From: Steve Chew (stechew)
Date: Mon, 28 Sep 2020 20:48:32 +0000 (+0000)
Subject: Merge pull request #2398 in SNORT/snort3 from ~SBAIGAL/snort3:http_connect to master
X-Git-Tag: 3.0.3-2~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=742af4df774edaec7cb0df1558802a84b198a792;p=thirdparty%2Fsnort3.git
Merge pull request #2398 in SNORT/snort3 from ~SBAIGAL/snort3:http_connect to master
Squashed commit of the following:
commit 350263720dd444e39a318419804cfc4b90d31911
Author: Steven Baigal (sbaigal)
Date: Wed Aug 12 13:56:06 2020 -0400
http_inspect: implement can_start_tls(), add support of ssl search abandoned event
---
diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h
index 5178b09d5..8bc7e142e 100644
--- a/src/service_inspectors/http_inspect/http_enum.h
+++ b/src/service_inspectors/http_inspect/http_enum.h
@@ -58,7 +58,8 @@ enum PEG_COUNT { PEG_FLOW = 0, PEG_SCAN, PEG_REASSEMBLE, PEG_INSPECT, PEG_REQUES
 PEG_GET, PEG_HEAD, PEG_POST, PEG_PUT, PEG_DELETE, PEG_CONNECT, PEG_OPTIONS, PEG_TRACE, PEG_OTHER_METHOD, PEG_REQUEST_BODY, PEG_CHUNKED, PEG_URI_NORM, PEG_URI_PATH, PEG_URI_CODING, PEG_CONCURRENT_SESSIONS, PEG_MAX_CONCURRENT_SESSIONS, PEG_DETAINED, PEG_SCRIPT_DETECTION,
- PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_COUNT_MAX };
+ PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_SSL_SEARCH_ABND_EARLY,
+ PEG_COUNT_MAX };
 // Result of scanning by splitter
 enum ScanResult { SCAN_NOT_FOUND, SCAN_NOT_FOUND_ACCELERATE, SCAN_FOUND, SCAN_FOUND_PIECE,
diff --git a/src/service_inspectors/http_inspect/http_flow_data.h b/src/service_inspectors/http_inspect/http_flow_data.h
index 1471efa51..a88aa3a91 100644
--- a/src/service_inspectors/http_inspect/http_flow_data.h
+++ b/src/service_inspectors/http_inspect/http_flow_data.h
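Review bot: PEG_SSL_SEARCH_ABND_EARLY is inserted directly before PEG_COUNT_MAX with nothing telling the next maintainer that this enum is the index into HttpModule::peg_names in http_tables.cc, where the matching entry is appended in the same position in this commit. A comment on the enum would make that coupling explicit: `// Order must match HttpModule::peg_names in http_tables.cc; add new counters before PEG_COUNT_MAX.` The enum itself starts before the hunk's first context line.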
@@ -174,6 +174,7 @@ private:
 HttpEnums::MethodId method_id = HttpEnums::METH__NOT_PRESENT;
 bool cutover_on_clear = false;
+ bool ssl_search_abandoned = false;
 // *** Transaction management including pipelining
 static const int MAX_PIPELINE = 100; // requests seen - responses seen <= MAX_PIPELINE
diff --git a/src/service_inspectors/http_inspect/http_inspect.h b/src/service_inspectors/http_inspect/http_inspect.h
index cf5995567..1eacb7280 100644
--- a/src/service_inspectors/http_inspect/http_inspect.h
+++ b/src/service_inspectors/http_inspect/http_inspect.h
@@ -61,6 +61,9 @@ public:
 bool can_carve_files() const override
 { return true; }
+ bool can_start_tls() const override
+ { return true; }
+
 static HttpEnums::InspectSection get_latest_is(const snort::Packet* p);
 static HttpCommon::SourceId get_latest_src(const snort::Packet* p);
 void disable_detection(snort::Packet* p);
diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index ecfda91a2..e34dc66a9 100644
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
@@ -191,7 +191,8 @@ void HttpMsgHeader::update_flow()
 }
 session_data->cutover_on_clear = true;
 HttpModule::increment_peg_counts(PEG_CUTOVERS);
-
+ if (session_data->ssl_search_abandoned)
+ HttpModule::increment_peg_counts(PEG_SSL_SEARCH_ABND_EARLY);
 #ifdef REG_TEST
 if (HttpTestManager::use_test_output(HttpTestManager::IN_HTTP))
 {
diff --git a/src/service_inspectors/http_inspect/http_msg_request.cc b/src/service_inspectors/http_inspect/http_msg_request.cc
index 63c60f70b..9e5f27893 100644
--- a/src/service_inspectors/http_inspect/http_msg_request.cc
+++ b/src/service_inspectors/http_inspect/http_msg_request.cc
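Review bot: `can_start_tls()` in http_inspect.h answers true unconditionally, and nothing in the hunk says what the base class does with that answer or why every HTTP flow should qualify; the sibling `can_carve_files()` has the same gap, so this is a pre-existing style, but the new override is where the reader will look first. I would put a short why-comment above it, hedged against the base-class contract: `// HTTP flows can turn into TLS (the CONNECT-tunnel cutover below is one such case), so keep them eligible for the SSL search.` The class is cut at both edges of the hunk.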
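Review bot: In http_msg_header.cc the removed line is the blank that separated the cutover bookkeeping from `#ifdef REG_TEST`, so the new two-line `if` now runs straight into the preprocessor block; restore a blank line after `HttpModule::increment_peg_counts(PEG_SSL_SEARCH_ABND_EARLY);`. The condition also deserves a one-line comment, because the peg name alone does not explain it: `// a CONNECT cutover on a flow that already told the SSL searcher to stop means the abandon heuristic fired too early`. HttpMsgHeader::update_flow() starts and ends outside the hunk.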
@@ -303,6 +303,16 @@ void HttpMsgRequest::update_flow()
 session_data->method_id = method_id;
 }
+void HttpMsgRequest::publish()
+{
+ if (!session_data->ssl_search_abandoned && trans_num > 1 &&
+ !flow->flags.data_decrypted && get_method_id() != METH_CONNECT)
+ {
+ session_data->ssl_search_abandoned = true;
+ DataBus::publish(SSL_SEARCH_ABANDONED, DetectionEngine::get_current_packet());
+ }
+}
+
 #ifdef REG_TEST
 void HttpMsgRequest::print_section(FILE* output)
diff --git a/src/service_inspectors/http_inspect/http_msg_request.h b/src/service_inspectors/http_inspect/http_msg_request.h
index a8aba0fad..01e14a5cd 100644
--- a/src/service_inspectors/http_inspect/http_msg_request.h
+++ b/src/service_inspectors/http_inspect/http_msg_request.h
@@ -41,6 +41,7 @@ public:
 ~HttpMsgRequest() override;
 void gen_events() override;
 void update_flow() override;
+ void publish() override;
 const Field& get_method() { return method; }
 const Field& get_uri();
 const Field& get_uri_norm_classic();
diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc
index 6d17143a0..a0c12f688 100644
--- a/src/service_inspectors/http_inspect/http_tables.cc
+++ b/src/service_inspectors/http_inspect/http_tables.cc
@@ -428,6 +428,7 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] =
 { CountType::SUM, "excess_parameters", "repeat parameters exceeding max" },
 { CountType::SUM, "parameters", "HTTP parameters inspected" },
 { CountType::SUM, "connect_tunnel_cutovers", "CONNECT tunnel flow cutovers to wizard" },
+ { CountType::SUM, "ssl_srch_abandoned_early", "total SSL search abandoned too soon" },
 { CountType::END, nullptr, nullptr }
 };
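Review bot: HttpMsgRequest::publish() carries no comment explaining what SSL_SEARCH_ABANDONED tells its subscribers or why the second clear-text non-CONNECT request (`trans_num > 1 && !flow->flags.data_decrypted && get_method_id() != METH_CONNECT`) is the trigger, so a reader has to reverse-engineer the heuristic from the condition. I would add above the function `// Heuristic: a flow that has carried a second request in the clear, and is not a CONNECT, is not expected to start a TLS handshake; tell the SSL searcher once per flow that it can stop looking.`, with the subscriber side hedged if it differs. The event is published with `DetectionEngine::get_current_packet()`, which is presumably the packet that carried this request section; if publish() can be reached from a context where the current packet is a different one, pass the request's own packet instead so the subscriber keys the right flow. The function is new and self-contained; the `ssl_search_abandoned` flag it sets is only consumed by the peg increment in http_msg_header.cc.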
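Review bot: The help text `"total SSL search abandoned too soon"` in http_tables.cc does not say what the counter actually measures; per the http_msg_header.cc hunk it is bumped on a CONNECT tunnel cutover that happens after the flow already published SSL_SEARCH_ABANDONED, i.e. the cases where the abandon heuristic was wrong. I would make the description say that: `{ CountType::SUM, "ssl_srch_abandoned_early", "CONNECT tunnel cutovers after SSL search was abandoned" },`. The abbreviated `ssl_srch` is also out of step with the spelled-out names around it (`connect_tunnel_cutovers`, `excess_parameters`); if this name has not shipped yet, `ssl_search_abandoned_early` would be clearer. The entry sits at the same position as PEG_SSL_SEARCH_ABND_EARLY in http_enum.h, which is what keeps the table and the enum in step.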