From: Shravan Rangarajuvenkata (shrarang) Date: Fri, 6 Nov 2020 01:51:48 +0000 (+0000) Subject: Merge pull request #2579 in SNORT/snort3 from ~SATHIRKA/snort3:client_login_failure... X-Git-Tag: 3.0.3-5~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1bb0d1fdedf17202e3fd1952c2f132245fd53b1;p=thirdparty%2Fsnort3.git Merge pull request #2579 in SNORT/snort3 from ~SATHIRKA/snort3:client_login_failure to master Squashed commit of the following: commit 2e0205b16c0c50de6348a5b7a5999eb0aa59d483 Author: Sreeja Athirkandathil Narayanan Date: Fri Oct 23 16:35:57 2020 -0400 appid: Support client login failure event --- diff --git a/src/network_inspectors/appid/appid_app_descriptor.cc b/src/network_inspectors/appid/appid_app_descriptor.cc index 2430e38a6..22c4fd720 100644 --- a/src/network_inspectors/appid/appid_app_descriptor.cc +++ b/src/network_inspectors/appid/appid_app_descriptor.cc @@ -77,7 +77,7 @@ void ClientAppDescriptor::update_user(AppId app_id, const char* username, AppidC if ( my_username != username ) { my_username = username; - change_bits.set(APPID_CLIENT_USERNAME_BIT); + change_bits.set(APPID_USER_INFO_BIT); } if ( my_user_id != app_id ) @@ -86,7 +86,7 @@ void ClientAppDescriptor::update_user(AppId app_id, const char* username, AppidC if ( app_id > APP_ID_NONE ) { AppIdPegCounts::inc_user_count(app_id); - change_bits.set(APPID_CLIENT_USERID_BIT); + change_bits.set(APPID_USER_INFO_BIT); } } } diff --git a/src/network_inspectors/appid/appid_app_descriptor.h b/src/network_inspectors/appid/appid_app_descriptor.h index 6210a11af..89b5d2701 100644 --- a/src/network_inspectors/appid/appid_app_descriptor.h +++ b/src/network_inspectors/appid/appid_app_descriptor.h @@ -53,10 +53,10 @@ public: my_version.clear(); } - virtual void update(AppId id, AppidChangeBits& change_bits, char* version) + virtual void update(AppId id, char* version) { set_id(id); - set_version(version, change_bits); + set_version(version); } virtual void update_stats(AppId id, bool increment = true) = 0; @@ -80,13 +80,10 @@ public: return my_version.empty() ? nullptr : my_version.c_str(); } - void set_version(const char* version, AppidChangeBits& change_bits) + void set_version(const char* version) { if ( version ) - { my_version = version; - change_bits.set(APPID_VERSION_BIT); - } } private: @@ -159,7 +156,7 @@ public: if ( vendor ) { my_vendor = vendor; - change_bits.set(APPID_SERVICE_VENDOR_BIT); + change_bits.set(APPID_SERVICE_INFO_BIT); } } @@ -170,7 +167,7 @@ public: for (tmp_subtype = &subtype; *tmp_subtype; tmp_subtype = &(*tmp_subtype)->next) ; *tmp_subtype = &more_subtype; - change_bits.set(APPID_SERVICE_SUBTYPE_BIT); + change_bits.set(APPID_SERVICE_INFO_BIT); } const AppIdServiceSubtype* get_subtype() const diff --git a/src/network_inspectors/appid/appid_detector.cc b/src/network_inspectors/appid/appid_detector.cc index f5c681517..93479451c 100644 --- a/src/network_inspectors/appid/appid_detector.cc +++ b/src/network_inspectors/appid/appid_detector.cc @@ -83,9 +83,9 @@ void AppIdDetector::add_user(AppIdSession& asd, const char* username, AppId appI { asd.set_client_user(appId, username, change_bits); if ( success ) - change_bits.set(APPID_CLIENT_LOGIN_SUCCEEDED_BIT); + asd.set_user_logged_in(); else - change_bits.reset(APPID_CLIENT_LOGIN_SUCCEEDED_BIT); + asd.clear_user_logged_in(); } void AppIdDetector::add_payload(AppIdSession& asd, AppId payload_id) diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc index 03609acd7..5d3480167 100644 --- a/src/network_inspectors/appid/appid_http_session.cc +++ b/src/network_inspectors/appid/appid_http_session.cc @@ -381,7 +381,7 @@ void AppIdHttpSession::process_chp_buffers(AppidChangeBits& change_bits, HttpPat else client.update_user(asd.get_service_id(), user, change_bits); user = nullptr; - change_bits.set(APPID_CLIENT_LOGIN_SUCCEEDED_BIT); + asd.set_user_logged_in(); } chp_candidate = 0; @@ -409,7 +409,11 @@ void AppIdHttpSession::set_client(AppId app_id, AppidChangeBits& change_bits, co client.set_id(app_id); change_bits.set(APPID_CLIENT_BIT); - client.set_version(version, change_bits); + if (version) + { + client.set_version(version); + change_bits.set(APPID_CLIENT_INFO_BIT); + } if (appidDebug->is_active()) { @@ -427,7 +431,7 @@ void AppIdHttpSession::set_payload(AppId app_id, AppidChangeBits& change_bits, c payload.set_id(app_id); change_bits.set(APPID_PAYLOAD_BIT); - payload.set_version(version, change_bits); + payload.set_version(version); if (appidDebug->is_active()) { diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index f68647f7a..2814c1a66 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -516,7 +516,7 @@ void AppIdSession::examine_ssl_metadata(AppidChangeBits& change_bits) { if (api.client.get_id() == APP_ID_NONE or api.client.get_id() == APP_ID_SSL_CLIENT) set_client_appid_data(client_id, change_bits); - set_payload_appid_data(payload_id, change_bits); + set_payload_appid_data(payload_id); } scan_flags &= ~SCAN_SSL_HOST_FLAG; } @@ -528,7 +528,7 @@ void AppIdSession::examine_ssl_metadata(AppidChangeBits& change_bits) { if (api.client.get_id() == APP_ID_NONE or api.client.get_id() == APP_ID_SSL_CLIENT) set_client_appid_data(client_id, change_bits); - set_payload_appid_data(payload_id, change_bits); + set_payload_appid_data(payload_id); } scan_flags &= ~SCAN_SSL_CERTIFICATE_FLAG; } @@ -539,7 +539,7 @@ void AppIdSession::examine_ssl_metadata(AppidChangeBits& change_bits) client_id, payload_id)) { set_client_appid_data(client_id, change_bits); - set_payload_appid_data(payload_id, change_bits); + set_payload_appid_data(payload_id); } tsession->set_tls_org_unit(nullptr, 0); } @@ -603,10 +603,13 @@ void AppIdSession::set_client_appid_data(AppId id, AppidChangeBits& change_bits, return; api.client.set_id(id); } - api.client.set_version(version, change_bits); + if (!version) + return; + api.client.set_version(version); + change_bits.set(APPID_CLIENT_INFO_BIT); } -void AppIdSession::set_payload_appid_data(AppId id, AppidChangeBits& change_bits, char* version) +void AppIdSession::set_payload_appid_data(AppId id, char* version) { if (id <= APP_ID_NONE) return; @@ -615,7 +618,7 @@ void AppIdSession::set_payload_appid_data(AppId id, AppidChangeBits& change_bits odp_ctxt.get_app_info_mgr().get_priority(id)) return; api.payload.set_id(id); - api.payload.set_version(version, change_bits); + api.payload.set_version(version); } void AppIdSession::set_service_appid_data(AppId id, AppidChangeBits& change_bits, char* version) @@ -631,7 +634,9 @@ void AppIdSession::set_service_appid_data(AppId id, AppidChangeBits& change_bits return; } - api.service.update(id, change_bits, version); + api.service.update(id, version); + if (version) + change_bits.set(APPID_SERVICE_INFO_BIT); } bool AppIdSession::is_svc_taking_too_much_time() const diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 65c86b74b..31ad3525d 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -358,7 +358,7 @@ public: void examine_ssl_metadata(AppidChangeBits& change_bits); void set_client_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); void set_service_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); - void set_payload_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); + void set_payload_appid_data(AppId, char* version = nullptr); void check_app_detection_restart(AppidChangeBits& change_bits, ThirdPartyAppIdContext* tp_appid_ctxt); void check_ssl_detection_restart(AppidChangeBits& change_bits, @@ -474,7 +474,10 @@ public: void set_service_version(const char* version, AppidChangeBits& change_bits) { - api.service.set_version(version, change_bits); + if (!version) + return; + api.service.set_version(version); + change_bits.set(APPID_SERVICE_INFO_BIT); } void set_service_vendor(const char* vendor, AppidChangeBits& change_bits) @@ -504,7 +507,10 @@ public: void set_client_version(const char* version, AppidChangeBits& change_bits) { - api.client.set_version(version, change_bits); + if (!version) + return; + api.client.set_version(version); + change_bits.set(APPID_CLIENT_INFO_BIT); } const char* get_client_user() const @@ -585,6 +591,16 @@ public: return service_ip.is_set(); } + void set_user_logged_in() + { + api.set_user_logged_in(); + } + + void clear_user_logged_in() + { + api.clear_user_logged_in(); + } + private: uint16_t prev_http2_raw_packet = 0; diff --git a/src/network_inspectors/appid/appid_session_api.cc b/src/network_inspectors/appid/appid_session_api.cc index 84f97f702..00511ad1e 100644 --- a/src/network_inspectors/appid/appid_session_api.cc +++ b/src/network_inspectors/appid/appid_session_api.cc @@ -56,9 +56,10 @@ void AppIdSessionApi::get_service_info(const char*& vendor, const char*& version subtype = service.get_subtype(); } -const char* AppIdSessionApi::get_client_info(AppId& service) const +const char* AppIdSessionApi::get_user_info(AppId& service, bool& login) const { service = client.get_user_id(); + login = user_logged_in; return client.get_username(); } @@ -244,7 +245,7 @@ bool AppIdSessionApi::is_appid_available() const asd->get_session_flags(APPID_SESSION_NO_TPI)) ); } -const char* AppIdSessionApi::get_client_version(uint32_t stream_index) const +const char* AppIdSessionApi::get_client_info(uint32_t stream_index) const { if (uint32_t num_hsessions = get_hsessions_size()) { diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h index 972ef7d59..0e896a666 100644 --- a/src/network_inspectors/appid/appid_session_api.h +++ b/src/network_inspectors/appid/appid_session_api.h @@ -106,7 +106,7 @@ public: AppId get_service_app_id() const; void get_service_info(const char*& vendor, const char*& version, const AppIdServiceSubtype*& subtype) const; - const char* get_client_info(AppId& service) const; + const char* get_user_info(AppId& service, bool& login) const; AppId get_misc_app_id(uint32_t stream_index = 0) const; AppId get_client_app_id(uint32_t stream_index = 0) const; AppId get_payload_app_id(uint32_t stream_index = 0) const; @@ -117,7 +117,7 @@ public: uint32_t stream_index = 0) const; bool is_appid_inspecting_session() const; bool is_appid_available() const; - const char* get_client_version(uint32_t stream_index = 0) const; + const char* get_client_info(uint32_t stream_index = 0) const; uint64_t get_appid_session_attribute(uint64_t flag) const; const SfIp* get_initiator_ip() const; const AppIdDnsSession* get_dns_session() const; @@ -145,6 +145,10 @@ public: return session_id; } + void set_user_logged_in() { user_logged_in = true; } + + void clear_user_logged_in() { user_logged_in = false; } + protected: AppIdSessionApi(const AppIdSession* asd, const SfIp& ip); @@ -160,6 +164,7 @@ private: ServiceAppDescriptor service; char* tls_host = nullptr; std::string session_id; + bool user_logged_in = false; // Following two fields are used only for non-http sessions. For HTTP traffic, // these fields are maintained inside AppIdHttpSession. diff --git a/src/network_inspectors/appid/detector_plugins/detector_imap.cc b/src/network_inspectors/appid/detector_plugins/detector_imap.cc index d719876af..e54b55f2e 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_imap.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_imap.cc @@ -300,7 +300,7 @@ static int imap_server_validate(ImapDetectorData* dd, const uint8_t* data, uint1 if ((id->pos < (sizeof(id->tagValue) - 1)) && (isImapTagChar(*data))) { - id->tagValue[id->pos] = *data; + id->tagValue[id->pos++] = *data; } else { diff --git a/src/network_inspectors/appid/detector_plugins/detector_pop3.cc b/src/network_inspectors/appid/detector_plugins/detector_pop3.cc index e0e59b167..1ccf77b3b 100644 --- a/src/network_inspectors/appid/detector_plugins/detector_pop3.cc +++ b/src/network_inspectors/appid/detector_plugins/detector_pop3.cc @@ -361,14 +361,18 @@ static int pop3_server_validate(POP3DetectorData* dd, const uint8_t* data, uint1 } else { - pop3_service_detector->add_user(asd, dd->client.username, APP_ID_POP3, true, change_bits); - snort_free(dd->client.username); - dd->client.username = nullptr; - dd->need_continue = 0; - asd.clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); - dd->client.got_user = 1; - if (dd->client.detected) - asd.set_client_detected(); + if (dd->client.state == POP3_CLIENT_STATE_TRANS) + { + pop3_service_detector->add_user(asd, dd->client.username, APP_ID_POP3, true, change_bits); + snort_free(dd->client.username); + dd->client.username = nullptr; + dd->need_continue = 0; + asd.clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS); + if (dd->client.detected) + asd.set_client_detected(); + } + else + dd->client.got_user = 1; } } if (server && begin) diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc index bd28c870c..38d167835 100644 --- a/src/network_inspectors/appid/test/appid_api_test.cc +++ b/src/network_inspectors/appid/test/appid_api_test.cc @@ -331,7 +331,7 @@ TEST(appid_api, ssl_app_group_id_lookup) CHECK_EQUAL(service, APPID_UT_ID); CHECK_EQUAL(client, APPID_UT_ID); CHECK_EQUAL(payload, APPID_UT_ID); - STRCMP_EQUAL("Published change_bits == 00000000000000000000", test_log); + STRCMP_EQUAL("Published change_bits == 00000000000000000", test_log); service = APP_ID_NONE; client = APP_ID_NONE; @@ -344,7 +344,7 @@ TEST(appid_api, ssl_app_group_id_lookup) STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); - STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log); + STRCMP_EQUAL("Published change_bits == 00000000100011000", test_log); mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits); mock_session->tsession->set_tls_cname("www.cisco.com", 13, change_bits); @@ -360,7 +360,7 @@ TEST(appid_api, ssl_app_group_id_lookup) STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco"); - STRCMP_EQUAL("Published change_bits == 00000000000100011000", test_log); + STRCMP_EQUAL("Published change_bits == 00000000100011000", test_log); string host = ""; val = appid_api.ssl_app_group_id_lookup(flow, (const char*)(host.c_str()), nullptr, @@ -371,7 +371,7 @@ TEST(appid_api, ssl_app_group_id_lookup) STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Google"); - STRCMP_EQUAL("Published change_bits == 00000000000100000000", test_log); + STRCMP_EQUAL("Published change_bits == 00000000100000000", test_log); mock().checkExpectations(); } diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index 717f9a31c..919cbff5b 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -376,7 +376,7 @@ TEST(appid_discovery_tests, event_published_when_ignoring_flow) // Detect changes in service, client, payload, and misc appid mock().checkExpectations(); - STRCMP_EQUAL("Published change_bits == 00000000000001111100", test_log); + STRCMP_EQUAL("Published change_bits == 00000000001111100", test_log); delete &asd->get_api(); delete asd; @@ -408,7 +408,7 @@ TEST(appid_discovery_tests, event_published_when_processing_flow) // Detect changes in service, client, payload, and misc appid mock().checkExpectations(); - STRCMP_EQUAL("Published change_bits == 00000000000001111100", test_log); + STRCMP_EQUAL("Published change_bits == 00000000001111100", test_log); delete &asd->get_api(); delete asd; delete flow; @@ -426,7 +426,7 @@ TEST(appid_discovery_tests, change_bits_for_client_version) asd->set_client_version(version, change_bits); // Detect changes in client version - CHECK_EQUAL(change_bits.test(APPID_VERSION_BIT), true); + CHECK_EQUAL(change_bits.test(APPID_CLIENT_INFO_BIT), true); delete &asd->get_api(); delete asd; } @@ -503,11 +503,11 @@ TEST(appid_discovery_tests, change_bits_to_string) change_bits.set(); change_bits_to_string(change_bits, str); STRCMP_EQUAL(str.c_str(), "created, reset, service, client, payload, misc, referred, host," - " tls-host, url, user-agent, response, referrer, dns-host, version, service-vendor, service-subtype," - " client-username, client-userid, client-login-succeeded"); + " tls-host, url, user-agent, response, referrer, dns-host, service-info, client-info," + " user-info"); // Failure of this test is a reminder that enum is changed, hence translator needs update - CHECK_EQUAL(APPID_MAX_BIT, 20); + CHECK_EQUAL(APPID_MAX_BIT, 17); } int main(int argc, char** argv) diff --git a/src/network_inspectors/appid/test/appid_http_session_test.cc b/src/network_inspectors/appid/test/appid_http_session_test.cc index 7380dcf29..bfef312cf 100644 --- a/src/network_inspectors/appid/test/appid_http_session_test.cc +++ b/src/network_inspectors/appid/test/appid_http_session_test.cc @@ -126,7 +126,7 @@ void AppIdSession::set_service_appid_data(AppId, AppidChangeBits&, char*) { } -void AppIdSession::set_payload_appid_data(AppId, AppidChangeBits&, char*) +void AppIdSession::set_payload_appid_data(AppId, char*) { } diff --git a/src/network_inspectors/appid/test/appid_mock_definitions.h b/src/network_inspectors/appid/test/appid_mock_definitions.h index 46e4eec01..957c65750 100644 --- a/src/network_inspectors/appid/test/appid_mock_definitions.h +++ b/src/network_inspectors/appid/test/appid_mock_definitions.h @@ -67,8 +67,7 @@ void ClientAppDescriptor::update_user(AppId app_id, const char* username, AppidC { my_username = username; my_user_id = app_id; - change_bits.set(APPID_CLIENT_USERNAME_BIT); - change_bits.set(APPID_CLIENT_USERID_BIT); + change_bits.set(APPID_USER_INFO_BIT); } void ClientAppDescriptor::update_stats(AppId, bool) {} void PayloadAppDescriptor::update_stats(AppId, bool) {} diff --git a/src/network_inspectors/appid/test/appid_mock_session.h b/src/network_inspectors/appid/test/appid_mock_session.h index afe169ada..f2be49fb9 100644 --- a/src/network_inspectors/appid/test/appid_mock_session.h +++ b/src/network_inspectors/appid/test/appid_mock_session.h @@ -160,7 +160,8 @@ AppIdHttpSession* AppIdSession::create_http_session(uint32_t) AppidChangeBits change_bits; hsession->client.set_id(APPID_UT_ID); - hsession->client.set_version(APPID_UT_CLIENT_VERSION, change_bits); + hsession->client.set_version(APPID_UT_CLIENT_VERSION); + change_bits.set(APPID_CLIENT_INFO_BIT); hsession->payload.set_id(APPID_UT_ID); hsession->misc_app_id = APPID_UT_ID; hsession->referred_payload_app_id = APPID_UT_ID; diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc index b7796aa6e..25c142f3d 100644 --- a/src/network_inspectors/appid/test/appid_session_api_test.cc +++ b/src/network_inspectors/appid/test/appid_session_api_test.cc @@ -215,15 +215,15 @@ TEST(appid_session_api, is_appid_available) CHECK_TRUE(val); } -TEST(appid_session_api, get_client_version) +TEST(appid_session_api, get_client_info) { const char* val; - val = mock_session->get_api().get_client_version(); + val = mock_session->get_api().get_client_info(); STRCMP_EQUAL(val, APPID_UT_CLIENT_VERSION); mock_session->create_http_session(); - val = mock_session->get_api().get_client_version(0); + val = mock_session->get_api().get_client_info(0); STRCMP_EQUAL(APPID_UT_CLIENT_VERSION, val); - val = mock_session->get_api().get_client_version(2); + val = mock_session->get_api().get_client_info(2); STRCMP_EQUAL(nullptr, val); } TEST(appid_session_api, get_http_session) diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index 1cc58a004..3b13cb2d1 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc @@ -491,7 +491,7 @@ static inline void process_ftp_control(AppIdSession& asd, (field=attribute_data.ftp_command_user()) != nullptr) { asd.set_client_user(APP_ID_FTP_CONTROL, field->c_str(), change_bits); - change_bits.set(APPID_CLIENT_LOGIN_SUCCEEDED_BIT); + asd.set_user_logged_in(); } } diff --git a/src/network_inspectors/rna/rna_app_discovery.cc b/src/network_inspectors/rna/rna_app_discovery.cc index bb7400744..65e55ea5f 100644 --- a/src/network_inspectors/rna/rna_app_discovery.cc +++ b/src/network_inspectors/rna/rna_app_discovery.cc @@ -83,7 +83,7 @@ void RnaAppDiscovery::process(AppidEvent* appid_event, DiscoveryFilter& filter, if ( appid_change_bits[APPID_CLIENT_BIT] and client > APP_ID_NONE and service > APP_ID_NONE ) { - const char* version = appid_session_api.get_client_version(); + const char* version = appid_session_api.get_client_info(); if ( p->packet_flags & PKT_FROM_SERVER ) { auto cht = host_cache.find(p->flow->client_ip); @@ -105,7 +105,7 @@ void RnaAppDiscovery::process(AppidEvent* appid_event, DiscoveryFilter& filter, } } - if ( appid_change_bits[APPID_SERVICE_VENDOR_BIT] or appid_change_bits[APPID_VERSION_BIT] ) + if ( appid_change_bits[APPID_SERVICE_INFO_BIT] ) { const char* vendor; const char* version; @@ -117,18 +117,19 @@ void RnaAppDiscovery::process(AppidEvent* appid_event, DiscoveryFilter& filter, if ( conf->enable_banner_grab and p->is_from_server() and (appid_change_bits[APPID_RESPONSE_BIT] or - ((appid_change_bits[APPID_SERVICE_VENDOR_BIT] or appid_change_bits[APPID_VERSION_BIT])) or - (appid_change_bits[APPID_SERVICE_BIT])) ) + appid_change_bits[APPID_SERVICE_INFO_BIT] or + appid_change_bits[APPID_SERVICE_BIT]) ) { discover_banner(p, proto, ht, &p->flow->server_ip, src_mac, logger, service); } // Appid supports only login success event. Change checks once login failure and // logoff is supported - if ( appid_change_bits[APPID_CLIENT_LOGIN_SUCCEEDED_BIT] and filter.is_user_monitored(p) ) + if ( appid_change_bits[APPID_USER_INFO_BIT] and filter.is_user_monitored(p) ) { - const char* username = appid_session_api.get_client_info(service); - if ( service > APP_ID_NONE and username and *username ) + bool login; + const char* username = appid_session_api.get_user_info(service, login); + if ( login and service > APP_ID_NONE and username and *username ) discover_user(p, ht, (const struct in6_addr*) p->ptrs.ip_api.get_dst()->get_ip6_ptr(), logger, username, service, proto); } diff --git a/src/pub_sub/appid_events.h b/src/pub_sub/appid_events.h index 25a8c28e3..928c6bb31 100644 --- a/src/pub_sub/appid_events.h +++ b/src/pub_sub/appid_events.h @@ -59,12 +59,9 @@ enum AppidChangeBit APPID_DNS_HOST_BIT, // other - APPID_VERSION_BIT, - APPID_SERVICE_VENDOR_BIT, - APPID_SERVICE_SUBTYPE_BIT, - APPID_CLIENT_USERNAME_BIT, - APPID_CLIENT_USERID_BIT, - APPID_CLIENT_LOGIN_SUCCEEDED_BIT, + APPID_SERVICE_INFO_BIT, + APPID_CLIENT_INFO_BIT, + APPID_USER_INFO_BIT, APPID_MAX_BIT }; @@ -103,18 +100,12 @@ inline void change_bits_to_string(AppidChangeBits& change_bits, std::string& str --n? str.append("referrer, ") : str.append("referrer"); if (change_bits.test(APPID_DNS_HOST_BIT)) --n? str.append("dns-host, ") : str.append("dns-host"); - if (change_bits.test(APPID_VERSION_BIT)) - --n? str.append("version, ") : str.append("version"); - if (change_bits.test(APPID_SERVICE_VENDOR_BIT)) - --n? str.append("service-vendor, ") : str.append("service-vendor"); - if (change_bits.test(APPID_SERVICE_SUBTYPE_BIT)) - --n? str.append("service-subtype, ") : str.append("service-subtype"); - if (change_bits.test(APPID_CLIENT_USERNAME_BIT)) - --n? str.append("client-username, ") : str.append("client-username"); - if (change_bits.test(APPID_CLIENT_USERID_BIT)) - --n? str.append("client-userid, ") : str.append("client-userid"); - if (change_bits.test(APPID_CLIENT_LOGIN_SUCCEEDED_BIT)) - --n? str.append("client-login-succeeded, ") : str.append("client-login-succeeded"); + if (change_bits.test(APPID_SERVICE_INFO_BIT)) + --n? str.append("service-info, ") : str.append("service-info"); + if (change_bits.test(APPID_CLIENT_INFO_BIT)) + --n? str.append("client-info, ") : str.append("client-info"); + if (change_bits.test(APPID_USER_INFO_BIT)) + --n? str.append("user-info, ") : str.append("user-info"); if (n != 0) // make sure all bits from AppidChangeBit enum get translated str.append("change_bits_to_string error!"); }