From: Oleksandr Stepanov -X (ostepano - SOFTSERVE INC at Cisco) Date: Tue, 21 Jan 2025 18:14:11 +0000 (+0000) Subject: Pull request #4574: hosts: added check to verify ip protocol match on hosts lookup X-Git-Tag: 3.6.3.0~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e3486578585571634f0243d4507d4f2af0eb518;p=thirdparty%2Fsnort3.git Pull request #4574: hosts: added check to verify ip protocol match on hosts lookup Merge in SNORT/snort3 from ~OSTEPANO/snort3:hosts_proto to master Squashed commit of the following: commit d329f6a7046edf562aafb24e99235669ce54c84f Author: Oleksandr Stepanov Date: Wed Jan 15 10:38:45 2025 -0500 hosts: added check to verify ip protocol match on hosts lookup
---
diff --git a/src/network_inspectors/binder/binder.cc b/src/network_inspectors/binder/binder.cc
index 5481d0215..afbb7de36 100644
--- a/src/network_inspectors/binder/binder.cc
+++ b/src/network_inspectors/binder/binder.cc
@@ -733,7 +733,8 @@ void Binder::handle_flow_setup(Flow& flow, bool standby)
 // in binder, but it *does* need to occur before the binding lookup (for service information)
 HostAttriInfo host;
 HostAttriInfo* p_host = nullptr;
- if ( HostAttributesManager::get_host_attributes(flow.server_ip, flow.server_port, &host) )
+
+ if ( HostAttributesManager::get_host_attributes(flow.server_ip, flow.pkt_type, flow.server_port, &host) )
 p_host = &host;
 if (p_host)
diff --git a/src/stream/stream.cc b/src/stream/stream.cc
index d003386cb..b31818564 100644
--- a/src/stream/stream.cc
+++ b/src/stream/stream.cc
@@ -433,7 +433,7 @@ SnortProtocolId Stream::get_snort_protocol_id(Flow* flow)
 set_ip_protocol(flow);
 HostAttriInfo host;
- if (HostAttributesManager::get_host_attributes(flow->server_ip, flow->server_port, &host))
+ if (HostAttributesManager::get_host_attributes(flow->server_ip, flow->ssn_state.ipprotocol, flow->server_port, &host))
 {
 set_snort_protocol_id_from_ha(flow, host.snort_protocol_id);
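Review bot: The protocol handed to the lookup in `handle_flow_setup` is `flow.pkt_type`, while the two lookups in `Stream::get_snort_protocol_id` in the same commit pass `flow->ssn_state.ipprotocol`; the two sources can disagree for any packet type the new `PktType` overload leaves unmapped, which is then looked up with protocol 0. A one-line comment above the call should record why binder derives the protocol from the packet type here — presumably `ssn_state.ipprotocol` is not yet populated at flow setup, which the hunk does not show — for example `// ssn_state.ipprotocol is not populated yet at flow setup; derive the protocol from pkt_type` if that is the reason. The blank line inserted before the `if` is an unrelated whitespace change and could be dropped. The enclosing function starts and ends outside the hunk.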
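Review bot: `HostAttributesManager::get_host_attributes` still returns true whenever the host entry is found, and the descriptor (hunk at 126) leaves `host.snort_protocol_id` at `UNKNOWN_PROTOCOL_ID` when no service matches; now that the protocol is part of the match, a host whose services are registered for a different protocol enters this block and calls `set_snort_protocol_id_from_ha(flow, UNKNOWN_PROTOCOL_ID)`, and the client-side lookup in the hunk at 441 behaves the same way. Whether that then short-circuits the client lookup depends on the line hidden between the two hunks, so unless `set_snort_protocol_id_from_ha` already treats the unknown id as "no information", the call deserves a guard: `if (host.snort_protocol_id != UNKNOWN_PROTOCOL_ID)` before `set_snort_protocol_id_from_ha(flow, host.snort_protocol_id);`. `ssn_state.ipprotocol` is presumably filled in by the preceding `set_ip_protocol(flow)`, which I cannot confirm from the hunk. The enclosing function starts and ends outside the hunk.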
@@ -441,7 +441,7 @@ SnortProtocolId Stream::get_snort_protocol_id(Flow* flow)
 return flow->ssn_state.snort_protocol_id;
 }
- if (HostAttributesManager::get_host_attributes(flow->client_ip, flow->client_port, &host))
+ if (HostAttributesManager::get_host_attributes(flow->client_ip, flow->ssn_state.ipprotocol, flow->client_port, &host))
 {
 set_snort_protocol_id_from_ha(flow, host.snort_protocol_id);
diff --git a/src/target_based/host_attributes.cc b/src/target_based/host_attributes.cc
index e854a5cbe..921a5d359 100644
--- a/src/target_based/host_attributes.cc
+++ b/src/target_based/host_attributes.cc
@@ -126,14 +126,14 @@ void HostAttributesDescriptor::clear_appid_services()
 }
 }
-void HostAttributesDescriptor::get_host_attributes(uint16_t port,HostAttriInfo* host_info) const
+void HostAttributesDescriptor::get_host_attributes(uint16_t protocol, uint16_t port, HostAttriInfo* host_info) const
 {
 std::lock_guard slk(host_attributes_lock);
 host_info->frag_policy = policies.fragPolicy;
 host_info->stream_policy = policies.streamPolicy;
 host_info->snort_protocol_id = UNKNOWN_PROTOCOL_ID;
 auto it = std::find_if(services.cbegin(), services.cend(),
- [port](const HostServiceDescriptor &s){ return s.port == port; });
+ [protocol,port](const HostServiceDescriptor &s){ return protocol == s.ipproto and s.port == port; });
 if (it != services.cend())
 host_info->snort_protocol_id = (*it).snort_protocol_id;
 }
@@ -193,7 +193,7 @@ void HostAttributesManager::swap_cleanup()
 void HostAttributesManager::term()
 { delete active_cache; }
-bool HostAttributesManager::get_host_attributes(const snort::SfIp& host_ip, uint16_t port, HostAttriInfo* host_info)
+bool HostAttributesManager::get_host_attributes(const snort::SfIp& host_ip, uint16_t protocol, uint16_t port, HostAttriInfo* host_info)
 {
 if ( !active_cache )
 return false;
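Review bot: The new parameter order `(uint16_t protocol, uint16_t port, HostAttriInfo*)` on `HostAttributesDescriptor::get_host_attributes` is the reverse of `update_service(uint16_t port, uint16_t protocol, ...)` on the same class (header hunk at 93) and of `HostAttributesManager::update_service(host_ip, port, protocol, ...)` (hunk at 201); because both parameters are `uint16_t`, a caller that swaps them compiles silently and simply never matches a service. Either adopt the `update_service` order, `void get_host_attributes(uint16_t port, uint16_t protocol, HostAttriInfo*) const;`, or put a short comment on the declaration pointing out the difference; the manager overloads in the hunks at 193 and 149 have the same order and would follow whichever choice is made. The rest of the predicate change is straightforward: `protocol` is compared directly against each service's `ipproto`, so a lookup with protocol 0 only matches services registered with `ipproto` 0.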
@@ -201,12 +201,40 @@ bool HostAttributesManager::get_host_attributes(const snort::SfIp& host_ip, uint
 HostAttributesEntry h = active_cache->find(host_ip);
 if (h)
 {
- h->get_host_attributes(port, host_info);
+ h->get_host_attributes(protocol, port, host_info);
 return true;
 }
 return false;
 }
+bool HostAttributesManager::get_host_attributes(const snort::SfIp& host_ip, PktType pkt_type, uint16_t port, HostAttriInfo* host_info)
+{
+ if ( !active_cache )
+ return false;
+
+ uint16_t ipproto = 0;
+
+ switch (pkt_type)
+ {
+ case PktType::TCP:
+ ipproto = SNORT_PROTO_TCP;
+ break;
+
+ case PktType::UDP:
+ ipproto = SNORT_PROTO_UDP;
+ break;
+
+ case PktType::ICMP:
+ ipproto = SNORT_PROTO_ICMP;
+ break;
+
+ default:
+ break;
+ }
+
+ return get_host_attributes(host_ip, ipproto, port, host_info);
+}
+
 void HostAttributesManager::update_service(const snort::SfIp& host_ip, uint16_t port, uint16_t protocol, SnortProtocolId snort_protocol_id, bool is_appid_service)
 {
diff --git a/src/target_based/host_attributes.h b/src/target_based/host_attributes.h
index 3df8ce0a0..bba991bbf 100644
--- a/src/target_based/host_attributes.h
+++ b/src/target_based/host_attributes.h
@@ -30,6 +30,7 @@
 #include
 #include "framework/counts.h"
+#include "framework/decode_data.h"
 #include "sfip/sf_ip.h"
 #include "target_based/snort_protocols.h"
@@ -93,7 +94,7 @@ public:
 bool update_service(uint16_t port, uint16_t protocol, SnortProtocolId, bool& updated, bool is_appid_service = false);
 void clear_appid_services();
- void get_host_attributes(uint16_t, HostAttriInfo*) const;
+ void get_host_attributes(uint16_t protocol, uint16_t port, HostAttriInfo*) const;
 // Note: the following get/set are only called from main thread on a temp LRU table
 const snort::SfIp& get_ip_addr() const
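Review bot: In the new `PktType` overload the `default:` branch leaves `ipproto` at 0, so a flow whose packet type is not TCP, UDP or ICMP is looked up with protocol 0 and, under the predicate in the hunk at 126, matches only services whose `ipproto` is also 0 — a silent miss for a host that does have a service on that port under another protocol. The default case should at least say so, e.g. `// other packet types carry no service protocol; 0 only matches services registered without one`, or, if a protocol-less lookup is never intended, return false there so the miss is explicit. The `if ( !active_cache ) return false;` at the top repeats the check the delegated `uint16_t` overload performs and can be dropped. Pulling the `switch` into a small static helper would also give binder and stream one place to look for the mapping, but that is a style preference.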
@@ -149,7 +150,8 @@ public:
 static void term();
 static bool add_host(HostAttributesEntry, snort::SnortConfig*);
- static bool get_host_attributes(const snort::SfIp&, uint16_t, HostAttriInfo*);
+ static bool get_host_attributes(const snort::SfIp&, uint16_t protocol, uint16_t port, HostAttriInfo*);
+ static bool get_host_attributes(const snort::SfIp&, PktType pkt_type, uint16_t port, HostAttriInfo*);
 static void update_service(const snort::SfIp&, uint16_t port, uint16_t protocol, SnortProtocolId, bool is_appid_service = false);
 static void clear_appid_services();
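Review bot: The two `get_host_attributes` overloads are declared with no comment distinguishing them, and the `PktType` one encodes a mapping (TCP, UDP and ICMP to the corresponding `SNORT_PROTO_*` value, anything else to 0) that a caller cannot see from the header. A comment above the pair would close that gap, e.g. `// protocol is matched exactly against each service's ipproto; the PktType overload maps TCP/UDP/ICMP onto it and passes 0 for any other packet type`. The same comment should state that a true return means the host entry was found, not that a service matched — `snort_protocol_id` in the out-parameter is `UNKNOWN_PROTOCOL_ID` in the latter case (host_attributes.cc hunk at 126).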