From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 24 Mar 2020 22:40:00 +0000 (+0000) Subject: Merge pull request #2069 in SNORT/snort3 from ~OZAIKA/snort3:http2_draft_test to... X-Git-Tag: 3.0.0-270~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d5c916ff2ba9cf0c8b3d7a513d11b6bff40fe18a;p=thirdparty%2Fsnort3.git Merge pull request #2069 in SNORT/snort3 from ~OZAIKA/snort3:http2_draft_test to master Squashed commit of the following: commit 3c70e324722c55684edd27c3689db0d699dfcad8 Author: Oleksii Zaika Date: Tue Mar 10 08:26:02 2020 -0400 appid: support detection for first stream in http/2 session --- diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt index 49e83d0f3..90afa09ef 100644 --- a/src/network_inspectors/appid/CMakeLists.txt +++ b/src/network_inspectors/appid/CMakeLists.txt @@ -116,8 +116,6 @@ set ( SP_APPID_SOURCES set ( DP_APPID_SOURCES detector_plugins/detector_dns.cc detector_plugins/detector_dns.h - detector_plugins/detector_http.cc - detector_plugins/detector_http.h detector_plugins/detector_imap.cc detector_plugins/detector_imap.h detector_plugins/detector_kerberos.cc diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc index 190650583..cea15369e 100644 --- a/src/network_inspectors/appid/appid_http_event_handler.cc +++ b/src/network_inspectors/appid/appid_http_event_handler.cc @@ -137,6 +137,10 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) if (asd->service.get_id() == APP_ID_HTTP) { + if (http_event->get_is_http2() && http_event->get_http2_stream_id() != 0) + { + asd->service.set_id(APP_ID_HTTP2, asd->ctxt.get_odp_ctxt()); + } asd->set_application_ids(asd->pick_service_app_id(), asd->pick_client_app_id(), asd->pick_payload_app_id(), asd->pick_misc_app_id(), change_bits); } 
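Review bot: In the appid_http_event_handler.cc hunk, the added branch sets the service id to APP_ID_HTTP2 inside the enclosing `if (asd->service.get_id() == APP_ID_HTTP)` guard, so after the first HTTP/2 event that guard is false and `asd->set_application_ids(...)` in this block is no longer reached for later streams of the same session. If "first stream only" is intended, say so with a comment such as `// HTTP/2: promote the service once, on the first non-zero stream; later events skip this block`; otherwise the guard needs to accept APP_ID_HTTP2 as well. The deleted HttpClientDetector::validate also set `args.asd.is_http2 = true` and the client/service detected flags when the cleartext preface matched. Nothing in this hunk does that, so it is worth confirming they are set elsewhere. It is also worth confirming that prior-knowledge HTTP/2 on non-standard ports is still identified when no HttpEvent is published for the flow. The body of HttpEventHandler::handle starts and ends outside the hunk.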
diff --git a/src/network_inspectors/appid/client_plugins/client_discovery.cc b/src/network_inspectors/appid/client_plugins/client_discovery.cc
index 1d95b8a1b..caaa8465b 100644
--- a/src/network_inspectors/appid/client_plugins/client_discovery.cc
+++ b/src/network_inspectors/appid/client_plugins/client_discovery.cc
@@ -40,7 +40,6 @@
 #include "client_app_timbuktu.h"
 #include "client_app_tns.h"
 #include "client_app_vnc.h"
-#include "detector_plugins/detector_http.h"
 #include "detector_plugins/detector_imap.h"
 #include "detector_plugins/detector_kerberos.h"
 #include "detector_plugins/detector_pattern.h"
@@ -57,7 +56,6 @@ void ClientDiscovery::initialize()
 new AimClientDetector(this);
 new BitClientDetector(this);
 new BitTrackerClientDetector(this);
- new HttpClientDetector(this);
 new ImapClientDetector(this);
 new KerberosClientDetector(this);
 new MsnClientDetector(this);
diff --git a/src/network_inspectors/appid/detector_plugins/detector_http.cc b/src/network_inspectors/appid/detector_plugins/detector_http.cc
deleted file mode 100644
index b0d4d8607..000000000
--- a/src/network_inspectors/appid/detector_plugins/detector_http.cc
+++ /dev/null
@@ -1,101 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// detector_http.cc author Sourcefire Inc.
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "detector_http.h"
-
-// Start of HTTP/2 detection logic.
-//
-// This is intended to simply detect the presence of HTTP version 2 as a
-// service protocol if it is seen (unencrypted) on non-std ports. That way, we
-// can notify Snort for future reference. this covers the "with prior
-// knowledge" case for HTTP/2 (i.e., the client knows the server supports
-// HTTP/2 and jumps right in with the preface).
-
-static const char HTTP2_PREFACE[] = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n";
-#define HTTP2_PREFACE_LEN (sizeof(HTTP2_PREFACE) - 1)
-#define HTTP2_PREFACE_MAXPOS (sizeof(HTTP2_PREFACE)-2)
-
-static HttpServiceDetector* http_service_detector;
-
-HttpClientDetector::HttpClientDetector(ClientDiscovery* cdm)
-{
- handler = cdm;
- name = "HTTP";
- proto = IpProtocol::TCP;
- minimum_matches = 1;
-
- tcp_patterns =
- {
- { (const uint8_t*)HTTP2_PREFACE, HTTP2_PREFACE_LEN, 0, 0, APP_ID_HTTP }
- };
-
- appid_registry =
- {
- { APP_ID_HTTP, 0 }
- };
-
- handler->register_detector(name, this, proto);
-}
-
-
-int HttpClientDetector::validate(AppIdDiscoveryArgs& args)
-{
- add_app(args.asd, APP_ID_HTTP, APP_ID_HTTP + GENERIC_APP_OFFSET, nullptr, args.change_bits);
- args.asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
- http_service_detector->add_service(args.change_bits, args.asd, args.pkt,
- args.dir, APP_ID_HTTP);
- args.asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
- args.asd.set_session_flags(APPID_SESSION_CLIENT_DETECTED | APPID_SESSION_SERVICE_DETECTED);
- args.asd.clear_session_flags(APPID_SESSION_CONTINUE);
- args.asd.is_http2 = true;
-
- return APPID_SUCCESS;
-}
-
-HttpServiceDetector::HttpServiceDetector(ServiceDiscovery* sd)
-{
- http_service_detector = this;
-
- handler = sd;
- name = "HTTP";
- proto = IpProtocol::TCP;
- detectorType = DETECTOR_TYPE_DECODER;
-
- appid_registry =
- {
- { APP_ID_HTTP, 0 }
- };
-
- handler->register_detector(name, this, proto);
-}
-
-
-int HttpServiceDetector::validate(AppIdDiscoveryArgs&)
-{
- return APPID_INPROCESS;
-}
-
-// End of HTTP/2 detection logic.
-
diff --git a/src/network_inspectors/appid/detector_plugins/detector_http.h b/src/network_inspectors/appid/detector_plugins/detector_http.h
deleted file mode 100644
index 47b38044e..000000000
--- a/src/network_inspectors/appid/detector_plugins/detector_http.h
+++ /dev/null
@@ -1,45 +0,0 @@
-//--------------------------------------------------------------------------
-// Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
-// Copyright (C) 2005-2013 Sourcefire, Inc.
-//
-// This program is free software; you can redistribute it and/or modify it
-// under the terms of the GNU General Public License Version 2 as published
-// by the Free Software Foundation. You may not use, modify or distribute
-// this program under any other version of the GNU General Public License.
-//
-// This program is distributed in the hope that it will be useful, but
-// WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-// General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-//--------------------------------------------------------------------------
-
-// detector_http.h author Sourcefire Inc.
-
-#ifndef DETECTOR_HTTP_H
-#define DETECTOR_HTTP_H
-
-#include "client_plugins/client_detector.h"
-#include "service_plugins/service_detector.h"
-
-class HttpClientDetector : public ClientDetector
-{
-public:
- HttpClientDetector(ClientDiscovery*);
-
- int validate(AppIdDiscoveryArgs&) override;
-};
-
-class HttpServiceDetector : public ServiceDetector
-{
-public:
- HttpServiceDetector(ServiceDiscovery*);
-
- int validate(AppIdDiscoveryArgs&) override;
-};
-
-#endif
-
diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc
index 18de10ac6..b0744109f 100644
--- a/src/network_inspectors/appid/lua_detector_api.cc
+++ b/src/network_inspectors/appid/lua_detector_api.cc
@@ -39,7 +39,6 @@
 #include "appid_inspector.h"
 #include "client_plugins/client_discovery.h"
 #include "detector_plugins/detector_dns.h"
-#include "detector_plugins/detector_http.h"
 #include "detector_plugins/detector_pattern.h"
 #include "detector_plugins/detector_sip.h"
 #include "detector_plugins/http_url_patterns.h"
diff --git a/src/network_inspectors/appid/lua_detector_module.cc b/src/network_inspectors/appid/lua_detector_module.cc
index 998d43447..5788371d5 100644
--- a/src/network_inspectors/appid/lua_detector_module.cc
+++ b/src/network_inspectors/appid/lua_detector_module.cc
@@ -35,7 +35,6 @@
 #include "lua_detector_util.h"
 #include "lua_detector_api.h"
 #include "lua_detector_flow_api.h"
-#include "detector_plugins/detector_http.h"
 #include "utils/util.h"
 #include "utils/sflsq.h"
 #include "log/messages.h"
diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc
index f726b393e..c1ef13c03 100644
--- a/src/network_inspectors/appid/service_plugins/service_discovery.cc
+++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc
@@ -37,7 +37,6 @@
 #include "appid_dns_session.h"
 #include "appid_session.h"
 #include "detector_plugins/detector_dns.h"
-#include "detector_plugins/detector_http.h"
 #include "detector_plugins/detector_imap.h"
 #include "detector_plugins/detector_kerberos.h"
 #include "detector_plugins/detector_pattern.h"
@@ -98,7 +97,6 @@ void ServiceDiscovery::initialize()
 new DnsUdpServiceDetector(this);
 new FlapServiceDetector(this);
 new FtpServiceDetector(this);
- new HttpServiceDetector(this);
 new ImapServiceDetector(this);
 new IrcServiceDetector(this);
 new KerberosServiceDetector(this);
diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc
index 02111b54a..277b3ea7d 100644
--- a/src/network_inspectors/appid/test/appid_http_event_test.cc
+++ b/src/network_inspectors/appid/test/appid_http_event_test.cc @@ -172,6 +172,16 @@ bool HttpEvent::contains_webdav_method() return true; } +bool HttpEvent::get_is_http2() const +{ + return false; +} + +uint32_t HttpEvent::get_http2_stream_id() const +{ + return 0; +} + Flow* flow = nullptr; AppIdSession* mock_session = nullptr;
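Review bot: The two stubs added to the mock HttpEvent always return `false` and `0`, so the new `get_is_http2() && get_http2_stream_id() != 0` branch in HttpEventHandler::handle is never taken by anything in this test file. Making the stubs return test-controlled values would allow it, for example `return test_is_http2;` and `return test_http2_stream_id;` backed by file-scope variables (constructed names) that each test sets. One case should check that the service id becomes APP_ID_HTTP2 for a non-zero stream, and another that it stays APP_ID_HTTP for stream 0 and for non-HTTP/2 events. Without those cases, a regression in the service classification that rules depend on would pass the unit tests unnoticed.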