From: Sreeja Athirkandathil Narayanan (sathirka) Date: Fri, 17 Mar 2023 18:00:30 +0000 (+0000) Subject: Pull request #3780: appid: give precedence to eve detected client over appid when... X-Git-Tag: 3.1.58.0~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a044f11cd0cce5e7584a3bcb831ab2f110be28d8;p=thirdparty%2Fsnort3.git Pull request #3780: appid: give precedence to eve detected client over appid when eve_http_client_mapping config is set Merge in SNORT/snort3 from ~SATHIRKA/snort3:eve_http_process_client_detection to master Squashed commit of the following: commit 214fba55d508bd25ecbe05aa55618d17085daada Author: Sreeja Athirkandathil Narayanan Date: Thu Mar 9 11:20:54 2023 -0500 appid: give precedence to eve detected client over appid when eve_http_client_mapping config is set
---
diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc
index 8adfb3f84..d84bedb3a 100644
--- a/src/network_inspectors/appid/app_info_table.cc
+++ b/src/network_inspectors/appid/app_info_table.cc
@@ -609,6 +609,10 @@ void AppInfoManager::load_odp_config(OdpContext& odp_ctxt, const char* path)
 {
 set_app_info_flags(atoi(conf_val), APPINFO_FLAG_IGNORE);
 }
+ else if (!(strcasecmp(conf_key, "eve_http_client")))
+ {
+ odp_ctxt.eve_http_client = atoi(conf_val) ? true : false;
+ }
 else
 ParseWarning(WARN_CONF, "appid: unsupported configuration: %s\n", conf_key);
 }
diff --git a/src/network_inspectors/appid/appid_app_descriptor.h b/src/network_inspectors/appid/appid_app_descriptor.h
index f3164b2b7..d3cf8c756 100644
--- a/src/network_inspectors/appid/appid_app_descriptor.h
+++ b/src/network_inspectors/appid/appid_app_descriptor.h
@@ -79,6 +79,11 @@ public:
 my_version = version;
 }
 
+ void reset_version()
+ {
+ my_version.clear();
+ }
+
 private:
 AppId my_id = APP_ID_NONE;
 std::string my_version;
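Review bot: The new `eve_http_client` branch in load_odp_config turns any non-numeric value into 0 because `atoi` returns 0 on a parse failure, so a value such as `yes` silently disables the feature with no ParseWarning, which matters for a knob that changes which client a session reports. The neighbouring keys use `atoi` the same way, so this is pre-existing style rather than a regression, but the `? true : false` form adds nothing; `odp_ctxt.eve_http_client = atoi(conf_val) != 0;` states the intent directly. load_odp_config's body begins and continues outside the hunk.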
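Review bot: `reset_version()` carries no comment on when it is meant to be called, and unlike the setter above it the name does not say why a detected version would be discarded; since this changes what AppID reports for the client, a one-liner such as `// Discard the detected version, used when a client detected elsewhere supersedes this one` above it would help the next reader. The enclosing class starts before the hunk and its remaining members follow it.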
diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h
index e26d55aef..76e845ef6 100644
--- a/src/network_inspectors/appid/appid_config.h
+++ b/src/network_inspectors/appid/appid_config.h
@@ -133,6 +133,7 @@ public:
 uint16_t max_packet_before_service_fail = MIN_MAX_PKTS_BEFORE_SERVICE_FAIL;
 uint16_t max_packet_service_fail_ignore_bytes = MIN_MAX_PKT_BEFORE_SERVICE_FAIL_IGNORE_BYTES;
 FirstPktAppIdDiscovered first_pkt_appid_prefix = NO_APPID_FOUND;
+ bool eve_http_client = true;
 
 OdpContext(const AppIdConfig&, snort::SnortConfig*);
 void initialize(AppIdInspector& inspector);
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index b12c756de..2c833519c 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -862,6 +862,12 @@ AppId AppIdSession::pick_ss_client_app_id() const
 (api.service.get_id() == APP_ID_HTTP3 and !api.hsessions.empty()))
 return APP_ID_NONE;
 
+ if (use_eve_client_app_id())
+ {
+ api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
+ return api.client.get_eve_client_app_id();
+ }
+
 AppId tmp_id = APP_ID_NONE;
 if (!api.hsessions.empty())
 tmp_id = api.hsessions[0]->client.get_id();
@@ -871,12 +877,6 @@ AppId AppIdSession::pick_ss_client_app_id() const
 return tmp_id;
 }
 
- if (use_eve_client_app_id())
- {
- api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_TLS_FP);
- return api.client.get_eve_client_app_id();
- }
-
 if (api.client.get_id() > APP_ID_NONE)
 {
 api.client.set_eve_client_app_detect_type(CLIENT_APP_DETECT_APPID);
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index a57a20b8e..5f57ecb35 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
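Review bot: `bool eve_http_client = true;` is undocumented, and its name differs from the `eve_http_client_mapping` option the commit message refers to, so a reader going from the description to the code has nothing to connect the two; the odp key parsed in app_info_table.cc is `eve_http_client`. A comment above the member such as `// odp key "eve_http_client": when set, an EVE-detected client takes precedence over AppID's own HTTP client detection` would tie the knob, its key and its effect together. Defaulting it to true means existing deployments change what client they report on upgrade unless the key is explicitly set to 0, which is presumably intended but worth calling out where the option is documented.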
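Review bot: `use_eve_client_app_id()` is no longer a pure predicate — the appid_session.h hunk has it call `api.client.reset_version()` — so moving its call above the hsessions branch in pick_ss_client_app_id means every evaluation of this `const` getter on an HTTP session with `eve_http_client` set mutates the client descriptor, which is surprising for a function named `pick_*`. A version stored on the client after the first pick is therefore cleared the next time anything picks the client id; if that is intended, a comment on the new `if` saying so would help, otherwise the reset belongs where the EVE client id is assigned rather than inside a predicate. The second appid_session.cc hunk is the matching removal of the old placement. pick_ss_client_app_id's body continues outside both hunks.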
@@ -540,8 +540,17 @@ public:
 
 bool use_eve_client_app_id() const
 {
- return (api.client.get_eve_client_app_id() > APP_ID_NONE and
- (api.client.get_id() == APP_ID_SSL_CLIENT or api.client.get_id() <= APP_ID_NONE));
+ if (api.client.get_eve_client_app_id() <= APP_ID_NONE)
+ return false;
+
+ if (get_session_flags(APPID_SESSION_HTTP_SESSION))
+ {
+ if (odp_ctxt.eve_http_client)
+ api.client.reset_version();
+ return odp_ctxt.eve_http_client;
+ }
+ else
+ return (api.client.get_id() == APP_ID_SSL_CLIENT or api.client.get_id() <= APP_ID_NONE);
 }
 
 void set_alpn_service_app_id(AppId id)
diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc
index adfb5f6a4..8e7d2a13b 100644
--- a/src/network_inspectors/appid/appid_session_api.cc
+++ b/src/network_inspectors/appid/appid_session_api.cc
@@ -258,6 +258,9 @@ bool AppIdSessionApi::is_appid_available(uint32_t stream_index) const
 
 const char* AppIdSessionApi::get_client_info(uint32_t stream_index) const
 {
+ if (client.get_eve_client_app_id() > APP_ID_NONE and pkt_thread_odp_ctxt and
+ pkt_thread_odp_ctxt->eve_http_client)
+ return client.get_version();
 if (uint32_t num_hsessions = get_hsessions_size())
 {
 if (stream_index >= num_hsessions)
diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc
index 08f94d884..d25de9927 100644
--- a/src/network_inspectors/appid/test/appid_session_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_session_api_test.cc
@@ -250,6 +250,7 @@ TEST(appid_session_api, is_appid_available)
 TEST(appid_session_api, get_client_info)
 {
 const char* val;
+ mock_session->get_odp_ctxt().eve_http_client = false;
 val = mock_session->get_api().get_client_info();
 STRCMP_EQUAL(val, APPID_UT_CLIENT_VERSION);
 mock_session->create_http_session();
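Review bot: The `else` after the HTTP branch in use_eve_client_app_id is redundant because that branch always returns, so the non-HTTP case — which is the original expression — reads better unindented at function level as `return (api.client.get_id() == APP_ID_SSL_CLIENT or api.client.get_id() <= APP_ID_NONE);` (clang-tidy readability-else-after-return). The HTTP path also returns true regardless of `api.client.get_id()`, so an AppID-detected client with a confident id is overridden whenever the flag is set; that precedence is the point of the change but nothing in the code states it, and a comment on the `if (get_session_flags(APPID_SESSION_HTTP_SESSION))` line such as `// HTTP sessions: the EVE client wins over AppID's own client detection when eve_http_client is set` would record the design decision. The enclosing class starts before the hunk.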
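Review bot: The new early return in get_client_info reports `client.get_version()` whenever an EVE client id exists and the flag is set, but nothing on this path clears or sets that version; it presumably relies on use_eve_client_app_id() in appid_session.h having already reset it, so a caller asking for client info before the session has picked a client id would still see whatever version was previously stored on the descriptor, attributed to the EVE client. Either reset the version where the EVE client id is stored, or document the ordering with a comment such as `// version is cleared by use_eve_client_app_id(); the EVE client carries no version of its own`. `stream_index` is ignored on this path while the branches below honour it, which also deserves a one-line comment. get_client_info's body continues outside the hunk.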
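Review bot: The test only pins the `eve_http_client = false` path, so the early return this commit adds to get_client_info (flag set and an EVE client id present) has no coverage. A second case that sets the flag back to true, gives the mock an EVE client id and checks that get_client_info returns the client's version rather than the hsession's would close that gap. The assignment also changes state on `mock_session` without restoring it, so if the session is reused across TEST cases every later test in this file runs with the flag false; restoring it at the end of the test avoids order-dependent results. The TEST body continues outside the hunk.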