From: Shravan Rangarajuvenkata (shrarang) Date: Thu, 3 Oct 2019 18:07:37 +0000 (-0400) Subject: Merge pull request #1777 in SNORT/snort3 from ~SATHIRKA/snort3:bittorrent_std_port... X-Git-Tag: 3.0.0-262~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a086d006568ad2ca6c8e206c46d5f5f5e3f5d3d0;p=thirdparty%2Fsnort3.git Merge pull request #1777 in SNORT/snort3 from ~SATHIRKA/snort3:bittorrent_std_port to master Squashed commit of the following: commit 149109cf966db56b7b1e9f63cea33dfe0b8c682c Author: Sreeja Athirkandathil Narayanan Date: Wed Oct 2 12:40:10 2019 -0400 appid: Add support for bittorrent detection over standard ports
---
diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc
index 77267a07b..caca44b71 100644
--- a/src/network_inspectors/appid/app_info_table.cc
+++ b/src/network_inspectors/appid/app_info_table.cc
@@ -373,6 +373,13 @@ void AppInfoManager::load_appid_config(AppIdModuleConfig* config, const char* pa
 config->allow_port_wildcard_host_cache = true;
 }
 }
+ else if (!(strcasecmp(conf_key, "recheck_for_portservice_appid")))
+ {
+ if (!(strcasecmp(conf_val, "enabled")))
+ {
+ config->recheck_for_portservice_appid = true;
+ }
+ }
 else if (!(strcasecmp(conf_key, "bittorrent_aggressiveness")))
 {
 int aggressiveness = atoi(conf_val);
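Review bot: The new `recheck_for_portservice_appid` branch sets the flag without logging it, whereas the bittorrent_aggressiveness path in the next hunk announces the same flag with `LogMessage("AppId: recheck_for_portservice_appid enabled\n");`; adding that call inside the `enabled` branch here would let an operator confirm from the startup log which knob turned the recheck on. Any value other than the literal "enabled" leaves the default in place silently, which appears to match the neighbouring keys as far as they are visible, but a one-line comment such as `// only "enabled" is recognised; any other value keeps the default (false)` would spare the next reader a trip through the parser. load_appid_config starts before this hunk and continues after it.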
@@ -380,10 +387,12 @@ void AppInfoManager::load_appid_config(AppIdModuleConfig* config, const char* pa
 if (aggressiveness >= 50)
 {
 config->host_port_app_cache_lookup_interval = 5;
+ config->recheck_for_portservice_appid = true;
 set_app_info_flags(APP_ID_BITTORRENT, APPINFO_FLAG_DEFER);
 set_app_info_flags(APP_ID_BITTORRENT, APPINFO_FLAG_DEFER_PAYLOAD);
 config->max_tp_flow_depth = 25;
 LogMessage("AppId: host_port_app_cache_lookup_interval %d\n", config->host_port_app_cache_lookup_interval);
+ LogMessage("AppId: recheck_for_portservice_appid enabled\n");
 LogMessage("AppId: defer_to_thirdparty %d\n", APP_ID_BITTORRENT);
 LogMessage("AppId: defer_payload_to_thirdparty %d\n", APP_ID_BITTORRENT);
 LogMessage("AppId: max_tp_flow_depth %d\n", config->max_tp_flow_depth);
diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h
index 14f7f8749..5750b19f0 100644
--- a/src/network_inspectors/appid/appid_config.h
+++ b/src/network_inspectors/appid/appid_config.h
@@ -103,6 +103,7 @@ public:
 uint32_t host_port_app_cache_lookup_range = 100000;
 uint32_t http_response_version_enabled = 0;
 bool allow_port_wildcard_host_cache = false;
+ bool recheck_for_portservice_appid = false;
 };
 typedef std::array AppIdPortExclusions;
diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index 9ee0405a1..bc75f53f1 100644
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
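Review bot: The added `config->recheck_for_portservice_appid = true;` in the `aggressiveness >= 50` branch silently couples two knobs: the standalone key parsed earlier in load_appid_config can only set the flag to true, so once aggressiveness is high there is no configuration that turns the recheck off, and the new log line reports only the effective state, not which setting caused it. A comment on the assignment, e.g. `// aggressiveness >= 50 implies recheck_for_portservice_appid; the standalone key cannot override this`, would make that precedence explicit for whoever tunes these values later. load_appid_config continues outside this hunk.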
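Review bot: The new `recheck_for_portservice_appid` member of the config class carries no comment, and its only effect lives in a different file (the do_discovery condition in appid_discovery.cc), so a reader of the header cannot tell what enabling it changes. A short comment at the declaration, e.g. `// when true, do_discovery re-runs host/port-based discovery for sessions whose service id so far came only from the port`, would keep the header self-explanatory. The enclosing class starts before this hunk.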
@@ -1044,8 +1044,10 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto
 misc_id = asd.pick_misc_app_id();;
 bool is_http_tunnel = ((asd.payload.get_id() == APP_ID_HTTP_TUNNEL) || (asd.payload.get_id() == APP_ID_HTTP_SSL_TUNNEL)) ? true:false;
- if ((is_http_tunnel) or ((service_id == APP_ID_UNKNOWN_UI or service_id <= APP_ID_NONE ) and
- (client_id <= APP_ID_NONE and payload_id <= APP_ID_NONE and misc_id <= APP_ID_NONE)))
+ bool is_appid_none = (client_id <= APP_ID_NONE and payload_id <= APP_ID_NONE and misc_id <= APP_ID_NONE);
+ if ((is_appid_none and (service_id == APP_ID_UNKNOWN_UI or service_id <= APP_ID_NONE or
+ (asd.config->mod_config->recheck_for_portservice_appid and service_id == asd.service.get_port_service_id())))
+ or (is_http_tunnel))
 {
 if(is_http_tunnel)
 {
@@ -1060,6 +1062,7 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto
 }
 if (do_host_port_based_discovery(p, asd, protocol, direction))
 {
+ asd.service.set_port_service_id(APP_ID_NONE);
 service_id = asd.pick_service_app_id();
 client_id = asd.pick_client_app_id();
 payload_id = asd.pick_payload_app_id();
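Review bot: With the option on, the new condition sends every packet of a session whose service id equals `asd.service.get_port_service_id()` and has no client, payload or misc id into the rediscovery branch until `do_host_port_based_discovery` succeeds, because the port service id is cleared (in the following hunk) only on that success path. If do_host_port_based_discovery is not already throttled by host_port_app_cache_lookup_interval, that is an extra cache lookup per packet for every port-only-classified flow, which deserves a measurement on a port-heavy trace and a comment recording the intent, e.g. `// port-only service ids are provisional: keep consulting the host/port cache until it yields a real service`. The expression also dereferences `asd.config->mod_config` unconditionally, which is presumably guaranteed non-null by the time do_discovery runs but is not visible in this hunk. do_discovery starts before this hunk and continues after it.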
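Review bot: The added `asd.service.set_port_service_id(APP_ID_NONE);` runs before `pick_service_app_id()` but does not say why the port-derived id is discarded here rather than when it is superseded. Presumably a successful host/port lookup makes the port-only id obsolete and this also stops the recheck condition in the previous hunk from firing again on later packets; a comment such as `// host/port discovery succeeded: drop the provisional port-only service id so it is neither picked again nor rechecked` would make that explicit. The surrounding if-block and do_discovery continue beyond this hunk.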