From: Masud Hasan (mashasan)
Date: Thu, 31 Mar 2022 21:12:15 +0000 (+0000)
Subject: Pull request #3336: appid: provide client appid set by encrypted visibility engine...
X-Git-Tag: 3.1.27.0~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=881f24e5a6d0f53908d5b82267e9159ee3638596;p=thirdparty%2Fsnort3.git
Pull request #3336: appid: provide client appid set by encrypted visibility engine to ssl through the ssl appid lookup api
Merge in SNORT/snort3 from ~SATHIRKA/snort3:ssl_appid_bug to master
Squashed commit of the following:
commit 94dd37f7b2b5af8209556dcdedcc469593785b8c
Author: Sreeja Athirkandathil Narayanan
Date: Thu Mar 31 13:34:29 2022 -0400
appid: provide client appid set by encrypted visibility engine to ssl through the ssl appid lookup api
---
diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc
index 8c9787cfd..78261a412 100644
--- a/src/network_inspectors/appid/appid_api.cc
+++ b/src/network_inspectors/appid/appid_api.cc
@@ -193,7 +193,9 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name,
 service_id = asd->get_api().get_service_app_id();
- if (client_id == APP_ID_NONE)
+ if (asd->use_eve_client_app_id())
+ client_id = asd->get_eve_client_app_id();
+ else if (client_id == APP_ID_NONE)
 client_id = asd->get_api().get_client_app_id();
 else
 asd->set_client_id(client_id);
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 33e637fe8..652f13ebc 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
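Review bot: In the new first branch the lookup hands the EVE client id to ssl but records nothing about it on the session — `asd->set_client_id(client_id)` is skipped and, unlike pick_ss_client_app_id() in appid_session.cc, no `set_eve_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP)` is made, so the id reported through this API and the session's own client state can disagree, and the `client_id` the SSL pattern matcher passed in is silently discarded. If the detect type is consumed elsewhere (events, logging), consider mirroring the session.cc call through whatever accessor AppIdSession exposes for api.client. Both the pattern-matcher id and the EVE id ultimately derive from client-controlled TLS ClientHello data, so the precedence chosen here is policy rather than a correctness ordering and deserves a comment, e.g. `// EVE's TLS-fingerprint client id takes precedence over the id the SSL pattern matcher passed in`. The enclosing ssl_app_group_id_lookup() starts and ends outside the hunk.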
@@ -846,9 +846,7 @@ AppId AppIdSession::pick_ss_client_app_id() const
 return tmp_id;
 }
- if (api.client.get_eve_client_app_id() > APP_ID_NONE and
- (api.client.get_id() == APP_ID_SSL_CLIENT or
- api.client.get_id() <= APP_ID_NONE))
+ if (use_eve_client_app_id())
 {
 api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
 return api.client.get_eve_client_app_id();
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 6a7a3f72a..3910c1f26 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
@@ -520,6 +520,12 @@ public:
 return api.client.get_eve_client_app_id();
 }
+ bool use_eve_client_app_id() const
+ {
+ return (api.client.get_eve_client_app_id() > APP_ID_NONE and
+ (api.client.get_id() == APP_ID_SSL_CLIENT or api.client.get_id() <= APP_ID_NONE));
+ }
+
 AppId get_payload_id() const
 {
 return api.payload.get_id();
diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc
index 951150cad..9e6887477 100644
--- a/src/network_inspectors/appid/test/appid_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_api_test.cc
@@ -240,7 +240,7 @@ TEST(appid_api, get_application_id)
 TEST(appid_api, ssl_app_group_id_lookup)
 {
- mock().expectNCalls(4, "publish");
+ mock().expectNCalls(5, "publish");
 AppId service, client, payload = APP_ID_NONE;
 bool val = false;
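Review bot: The new use_eve_client_app_id() in appid_session.h has no comment, yet its three conditions encode the policy for when the Encrypted Visibility Engine's client id wins, and both appid_api.cc and pick_ss_client_app_id() now depend on it. Suggest a header comment such as `// True when EVE supplied a client id and the client detected so far is either the generic SSL client or still unidentified; callers then report the EVE id in its place.` The `get_id() <= APP_ID_NONE` test presumably also covers negative "unknown" ids — if that is the intent, say so in the comment rather than leaving it to the reader. The outer parentheses around the returned expression are redundant and can be dropped.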
@@ -294,6 +294,24 @@ TEST(appid_api, ssl_app_group_id_lookup)
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Google");
 STRCMP_EQUAL("Published change_bits == 0000000000100000000", test_log);
+
+ // Override client id found by SSL pattern matcher with the client id provided by
+ // Encrypted Visibility Engine if available
+ service = APP_ID_NONE;
+ client = APP_ID_NONE;
+ payload = APP_ID_NONE;
+ mock_session->set_client_id(APP_ID_NONE);
+ mock_session->set_eve_client_app_id(APPID_UT_ID + 100);
+ val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST,
+ (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, false, service, client, payload);
+ CHECK_TRUE(val);
+ CHECK_EQUAL(client, APPID_UT_ID + 100);
+ CHECK_EQUAL(payload, APPID_UT_ID + 1);
+ STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
+ STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
+ STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
+ STRCMP_EQUAL("Published change_bits == 0000000000100011000", test_log);
+
 mock().checkExpectations();
 }
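Review bot: The new case does not exercise the override its comment describes — `client` is reset to APP_ID_NONE before the call, so the same result would be observed if the EVE id were merely a fallback for an unidentified client. Add a second lookup with a non-NONE pattern-matcher id, `client = APPID_UT_ID + 2;` followed by the same call and `CHECK_EQUAL(client, APPID_UT_ID + 100);`, and a negative case where the session client is set to a specific non-SSL id so use_eve_client_app_id() is false and the passed-in id is kept; if each lookup publishes, the expectNCalls count earlier in this TEST will need raising to match. The org_unit argument is now APPID_UT_TLS_HOST but, unlike the preceding block, get_tls_org_unit() is not asserted, and `service` is never checked. The enclosing TEST body starts outside the hunk.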