From: Bohdan Hryniv -X (bhryniv - SOFTSERVE INC at Cisco)
Date: Wed, 8 Oct 2025 01:30:34 +0000 (+0000)
Subject: Pull request #4888: appid: fix high inspected packets count
X-Git-Tag: 3.9.7.0~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a75e013546e4968e8cd46e23d3c43a5125c85bd7;p=thirdparty%2Fsnort3.git

Pull request #4888: appid: fix high inspected packets count

Merge in SNORT/snort3 from ~BHRYNIV/snort3:fix_high_inspected_packets_count to master

Squashed commit of the following:

commit bab6b11b314c1cf6545add72eef8bd51e97c399f
Author: Bohdan Hryniv
Date:   Tue Sep 9 12:09:23 2025 -0400

    appid: fix high inspected packets count
---
diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc
index 10b97d7b1..eaedd893a 100644
--- a/src/network_inspectors/appid/appid_session_api.cc
+++ b/src/network_inspectors/appid/appid_session_api.cc
@@ -32,6 +32,7 @@
 #include "appid_types.h"
 #include "service_plugins/service_bootp.h"
 #include "service_plugins/service_netbios.h"
+#include "network_inspectors/appid/service_plugins/service_ssl.h"
 
 #define SSL_ALLOWLIST_PKT_LIMIT 20
 
@@ -250,6 +251,15 @@ bool AppIdSessionApi::is_appid_inspecting_session() const
         return false;
     }
 
+    // service is a TLS-wrapped service or SNI has been observed
+    if ( (is_service_over_ssl(get_service_app_id()) or (get_tls_host() != nullptr)) and
+        !asd->get_session_flags(APPID_SESSION_DECRYPTED) and
+        !asd->get_odp_ctxt().check_host_port_app_cache and
+        (asd->session_packet_count >= SSL_ALLOWLIST_PKT_LIMIT) )
+    {
+        return false;
+    }
+
     if ( (get_service_app_id() == APP_ID_QUIC or get_service_app_id() == APP_ID_HTTP3) and
         !asd->get_session_flags(APPID_SESSION_DECRYPTED) )
         return false;
diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc
index 13abedd67..d56f5808f 100644
--- a/src/network_inspectors/appid/test/appid_session_api_test.cc
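Review bot: The comment on the new early return in is_appid_inspecting_session describes only the first operand of the condition; the return is taken only when the flow is also not flagged APPID_SESSION_DECRYPTED, check_host_port_app_cache is off in the ODP context, and session_packet_count has reached SSL_ALLOWLIST_PKT_LIMIT, and none of that is explained. A reader cannot tell from the hunk why those four conditions together make further inspection pointless, which is the substance of the fix. Suggest replacing the comment with `// Undecrypted TLS flow (TLS-wrapped service or SNI seen) with no host/port app-cache lookup configured: after SSL_ALLOWLIST_PKT_LIMIT packets AppID has nothing more to learn, so stop reporting the flow as inspected`. If the same macro already gates another path in this file (its other uses are outside the hunk), the comment should say how this check relates to it. The function starts before the hunk and continues past it.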
+++ b/src/network_inspectors/appid/test/appid_session_api_test.cc
@@ -48,6 +48,18 @@ Inspector* InspectorManager::get_inspector(char const*, bool, const snort::Snort
 
 void appid_log(const snort::Packet*, unsigned char, char const*, ...) { }
 
+bool is_service_over_ssl(AppId appId)
+{
+    switch (appId)
+    {
+    case APP_ID_HTTPS:
+    case APP_ID_SSL:
+        return true;
+    default:
+        return false;
+    }
+}
+
 namespace snort
 {
 unsigned get_instance_id()
@@ -643,6 +655,41 @@ TEST(appid_session_api, get_client_app_detect_type)
     CHECK_EQUAL(detect_type, CLIENT_APP_DETECT_APPID);
 }
 
+TEST(appid_session_api, service_none_sni_reaches_threshold)
+{
+    SfIp ip{};
+    AppIdSession asd(IpProtocol::TCP, &ip, 1492, dummy_appid_inspector, odpctxt, 0
+#ifndef DISABLE_TENANT_ID
+    ,0
+#endif
+    );
+    asd.flow = &flow;
+
+    asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
+    asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
+
+    asd.clear_session_flags(APPID_SESSION_ENCRYPTED |
+        APPID_SESSION_DECRYPTED |
+        APPID_SESSION_HTTP_SESSION |
+        APPID_SESSION_CONTINUE |
+        APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+
+    asd.set_service_id(APP_ID_NONE, asd.get_odp_ctxt());
+
+    AppidChangeBits change_bits;
+
+    char* sni = snort_strdup("random-sni.com");
+    asd.tsession->set_tls_sni(sni, 0);
+    asd.examine_ssl_metadata(change_bits, true);
+
+    asd.session_packet_count = SSL_ALLOWLIST_PKT_LIMIT;
+    bool val = asd.get_api().is_appid_inspecting_session();
+    CHECK_FALSE(val);
+
+    asd.tsession->set_tls_sni(nullptr, 0);
+    delete &asd.get_api();
+}
+
 int main(int argc, char** argv)
 {
     mock_init_appid_pegs();
@@ -650,4 +697,3 @@ int main(int argc, char** argv)
     mock_cleanup_appid_pegs();
     return rc;
 }
-
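Review bot: service_none_sni_reaches_threshold pins only one side of the new condition: APP_ID_NONE with an SNI set and session_packet_count exactly at SSL_ALLOWLIST_PKT_LIMIT. Neither the is_service_over_ssl operand (a TLS service id with no SNI) nor the boundary just below the limit is checked, so a regression that drops the `or (get_tls_host() != nullptr)` operand, or that stops inspection one packet too early, would still pass. Assuming the preceding setup otherwise leaves inspection on, adding `asd.session_packet_count = SSL_ALLOWLIST_PKT_LIMIT - 1; CHECK_TRUE(asd.get_api().is_appid_inspecting_session());` before the existing assignment covers the boundary, and a sibling test using `asd.set_service_id(APP_ID_SSL, asd.get_odp_ctxt());` with no SNI covers the other operand; the is_service_over_ssl stub added earlier in this file returns true for APP_ID_HTTPS and APP_ID_SSL, which is enough for that. The SNI string comes from snort_strdup and is cleared with set_tls_sni(nullptr, 0) at the end; a one-line comment stating that the second call releases it would save the next reader a lookup, if that is indeed its contract.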