From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 1 Jun 2021 23:31:45 +0000 (+0000) Subject: Merge pull request #2917 in SNORT/snort3 from ~SHRARANG/snort3:appid_aux_ip to master X-Git-Tag: 3.1.6.0~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=deb2c8b747434256159b743b5a6ac450b7d2cd99;p=thirdparty%2Fsnort3.git Merge pull request #2917 in SNORT/snort3 from ~SHRARANG/snort3:appid_aux_ip to master Squashed commit of the following: commit 9eadae760d41137e95f28f10dddd07751088e2c7 Author: Shravan Rangaraju Date: Tue May 11 11:00:56 2021 -0400 appid: extract auxiliary ip when uri is provided by third-party --- diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index 72f49c122..928c4eb4c 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc @@ -83,7 +83,7 @@ static inline int check_ssl_appid_for_reinspect(AppId app_id, OdpContext& odp_ct // set functions to copy the tp buffers directly into the appropriate observer. // // Or, replace ThirdParty with 1st Party http_inspect. -static inline void process_http_session(AppIdSession& asd, +static inline void process_http_session(const Packet& p, AppIdSession& asd, ThirdPartyAppIDAttributeData& attribute_data, AppidChangeBits& change_bits) { AppIdHttpSession* hsession = asd.get_http_session(0); 
@@ -102,15 +102,15 @@ static inline void process_http_session(AppIdSession& asd, if (spdyRequestScheme && spdyRequestHost && spdyRequestPath ) { - std::string* url; + string* url; if (asd.get_session_flags(APPID_SESSION_DECRYPTED) && *spdyRequestScheme == "http") { - url = new std::string("http://" + *spdyRequestHost + *spdyRequestPath); + url = new string("http://" + *spdyRequestHost + *spdyRequestPath); } else { - url = new std::string("https://" + *spdyRequestHost + *spdyRequestPath); + url = new string("https://" + *spdyRequestHost + *spdyRequestPath); } if ( hsession->get_field(MISC_URL_FID) ) @@ -298,6 +298,18 @@ static inline void process_http_session(AppIdSession& asd, if ( (field=attribute_data.http_request_x_working_with(own)) != nullptr ) hsession->set_field(MISC_XWW_FID, field, change_bits); + + if (SnortConfig::get_conf()->aux_ip_is_enabled()) + { + const string* uri = hsession->get_field(REQ_URI_FID); + + if (uri and uri->size()) + { + SfIp aux_ip; + if (parse_ip_from_uri(*uri, aux_ip)) + p.flow->stash->store(aux_ip); + } + } } static inline void process_rtmp(AppIdSession& asd, @@ -441,7 +453,7 @@ static inline void process_quic(AppIdSession& asd, } } -static inline void process_third_party_results(AppIdSession& asd, int confidence, +static inline void process_third_party_results(const Packet& p, AppIdSession& asd, int confidence, const vector& proto_list, ThirdPartyAppIDAttributeData& attribute_data, AppidChangeBits& change_bits) { @@ -467,7 +479,7 @@ static inline void process_third_party_results(AppIdSession& asd, int confidence process_ssl(asd, attribute_data, change_bits); if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION)) - process_http_session(asd, attribute_data, change_bits); + process_http_session(p, asd, attribute_data, change_bits); else if (contains(proto_list, APP_ID_RTMP) || contains(proto_list, APP_ID_RTSP) ) 
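Review bot: In the `@@ -298,6 +298,18 @@` hunk, `p.flow->stash->store(aux_ip)` dereferences `p.flow` and `stash` without a check, and the address it stores is parsed from the request URI, which the client controls. If either pointer can be null on this path (the callers are outside the hunk, so this is unconfirmed), fold the check into the condition: `if (p.flow and p.flow->stash and parse_ip_from_uri(*uri, aux_ip))`. I would also add a comment above the store, such as `// aux_ip comes from the client-supplied URI: treat it as untrusted in any policy that consumes it`, so readers of the stash do not mistake it for an observed endpoint. The same non-null assumption is made by `*p` in the `@@ -609,7 +621,7 @@` hunk of do_tp_discovery. process_http_session begins outside this hunk.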
@@ -609,7 +621,7 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I appidDebug->get_debug_session(), app_name ? app_name : "unknown", tp_app_id); } - process_third_party_results(asd, tp_confidence, tp_proto_list, tp_attribute_data, change_bits); + process_third_party_results(*p, asd, tp_confidence, tp_proto_list, tp_attribute_data, change_bits); AppIdHttpSession* hsession = nullptr; if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION)) diff --git a/src/sfip/sf_ip.h b/src/sfip/sf_ip.h index f41cdba78..a40fbcabe 100644 --- a/src/sfip/sf_ip.h +++ b/src/sfip/sf_ip.h @@ -483,7 +483,7 @@ static inline int sfip_str_to_fam(const char* str) return AF_UNSPEC; } -static inline bool parse_ip_from_uri(std::string& ip_str, SfIp& ip) +static inline bool parse_ip_from_uri(const std::string& ip_str, SfIp& ip) { auto host_start = ip_str.find("://"); if ( host_start != std::string::npos )
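Review bot: In the sf_ip.h hunk, `parse_ip_from_uri` still names its parameter `ip_str` although it receives a whole URI (the first visible statement searches it for `://`), and the function has no comment stating its contract. Renaming the parameter to `uri` and adding a one-line comment, for example `// Parses the host portion of uri as an IP literal; returns false when it is not one (confirm against the body)`, would make the new appid call easier to audit, since that caller passes it client-supplied data. The body continues past the end of this hunk, so the exact return behaviour is not visible here.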