From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 24 Sep 2019 13:06:44 +0000 (-0400) Subject: Merge pull request #1746 in SNORT/snort3 from ~SHRARANG/snort3:appid_detector_callbac... X-Git-Tag: 3.0.0-262~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=995ed74bfdecec8ce3881bbe91118a457ef7f039;p=thirdparty%2Fsnort3.git Merge pull request #1746 in SNORT/snort3 from ~SHRARANG/snort3:appid_detector_callback to master Squashed commit of the following: commit a288bcb656661f879362bb851eb8aba5425c3774 Author: Shravan Rangaraju Date: Mon Sep 16 10:18:56 2019 -0400 appid: add support for Lua detector callback mechanism
---
diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt
index 0a0873351..5c2d73deb 100644
--- a/src/network_inspectors/appid/CMakeLists.txt
+++ b/src/network_inspectors/appid/CMakeLists.txt
@@ -22,28 +22,28 @@ set (APPID_INCLUDES set ( APPID_INCLUDE_DIR ${CMAKE_CURRENT_SOURCE_DIR} ) set ( CP_APPID_SOURCES - client_plugins/client_app_aim.cc - client_plugins/client_app_aim.h - client_plugins/client_app_bit.cc - client_plugins/client_app_bit.h - client_plugins/client_app_bit_tracker.cc - client_plugins/client_app_bit_tracker.h - client_plugins/client_detector.cc - client_plugins/client_detector.h - client_plugins/client_app_msn.cc - client_plugins/client_app_msn.h - client_plugins/client_app_rtp.cc - client_plugins/client_app_rtp.h - client_plugins/client_app_ssh.cc - client_plugins/client_app_ssh.h - client_plugins/client_app_timbuktu.cc - client_plugins/client_app_timbuktu.h - client_plugins/client_app_tns.cc - client_plugins/client_app_tns.h - client_plugins/client_app_vnc.cc - client_plugins/client_app_vnc.h - client_plugins/client_app_ym.cc - client_plugins/client_app_ym.h + client_plugins/client_app_aim.cc + client_plugins/client_app_aim.h + client_plugins/client_app_bit.cc + client_plugins/client_app_bit.h + client_plugins/client_app_bit_tracker.cc + client_plugins/client_app_bit_tracker.h + client_plugins/client_detector.cc + client_plugins/client_detector.h + client_plugins/client_app_msn.cc + client_plugins/client_app_msn.h + client_plugins/client_app_rtp.cc + client_plugins/client_app_rtp.h + client_plugins/client_app_ssh.cc + client_plugins/client_app_ssh.h + client_plugins/client_app_timbuktu.cc + client_plugins/client_app_timbuktu.h + client_plugins/client_app_tns.cc + client_plugins/client_app_tns.h + client_plugins/client_app_vnc.cc + client_plugins/client_app_vnc.h + client_plugins/client_app_ym.cc + client_plugins/client_app_ym.h client_plugins/client_detector.cc client_plugins/client_detector.h client_plugins/client_discovery.cc 
@@ -51,108 +51,108 @@ set ( CP_APPID_SOURCES ) set ( SP_APPID_SOURCES - service_plugins/dcerpc.cc - service_plugins/dcerpc.h - service_plugins/service_battle_field.cc - service_plugins/service_battle_field.h - service_plugins/service_bgp.cc - service_plugins/service_bgp.h - service_plugins/service_bit.cc - service_plugins/service_bit.h - service_plugins/service_bootp.cc - service_plugins/service_bootp.h - service_plugins/service_dcerpc.cc - service_plugins/service_dcerpc.h + service_plugins/dcerpc.cc + service_plugins/dcerpc.h + service_plugins/service_battle_field.cc + service_plugins/service_battle_field.h + service_plugins/service_bgp.cc + service_plugins/service_bgp.h + service_plugins/service_bit.cc + service_plugins/service_bit.h + service_plugins/service_bootp.cc + service_plugins/service_bootp.h + service_plugins/service_dcerpc.cc + service_plugins/service_dcerpc.h service_plugins/service_detector.cc service_plugins/service_detector.h - service_plugins/service_direct_connect.cc - service_plugins/service_direct_connect.h + service_plugins/service_direct_connect.cc + service_plugins/service_direct_connect.h service_plugins/service_discovery.cc service_plugins/service_discovery.h - service_plugins/service_flap.cc - service_plugins/service_flap.h - service_plugins/service_ftp.cc - service_plugins/service_ftp.h - service_plugins/service_irc.cc - service_plugins/service_irc.h - service_plugins/service_lpr.cc - service_plugins/service_lpr.h - service_plugins/service_mdns.cc - service_plugins/service_mdns.h - service_plugins/service_mysql.cc - service_plugins/service_mysql.h - service_plugins/service_netbios.cc - service_plugins/service_netbios.h - service_plugins/service_nntp.cc - service_plugins/service_nntp.h - service_plugins/service_ntp.cc - service_plugins/service_ntp.h - service_plugins/service_radius.cc - service_plugins/service_radius.h - service_plugins/service_regtest.cc - service_plugins/service_regtest.h - service_plugins/service_rexec.cc - 
service_plugins/service_rexec.h - service_plugins/service_rfb.cc - service_plugins/service_rfb.h - service_plugins/service_rlogin.cc - service_plugins/service_rlogin.h - service_plugins/service_rpc.cc - service_plugins/service_rpc.h - service_plugins/service_rshell.cc - service_plugins/service_rshell.h - service_plugins/service_rsync.cc - service_plugins/service_rsync.h - service_plugins/service_rtmp.cc - service_plugins/service_rtmp.h - service_plugins/service_snmp.cc - service_plugins/service_snmp.h - service_plugins/service_ssh.cc - service_plugins/service_ssh.h - service_plugins/service_ssl.cc - service_plugins/service_ssl.h - service_plugins/service_telnet.cc - service_plugins/service_telnet.h - service_plugins/service_tftp.cc - service_plugins/service_tftp.h - service_plugins/service_timbuktu.cc - service_plugins/service_timbuktu.h - service_plugins/service_tns.cc - service_plugins/service_tns.h + service_plugins/service_flap.cc + service_plugins/service_flap.h + service_plugins/service_ftp.cc + service_plugins/service_ftp.h + service_plugins/service_irc.cc + service_plugins/service_irc.h + service_plugins/service_lpr.cc + service_plugins/service_lpr.h + service_plugins/service_mdns.cc + service_plugins/service_mdns.h + service_plugins/service_mysql.cc + service_plugins/service_mysql.h + service_plugins/service_netbios.cc + service_plugins/service_netbios.h + service_plugins/service_nntp.cc + service_plugins/service_nntp.h + service_plugins/service_ntp.cc + service_plugins/service_ntp.h + service_plugins/service_radius.cc + service_plugins/service_radius.h + service_plugins/service_regtest.cc + service_plugins/service_regtest.h + service_plugins/service_rexec.cc + service_plugins/service_rexec.h + service_plugins/service_rfb.cc + service_plugins/service_rfb.h + service_plugins/service_rlogin.cc + service_plugins/service_rlogin.h + service_plugins/service_rpc.cc + service_plugins/service_rpc.h + service_plugins/service_rshell.cc + 
service_plugins/service_rshell.h + service_plugins/service_rsync.cc + service_plugins/service_rsync.h + service_plugins/service_rtmp.cc + service_plugins/service_rtmp.h + service_plugins/service_snmp.cc + service_plugins/service_snmp.h + service_plugins/service_ssh.cc + service_plugins/service_ssh.h + service_plugins/service_ssl.cc + service_plugins/service_ssl.h + service_plugins/service_telnet.cc + service_plugins/service_telnet.h + service_plugins/service_tftp.cc + service_plugins/service_tftp.h + service_plugins/service_timbuktu.cc + service_plugins/service_timbuktu.h + service_plugins/service_tns.cc + service_plugins/service_tns.h ) set ( DP_APPID_SOURCES - detector_plugins/detector_dns.cc - detector_plugins/detector_dns.h - detector_plugins/detector_http.cc - detector_plugins/detector_http.h - detector_plugins/detector_imap.cc - detector_plugins/detector_imap.h - detector_plugins/detector_kerberos.cc - detector_plugins/detector_kerberos.h - detector_plugins/detector_pattern.cc - detector_plugins/detector_pattern.h - detector_plugins/detector_pop3.cc - detector_plugins/detector_pop3.h - detector_plugins/detector_sip.cc - detector_plugins/detector_sip.h - detector_plugins/detector_smtp.cc - detector_plugins/detector_smtp.h - detector_plugins/http_url_patterns.cc - detector_plugins/http_url_patterns.h + detector_plugins/detector_dns.cc + detector_plugins/detector_dns.h + detector_plugins/detector_http.cc + detector_plugins/detector_http.h + detector_plugins/detector_imap.cc + detector_plugins/detector_imap.h + detector_plugins/detector_kerberos.cc + detector_plugins/detector_kerberos.h + detector_plugins/detector_pattern.cc + detector_plugins/detector_pattern.h + detector_plugins/detector_pop3.cc + detector_plugins/detector_pop3.h + detector_plugins/detector_sip.cc + detector_plugins/detector_sip.h + detector_plugins/detector_smtp.cc + detector_plugins/detector_smtp.h + detector_plugins/http_url_patterns.cc + detector_plugins/http_url_patterns.h ) set ( 
UTIL_APPID_SOURCES - appid_utils/fw_avltree.cc - appid_utils/fw_avltree.h - appid_utils/ip_funcs.cc - appid_utils/ip_funcs.h - appid_utils/network_set.cc - appid_utils/network_set.h - appid_utils/sf_mlmp.cc - appid_utils/sf_mlmp.h - appid_utils/sf_multi_mpse.cc - appid_utils/sf_multi_mpse.h + appid_utils/fw_avltree.cc + appid_utils/fw_avltree.h + appid_utils/ip_funcs.cc + appid_utils/ip_funcs.h + appid_utils/network_set.cc + appid_utils/network_set.h + appid_utils/sf_mlmp.cc + appid_utils/sf_mlmp.h + appid_utils/sf_multi_mpse.cc + appid_utils/sf_multi_mpse.h ) if ( ENABLE_APPID_THIRD_PARTY ) @@ -169,6 +169,7 @@ set ( APPID_SOURCES app_forecast.h appid_api.cc appid_api.h + appid_app_descriptor.cc appid_app_descriptor.h appid_config.cc appid_config.h @@ -215,24 +216,23 @@ set ( APPID_SOURCES service_state.h http_xff_fields.h ${APPID_TP_SOURCES} - ) - +) #if (STATIC_INSPECTORS) add_library(appid OBJECT - ${APPID_SOURCES} - ${CP_APPID_SOURCES} - ${DP_APPID_SOURCES} - ${SP_APPID_SOURCES} - ${UTIL_APPID_SOURCES} - ) + ${APPID_SOURCES} + ${CP_APPID_SOURCES} + ${DP_APPID_SOURCES} + ${SP_APPID_SOURCES} + ${UTIL_APPID_SOURCES} +) #else (STATIC_INSPECTORS) # add_dynamic_module(appid inspectors -# ${APPID_SOURCES} -# ${CP_APPID_SOURCES} -# ${DP_APPID_SOURCES} -# ${SP_APPID_SOURCES} -# ${UTIL_APPID_SOURCES} +# ${APPID_SOURCES} +# ${CP_APPID_SOURCES} +# ${DP_APPID_SOURCES} +# ${SP_APPID_SOURCES} +# ${UTIL_APPID_SOURCES} # ) #endif (STATIC_INSPECTORS) diff --git a/src/network_inspectors/appid/app_info_table.h b/src/network_inspectors/appid/app_info_table.h index 325c74917..1444f57e4 100644 --- a/src/network_inspectors/appid/app_info_table.h +++ b/src/network_inspectors/appid/app_info_table.h 
@@ -60,7 +60,9 @@ enum AppInfoFlags APPINFO_FLAG_TP_CLIENT = (1<<11), APPINFO_FLAG_DEFER_PAYLOAD = (1<<12), APPINFO_FLAG_SEARCH_ENGINE = (1<<13), - APPINFO_FLAG_SUPPORTED_SEARCH = (1<<14) + APPINFO_FLAG_SUPPORTED_SEARCH = (1<<14), + APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK = (1<<15), + APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK = (1<<16) }; class AppInfoTableEntry diff --git a/src/network_inspectors/appid/appid_app_descriptor.cc b/src/network_inspectors/appid/appid_app_descriptor.cc new file mode 100644 index 000000000..6e666d840 --- /dev/null +++ b/src/network_inspectors/appid/appid_app_descriptor.cc @@ -0,0 +1,23 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2019-2019 Cisco and/or its affiliates. All rights reserved. +//-------------------------------------------------------------------------- + +// appid_app_descriptor.cc author Shravan Rangaraju + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "appid_app_descriptor.h" +#include "lua_detector_api.h" + +void ApplicationDescriptor::set_id(const snort::Packet& p, AppIdSession& asd, + AppidSessionDirection dir, AppId app_id, AppidChangeBits& change_bits) +{ + if ( my_id != app_id ) + { + set_id(app_id); + check_detector_callback(p, asd, dir, app_id, change_bits); + } +} + diff --git a/src/network_inspectors/appid/appid_app_descriptor.h b/src/network_inspectors/appid/appid_app_descriptor.h index 5882785d1..2092c639c 100644 --- a/src/network_inspectors/appid/appid_app_descriptor.h +++ b/src/network_inspectors/appid/appid_app_descriptor.h @@ -30,9 +30,16 @@ #include +#include "protocols/packet.h" +#include "pub_sub/appid_events.h" + #include "app_info_table.h" #include "appid_module.h" #include "appid_peg_counts.h" +#include "appid_types.h" + +class AppIdDetector; +class AppIdSession; class ApplicationDescriptor { 
@@ -47,10 +54,9 @@ public: my_version.clear(); } - virtual void update(AppId id, char* vendor, char* version, AppidChangeBits& change_bits) + virtual void update(AppId id, AppidChangeBits& change_bits, char* version) { set_id(id); - set_vendor(vendor); set_version(version, change_bits); } @@ -73,6 +79,8 @@ public: } } + virtual void set_id(const snort::Packet& p, AppIdSession& asd, AppidSessionDirection dir, AppId app_id, AppidChangeBits& change_bits); + const char* get_vendor() const { return my_vendor.empty() ? nullptr : my_vendor.c_str(); diff --git a/src/network_inspectors/appid/appid_detector.h b/src/network_inspectors/appid/appid_detector.h index c9cd43c80..9d302c8da 100644 --- a/src/network_inspectors/appid/appid_detector.h +++ b/src/network_inspectors/appid/appid_detector.h @@ -17,7 +17,7 @@ // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. //-------------------------------------------------------------------------- -// client_detector.h author Sourcefire Inc. +// appid_detector.h author Sourcefire Inc. #ifndef APPID_DETECTOR_H #define APPID_DETECTOR_H diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index 40ba7b1ef..797303325 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -985,7 +985,7 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto { dns_host_scan_hostname((const uint8_t*)dsession->get_host(), dsession->get_host_len(), &client_id, &payload_id); - asd.set_client_appid_data(client_id, nullptr, change_bits); + asd.set_client_appid_data(client_id, change_bits); } else if (asd.service.get_id() == APP_ID_RTMP) asd.examine_rtmp_metadata(change_bits); diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc index d7b9ef8f7..953625870 100644 --- a/src/network_inspectors/appid/appid_http_session.cc 
+++ b/src/network_inspectors/appid/appid_http_session.cc @@ -312,13 +312,13 @@ void AppIdHttpSession::process_chp_buffers(AppidChangeBits& change_bits) : CHP_APPIDINSTANCE_TO_ID(chp_candidate); if (app_type_flags & APP_TYPE_SERVICE) - asd.set_service_appid_data(chp_final, nullptr, version, change_bits); + asd.set_service_appid_data(chp_final, change_bits, version); if (app_type_flags & APP_TYPE_CLIENT) - asd.set_client_appid_data(chp_final, version, change_bits); + asd.set_client_appid_data(chp_final, change_bits, version); if ( app_type_flags & APP_TYPE_PAYLOAD ) - asd.set_payload_appid_data((AppId)chp_final, version, change_bits); + asd.set_payload_appid_data(chp_final, change_bits, version); if ( version ) { @@ -483,7 +483,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, { if (appidDebug->is_active() and asd.payload.get_id() != APP_ID_WEBDAV) LogMessage("AppIdDbg %s Data is webdav\n", appidDebug->get_debug_session()); - asd.set_payload_appid_data(APP_ID_WEBDAV, nullptr, change_bits); + asd.set_payload_appid_data(APP_ID_WEBDAV, change_bits); } // Scan User-Agent for Browser types or Skype @@ -511,8 +511,8 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, appidDebug->get_debug_session(), app_name ? app_name : "unknown", client_id); } } - asd.set_service_appid_data(service_id, nullptr, nullptr, change_bits); - asd.set_client_appid_data(client_id, version, change_bits); + asd.set_service_appid_data(service_id, change_bits); + asd.set_client_appid_data(client_id, change_bits, version); asd.scan_flags &= ~SCAN_HTTP_USER_AGENT_FLAG; snort_free(version); } @@ -531,7 +531,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, app_name ? app_name : "unknown", payload_id); } - asd.set_payload_appid_data((AppId)payload_id, nullptr, change_bits); + asd.set_payload_appid_data(payload_id, change_bits); asd.scan_flags &= ~SCAN_HTTP_VIA_FLAG; } } 
@@ -559,7 +559,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, LogMessage("AppIdDbg %s X is client %s (%d)\n", appidDebug->get_debug_session(), app_name ? app_name : "unknown", appId); } - asd.set_client_appid_data(appId, version, change_bits); + asd.set_client_appid_data(appId, change_bits, version); } else { @@ -570,7 +570,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, LogMessage("AppIdDbg %s X service %s (%d)\n", appidDebug->get_debug_session(), app_name ? app_name : "unknown", appId); } - asd.set_service_appid_data(appId, nullptr, version, change_bits); + asd.set_service_appid_data(appId, change_bits, version); } asd.scan_flags &= ~SCAN_HTTP_XWORKINGWITH_FLAG; } @@ -597,7 +597,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, app_name ? app_name : "unknown", payload_id); } - asd.set_payload_appid_data((AppId)payload_id, nullptr, change_bits); + asd.set_payload_appid_data(payload_id, change_bits); asd.scan_flags &= ~SCAN_HTTP_CONTENT_TYPE_FLAG; } @@ -625,7 +625,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, app_name ? app_name : "unknown", client_id); } - asd.set_client_appid_data(client_id, nullptr, change_bits); + asd.set_client_appid_data(client_id, change_bits); } if (asd.service.get_id() <= APP_ID_NONE) @@ -639,7 +639,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, app_name ? app_name : "unknown", service_id); } - asd.set_service_appid_data(service_id, nullptr, nullptr, change_bits); + asd.set_service_appid_data(service_id, change_bits); } // DO overwrite a previously-set data 
@@ -651,7 +651,7 @@ int AppIdHttpSession::process_http_packet(AppidSessionDirection direction, app_name ? app_name : "unknown", payload_id); } - asd.set_payload_appid_data((AppId)payload_id, version, change_bits); + asd.set_payload_appid_data(payload_id, change_bits, version); asd.set_referred_payload_app_id_data(referredPayloadAppId, change_bits); } diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 458f5015c..6a86904be 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -45,6 +45,7 @@ #include "appid_inspector.h" #include "appid_stats.h" #include "appid_utils/ip_funcs.h" +#include "lua_detector_api.h" #include "service_plugins/service_ssl.h" #ifdef ENABLE_APPID_THIRD_PARTY #include "tp_lib_handler.h" @@ -415,8 +416,8 @@ void AppIdSession::examine_ssl_metadata(Packet* p, AppidChangeBits& change_bits) if ((ret = ssl_scan_hostname((const uint8_t*)tls_str, size, client_id, payload_id))) { - set_client_appid_data(client_id, nullptr, change_bits); - set_payload_appid_data((AppId)payload_id, nullptr, change_bits); + set_client_appid_data(client_id, change_bits); + set_payload_appid_data(payload_id, change_bits); setSSLSquelch(p, ret, (ret == 1 ? payload_id : client_id)); } scan_flags &= ~SCAN_SSL_HOST_FLAG; @@ -427,8 +428,8 @@ void AppIdSession::examine_ssl_metadata(Packet* p, AppidChangeBits& change_bits) if ((ret = ssl_scan_cname((const uint8_t*)tls_str, size, client_id, payload_id))) { - set_client_appid_data(client_id, nullptr, change_bits); - set_payload_appid_data((AppId)payload_id, nullptr, change_bits); + set_client_appid_data(client_id, change_bits); + set_payload_appid_data(payload_id, change_bits); setSSLSquelch(p, ret, (ret == 1 ? payload_id : client_id)); } tsession->set_tls_cname(nullptr, 0); 
@@ -439,8 +440,8 @@ void AppIdSession::examine_ssl_metadata(Packet* p, AppidChangeBits& change_bits) if ((ret = ssl_scan_cname((const uint8_t*)tls_str, size, client_id, payload_id))) { - set_client_appid_data(client_id, nullptr, change_bits); - set_payload_appid_data((AppId)payload_id, nullptr, change_bits); + set_client_appid_data(client_id, change_bits); + set_payload_appid_data(payload_id, change_bits); setSSLSquelch(p, ret, (ret == 1 ? payload_id : client_id)); } tsession->set_tls_org_unit(nullptr, 0); @@ -472,18 +473,18 @@ void AppIdSession::examine_rtmp_metadata(AppidChangeBits& change_bits) { /* do not overwrite a previously-set client or service */ if (client.get_id() <= APP_ID_NONE) - set_client_appid_data(payload_id, nullptr, change_bits); + set_client_appid_data(payload_id, change_bits); if (service.get_id() <= APP_ID_NONE) - set_service_appid_data(service_id, nullptr, nullptr, change_bits); + set_service_appid_data(service_id, change_bits); /* DO overwrite a previously-set data */ - set_payload_appid_data((AppId)payload.get_id(), nullptr, change_bits); + set_payload_appid_data((AppId)payload.get_id(), change_bits); set_referred_payload_app_id_data(referred_payload_id, change_bits); } } } -void AppIdSession::set_client_appid_data(AppId id, char* version, AppidChangeBits& change_bits) +void AppIdSession::set_client_appid_data(AppId id, AppidChangeBits& change_bits, char* version) { if ( id <= APP_ID_NONE || id == APP_ID_HTTP ) return; @@ -513,7 +514,7 @@ void AppIdSession::set_referred_payload_app_id_data(AppId id, AppidChangeBits& c } } -void AppIdSession::set_payload_appid_data(AppId id, char* version, AppidChangeBits& change_bits) +void AppIdSession::set_payload_appid_data(AppId id, AppidChangeBits& change_bits, char* version) { if ( id <= APP_ID_NONE ) return; 
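Review bot: In examine_rtmp_metadata the rewritten client call still passes the payload id, `set_client_appid_data(payload_id, change_bits);`, and the "DO overwrite" line feeds the session's current value back in with `set_payload_appid_data((AppId)payload.get_id(), change_bits);`, which looks like it leaves the payload app unchanged instead of applying the freshly matched `payload_id`. Both arguments are carried over from the old side, so this commit did not introduce them, but a wrong client or payload id feeds directly into app-based policy decisions and the lines are being rewritten anyway. The function's declarations are outside this hunk; if a separate client id variable exists there, the calls probably want `set_client_appid_data(client_id, change_bits);` and `set_payload_appid_data(payload_id, change_bits);`, which is worth confirming before merging.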
@@ -524,8 +525,7 @@ void AppIdSession::set_payload_appid_data(AppId id, char* version, AppidChangeBi payload.set_version(version, change_bits); } -void AppIdSession::set_service_appid_data(AppId id, char* vendor, char* version, - AppidChangeBits& change_bits) +void AppIdSession::set_service_appid_data(AppId id, AppidChangeBits& change_bits, char* version) { if (id <= APP_ID_NONE) return; @@ -538,7 +538,7 @@ void AppIdSession::set_service_appid_data(AppId id, char* vendor, char* version, return; } - service.update(id, vendor, version, change_bits); + service.update(id, change_bits, version); } void AppIdSession::free_tls_session_data() @@ -943,3 +943,30 @@ bool AppIdSession::is_tp_appid_available() const return true; } +void AppIdSession::set_tp_app_id(Packet& p, AppidSessionDirection dir, AppId app_id, AppidChangeBits& change_bits) +{ + if (tp_app_id != app_id) + { + tp_app_id = app_id; + AppInfoTableEntry* entry = app_info_mgr->get_app_info_entry(tp_app_id); + if (entry) + { + tp_app_id_deferred = (entry->flags & APPINFO_FLAG_DEFER) ? true : false; + check_detector_callback(p, *this, dir, app_id, change_bits, entry); + } + } +} + +void AppIdSession::set_tp_payload_app_id(Packet& p, AppidSessionDirection dir, AppId app_id, AppidChangeBits& change_bits) +{ + if (tp_payload_app_id != app_id) + { + tp_payload_app_id = app_id; + AppInfoTableEntry* entry = app_info_mgr->get_app_info_entry(tp_payload_app_id); + if (entry) + { + tp_payload_app_id_deferred = (entry->flags & APPINFO_FLAG_DEFER_PAYLOAD) ? true : false; + check_detector_callback(p, *this, dir, app_id, change_bits, entry); + } + } +} diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 8a1493a04..ed87858fe 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h 
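Review bot: In both new setters the deferred flag is assigned only inside `if (entry)`, so when `get_app_info_entry` returns null for the new id, `tp_app_id_deferred` (and `tp_payload_app_id_deferred` in set_tp_payload_app_id) keeps the value computed for the previous app id even though `tp_app_id` has already changed. If an unknown id should not be treated as deferred, assign the flag unconditionally, e.g. `tp_app_id_deferred = entry and (entry->flags & APPINFO_FLAG_DEFER);`, and keep only the `check_detector_callback` call under the null check. The two functions are otherwise the same apart from member and flag names, and a short comment stating that these overloads, unlike the inline one-argument `set_tp_app_id`, invoke Lua detector callbacks would help callers choose the right one.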
@@ -309,10 +309,10 @@ public: bool is_ssl_session_decrypted(); void examine_ssl_metadata(snort::Packet*, AppidChangeBits& change_bits); - void set_client_appid_data(AppId, char*, AppidChangeBits& change_bits); - void set_service_appid_data(AppId, char*, char*, AppidChangeBits& change_bits); + void set_client_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); + void set_service_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); void set_referred_payload_app_id_data(AppId, AppidChangeBits& change_bits); - void set_payload_appid_data(AppId, char*, AppidChangeBits& change_bits); + void set_payload_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); void check_app_detection_restart(AppidChangeBits& change_bits); void update_encrypted_app_id(AppId); void examine_rtmp_metadata(AppidChangeBits& change_bits); @@ -331,6 +331,9 @@ public: bool is_tp_processing_done() const; bool is_tp_appid_available() const; + void set_tp_app_id(snort::Packet& p, AppidSessionDirection dir, AppId app_id, AppidChangeBits& change_bits); + void set_tp_payload_app_id(snort::Packet& p, AppidSessionDirection dir, AppId app_id, AppidChangeBits& change_bits); + inline void set_tp_app_id(AppId app_id) { if(tp_app_id != app_id) { tp_app_id = app_id; diff --git a/src/network_inspectors/appid/detector_plugins/test/http_url_patterns_test.cc b/src/network_inspectors/appid/detector_plugins/test/http_url_patterns_test.cc index 07f4047ee..fc2ecaa3d 100644 --- a/src/network_inspectors/appid/detector_plugins/test/http_url_patterns_test.cc +++ b/src/network_inspectors/appid/detector_plugins/test/http_url_patterns_test.cc @@ -58,6 +58,8 @@ static uint16_t my_length[NUM_HTTP_FIELDS] = { 0 }; static CHPAction my_match; static void* my_chp_rewritten = nullptr; +void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { } + TEST_GROUP(http_url_patterns_tests) { void setup() override 
diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc index f42e31b3d..b32bcd238 100644 --- a/src/network_inspectors/appid/lua_detector_api.cc +++ b/src/network_inspectors/appid/lua_detector_api.cc @@ -35,6 +35,7 @@ #include "app_forecast.h" #include "app_info_table.h" +#include "appid_debug.h" #include "appid_inspector.h" #include "client_plugins/client_discovery.h" #include "detector_plugins/detector_dns.h" @@ -51,6 +52,7 @@ #include "host_tracker/host_cache.h" using namespace snort; +using namespace std; #define OVECCOUNT 30 /* should be a multiple of 3 */ 
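Review bot: `using namespace std;` at file scope in lua_detector_api.cc opens all of std in a translation unit that already has `using namespace snort;`, which invites ambiguous names or silently different overload resolution as either namespace grows. In the hunks visible here only `const string& cb_fn_name` in detector_callback relies on it, so writing that as `const std::string& cb_fn_name` and dropping the directive would keep the change local.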
@@ -1223,6 +1225,154 @@ static int detector_add_content_type_pattern(lua_State* L) return 0; } +static int register_callback(lua_State* L, LuaObject& ud, AppInfoFlags flag) +{ + // Verify detector user data and that we are NOT in packet context + ud.validate_lua_state(false); + + const char* callback = lua_tostring(L, 3); + + if (!callback) + { + lua_pushnumber(L, -1); + return 1; // number of results + } + + AppId app_id = lua_tonumber(L, 2); + if (init(L)) + { + // in control thread, update app info table. app info table is shared across all threads + AppInfoTableEntry* entry = AppInfoManager::get_instance().get_app_info_entry(app_id); + if (entry) + { + if (entry->flags & flag) + { + ErrorMessage("AppId: detector callback already registered for app %d\n", app_id); + return 1; + } + entry->flags |= flag; + } + else + { + ErrorMessage("AppId: detector callback cannot be registered for invalid app %d\n", + app_id); + return 1; + } + } + else + { + // In packet thread, store Lua detectors objects with callback in a thread local list. 
+ // Note that Lua detector objects are thread local + ud.set_cb_fn_name(callback); + + assert(lua_detector_mgr); + if (!lua_detector_mgr->insert_cb_detector(app_id, &ud)) + { + ErrorMessage("AppId: detector callback already registered for app %d\n", app_id); + return 1; + } + } + + lua_pushnumber(L, 0); + + return 1; +} + +static int detector_register_client_callback(lua_State* L) +{ + auto& ud = *UserData::check(L, DETECTOR, 1); + + return register_callback(L, *ud, APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK); +} + +static int detector_register_service_callback(lua_State* L) +{ + auto& ud = *UserData::check(L, DETECTOR, 1); + + return register_callback(L, *ud, APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK); +} + +static int detector_callback(const uint8_t* data, uint16_t size, AppidSessionDirection dir, + AppIdSession& asd, const Packet& p, LuaObject& ud, AppidChangeBits& change_bits) +{ + if (!data) + { + return -10; + } + + auto my_lua_state = lua_detector_mgr->L; + const string& cb_fn_name = ud.get_cb_fn_name(); + const char* detector_name = ud.get_detector()->get_name().c_str(); + + if ((cb_fn_name.empty()) || !(lua_checkstack(my_lua_state, 1))) + { + ErrorMessage("Detector %s: invalid LUA %s\n", detector_name, lua_tostring(my_lua_state, -1)); + ud.lsd.ldp.pkt = nullptr; + return -10; + } + + lua_getfield(my_lua_state, LUA_REGISTRYINDEX, ud.lsd.package_info.name.c_str()); + + ud.lsd.ldp.data = data; + ud.lsd.ldp.size = size; + ud.lsd.ldp.dir = dir; + ud.lsd.ldp.asd = &asd; + ud.lsd.ldp.pkt = &p; + ud.lsd.ldp.change_bits = &change_bits; + + lua_getfield(my_lua_state, -1, cb_fn_name.c_str()); + if (lua_pcall(my_lua_state, 0, 1, 0)) + { + ErrorMessage("Detector %s: Error validating %s\n", detector_name, lua_tostring(my_lua_state, -1)); + ud.lsd.ldp.pkt = nullptr; + return -10; + } + + // detector flows must be destroyed after each packet is processed + LuaDetectorManager::free_detector_flows(); + + // retrieve result + if (!lua_isnumber(my_lua_state, -1)) + { + 
ErrorMessage("Detector %s: Validator returned non-numeric value\n", detector_name); + ud.lsd.ldp.pkt = nullptr; + return -10; + } + + int ret = lua_tonumber(my_lua_state, -1); + lua_pop(my_lua_state, 1); // pop returned value + ud.lsd.ldp.pkt = nullptr; + + return ret; +} + +void check_detector_callback(const Packet& p, AppIdSession& asd, AppidSessionDirection dir, AppId app_id, AppidChangeBits& change_bits, AppInfoTableEntry* entry) +{ + if (!entry) + entry = AppInfoManager::get_instance().get_app_info_entry(app_id); + if (!entry) + return; + + if (entry->flags & APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK or + entry->flags & APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK) + { + assert(lua_detector_mgr); + LuaObject* ud = lua_detector_mgr->get_cb_detector(app_id); + assert(ud); + + if (ud->is_running()) + return; + + ud->set_running(true); + + int ret = detector_callback(p.data, p.dsize, dir, asd, p, *ud, change_bits); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s %s detector callback returned %d\n", appidDebug->get_debug_session(), + ud->get_detector()->get_name().empty() ? "UKNOWN" : ud->get_detector()->get_name().c_str(), ret); + ud->set_running(false); + } +} + static int create_chp_application(AppId appIdInstance, unsigned app_type_flags, int num_matches) { CHPApp* new_app = (CHPApp*)snort_calloc(sizeof(CHPApp)); @@ -2377,6 +2527,8 @@ static const luaL_Reg detector_methods[] = { "addHostPortApp", detector_add_host_port_application }, { "addHostPortAppDynamic", detector_add_host_port_dynamic }, { "addDNSHostPattern", detector_add_dns_host_pattern }, + { "registerClientDetectorCallback", detector_register_client_callback }, + { "registerServiceDetectorCallback", detector_register_service_callback }, /*Obsolete - new detectors should not use this API */ { "init", service_init }, diff --git a/src/network_inspectors/appid/lua_detector_api.h b/src/network_inspectors/appid/lua_detector_api.h index 0fbc9fc1d..82548da06 100644 
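Review bot: detector_callback never pops the package table pushed by `lua_getfield(my_lua_state, LUA_REGISTRYINDEX, ...)`: the success path pops only the return value, and the `lua_pcall` failure and non-numeric-result paths return with two values still on the stack, so the manager's Lua stack grows by at least one slot for every callback that runs on the packet path. Restoring the stack on every exit after the first `lua_getfield`, for example `lua_settop(my_lua_state, 0);` before each `return` (assuming nothing else is expected to be live on this state at that point), avoids the unbounded growth. In check_detector_callback the only protection against a missing per-thread registration is `assert(ud);`, which is compiled out under NDEBUG and leaves `ud->is_running()` dereferencing null when the shared app-info flag is set but `get_cb_detector` finds nothing; `if (!ud) return;` is safer. In register_callback the three error branches `return 1;` without pushing a result, so the Lua caller receives whatever is on top of the stack rather than an error code; add `lua_pushnumber(L, -1);` before each, as the null-callback branch already does.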
--- a/src/network_inspectors/appid/lua_detector_api.h +++ b/src/network_inspectors/appid/lua_detector_api.h @@ -27,6 +27,7 @@ #include #include +#include "appid_types.h" #include "client_plugins/client_detector.h" #include "service_plugins/service_detector.h" @@ -40,6 +41,7 @@ struct Packet; } struct lua_State; class AppIdSession; +class AppInfoTableEntry; #define DETECTOR "Detector" #define DETECTORFLOW "DetectorFlow" @@ -71,8 +73,7 @@ struct LuaDetectorParameters AppidSessionDirection dir = APP_ID_FROM_INITIATOR; AppIdSession* asd; AppidChangeBits* change_bits = nullptr; - snort::Packet* pkt = nullptr; - uint8_t macAddress[6] = { 0 }; + const snort::Packet* pkt = nullptr; }; class LuaStateDescriptor @@ -116,6 +117,22 @@ public: LuaStateDescriptor lsd; virtual AppIdDetector* get_detector() = 0; LuaStateDescriptor* validate_lua_state(bool packet_context); + + const std::string& get_cb_fn_name() + { return cb_fn_name; } + + void set_cb_fn_name(const char* name) + { cb_fn_name = name; } + + bool is_running() + { return running; } + + void set_running(bool is_running) + { running = is_running; } + +private: + std::string cb_fn_name; + bool running = false; }; class LuaServiceObject: public LuaObject @@ -143,5 +160,8 @@ void init_chp_glossary(); int init(lua_State*, int result=0); void free_chp_glossary(); +void check_detector_callback(const snort::Packet& p, AppIdSession& asd, AppidSessionDirection dir, + AppId app_id, AppidChangeBits& change_bits, AppInfoTableEntry* entry = nullptr); + #endif diff --git a/src/network_inspectors/appid/lua_detector_module.cc b/src/network_inspectors/appid/lua_detector_module.cc index f8c53cce1..7ec447068 100644 --- a/src/network_inspectors/appid/lua_detector_module.cc +++ b/src/network_inspectors/appid/lua_detector_module.cc 
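Review bot: `running` and `cb_fn_name` are added to LuaObject without any comment, and `running` in particular is a re-entrancy guard (check_detector_callback sets it around the Lua call and returns early if it is already set), which cannot be inferred from the accessor names. A one-line comment on the member such as `// true while this detector's callback is executing; blocks re-entrant invocation` would document that. `get_cb_fn_name()` and `is_running()` do not modify the object and could be declared `const`. `set_cb_fn_name(const char* name)` assigns the pointer straight to a std::string, which is undefined for null; the visible caller checks first, but a guard or a stated precondition would make that explicit.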
@@ -155,6 +155,7 @@ LuaDetectorManager::LuaDetectorManager(AppIdConfig& config, int is_control) :
 {
 sflist_init(&allocated_detector_flow_list);
 allocated_objects.clear();
+ cb_detectors.clear();
 L = create_lua_state(config.mod_config, is_control);
 if (is_control == 1)
 init_chp_glossary();
@@ -194,6 +195,7 @@ LuaDetectorManager::~LuaDetectorManager()
 sflist_static_free_all(&allocated_detector_flow_list, free_detector_flow);
 allocated_objects.clear();
+ cb_detectors.clear(); // do not free Lua objects in cb_detectors
 }
 void LuaDetectorManager::initialize(AppIdConfig& config, int is_control)
@@ -234,6 +236,26 @@ void LuaDetectorManager::free_detector_flows()
 sflist_static_free_all(&allocated_detector_flow_list, free_detector_flow);
 }
+bool LuaDetectorManager::insert_cb_detector(AppId app_id, LuaObject* cb_detector)
+{
+ if (cb_detectors.find(app_id) != cb_detectors.end())
+ return false;
+ else
+ cb_detectors[app_id] = cb_detector;
+
+ return true;
+}
+
+LuaObject* LuaDetectorManager::get_cb_detector(AppId app_id)
+{
+ auto it = cb_detectors.find(app_id);
+
+ if (it != cb_detectors.end())
+ return it->second;
+
+ return nullptr;
+}
+
 /**calculates Number of flow and host tracker entries for Lua detectors, given amount
 * of memory allocated to RNA (fraction of total system memory) and number of detectors
 * loaded in database. Calculations are based on CAICCI detector and observing memory
diff --git a/src/network_inspectors/appid/lua_detector_module.h b/src/network_inspectors/appid/lua_detector_module.h
index 0d79cc703..4df547aaf 100644
--- a/src/network_inspectors/appid/lua_detector_module.h
+++ b/src/network_inspectors/appid/lua_detector_module.h
@@ -24,6 +24,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -32,6 +33,8 @@
 #include "main/thread.h"
 #include "protocols/protocol_ids.h"
+#include "application_ids.h"
+
 class AppIdConfig;
 class AppIdDetector;
 struct DetectorFlow;
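Review bot: `get_cb_detector` returns `nullptr` when nothing is registered for `app_id`, but its caller `check_detector_callback` (added earlier in this commit) guards the result only with `assert(ud)` before calling `ud->is_running()`. In a build with NDEBUG the assert compiles away, so an app-info entry that carries a callback flag without a matching entry in this thread's `cb_detectors` map becomes a null dereference on the packet path; whether that mismatch can happen depends on registration code not shown here. I would handle it at the call site with `if (!ud) return;` and keep the assert only as a debug aid. In `insert_cb_detector` the `else` after `return false;` is redundant, and `return cb_detectors.emplace(app_id, cb_detector).second;` does the same with a single lookup.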
@@ -52,6 +55,8 @@ public: static void free_detector_flows(); // FIXIT-M: RELOAD - When reload is supported, move this variable to a separate location lua_State* L; + bool insert_cb_detector(AppId app_id, LuaObject* ud); + LuaObject* get_cb_detector(AppId app_id); private: void initialize_lua_detectors(); @@ -63,6 +68,7 @@ private: AppIdConfig& config; std::list allocated_objects; size_t num_odp_detectors = 0; + std::map cb_detectors; }; extern THREAD_LOCAL LuaDetectorManager* lua_detector_mgr; diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc index 9e765644f..2890b333e 100644 --- a/src/network_inspectors/appid/service_plugins/service_discovery.cc +++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc @@ -707,7 +707,7 @@ bool ServiceDiscovery::do_service_discovery(AppIdSession& asd, Packet* p, AppId payload_id = APP_ID_NONE; dns_host_scan_hostname((const uint8_t*)(dsession->get_host()), dsession->get_host_len(), &client_id, &payload_id); - asd.set_client_appid_data(client_id, nullptr, change_bits); + asd.set_client_appid_data(client_id, change_bits); } else if (asd.service.get_id() == APP_ID_RTMP) asd.examine_rtmp_metadata(change_bits); diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc index 61fdcb8d2..3bf25201d 100644 --- a/src/network_inspectors/appid/test/appid_api_test.cc +++ b/src/network_inspectors/appid/test/appid_api_test.cc @@ -53,6 +53,7 @@ class Inspector* InspectorManager::get_inspector(char const*, bool, SnortConfig* } +void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { } const char* AppInfoManager::get_app_name(AppId) { return test_app_name; diff --git a/src/network_inspectors/appid/test/appid_debug_test.cc b/src/network_inspectors/appid/test/appid_debug_test.cc index 3f7c51568..53d6c1553 100644 
--- a/src/network_inspectors/appid/test/appid_debug_test.cc
+++ b/src/network_inspectors/appid/test/appid_debug_test.cc
@@ -45,6 +45,7 @@ FlowData::FlowData(unsigned, Inspector*) { }
 FlowData::~FlowData() = default;
 }
+void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
 class AppIdInspector
 {
 public:
diff --git a/src/network_inspectors/appid/test/appid_detector_test.cc b/src/network_inspectors/appid/test/appid_detector_test.cc
index 0b34157d4..bcfac4645 100644
--- a/src/network_inspectors/appid/test/appid_detector_test.cc
+++ b/src/network_inspectors/appid/test/appid_detector_test.cc
@@ -36,6 +36,7 @@
 #include
 #include
+void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
 void AppIdHttpSession::set_http_change_bits(AppidChangeBits&, HttpFieldIds) {}
 class TestDetector : public AppIdDetector
diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc
index fbd703e97..d94b6592c 100644
--- a/src/network_inspectors/appid/test/appid_discovery_test.cc
+++ b/src/network_inspectors/appid/test/appid_discovery_test.cc
@@ -122,6 +122,8 @@ HttpPatternMatchers* HttpPatternMatchers::get_instance()
 return http_matchers;
 }
+void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
+
 // Stubs for AppIdModule
 AppIdModule::AppIdModule(): snort::Module("appid_mock", "appid_mock_help") {}
 AppIdModule::~AppIdModule() {}
@@ -178,7 +180,7 @@ const char* AppInfoManager::get_app_name(int32_t)
 // Stubs for AppIdSession
 void AppIdSession::sync_with_snort_protocol_id(AppId, Packet*) {}
 void AppIdSession::check_app_detection_restart(AppidChangeBits&) {}
-void AppIdSession::set_client_appid_data(AppId, char*, AppidChangeBits&) {}
+void AppIdSession::set_client_appid_data(AppId, AppidChangeBits&, char*) {}
 void AppIdSession::examine_rtmp_metadata(AppidChangeBits&) {}
 void AppIdSession::examine_ssl_metadata(Packet*, AppidChangeBits&) {}
 void AppIdSession::update_encrypted_app_id(AppId) {}
diff --git a/src/network_inspectors/appid/test/appid_expected_flags_test.cc b/src/network_inspectors/appid/test/appid_expected_flags_test.cc
index eb9783b4c..f2c41f665 100644
--- a/src/network_inspectors/appid/test/appid_expected_flags_test.cc
+++ b/src/network_inspectors/appid/test/appid_expected_flags_test.cc
@@ -28,6 +28,7 @@
 #include
 #include
+void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
 void AppIdHttpSession::set_http_change_bits(AppidChangeBits&, HttpFieldIds) {}
 class MockServiceDetector : public ServiceDetector
diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc
index e6d1fa539..a7b203adf 100644
--- a/src/network_inspectors/appid/test/appid_http_event_test.cc
+++ b/src/network_inspectors/appid/test/appid_http_event_test.cc
@@ -40,10 +40,9 @@
 #include
 #include
-// Stubs for AppIdDebug
 THREAD_LOCAL AppIdDebug* appidDebug = nullptr;
 void AppIdDebug::activate(const Flow*, const AppIdSession*, bool) { active = true; }
-
+void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { }
 using namespace snort;
 namespace snort
diff --git a/src/network_inspectors/appid/test/appid_http_session_test.cc b/src/network_inspectors/appid/test/appid_http_session_test.cc index 9bbf26fa9..77a2891c0 100644 --- a/src/network_inspectors/appid/test/appid_http_session_test.cc +++ b/src/network_inspectors/appid/test/appid_http_session_test.cc @@ -45,6 +45,7 @@ using namespace snort; +void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { } const char* AppInfoManager::get_app_name(AppId) { return ""; @@ -107,15 +108,15 @@ AppIdSession::~AppIdSession() { } -void AppIdSession::set_client_appid_data(AppId, char*, AppidChangeBits&) +void AppIdSession::set_client_appid_data(AppId, AppidChangeBits&, char*) { } -void AppIdSession::set_service_appid_data(AppId, char*, char*, AppidChangeBits&) +void AppIdSession::set_service_appid_data(AppId, AppidChangeBits&, char*) { } -void AppIdSession::set_payload_appid_data(AppId, char*, AppidChangeBits&) +void AppIdSession::set_payload_appid_data(AppId, AppidChangeBits&, char*) { } diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc index 4a613289e..f97d79239 100644 --- a/src/network_inspectors/appid/test/appid_session_api_test.cc +++ b/src/network_inspectors/appid/test/appid_session_api_test.cc @@ -30,6 +30,7 @@ #include #include +void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { } void BootpServiceDetector::AppIdFreeDhcpData(DHCPData* data) { delete data; diff --git a/src/network_inspectors/appid/test/service_state_test.cc b/src/network_inspectors/appid/test/service_state_test.cc index b51afdc54..05dfc7858 100644 --- a/src/network_inspectors/appid/test/service_state_test.cc +++ b/src/network_inspectors/appid/test/service_state_test.cc 
@@ -71,6 +71,7 @@ THREAD_LOCAL AppIdStats appid_stats; void AppIdDebug::activate(const Flow*, const AppIdSession*, bool) { active = true; } +void ApplicationDescriptor::set_id(const snort::Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { } AppIdSession::AppIdSession(IpProtocol, const SfIp*, uint16_t, AppIdInspector&) : FlowData(0) {} AppIdSession::~AppIdSession() = default; diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index d2e97068b..1a205ec4a 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc @@ -459,11 +459,11 @@ static inline void process_rtmp(AppIdSession& asd, http_matchers->identify_user_agent(field->c_str(), size, service_id, client_id, &version); - asd.set_client_appid_data(client_id, version, change_bits); + asd.set_client_appid_data(client_id, change_bits, version); // do not overwrite a previously-set service if ( service_id <= APP_ID_NONE ) - asd.set_service_appid_data(service_id, nullptr, nullptr, change_bits); + asd.set_service_appid_data(service_id, change_bits); asd.scan_flags |= ~SCAN_HTTP_USER_AGENT_FLAG; snort_free(version); @@ -487,12 +487,12 @@ static inline void process_rtmp(AppIdSession& asd, { // do not overwrite a previously-set client or service if ( client_id <= APP_ID_NONE ) - asd.set_client_appid_data(client_id, nullptr, change_bits); + asd.set_client_appid_data(client_id, change_bits); if ( service_id <= APP_ID_NONE ) - asd.set_service_appid_data(service_id, nullptr, nullptr, change_bits); + asd.set_service_appid_data(service_id, change_bits); // DO overwrite a previously-set data - asd.set_payload_appid_data(payload_id, nullptr, change_bits); + asd.set_payload_appid_data(payload_id, change_bits); asd.set_referred_payload_app_id_data(referred_payload_app_id, change_bits); } } 
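Review bot: In the first process_rtmp hunk of tp_appid_utils.cc, the unchanged line `asd.scan_flags |= ~SCAN_HTTP_USER_AGENT_FLAG;` that follows the reordered calls sets every bit of `scan_flags` except the user-agent one. That looks unintended: to clear the flag it would read `asd.scan_flags &= ~SCAN_HTTP_USER_AGENT_FLAG;`, and to mark the user agent as scanned, `asd.scan_flags |= SCAN_HTTP_USER_AGENT_FLAG;`. The line predates this commit and process_rtmp starts and ends outside the hunk, so the intended direction needs confirming against the rest of the function before changing it.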
@@ -521,7 +521,7 @@ static inline void process_ssl(AppIdSession& asd, asd.tsession = (TlsSession*)snort_calloc(sizeof(TlsSession)); if (!asd.client.get_id()) - asd.set_client_appid_data(APP_ID_SSL_CLIENT, nullptr, change_bits); + asd.set_client_appid_data(APP_ID_SSL_CLIENT, change_bits); if ( (field=attribute_data.tls_host(false)) != nullptr ) { @@ -712,7 +712,7 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol, APPINFO_FLAG_TP_CLIENT | APPINFO_FLAG_IGNORE | APPINFO_FLAG_SSL_SQUELCH); if ( app_info_flags & APPINFO_FLAG_TP_CLIENT ) - asd.client.set_id(tp_app_id); + asd.client.set_id(*p, asd, direction, tp_app_id, change_bits); process_third_party_results(asd, tp_confidence, tp_proto_list, tp_attribute_data, change_bits); @@ -762,16 +762,16 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol, snort_app_id = APP_ID_HTTP; //data should never be APP_ID_HTTP if (tp_app_id != APP_ID_HTTP) - asd.set_tp_payload_app_id(tp_app_id); + asd.set_tp_payload_app_id(*p, direction, tp_app_id, change_bits); asd.set_tp_app_id(APP_ID_HTTP); // Handle HTTP tunneling and SSL possibly then being used in that tunnel if (tp_app_id == APP_ID_HTTP_TUNNEL) - asd.set_payload_appid_data(APP_ID_HTTP_TUNNEL, NULL, change_bits); + asd.set_payload_appid_data(APP_ID_HTTP_TUNNEL, change_bits); else if ((asd.payload.get_id() == APP_ID_HTTP_TUNNEL) && (tp_app_id == APP_ID_SSL)) - asd.set_payload_appid_data(APP_ID_HTTP_SSL_TUNNEL, NULL, change_bits); + asd.set_payload_appid_data(APP_ID_HTTP_SSL_TUNNEL, change_bits); AppIdHttpSession* hsession = asd.get_http_session(); hsession->process_http_packet(direction, change_bits); @@ -826,7 +826,7 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol, } else { - asd.set_tp_payload_app_id(tp_app_id); + asd.set_tp_payload_app_id(*p, direction, tp_app_id, change_bits); tp_app_id = portAppId; if (appidDebug->is_active()) { 
@@ -843,7 +843,7 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol,
 snort_app_id = tp_app_id;
 }
- asd.set_tp_app_id(tp_app_id);
+ asd.set_tp_app_id(*p, direction, tp_app_id, change_bits);
 asd.sync_with_snort_protocol_id(snort_app_id, p);
 }
 else