From: Sreeja Athirkandathil Narayanan (sathirka) Date: Wed, 14 Sep 2022 16:50:16 +0000 (+0000) Subject: Pull request #3579: appid: Added a snort config to control client-process mapping X-Git-Tag: 3.1.42.0~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ab015083c0d1a22f3efce4b4b52652155b1541a;p=thirdparty%2Fsnort3.git Pull request #3579: appid: Added a snort config to control client-process mapping Merge in SNORT/snort3 from ~BSACHDEV/snort3:client_process_mapping to master Squashed commit of the following: commit ce7051260b852b09a4a0a27d2375f90f2a0ea66d Author: bsachdev Date: Tue Aug 16 14:41:36 2022 -0400 appid: Added a snort config to control client-process mapping
---
diff --git a/src/network_inspectors/appid/appid_eve_process_event_handler.cc b/src/network_inspectors/appid/appid_eve_process_event_handler.cc
index e3bcf76fb..ad88cbe79 100644
--- a/src/network_inspectors/appid/appid_eve_process_event_handler.cc
+++ b/src/network_inspectors/appid/appid_eve_process_event_handler.cc
@@ -73,6 +73,7 @@ void AppIdEveProcessEventHandler::handle(DataEvent& event, Flow* flow)
 const std::string& user_agent = eve_process_event.get_user_agent();
 std::vector alpn_vec = eve_process_event.get_alpn();
 const bool is_quic = eve_process_event.is_flow_quic();
+ const bool is_client_process_flag = eve_process_event.is_client_process_mapping();
 AppidChangeBits change_bits;
@@ -106,7 +107,7 @@ void AppIdEveProcessEventHandler::handle(DataEvent& event, Flow* flow)
 snort_free(version);
 }
- else if (!name.empty())
+ else if (!name.empty() and is_client_process_flag)
 {
 client_id = asd->get_odp_ctxt().get_eve_ca_matchers().match_eve_ca_pattern(name, conf);
diff --git a/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc b/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc
index 9b59fbb95..0819f0ddf 100644
--- a/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc
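Review bot: The local `is_client_process_flag` added in the first hunk of appid_eve_process_event_handler.cc does not say what it gates; next to `is_quic` it reads like a property of the flow rather than a configuration switch. A name such as `client_process_mapping_enabled` would make the condition in the second hunk readable on its own. handle() starts and ends outside the hunk.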
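Review bot: The branch now guarded by `!name.empty() and is_client_process_flag` skips the EVE process-name lookup with no comment explaining why, so a reader of handle() cannot tell a deliberate configuration choice from a detection miss. I would add a comment above the condition, `// client-process mapping is configurable; when disabled the EVE process name must not set the client AppId`. The code that follows this else-if is outside the hunk, so it is worth confirming that nothing later in handle() still derives or publishes a client id from `name` when the flag is false.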
+++ b/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc
@@ -139,6 +139,7 @@ TEST(appid_eve_process_event_handler_tests, eve_process_event_handler)
 {
 Packet p;
 EveProcessEvent event(p, "firefox", 90);
+ event.set_client_process_mapping(true);
 AppIdEveProcessEventHandler event_handler(dummy_appid_inspector);
 Flow* flow = new Flow();
 event_handler.handle(event, flow);
diff --git a/src/pub_sub/eve_process_event.h b/src/pub_sub/eve_process_event.h
index 62d94ce4e..65fc66aa6 100644
--- a/src/pub_sub/eve_process_event.h
+++ b/src/pub_sub/eve_process_event.h
@@ -87,6 +87,16 @@ public:
 {
 return is_quic;
 }
+
+ bool is_client_process_mapping() const
+ {
+ return client_process_mapping;
+ }
+
+ void set_client_process_mapping(bool flag)
+ {
+ client_process_mapping = flag;
+ }
 private:
 const snort::Packet &p;
@@ -96,5 +106,6 @@ private:
 std::string user_agent;
 std::vector alpn;
 bool is_quic = false;
+ bool client_process_mapping = true;
 };
 #endif
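Review bot: `event.set_client_process_mapping(true);` sets the value the member already defaults to (`bool client_process_mapping = true;` in eve_process_event.h), so this test still covers only the enabled path that existed before the change. The behaviour this commit introduces is the disabled path: a second case that calls `event.set_client_process_mapping(false);` before `event_handler.handle(event, flow);` and checks that no client id is taken from the process name "firefox" would pin it. The test body continues outside the hunk, so its existing assertions are not visible here.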
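Review bot: `is_client_process_mapping()` and `set_client_process_mapping()` in eve_process_event.h are added without any comment on what the flag means or who is expected to set it, and the getter name does not read as a question. A one-line comment above the pair, `// When false, AppId must not map the EVE process name to a client application (default: true).`, would document the contract for both the publisher and the subscribers; `is_client_process_mapping_enabled()` would be a clearer getter name. The class body starts outside the hunk, and the default itself is set in the last hunk of this file.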