From: Ron Dempster (rdempste) Date: Mon, 7 Nov 2022 20:32:05 +0000 (+0000) Subject: Pull request #3652: appid: add a changed bit for discovery finished X-Git-Tag: 3.1.47.0~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d70087e17529250f7719c45af6a78210e3ce0d47;p=thirdparty%2Fsnort3.git Pull request #3652: appid: add a changed bit for discovery finished Merge in SNORT/snort3 from ~RDEMPSTE/snort3:appid_finished to master Squashed commit of the following: commit 9b441546e2dd71c296276dd2cdf7bd88945ab9a1 Author: Ron Dempster (rdempste) Date: Mon Oct 31 18:24:28 2022 -0400 appid: add a changed bit for discovery finished
---
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index fa84fc27f..fbe705595 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -179,7 +179,7 @@ AppIdSession::~AppIdSession()
 // If api was not stored in the stash, delete it. An example would be when an appid future
 // session is created, but it doesn't get attached to a snort flow (because the packets for the
 // future session were never received by snort), api object is not stored in the stash.
- if (!api.stored_in_stash)
+ if (!api.flags.stored_in_stash)
 delete &api;
 else
 api.asd = nullptr;
@@ -1121,17 +1121,17 @@ void AppIdSession::set_tp_payload_app_id(const Packet& p, AppidSessionDirection
 void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packet& p, bool is_httpx, uint32_t httpx_stream_index)
 {
- if (!api.stored_in_stash)
+ if (!api.flags.stored_in_stash)
 {
 assert(p.flow and p.flow->stash);
 p.flow->stash->store(STASH_APPID_DATA, &api, false);
- api.stored_in_stash = true;
+ api.flags.stored_in_stash = true;
 }
- if (!api.published)
+ if (!api.flags.published)
 {
 change_bits.set(APPID_CREATED_BIT);
- api.published = true;
+ api.flags.published = true;
 }
 if (consumed_ha_data) 
@@ -1151,6 +1151,12 @@ void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packe
 consumed_ha_data = false;
 }
+ if (!(api.flags.finished || api.is_appid_inspecting_session()))
+ {
+ change_bits.set(APPID_DISCOVERY_FINISHED_BIT);
+ api.flags.finished = true;
+ }
+
 if (change_bits.none())
 return;
diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc
index 6485237ec..3f0b65825 100644
--- a/src/network_inspectors/appid/appid_session_api.cc
+++ b/src/network_inspectors/appid/appid_session_api.cc
@@ -62,7 +62,7 @@ void AppIdSessionApi::get_service_info(const char*& vendor, const char*& version
 const char* AppIdSessionApi::get_user_info(AppId& service, bool& login) const
 {
 service = client.get_user_id();
- login = user_logged_in;
+ login = flags.user_logged_in;
 return client.get_username();
 }
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index b9a90b8ca..32bd4ca63 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
@@ -150,9 +150,9 @@ public:
 return session_id;
 }
- void set_user_logged_in() { user_logged_in = true; }
+ void set_user_logged_in() { flags.user_logged_in = true; }
- void clear_user_logged_in() { user_logged_in = false; }
+ void clear_user_logged_in() { flags.user_logged_in = false; }
 protected:
 AppIdSessionApi(const AppIdSession* asd, const SfIp& ip);
@@ -161,8 +161,13 @@ private:
 const AppIdSession* asd = nullptr;
 AppId application_ids[APP_PROTOID_MAX] = { APP_ID_NONE, APP_ID_NONE, APP_ID_NONE, APP_ID_NONE, APP_ID_NONE };
- bool published = false;
- bool stored_in_stash = false;
+ struct
+ {
+ bool published : 1;
+ bool stored_in_stash : 1;
+ bool finished : 1;
+ bool user_logged_in : 1;
+ } flags = {};
 std::vector hsessions;
 AppIdDnsSession* dsession = nullptr;
 snort::SfIp initiator_ip; 
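Review bot: Nothing in this hunk ever clears `api.flags.finished`, so APPID_DISCOVERY_FINISHED_BIT is raised at most once per session, yet the change-bit vocabulary has a reset bit (the change_bits_to_string expectation further down this diff lists `created, reset, ...`); if a reset can put a session back under inspection, a subscriber would never see a second finished notification, which is worth either handling or recording in a comment. The condition would also read in this file's own idiom as `if (!api.flags.finished and !api.is_appid_inspecting_session())`, matching the `assert(p.flow and p.flow->stash)` earlier in this function. I would add above the block: `// First publish after appid stops inspecting this session; the flag is set once and nothing here clears it.` publish_appid_event starts before this hunk and its body continues past it.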
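Review bot: The new anonymous `flags` bit-field packs four state bits with no comment on what each one means, and nothing in this diff exposes `finished` to API consumers the way `set_user_logged_in()`/`clear_user_logged_in()` expose `user_logged_in`, so a subscriber that attaches after the finished event has been published has no way to ask whether discovery is over. A getter such as `bool is_discovery_finished() const { return flags.finished; }` next to the user-logged-in accessors would close that gap, assuming the event is the only signal today. For the struct itself I would add: `// Per-session state bits: published and stored_in_stash are maintained by AppIdSession::publish_appid_event, finished is set there once appid stops inspecting the session, user_logged_in is read back through get_user_info().` The AppIdSessionApi class starts before this hunk and continues past it.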
@@ -171,7 +176,6 @@ private:
 char* netbios_name = nullptr;
 char* netbios_domain = nullptr;
 std::string session_id;
- bool user_logged_in = false;
 // Following two fields are used only for non-http sessions. For HTTP traffic,
 // these fields are maintained inside AppIdHttpSession.
diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc
index 8e9e21d3f..d7b9a80f8 100644
--- a/src/network_inspectors/appid/test/appid_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_api_test.cc
@@ -253,7 +253,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 CHECK_EQUAL(service, APPID_UT_ID);
 CHECK_EQUAL(client, APPID_UT_ID);
 CHECK_EQUAL(payload, APPID_UT_ID);
- STRCMP_EQUAL("Published change_bits == 0000000000000000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000000000000", test_log);
 service = APP_ID_NONE;
 client = APP_ID_NONE;
@@ -266,7 +266,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 0000000000100000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log);
 mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits);
 mock_session->tsession->set_tls_cname("www.cisco.com", 13, change_bits); 
@@ -282,7 +282,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco");
- STRCMP_EQUAL("Published change_bits == 0000000000100000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log);
 string host = "";
 val = appid_api.ssl_app_group_id_lookup(flow, (const char*)(host.c_str()), nullptr,
@@ -293,7 +293,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Google");
- STRCMP_EQUAL("Published change_bits == 0000000000100000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log);
 // Override client id found by SSL pattern matcher with the client id provided by
 // Encrypted Visibility Engine if available
@@ -310,7 +310,7 @@ TEST(appid_api, ssl_app_group_id_lookup)
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
- STRCMP_EQUAL("Published change_bits == 0000000000100000000", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log);
 mock().checkExpectations();
 }
diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc
index fd99e95f7..b4a12d9fc 100644
--- a/src/network_inspectors/appid/test/appid_discovery_test.cc
+++ b/src/network_inspectors/appid/test/appid_discovery_test.cc 
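Review bot: The five expectations in this file (and two more in appid_discovery_test.cc) now bake in a 20-character bit string whose width is really APPID_MAX_BIT, so the next enumerator added will again force a hand edit of every assertion; building the expected text from the enum, e.g. `std::string expected(APPID_MAX_BIT, '0');` followed by setting the expected position and comparing `("Published change_bits == " + expected).c_str()`, would keep these self-updating. This is a style point only: the widened strings are consistent with the enum now holding 20 bits, as the change_bits_to_string test later in the diff checks. The TEST body starts before these hunks.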
@@ -399,7 +399,7 @@ TEST(appid_discovery_tests, event_published_when_ignoring_flow)
 // Detect changes in service, client, payload, and misc appid
 mock().checkExpectations();
- STRCMP_EQUAL("Published change_bits == 0000000000001111100", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000001111100", test_log);
 delete &asd->get_api();
 delete asd;
@@ -433,7 +433,7 @@ TEST(appid_discovery_tests, event_published_when_processing_flow)
 // Detect changes in service, client, payload, and misc appid
 mock().checkExpectations();
- STRCMP_EQUAL("Published change_bits == 0000000000001111100", test_log);
+ STRCMP_EQUAL("Published change_bits == 00000000000001111100", test_log);
 delete &asd->get_api();
 delete asd;
 delete flow;
@@ -531,10 +531,10 @@ TEST(appid_discovery_tests, change_bits_to_string)
 change_bits_to_string(change_bits, str);
 STRCMP_EQUAL(str.c_str(), "created, reset, service, client, payload, misc, referred, host,"
 " tls-host, url, user-agent, response, referrer, dns-host, service-info, client-info,"
- " user-info, netbios-name, netbios-domain");
+ " user-info, netbios-name, netbios-domain, finished");
 // Failure of this test is a reminder that enum is changed, hence translator needs update
- CHECK_EQUAL(APPID_MAX_BIT, 19);
+ CHECK_EQUAL(APPID_MAX_BIT, 20);
 }
 int main(int argc, char** argv)
diff --git a/src/pub_sub/appid_events.h b/src/pub_sub/appid_events.h
index 29a1dee42..5fe16dc2a 100644
--- a/src/pub_sub/appid_events.h
+++ b/src/pub_sub/appid_events.h
@@ -64,6 +64,7 @@ enum AppidChangeBit
 APPID_USER_INFO_BIT,
 APPID_NETBIOS_NAME_BIT,
 APPID_NETBIOS_DOMAIN_BIT,
+ APPID_DISCOVERY_FINISHED_BIT,
 APPID_MAX_BIT
 }; 
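Review bot: APPID_DISCOVERY_FINISHED_BIT goes into a public pub_sub enum with no comment telling subscribers what the bit signals or how often it fires, while the publisher side of this diff raises it at most once per session. I would annotate the enumerator: `APPID_DISCOVERY_FINISHED_BIT, // appid has stopped inspecting the session; published once`. Placing it immediately before APPID_MAX_BIT keeps every existing subscriber's bit position unchanged, which is the right convention for this enum and worth keeping. The enum starts before this hunk.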
@@ -112,6 +113,8 @@ inline void change_bits_to_string(AppidChangeBits& change_bits, std::string& str
 --n? str.append("netbios-name, ") : str.append("netbios-name");
 if (change_bits.test(APPID_NETBIOS_DOMAIN_BIT))
 --n? str.append("netbios-domain, ") : str.append("netbios-domain");
+ if (change_bits.test(APPID_DISCOVERY_FINISHED_BIT))
+ --n? str.append("finished, ") : str.append("finished");
 if (n != 0) // make sure all bits from AppidChangeBit enum get translated
 str.append("change_bits_to_string error!");
 }