From: Ron Dempster (rdempste)
Date: Mon, 10 Apr 2023 19:55:34 +0000 (+0000)
Subject: Pull request #3801: appid: make ssl app group id lookup set payload and client
X-Git-Tag: 3.1.60.0~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=934ea839ec1710a0614a9e8ea8107588cfa05a2b;p=thirdparty%2Fsnort3.git
Pull request #3801: appid: make ssl app group id lookup set payload and client
Merge in SNORT/snort3 from ~RDEMPSTE/snort3:cert_viz_take_2 to master
Squashed commit of the following:
commit a36b1fbaeb2485a2d9e20354af8062fca368e988
Author: Ron Dempster (rdempste)
Date: Wed Apr 5 17:01:39 2023 -0400
appid: make ssl app group id lookup set payload and client
---
diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc
index c98ed9951..67bb7b226 100644
--- a/src/network_inspectors/appid/appid_api.cc
+++ b/src/network_inspectors/appid/appid_api.cc
@@ -207,6 +207,7 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name,
 else
 asd->set_payload_id(payload_id);
 
+ asd->set_ss_application_ids(client_id, payload_id, change_bits);
 asd->set_tls_host(change_bits);
 
 Packet* p = DetectionEngine::get_current_packet();
diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc
index d2948a35e..76ea3178c 100644
--- a/src/network_inspectors/appid/test/appid_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_api_test.cc
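Review bot: The added `asd->set_ss_application_ids(client_id, payload_id, change_bits);` forwards the caller's raw payload_id, while the if/else immediately above may have stored a different value through `set_payload_id` (the condition and its first branch sit above the hunk, so only the `else` is visible here). If that branch stores anything other than payload_id, the ids published through the change bits disagree with the payload the session itself holds, and consumers that act on the published ids — AppId-driven policy included — would see a value the session does not carry. Keeping the chosen value in one local and passing it to both calls, e.g. `asd->set_ss_application_ids(client_id, stored_payload_id, change_bits);` where `stored_payload_id` (a constructed name) is whatever `set_payload_id` received, removes the possible divergence; if the hidden branch also stores payload_id, a one-line comment saying so would suffice. The same question applies to client_id if it can still be overridden later in the function (the test comments mention an Encrypted Visibility Engine override), in which case the call may belong after that point. ssl_app_group_id_lookup starts and ends outside this hunk.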
@@ -275,7 +275,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log);
 
 // Common name based detection
 mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits);
@@ -292,7 +292,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco");
- STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log);
 
 // First alt name based detection
 change_bits.reset();
@@ -304,7 +304,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 CHECK_EQUAL(payload, APPID_UT_ID + 1);
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log);
 
 // Org unit based detection
 string host = "";
@@ -316,7 +316,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 CHECK_EQUAL(client, APPID_UT_ID + 3);
 CHECK_EQUAL(payload, APPID_UT_ID + 3);
 STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), APPID_UT_ORG_UNIT);
- STRCMP_EQUAL("Published change_bits == 00000000000000000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000011000", test_log);
 
 // Override client id found by SSL pattern matcher with the client id provided by
 // Encrypted Visibility Engine if available
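Review bot: The updated expectation in this hunk, and the identical updates at -292, -304, -316 and -335, compare against the opaque literal `"Published change_bits == 00000000000100011000"`, so a reader cannot tell which change bits the new `set_ss_application_ids` call is expected to raise or whether they are the intended ones. In every case the two newly set bits are positions 3 and 4 from the right (the -316 case shows them alone, where the old string was all zeros), which presumably are the client and payload change bits — confirm against the change-bit enum before naming them. A one-line comment above the first changed assertion, `// set_ss_application_ids now also raises the client and payload change bits`, would record the intent for the next person who has to adjust these strings. Building the expected string from the enum values in a small helper would additionally make the assertions robust to future bit insertions, but that is optional.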
@@ -335,7 +335,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log);
 
 mock().checkExpectations();