From: Shravan Rangarajuvenkata (shrarang)
Date: Mon, 24 Feb 2020 19:29:24 +0000 (+0000)
Subject: Merge pull request #2027 in SNORT/snort3 from ~SATHIRKA/snort3:appid_cert_viz to...
X-Git-Tag: 3.0.0-269~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab4810ce71f2ae6627f0fe0838745e5730e540bf;p=thirdparty%2Fsnort3.git

Merge pull request #2027 in SNORT/snort3 from ~SATHIRKA/snort3:appid_cert_viz to master

Squashed commit of the following:

commit 1ddc6c3d40591b403d2f36b783d2fef0767d3693
Author: Sreeja Athirkandathil Narayanan
Date:   Thu Feb 20 12:24:44 2020 -0500

    appid: Enhance ssl appid lookup api to store SNI and CN provided by SSL for app detection
---

diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc
index 03091f0af..849d3e2b4 100644
--- a/src/network_inspectors/appid/appid_api.cc
+++ b/src/network_inspectors/appid/appid_api.cc
@@ -201,14 +201,26 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, cons
     if (asd)
     {
+        AppidChangeBits change_bits;
         SslPatternMatchers& ssl_matchers = asd->ctxt.get_odp_ctxt().get_ssl_matchers();
-        if (common_name)
-            ssl_matchers.scan_cname((const uint8_t*)common_name, strlen(common_name), client_id,
-                payload_id);
+        if (!asd->tsession)
+            asd->tsession = (TlsSession*)snort_calloc(sizeof(TlsSession));
         if (server_name)
+        {
             ssl_matchers.scan_hostname((const uint8_t*)server_name, strlen(server_name), client_id,
                 payload_id);
+            asd->tsession->set_tls_host(server_name, strlen(server_name), change_bits);
+            asd->scan_flags |= SCAN_SSL_HOST_FLAG;
+        }
+
+        if (common_name)
+        {
+            ssl_matchers.scan_cname((const uint8_t*)common_name, strlen(common_name), client_id,
+                payload_id);
+            asd->tsession->set_tls_cname(common_name, strlen(common_name));
+            asd->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
+        }
         service_id = asd->get_application_ids_service();
         if (client_id == APP_ID_NONE)
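Review bot: `change_bits` is declared at the top of the `if (asd)` block and filled in by `set_tls_host(server_name, strlen(server_name), change_bits)`, but nothing in the hunk publishes or returns it, so whatever the setter records is discarded in this API path, whereas the third-party path in tp_appid_utils.cc hands its `change_bits` on; if the remainder of ssl_app_group_id_lookup (outside the hunk) does not publish it either, either pass the bits to the event publisher or drop the local and say in a comment that host-change notifications are intentionally not raised from this entry point. `server_name` and `common_name` are the peer-supplied SNI and certificate CN that the SSL inspector forwards, so a short comment above the block would help the next reader: `// server_name (SNI) and common_name (certificate CN) are caller-supplied NUL-terminated strings; they are stored on the session for later detection`. The host path also sets `SCAN_SSL_HOST_FLAG` unconditionally while process_ssl sets it only when `reinspect_ssl_appid` is true; if that asymmetry is deliberate, a one-line comment saying why will keep someone from "fixing" it. ssl_app_group_id_lookup continues past the end of the hunk.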
@@ -222,13 +234,14 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, cons
         if (inspector)
         {
             SslPatternMatchers& ssl_matchers = inspector->get_ctxt().get_odp_ctxt().get_ssl_matchers();
-            if (common_name)
-                ssl_matchers.scan_cname((const uint8_t*)common_name, strlen(common_name), client_id,
-                    payload_id);
             if (server_name)
                 ssl_matchers.scan_hostname((const uint8_t*)server_name, strlen(server_name), client_id,
                     payload_id);
+
+            if (common_name)
+                ssl_matchers.scan_cname((const uint8_t*)common_name, strlen(common_name), client_id,
+                    payload_id);
         }
     }
diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc
index b40d17ad7..e5d6f852e 100644
--- a/src/network_inspectors/appid/test/appid_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_api_test.cc
@@ -52,15 +52,17 @@ class Inspector* InspectorManager::get_inspector(char const*, bool, SnortConfig*
 { return nullptr; }
 }
-bool SslPatternMatchers::scan_hostname(unsigned char const*, unsigned long, AppId& client_id, AppId&)
+bool SslPatternMatchers::scan_hostname(unsigned char const*, unsigned long, AppId& client_id, AppId& payload_id)
 {
     client_id = APPID_UT_ID + 1;
+    payload_id = APPID_UT_ID + 1;
     return true;
 }
-bool SslPatternMatchers::scan_cname(unsigned char const*, unsigned long, AppId&, AppId& payload_id)
+bool SslPatternMatchers::scan_cname(unsigned char const*, unsigned long, AppId& client_id, AppId& payload_id)
 {
-    payload_id = APPID_UT_ID + 1;
+    client_id++;
+    payload_id++;
     return true;
 }
@@ -197,10 +199,21 @@ TEST(appid_api, ssl_app_group_id_lookup)
     service = APP_ID_NONE;
     client = APP_ID_NONE;
     payload = APP_ID_NONE;
-    val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, service, client, payload);
+    val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, nullptr, service, client, payload);
     CHECK_TRUE(val);
     CHECK_EQUAL(client, APPID_UT_ID + 1);
     CHECK_EQUAL(payload, APPID_UT_ID + 1);
+    AppidChangeBits change_bits;
+    mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits);
+    mock_session->tsession->set_tls_cname("www.cisco.com", 13);
+    STRCMP_EQUAL(mock_session->tsession->get_tls_host(), "www.cisco.com");
+    STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), "www.cisco.com");
+    val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, service, client, payload);
+    CHECK_TRUE(val);
+    CHECK_EQUAL(client, APPID_UT_ID + 2);
+    CHECK_EQUAL(payload, APPID_UT_ID + 2);
+    STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
+    STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
 }
 TEST(appid_api, create_appid_session_api)
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index 1d7eb1952..3b56257ac 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
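Review bot: The new assertions only cover the case where `mock_session->tsession` is already allocated — it is dereferenced directly before the second lookup — so the `if (!asd->tsession) snort_calloc(...)` branch this commit adds to ssl_app_group_id_lookup is never executed by the test, and neither `SCAN_SSL_HOST_FLAG` nor `SCAN_SSL_CERTIFICATE_FLAG` is checked. Consider one more call with `mock_session->tsession` cleared beforehand, followed by `CHECK_TRUE(mock_session->tsession != nullptr);` and `CHECK_TRUE(mock_session->scan_flags & SCAN_SSL_HOST_FLAG);`, provided the fixture (set up outside the hunk) allows the session to be reset without leaking the previous allocation. The literal `13` in the two `set_tls_*("www.cisco.com", 13, ...)` calls duplicates the string's length by hand; `strlen("www.cisco.com")` or a named constant keeps the check honest if the sample host is ever changed.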
@@ -520,14 +520,14 @@ static inline void process_ssl(AppIdSession& asd,
         reinspect_ssl_appid = check_ssl_appid_for_reinspect(tmpAppId, asd.ctxt.get_odp_ctxt());
-        if ((field=attribute_data.tls_host(false)) != nullptr)
+        if (asd.tsession->get_tls_host() == nullptr and ((field = attribute_data.tls_host(false)) != nullptr))
         {
             asd.tsession->set_tls_host(field->c_str(), field->size(), change_bits);
             if (reinspect_ssl_appid)
                 asd.scan_flags |= SCAN_SSL_HOST_FLAG;
         }
-        if ((field=attribute_data.tls_cname()) != nullptr)
+        if ((asd.tsession->get_tls_cname() == nullptr and (field = attribute_data.tls_cname()) != nullptr))
         {
             asd.tsession->set_tls_cname(field->c_str(), field->size());
             if (reinspect_ssl_appid)
@@ -536,7 +536,7 @@ static inline void process_ssl(AppIdSession& asd,
         if (reinspect_ssl_appid)
         {
-            if ((field=attribute_data.tls_org_unit()) != nullptr)
+            if ((field = attribute_data.tls_org_unit()) != nullptr)
             {
                 asd.tsession->set_tls_org_unit(field->c_str(), field->size());
             }
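Review bot: The two new guards make the first stored value sticky for the whole flow — once `get_tls_host()` or `get_tls_cname()` is non-null the third-party `tls_host`/`tls_cname` attributes are ignored for the rest of the session — and nothing in the hunk explains why, so a later reader will likely read it as a "never updates" bug. Put the rationale above the first guard, e.g. `// a host/cname already recorded on the session (e.g. by AppIdApi::ssl_app_group_id_lookup from the SSL inspector) takes precedence; third-party values only fill the gaps`. The two conditions are also bracketed differently (`A and ((B) != nullptr)` versus `((A and (B) != nullptr))`); use one form so it is obvious they express the same rule. process_ssl begins before this hunk and continues past it, and the first hunk's final context line appears to be cut off on this page.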