From: Shravan Rangarajuvenkata (shrarang) Date: Thu, 26 Mar 2020 22:32:57 +0000 (+0000) Subject: Merge pull request #2098 in SNORT/snort3 from ~SAARAYA/snort3:http2_app_detection... X-Git-Tag: 3.0.1-1~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e4ec47f0be6be5c5273098e1be055a1cacb41f29;p=thirdparty%2Fsnort3.git Merge pull request #2098 in SNORT/snort3 from ~SAARAYA/snort3:http2_app_detection to master Squashed commit of the following: commit 472fe39ed1ec39a11bbc0748b4f1368b8a7d6a1e Author: Oleksii Zaika Date: Mon Mar 23 06:13:16 2020 -0400 appid: use http2 inspector for detection even if third-party module is present --- diff --git a/src/network_inspectors/appid/appid_http_event_handler.cc b/src/network_inspectors/appid/appid_http_event_handler.cc index cea15369e..e2b757625 100644 --- a/src/network_inspectors/appid/appid_http_event_handler.cc +++ b/src/network_inspectors/appid/appid_http_event_handler.cc @@ -51,6 +51,9 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow) HttpEvent* http_event = (HttpEvent*)&event; AppidChangeBits change_bits; + if (asd->ctxt.get_tp_appid_ctxt() && !http_event->get_is_http2()) + return; + if (appidDebug->is_active()) LogMessage("AppIdDbg %s Processing HTTP metadata from HTTP Inspector\n", appidDebug->get_debug_session()); diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index c240838c3..ea04bd082 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc 
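Review bot: The new guard in `HttpEventHandler::handle` returns silently and carries no comment, so a reader cannot tell why HTTP Inspector metadata is ignored for non-HTTP/2 flows when a third-party context is loaded. If the intent is that the third-party module keeps HTTP/1.x detection, say so above the check, e.g. `// Third-party module handles HTTP/1.x; only HTTP/2 metadata is taken from the HTTP inspector.` The guard also dereferences `asd`, whose lookup and any null check sit above the hunk, so confirm it cannot be null at this point now that the handler is always subscribed. The function body starts and ends outside the hunk.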
@@ -116,14 +116,12 @@ bool AppIdInspector::configure(SnortConfig* sc) ctxt->init_appid(sc); - if (!ctxt->get_tp_appid_ctxt()) - { - DataBus::subscribe_global(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler( - HttpEventHandler::REQUEST_EVENT), sc); + DataBus::subscribe_global(HTTP_REQUEST_HEADER_EVENT_KEY, new HttpEventHandler( + HttpEventHandler::REQUEST_EVENT), sc); + + DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler( + HttpEventHandler::RESPONSE_EVENT), sc); - DataBus::subscribe_global(HTTP_RESPONSE_HEADER_EVENT_KEY, new HttpEventHandler( - HttpEventHandler::RESPONSE_EVENT), sc); - } DataBus::subscribe_global(DATA_DECRYPT_EVENT, new DataDecryptEventHandler(), sc); return true; diff --git a/src/network_inspectors/appid/test/appid_http_event_test.cc b/src/network_inspectors/appid/test/appid_http_event_test.cc index 277b3ea7d..95d3415f9 100644 --- a/src/network_inspectors/appid/test/appid_http_event_test.cc +++ b/src/network_inspectors/appid/test/appid_http_event_test.cc @@ -41,6 +41,7 @@ #include THREAD_LOCAL AppIdDebug* appidDebug = nullptr; +ThirdPartyAppIdContext* AppIdContext::tp_appid_ctxt = nullptr; void AppIdDebug::activate(const Flow*, const AppIdSession*, bool) { active = true; } void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { } diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index 3b56257ac..310b5fff2 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc 
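Review bot: With the `if (!ctxt->get_tp_appid_ctxt())` wrapper removed, nothing in `AppIdInspector::configure` tells the reader that the request and response header subscriptions are now filtered inside the handler instead. I would add a comment above the two `DataBus::subscribe_global` calls, e.g. `// Always subscribe; HttpEventHandler::handle() ignores non-HTTP/2 events when a third-party context is loaded.` Every HTTP header event now reaches the AppId handler in third-party deployments, and the early return there comes after whatever `handle` does before it (not visible here), so the per-event cost is worth a quick check. `configure` starts above the hunk.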
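Review bot: The stub defines `AppIdContext::tp_appid_ctxt` as `nullptr`, so in this test file `get_tp_appid_ctxt()` presumably always returns null and the new early return in `HttpEventHandler::handle` (third-party context present, event not HTTP/2) is never taken. Unless a case elsewhere in the file sets the pointer, consider adding a test that points it at a dummy context and checks two things: a non-HTTP/2 event leaves the session untouched, and an HTTP/2 event is still processed.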
@@ -704,11 +704,6 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I // some cases. Treat it like HTTP w/ is_http2 flag set. if ((tp_app_id == APP_ID_HTTP2) && (tp_confidence == 100)) { - if (appidDebug->is_active()) - LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", - appidDebug->get_debug_session()); - - tp_app_id = APP_ID_HTTP; asd.is_http2 = true; } // if the third-party appId must be treated as a client, do it now
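Review bot: The comment kept just above the condition still says to treat third-party HTTP/2 "like HTTP w/ is_http2 flag set", but with `tp_app_id = APP_ID_HTTP;` removed the id stays `APP_ID_HTTP2` and only `asd.is_http2` is set. Update the comment to match, e.g. `// Keep APP_ID_HTTP2 and set is_http2; HTTP-level detection comes from the HTTP/2 inspector events.` Any later logic in `do_tp_discovery` that keys on `APP_ID_HTTP` will no longer run for these flows, so HTTP-level detection for HTTP/2 traffic presumably depends on the HTTP/2 inspector being enabled. That dependency is worth confirming and documenting, since the removed debug message was the only trace of this path. The function continues outside the hunk.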