From: Ron Dempster (rdempste) Date: Wed, 7 Jun 2023 20:00:47 +0000 (+0000) Subject: Pull request #3868: appid: always publish a change message after do not decrypt X-Git-Tag: 3.1.64.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb2f480b8d984e0b5dc62f336992b82de4d406ba;p=thirdparty%2Fsnort3.git Pull request #3868: appid: always publish a change message after do not decrypt Merge in SNORT/snort3 from ~RDEMPSTE/snort3:cert_viz_3 to master Squashed commit of the following: commit bac5cc09c3745ee518d865d3767f73c129ac9a18 Author: Ron Dempster (rdempste) Date: Wed May 31 12:39:00 2023 -0400 appid: always publish a change message after do not decrypt
---
diff --git a/src/network_inspectors/appid/appid_data_decrypt_event_handler.h b/src/network_inspectors/appid/appid_data_decrypt_event_handler.h
index 028ef3f65..0a2c5a2b9 100644
--- a/src/network_inspectors/appid/appid_data_decrypt_event_handler.h
+++ b/src/network_inspectors/appid/appid_data_decrypt_event_handler.h
@@ -34,14 +34,15 @@ public:
 {
 assert(flow);
 AppIdSession* asd = snort::appid_api.get_appid_session(*flow);
- if (!asd or
- !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
- return;
+ if (!asd or !asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECIAL_MONITORED))
+ return;
 const DataDecryptEvent& data_decrypt_event = static_cast(event);
- if (data_decrypt_event.get_type() == DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT)
- {
+ DataDecryptEvent::StateEventType state = data_decrypt_event.get_type();
+ if (DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT== state)
 asd->set_session_flags(APPID_SESSION_DECRYPT_MONITOR);
- }
+ // Set a do not decrypt flag, so that an event can be generated after appid processes the packet
+ else if (DataDecryptEvent::DATA_DECRYPT_DO_NOT_DECRYPT_EVENT == state)
+ asd->set_session_flags(APPID_SESSION_DO_NOT_DECRYPT);
 }
 };
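Review bot: The new comment `// Set a do not decrypt flag, so that an event can be generated after appid processes the packet` sits between the monitor branch's single statement and the `else if`, where it reads as trailing the first branch and invites a reformatter to reattach it there; move it inside the `else if` body or above the whole `if` chain. `DataDecryptEvent::DATA_DECRYPT_MONITOR_EVENT== state` is also missing the space before `==` that the sibling comparison has. Since the flag set here is consumed elsewhere in this commit, the comment would help more by naming that: `// One-shot flag: consumed by AppIdSession::publish_appid_event, which forces a publish even when no change bits are set`. The enclosing handler's signature starts outside the hunk.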
diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index 031b11134..dd14d28dc 100644
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -315,7 +315,15 @@ bool AppIdDiscovery::do_pre_discovery(Packet* p, AppIdSession*& asd, AppIdInspec
 // processing it, but can continue processing the rest of the flow since
 // AppId should have seen this packet already.
 if (p->is_retry())
+ {
+ // Publish an event, if this is the first packet after appid processing
+ if (asd->get_session_flags(APPID_SESSION_DO_NOT_DECRYPT))
+ {
+ AppidChangeBits change_bits;
+ asd->publish_appid_event(change_bits, *p);
+ }
 return false;
+ }
 if (p->ptrs.tcph and !asd->get_session_flags(APPID_SESSION_OOO))
 {
@@ -548,7 +556,7 @@ static inline bool is_check_host_cache_valid(AppIdSession& asd, AppId service_id
 bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd, IpProtocol protocol,
 AppidSessionDirection direction, AppId& service_id, AppId& client_id, AppId& payload_id)
-{
+{
 uint16_t port;
 const SfIp* ip;
@@ -576,8 +584,8 @@ bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd,
 client_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(client_id);
 asd.get_odp_ctxt().first_pkt_client_id = client_id;
 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_CLIENT_APPID_FOUND;
- }
- if (hv->protocol_appId)
+ }
+ if (hv->protocol_appId)
 {
 service_id = hv->protocol_appId;
 service_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(service_id);
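Review bot: The retry path now dereferences `asd` in `asd->get_session_flags(APPID_SESSION_DO_NOT_DECRYPT)` where the old code returned without touching it; the lines of do_pre_discovery that establish whether `asd` can still be null at this point are outside the hunk, so if a null `asd` can reach `p->is_retry()` this is a null dereference on retransmitted packets and an `asd and` guard on the condition is cheap insurance. The comment `// Publish an event, if this is the first packet after appid processing` is also misleading on this branch, which runs only for retry packets; `// A retry packet skips discovery, so flush the pending do-not-decrypt publish here` states why the publish lives on this path. Passing an empty `AppidChangeBits` relies on publish_appid_event treating the flag itself as a reason to publish, so the two sites are coupled and the comment should cross-reference that.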
@@ -586,13 +594,13 @@ bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd,
 if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_CLIENT_APPID_FOUND)
 {
 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_CLIENT_APPID_FOUND;
- }
- else
+ }
+ else
 {
 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_APPID_FOUND;
 }
 }
- if (hv->web_appId)
+ if (hv->web_appId)
 {
 payload_id = hv->web_appId;
 payload_app_name = asd.get_odp_ctxt().get_app_info_mgr().get_app_name(payload_id);
@@ -601,23 +609,23 @@ bool AppIdDiscovery::detect_on_first_pkt(Packet* p, AppIdSession& asd,
 if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_CLIENT_APPID_FOUND)
 {
 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_CLIENT_PAYLOAD_APPID_FOUND;
- }
+ }
 else if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_SERVICE_APPID_FOUND)
 {
 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_SERVICE_PAYLOAD_APPID_FOUND;
- }
+ }
 else if (asd.get_odp_ctxt().first_pkt_appid_prefix == FIRST_SERVICE_CLIENT_APPID_FOUND)
 {
 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_ALL_APPID_FOUND;
 }
- else
+ else
 {
 asd.get_odp_ctxt().first_pkt_appid_prefix = FIRST_PAYLOAD_APPID_FOUND;
 }
 }
- asd.get_odp_ctxt().need_reinspection = hv->reinspect;
+ asd.get_odp_ctxt().need_reinspection = hv->reinspect;
- switch (asd.get_odp_ctxt().first_pkt_appid_prefix)
+ switch (asd.get_odp_ctxt().first_pkt_appid_prefix)
 {
 case FIRST_PAYLOAD_APPID_FOUND :
 service_id = payload_id;
@@ -669,23 +677,23 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto
 {
 bool is_discovery_done = false;
- if (asd.session_packet_count == 1)
+ if (asd.session_packet_count == 1)
 {
 detect_on_first_pkt(p, asd, protocol, direction, service_id, client_id, payload_id);
- }
+ }
- if (asd.get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and !asd.get_odp_ctxt().need_reinspection)
+ if (asd.get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and !asd.get_odp_ctxt().need_reinspection)
 {
 is_discovery_done = true;
 asd.set_session_flags(APPID_SESSION_SERVICE_DETECTED);
- asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
+ asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
 asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
 service_id = asd.pick_service_app_id();
 client_id = asd.pick_ss_client_app_id();
 payload_id = asd.pick_ss_payload_app_id(service_id);
-
+
 return is_discovery_done;
- }
+ }
 asd.check_app_detection_restart(change_bits, tp_appid_ctxt);
@@ -895,7 +903,7 @@ void AppIdDiscovery::do_post_discovery(Packet* p, AppIdSession& asd,
 }
 if (PacketTracer::is_daq_activated())
- populate_trace_data(asd);
+ populate_trace_data(asd);
 asd.publish_appid_event(change_bits, *p);
 }
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 2c833519c..ac655792e 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -823,7 +823,7 @@ AppId AppIdSession::pick_service_app_id() const
 return tp_app_id;
 else if (odp_ctxt.first_pkt_service_id > APP_ID_NONE)
 return odp_ctxt.first_pkt_service_id;
- }
+ }
 if (client_inferred_service_id > APP_ID_NONE)
 return client_inferred_service_id;
@@ -895,8 +895,8 @@ AppId AppIdSession::pick_ss_client_app_id() const
 AppId AppIdSession::check_first_pkt_tp_payload_app_id() const
 {
- if (get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and
- (api.payload.get_id() <= APP_ID_NONE))
+ if (get_session_flags(APPID_SESSION_FIRST_PKT_CACHE_MATCHED) and
+ (api.payload.get_id() <= APP_ID_NONE))
 {
 if ((odp_ctxt.first_pkt_payload_id > APP_ID_NONE) and (tp_payload_app_id > APP_ID_NONE))
 {
@@ -939,7 +939,7 @@ AppId AppIdSession::pick_ss_payload_app_id(AppId service_id) const
 AppId first_pkt_payload_appid = check_first_pkt_tp_payload_app_id();
 if (first_pkt_payload_appid > APP_ID_NONE)
 return first_pkt_payload_appid;
-
+
 if (api.payload.get_id() > APP_ID_NONE)
 return api.payload.get_id();
@@ -1207,7 +1207,10 @@ void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packe
 api.flags.finished = true;
 }
- if (change_bits.none())
+ // Publish an event, if this is the first packet after appid processing
+ if (get_session_flags(APPID_SESSION_DO_NOT_DECRYPT))
+ clear_session_flags(APPID_SESSION_DO_NOT_DECRYPT);
+ else if (change_bits.none())
 return;
 AppidEvent app_event(change_bits, is_httpx, httpx_stream_index, api, p);
diff --git a/src/network_inspectors/appid/appid_session_api.h b/src/network_inspectors/appid/appid_session_api.h
index 31d9e7895..c516feb8f 100644
--- a/src/network_inspectors/appid/appid_session_api.h
+++ b/src/network_inspectors/appid/appid_session_api.h
@@ -92,6 +92,7 @@ namespace snort
 #define APPID_SESSION_HTTP_TUNNEL (1ULL << 43)
 #define APPID_SESSION_OPPORTUNISTIC_TLS (1ULL << 44)
 #define APPID_SESSION_FIRST_PKT_CACHE_MATCHED (1ULL << 45)
+#define APPID_SESSION_DO_NOT_DECRYPT (1ULL << 46)
 #define APPID_SESSION_IGNORE_ID_FLAGS \
 (APPID_SESSION_FUTURE_FLOW | \
 APPID_SESSION_NOT_A_SERVICE | \
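Review bot: Forcing a publish while `change_bits.none()` gives subscribers no indication of why the event fired — the AppidEvent built on the next line carries the same empty bit set as any other no-change publish, so a consumer that reads only the fields whose bits are set learns nothing about the do-not-decrypt decision; if subscribers are meant to react to it, setting a dedicated change bit before constructing the event would make it self-describing (the change-bit enum is not visible here, so I can't name the value). The flag is also consumed here, which the comment should say instead of repeating the handler's wording: `// One-shot: the do-not-decrypt flag forces a single publish even when nothing changed, then is cleared`. The same flag is read without clearing in do_pre_discovery's retry path, which only works because that path calls into this function; noting the dependency protects against a later refactor. publish_appid_event continues outside the hunk.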
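Review bot: `APPID_SESSION_DO_NOT_DECRYPT` is added without a comment, and unlike its neighbours it is transient bookkeeping — set by the data decrypt event handler and cleared by AppIdSession::publish_appid_event in this same commit — rather than a stable session property; a one-line note next to the define, such as `// transient: set on DATA_DECRYPT_DO_NOT_DECRYPT_EVENT, cleared by the next publish_appid_event`, keeps a later reader from treating it as persistent state. It is also not added to `APPID_SESSION_IGNORE_ID_FLAGS` directly below; if that omission is deliberate, the same note can say so.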