From: Shravan Rangarajuvenkata (shrarang) Date: Tue, 15 Jun 2021 17:56:10 +0000 (+0000) Subject: Merge pull request #2938 in SNORT/snort3 from ~SHRARANG/snort3:vdb_ci to master X-Git-Tag: 3.1.6.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e68b08eda11e8584b9a6697774ab0b00fb8181ef;p=thirdparty%2Fsnort3.git Merge pull request #2938 in SNORT/snort3 from ~SHRARANG/snort3:vdb_ci to master Squashed commit of the following: commit ba7463da922459e8a37fd2b04114f89c181ea80c Author: Shravan Rangaraju Date: Mon Jun 14 22:01:11 2021 -0400 appid: remove error message when userappid.conf is not present commit b6e776d4eed4389886195847fe878f842e668a45 Author: Shravan Rangaraju Date: Thu Jun 10 23:26:55 2021 -0400 appid: remove unused metadata offset functionality commit 3a4a71e8787986f41947811106d632c5a917704c Author: Shravan Rangaraju Date: Wed Jun 9 17:30:24 2021 -0400 appid: support fragmented metadata --- diff --git a/src/network_inspectors/appid/app_info_table.cc b/src/network_inspectors/appid/app_info_table.cc index 4f1bd90eb..08fc48106 100644 --- a/src/network_inspectors/appid/app_info_table.cc +++ b/src/network_inspectors/appid/app_info_table.cc @@ -621,10 +621,7 @@ void AppInfoManager::dump_appid_configurations(const std::string& file_path) con { std::ifstream conf_file(file_path); if (!conf_file.is_open()) - { - ParseError("appid: could not open %s", file_path.c_str()); return; - } LogMessage("AppId: Configuration file %s\n", file_path.c_str()); std::string line; diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc index 45bd1fc60..92a4083e9 100644 --- a/src/network_inspectors/appid/appid_http_session.cc +++ b/src/network_inspectors/appid/appid_http_session.cc 
@@ -42,11 +42,6 @@ using namespace snort; AppIdHttpSession::AppIdHttpSession(AppIdSession& asd, uint32_t http2_stream_id) : asd(asd), http2_stream_id(http2_stream_id) { - for ( int i = 0; i < NUM_HTTP_FIELDS; i++) - { - meta_offset[i].first = 0; - meta_offset[i].second = 0; - } memory::MemoryCap::update_allocations(sizeof(AppIdHttpSession)); } diff --git a/src/network_inspectors/appid/appid_http_session.h b/src/network_inspectors/appid/appid_http_session.h index 97537ddc3..04d518736 100644 --- a/src/network_inspectors/appid/appid_http_session.h +++ b/src/network_inspectors/appid/appid_http_session.h @@ -82,28 +82,6 @@ public: const char* get_cfield(HttpFieldIds id) const { return meta_data[id] != nullptr ? meta_data[id]->c_str() : nullptr; } - bool get_offset(int id, uint16_t& start, uint16_t& end) const - { - if ( REQ_AGENT_FID <= id and id < NUM_HTTP_FIELDS ) - { - start = meta_offset[id].first; - end = meta_offset[id].second; - return true; - } - return false; - } - - bool set_offset(int id, uint16_t start, uint16_t end) - { - if ( REQ_AGENT_FID <= id and id < NUM_HTTP_FIELDS ) - { - meta_offset[id].first = start; - meta_offset[id].second = end; - return true; - } - return false; - } - void set_is_webdav(bool webdav) { is_webdav = webdav; } @@ -189,7 +167,6 @@ protected: // set_field() functions in AppIdHttpSession. We do need set functions // for this array, as old pointers need to be deleted upon set(). const std::string* meta_data[NUM_METADATA_FIELDS] = { }; - pair_t meta_offset[NUM_HTTP_FIELDS]; bool is_webdav = false; bool chp_finished = false; diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 9fa368681..f8bcdd452 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h 
@@ -58,8 +58,6 @@ using AppIdFreeFCN = void (*)(void*); const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_len, const uint8_t* needle, unsigned needle_len); -#define MAX_ATTR_LEN 1024 - #define SF_DEBUG_FILE stdout #define MIN_SFTP_PACKET_COUNT 30 #define MAX_SFTP_PACKET_COUNT 55 diff --git a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc index acf04fd32..8a9d387b5 100644 --- a/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc +++ b/src/network_inspectors/appid/detector_plugins/http_url_patterns.cc 
@@ -748,66 +748,6 @@ void HttpPatternMatchers::reload_patterns() chp_matchers[i].reload(); } -typedef struct fieldPatternData_t -{ - const uint8_t* payload; - unsigned length; - AppIdHttpSession* hsession; -} FieldPatternData; - -static int http_field_pattern_match(void* id, void*, int match_end_pos, void* data, void*) -{ - static const uint8_t crlf[] = "\r\n"; - static unsigned crlfLen = sizeof(crlf)-1; - FieldPatternData* pFieldData = (FieldPatternData*)data; - FieldPattern* target = (FieldPattern*)id; - const uint8_t* p; - unsigned fieldOffset = match_end_pos; - unsigned remainingLength = pFieldData->length - fieldOffset; - - if (!(p = (const uint8_t*)service_strstr(&pFieldData->payload[fieldOffset], remainingLength, - crlf, crlfLen))) - { - return 1; - } - - pFieldData->hsession->set_offset(target->patternType, fieldOffset, p-pFieldData->payload); - - return 1; -} - -// FIXIT-RC: Is this still necessary now that we use inspection events? -void HttpPatternMatchers::get_http_offsets(Packet* pkt, AppIdHttpSession* hsession) -{ - constexpr auto MIN_HTTP_REQ_HEADER_SIZE = (sizeof("GET /\r\n\r\n") - 1); - static const uint8_t crlfcrlf[] = "\r\n\r\n"; - static unsigned crlfcrlfLen = sizeof(crlfcrlf) - 1; - const uint8_t* headerEnd; - FieldPatternData patternMatchData; - - for (int fieldId = REQ_AGENT_FID; fieldId <= REQ_COOKIE_FID; fieldId++) - { - pair_t off; - if ( hsession->get_offset(fieldId, off.first, off.second) ) - hsession->set_offset(fieldId, 0, off.second); - } - - if (!pkt->data || pkt->dsize < MIN_HTTP_REQ_HEADER_SIZE) - return; - - patternMatchData.hsession = hsession; - patternMatchData.payload = pkt->data; - - if (!(headerEnd = (const uint8_t*)service_strstr(pkt->data, pkt->dsize, crlfcrlf, - crlfcrlfLen))) - return; - - headerEnd += crlfcrlfLen; - patternMatchData.length = (unsigned)(headerEnd - pkt->data); - field_matcher.find_all((const char*)pkt->data, patternMatchData.length, - &http_field_pattern_match, false, (void*)(&patternMatchData)); -} - 
static inline void free_matched_patterns(MatchedPatterns* mp) { while (mp) diff --git a/src/network_inspectors/appid/detector_plugins/http_url_patterns.h b/src/network_inspectors/appid/detector_plugins/http_url_patterns.h index 3f8d06bdc..fc95ba8ee 100644 --- a/src/network_inspectors/appid/detector_plugins/http_url_patterns.h +++ b/src/network_inspectors/appid/detector_plugins/http_url_patterns.h @@ -306,7 +306,6 @@ public: AppId get_appid_by_content_type(const char*, int); void get_server_vendor_version(const char*, int, char**, char**, AppIdServiceSubtype**); void identify_user_agent(const char*, int, AppId&, AppId&, char**); - void get_http_offsets(snort::Packet*, AppIdHttpSession*); uint32_t parse_multiple_http_patterns(const char* pattern, tMlmpPattern*, uint32_t numPartLimit, int level); diff --git a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h index ee6adfc1e..8784677d7 100644 --- a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h +++ b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h @@ -190,9 +190,6 @@ const uint8_t* service_strstr(const uint8_t* p, unsigned, return nullptr; } -// Stubs for appid_http_session.cc -static bool test_field_offset_set_done = false; - // Stubs for app_info_table.cc AppInfoTableEntry* AppInfoManager::get_app_info_entry(int) { diff --git a/src/network_inspectors/appid/detector_plugins/test/http_url_patterns_test.cc b/src/network_inspectors/appid/detector_plugins/test/http_url_patterns_test.cc index fe652dfce..1fd904032 100644 --- a/src/network_inspectors/appid/detector_plugins/test/http_url_patterns_test.cc +++ b/src/network_inspectors/appid/detector_plugins/test/http_url_patterns_test.cc 
@@ -93,31 +93,6 @@ TEST_GROUP(http_url_patterns_tests) } }; -TEST(http_url_patterns_tests, http_field_pattern_match) -{ - FieldPatternData fpd; - FieldPattern fp; - pair_t off; - - // verify service_strstr getting called - fp.patternType = REQ_HOST_FID; - fpd.payload = (const uint8_t*)"Google"; - fpd.length = 6; - fpd.hsession = &mock_hsession; - - test_service_strstr_enabled = false; - test_field_offset_set_done = false; - mock_hsession.set_offset(fp.patternType, 0, 5); - CHECK_EQUAL(1, http_field_pattern_match(&fp, nullptr, 0, &fpd, nullptr)); - mock_hsession.get_offset(fp.patternType, off.first, off.second); - CHECK_EQUAL(5, off.second); // check offset did not change - - test_service_strstr_enabled = true; - CHECK_EQUAL(1, http_field_pattern_match(&fp, nullptr, 0, &fpd, nullptr)); - mock_hsession.get_offset(fp.patternType, off.first, off.second); - CHECK_EQUAL(0, off.second); // if it changed, service_strstr was called -} - TEST(http_url_patterns_tests, match_query_elements) { // null check 
@@ -151,33 +126,6 @@ TEST(http_url_patterns_tests, chp_add_candidate_to_tally) CHECK_EQUAL(match_tally[0].key_pattern_countdown, 0); } -TEST(http_url_patterns_tests, get_http_offsets) -{ - // field_offset is set for small payload - test_field_offset_set_done = false; - pkt.data = (const uint8_t*)"Go"; - pkt.dsize = 2; - - pair_t off; - mock_hsession.set_offset(REQ_AGENT_FID, 5, 0); - hm->get_http_offsets(&pkt, &mock_hsession); - mock_hsession.get_offset(REQ_AGENT_FID, off.first, off.second); - CHECK_EQUAL(0, off.first); - - // find_all is not called for bigger payload when service_strstr returns nullptr - test_service_strstr_enabled = false; - test_find_all_done = false; - pkt.data = (const uint8_t*)"GET http://www.w3.org HTTP/1.1"; - pkt.dsize = strlen((const char*)pkt.data); - hm->get_http_offsets(&pkt, &mock_hsession); - CHECK_EQUAL(false, test_find_all_done); - - // find_all is called for bigger payload when service_strstr returns something - test_service_strstr_enabled = true; - hm->get_http_offsets(&pkt, &mock_hsession); - CHECK_EQUAL(true, test_find_all_done); -} - TEST(http_url_patterns_tests, normalize_userid) { // no change diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index be7a28dfd..5bc129721 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -128,7 +128,6 @@ void DataBus::publish(const char*, DataEvent& event, Flow*) static HttpPatternMatchers* http_matchers; DnsPatternMatchers::~DnsPatternMatchers() = default; HttpPatternMatchers::~HttpPatternMatchers() = default; -void HttpPatternMatchers::get_http_offsets(Packet*, AppIdHttpSession*) {} SipPatternMatchers::~SipPatternMatchers() = default; SslPatternMatchers::~SslPatternMatchers() = default; 
diff --git a/src/network_inspectors/appid/test/appid_mock_http_session.h b/src/network_inspectors/appid/test/appid_mock_http_session.h index 17efe6dcb..d51e10e5c 100644 --- a/src/network_inspectors/appid/test/appid_mock_http_session.h +++ b/src/network_inspectors/appid/test/appid_mock_http_session.h @@ -93,11 +93,6 @@ public: meta_data[MISC_SERVER_FID] = new std::string(SERVER); meta_data[MISC_XWW_FID] = new std::string(X_WORKING_WITH); meta_data[MISC_URL_FID] = new std::string(URL); - - meta_offset[REQ_URI_FID].first = URI_OFFSET; - meta_offset[REQ_URI_FID].second = URI_OFFSET + strlen(URI); - meta_offset[REQ_COOKIE_FID].first = COOKIE_OFFSET; - meta_offset[REQ_COOKIE_FID].second = COOKIE_OFFSET + strlen(NEW_COOKIE); } void reset() diff --git a/src/network_inspectors/appid/test/tp_appid_types_test.cc b/src/network_inspectors/appid/test/tp_appid_types_test.cc index dc4c52f66..535075f49 100644 --- a/src/network_inspectors/appid/test/tp_appid_types_test.cc +++ b/src/network_inspectors/appid/test/tp_appid_types_test.cc 
@@ -35,26 +35,26 @@ // 3rd CHECK_EQUAL checks that AttributeData doesn't leak memory upon consecutive sets // finally check that we don't leak or double free memory when caller owns it #define SET_GET_MACRO(func) \ - ad.set_ ## func(abc.c_str(), abc.size()); \ + ad.set_ ## func(abc.c_str(), abc.size(), true); \ outField=ad.func(0); \ CHECK_EQUAL(*outField,abc); \ outField=ad.func(0); \ CHECK_EQUAL(*outField,abc); \ - ad.set_ ## func(def.c_str(), def.size()); \ + ad.set_ ## func(def.c_str(), def.size(), true); \ outField=ad.func(0); \ CHECK_EQUAL(*outField,def); \ outField=ad.func(1); \ delete outField; -#define SET_GET_OFFSET_MACRO(func) \ - ad.set_ ## func(abc.c_str(), abc.size(), start, end); \ +#define SET_GET_MACRO_FRAGMENTED(func) \ + ad.set_ ## func(abc.c_str(), abc.size(), false); \ outField=ad.func(0); \ CHECK_EQUAL(*outField,abc); \ outField=ad.func(0); \ CHECK_EQUAL(*outField,abc); \ - ad.set_ ## func(def.c_str(), def.size(), start, end); \ + ad.set_ ## func(def.c_str(), def.size(), true); \ outField=ad.func(0); \ - CHECK_EQUAL(*outField,def); \ + CHECK_EQUAL(*outField,abc+def); \ outField=ad.func(1); \ delete outField; 
@@ -72,33 +72,83 @@ TEST_GROUP(tp_appid_types) TEST(tp_appid_types, get_set) { ThirdPartyAppIDAttributeData ad; - uint16_t start=0, end=3; string abc("abc"); string def("def"); const string* outField=nullptr; - SET_GET_OFFSET_MACRO(spdy_request_path); + SET_GET_MACRO(spdy_request_path); SET_GET_MACRO(spdy_request_scheme); - SET_GET_OFFSET_MACRO(spdy_request_host); + SET_GET_MACRO(spdy_request_host); SET_GET_MACRO(http_request_url); - SET_GET_OFFSET_MACRO(http_request_uri); - SET_GET_OFFSET_MACRO(http_request_host); - SET_GET_OFFSET_MACRO(http_request_cookie); + SET_GET_MACRO(http_request_uri); + SET_GET_MACRO(http_request_host); + SET_GET_MACRO(http_request_cookie); SET_GET_MACRO(http_request_via); SET_GET_MACRO(http_response_via); - SET_GET_OFFSET_MACRO(http_request_user_agent); + SET_GET_MACRO(http_request_user_agent); SET_GET_MACRO(http_response_code); - SET_GET_MACRO(http_response_content); - SET_GET_MACRO(http_response_location); - SET_GET_MACRO(http_response_body); - SET_GET_MACRO(http_request_body); - SET_GET_MACRO(http_response_server); - SET_GET_MACRO(http_request_x_working_with); - SET_GET_MACRO(tls_host); - SET_GET_MACRO(tls_cname); - SET_GET_MACRO(tls_org_unit); - SET_GET_OFFSET_MACRO(http_request_referer); - SET_GET_MACRO(ftp_command_user); +} + +TEST(tp_appid_types, get_set_fragmented) +{ + ThirdPartyAppIDAttributeData ad; + string abc("abc"); + string def("def"); + const string* outField=nullptr; + + SET_GET_MACRO_FRAGMENTED(http_response_content); + SET_GET_MACRO_FRAGMENTED(http_response_location); + SET_GET_MACRO_FRAGMENTED(http_response_body); + SET_GET_MACRO_FRAGMENTED(http_request_body); + SET_GET_MACRO_FRAGMENTED(http_response_server); + SET_GET_MACRO_FRAGMENTED(http_request_x_working_with); + SET_GET_MACRO_FRAGMENTED(tls_host); + SET_GET_MACRO_FRAGMENTED(tls_cname); + SET_GET_MACRO_FRAGMENTED(tls_org_unit); + SET_GET_MACRO_FRAGMENTED(http_request_referer); + SET_GET_MACRO_FRAGMENTED(ftp_command_user); +} + +TEST(tp_appid_types, max_len) +{ + 
ThirdPartyAppIDAttributeData ad; + char buf[3000]; + + for (int i = 0; i < 2999; i++) + buf[i] = 'a'; + + buf[2999] = '\0'; + ad.set_http_request_body(buf, 2999, true); + string* req_body = ad.http_request_body(); + CHECK_EQUAL(req_body->size(), MAX_ATTR_LEN); + for (int i = 0; i < MAX_ATTR_LEN; i++) + CHECK_EQUAL((*req_body)[i], 'a'); + + ad.set_http_request_body(buf, 2999, true, 2800); + req_body = ad.http_request_body(); + CHECK_EQUAL(req_body->size(), 2800); + for (int i = 0; i < 2800; i++) + CHECK_EQUAL((*req_body)[i], 'a'); + + ad.set_http_request_body(buf, 2999, true, 3200); + req_body = ad.http_request_body(); + CHECK_EQUAL(req_body->size(), 2999); + for (int i = 0; i < 2999; i++) + CHECK_EQUAL((*req_body)[i], 'a'); + + ad.set_http_request_body(buf, 1600, false); + ad.set_http_request_body(buf, 1600, true); + req_body = ad.http_request_body(); + CHECK_EQUAL(req_body->size(), MAX_ATTR_LEN); + for (int i = 0; i < MAX_ATTR_LEN; i++) + CHECK_EQUAL((*req_body)[i], 'a'); + + ad.set_http_request_body(buf, 1600, false, 3200); + ad.set_http_request_body(buf, 1600, true, 3200); + req_body = ad.http_request_body(); + CHECK_EQUAL(req_body->size(), 3200); + for (int i = 0; i < 3200; i++) + CHECK_EQUAL((*req_body)[i], 'a'); } int main(int argc, char** argv) diff --git a/src/network_inspectors/appid/tp_appid_types.h b/src/network_inspectors/appid/tp_appid_types.h index ad5d77d08..586f28596 100644 --- a/src/network_inspectors/appid/tp_appid_types.h +++ b/src/network_inspectors/appid/tp_appid_types.h @@ -25,6 +25,8 @@ #include #include +#define MAX_ATTR_LEN 2048 + using std::string; enum TPFlags 
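Review bot: The max_len test never reaches the final `else` in set_attr, where a fragment arrives after the buffer is already at its limit. Every sequence here stops at two fragments, so the second always has room to copy at least part of its data. That branch is what stops an oversized field growing past the cap, so it deserves its own case: call `ad.set_http_request_body(buf, 1600, false);` twice, then `ad.set_http_request_body(buf, 1600, true);`, and assert `CHECK_EQUAL(req_body->size(), MAX_ATTR_LEN);`. quic_sni is also absent from both get_set and get_set_fragmented, although the header generates TPAD_SET(quic_sni).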
@@ -54,6 +56,23 @@ enum TPSessionAttr
 TP_ATTR_COPY_RESPONSE_BODY = (1 << 3),
 };
+static void set_attr(string*& attr, const char* buf, size_t len, bool flush, size_t max_len)
+{
+ if (!attr)
+ attr = new string(buf, len > max_len ? max_len : len);
+ else if (flush)
+ {
+ delete attr;
+ attr = new string(buf, len > max_len ? max_len : len);
+ }
+ else if (attr->size() < max_len)
+ {
+ size_t max_copy_len = max_len - attr->size();
+ attr->append(buf, len > max_copy_len ? max_copy_len : len);
+ }
+ // else, skip copy because the buffer is filled up to its limit
+}
+
 #define TPAD_GET(func) \
 string* func(bool caller_owns_it = false) \
 { \
@@ -63,22 +82,11 @@ enum TPSessionAttr
 return tmp; \
 }
-#define TPAD_SET_OFFSET(func) \
- void set_ ## func(const char* buf, size_t len, uint16_t offset, uint16_t endOffset) \
- { \
- if (func ## _buf) \
- delete func ## _buf; \
- func ## _buf=new string(buf,len); \
- func ## _offset=offset; \
- func ## _end_offset=endOffset; \
- }
-
-#define TPAD_SET(func) \
- void set_ ## func(const char* buf, size_t len) \
- { \
- if (func ## _buf) \
- delete func ## _buf; \
- func ## _buf=new string(buf,len); \
+#define TPAD_SET(func) \
+ void set_ ## func(const char* buf, size_t len, bool last_fragment, size_t max_len = MAX_ATTR_LEN) \
+ { \
+ set_attr(func ## _buf, buf, len, func ## _flush, max_len); \
+ func ## _flush = last_fragment; \
 }
 // The ThirdPartyAppIDAttributeData class acts as a per packet cache for
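Review bot: set_attr is defined `static` in a header, so every translation unit that includes tp_appid_types.h gets a private copy, and one that includes it without calling a setter can trip unused-function warnings; `inline` is the conventional linkage for a helper like this. The clamp `len > max_len ? max_len : len` is also written out twice, and the flush branch deletes and reallocates a string the object already owns. The version below gives the same contents in every branch, including the cap and the skip-when-full case, with a single copy path.

```cpp
inline void set_attr(string*& attr, const char* buf, size_t len, bool flush, size_t max_len)
{
    if (!attr)
        attr = new string;
    else if (flush)
        attr->clear();

    // Copy only what still fits; a buffer already at max_len is left untouched.
    if (attr->size() < max_len)
    {
        const size_t room = max_len - attr->size();
        attr->append(buf, len > room ? room : len);
    }
}
```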
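Review bot: In this diff the `_flush` flags are written only by the setter (`func ## _flush = last_fragment;`), so a field whose final fragment never arrives stays in append mode. If its buffer is still held when the next value for that field arrives from a different request, that value is appended to the stale partial instead of replacing it, up to max_len, and the detectors would see two unrelated values joined together. No path visible here restores a flag to true when the attribute data is cleared or reused. If such a reset exists elsewhere it should cover every `_flush` member; otherwise the class's reset routine is the natural place to add it. TPAD_GET's body lies only partly inside this hunk, so how the getter interacts with the flag is inferred.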
@@ -125,26 +133,30 @@ class ThirdPartyAppIDAttributeData
 string* ftp_command_user_buf = nullptr;
 string* quic_sni_buf = nullptr;
- uint16_t http_request_uri_offset = 0;
- uint16_t http_request_uri_end_offset = 0;
-
- uint16_t http_request_cookie_offset = 0;
- uint16_t http_request_cookie_end_offset = 0;
-
- uint16_t http_request_user_agent_offset = 0;
- uint16_t http_request_user_agent_end_offset = 0;
-
- uint16_t http_request_host_offset = 0;
- uint16_t http_request_host_end_offset = 0;
-
- uint16_t http_request_referer_offset = 0;
- uint16_t http_request_referer_end_offset = 0;
-
- uint16_t spdy_request_host_offset = 0;
- uint16_t spdy_request_host_end_offset = 0;
-
- uint16_t spdy_request_path_offset = 0;
- uint16_t spdy_request_path_end_offset = 0;
+ // will be set to true after last fragment for a metadata field is received
+ bool spdy_request_path_flush = true;
+ bool spdy_request_scheme_flush = true;
+ bool spdy_request_host_flush = true;
+ bool http_request_url_flush = true;
+ bool http_request_uri_flush = true;
+ bool http_request_host_flush = true;
+ bool http_request_cookie_flush = true;
+ bool http_request_via_flush = true;
+ bool http_response_via_flush = true;
+ bool http_request_user_agent_flush = true;
+ bool http_response_code_flush = true;
+ bool http_response_content_flush = true;
+ bool http_response_location_flush = true;
+ bool http_response_body_flush = true;
+ bool http_request_body_flush = true;
+ bool http_response_server_flush = true;
+ bool http_request_x_working_with_flush = true;
+ bool tls_host_flush = true;
+ bool tls_cname_flush = true;
+ bool tls_org_unit_flush = true;
+ bool http_request_referer_flush = true;
+ bool ftp_command_user_flush = true;
+ bool quic_sni_flush = true;
 // FIXIT-L: make these private too. Figure out how these get set in tp.
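Review bot: The comment above the new flags says they become true after the last fragment is received, but they also start out true. What set_attr actually uses the value for is deciding whether the next set_ call replaces the buffer or appends to it. Stating that contract would save the next reader from tracing the macro, for example `// true: the next set_<field>() replaces the buffer; false: a fragment is pending and the next call appends`. The class body starts and ends outside this hunk.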
@@ -204,38 +216,17 @@ public:
 TPAD_GET(ftp_command_user)
 TPAD_GET(quic_sni)
- uint16_t http_request_uri_begin() { return http_request_uri_offset; }
- uint16_t http_request_uri_end() { return http_request_uri_end_offset; }
-
- uint16_t http_request_cookie_begin() { return http_request_cookie_offset; }
- uint16_t http_request_cookie_end() { return http_request_cookie_end_offset; }
-
- uint16_t http_request_user_agent_begin() { return http_request_user_agent_offset; }
- uint16_t http_request_user_agent_end() { return http_request_user_agent_end_offset; }
-
- uint16_t http_request_host_begin() { return http_request_host_offset; }
- uint16_t http_request_host_end() { return http_request_host_end_offset; }
-
- uint16_t http_request_referer_begin() { return http_request_referer_offset; }
- uint16_t http_request_referer_end() { return http_request_referer_end_offset; }
-
- uint16_t spdy_request_host_begin() { return spdy_request_host_offset; }
- uint16_t spdy_request_host_end() { return spdy_request_host_end_offset; }
-
- uint16_t spdy_request_path_begin() { return spdy_request_path_offset; }
- uint16_t spdy_request_path_end() { return spdy_request_path_end_offset; }
-
 // set functions
- TPAD_SET_OFFSET(spdy_request_path)
+ TPAD_SET(spdy_request_path)
 TPAD_SET(spdy_request_scheme)
- TPAD_SET_OFFSET(spdy_request_host)
+ TPAD_SET(spdy_request_host)
 TPAD_SET(http_request_url)
- TPAD_SET_OFFSET(http_request_uri)
- TPAD_SET_OFFSET(http_request_host)
- TPAD_SET_OFFSET(http_request_cookie)
+ TPAD_SET(http_request_uri)
+ TPAD_SET(http_request_host)
+ TPAD_SET(http_request_cookie)
 TPAD_SET(http_request_via)
 TPAD_SET(http_response_via)
- TPAD_SET_OFFSET(http_request_user_agent)
+ TPAD_SET(http_request_user_agent)
 TPAD_SET(http_response_code)
 TPAD_SET(http_response_content)
 TPAD_SET(http_response_location)
@@ -246,7 +237,7 @@ public:
 TPAD_SET(tls_host)
 TPAD_SET(tls_cname)
 TPAD_SET(tls_org_unit)
- TPAD_SET_OFFSET(http_request_referer)
+ TPAD_SET(http_request_referer)
 TPAD_SET(ftp_command_user)
 TPAD_SET(quic_sni)
 };
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index 928c4eb4c..a5c02837e 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -125,9 +125,6 @@ static inline void process_http_session(const Packet& p, AppIdSession& asd,
 hsession->set_chp_finished(false);
 hsession->set_field(REQ_HOST_FID, spdyRequestHost, change_bits);
- hsession->set_offset(REQ_HOST_FID,
- attribute_data.spdy_request_host_begin(),
- attribute_data.spdy_request_host_end());
 }
 if (spdyRequestPath)
@@ -136,9 +133,6 @@ static inline void process_http_session(const Packet& p, AppIdSession& asd,
 hsession->set_chp_finished(false);
 hsession->set_field(REQ_URI_FID, spdyRequestPath, change_bits);
- hsession->set_offset(REQ_URI_FID,
- attribute_data.spdy_request_path_begin(),
- attribute_data.spdy_request_path_end());
 }
 }
 else
@@ -150,9 +144,6 @@ static inline void process_http_session(const Packet& p, AppIdSession& asd,
 hsession->set_chp_finished(false);
 hsession->set_field(REQ_HOST_FID, field, change_bits);
- hsession->set_offset(REQ_HOST_FID,
- attribute_data.http_request_host_begin(),
- attribute_data.http_request_host_end());
 }
 if ( (field=attribute_data.http_request_url(own)) != nullptr )
@@ -183,9 +174,6 @@ static inline void process_http_session(const Packet& p, AppIdSession& asd,
 hsession->set_chp_finished(false);
 hsession->set_field(REQ_URI_FID, field, change_bits);
- hsession->set_offset(REQ_URI_FID,
- attribute_data.http_request_uri_begin(),
- attribute_data.http_request_uri_end());
 }
 }
@@ -214,9 +202,6 @@ static inline void process_http_session(const Packet& p, AppIdSession& asd,
 hsession->set_chp_finished(false);
 hsession->set_field(REQ_AGENT_FID, field, change_bits);
- hsession->set_offset(REQ_AGENT_FID,
- attribute_data.http_request_user_agent_begin(),
- attribute_data.http_request_user_agent_end());
 }
 if ( (field=attribute_data.http_response_code(own)) != nullptr )
@@ -235,9 +220,6 @@ static inline void process_http_session(const Packet& p, AppIdSession& asd,
 hsession->set_chp_finished(false);
 hsession->set_field(REQ_REFERER_FID, field, change_bits);
- hsession->set_offset(REQ_REFERER_FID,
- attribute_data.http_request_referer_begin(),
- attribute_data.http_request_referer_end());
 }
 if ( (field=attribute_data.http_request_cookie(own)) != nullptr )
@@ -247,9 +229,6 @@ static inline void process_http_session(const Packet& p, AppIdSession& asd,
 hsession->set_chp_finished(false);
 hsession->set_field(REQ_COOKIE_FID, field, change_bits);
- hsession->set_offset(REQ_COOKIE_FID,
- attribute_data.http_request_cookie_begin(),
- attribute_data.http_request_cookie_end());
 }
 if ( (field=attribute_data.http_response_content(own)) != nullptr )
@@ -321,31 +300,18 @@ static inline void process_rtmp(AppIdSession& asd,
 bool own = true;
 const string* field = nullptr;
- if ( !hsession->get_field(MISC_URL_FID) )
- {
- if ( ( field=attribute_data.http_request_url(own) ) != nullptr )
- hsession->set_field(MISC_URL_FID, field, change_bits);
- }
+ if (!hsession->get_field(MISC_URL_FID) and
+ ((field = attribute_data.http_request_url(own)) != nullptr))
+ hsession->set_field(MISC_URL_FID, field, change_bits);
- if ( !asd.get_odp_ctxt().referred_appId_disabled &&
- !hsession->get_field(REQ_REFERER_FID) )
- {
- if ( ( field=attribute_data.http_request_referer(own) ) != nullptr )
- {
- hsession->set_field(REQ_REFERER_FID, field, change_bits);
- }
- }
+ if (!asd.get_odp_ctxt().referred_appId_disabled and
+ !hsession->get_field(REQ_REFERER_FID) and
+ ((field = attribute_data.http_request_referer(own)) != nullptr))
+ hsession->set_field(REQ_REFERER_FID, field, change_bits);
- if ( !hsession->get_field(REQ_AGENT_FID) )
- {
- if ( ( field=attribute_data.http_request_user_agent(own) ) != nullptr )
- {
- hsession->set_field(REQ_AGENT_FID, field, change_bits);
- hsession->set_offset(REQ_AGENT_FID,
- attribute_data.http_request_user_agent_begin(),
- attribute_data.http_request_user_agent_end());
- }
- }
+ if (!hsession->get_field(REQ_AGENT_FID) and
+ ((field = attribute_data.http_request_user_agent(own)) != nullptr))
+ hsession->set_field(REQ_AGENT_FID, field, change_bits);
 asd.examine_rtmp_metadata(change_bits);
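Review bot: Each field here is taken with `own` set to true as soon as its buffer is non-null, with no check that the field's last fragment has been received. Now that the set_ calls can deliver a value in pieces, a field read between fragments would be stored truncated, and the `!hsession->get_field(...)` guards mean the remainder would not replace it later. Whether that can happen depends on when the third-party module runs relative to this function, which is outside the diff. If it can, the getter should expose the field's completeness so each read is gated on it before `set_field` is called. process_rtmp begins and ends outside the hunk.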