From: Masud Hasan (mashasan)
Date: Tue, 6 Oct 2020 14:38:46 +0000 (+0000)
Subject: Merge pull request #2529 in SNORT/snort3 from ~MASHASAN/snort3:ua_improvement to...
X-Git-Tag: 3.0.3-2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84149cc830eea2ab50a890b374e4070ae7b00e6f;p=thirdparty%2Fsnort3.git

Merge pull request #2529 in SNORT/snort3 from ~MASHASAN/snort3:ua_improvement to master

Squashed commit of the following:

commit f47078b773d829aadba1199d139fb48801eafa04
Author: Masud Hasan
Date: Mon Oct 5 13:32:22 2020 -0400

    rna: Checking user-agent processor early to skip some works
---

diff --git a/src/network_inspectors/rna/rna_app_discovery.cc b/src/network_inspectors/rna/rna_app_discovery.cc
index d985fbc63..d1cac533f 100644
--- a/src/network_inspectors/rna/rna_app_discovery.cc
+++ b/src/network_inspectors/rna/rna_app_discovery.cc
@@ -27,7 +27,6 @@
 #include "detection/detection_engine.h"
 #include "network_inspectors/appid/appid_session_api.h"
-#include "rna_fingerprint_ua.h"
 #include "rna_logger_common.h"
 
 using namespace snort;
@@ -123,18 +122,23 @@ void RnaAppDiscovery::process(AppidEvent* appid_event, DiscoveryFilter& filter,
     if ( p->is_from_client() and ( appid_change_bits[APPID_HOST_BIT] or
         appid_change_bits[APPID_USERAGENT_BIT] ) )
     {
-        const AppIdHttpSession* hsession;
-
-        if ( appid_event->get_is_http2() )
-            hsession = appid_session_api.get_http_session(appid_event->get_http2_stream_index());
-        else
-            hsession = appid_session_api.get_http_session();
-
-        if ( hsession )
+        auto processor = get_ua_fp_processor();
+        if ( processor and processor->has_pattern() )
         {
-            const char* host = hsession->get_cfield(REQ_HOST_FID);
-            const char* uagent = hsession->get_cfield(REQ_AGENT_FID);
-            analyze_user_agent_fingerprint(p, host, uagent, ht, src_ip, src_mac, logger);
+            const AppIdHttpSession* hsession;
+
+            if ( appid_event->get_is_http2() )
+                hsession = appid_session_api.get_http_session(appid_event->get_http2_stream_index());
+            else
+                hsession = appid_session_api.get_http_session();
+
+            if ( hsession )
+            {
+                const char* host = hsession->get_cfield(REQ_HOST_FID);
+                const char* uagent = hsession->get_cfield(REQ_AGENT_FID);
+                analyze_user_agent_fingerprint(p, host, uagent, ht, src_ip, src_mac,
+                    logger, *processor);
+            }
         }
     }
 }
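Review bot: The new guard `processor and processor->has_pattern()` now gates the entire HTTP-session lookup, and `has_pattern()` as defined in this commit reports only `os_mpse != nullptr`; if device or jail-broken patterns can ever be loaded without OS patterns, this path will silently never consult them, and nothing here records that `os_mpse` is the intended gate. A one-line why-comment above the check would make that explicit: `// no UA fingerprints loaded (os_mpse is the gate): skip the http session lookup`. The processor is also taken by value into `auto processor`; if `get_ua_fp_processor()` returns a shared_ptr that is a refcount bump per AppId event, which is probably fine but worth confirming against the return type. `RnaAppDiscovery::process` starts and ends outside this hunk.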
@@ -240,19 +244,16 @@ void RnaAppDiscovery::discover_user(const Packet* p, RnaTracker& rt,
 }
 
 void RnaAppDiscovery::analyze_user_agent_fingerprint(const Packet* p, const char* host,
-    const char* uagent, RnaTracker& rt, const SfIp* ip, const uint8_t* src_mac, RnaLogger& logger)
+    const char* uagent, RnaTracker& rt, const SfIp* ip, const uint8_t* src_mac,
+    RnaLogger& logger, UaFpProcessor& processor)
 {
     if ( !host or !uagent )
         return;
 
-    const auto& processor = get_ua_fp_processor();
-    if ( !processor )
-        return;
-
     const UaFingerprint* uafp = nullptr;
     const char* device_info = nullptr;
     bool jail_broken = false;
-    processor->match_mpse(host, uagent, uafp, device_info, jail_broken);
+    processor.match_mpse(host, uagent, uafp, device_info, jail_broken);
 
     if ( uafp and rt->add_ua_fingerprint(uafp->fpid, uafp->fp_type, jail_broken,
         device_info, MAX_USER_AGENT_DEVICES) )
diff --git a/src/network_inspectors/rna/rna_app_discovery.h b/src/network_inspectors/rna/rna_app_discovery.h
index 75eceacd0..df437dc63 100644
--- a/src/network_inspectors/rna/rna_app_discovery.h
+++ b/src/network_inspectors/rna/rna_app_discovery.h
@@ -19,6 +19,7 @@
 #ifndef RNA_APP_DISCOVERY_H
 #define RNA_APP_DISCOVERY_H
 
+#include "rna_fingerprint_ua.h"
 #include "rna_pnd.h"
 
 class RnaAppDiscovery
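Review bot: `analyze_user_agent_fingerprint` drops its own null check on the processor and now calls `processor.match_mpse(...)` unconditionally, so the only thing keeping `match_mpse` away from an unloaded `os_mpse` is the `has_pattern()` check in the caller, and that precondition is stated nowhere. Add it at the function head: `// Precondition: caller has verified processor.has_pattern(); host/uagent are raw HTTP header values and may be null`. Keeping the `!host or !uagent` guard is right, since both strings come straight from the client request via `get_cfield`. The function body continues past the end of this hunk.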
@@ -27,16 +28,16 @@ public:
     static void process(AppidEvent*, DiscoveryFilter&, RnaConfig*, RnaLogger&);
 
     static void discover_service(const snort::Packet*, IpProtocol, RnaTracker&,
-        const struct in6_addr*, const uint8_t*, RnaConfig*, RnaLogger&, uint16_t,
+        const struct in6_addr*, const uint8_t*, RnaConfig*, RnaLogger&, uint16_t port,
         AppId service = APP_ID_NONE);
 
     static void discover_payload(const snort::Packet*, IpProtocol, RnaTracker&,
         const struct in6_addr*, const uint8_t*, RnaConfig*, RnaLogger&, AppId service,
         AppId payload);
 
-    static void discover_client(const snort::Packet* p, RnaTracker& rt,
-        const struct in6_addr* src_ip, const uint8_t* src_mac, RnaConfig* conf,
-        RnaLogger& logger, const char* version, AppId client, AppId service);
+    static void discover_client(const snort::Packet*, RnaTracker&,
+        const struct in6_addr*, const uint8_t*, RnaConfig*,
+        RnaLogger&, const char*, AppId client, AppId service);
 
     static void discover_user(const snort::Packet*, RnaTracker&,
         const struct in6_addr*, const uint8_t* src_mac, RnaLogger&, const char* username, AppId, IpProtocol);
@@ -48,7 +49,7 @@ private:
     static void analyze_user_agent_fingerprint(const snort::Packet*, const char* host,
         const char* uagent, RnaTracker&, const snort::SfIp*, const uint8_t*,
-        RnaLogger&);
+        RnaLogger&, snort::UaFpProcessor&);
 };
 
 #endif
diff --git a/src/network_inspectors/rna/rna_fingerprint_ua.cc b/src/network_inspectors/rna/rna_fingerprint_ua.cc
index b353a55dc..30aef3800 100644
--- a/src/network_inspectors/rna/rna_fingerprint_ua.cc
+++ b/src/network_inspectors/rna/rna_fingerprint_ua.cc
@@ -197,6 +197,8 @@ void UaFpProcessor::match_mpse(const char* host, const char* uagent, const UaFin
     {
         unsigned len = strlen(uagent);
         osfp = search_ua_fp(os_mpse, uagent, len);
+        if ( !osfp )
+            return;
         auto devicefp = search_ua_fp(device_mpse, uagent, len);
         if ( devicefp )
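Review bot: In `UaFpProcessor::match_mpse` the added `if ( !osfp ) return;` leaves the by-reference outputs `device_info` and `jail_broken` untouched and skips the `device_mpse` search plus whatever follows this block in the rest of the function (not visible here); that is only safe because `analyze_user_agent_fingerprint` initialises all three outputs before the call, a contract the early return does not state. Either document it on the return, `// no OS match: device/jail-broken lookups are skipped and outputs keep the caller's initial values`, or reset the outputs here so any future caller is covered. If the function does any host-based matching after this block, confirm it is meant to be skipped when no OS fingerprint matches. `match_mpse` starts and ends outside this hunk.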
diff --git a/src/network_inspectors/rna/rna_fingerprint_ua.h b/src/network_inspectors/rna/rna_fingerprint_ua.h
index 0f3798648..492b93c8a 100644
--- a/src/network_inspectors/rna/rna_fingerprint_ua.h
+++ b/src/network_inspectors/rna/rna_fingerprint_ua.h
@@ -49,12 +49,14 @@ class SO_PUBLIC UaFpProcessor
 public:
     ~UaFpProcessor();
 
+    bool has_pattern()
+    { return os_mpse != nullptr; }
+
     void make_mpse(SnortConfig* sc = nullptr);
 
-    void match_mpse(const char* host, const char* uagent, const UaFingerprint*& osfp,
-        const char*& device_info, bool& jail_broken);
+    void match_mpse(const char*, const char*, const UaFingerprint*&, const char*&, bool&);
 
-    void push(const RawFingerprint& rfp);
+    void push(const RawFingerprint&);
     void push_agent(const UaFingerprint& uafp)
     { os_fps.emplace_back(uafp); }