From: Masud Hasan (mashasan) Date: Tue, 8 Mar 2022 19:15:24 +0000 (+0000) Subject: Pull request #3302: appid: do not add odp mapping for a process name that already... X-Git-Tag: 3.1.25.0~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a91413b8cd7ce8ade9fea064f6dcac829295e88;p=thirdparty%2Fsnort3.git Pull request #3302: appid: do not add odp mapping for a process name that already has a custom process to app mapping Merge in SNORT/snort3 from ~SATHIRKA/snort3:custom_process_mapping to master Squashed commit of the following: commit 41b88649edd815ed38aa25641a360bf18ebac711 Author: Sreeja Athirkandathil Narayanan Date: Thu Mar 3 16:29:30 2022 -0500 appid: do not add duplicate process to client app mapping for the same process name
---
diff --git a/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc b/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc
index f79e8e126..0a68935d3 100644
--- a/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc
+++ b/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc
@@ -37,16 +37,19 @@ void EveCaPatternMatchers::add_eve_ca_pattern(AppId app_id, const string& patter
 uint8_t confidence, const string& detector)
 {
 auto match = find_if(eve_ca_load_list.begin(), eve_ca_load_list.end(),
- [app_id, pattern_str] (EveCaPattern* eve_ca)
- { return (eve_ca->pattern == pattern_str and eve_ca->app_id != app_id); });
-
+ [pattern_str] (EveCaPattern* eve_ca) { return eve_ca->pattern == pattern_str; });
 if (match != eve_ca_load_list.end())
- WarningMessage("appid: detector %s - process name '%s' for client app %d is already "
- "mapped to client app %d\n", detector.c_str(), (*match)->pattern.c_str(), app_id,
- (*match)->app_id);
-
- EveCaPattern* new_eve_ca_pattern = new EveCaPattern(app_id, pattern_str, confidence);
- eve_ca_load_list.push_back(new_eve_ca_pattern);
+ {
+ if ((*match)->app_id != app_id)
+ WarningMessage("appid: detector %s - process name '%s' for client app %d is already "
+ "mapped to client app %d\n", detector.c_str(), (*match)->pattern.c_str(), app_id,
+ (*match)->app_id);
+ }
+ else
+ {
+ EveCaPattern* new_eve_ca_pattern = new EveCaPattern(app_id, pattern_str, confidence);
+ eve_ca_load_list.push_back(new_eve_ca_pattern);
+ }
 }
 
 static int eve_ca_pattern_match(void* id, void*, int, void* data, void*)
diff --git a/src/network_inspectors/appid/client_plugins/eve_ca_patterns.h b/src/network_inspectors/appid/client_plugins/eve_ca_patterns.h
index 7c395f0f2..93690c743 100644
--- a/src/network_inspectors/appid/client_plugins/eve_ca_patterns.h
+++ b/src/network_inspectors/appid/client_plugins/eve_ca_patterns.h
@@ -49,6 +49,8 @@ public:
 void finalize_patterns();
 void reload_patterns();
+ const EveCaPatternList& get_eve_ca_load_list() const { return eve_ca_load_list; }
+
 
 private:
 snort::SearchTool eve_ca_pattern_matcher = snort::SearchTool();
 EveCaPatternList eve_ca_load_list;
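Review bot: The new `else` branch silently drops a repeat mapping of the same process name to the same app when only the confidence differs (the second `chrome` case in the added test), so the first-loaded confidence wins with nothing in the log to show the later value was ignored. Since the outcome depends on load order — custom detectors before ODP, per the commit title — a message at the same level as the existing `WarningMessage`, or at least a comment such as `// first mapping for a process name wins; a later one (e.g. ODP) is dropped`, would make the precedence discoverable when a confidence value surprises an operator. The function's signature begins on the hunk header line, outside the hunk.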
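Review bot: `get_eve_ca_load_list()` adds a public accessor to a private container apparently only so the unit test can inspect it, and it is undocumented; if `EveCaPatternList` holds `EveCaPattern*` (the test's `[0]->app_id` suggests pointers), the `const` reference protects the container but not the pointed-to patterns. A short comment stating the intent and the limit would help, e.g. `// read-only view of the load list for unit tests; the container is const, the patterns it points to are not`. The enclosing class declaration starts and ends outside the hunk.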
diff --git a/src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc b/src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc
index 7333fb762..a47d9a8d3 100644
--- a/src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc
+++ b/src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc
@@ -90,6 +90,25 @@ TEST(eve_ca_patterns_tests, match_eve_ca_pattern)
 CHECK(eve_matcher->match_eve_ca_pattern("firefox", 92) == APPID_UT_ID);
 }
 
+TEST(eve_ca_patterns_tests, add_eve_ca_pattern)
+{
+ // same process name mapped to different app
+ eve_matcher->add_eve_ca_pattern(APPID_UT_ID + 1, "firefox", 40, "custom_detector.lua");
+ eve_matcher->add_eve_ca_pattern(APPID_UT_ID + 2, "firefox", 90, "odp_detector.lua");
+
+ CHECK(eve_matcher->get_eve_ca_load_list().size() == 1);
+ CHECK(eve_matcher->get_eve_ca_load_list()[0]->app_id == APPID_UT_ID + 1);
+ CHECK(eve_matcher->get_eve_ca_load_list()[0]->confidence == 40);
+
+ // same process name mapped to an existing app, but with different confidence
+ eve_matcher->add_eve_ca_pattern(APPID_UT_ID + 1, "chrome", 80, "custom_detector.lua");
+ eve_matcher->add_eve_ca_pattern(APPID_UT_ID + 1, "chrome", 90, "odp_detector.lua");
+
+ CHECK(eve_matcher->get_eve_ca_load_list().size() == 2);
+ CHECK(eve_matcher->get_eve_ca_load_list()[1]->app_id == APPID_UT_ID + 1);
+ CHECK(eve_matcher->get_eve_ca_load_list()[1]->confidence == 80);
+}
+
 int main(int argc, char** argv)
 {
 int return_value = CommandLineTestRunner::RunAllTests(argc, argv);
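Review bot: The new test's `CHECK`s use absolute positions (`size() == 1`, `[0]`, `[1]`) in the shared `eve_matcher` load list, so they hold only if no earlier TEST in this file left entries in that list; the preceding test matches "firefox" against `APPID_UT_ID`, which suggests a firefox mapping existed at some point, though the hunk does not show whether a fixture or `finalize_patterns()` clears the load list between tests. If the order of TESTs matters, a setup/teardown that resets the matcher, or a one-line comment such as `// assumes the load list is empty when this test starts`, would keep a future reordering from turning this into a false failure.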