From: Shravan Rangarajuvenkata (shrarang)
Date: Thu, 27 Jan 2022 01:44:06 +0000 (+0000)
Subject: Pull request #3245: appid: give priority to custom process to app mappings over VDB...
X-Git-Tag: 3.1.22.0~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0c33512d027c5924cfe7d95dea28431392dff81;p=thirdparty%2Fsnort3.git
Pull request #3245: appid: give priority to custom process to app mappings over VDB mappings
Merge in SNORT/snort3 from ~SATHIRKA/snort3:multi_process_to_same_app_mapping to master
Squashed commit of the following:
commit 7bc7925573e5888981618557215d3398927823ce
Author: Sreeja Athirkandathil Narayanan
Date: Wed Jan 19 16:50:51 2022 -0500
appid: give priority to custom process to app mappings over ODP mappings
---
diff --git a/src/network_inspectors/appid/client_plugins/efp_ca_patterns.cc b/src/network_inspectors/appid/client_plugins/efp_ca_patterns.cc
index ee047867c..ba754c5ea 100644
--- a/src/network_inspectors/appid/client_plugins/efp_ca_patterns.cc
+++ b/src/network_inspectors/appid/client_plugins/efp_ca_patterns.cc
@@ -24,15 +24,27 @@
 #include "efp_ca_patterns.h"
+#include
+
 #include "log/messages.h"
 #include "utils/util.h"
 #include "appid_debug.h"
 using namespace snort;
+using namespace std;
-void EfpCaPatternMatchers::add_efp_ca_pattern(AppId app_id, const std::string& pattern_str,
- uint8_t confidence)
+void EfpCaPatternMatchers::add_efp_ca_pattern(AppId app_id, const string& pattern_str,
+ uint8_t confidence, const string& detector)
 {
+ auto match = find_if(efp_ca_load_list.begin(), efp_ca_load_list.end(),
+ [app_id, pattern_str] (EfpCaPattern* efp_ca)
+ { return (efp_ca->pattern == pattern_str and efp_ca->app_id != app_id); });
+
+ if (match != efp_ca_load_list.end())
+ WarningMessage("appid: detector %s - process name '%s' for client app %d is already "
+ "mapped to client app %d\n", detector.c_str(), (*match)->pattern.c_str(), app_id,
+ (*match)->app_id);
+
 EfpCaPattern* new_efp_ca_pattern = new EfpCaPattern(app_id, pattern_str, confidence);
 efp_ca_load_list.push_back(new_efp_ca_pattern);
 }
@@ -44,7 +56,7 @@ static int efp_ca_pattern_match(void* id, void*, int, void* data, void*)
 return 0;
 }
-AppId EfpCaPatternMatchers::match_efp_ca_pattern(const std::string& pattern,
+AppId EfpCaPatternMatchers::match_efp_ca_pattern(const string& pattern,
 uint8_t reported_confidence)
 {
 EfpCaPatternList* efp_ca_match_list = new EfpCaPatternList();
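Review bot: The find_if lambda in add_efp_ca_pattern captures `pattern_str` by value, so every registration copies the string just to compare it; `[app_id, &pattern_str] (const EfpCaPattern* efp_ca)` avoids the copy, and the reference cannot dangle because the lambda is consumed inside the call. The duplicate entry is still pushed onto efp_ca_load_list after the warning, which is what lets the matcher choose between the two mappings later, but nothing in the code says this is intentional; a comment above the push_back such as `// Intentionally keep both mappings; match_efp_ca_pattern decides which one wins at lookup time` would stop a later cleanup from turning the warning into a rejection. The warning names only the two app ids, so an operator cannot tell which detector owns the earlier mapping; recording the registering detector on EfpCaPattern would make the message actionable, though that change reaches beyond this hunk.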
@@ -55,14 +67,19 @@ AppId EfpCaPatternMatchers::match_efp_ca_pattern(const std::string& pattern,
 for (auto &mp : *efp_ca_match_list)
 {
- if (reported_confidence >= mp->confidence)
+ if (mp->pattern.size() == pattern.size())
 {
- if (!best_match or (mp->pattern.size() > best_match->pattern.size() or
- (mp->pattern.size() == best_match->pattern.size() and
- mp->confidence > best_match->confidence)))
- {
+ if (reported_confidence >= mp->confidence)
 best_match = mp;
- }
+ else if (best_match)
+ best_match = nullptr;
+ break;
+ }
+ else if ((reported_confidence >= mp->confidence) and
+ (!best_match or (mp->pattern.size() > best_match->pattern.size())))
+ {
+ best_match = mp;
+ continue;
 }
 }
 AppId ret_app_id = APP_ID_NONE;
diff --git a/src/network_inspectors/appid/client_plugins/efp_ca_patterns.h b/src/network_inspectors/appid/client_plugins/efp_ca_patterns.h
index dca3167ec..dcdb1d03e 100644
--- a/src/network_inspectors/appid/client_plugins/efp_ca_patterns.h
+++ b/src/network_inspectors/appid/client_plugins/efp_ca_patterns.h
@@ -45,7 +45,7 @@ class EfpCaPatternMatchers
 public:
 ~EfpCaPatternMatchers();
 AppId match_efp_ca_pattern(const std::string&, uint8_t);
- void add_efp_ca_pattern(AppId, const std::string&, uint8_t);
+ void add_efp_ca_pattern(AppId, const std::string&, uint8_t, const std::string&);
 void finalize_patterns();
 void reload_patterns();
diff --git a/src/network_inspectors/appid/client_plugins/test/client_plugins_mock.h b/src/network_inspectors/appid/client_plugins/test/client_plugins_mock.h
index 892440618..95148a451 100644
--- a/src/network_inspectors/appid/client_plugins/test/client_plugins_mock.h
+++ b/src/network_inspectors/appid/client_plugins/test/client_plugins_mock.h
@@ -23,6 +23,7 @@ namespace snort
 {
 // Stubs for messages
 void LogMessage(const char*,...) { }
+void WarningMessage(const char*,...) { }
 // Stubs for search_tool.cc
 SearchTool::SearchTool(char const*, bool) { }
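Review bot: When several entries in efp_ca_match_list have the same length as `pattern` — exactly the case this change targets, one process name mapped by more than one detector — the new `break` makes the first such entry encountered decide the result, so the priority promised by the commit title appears to rest entirely on the order in which efp_ca_pattern_match appended matches, and nothing in this hunk pins that order down. If load order is what guarantees custom mappings come before ODP ones, a comment on the `break` such as `// first exact match wins: load order puts custom mappings ahead of ODP ones` should record that invariant; if it is not guaranteed, the loop needs an explicit tie-breaker rather than relying on list order. The `else if (best_match)` guard before `best_match = nullptr;` and the trailing `continue;` are redundant and can be dropped. An exact-length entry whose confidence is too low now also discards a partial match accepted earlier, a semantic change from the removed longest-pattern rule that deserves a one-line comment. match_efp_ca_pattern begins and ends outside this hunk.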
diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc
index 2f20579ad..2fab466af 100644
--- a/src/network_inspectors/appid/lua_detector_api.cc
+++ b/src/network_inspectors/appid/lua_detector_api.cc
@@ -1011,9 +1011,10 @@ static int add_process_to_client_mapping(lua_State* L)
 }
 const std::string process_name(tmp_string);
 uint8_t process_score = lua_tointeger(L, ++index);
+ const std::string detector_name = ud->get_detector()->get_name();
 ud->get_odp_ctxt().get_efp_ca_matchers().add_efp_ca_pattern(appid, process_name,
- process_score);
+ process_score, detector_name);
 ud->get_odp_ctxt().get_app_info_mgr().set_app_info_active(appid);