPFUNCS_APPLICATION) - flow_flags |= APPID_SESSION_DISCOVER_APP; - if (is_special_session_monitored(p)) - flow_flags |= APPID_SESSION_SPECIAL_MONITORED; - } - - if (!(flow_flags & APPID_SESSION_DISCOVER_APP) - && !asd.get_session_flags(APPID_SESSION_INITIATOR_CHECKED)) - { - flags = get_ipfuncs_flags(p, true); - if (flags & IPFUNCS_CHECKED) - flow_flags |= APPID_SESSION_INITIATOR_CHECKED; - if (flags & IPFUNCS_HOSTS_IP) - flow_flags |= APPID_SESSION_INITIATOR_MONITORED; - if (flags & IPFUNCS_USER_IP) - flow_flags |= APPID_SESSION_DISCOVER_USER; - if (flags & IPFUNCS_APPLICATION) - flow_flags |= APPID_SESSION_DISCOVER_APP; - if (is_special_session_monitored(p)) - flow_flags |= APPID_SESSION_SPECIAL_MONITORED; - } - } - - return flow_flags; -} - -static uint64_t is_session_monitored(const Packet* p, AppidSessionDirection dir) -{ - uint64_t flags; - uint64_t flow_flags = APPID_SESSION_DISCOVER_APP; - - if (dir == APP_ID_FROM_INITIATOR) - { - flags = get_ipfuncs_flags(p, false); - flow_flags |= APPID_SESSION_INITIATOR_CHECKED; - if (flags & IPFUNCS_HOSTS_IP) - flow_flags |= APPID_SESSION_INITIATOR_MONITORED; - if (flags & IPFUNCS_USER_IP) - flow_flags |= APPID_SESSION_DISCOVER_USER; - if (flags & IPFUNCS_APPLICATION) - flow_flags |= APPID_SESSION_DISCOVER_APP; - if (!(flow_flags & APPID_SESSION_DISCOVER_APP)) - { - flags = get_ipfuncs_flags(p, true); - if (flags & IPFUNCS_CHECKED) - flow_flags |= APPID_SESSION_RESPONDER_CHECKED; - if (flags & IPFUNCS_HOSTS_IP) - flow_flags |= APPID_SESSION_RESPONDER_MONITORED; - if (flags & IPFUNCS_APPLICATION) - flow_flags |= APPID_SESSION_DISCOVER_APP; - } - if (is_special_session_monitored(p)) - flow_flags |= APPID_SESSION_SPECIAL_MONITORED; - } - else - { - flags = get_ipfuncs_flags(p, false); - flow_flags |= APPID_SESSION_RESPONDER_CHECKED; - if (flags & IPFUNCS_HOSTS_IP) - flow_flags |= APPID_SESSION_RESPONDER_MONITORED; - if (flags & IPFUNCS_APPLICATION) - flow_flags |= APPID_SESSION_DISCOVER_APP; - if (!(flow_flags & APPID_SESSION_DISCOVER_APP)) - { - flags = get_ipfuncs_flags(p, true); - if (flags & IPFUNCS_CHECKED) - flow_flags |= APPID_SESSION_INITIATOR_CHECKED; - if (flags & IPFUNCS_HOSTS_IP) - flow_flags |= APPID_SESSION_INITIATOR_MONITORED; - if (flags & IPFUNCS_USER_IP) - flow_flags |= APPID_SESSION_DISCOVER_USER; - if (flags & IPFUNCS_APPLICATION) - flow_flags |= APPID_SESSION_DISCOVER_APP; - } - - if (is_special_session_monitored(p)) - flow_flags |= APPID_SESSION_SPECIAL_MONITORED; - } - - return flow_flags; -} - // Return false if the packet or the session doesn't need to be inspected bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspector& inspector, IpProtocol& protocol, IpProtocol& outer_protocol, AppidSessionDirection& direction, @@ -380,21 +210,12 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec if (is_packet_ignored(p)) return false; - uint64_t flow_flags; - if (asd) - flow_flags = is_session_monitored(*asd, p, direction); - else - flow_flags = is_session_monitored(p, direction); - - if ( !(flow_flags & (APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)) ) - return false; - if (!asd) { asd = AppIdSession::allocate_session(p, protocol, direction, inspector, odp_ctxt); if (p->flow->get_session_flags() & SSNFLAG_MIDSTREAM) { - flow_flags |= APPID_SESSION_MID; + asd->flags |= APPID_SESSION_MID; if (appidDebug->is_active()) LogMessage("AppIdDbg %s New AppId mid-stream session\n", appidDebug->get_debug_session()); @@ -402,6 +223,8 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec else if (appidDebug->is_active()) LogMessage("AppIdDbg %s New AppId session\n", appidDebug->get_debug_session()); } + if (!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)) + return false; // FIXIT-L - from this point on we always have a valid ptr to a Packet // refactor to pass this as ref and delete any checks for null @@ -427,7 +250,6 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec } } - asd->flags = flow_flags; if (!asd->get_session_flags(APPID_SESSION_PAYLOAD_SEEN) and p->dsize) asd->set_session_flags(APPID_SESSION_PAYLOAD_SEEN); diff --git a/src/network_inspectors/appid/appid_ha.cc b/src/network_inspectors/appid/appid_ha.cc index 64c747d57..56a6b5212 100644 --- a/src/network_inspectors/appid/appid_ha.cc +++ b/src/network_inspectors/appid/appid_ha.cc @@ -34,6 +34,8 @@ #define APPID_HA_FLAGS_TP_DONE ( 1 << 0 ) #define APPID_HA_FLAGS_SVC_DONE ( 1 << 1 ) #define APPID_HA_FLAGS_HTTP ( 1 << 2 ) +#define APPID_HA_FLAGS_DISC_APP ( 1 << 3 ) +#define APPID_HA_FLAGS_SPL_MONI ( 1 << 4 ) using namespace snort; @@ -125,6 +127,10 @@ bool AppIdHAAppsClient::consume(Flow*& flow, const FlowKey* key, HAMessage& msg, if (appHA->flags & APPID_HA_FLAGS_HTTP) asd->set_session_flags(APPID_SESSION_HTTP_SESSION); + if (appHA->flags & APPID_HA_FLAGS_DISC_APP) + asd->set_session_flags(APPID_SESSION_DISCOVER_APP); + if (appHA->flags & APPID_HA_FLAGS_SPL_MONI) + asd->set_session_flags(APPID_SESSION_SPECIAL_MONITORED); asd->set_service_id(appHA->appId[APPID_HA_APP_SERVICE], asd->get_odp_ctxt()); AppIdHttpSession* hsession = nullptr; if (appHA->appId[APPID_HA_APP_SERVICE] == APP_ID_HTTP or @@ -171,6 +177,10 @@ bool AppIdHAAppsClient::produce(Flow& flow, HAMessage& msg) appHA->flags |= APPID_HA_FLAGS_SVC_DONE; if (asd->get_session_flags(APPID_SESSION_HTTP_SESSION)) appHA->flags |= APPID_HA_FLAGS_HTTP; + if (asd->get_session_flags(APPID_SESSION_DISCOVER_APP)) + appHA->flags |= APPID_HA_FLAGS_DISC_APP; + if (asd->get_session_flags(APPID_SESSION_SPECIAL_MONITORED)) + appHA->flags |= APPID_HA_FLAGS_SPL_MONI; appHA->appId[APPID_HA_APP_SERVICE] = asd->get_service_id(); const AppIdHttpSession* hsession = asd->get_http_session(0); if (hsession) diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc index 37a81f513..29549bfc6 100644 --- a/src/network_inspectors/appid/appid_http_event_handler.cc +++ b/src/network_inspectors/appid/appid_http_event_handler.cc @@ -65,6 +65,8 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) } else if ( asd->get_odp_ctxt_version() != pkt_thread_odp_ctxt->get_version() ) return; // Skip detection for sessions using old odp context after odp reload + if (!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)) + return; const uint8_t* header_start; int32_t header_length; diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index 1f2fd6a56..4a00b567f 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -89,6 +89,10 @@ static const Parameter s_params[] = "print third party configuration on startup" }, { "log_all_sessions", Parameter::PT_BOOL, nullptr, "false", "enable logging of all appid sessions" }, + { "enable_rna_filter", Parameter::PT_BOOL, nullptr, "false", + "monitor only the networks specified in rna configuration" }, + { "rna_conf_path", Parameter::PT_STRING, nullptr, nullptr, + "path to rna configuration file" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; @@ -486,6 +490,10 @@ bool AppIdModule::set(const char*, Value& v, SnortConfig*) config->list_odp_detectors = v.get_bool(); else if ( v.is("log_all_sessions") ) config->log_all_sessions = v.get_bool(); + else if ( v.is("enable_rna_filter") ) + config->enable_rna_filter = v.get_bool(); + else if ( v.is("rna_conf_path") ) + config->rna_conf_path = std::string(v.get_string()); return true; } diff --git a/src/network_inspectors/appid/appid_opportunistic_tls_event_handler.h b/src/network_inspectors/appid/appid_opportunistic_tls_event_handler.h index 23aca31f1..a47f03b5f 100644 --- a/src/network_inspectors/appid/appid_opportunistic_tls_event_handler.h +++ b/src/network_inspectors/appid/appid_opportunistic_tls_event_handler.h @@ -34,8 +34,9 @@ public: { assert(flow); AppIdSession* asd = snort::appid_api.get_appid_session(*flow); - if (!asd) - return; + if (!asd or + !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)) + return; // Skip sessions using old odp context after reload detectors if (!pkt_thread_odp_ctxt or diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index bf5b4451d..c7291f57e 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -72,6 +72,37 @@ const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_len, return nullptr; } +static inline bool is_special_session_monitored(const Packet* p) +{ + if (p->is_ip4()) + { + if (p->is_udp() && ((p->ptrs.sp == 68 && p->ptrs.dp == 67) + || (p->ptrs.sp == 67 && p->ptrs.dp == 68))) + { + return true; + } + } + return false; +} + +static void is_session_monitored(uint64_t& flow_flags, const Packet* p, + AppIdInspector& inspector) +{ + + DiscoveryFilter* filter = inspector.get_ctxt().get_discovery_filter(); + if (filter and filter->is_app_monitored(p)) + { + flow_flags |= APPID_SESSION_DISCOVER_APP; + flow_flags |= APPID_SESSION_DISCOVER_USER; + if (is_special_session_monitored(p)) + flow_flags |= APPID_SESSION_SPECIAL_MONITORED; + } + else if (!filter) + flow_flags |= (APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_DISCOVER_USER | + APPID_SESSION_DISCOVER_APP); + +} + AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, AppidSessionDirection direction, AppIdInspector& inspector, OdpContext& odp_context) { @@ -85,6 +116,7 @@ AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, AppIdSession* asd = new AppIdSession(proto, ip, port, inspector, odp_context, p->pkth->address_space_id); + is_session_monitored(asd->flags, p, inspector); asd->flow = p->flow; asd->stats.first_packet_second = p->pkth->ts.tv_sec; asd->snort_protocol_id = asd->config.snort_proto_ids[PROTO_INDEX_UNSYNCHRONIZED]; @@ -223,32 +255,8 @@ AppIdSession* AppIdSession::create_future_session(const Packet* ctrlPkt, const S return asd; } -void AppIdSession::initialize_future_session(AppIdSession& expected, uint64_t flags, - AppidSessionDirection dir) +void AppIdSession::initialize_future_session(AppIdSession& expected, uint64_t flags) { - if (dir == APP_ID_FROM_INITIATOR) - { - expected.set_session_flags(flags | - get_session_flags( - APPID_SESSION_INITIATOR_CHECKED | - APPID_SESSION_INITIATOR_MONITORED | - APPID_SESSION_RESPONDER_CHECKED | - APPID_SESSION_RESPONDER_MONITORED)); - } - else if (dir == APP_ID_FROM_RESPONDER) - { - if (get_session_flags(APPID_SESSION_INITIATOR_CHECKED)) - flags |= APPID_SESSION_RESPONDER_CHECKED; - - if (get_session_flags(APPID_SESSION_INITIATOR_MONITORED)) - flags |= APPID_SESSION_RESPONDER_MONITORED; - - if (get_session_flags(APPID_SESSION_RESPONDER_CHECKED)) - flags |= APPID_SESSION_INITIATOR_CHECKED; - - if (get_session_flags(APPID_SESSION_RESPONDER_MONITORED)) - flags |= APPID_SESSION_INITIATOR_MONITORED; - } expected.set_session_flags(flags | get_session_flags( diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 7d7c2e6d6..d6a295e6c 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -68,13 +68,6 @@ const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_len, #define APPID_SESSION_DATA_SERVICE_MODSTATE_BIT 0x20000000 #define APPID_SESSION_DATA_CLIENT_MODSTATE_BIT 0x40000000 #define APPID_SESSION_DATA_DETECTOR_MODSTATE_BIT 0x80000000 -#define APPID_SESSION_BIDIRECTIONAL_CHECKED \ - (APPID_SESSION_INITIATOR_CHECKED | \ - APPID_SESSION_RESPONDER_CHECKED) -#define APPID_SESSION_DO_RNA \ - (APPID_SESSION_RESPONDER_MONITORED | \ - APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_DISCOVER_USER | \ - APPID_SESSION_SPECIAL_MONITORED) enum APPID_DISCOVERY_STATE { @@ -240,7 +233,7 @@ public: AppidSessionDirection, AppIdInspector&, OdpContext&); static AppIdSession* create_future_session(const snort::Packet*, const snort::SfIp*, uint16_t, const snort::SfIp*, uint16_t, IpProtocol, SnortProtocolId, bool swap_app_direction=false); - void initialize_future_session(AppIdSession&, uint64_t, AppidSessionDirection); + void initialize_future_session(AppIdSession&, uint64_t); size_t size_of() override { return sizeof(*this); } diff --git a/src/network_inspectors/appid/detector_plugins/detector_sip.cc b/src/network_inspectors/appid/detector_plugins/detector_sip.cc index 92342718f..d58afbf4a 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_sip.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_sip.cc @@ -190,10 +190,9 @@ void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, con // FIXIT-M : snort 2.9.x updated the flag to APPID_SESSION_EXPECTED_EVALUATE. // Check if it is needed here as well. - // asd.initialize_future_session(*fp, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_APPID_SESSION_DIRECTION_MAX); + // asd.initialize_future_session(*fp, APPID_SESSION_EXPECTED_EVALUATE); - asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS, - APP_ID_APPID_SESSION_DIRECTION_MAX); + asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS); } // create an RTCP flow as well @@ -209,10 +208,9 @@ void SipServiceDetector::createRtpFlow(AppIdSession& asd, const Packet* pkt, con fp2->set_service_id(APP_ID_RTCP, asd.get_odp_ctxt()); // FIXIT-M : same comment as above - // asd.initialize_future_session(*fp2, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_APPID_SESSION_DIRECTION_MAX); + // asd.initialize_future_session(*fp2, APPID_SESSION_EXPECTED_EVALUATE); - asd.initialize_future_session(*fp2, APPID_SESSION_IGNORE_ID_FLAGS, - APP_ID_APPID_SESSION_DIRECTION_MAX); + asd.initialize_future_session(*fp2, APPID_SESSION_IGNORE_ID_FLAGS); } } @@ -326,6 +324,7 @@ void SipEventHandler::handle(DataEvent& event, Flow* flow) SipEvent& sip_event = (SipEvent&)event; const Packet* p = sip_event.get_packet(); assert(p); + if ( !asd ) { IpProtocol protocol = p->is_tcp() ? IpProtocol::TCP : IpProtocol::UDP; @@ -333,6 +332,8 @@ void SipEventHandler::handle(DataEvent& event, Flow* flow) asd = AppIdSession::allocate_session(p, protocol, direction, inspector, inspector.get_ctxt().get_odp_ctxt()); } + if (!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED)) + return; AppidChangeBits change_bits; client_handler(sip_event, *asd, change_bits); diff --git a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h index 3edff5274..ee6adfc1e 100644 --- a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h +++ b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h @@ -86,7 +86,7 @@ char* snort_strdup(const char* str) return p; } } - +DiscoveryFilter::~DiscoveryFilter(){} void show_stats(PegCount*, const PegInfo*, unsigned, const char*) { } void show_stats(PegCount*, const PegInfo*, const IndexVec&, const char*, FILE*) { } diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc index 2a301b0cd..ad2fe8cfd 100644 --- a/src/network_inspectors/appid/lua_detector_api.cc +++ b/src/network_inspectors/appid/lua_detector_api.cc @@ -1142,14 +1142,14 @@ static int detector_add_host_port_application(lua_State* L) ud->validate_lua_state(false); if (!init(L)) return 0; - SfIp ip_addr; + SfIp ip_address; int index = 1; uint8_t type = lua_tointeger(L, ++index); AppId app_id = (AppId)lua_tointeger(L, ++index); size_t ipaddr_size = 0; const char* ip_str= lua_tolstring(L, ++index, &ipaddr_size); - if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_addr)) + if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_address)) { ErrorMessage("%s: Invalid IP address: %s\n",__func__, ip_str); return 0; @@ -1160,7 +1160,7 @@ static int detector_add_host_port_application(lua_State* L) if (toipprotocol(L, ++index, proto)) return 0; - if (!ud->get_odp_ctxt().host_port_cache_add(&ip_addr, (uint16_t)port, proto, type, app_id)) + if (!ud->get_odp_ctxt().host_port_cache_add(&ip_address, (uint16_t)port, proto, type, app_id)) ErrorMessage("%s:Failed to backend call\n",__func__); return 0; @@ -1175,7 +1175,7 @@ static int detector_add_host_port_dynamic(lua_State* L) if (!ud->get_odp_ctxt().is_host_port_app_cache_runtime) return 0; - SfIp ip_addr; + SfIp ip_address; int index = 1; uint8_t type = lua_tointeger(L, ++index); @@ -1186,7 +1186,7 @@ static int detector_add_host_port_dynamic(lua_State* L) AppId appid = (AppId)lua_tointeger(L, ++index); size_t ipaddr_size = 0; const char* ip_str = lua_tolstring(L, ++index, &ipaddr_size); - if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_addr)) + if (!ip_str || !ipaddr_size || !convert_string_to_address(ip_str, &ip_address)) return 0; unsigned port = lua_tointeger(L, ++index); @@ -1196,7 +1196,7 @@ static int detector_add_host_port_dynamic(lua_State* L) bool added = false; std::lock_guard lck(AppIdSession::inferred_svcs_lock); - host_cache[ip_addr]->add_service(port, proto, appid, true, &added); + host_cache[ip_address]->add_service(port, proto, appid, true, &added); if (added) { diff --git a/src/network_inspectors/appid/service_plugins/service_bootp.cc b/src/network_inspectors/appid/service_plugins/service_bootp.cc index 2728e0d3e..c85e5d87c 100644 --- a/src/network_inspectors/appid/service_plugins/service_bootp.cc +++ b/src/network_inspectors/appid/service_plugins/service_bootp.cc @@ -322,12 +322,6 @@ void BootpServiceDetector::add_dhcp_info(AppIdSession& asd, unsigned op55_len, c } } -static unsigned isIPv4HostMonitored(uint32_t, int32_t) -{ - // FIXIT-M Defaulting to checking everything everywhere until RNA config is reimplemented - return IPFUNCS_HOSTS_IP | IPFUNCS_USER_IP | IPFUNCS_APPLICATION; -} - void BootpServiceDetector::add_new_dhcp_lease(AppIdSession& asd, const uint8_t* mac, uint32_t ip, int32_t zone, uint32_t subnetmask, uint32_t leaseSecs, uint32_t router) @@ -335,12 +329,7 @@ void BootpServiceDetector::add_new_dhcp_lease(AppIdSession& asd, const uint8_t* if (memcmp(mac, zeromac, 6) == 0 || ip == 0) return; - if (!asd.get_session_flags(APPID_SESSION_DO_RNA) - || asd.get_session_flags(APPID_SESSION_HAS_DHCP_INFO)) - return; - - unsigned flags = isIPv4HostMonitored(ntohl(ip), zone); - if (!(flags & IPFUNCS_HOSTS_IP)) + if (asd.get_session_flags(APPID_SESSION_HAS_DHCP_INFO)) return; asd.set_session_flags(APPID_SESSION_HAS_DHCP_INFO); diff --git a/src/network_inspectors/appid/service_plugins/service_ftp.cc b/src/network_inspectors/appid/service_plugins/service_ftp.cc index 17dff6cd7..4bc1742bc 100644 --- a/src/network_inspectors/appid/service_plugins/service_ftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_ftp.cc @@ -907,7 +907,7 @@ void FtpServiceDetector::create_expected_session(AppIdSession& asd, const Packet fp->set_service_id(APP_ID_FTP_DATA, asd.get_odp_ctxt()); } - asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS | encrypted_flags, dir); + asd.initialize_future_session(*fp, APPID_SESSION_IGNORE_ID_FLAGS | encrypted_flags); } } diff --git a/src/network_inspectors/appid/service_plugins/service_rexec.cc b/src/network_inspectors/appid/service_plugins/service_rexec.cc index d93444803..6f863b0a5 100644 --- a/src/network_inspectors/appid/service_plugins/service_rexec.cc +++ b/src/network_inspectors/appid/service_plugins/service_rexec.cc @@ -183,7 +183,7 @@ int RexecServiceDetector::validate(AppIdDiscoveryArgs& args) } pf->service_disco_state = APPID_DISCO_STATE_STATEFUL; pf->scan_flags |= SCAN_HOST_PORT_FLAG; - args.asd.initialize_future_session(*pf, REXEC_EXPECTED_SESSION_FLAGS, APP_ID_FROM_RESPONDER); + args.asd.initialize_future_session(*pf, REXEC_EXPECTED_SESSION_FLAGS); pf->service_disco_state = APPID_DISCO_STATE_STATEFUL; rd->child = tmp_rd; rd->state = REXEC_STATE_SERVER_CONNECT; diff --git a/src/network_inspectors/appid/service_plugins/service_rpc.cc b/src/network_inspectors/appid/service_plugins/service_rpc.cc index a5d167ba8..dbe749554 100644 --- a/src/network_inspectors/appid/service_plugins/service_rpc.cc +++ b/src/network_inspectors/appid/service_plugins/service_rpc.cc @@ -416,11 +416,7 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi pf->add_flow_data_id((uint16_t)tmp, this); pf->service_disco_state = APPID_DISCO_STATE_STATEFUL; pf->set_session_flags(asd.get_session_flags( - APPID_SESSION_RESPONDER_MONITORED | - APPID_SESSION_INITIATOR_MONITORED | APPID_SESSION_SPECIAL_MONITORED | - APPID_SESSION_RESPONDER_CHECKED | - APPID_SESSION_INITIATOR_CHECKED | APPID_SESSION_DISCOVER_APP | APPID_SESSION_DISCOVER_USER)); } diff --git a/src/network_inspectors/appid/service_plugins/service_rshell.cc b/src/network_inspectors/appid/service_plugins/service_rshell.cc index 3c134ce8d..68b00ca79 100644 --- a/src/network_inspectors/appid/service_plugins/service_rshell.cc +++ b/src/network_inspectors/appid/service_plugins/service_rshell.cc @@ -176,8 +176,7 @@ int RshellServiceDetector::validate(AppIdDiscoveryArgs& args) } pf->scan_flags |= SCAN_HOST_PORT_FLAG; args.asd.initialize_future_session(*pf, APPID_SESSION_CONTINUE | APPID_SESSION_REXEC_STDERR | APPID_SESSION_NO_TPI | - APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_PORT_SERVICE_DONE, - APP_ID_FROM_RESPONDER); + APPID_SESSION_NOT_A_SERVICE | APPID_SESSION_PORT_SERVICE_DONE); pf->service_disco_state = APPID_DISCO_STATE_STATEFUL; rd->child = tmp_rd; diff --git a/src/network_inspectors/appid/service_plugins/service_snmp.cc b/src/network_inspectors/appid/service_plugins/service_snmp.cc index 9d1b614ee..dcb3d93f4 100644 --- a/src/network_inspectors/appid/service_plugins/service_snmp.cc +++ b/src/network_inspectors/appid/service_plugins/service_snmp.cc @@ -482,7 +482,7 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args) tmp_sd->state = SNMP_STATE_ERROR; return APPID_ENULL; } - args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_APPID_SESSION_DIRECTION_MAX); + args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE); pf->service_disco_state = APPID_DISCO_STATE_STATEFUL; pf->scan_flags |= SCAN_HOST_PORT_FLAG; pf->set_initiator_ip(*sip); diff --git a/src/network_inspectors/appid/service_plugins/service_tftp.cc b/src/network_inspectors/appid/service_plugins/service_tftp.cc index e8eecbee8..88f41c7d0 100644 --- a/src/network_inspectors/appid/service_plugins/service_tftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_tftp.cc @@ -201,7 +201,7 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) tmp_td->state = TFTP_STATE_ERROR; return APPID_ENOMEM; } - args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE, APP_ID_FROM_RESPONDER); + args.asd.initialize_future_session(*pf, APPID_SESSION_EXPECTED_EVALUATE); pf->set_initiator_ip(*sip); pf->service_disco_state = APPID_DISCO_STATE_STATEFUL; pf->scan_flags |= SCAN_HOST_PORT_FLAG; diff --git a/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h b/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h index 4cabc1d1b..60f7ebb63 100644 --- a/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h +++ b/src/network_inspectors/appid/service_plugins/test/service_plugin_mock.h @@ -169,6 +169,7 @@ AppIdSession::AppIdSession(IpProtocol, const SfIp* ip, uint16_t, AppIdInspector& OdpContext&, uint16_t) : snort::FlowData(inspector_id, (snort::Inspector*)&inspector), config(stub_config), api(*(new AppIdSessionApi(this, *ip))), odp_ctxt(stub_odp_ctxt) { } AppIdSession::~AppIdSession() = default; +DiscoveryFilter::~DiscoveryFilter(){} void AppIdSession::free_flow_data() { snort_free(smb_data); diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index 0b68428df..8cdaa8dbe 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -23,6 +23,7 @@ #define APPID_MOCK_INSPECTOR_H // avoiding mocked inspector +#include "helpers/discovery_filter.h" #include "host_tracker/host_cache.h" #include "network_inspectors/appid/appid_discovery.cc" #include "network_inspectors/appid/appid_peg_counts.h" @@ -109,7 +110,7 @@ AppIdSessionApi::AppIdSessionApi(const AppIdSession*, const SfIp&) : StashGenericObject(STASH_GENERIC_OBJECT_APPID) {} } // namespace snort void AppIdModule::reset_stats() {} - +DiscoveryFilter::~DiscoveryFilter() {} // Stubs for publish void DataBus::publish(const char*, DataEvent& event, Flow*) { @@ -184,6 +185,7 @@ AppIdContext& AppIdInspector::get_ctxt() const assert(ctxt); return *ctxt; } +bool DiscoveryFilter::is_app_monitored(const snort::Packet*, uint8_t*){return true;} // Stubs for AppInfoManager AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId) @@ -365,6 +367,8 @@ TEST(appid_discovery_tests, event_published_when_ignoring_flow) AppIdModule app_module; AppIdInspector ins(app_module); AppIdSession* asd = new AppIdSession(IpProtocol::TCP, &ip, 21, ins, app_ctxt.get_odp_ctxt()); + asd->flags |= APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_DISCOVER_USER | + APPID_SESSION_DISCOVER_APP; Flow* flow = new Flow; flow->set_flow_data(asd); p.flow = flow; @@ -398,6 +402,8 @@ TEST(appid_discovery_tests, event_published_when_processing_flow) AppIdModule app_module; AppIdInspector ins(app_module); AppIdSession* asd = new AppIdSession(IpProtocol::TCP, &ip, 21, ins, app_ctxt.get_odp_ctxt()); + asd->flags |= APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_DISCOVER_USER | + APPID_SESSION_DISCOVER_APP; Flow* flow = new Flow; flow->set_flow_data(asd); p.flow = flow; @@ -456,6 +462,8 @@ TEST(appid_discovery_tests, change_bits_for_non_http_appid) AppIdModule app_module; AppIdInspector ins(app_module); AppIdSession* asd = new AppIdSession(IpProtocol::TCP, &ip, 21, ins, app_ctxt.get_odp_ctxt()); + asd->flags |= APPID_SESSION_SPECIAL_MONITORED | APPID_SESSION_DISCOVER_USER | + APPID_SESSION_DISCOVER_APP; Flow* flow = new Flow; flow->set_flow_data(asd); p.flow = flow; diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc index 9964b36aa..a16d0695e 100644 --- a/src/network_inspectors/appid/test/appid_http_event_test.cc +++ b/src/network_inspectors/appid/test/appid_http_event_test.cc @@ -43,6 +43,7 @@ THREAD_LOCAL AppIdDebug* appidDebug = nullptr; ThirdPartyAppIdContext* AppIdContext::tp_appid_ctxt = nullptr; THREAD_LOCAL bool ThirdPartyAppIdContext::tp_reload_in_progress = false; +bool DiscoveryFilter::is_app_monitored(const snort::Packet*, uint8_t*){return true;} void AppIdDebug::activate(const Flow*, const AppIdSession*, bool) { active = true; } void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { } @@ -255,6 +256,7 @@ TEST_GROUP(appid_http_event) pkt_thread_odp_ctxt = &mock_session->get_odp_ctxt(); mock_session->create_http_session(); flow->set_flow_data(mock_session); + mock_session->flags = APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED; appidDebug = new AppIdDebug(); appidDebug->activate(nullptr, nullptr, false); } diff --git a/src/network_inspectors/appid/test/appid_mock_definitions.h b/src/network_inspectors/appid/test/appid_mock_definitions.h index 553089e41..3dd537111 100644 --- a/src/network_inspectors/appid/test/appid_mock_definitions.h +++ b/src/network_inspectors/appid/test/appid_mock_definitions.h @@ -58,7 +58,7 @@ void LogLabel(const char*, FILE*) {} SearchTool::SearchTool(char const*, bool) { } SearchTool::~SearchTool() = default; } - +DiscoveryFilter::~DiscoveryFilter(){} void ApplicationDescriptor::set_id(AppId app_id){ my_id = app_id;} void ServiceAppDescriptor::set_id(AppId app_id, OdpContext&){ set_id(app_id); } void ServiceAppDescriptor::update_stats(AppId, bool){} diff --git a/src/network_inspectors/appid/test/service_state_test.cc b/src/network_inspectors/appid/test/service_state_test.cc index be1d2fec2..c456d70d3 100644 --- a/src/network_inspectors/appid/test/service_state_test.cc +++ b/src/network_inspectors/appid/test/service_state_test.cc @@ -57,6 +57,7 @@ AppIdSessionApi::AppIdSessionApi(const AppIdSession*, const SfIp&) : StashGenericObject(STASH_GENERIC_OBJECT_APPID) {} } +DiscoveryFilter::~DiscoveryFilter(){} // Stubs for AppInfoManager AppInfoTableEntry* AppInfoManager::get_app_info_entry(AppId) { diff --git a/src/network_inspectors/appid/test/tp_lib_handler_test.cc b/src/network_inspectors/appid/test/tp_lib_handler_test.cc index 9599a7f04..16026ef92 100644 --- a/src/network_inspectors/appid/test/tp_lib_handler_test.cc +++ b/src/network_inspectors/appid/test/tp_lib_handler_test.cc @@ -47,6 +47,7 @@ snort::SearchTool::SearchTool(char const*, bool) { } snort::SearchTool::~SearchTool() = default; AppIdDiscovery::~AppIdDiscovery() = default; +DiscoveryFilter::~DiscoveryFilter(){} void ClientDiscovery::initialize(AppIdInspector&) { } void ClientDiscovery::reload() { } void AppIdDiscovery::register_detector(const string&, AppIdDetector*, IpProtocol) { }