From: Shravan Rangarajuvenkata (shrarang)
Date: Mon, 4 May 2020 02:17:18 +0000 (+0000)
Subject: Merge pull request #2195 in SNORT/snort3 from ~SATHIRKA/snort3:tunneled_session_metad...
X-Git-Tag: 3.0.1-3~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b68f48f21d346fb037d84bbbae0dd4ea051abf92;p=thirdparty%2Fsnort3.git

Merge pull request #2195 in SNORT/snort3 from ~SATHIRKA/snort3:tunneled_session_metadata to master

Squashed commit of the following:

commit dce8ec78a6c30495e0233a8622c200b236ceb3fe
Author: Sreeja Athirkandathil Narayanan
Date: Tue Apr 28 14:43:16 2020 -0400

appid: Extract metadata for tunneled HTTP session
---

diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 9e656adb3..b06450d8a 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -324,7 +324,7 @@ void AppIdSession::sync_with_snort_protocol_id(AppId newAppId, Packet* p)
 }
 }
 
-void AppIdSession::check_app_detection_restart(AppidChangeBits& change_bits)
+void AppIdSession::check_ssl_detection_restart(AppidChangeBits& change_bits)
 {
 if (get_session_flags(APPID_SESSION_DECRYPTED) or !flow->is_proxied())
 return;
@@ -358,6 +358,49 @@ void AppIdSession::check_app_detection_restart(AppidChangeBits& change_bits)
 }
 }
 
+void AppIdSession::check_tunnel_detection_restart()
+{
+ if (tp_payload_app_id != APP_ID_HTTP_TUNNEL or get_session_flags(APPID_SESSION_HTTP_TUNNEL))
+ return;
+
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Found HTTP Tunnel, restarting app Detection\n",
+ appidDebug->get_debug_session());
+
+ // service
+ if (service.get_id() == service.get_port_service_id())
+ service.set_id(APP_ID_NONE, ctxt.get_odp_ctxt());
+ service.set_port_service_id(APP_ID_NONE);
+ service.reset();
+ service_ip.clear();
+ service_port = 0;
+ service_disco_state = APPID_DISCO_STATE_NONE;
+ service_detector = nullptr;
+ free_flow_data_by_mask(APPID_SESSION_DATA_SERVICE_MODSTATE_BIT);
+
+ // client
+ client.reset();
+ client_inferred_service_id = APP_ID_NONE;
+ client_disco_state = APPID_DISCO_STATE_NONE;
+ free_flow_data_by_mask(APPID_SESSION_DATA_CLIENT_MODSTATE_BIT);
+ client_candidates.clear();
+
+ init_tpPackets = 0;
+ resp_tpPackets = 0;
+ scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG;
+ clear_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_CLIENT_DETECTED |
+ APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_REINSPECT);
+
+ set_session_flags(APPID_SESSION_HTTP_TUNNEL);
+
+}
+
+void AppIdSession::check_app_detection_restart(AppidChangeBits& change_bits)
+{
+ check_ssl_detection_restart(change_bits);
+ check_tunnel_detection_restart();
+}
+
 void AppIdSession::update_encrypted_app_id(AppId service_id)
 {
 switch (service_id)
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 9664aa1c1..7b94f245e 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
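Review bot: check_tunnel_detection_restart in this hunk resets the service and client discovery state but says nothing about what is deliberately kept — tp_payload_app_id, the payload verdict and any existing HTTP session are left alone, and the APPID_SESSION_HTTP_TUNNEL flag it sets at the end makes the restart a one-time event per flow. A header comment above the function would save the next reader from re-deriving that, e.g. `// Once the third-party engine reports an HTTP tunnel, drop the outer service/client verdict and rediscover the tunneled protocol; runs at most once per flow (APPID_SESSION_HTTP_TUNNEL), payload state is kept.` The stray blank line between `set_session_flags(APPID_SESSION_HTTP_TUNNEL);` and the closing brace should go. check_app_detection_restart now runs the SSL restart and then this one on the same packet; since the SSL body is outside this hunk, a short note on whether the two are meant to be independent would help.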
@@ -342,6 +342,8 @@ public:
 void set_referred_payload_app_id_data(AppId, AppidChangeBits& change_bits);
 void set_payload_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr);
 void check_app_detection_restart(AppidChangeBits& change_bits);
+ void check_ssl_detection_restart(AppidChangeBits& change_bits);
+ void check_tunnel_detection_restart();
 void update_encrypted_app_id(AppId);
 void examine_rtmp_metadata(AppidChangeBits& change_bits);
 void sync_with_snort_protocol_id(AppId, snort::Packet*);
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index e9f978c49..98d961fdd 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
@@ -89,6 +89,7 @@ namespace snort
 #define APPID_SESSION_PAYLOAD_SEEN (1ULL << 42)
 #define APPID_SESSION_HOST_CACHE_MATCHED (1ULL << 43)
 #define APPID_SESSION_DECRYPT_MONITOR (1ULL << 44)
+#define APPID_SESSION_HTTP_TUNNEL (1ULL << 45)
 #define APPID_SESSION_IGNORE_ID_FLAGS \
 (APPID_SESSION_IGNORE_FLOW | \
 APPID_SESSION_NOT_A_SERVICE | \
diff --git a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc
index f8bc420d7..f94dd7afd 100644
--- a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc
+++ b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc
@@ -1516,8 +1516,15 @@ bool HttpPatternMatchers::get_appid_from_url(const char* host, const char* url,
 snort_free(temp_host);
 return false;
 }
- path_len = url_len - host_len;
- path = url + host_len;
+ path = strchr(url, '/');
+ if (path)
+ path_len = url + url_len - path;
+ }
+
+ if (!path_len)
+ {
+ path = "/";
+ path_len = 1;
 }
 
 patterns[0].pattern = (const uint8_t*)host;
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index f26d66eaa..7248e9720 100644
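Review bot: APPID_SESSION_HTTP_TUNNEL is added to the public session-flag list in appid_session_api.h without a comment, and the name alone does not say whether it means "this flow is an HTTP tunnel" or "the tunnel detection restart has already been done"; the appid_session.cc hunk uses it in the second sense (set once after the restart, then checked to prevent another). A trailing comment would settle that for other users of the API, e.g. `#define APPID_SESSION_HTTP_TUNNEL (1ULL << 45) // tunnel detection restart already performed for this flow`.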
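Review bot: `path = strchr(url, '/')` in get_appid_from_url scans url from its first byte, whereas the replaced `path = url + host_len` assumed url begins with the host; if any caller can pass a scheme-prefixed URL (`http://host/...`) the first slash found is the one in `://` and the extracted path becomes `//host/...`, which would change what the URL patterns match against. If url is guaranteed host-relative here, a comment above the call saying so is enough; otherwise start the search after the host, `path = strchr(url + host_len, '/');` — host_len is still in scope on the deleted line. The `if (!path_len)` fallback to "/" also relies on path_len having been zeroed before this hunk, which is outside the visible lines and worth confirming. The enclosing function starts and ends outside the hunk.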
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -508,6 +508,15 @@ static inline void process_ssl(AppIdSession& asd,
 const string* field = 0;
 int reinspect_ssl_appid = 0;
+ if (asd.get_session_flags(APPID_SESSION_HTTP_TUNNEL))
+ {
+ if (!asd.service_detector)
+ asd.service_detector = asd.ctxt.get_odp_ctxt().get_app_info_mgr().
+ get_app_info_entry(APP_ID_SSL)->service_detector;
+ if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION))
+ asd.clear_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION);
+ }
+
 tmpAppId = asd.tpsession->get_appid(tmpConfidence);
 asd.set_session_flags(APPID_SESSION_SSL_SESSION);
@@ -601,6 +610,9 @@ static inline void process_third_party_results(AppIdSession& asd, int confidence
 asd.set_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION);
 }
 
+ if (contains(proto_list, APP_ID_SSL))
+ process_ssl(asd, attribute_data, change_bits);
+
 if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION))
 process_http_session(asd, attribute_data, change_bits);
 
@@ -608,9 +620,6 @@ static inline void process_third_party_results(AppIdSession& asd, int confidence
 contains(proto_list, APP_ID_RTSP) )
 process_rtmp(asd, attribute_data, confidence, change_bits);
 
- else if (contains(proto_list, APP_ID_SSL))
- process_ssl(asd, attribute_data, change_bits);
-
 else if (contains(proto_list, APP_ID_FTP_CONTROL))
 process_ftp_control(asd, attribute_data);
 
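Review bot: In process_ssl, `get_app_info_entry(APP_ID_SSL)->service_detector` dereferences the lookup result without a null check; whether the app-info table can lack the SSL entry is not visible from here, but if it can, this is a null dereference on the packet path, reachable for every flow that carries the tunnel flag. Guarding it costs two lines: `if (auto* entry = asd.ctxt.get_odp_ctxt().get_app_info_mgr().get_app_info_entry(APP_ID_SSL)) asd.service_detector = entry->service_detector;`. A one-line comment on the flag-clearing that follows, noting that it is the reason process_ssl must now run before process_http_session, would tie this block to the reordering in the later hunk. process_ssl continues outside the hunk.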
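Review bot: Moving the APP_ID_SSL branch out of the else-if chain in process_third_party_results changes two things the hunk at @@ -601 does not document: process_ssl now runs before process_http_session, so the HTTP/SPDY flags it clears for tunneled flows take effect in the same pass, and it is no longer exclusive with the RTMP/RTSP and FTP branches that follow, so a proto_list carrying SSL together with one of those now calls two handlers where it called one. If the ordering is the intent, a comment above the new `if (contains(proto_list, APP_ID_SSL))` such as `// must precede the HTTP check: for tunneled flows process_ssl clears the HTTP/SPDY session flags` makes it explicit; if the old exclusivity was relied on anywhere, the deletion at @@ -608 is where it was lost. The enclosing function extends beyond both hunks.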
@@ -791,26 +800,16 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I
 
 asd.set_tp_app_id(APP_ID_HTTP);
 
- // Handle HTTP tunneling and SSL possibly then being used in that tunnel
 if (tp_app_id == APP_ID_HTTP_TUNNEL)
 asd.set_payload_appid_data(APP_ID_HTTP_TUNNEL, change_bits);
- else if (asd.payload.get_id() == APP_ID_HTTP_TUNNEL)
- {
- if (tp_app_id == APP_ID_SSL)
- asd.set_payload_appid_data(APP_ID_HTTP_SSL_TUNNEL, change_bits);
- else
- asd.set_payload_appid_data(tp_app_id, change_bits);
- }
+ else if (asd.payload.get_id() == APP_ID_HTTP_TUNNEL and tp_app_id != APP_ID_SSL)
+ asd.set_payload_appid_data(tp_app_id, change_bits);
 
 AppIdHttpSession* hsession = asd.get_http_session();
 if (!hsession)
 hsession = asd.create_http_session();
 hsession->process_http_packet(direction, change_bits, asd.ctxt.get_odp_ctxt().get_http_matchers());
 
- // If SSL over HTTP tunnel, make sure Snort knows that it's encrypted.
- if (asd.payload.get_id() == APP_ID_HTTP_SSL_TUNNEL)
- snort_app_id = APP_ID_SSL;
-
 if (asd.get_tp_app_id() == APP_ID_HTTP and !asd.get_session_flags(APPID_SESSION_APP_REINSPECT) and
 asd.is_tp_appid_available())