From: Mike Stepanek (mstepane) Date: Thu, 3 May 2018 17:28:20 +0000 (-0400) Subject: Merge pull request #1212 in SNORT/snort3 from appid_fixes to master X-Git-Tag: 3.0.0-245~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a7353c3d6b8cf67515ddc9e8517483154842933;p=thirdparty%2Fsnort3.git Merge pull request #1212 in SNORT/snort3 from appid_fixes to master Squashed commit of the following: commit c983b7acc7ef641faa3a9d5e9ef255511b736f47 Author: deramada Date: Wed May 2 11:06:18 2018 -0400 appid: appid session unit test changes commit aa89c65543a5fb16db9c692a38778138fb5d901b Author: deramada Date: Tue May 1 20:27:33 2018 -0400 appid: fixed http fields, referer payload and appid debug --- diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc index dbecf5b39..1edd7515b 100644 --- a/src/network_inspectors/appid/appid_http_session.cc +++ b/src/network_inspectors/appid/appid_http_session.cc @@ -56,9 +56,6 @@ AppIdHttpSession::AppIdHttpSession(AppIdSession& asd) : asd(asd) { http_matchers = HttpPatternMatchers::get_instance(); - http_fields.reserve(MAX_HTTP_FIELD_ID); - ptype_req_counts.assign(MAX_HTTP_FIELD_ID, 0); - ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0); } AppIdHttpSession::~AppIdHttpSession() @@ -278,7 +275,7 @@ void AppIdHttpSession::process_chp_buffers() } cmd.free_rewrite_buffers(); - ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0); + memset(ptype_scan_counts, 0, sizeof(ptype_scan_counts)); // Make it possible for other detectors to run. skip_simple_detect = false; @@ -333,7 +330,7 @@ void AppIdHttpSession::process_chp_buffers() asd.scan_flags &= ~SCAN_HTTP_VIA_FLAG; asd.scan_flags &= ~SCAN_HTTP_USER_AGENT_FLAG; asd.scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG; - ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0); + memset(ptype_scan_counts, 0, sizeof(ptype_scan_counts)); } else /* if we have a candidate, but we're not finished */ { 
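Review bot: The `memset(ptype_scan_counts, 0, sizeof(ptype_scan_counts));` added in process_chp_buffers() at -278 is only correct while `ptype_scan_counts` is a true array member. If the declaration ever becomes a pointer or a container again, `sizeof` silently gives the wrong byte count and the call clears the wrong bytes. The same statement is repeated in the -333 hunk and in reset_ptype_scan_counts() at -840, so the two call sites here could call `reset_ptype_scan_counts();` and leave a single place to maintain. Inside that helper, `std::fill(std::begin(ptype_scan_counts), std::end(ptype_scan_counts), 0);` would fail to compile rather than miscount if the type changes. process_chp_buffers() starts and ends outside both hunks.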
@@ -840,7 +837,7 @@ void AppIdHttpSession::update_response_code(const char* new_rc) void AppIdHttpSession::reset_ptype_scan_counts() { - ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0); + memset(ptype_scan_counts, 0, sizeof(ptype_scan_counts)); } diff --git a/src/network_inspectors/appid/appid_http_session.h b/src/network_inspectors/appid/appid_http_session.h index 42c524939..b78ee54e7 100644 --- a/src/network_inspectors/appid/appid_http_session.h +++ b/src/network_inspectors/appid/appid_http_session.h @@ -23,12 +23,13 @@ #define APPID_HTTP_SESSION_H #include -#include #include "flow/flow.h" #include "sfip/sf_ip.h" + #include "appid_types.h" #include "application_ids.h" +#include "detector_plugins/http_url_patterns.h" #include "http_xff_fields.h" class AppIdSession; @@ -200,7 +201,6 @@ protected: std::string req_body; std::string server; std::string x_working_with; - std::vector http_fields; bool is_webdav = false; bool chp_finished = false; AppId chp_candidate = APP_ID_NONE; @@ -215,8 +215,9 @@ protected: snort::SfIp* xff_addr = nullptr; const char** xffPrecedence = nullptr; unsigned numXffFields = 0; - std::vector ptype_req_counts; - std::vector ptype_scan_counts; + HttpField http_fields[MAX_HTTP_FIELD_ID]; + int ptype_req_counts[MAX_HTTP_FIELD_ID] = {0}; + int ptype_scan_counts[MAX_HTTP_FIELD_ID] = {0}; #if RESPONSE_CODE_PACKET_THRESHHOLD unsigned response_code_packets = 0; #endif diff --git a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc index c24910f5f..e3cb5898a 100644 --- a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc +++ b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc 
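Review bot: The three raw arrays added at -215 (`http_fields`, `ptype_req_counts`, `ptype_scan_counts`) are indexed by HTTP field id, and nothing in this diff checks that id against MAX_HTTP_FIELD_ID, so an out-of-range id would read or write past the member. The accessors that index them (set_field_offset, get_field_offset and the like) are outside the hunk, so whether they validate the id cannot be confirmed from here; an assert that the field id is below MAX_HTTP_FIELD_ID in those accessors would make the contract explicit. `http_fields` also has no initializer, while the two count arrays have `= {0}`. Unless HttpField default-initializes its own members, `HttpField http_fields[MAX_HTTP_FIELD_ID] = {};` avoids reading indeterminate offsets for fields that were never set.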
@@ -1649,7 +1649,7 @@ bool HttpPatternMatchers::get_appid_from_url(char* host, const char* url, char** snort_free(temp_host); /* if referred_id feature id disabled, referer will be null */ - if ( referer && (!payload_found || + if ( referer and (referer[0] != '\0') and (!payload_found or AppInfoManager::get_instance().get_app_info_flags(data->payload_id, APPINFO_FLAG_REFERRED)) ) { @@ -1660,7 +1660,7 @@ bool HttpPatternMatchers::get_appid_from_url(char* host, const char* url, char** (const uint8_t*)URL_SCHEME_END_PATTERN, sizeof(URL_SCHEME_END_PATTERN)-1); if ( !referer_offset ) - return false; + return payload_found; referer_offset += sizeof(URL_SCHEME_END_PATTERN)-1; referer_start = referer_offset; diff --git a/src/network_inspectors/appid/test/appid_mock_http_session.h b/src/network_inspectors/appid/test/appid_mock_http_session.h index fcb57e13e..1181d25d6 100644 --- a/src/network_inspectors/appid/test/appid_mock_http_session.h +++ b/src/network_inspectors/appid/test/appid_mock_http_session.h @@ -24,9 +24,6 @@ AppIdHttpSession::AppIdHttpSession(AppIdSession& session) : asd(session) { - http_fields.reserve(MAX_HTTP_FIELD_ID); - ptype_req_counts.assign(MAX_HTTP_FIELD_ID, 0); - ptype_scan_counts.assign(MAX_HTTP_FIELD_ID, 0); } AppIdHttpSession::~AppIdHttpSession() diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index 0889118d7..81407024f 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc 
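Review bot: The comment above the condition at -1649 still says only that the referer will be null when the feature is disabled, but the new condition also skips an empty referer via `referer[0] != '\0'`. Extending it to something like `/* referer is null when the referred_id feature is disabled, and may be empty when the header carried no value */` keeps the comment in step with the check. The enclosing get_appid_from_url() starts and ends outside the hunk.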
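Review bot: `return payload_found;` at -1660 changes what the function reports for a referer with no scheme separator, and nothing at the return says why. The referer presumably comes from inspected traffic, so a malformed value is expected input. A comment such as `// no scheme in referer: keep the host/url match, skip referer payload` would record that the earlier match is kept on purpose. The function's header comment should also note that this path now returns payload_found, since callers previously saw false here. get_appid_from_url() starts and ends outside the hunk.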
@@ -187,8 +187,9 @@ static inline void process_http_session(AppIdSession& asd, hsession->set_field_offset(REQ_HOST_FID, attribute_data.http_request_host_begin()); hsession->set_field_end_offset(REQ_HOST_FID, attribute_data.http_request_host_end()); if (appidDebug->is_active()) - LogMessage("AppIdDbg %s HTTP host is %s\n", - appidDebug->get_debug_session(), field->c_str()); + LogMessage("AppIdDbg %s HTTP host (%u-%u) is %s\n", + appidDebug->get_debug_session(), hsession->get_field_offset(REQ_HOST_FID), + hsession->get_field_end_offset(REQ_HOST_FID), field->c_str()); asd.scan_flags |= SCAN_HTTP_HOST_URL_FLAG; } @@ -223,7 +224,7 @@ static inline void process_http_session(AppIdSession& asd, hsession->set_field_offset(REQ_URI_FID, attribute_data.http_request_uri_begin()); hsession->set_field_end_offset(REQ_URI_FID, attribute_data.http_request_uri_end()); if (appidDebug->is_active()) - LogMessage("AppIdDbg %s uri (%u-%u) is %s\n", appidDebug->get_debug_session(), + LogMessage("AppIdDbg %s URI (%u-%u) is %s\n", appidDebug->get_debug_session(), hsession->get_field_offset(REQ_URI_FID), hsession->get_field_end_offset(REQ_URI_FID), hsession->get_uri()); } @@ -544,14 +545,14 @@ static inline void process_third_party_results(AppIdSession& asd, int confidence if ( contains(proto_list, APP_ID_HTTP) ) { if (appidDebug->is_active()) - LogMessage("AppIdDbg %s flow is HTTP\n", appidDebug->get_debug_session()); + LogMessage("AppIdDbg %s Flow is HTTP\n", appidDebug->get_debug_session()); asd.set_session_flags(APPID_SESSION_HTTP_SESSION); } if ( contains(proto_list, APP_ID_SPDY) ) { if (appidDebug->is_active()) - LogMessage("AppIdDbg %s flow is SPDY\n", appidDebug->get_debug_session()); + LogMessage("AppIdDbg %s Flow is SPDY\n", appidDebug->get_debug_session()); asd.set_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION); }
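Review bot: The `(%u-%u)` conversions added to the host message at -187 assume that `get_field_offset()` and `get_field_end_offset()` return a type that is passed as `unsigned int`. Their declarations are not in this diff, and if they return a wider type such as `size_t` the varargs call is mismatched. An explicit `static_cast<unsigned>(hsession->get_field_offset(REQ_HOST_FID))`, or a specifier matched to the declared type, removes the doubt; the URI message at -223 uses the same pattern. The `%s` argument is the HTTP host value for the session, so the debug line appears to carry remote-supplied bytes unescaped. That predates this change but deserves a short comment next to the LogMessage call. process_http_session() starts and ends outside the hunk.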