From: Masud Hasan (mashasan) Date: Thu, 12 Nov 2020 00:14:22 +0000 (+0000) Subject: Merge pull request #2607 in SNORT/snort3 from ~MASHASAN/snort3:user_logins to master X-Git-Tag: 3.0.3-5~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e0fe3e9538954580d145be9ae49bf2d2ec645f1;p=thirdparty%2Fsnort3.git Merge pull request #2607 in SNORT/snort3 from ~MASHASAN/snort3:user_logins to master Squashed commit of the following: commit 3010559b529e126340058c30dec48457493ddb4a Author: Masud Hasan Date: Sun Nov 8 21:13:23 2020 -0500 rna: Support user login failure discovery
---
diff --git a/src/host_tracker/host_tracker.cc b/src/host_tracker/host_tracker.cc
index 7d5f1662f..8a3322ee2 100644
--- a/src/host_tracker/host_tracker.cc
+++ b/src/host_tracker/host_tracker.cc
@@ -32,6 +32,9 @@ using namespace snort;
 using namespace std;
+#define USER_LOGIN_SUCCESS 1
+#define USER_LOGIN_FAILURE 2
+
 THREAD_LOCAL struct HostTrackerStats host_tracker_stats;
 const uint8_t snort::zero_mac[MAC_SIZE] = {0, 0, 0, 0, 0, 0};
@@ -564,6 +567,8 @@ HostApplication* HostTracker::find_and_add_service_no_lock(Port port, IpProtocol
 available->last_seen = lseen;
 available->inferred_appid = false;
 available->user[0] = '\0';
+ available->user_login = 0;
+ available->banner_updated = false;
 available->visibility = true;
 return available;
 }
@@ -709,7 +714,7 @@ bool HostTracker::update_service_banner(Port port, IpProtocol proto)
 }
 bool HostTracker::update_service_user(Port port, IpProtocol proto, const char* user,
- uint32_t lseen, uint16_t max_services)
+ uint32_t lseen, uint16_t max_services, bool success)
 {
 host_tracker_stats.service_finds++;
 bool is_new = false;
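Review bot: The two login-state flags are introduced as `#define`s in host_tracker.cc, while the `uint8_t user_login` field they populate is added to the public `HostApplication` struct in host_tracker.h (the @@ -118 hunk), so a reader of the header cannot tell that the field is a bitmask or what its bits mean. Because the function already tests and sets them with `&` and `|=`, declaring them next to the field, e.g. `enum UserLoginFlag : uint8_t { USER_LOGIN_SUCCESS = 1, USER_LOGIN_FAILURE = 2 };`, would document the encoding where it is consumed and replace the unscoped macros with typed constants. At minimum the header field deserves a comment: `uint8_t user_login = 0; // bitmask of login success/failure already reported for user`.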
@@ -725,9 +730,24 @@ bool HostTracker::update_service_user(Port port, IpProtocol proto, const char* u
 {
 strncpy(ha->user, user, INFO_SIZE);
 ha->user[INFO_SIZE-1] = '\0';
+ ha->user_login = success ? USER_LOGIN_SUCCESS : USER_LOGIN_FAILURE;
+ return true;
+ }
+
+ if ( success )
+ {
+ if ( ha->user_login & USER_LOGIN_SUCCESS )
+ return false;
+ ha->user_login |= USER_LOGIN_SUCCESS;
+ return true;
+ }
+ else
+ {
+ if ( ha->user_login & USER_LOGIN_FAILURE )
+ return false;
+ ha->user_login |= USER_LOGIN_FAILURE;
 return true;
 }
- return false;
 }
 void HostTracker::remove_inferred_services()
diff --git a/src/host_tracker/host_tracker.h b/src/host_tracker/host_tracker.h
index deb4fe243..e8c593297 100644
--- a/src/host_tracker/host_tracker.h
+++ b/src/host_tracker/host_tracker.h
@@ -118,6 +118,7 @@ struct HostApplication
 uint32_t hits = 0;
 uint32_t last_seen = 0;
 char user[INFO_SIZE] = { '\0' };
+ uint8_t user_login = 0;
 bool banner_updated = false;
 size_t num_visible_payloads = 0;
@@ -325,7 +326,7 @@ public:
 uint16_t max_info);
 bool update_service_banner(Port, IpProtocol);
 bool update_service_user(Port, IpProtocol, const char* username, uint32_t lseen,
- uint16_t max_services);
+ uint16_t max_services, bool success);
 void remove_inferred_services();
 size_t get_client_count();
diff --git a/src/host_tracker/test/host_tracker_test.cc b/src/host_tracker/test/host_tracker_test.cc
index cacc64faa..b85208493 100644
--- a/src/host_tracker/test/host_tracker_test.cc
+++ b/src/host_tracker/test/host_tracker_test.cc
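Review bot: The `if ( success ) ... else ...` branches added after the new-user block are identical except for the flag tested and set, so the duplication can collapse to `const uint8_t bit = success ? USER_LOGIN_SUCCESS : USER_LOGIN_FAILURE;`, `if ( ha->user_login & bit ) return false;`, `ha->user_login |= bit; return true;`. Note also that a differing user name overwrites `ha->user` and resets the mask to the single new flag, so de-duplication is per current name only: a service seeing failures from many distinct names emits one reportable event per name, which downstream consumers may need to rate-limit; a one-line comment on the new-user block stating that this is intended would help. The function begins outside the hunk, so the condition guarding the `strncpy` block is not visible here.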
@@ -288,6 +288,26 @@ TEST(host_tracker, client_payload_max_payloads_test)
 CHECK(clients.size() == 1);
 }
+// Test user login information updates for service
+TEST(host_tracker, update_service_user_test)
+{
+ HostTracker ht;
+
+ CHECK(ht.add_service(110, IpProtocol::TCP, 788, false) == true);
+
+ // The first discoveries of both login success and login failure are updated
+ CHECK(ht.update_service_user(110, IpProtocol::TCP, "user1", 1, 1, true) == true);
+ CHECK(ht.update_service_user(110, IpProtocol::TCP, "user1", 1, 1, false) == true);
+
+ // Subsequent discoveries for login success and login failure are not updated
+ CHECK(ht.update_service_user(110, IpProtocol::TCP, "user1", 1, 1, true) == false);
+ CHECK(ht.update_service_user(110, IpProtocol::TCP, "user1", 1, 1, false) == false);
+
+ // Discoveries for a new user name are updated
+ CHECK(ht.update_service_user(110, IpProtocol::TCP, "user2", 1, 1, false) == true);
+ CHECK(ht.update_service_user(110, IpProtocol::TCP, "user2", 1, 1, true) == true);
+}
+
 // Test copying data and deleting copied list
 TEST(host_tracker, copy_data_test)
 {
diff --git a/src/network_inspectors/rna/rna_app_discovery.cc b/src/network_inspectors/rna/rna_app_discovery.cc
index c50fe73fa..fd8a17a7e 100644
--- a/src/network_inspectors/rna/rna_app_discovery.cc
+++ b/src/network_inspectors/rna/rna_app_discovery.cc
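Review bot: The new test does not exercise the reset that happens when the user name changes: after the `"user2"` calls, a further `CHECK(ht.update_service_user(110, IpProtocol::TCP, "user1", 1, 1, true) == true);` would confirm that switching back to a previously seen name is reported again, since `user_login` is reassigned on a name change rather than merged with the old bits. The current checks observe only the boolean return, so if the `HostApplication` entry is reachable from the test it would also be worth asserting that `user_login` holds both flags after the first two `"user1"` calls.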
@@ -126,15 +126,14 @@ void RnaAppDiscovery::process(AppidEvent* appid_event, DiscoveryFilter& filter,
 discover_banner(p, proto, ht, &p->flow->server_ip, src_mac, logger, service);
 }
- // Appid supports only login success event. Change checks once login failure and
- // logoff is supported
+ // Appid supports login success/failure events, but not logoff event.
 if ( appid_change_bits[APPID_USER_INFO_BIT] and filter.is_user_monitored(p) )
 {
- bool login;
- const char* username = appid_session_api.get_user_info(service, login);
- if ( login and service > APP_ID_NONE and username and *username )
+ bool login_success;
+ const char* username = appid_session_api.get_user_info(service, login_success);
+ if ( service > APP_ID_NONE and username and *username )
 discover_user(p, ht, (const struct in6_addr*) p->ptrs.ip_api.get_dst()->get_ip6_ptr(),
- logger, username, service, proto, conf);
+ logger, username, service, proto, conf, login_success);
 }
 if ( p->is_from_client() and ( appid_change_bits[APPID_HOST_BIT] or
@@ -318,13 +317,13 @@ void RnaAppDiscovery::discover_client(const Packet* p, RnaTracker& rt,
 void RnaAppDiscovery::discover_user(const Packet* p, RnaTracker& rt,
 const struct in6_addr* ip, RnaLogger& logger, const char* username,
- AppId service, IpProtocol proto, RnaConfig* conf)
+ AppId service, IpProtocol proto, RnaConfig* conf, bool login_success)
 {
 if ( rt->update_service_user(p->flow->server_port, proto, username,
- (uint32_t) packet_time(), conf ? conf->max_host_services : 0) )
+ (uint32_t) packet_time(), conf ? conf->max_host_services : 0, login_success) )
 {
- logger.log(RUA_EVENT, CHANGE_USER_LOGIN, p, &rt, ip, username,
- service, (uint32_t) packet_time());
+ logger.log(RUA_EVENT, login_success ? CHANGE_USER_LOGIN : FAILED_USER_LOGIN,
+ p, &rt, ip, username, service, (uint32_t) packet_time());
 }
 }
diff --git a/src/network_inspectors/rna/rna_app_discovery.h b/src/network_inspectors/rna/rna_app_discovery.h
index dbbefac35..02a3d7020 100644
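Review bot: `bool login_success;` is declared without an initializer and passed by reference to `get_user_info`; if that call leaves the out-parameter untouched on some path while still returning a non-empty `username`, `discover_user` receives an indeterminate value and the event is logged as success or failure at random (the removed `login and` condition at least masked this by requiring an explicit true). Initializing it, `bool login_success = false;`, costs nothing and makes the fall-back explicit; whether `get_user_info` always assigns it is not visible in this diff. The enclosing `process` function starts and ends outside the hunk.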
--- a/src/network_inspectors/rna/rna_app_discovery.h
+++ b/src/network_inspectors/rna/rna_app_discovery.h
@@ -41,7 +41,7 @@ public:
 RnaLogger&, const char*, AppId client, AppId service);
 static void discover_user(const snort::Packet*, RnaTracker&, const struct in6_addr*,
- RnaLogger&, const char* username, AppId, IpProtocol, RnaConfig*);
+ RnaLogger&, const char* username, AppId, IpProtocol, RnaConfig*, bool);
 static void discover_banner(const snort::Packet*, IpProtocol, RnaTracker&,
 const snort::SfIp*, const uint8_t* mac, RnaLogger&, AppId);
diff --git a/src/network_inspectors/rna/rna_logger.cc b/src/network_inspectors/rna/rna_logger.cc
index 46fc35939..e8ce65b4b 100644
--- a/src/network_inspectors/rna/rna_logger.cc
+++ b/src/network_inspectors/rna/rna_logger.cc
@@ -44,6 +44,7 @@
 #endif
 using namespace snort;
+using namespace std;
 #ifdef DEBUG_MSGS
 static inline void rna_logger_message(const RnaLoggerEvent& rle, const Packet* p)
@@ -95,11 +96,18 @@ static inline void rna_logger_message(const RnaLoggerEvent& rle, const Packet* p
 debug_logf(rna_trace, p, "RNA Banner log: true\n");
 }
- if ( rle.user )
+ if ( rle.user and *rle.user )
 {
- if ( rle.user and *rle.user )
- debug_logf(rna_trace, p,
- "RNA user login: service %u, user name %s\n", rle.appid, rle.user);
+ string login_str;
+ if ( rle.type == RUA_EVENT )
+ {
+ if ( rle.subtype == CHANGE_USER_LOGIN )
+ login_str = " login success";
+ else if ( rle.subtype == FAILED_USER_LOGIN )
+ login_str = " login failure";
+ }
+ debug_logf(rna_trace, nullptr, "RNA user%s: service %u, user name %s\n",
+ login_str.c_str(), rle.appid, rle.user);
 }
 }
 else
diff --git a/src/network_inspectors/rna/rna_logger_common.h b/src/network_inspectors/rna/rna_logger_common.h
index 38bdfbfd5..aee6625f8 100644
--- a/src/network_inspectors/rna/rna_logger_common.h
+++ b/src/network_inspectors/rna/rna_logger_common.h
@@ -44,5 +44,6 @@
 #define RUA_EVENT 1004
 #define CHANGE_USER_LOGIN 2
+ #define FAILED_USER_LOGIN 5
 #endif
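Review bot: The new parameter in the `discover_user` declaration is an unnamed `bool`, whereas the neighbouring parameters `username` and `mac` in the same declarations are named; a bare `bool` at the end of a nine-parameter list gives callers no hint of its meaning. Writing `RnaLogger&, const char* username, AppId, IpProtocol, RnaConfig*, bool login_success);` matches the definition in rna_app_discovery.cc and keeps the header self-describing.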
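Review bot: The rewritten user trace in `rna_logger_message` passes `nullptr` instead of `p` as the packet argument to `debug_logf`, while the banner trace two lines above still passes `p`, so packet-scoped trace filtering will now treat the two RNA messages differently. If that is deliberate (for instance because user events can be logged without a packet), a comment such as `// user events may be logged without packet context` would record it; otherwise the call should keep `p` like its neighbours. Building a `std::string login_str` on every call could also be a `const char*` pointing at the two literals, avoiding an allocation in the debug path, though that is minor. The enclosing function continues outside the hunk.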