From: Suriya Balu -X (subalu - HCL TECHNOLOGIES LIMITED at Cisco) Date: Wed, 21 Jun 2023 13:17:25 +0000 (+0000) Subject: Pull request #3848: appid: add support for cip multiple service packet X-Git-Tag: 3.1.65.0~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b883a644e61748708737b86d376d599149e9b6df;p=thirdparty%2Fsnort3.git Pull request #3848: appid: add support for cip multiple service packet Merge in SNORT/snort3 from ~SUBALU/snort3:msp to master Squashed commit of the following: commit 413d157d7b743f18d98d42f0ca41c58735a31563 Author: suriya Date: Mon May 15 16:55:40 2023 +0530 appid: add support for cip multiple service packet
---
diff --git a/src/network_inspectors/appid/appid_cip_event_handler.cc b/src/network_inspectors/appid/appid_cip_event_handler.cc
index 9ef7c546a..14b1509f6 100644
--- a/src/network_inspectors/appid/appid_cip_event_handler.cc
+++ b/src/network_inspectors/appid/appid_cip_event_handler.cc
@@ -24,6 +24,7 @@ #include "appid_cip_event_handler.h" #include "detector_plugins/cip_patterns.h"
+#include "service_inspectors/cip/cip.h"
 #include "appid_debug.h" using namespace snort;
@@ -90,7 +91,8 @@ void CipEventHandler::handle(DataEvent& event, Flow* flow) AppId payload_id = asd->get_odp_ctxt().get_cip_matchers().get_cip_payload_id(event_data); asd->set_payload_id(payload_id); asd->set_ss_application_ids(APP_ID_CIP, APP_ID_CIP, payload_id, APP_ID_NONE, APP_ID_NONE, change_bits);
-
+ asd->set_cip_msp(event_data->multipayload);
+
 if (change_bits[APPID_PAYLOAD_BIT] and appidDebug->is_enabled()) { appidDebug->activate(flow, asd, inspector.get_ctxt().config.log_all_sessions);
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 5f57ecb35..9f4da772a 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
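Review bot: The added call `asd->set_cip_msp(event_data->multipayload);` in `CipEventHandler::handle` reads the new field on every CIP event, but the cip.h hunk declares it as `bool multipayload;` with no initializer and the only assignment in this patch is inside `parse_multiple_service_packet`. Unless each `CipEventData` is zero-initialized where it is created (not visible here), events published from other CIP paths would carry an indeterminate value, and the new check in `is_appid_inspecting_session()` would keep or release the flow unpredictably. Declaring the member as `bool multipayload = false;` makes the non-multiple-service case explicit. The body of `handle` starts and ends outside the hunk.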
@@ -702,6 +702,17 @@ public: { return client_info_unpublished; }
+
+ void set_cip_msp(bool multipayload)
+ {
+ cip_msp = multipayload;
+ }
+
+ bool is_cip_msp() const
+ {
+ return cip_msp;
+ }
+
 private: uint16_t prev_httpx_raw_packet = 0;
@@ -725,6 +736,7 @@ private: bool no_service_candidate = false; bool no_service_inspector = false; bool client_info_unpublished = false;
+ bool cip_msp = false;
 }; #endif
diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc
index 8e7d2a13b..c38fba1d5 100644
--- a/src/network_inspectors/appid/appid_session_api.cc
+++ b/src/network_inspectors/appid/appid_session_api.cc
@@ -239,6 +239,11 @@ bool AppIdSessionApi::is_appid_inspecting_session() const return true; }
+ if ( get_service_app_id() == APP_ID_CIP and asd->is_cip_msp())
+ {
+ return true;
+ }
+
 if (asd->get_odp_ctxt().check_host_port_app_cache) return true;
diff --git a/src/service_inspectors/cip/cip.h b/src/service_inspectors/cip/cip.h
index 207489a1a..6499ea53e 100644
--- a/src/service_inspectors/cip/cip.h
+++ b/src/service_inspectors/cip/cip.h
@@ -62,6 +62,9 @@ struct CipEventData // CIP_DATA_TYPE_SET_ATTRIBUTE uint8_t service_id;
+ // Set when the packet is a multiple service packet
+ bool multipayload;
+
 // Used for: // CIP_DATA_TYPE_PATH_CLASS: This represents the Request Path Class. // CIP_DATA_TYPE_SET_ATTRIBUTE: This represents the Request Path Class.
diff --git a/src/service_inspectors/cip/cip_parsing.cc b/src/service_inspectors/cip/cip_parsing.cc
index 6889b7120..9f2f07400 100644
--- a/src/service_inspectors/cip/cip_parsing.cc
+++ b/src/service_inspectors/cip/cip_parsing.cc
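Review bot: The early return added to `AppIdSessionApi::is_appid_inspecting_session()` carries no comment saying why a CIP flow flagged as multiple-service must stay under inspection, and its condition is spaced differently from the neighbouring ones (`if ( get_service_app_id()`). I would write it as `if (get_service_app_id() == APP_ID_CIP and asd->is_cip_msp())` with a comment above it such as `// CIP multiple service packet: more embedded services may follow, keep inspecting` (wording for the author to confirm). The comment should also state that `cip_msp` is session state that is reset only by a later CIP event with `multipayload` false, since in this patch `set_cip_msp` is called only from the CIP event handler. The function starts and ends outside the hunk.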
@@ -1538,6 +1538,11 @@ static bool parse_multiple_service_packet(const uint8_t* data, pack_cip_request_event(&embedded_request, &cip_event_data);
+ if (i != number_services)
+ cip_event_data.multipayload = true;
+ else
+ cip_event_data.multipayload = false;
+
 DataBus::publish(CipEventData::pub_id, CipEventIds::DATA, cip_event, global_data->snort_packet->flow); }
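Review bot: Whether the `else` branch added in `parse_multiple_service_packet` is ever taken depends on how `i` is counted, and the loop header is outside the hunk. If `i` is a zero-based index bounded by `i < number_services`, then `i != number_services` is always true inside the loop, so `multipayload` is never reset for the last embedded service and the AppId session stays flagged as multiple-service. In that case the assignment should be `cip_event_data.multipayload = (i + 1 < number_services);`. If `i` is one-based the logic holds, and the four lines still collapse to `cip_event_data.multipayload = (i != number_services);`.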