From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 22 Oct 2019 13:24:20 +0000 (-0400) Subject: Merge pull request #1808 in SNORT/snort3 from ~SHRARANG/snort3:appid_inferred_svc_ver... X-Git-Tag: 3.0.0-263~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2950e94a2fc881f0c8390448e90eacafb249e6a;p=thirdparty%2Fsnort3.git Merge pull request #1808 in SNORT/snort3 from ~SHRARANG/snort3:appid_inferred_svc_versioning to master Squashed commit of the following: commit ca9b2578a0e6377aa4a66edc1358f2652e88ae1d Author: Shravan Rangaraju Date: Fri Oct 18 16:34:32 2019 -0400 appid: check inferred services in host cache only if there were updates --- diff --git a/src/host_tracker/host_tracker.cc b/src/host_tracker/host_tracker.cc index c8ae5a7db..ecf9d7843 100644 --- a/src/host_tracker/host_tracker.cc +++ b/src/host_tracker/host_tracker.cc @@ -79,7 +79,7 @@ void HostTracker::copy_data(uint8_t& p_hops, uint32_t& p_last_seen, list(macs.begin(), macs.end()); } -bool HostTracker::add_service(Port port, IpProtocol proto, AppId appid, bool inferred_appid) +bool HostTracker::add_service(Port port, IpProtocol proto, AppId appid, bool inferred_appid, bool* added) { host_tracker_stats.service_adds++; std::lock_guard lck(host_tracker_lock); @@ -92,12 +92,17 @@ bool HostTracker::add_service(Port port, IpProtocol proto, AppId appid, bool inf { s.appid = appid; s.inferred_appid = inferred_appid; + if (added) + *added = true; } return true; } } services.emplace_back( HostApplication{port, proto, appid, inferred_appid} ); + if (added) + *added = true; + return true; } diff --git a/src/host_tracker/host_tracker.h b/src/host_tracker/host_tracker.h index 5d45a11ac..60d6ce309 100644 --- a/src/host_tracker/host_tracker.h +++ b/src/host_tracker/host_tracker.h 
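Review bot: In `HostTracker::add_service`, `*added` is only ever written with `true`, once in the block that updates an existing entry's appid and once after `emplace_back`. When the entry already matches, the function returns without touching it, so the result is only meaningful if the caller initialised the flag to `false`. Resetting it on entry with `if (added) *added = false;` would make the out-parameter self-contained. The name also understates the contract, since an in-place appid change is reported as "added"; `changed` or `updated` would describe it better. The signature is in the previous hunk of this file, and the condition guarding the update block is outside the hunk.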
@@ -106,7 +106,7 @@ public: // Appid may not be identified always. Inferred means dynamic/runtime // appid detected from one flow to another flow such as BitTorrent. bool add_service(Port port, IpProtocol proto, - AppId appid = APP_ID_NONE, bool inferred_appid = false); + AppId appid = APP_ID_NONE, bool inferred_appid = false, bool* added = nullptr); AppId get_appid(Port port, IpProtocol proto, bool inferred_only = false, bool allow_port_wildcard = false); diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index 68d880226..4f070ae50 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -691,7 +691,7 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession** p_asd, AppIdInsp *p_asd = asd = AppIdSession::allocate_session(p, protocol, direction, &inspector); if (p->flow->get_session_flags() & SSNFLAG_MIDSTREAM) { - asd->set_session_flags(APPID_SESSION_MID); + flow_flags |= APPID_SESSION_MID; if (appidDebug->is_active()) LogMessage("AppIdDbg %s New AppId mid-stream session\n", appidDebug->get_debug_session()); @@ -873,7 +873,7 @@ bool AppIdDiscovery::do_host_port_based_discovery(Packet* p, AppIdSession& asd, if(tun_dest) { ip = &(tun_dest->ip); - port = tun_dest->port; + port = tun_dest->port; } else { @@ -922,6 +922,10 @@ bool AppIdDiscovery::do_host_port_based_discovery(Packet* p, AppIdSession& asd, if (!hv and check_dynamic) { + std::lock_guard lck(AppIdSession::inferred_svcs_lock); + if (!asd.is_inferred_svcs_ver_updated()) + return false; + auto ht = host_cache.find(*ip); if (ht) { diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 367c01458..c410bb212 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc 
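Review bot: The comment above the `add_service` declaration is not extended for the new `added` parameter, and the header is where callers will look for its contract. A line such as `// If added is non-null, *added is set to true when an entry is created or its appid is changed; it is left untouched otherwise.` would cover it. That wording reflects the assignments visible in host_tracker.cc in this commit.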
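Review bot: The `std::lock_guard` added at the top of the `if (!hv and check_dynamic)` block stays held until the block closes, so `host_cache.find(*ip)` and the work on `ht` run under the process-wide `AppIdSession::inferred_svcs_lock` for every packet thread that reaches this path. Only the version comparison needs the mutex, because the writer in `detector_add_host_port_dynamic` holds the same lock across `add_service` and `incr_inferred_svcs_ver()`, so a reader that observes the new version also observes the new service, assuming the host tracker's own lock covers the read. Scoping the guard to the check avoids serialising the cache lookup: `bool updated; { std::lock_guard<std::mutex> lck(AppIdSession::inferred_svcs_lock); updated = asd.is_inferred_svcs_ver_updated(); }` followed by `if (!updated) return false;`. The block continues past the end of the hunk, so it is worth confirming that nothing later in the function still has to run for sessions that take the early `return false`.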
@@ -55,6 +55,8 @@ using namespace snort; unsigned AppIdSession::inspector_id = 0; THREAD_LOCAL uint32_t AppIdSession::appid_flow_data_id = 0; +std::mutex AppIdSession::inferred_svcs_lock; +uint16_t AppIdSession::inferred_svcs_ver = 0; const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_len, const uint8_t* needle, unsigned needle_len) diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 19e4bb451..aabc69439 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -23,6 +23,7 @@ #define APPID_SESSION_H #include +#include #include #include @@ -278,6 +279,8 @@ public: snort::SEARCH_SUPPORT_TYPE search_support_type = snort::UNKNOWN_SEARCH_ENGINE; bool in_expected_cache = false; static unsigned inspector_id; + static std::mutex inferred_svcs_lock; + static void init() { inspector_id = FlowData::create_flow_data_id(); } void set_session_flags(uint64_t flags) { common.flags |= flags; } @@ -364,6 +367,21 @@ public: return tp_payload_app_id; } + inline uint16_t is_inferred_svcs_ver_updated() + { + if (my_inferred_svcs_ver == inferred_svcs_ver) + return false; + my_inferred_svcs_ver = inferred_svcs_ver; + return true; + } + + static inline void incr_inferred_svcs_ver() + { + inferred_svcs_ver++; + if (inferred_svcs_ver == 0) + inferred_svcs_ver++; + } + private: AppIdHttpSession* hsession = nullptr; AppIdDnsSession* dsession = nullptr; @@ -379,6 +397,9 @@ private: // appId determined by 3rd party library AppId tp_app_id = APP_ID_NONE; AppId tp_payload_app_id = APP_ID_NONE; + + uint16_t my_inferred_svcs_ver = 0; + static uint16_t inferred_svcs_ver; }; static inline bool is_svc_http_type(AppId serviceId) diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc index b32bcd238..d0f8ecd78 100644 --- a/src/network_inspectors/appid/lua_detector_api.cc 
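Review bot: In appid_session.h, `is_inferred_svcs_ver_updated()` is declared to return `uint16_t` but only ever returns `true` or `false`, so the return type should be `bool`. It reads the shared static `inferred_svcs_ver` and `incr_inferred_svcs_ver()` writes it, and neither takes `inferred_svcs_lock` itself. Both therefore rely on every caller holding the mutex, which nothing in the header states; a comment on each, `// Caller must hold inferred_svcs_lock.`, would document that. The `is_` prefix also suggests a pure predicate, yet the call stores the current version into `my_inferred_svcs_ver`, so the comment should say that a `true` result consumes the update.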
+++ b/src/network_inspectors/appid/lua_detector_api.cc @@ -1190,8 +1190,12 @@ static int detector_add_host_port_dynamic(lua_State* L) return 0; } - if ( !host_cache[ip_addr]->add_service(port, proto, appid, true) ) + bool added = false; + std::lock_guard lck(AppIdSession::inferred_svcs_lock); + if ( !host_cache[ip_addr]->add_service(port, proto, appid, true, &added) ) ErrorMessage("%s:Failed to add host tracker service\n",__func__); + if (added) + AppIdSession::incr_inferred_svcs_ver(); return 0; } diff --git a/src/network_inspectors/appid/test/appid_mock_session.h b/src/network_inspectors/appid/test/appid_mock_session.h index 16d85b69d..994f6e1cb 100644 --- a/src/network_inspectors/appid/test/appid_mock_session.h +++ b/src/network_inspectors/appid/test/appid_mock_session.h @@ -54,6 +54,8 @@ AppIdServiceSubtype APPID_UT_SERVICE_SUBTYPE = { nullptr, APPID_UT_SERVICE, APPID_UT_SERVICE_VERSION }; unsigned AppIdSession::inspector_id = 0; +std::mutex AppIdSession::inferred_svcs_lock; +uint16_t AppIdSession::inferred_svcs_ver = 0; class MockAppIdDnsSession : public AppIdDnsSession {