From: Shravan Rangarajuvenkata (shrarang) Date: Mon, 23 Sep 2019 21:49:10 +0000 (-0400) Subject: Merge pull request #1752 in SNORT/snort3 from ~SATHIRKA/snort3:bittorrent_wildcard... X-Git-Tag: 3.0.0-262~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=991eb9e65ca1c526162cd983f645bbcdd8926465;p=thirdparty%2Fsnort3.git Merge pull request #1752 in SNORT/snort3 from ~SATHIRKA/snort3:bittorrent_wildcard to master Squashed commit of the following: commit e2525bc26e3155a88b92665efc8fd466daae33eb Author: Sreeja Athirkandathil Narayanan Date: Wed Sep 18 15:58:20 2019 -0400 appid: Add support for wildcard ports in host tracker
---
diff --git a/src/host_tracker/host_tracker.cc b/src/host_tracker/host_tracker.cc
index 6a3bc8a09..c8ae5a7db 100644
--- a/src/host_tracker/host_tracker.cc
+++ b/src/host_tracker/host_tracker.cc
@@ -101,15 +101,15 @@ bool HostTracker::add_service(Port port, IpProtocol proto, AppId appid, bool inf
 return true;
 }
-AppId HostTracker::get_appid(Port port, IpProtocol proto, bool inferred_only)
+AppId HostTracker::get_appid(Port port, IpProtocol proto, bool inferred_only, bool allow_port_wildcard)
 {
 host_tracker_stats.service_finds++;
 std::lock_guard lck(host_tracker_lock);
 for ( const auto& s : services )
 {
- if ( s.port == port and s.proto == proto and
- (!inferred_only or s.inferred_appid == inferred_only) )
+ bool matched = (s.port == port and s.proto == proto and (!inferred_only or s.inferred_appid == inferred_only));
+ if ( matched or ( allow_port_wildcard and s.inferred_appid ) )
 return s.appid;
 }
diff --git a/src/host_tracker/host_tracker.h b/src/host_tracker/host_tracker.h
index ff46f9adc..5d45a11ac 100644
--- a/src/host_tracker/host_tracker.h
+++ b/src/host_tracker/host_tracker.h
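Review bot: The wildcard branch in the new `if ( matched or ( allow_port_wildcard and s.inferred_appid ) )` returns the first inferred entry in `services` regardless of `proto` and before the loop has had a chance to see an exact match on `port`, so an inferred TCP entry recorded earlier shadows an exact UDP match recorded later and the answer depends on insertion order. Because these entries are inferred from observed traffic, one inferred classification is thereby widened to every port of the host, which affects attribution in logs and any policy keyed on the appid. Prefer a two-pass shape: return on the exact match inside the loop, remember the first inferred entry with `s.proto == proto` as a fallback, and return that fallback after the loop. The post-loop return is outside the hunk and presumably yields APP_ID_NONE today; it would return the fallback instead.
```cpp
    AppId wildcard_appid = APP_ID_NONE;

    for ( const auto& s : services )
    {
        if ( s.port == port and s.proto == proto and
            (!inferred_only or s.inferred_appid == inferred_only) )
            return s.appid;

        // Remember the first inferred service of the requested protocol as a
        // fallback, but keep scanning so an exact port match always wins.
        if ( allow_port_wildcard and s.inferred_appid and s.proto == proto
            and wildcard_appid == APP_ID_NONE )
            wildcard_appid = s.appid;
    }
    // … post-loop return (outside the hunk) becomes: return wildcard_appid; …
```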
@@ -108,7 +108,7 @@ public:
 bool add_service(Port port, IpProtocol proto, AppId appid = APP_ID_NONE, bool inferred_appid = false);
- AppId get_appid(Port port, IpProtocol proto, bool inferred_only = false);
+ AppId get_appid(Port port, IpProtocol proto, bool inferred_only = false, bool allow_port_wildcard = false);
 // This should be updated whenever HostTracker data members are changed
 void stringify(std::string& str);
diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc
index 9992d0149..77267a07b 100644
--- a/src/network_inspectors/appid/app_info_table.cc
+++ b/src/network_inspectors/appid/app_info_table.cc
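Review bot: The new `allow_port_wildcard` parameter on `get_appid` is undocumented in the header, and a caller reading `get_appid(port, proto, true, true)` cannot tell what the second bool relaxes. A one-line comment above the declaration would make the trade-off explicit to whoever enables it, e.g. `// allow_port_wildcard: if set, an inferred service recorded on a different port of this host may be returned instead of APP_ID_NONE`. Two adjacent defaulted bools also invite argument swaps at call sites; if the signature changes again, an enum or a small options struct would be safer than a third bool.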
@@ -366,6 +366,34 @@ void AppInfoManager::load_appid_config(AppIdModuleConfig* config, const char* pa
 config->is_host_port_app_cache_runtime = true;
 }
 }
+ else if (!(strcasecmp(conf_key, "allow_port_wildcard_host_cache")))
+ {
+ if (!(strcasecmp(conf_val, "enabled")))
+ {
+ config->allow_port_wildcard_host_cache = true;
+ }
+ }
+ else if (!(strcasecmp(conf_key, "bittorrent_aggressiveness")))
+ {
+ int aggressiveness = atoi(conf_val);
+ LogMessage("AppId: bittorrent_aggressiveness %d\n", aggressiveness);
+ if (aggressiveness >= 50)
+ {
+ config->host_port_app_cache_lookup_interval = 5;
+ set_app_info_flags(APP_ID_BITTORRENT, APPINFO_FLAG_DEFER);
+ set_app_info_flags(APP_ID_BITTORRENT, APPINFO_FLAG_DEFER_PAYLOAD);
+ config->max_tp_flow_depth = 25;
+ LogMessage("AppId: host_port_app_cache_lookup_interval %d\n", config->host_port_app_cache_lookup_interval);
+ LogMessage("AppId: defer_to_thirdparty %d\n", APP_ID_BITTORRENT);
+ LogMessage("AppId: defer_payload_to_thirdparty %d\n", APP_ID_BITTORRENT);
+ LogMessage("AppId: max_tp_flow_depth %d\n", config->max_tp_flow_depth);
+ }
+ if (aggressiveness >= 80)
+ {
+ config->allow_port_wildcard_host_cache = true;
+ LogMessage("AppId: allow_port_wildcard_host_cache enabled\n");
+ }
+ }
 else if (!(strcasecmp(conf_key, "tp_allow_probes")))
 {
 if (!(strcasecmp(conf_val, "enabled")))
diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h
index 561c2b36f..14f7f8749 100644
--- a/src/network_inspectors/appid/appid_config.h
+++ b/src/network_inspectors/appid/appid_config.h
@@ -102,6 +102,7 @@ public:
 uint32_t host_port_app_cache_lookup_interval = 10;
 uint32_t host_port_app_cache_lookup_range = 100000;
 uint32_t http_response_version_enabled = 0;
+ bool allow_port_wildcard_host_cache = false;
 };
 typedef std::array AppIdPortExclusions;
diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index fb0d0d378..40ba7b1ef 100644
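Review bot: `int aggressiveness = atoi(conf_val);` accepts any text: a non-numeric value or trailing junk silently becomes 0, and a value outside int range is undefined behaviour in atoi, so a mistyped knob that is meant to turn on third-party deferral and wildcard port matching fails without a diagnostic. Parse with `strtol` and an end pointer, log and ignore anything that is not a plain non-negative integer, and only then apply the thresholds (presumably a 0–100 scale, given 50 and 80). The thresholds 50 and 80 and the derived values 5 and 25 are unexplained magic numbers; a comment naming what each tier trades off would help the next reader. The enclosing load_appid_config body continues outside the hunk on both sides.
```cpp
        else if (!(strcasecmp(conf_key, "bittorrent_aggressiveness")))
        {
            char* end = nullptr;
            long aggressiveness = strtol(conf_val, &end, 10);
            // Reject non-numeric or partially numeric input instead of silently reading 0.
            if (end == conf_val || *end != '\0' || aggressiveness < 0)
            {
                LogMessage("AppId: ignoring invalid bittorrent_aggressiveness '%s'\n", conf_val);
                aggressiveness = 0;
            }
            LogMessage("AppId: bittorrent_aggressiveness %ld\n", aggressiveness);
            // … unchanged: >= 50 and >= 80 handling …
```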
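Review bot: The new `bool allow_port_wildcard_host_cache = false;` member has no comment, although its effect is to let a host-tracker lookup return an inferred appid recorded on a different port of the same host, which is a notable relaxation of the cache's matching. A one-liner above it would put that where operators and reviewers look, e.g. `// Allow host cache lookups to match an inferred service on any port of the host; set by allow_port_wildcard_host_cache = enabled or bittorrent_aggressiveness >= 80`. Placing it next to host_port_app_cache_lookup_interval is reasonable since both tune the same lookup.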
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -917,7 +917,7 @@ bool AppIdDiscovery::do_host_port_based_discovery(Packet* p, AppIdSession& asd,
 auto ht = host_cache.find(*ip);
 if (ht)
 {
- AppId appid = ht->get_appid(port, protocol, true);
+ AppId appid = ht->get_appid(port, protocol, true, asd.config->mod_config->allow_port_wildcard_host_cache);
 if (appid > APP_ID_NONE)
 {
 // FIXIT-L: Make this more generic to support service and payload IDs
diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc
index e5da21705..fbd703e97 100644
--- a/src/network_inspectors/appid/test/appid_discovery_test.cc
+++ b/src/network_inspectors/appid/test/appid_discovery_test.cc
@@ -220,7 +220,7 @@ ServiceDiscovery& ServiceDiscovery::get_instance()
 }
 HostCacheIp host_cache(50);
-AppId HostTracker::get_appid(Port, IpProtocol, bool)
+AppId HostTracker::get_appid(Port, IpProtocol, bool, bool)
 {
 return APP_ID_NONE;
 }
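Review bot: The new call `ht->get_appid(port, protocol, true, asd.config->mod_config->allow_port_wildcard_host_cache)` stacks a literal `true` next to a config bool, which is hard to read at the call site, and once the wildcard is on, an appid that passes the following `appid > APP_ID_NONE` check may have been recorded for a different port of this host, which nothing downstream can distinguish from an exact match. Naming the flag first keeps the intent visible: `const bool wildcard = asd.config->mod_config->allow_port_wildcard_host_cache;` then `AppId appid = ht->get_appid(port, protocol, true, wildcard);`. A short comment that the result is then only as reliable as the host's inferred entries would help whoever tunes this for BitTorrent. The enclosing do_host_port_based_discovery body continues outside the hunk.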