From: Oleg Torubara -X (otorubar - SOFTSERVE INC at Cisco) Date: Tue, 3 Dec 2024 14:58:43 +0000 (+0000) Subject: Pull request #4522: http_inspect, mime: add hostname and url for http/mime file proce... X-Git-Tag: 3.6.0.0~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7976ff5d381a20a31dfad92a511b2b86cf5b5045;p=thirdparty%2Fsnort3.git Pull request #4522: http_inspect, mime: add hostname and url for http/mime file processing Merge in SNORT/snort3 from ~OTORUBAR/snort3:mime_file_processing to master Squashed commit of the following: commit 5f58cc4b19b587bc101ae21d9dd22543cc037f88 Author: otorubar Date: Fri Nov 1 12:02:18 2024 -0700 http_inspect, mime: add hostname and url for http with mime --- diff --git a/src/mime/file_mime_process.cc b/src/mime/file_mime_process.cc index 7ae4ebf58..15b49d13a 100644 --- a/src/mime/file_mime_process.cc +++ b/src/mime/file_mime_process.cc @@ -914,7 +914,7 @@ void MimeSession::mime_file_process(Packet* p, const uint8_t* data, int data_siz const FileDirection dir = upload ? FILE_UPLOAD : FILE_DOWNLOAD; continue_inspecting_file = file_flows->file_process(p, get_file_cache_file_id(), data, data_size, file_offset, dir, get_multiprocessing_file_id(), position, (const uint8_t*)filename.c_str(), - filename.length()); + filename.length(), uri, uri_length, host_name); } else { @@ -931,3 +931,17 @@ void MimeSession::mime_file_process(Packet* p, const uint8_t* data, int data_siz } } } + +void MimeSession::set_host_name(const std::string& host) +{ + if (host.empty()) + return; + + host_name = host; + host_set = true; +} + +bool MimeSession::is_host_set() const +{ + return host_set; +} diff --git a/src/mime/file_mime_process.h b/src/mime/file_mime_process.h index cc5655616..3bb4850cf 100644 --- a/src/mime/file_mime_process.h +++ b/src/mime/file_mime_process.h 
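Review bot: `host_set` duplicates state already held in `host_name`: `set_host_name()` in the `@@ -931` hunk returns early on an empty string, so the flag is true exactly when `host_name` is non-empty. `is_host_set()` could be `return !host_name.empty();`, which removes the `host_set` member added in file_mime_process.h and the chance of the two drifting apart later. The same header hunk initialises `std::string host_name {""};`, where plain `std::string host_name;` would match the `filename` member above it. The stored value comes from the HTTP Host header or the request URI, so a one-line comment on `set_host_name()` such as `// host is taken from traffic as-is; callers must not treat it as validated` would help consumers of `file_process()`.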
@@ -80,6 +80,9 @@ public: MailLogState* get_log_state(); void set_mime_stats(MimeStats*); + void set_host_name(const std::string& host); + bool is_host_set() const; + const BufferData& get_ole_buf(); const BufferData& get_vba_inspect_buf(); @@ -105,6 +108,8 @@ private: MimeStats* mime_stats = nullptr; FilenameState filename_state = CONT_DISP_FILENAME_PARAM_NAME; std::string filename; + std::string host_name {""}; + bool host_set = false; bool continue_inspecting_file = true; // This counter is not an accurate count of files; used only for creating a unique mime_file_id uint32_t file_counter = 0; @@ -116,8 +121,7 @@ private: const int32_t uri_length; uint64_t get_file_cache_file_id(); uint64_t get_multiprocessing_file_id(); - void mime_file_process(Packet* p, const uint8_t* data, int data_size, - FilePosition position, bool upload); + void mime_file_process(Packet* p, const uint8_t* data, int data_size, FilePosition position, bool upload); void reset_part_state(); // Individual service inspectors may have different implementations for these diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc index 1599e9d06..e7c80933e 100644 --- a/src/service_inspectors/http_inspect/http_msg_body.cc +++ b/src/service_inspectors/http_inspect/http_msg_body.cc @@ -194,11 +194,11 @@ void HttpMsgBody::analyze() } else mime_bufs = new std::list; - + while (ptr < section_end) { // After process_mime_data(), ptr will point to the last byte processed in the current MIME part - ptr = session_data->mime_state[source_id]->process_mime_data(p, ptr, + ptr = session_data->mime_state[source_id]->process_mime_data(p, ptr, (section_end - ptr), true, SNORT_FILE_POSITION_UNKNOWN); ptr++; 
@@ -692,7 +692,9 @@ void HttpMsgBody::do_file_processing(const Field& file_data) const FileDirection dir = source_id == SRC_SERVER ? FILE_DOWNLOAD : FILE_UPLOAD; uint64_t file_index = get_header(source_id)->get_file_cache_index(); - const std::string host = get_header(source_id)->get_host_header_field(); + // Get host from the header field. + std::string host = get_header(source_id)->get_host_header_field(); + const uint8_t* filename_buffer = nullptr; uint32_t filename_length = 0; const uint8_t* uri_buffer = nullptr; @@ -700,6 +702,10 @@ void HttpMsgBody::do_file_processing(const Field& file_data) if (request != nullptr) get_file_info(dir, filename_buffer, filename_length, uri_buffer, uri_length); + // Get host from the uri. + if (host.empty() and request != nullptr) + host = request->get_host_string(); + bool continue_processing_file = file_flows->file_process(p, file_index, file_data.start(), fp_length, session_data->file_octets[source_id], dir, get_header(source_id)->get_multi_file_processing_id(), file_position, diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc index ee2c05a17..5612ce8b6 100755 --- a/src/service_inspectors/http_inspect/http_msg_header.cc +++ b/src/service_inspectors/http_inspect/http_msg_header.cc @@ -551,6 +551,18 @@ void HttpMsgHeader::setup_mime() session_data->mime_state[source_id] = new MimeSession(p, params->mime_decode_conf, &mime_conf, get_multi_file_processing_id()); + // Get host from the header field. + if (!session_data->mime_state[source_id]->is_host_set()) + { + std::string host = get_host_header_field(); + // Get host from the uri. + if (host.empty()) + host = request->get_host_string(); + + session_data->mime_state[source_id]->set_host_name(host); + } + + // Show file processing the Content-Type header as if it were regular data. // This will enable it to find the boundary string. // FIXIT-L develop a proper interface for passing the boundary string. 
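Review bot: In the `@@ -700` hunk of do_file_processing the Host header wins and the URI host is used only when the header is empty, which is the reverse of how an origin server resolves an absolute-form request target (RFC 9112 section 3.2.2 has the request-target's host take precedence over Host). When the two disagree, the host attached to the file event may not be the one the server acted on, which weakens file policy and logging built on it. Consider consulting `request->get_host_string()` first and falling back to `get_host_header_field()`, or add a comment stating why header-first is intended; the same ordering appears in the setup_mime() hunk in http_msg_header.cc. Whether `get_host_header_field()` already reconciles the two sources is not visible in this diff.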
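Review bot: `request->get_host_string()` in the setup_mime() hunk dereferences `request` without a null check, while the equivalent fallback in do_file_processing is guarded with `request != nullptr`. If a header section can reach setup_mime() with no request object attached, this is a null dereference triggered by traffic content in the inspector; guard it the same way with `if (host.empty() and request != nullptr)`. The `is_host_set()` test directly follows the `new MimeSession(...)` assignment shown as context, so unless that assignment is conditional outside the hunk the test always passes and could be dropped. setup_mime() starts and ends outside the hunk.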
diff --git a/src/service_inspectors/http_inspect/http_msg_request.cc b/src/service_inspectors/http_inspect/http_msg_request.cc index 63436f9d6..5820f9d17 100644 --- a/src/service_inspectors/http_inspect/http_msg_request.cc +++ b/src/service_inspectors/http_inspect/http_msg_request.cc @@ -394,6 +394,17 @@ string HttpMsgRequest::get_aux_ip() return ip_str; } +std::string HttpMsgRequest::get_host_string() +{ + if (!uri) + return ""; + + const Field& host = uri->get_host(); + if (host.length() > STAT_EMPTY_STRING) + return string((const char*)host.start(), (size_t)host.length()); + return ""; +} + #ifdef REG_TEST void HttpMsgRequest::print_section(FILE* output) diff --git a/src/service_inspectors/http_inspect/http_msg_request.h b/src/service_inspectors/http_inspect/http_msg_request.h index f4553e448..aa2ab625c 100644 --- a/src/service_inspectors/http_inspect/http_msg_request.h +++ b/src/service_inspectors/http_inspect/http_msg_request.h @@ -51,6 +51,7 @@ public: const Field& get_uri(); const Field& get_uri_norm_classic(); std::string get_aux_ip(); + std::string get_host_string(); HttpUri* get_http_uri() { return uri; } ParameterMap& get_query_params(); ParameterMap& get_body_params();
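Review bot: The `host.length() > STAT_EMPTY_STRING` guard in `get_host_string()` is what keeps a non-positive length (presumably a status code) from reaching the `(size_t)` cast, and it deserves a comment, for example `// non-positive length means absent or empty; never cast it to size_t`. The C-style casts would read better as named casts, `return std::string(reinterpret_cast<const char*>(host.start()), static_cast<size_t>(host.length()));`, which also matches the `std::string` spelling used in the signature. The function does not appear to modify the object, so declaring it `const` here and in http_msg_request.h is worth considering if `uri->get_host()` permits it.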