From: Shravan Rangarajuvenkata (shrarang)
Date: Thu, 6 Feb 2020 16:48:57 +0000 (+0000)
Subject: Merge pull request #1945 in SNORT/snort3 from ~SATHIRKA/snort3:appid_ssl_decryption...
X-Git-Tag: 3.0.0-268~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e195f374e58976d7a9469e49ffa984c0f3fd4d9b;p=thirdparty%2Fsnort3.git
Merge pull request #1945 in SNORT/snort3 from ~SATHIRKA/snort3:appid_ssl_decryption to master
Squashed commit of the following:
commit 9b25ac57051282d79daab57cc67858e7b43de526
Author: Sreeja Athirkandathil Narayanan
Date: Wed Jan 8 10:44:55 2020 -0500
appid: Adding support for appid detection on decrypted SSL sessions
---
diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt
index 84a220004..58124aa79 100644
--- a/src/network_inspectors/appid/CMakeLists.txt
+++ b/src/network_inspectors/appid/CMakeLists.txt
@@ -153,6 +153,7 @@ set ( APPID_SOURCES
 appid_app_descriptor.h
 appid_config.cc
 appid_config.h
+ appid_data_decrypt_event_handler.h
 appid_debug.cc
 appid_debug.h
 appid_detector.cc
diff --git a/src/network_inspectors/appid/appid_data_decrypt_event_handler.h b/src/network_inspectors/appid/appid_data_decrypt_event_handler.h
new file mode 100644
index 000000000..b2043081e
--- /dev/null
+++ b/src/network_inspectors/appid/appid_data_decrypt_event_handler.h
@@ -0,0 +1,51 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_data_decrypt_event_handler.h author Sreeja Athirkandathil Narayanan
+
+#ifndef APPID_DATA_DECRYPT_EVENT_HANDLER_H
+#define APPID_DATA_DECRYPT_EVENT_HANDLER_H
+
+#include "pub_sub/data_decrypt_event.h"
+
+#include "appid_session.h"
+
+class DataDecryptEventHandler : public snort::DataHandler
+{
+public:
+ DataDecryptEventHandler() : DataHandler(MOD_NAME)
+ {
+ }
+
+ void handle(snort::DataEvent& event, snort::Flow* flow) override
+ {
+ assert(flow);
+ AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
+ if (!asd)
+ return;
+ DataDecryptEvent& data_decrypt_event = static_cast(event);
+ if (data_decrypt_event.get_type() == DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT)
+ {
+ asd->set_session_flags(APPID_SESSION_DECRYPT_MONITOR);
+ }
+ }
+
+};
+
+#endif
+
diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index c4bc17219..c747b8083 100644
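Review bot: `handle()` relies on `assert(flow)` as its only null guard and the header does not include `<cassert>` itself, so it compiles only through whatever appid_session.h pulls in, and in an NDEBUG build the assert vanishes and `get_appid_session(*flow)` dereferences an unchecked pointer. A defensive `if (!flow) return;` ahead of the lookup (or an explicit `#include <cassert>` if the assert is to stay) would make the handler robust to a publisher that raises the event without a flow. The handler also reacts only to `DATA_DECRYPT_MONITOR_EVENT`; `DATA_DECRYPT_DO_NOT_DECRYPT_EVENT` and `DATA_DECRYPT_START_EVENT` are silently dropped and nothing here ever clears `APPID_SESSION_DECRYPT_MONITOR`, which may be intended but deserves a comment such as `// Only the monitor event is acted on; the flag stays set for the life of the session`. The template argument of the `static_cast` appears to have been stripped in this rendering of the diff.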
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -259,7 +259,7 @@ static bool set_network_attributes(AppIdSession* asd, Packet* p, IpProtocol& pro
 static bool is_packet_ignored(AppIdSession* asd, Packet* p, AppidSessionDirection direction)
 {
- if ( p->is_rebuilt() && !p->flow->is_proxied() )
+ if ( p->is_rebuilt() and !p->flow->is_proxied())
 {
 // FIXIT-M: In snort2x, a rebuilt packet was ignored whether it had a session or not.
 // Here, we are ignoring rebuilt packet only if it has a session. Why?
@@ -912,14 +912,8 @@ void AppIdDiscovery::do_post_discovery(Packet* p, AppIdSession& asd,
 if (asd.misc_app_id == APP_ID_NONE)
 asd.update_encrypted_app_id(service_id);
 }
-// FIXIT-M Need to determine what api to use for this _dpd function
-#if 1
- UNUSED(is_discovery_done);
-#else
- else if (is_discovery_done && isSslServiceAppId(service_id) &&
- _dpd.isSSLPolicyEnabled(nullptr))
+ else if (is_discovery_done and asd.get_session_flags(APPID_SESSION_DECRYPT_MONITOR))
 asd.set_session_flags(APPID_SESSION_CONTINUE);
-#endif
 }
 // Set the field that the Firewall queries to see if we have a search engine
diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc
index 5b57e79a7..248b0f3f9 100644
--- a/src/network_inspectors/appid/appid_inspector.cc
+++ b/src/network_inspectors/appid/appid_inspector.cc
@@ -35,6 +35,7 @@
 #include "profiler/profiler.h"
 #include "app_forecast.h"
+#include "appid_data_decrypt_event_handler.h"
 #include "appid_debug.h"
 #include "appid_discovery.h"
 #include "appid_http_event_handler.h"
@@ -126,6 +127,7 @@ bool AppIdInspector::configure(SnortConfig* sc)
 DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler(
 HttpEventHandler::RESPONSE_EVENT), sc);
 }
+ DataBus::subscribe_global(DATA_DECRYPT_EVENT, new DataDecryptEventHandler(), sc);
 return true;
 }
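Review bot: The new `else if` in do_post_discovery drops the `isSslServiceAppId(service_id)` test that the replaced `#else` branch carried, so `APPID_SESSION_CONTINUE` is now set for any session that has finished discovery and carries `APPID_SESSION_DECRYPT_MONITOR`, whatever its service. If the monitor event is only ever published for SSL flows this is harmless, but that dependency is invisible here; either restore the guard, `else if (is_discovery_done and isSslServiceAppId(service_id) and asd.get_session_flags(APPID_SESSION_DECRYPT_MONITOR))`, or record the assumption in a comment next to the condition. The `if` chain this `else if` extends begins above the hunk, and the unbraced single-statement body differs from the braced style of the sibling block that closes just before it.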
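Review bot: The `DataBus::subscribe_global(DATA_DECRYPT_EVENT, ...)` call in AppIdInspector::configure sits after the closing brace of the block that wraps the HTTP subscriptions, so it runs on every configure() regardless of the condition that guards those; that condition is above the hunk, so whether the asymmetry is intended cannot be seen here. If it is deliberate, a comment such as `// subscribed unconditionally, unlike the HTTP handlers above` would keep the next reader from moving it inside the block; if not, it belongs with the other subscriptions.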
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 2845fd29f..ca1caaef1 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -323,7 +323,7 @@ void AppIdSession::sync_with_snort_protocol_id(AppId newAppId, Packet* p)
 void AppIdSession::check_app_detection_restart(AppidChangeBits& change_bits)
 {
- if (get_session_flags(APPID_SESSION_DECRYPTED) || !flow->is_proxied())
+ if (get_session_flags(APPID_SESSION_DECRYPTED) or !flow->is_proxied())
 return;
 AppId service_id = pick_service_app_id();
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index d7d57e78d..ff4a6d6bb 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
@@ -88,6 +88,7 @@ namespace snort
 #define APPID_SESSION_OOO_CHECK_TP (1ULL << 41)
 #define APPID_SESSION_PAYLOAD_SEEN (1ULL << 42)
 #define APPID_SESSION_HOST_CACHE_MATCHED (1ULL << 43)
+#define APPID_SESSION_DECRYPT_MONITOR (1ULL << 44)
 #define APPID_SESSION_IGNORE_ID_FLAGS \
 (APPID_SESSION_IGNORE_FLOW | \
 APPID_SESSION_NOT_A_SERVICE | \
diff --git a/src/network_inspectors/appid/detector_plugins/detector_smtp.cc b/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
index 50e3a6ae9..5c819d010 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_smtp.cc
@@ -835,17 +835,14 @@ int SmtpServiceDetector::validate(AppIdDiscoveryArgs& args)
 {
 dd->client.flags |= CLIENT_FLAG_STARTTLS_SUCCESS;
- // FIXIT-M: Revisit SSL decryption countdown after isSSLPolicyEnabled()
- // is ported. Can we use Flow::is_proxied() here?
-#if 0
- if (_dpd.isSSLPolicyEnabled(NULL))
-#endif
-
+ #ifndef REG_TEST
+ if (args.asd.get_session_flags(APPID_SESSION_DECRYPT_MONITOR))
+ #endif
 dd->client.decryption_countdown = SSL_WAIT_PACKETS; // start a countdown
-#if 0
+ #ifndef REG_TEST
 else
- dd->client.decryption_countdown = 1
-#endif
+ dd->client.decryption_countdown = 1;
+ #endif
 add_service(args.change_bits, args.asd, args.pkt, args.dir, APP_ID_SMTPS);
diff --git a/src/pub_sub/CMakeLists.txt b/src/pub_sub/CMakeLists.txt
index 290e4d7aa..6e8dcc8db 100644
--- a/src/pub_sub/CMakeLists.txt
+++ b/src/pub_sub/CMakeLists.txt
@@ -1,6 +1,7 @@
 set (PUB_SUB_INCLUDES
 appid_events.h
 cip_events.h
+ data_decrypt_event.h
 daq_message_event.h
 expect_events.h
 finalize_packet_event.h
diff --git a/src/pub_sub/data_decrypt_event.h b/src/pub_sub/data_decrypt_event.h
new file mode 100644
index 000000000..88e6489f7
--- /dev/null
+++ b/src/pub_sub/data_decrypt_event.h
@@ -0,0 +1,30 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2020-2020 Cisco and/or its affiliates. All rights reserved.
+//--------------------------------------------------------------------------
+
+#ifndef DATA_DECRYPT_EVENT_H
+#define DATA_DECRYPT_EVENT_H
+
+#define DATA_DECRYPT_EVENT "Data Decrypt event"
+
+class DataDecryptEvent : public snort::DataEvent
+{
+public:
+
+ enum StateEventType : uint16_t
+ {
+ DATA_DECRYPT_MONITOR_EVENT,
+ DATA_DECRYPT_DO_NOT_DECRYPT_EVENT,
+ DATA_DECRYPT_START_EVENT
+ };
+
+ DataDecryptEvent(const StateEventType& type) : m_type(type) { }
+ StateEventType get_type(void) const { return m_type; }
+
+private:
+ StateEventType m_type;
+};
+
+
+#endif //DATA_DECRYPT_EVENT_H
+
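Review bot: In SmtpServiceDetector::validate the two `#ifndef REG_TEST` regions split a single `if`/`else` across separate preprocessor blocks: in a REG_TEST build both the `if` and the `else` branch vanish and the countdown is unconditionally `SSL_WAIT_PACKETS`, while in a normal build the `else` pairs with the `if` only because the two regions happen to be adjacent, so any later edit between them silently changes one build and not the other. Folding the test-mode override into one value keeps both builds readable and leaves a single assignment to audit; a rewrite is sketched below. The `#ifndef`/`#endif` lines are also indented with the code rather than at column 0, unlike the `#if 0` lines they replace. The enclosing function begins and ends outside the hunk.
```cpp
            dd->client.flags |= CLIENT_FLAG_STARTTLS_SUCCESS;
            // Decide the countdown once; REG_TEST builds ignore the flag,
            // matching the previous #ifndef REG_TEST behaviour.
            bool decrypt_monitored =
                args.asd.get_session_flags(APPID_SESSION_DECRYPT_MONITOR) != 0;
#ifdef REG_TEST
            decrypt_monitored = true;
#endif
            // start a countdown
            dd->client.decryption_countdown = decrypt_monitored ? SSL_WAIT_PACKETS : 1;
            // … unchanged: add_service(...) …
```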
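Review bot: data_decrypt_event.h uses `snort::DataEvent` and `uint16_t` without including anything, so it compiles only when the includer has already pulled in the data-bus header and `<cstdint>`; as a pub_sub header intended for other consumers it should be self-contained, e.g. `#include <cstdint>` plus the header that declares `snort::DataEvent`. The single-argument constructor is implicit and takes the enum by `const&`; `explicit DataDecryptEvent(StateEventType type) : m_type(type) { }` avoids accidental conversions and the needless indirection, and `get_type(void)` can drop the C-style `void`. The license block is also much shorter than the one in the sibling appid_data_decrypt_event_handler.h added by this same commit, which may be an oversight.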