From: Mike Stepanek (mstepane) Date: Mon, 23 Jul 2018 20:03:33 +0000 (-0400) Subject: Merge pull request #1310 in SNORT/snort3 from appid_debug_fixes to master X-Git-Tag: 3.0.0-246~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eeba0d5ae216086adcabece4314da63cc90e35bc;p=thirdparty%2Fsnort3.git Merge pull request #1310 in SNORT/snort3 from appid_debug_fixes to master Squashed commit of the following: commit 32fdaf3fbf018546a775c01338960e96baf7d398 Author: Masud Hasan Date: Wed Jul 18 21:50:08 2018 -0400 appid: Fixes for TNS, eDonkey, and debug logs in Lua detectors
---
diff --git a/src/network_inspectors/appid/appid_detector.cc b/src/network_inspectors/appid/appid_detector.cc
index 2da7f5374..9913f36d0 100644
--- a/src/network_inspectors/appid/appid_detector.cc
+++ b/src/network_inspectors/appid/appid_detector.cc
@@ -106,7 +106,7 @@ const char* AppIdDetector::get_code_string(APPID_STATUS_CODE code) const
 case APPID_SUCCESS:
 return "success";
 case APPID_INPROCESS:
- return "inprocess";
+ return "in-process";
 case APPID_NEED_REASSEMBLY:
 return "need-reassembly";
 case APPID_NOT_COMPATIBLE:
@@ -124,6 +124,6 @@ const char* AppIdDetector::get_code_string(APPID_STATUS_CODE code) const
 case APPID_ENOMEM:
 return "error-memory";
 }
- return "unknown code";
+ return "unknown-code";
 }
diff --git a/src/network_inspectors/appid/appid_detector.h b/src/network_inspectors/appid/appid_detector.h
index bd8897439..105a2cf73 100644
--- a/src/network_inspectors/appid/appid_detector.h
+++ b/src/network_inspectors/appid/appid_detector.h
@@ -127,12 +127,12 @@ public:
 const std::string& get_name() const
 { return name; }
+ const std::string& get_log_name() const
+ { return log_name.empty()? name : log_name; }
+
 unsigned get_minimum_matches() const
 { return minimum_matches; }
- void set_minimum_matches(unsigned minimumMatches = 0)
- { minimum_matches = minimumMatches; }
-
 unsigned int get_precedence() const
 { return precedence; }
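Review bot: `get_log_name()` in the appid_detector.h hunk silently substitutes `name` when `log_name` is empty, and nothing at the call sites tells a reader which of the two they are looking at; a one-line comment on the getter would make the contract explicit, e.g. `// display name for debug output; falls back to the unique detector name when the package supplied none`. Both branches of the conditional are lvalues of the same type, so the returned reference binds to a member and does not dangle. Dropping the public `set_minimum_matches()` is consistent with the Lua constructors in lua_detector_api.cc now taking `min_match`, but any other caller of the setter that this diff does not show will stop compiling.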
@@ -142,21 +142,19 @@ public:
 bool is_custom_detector() const
 { return custom_detector; }
- void set_custom_detector(bool isCustom = false)
- { this->custom_detector = isCustom; }
-
 AppIdDiscovery& get_handler() const
 { return *handler; }
- bool is_client() const
- { return client; }
+ bool is_client() const
+ { return client; }
- virtual LuaStateDescriptor* validate_lua_state(bool /*packet_context*/)
- { return nullptr; }
+ virtual LuaStateDescriptor* validate_lua_state(bool /*packet_context*/)
+ { return nullptr; }
 protected:
 AppIdDiscovery* handler = nullptr;
- std::string name;
+ std::string name; // unique name to map detector; can be UUID file name for lua-detector
+ std::string log_name; // name from detector package info; can be same as 'name' for c-detector
 bool client = false;
 bool enabled = true;
 bool custom_detector = false;
diff --git a/src/network_inspectors/appid/client_plugins/client_app_tns.cc b/src/network_inspectors/appid/client_plugins/client_app_tns.cc
index 92565fc88..612279505 100644
--- a/src/network_inspectors/appid/client_plugins/client_app_tns.cc
+++ b/src/network_inspectors/appid/client_plugins/client_app_tns.cc
@@ -105,7 +105,7 @@ TnsClientDetector::TnsClientDetector(ClientDiscovery* cdm)
 tcp_patterns =
 {
- { (const uint8_t*)TNS_BANNER, TNS_BANNER_LEN, -1, 0, APP_ID_ORACLE_DATABASE },
+ { (const uint8_t*)TNS_BANNER, TNS_BANNER_LEN, 2, 0, APP_ID_ORACLE_DATABASE },
 };
 appid_registry =
diff --git a/src/network_inspectors/appid/client_plugins/client_discovery.cc b/src/network_inspectors/appid/client_plugins/client_discovery.cc
index d842a02de..cc8035eba 100644
--- a/src/network_inspectors/appid/client_plugins/client_discovery.cc
+++ b/src/network_inspectors/appid/client_plugins/client_discovery.cc
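Review bot: The new comment on `log_name` says it `can be same as 'name' for c-detector`, but nothing in this diff assigns `log_name` for the C++ detectors — only the Lua constructors in lua_detector_api.cc set it — so for them it stays empty and `get_log_name()` falls back to `name`. I would word the comment to match that: `std::string log_name; // display name from DetectorPackageInfo (lua); left empty for c-detectors, in which case get_log_name() yields 'name'`. The enclosing class starts and ends outside this hunk.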
@@ -305,8 +305,8 @@ int ClientDiscovery::exec_client_detectors(AppIdSession& asd, Packet* p, AppidSe
 AppIdDiscoveryArgs disco_args(p->data, p->dsize, direction, asd, p);
 ret = asd.client_detector->validate(disco_args);
 if (appidDebug->is_active())
- LogMessage("AppIdDbg %s %s client detector %s (%d)\n",
- appidDebug->get_debug_session(), asd.client_detector->get_name().c_str(),
+ LogMessage("AppIdDbg %s %s client detector returned %s (%d)\n",
+ appidDebug->get_debug_session(), asd.client_detector->get_log_name().c_str(),
 asd.client_detector->get_code_string((APPID_STATUS_CODE)ret), ret);
 }
 else
@@ -316,8 +316,8 @@ int ClientDiscovery::exec_client_detectors(AppIdSession& asd, Packet* p, AppidSe
 AppIdDiscoveryArgs disco_args(p->data, p->dsize, direction, asd, p);
 int result = kv->second->validate(disco_args);
 if (appidDebug->is_active())
- LogMessage("AppIdDbg %s %s client candidate %s (%d)\n",
- appidDebug->get_debug_session(), kv->second->get_name().c_str(),
+ LogMessage("AppIdDbg %s %s client candidate returned %s (%d)\n",
+ appidDebug->get_debug_session(), kv->second->get_log_name().c_str(),
 kv->second->get_code_string((APPID_STATUS_CODE)result), result);
 if (result == APPID_SUCCESS)
@@ -332,6 +332,7 @@ int ClientDiscovery::exec_client_detectors(AppIdSession& asd, Packet* p, AppidSe
 else
 ++kv;
 }
+ // FIXIT-M - Set client as detected/finished when all candidates fails/empty, US#348064
 }
 return ret;
diff --git a/src/network_inspectors/appid/lua_detector_api.cc b/src/network_inspectors/appid/lua_detector_api.cc
index e556db646..de4e9b9ed 100644
--- a/src/network_inspectors/appid/lua_detector_api.cc
+++ b/src/network_inspectors/appid/lua_detector_api.cc
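Review bot: Switching the debug line to `get_log_name()` trades uniqueness for readability: appid_detector.h documents `name` as the unique key (a UUID file name for Lua detectors) while `log_name` is whatever the package's `DetectorPackageInfo` `name` field says, and nothing here stops two packages from declaring the same one, so a collision makes the `client detector returned` line ambiguous. The same applies to the `client candidate` hunk below and to both `service detector`/`service candidate` hunks in service_discovery.cc. A cheap remedy is to print `get_name()` alongside when the two differ, or at least to record the limitation next to the `log_name` member, e.g. `// not guaranteed unique across detectors; use get_name() to disambiguate`. The body of exec_client_detectors continues outside these hunks.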
@@ -2567,21 +2567,27 @@ static inline void init_lsd(LuaStateDescriptor* lsd, const std::string& detector
 }
 LuaServiceDetector::LuaServiceDetector(AppIdDiscovery* sdm, const std::string& detector_name,
- IpProtocol protocol)
+ const std::string& logging_name, bool is_custom, unsigned min_match, IpProtocol protocol)
 {
 handler = sdm;
 name = detector_name;
+ log_name = logging_name;
+ custom_detector = is_custom;
+ minimum_matches = min_match;
 proto = protocol;
 handler->register_detector(name, this, proto);
 }
 LuaServiceObject::LuaServiceObject(AppIdDiscovery* sdm, const std::string& detector_name,
- IpProtocol protocol, lua_State* L)
+ const std::string& log_name, bool is_custom, IpProtocol protocol, lua_State* L)
 {
+ init_lsd(&lsd, detector_name, L);
+
 if (init(L))
 {
- sd = new LuaServiceDetector(sdm,detector_name,protocol);
+ sd = new LuaServiceDetector(sdm, detector_name,
+ log_name, is_custom, lsd.package_info.minimum_matches, protocol);
 }
 else
 {
@@ -2605,7 +2611,6 @@ LuaServiceObject::LuaServiceObject(AppIdDiscovery* sdm, const std::string& detec
 sd = (ServiceDetector*)ad;
 }
- init_lsd(&lsd, detector_name, L);
 UserData::push(L, DETECTOR, this);
 lua_pushvalue(L, -1);
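Review bot: The parameter added to `LuaServiceDetector::LuaServiceDetector` is named `logging_name` in this definition but `log_name` in its declaration in lua_detector_api.h, so the two signatures disagree on the name of the same parameter; the `LuaClientDetector` constructor in the next hunk group has the identical mismatch. Presumably `logging_name` was picked to avoid shadowing the `log_name` member; either rename the declarations to `logging_name` as well, or keep `log_name` in both and write `this->log_name = log_name;` in the body, so a reader of the header and of the definition see the same name. Moving `init_lsd()` ahead of `init(L)` is what makes `lsd.package_info.minimum_matches` valid when it is passed to the detector constructor; a one-line comment such as `// populate lsd first: package_info is read below` would keep a future cleanup from moving it back.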
@@ -2633,20 +2638,26 @@ int LuaServiceDetector::validate(AppIdDiscoveryArgs& args)
 }
 LuaClientDetector::LuaClientDetector(AppIdDiscovery* cdm, const std::string& detector_name,
- IpProtocol protocol)
+ const std::string& logging_name, bool is_custom, unsigned min_match, IpProtocol protocol)
 {
 handler = cdm;
 name = detector_name;
+ log_name = logging_name;
+ custom_detector = is_custom;
+ minimum_matches = min_match;
 proto = protocol;
 handler->register_detector(name, this, proto);
 }
 LuaClientObject::LuaClientObject(AppIdDiscovery* cdm, const std::string& detector_name,
- IpProtocol protocol, lua_State* L)
+ const std::string& log_name, bool is_custom, IpProtocol protocol, lua_State* L)
 {
+ init_lsd(&lsd, detector_name, L);
+
 if (init(L))
 {
- cd = new LuaClientDetector(cdm, detector_name, protocol);
+ cd = new LuaClientDetector(cdm, detector_name,
+ log_name, is_custom, lsd.package_info.minimum_matches, protocol);
 }
 else
 {
@@ -2670,7 +2681,6 @@ LuaClientObject::LuaClientObject(AppIdDiscovery* cdm, const std::string& detecto
 cd = (ClientDetector*)ad;
 }
- init_lsd(&lsd, detector_name, L);
 UserData::push(L, DETECTOR, this);
 lua_pushvalue(L, -1);
diff --git a/src/network_inspectors/appid/lua_detector_api.h b/src/network_inspectors/appid/lua_detector_api.h
index cabe60533..8b41df110 100644
--- a/src/network_inspectors/appid/lua_detector_api.h
+++ b/src/network_inspectors/appid/lua_detector_api.h
@@ -88,16 +88,17 @@ public:
 class LuaServiceDetector : public ServiceDetector
 {
 public:
- LuaServiceDetector(AppIdDiscovery* sdm, const std::string& detector_name, IpProtocol protocol);
+ LuaServiceDetector(AppIdDiscovery* sdm, const std::string& detector_name,
+ const std::string& log_name, bool is_custom, unsigned min_match, IpProtocol protocol);
 int validate(AppIdDiscoveryArgs&) override;
 };
 class LuaClientDetector : public ClientDetector
 {
 public:
- LuaClientDetector(AppIdDiscovery* cdm, const std::string& detector_name, IpProtocol protocol);
+ LuaClientDetector(AppIdDiscovery* cdm, const std::string& detector_name,
+ const std::string& log_name, bool is_custom, unsigned min_match, IpProtocol protocol);
 int validate(AppIdDiscoveryArgs&) override;
-
 };
@@ -120,8 +121,8 @@ class LuaServiceObject: public LuaObject
 {
 public:
 ServiceDetector* sd;
- LuaServiceObject(AppIdDiscovery* cdm, const std::string& detector_name, IpProtocol protocol,
- lua_State* L);
+ LuaServiceObject(AppIdDiscovery* sdm, const std::string& detector_name,
+ const std::string& log_name, bool is_custom, IpProtocol protocol, lua_State* L);
 ServiceDetector* get_detector() { return sd; }
 };
@@ -130,8 +131,8 @@ class LuaClientObject : public LuaObject
 {
 public:
 ClientDetector* cd;
- LuaClientObject(AppIdDiscovery* cdm, const std::string& detector_name, IpProtocol protocol,
- lua_State* L);
+ LuaClientObject(AppIdDiscovery* cdm, const std::string& detector_name,
+ const std::string& log_name, bool is_custom, IpProtocol protocol, lua_State* L);
 ClientDetector* get_detector() { return cd; }
 };
diff --git a/src/network_inspectors/appid/lua_detector_module.cc b/src/network_inspectors/appid/lua_detector_module.cc
index 80a1af94b..a816fdee4 100644
--- a/src/network_inspectors/appid/lua_detector_module.cc
+++ b/src/network_inspectors/appid/lua_detector_module.cc
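Review bot: The new constructor parameters `log_name`, `is_custom` and `min_match` are undocumented in the header, and `min_match` in particular only makes sense together with the `lsd.package_info.minimum_matches` value that lua_detector_api.cc feeds it. A short comment above the two detector constructors would help, along the lines of `// log_name and min_match are taken from the detector package's DetectorPackageInfo; is_custom presumably marks a non-bundled detector — confirm`, with the same note on the `LuaServiceObject`/`LuaClientObject` constructors that forward them. The rename of the first `LuaServiceObject` parameter from `cdm` to `sdm` matches its definition and is an improvement.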
@@ -285,30 +285,30 @@ static inline uint32_t compute_lua_tracker_size(uint64_t rnaMemory, uint32_t num
 }
 // Leaves 1 value (the Detector userdata) at the top of the stack when succeeds
-static LuaObject* create_lua_detector(lua_State* L, const char* detectorName, bool is_custom)
+static LuaObject* create_lua_detector(lua_State* L, const char* detector_name, bool is_custom)
 {
- std::string detector_name;
+ std::string log_name;
 IpProtocol proto = IpProtocol::PROTO_NOT_SET;
 Lua::ManageStack mgr(L);
- lua_getfield(L, LUA_REGISTRYINDEX, detectorName);
+ lua_getfield(L, LUA_REGISTRYINDEX, detector_name);
 lua_getfield(L, -1, "DetectorPackageInfo");
 if (!lua_istable(L, -1))
 {
 if (init(L)) // for control thread only
 ErrorMessage("Error - appid: can not read DetectorPackageInfo table from %s\n",
- detectorName);
+ detector_name);
 if (!lua_isnil(L, -1)) // pop DetectorPackageInfo index if it was pushed
 lua_pop(L, 1);
 return nullptr;
 }
- if (!get_lua_field(L, -1, "name", detector_name))
+ if (!get_lua_field(L, -1, "name", log_name))
 {
 if (init(L))
 ErrorMessage("Error - appid: can not read DetectorPackageInfo field 'name' from %s\n",
- detectorName);
+ detector_name);
 lua_pop(L, 1);
 return nullptr;
 }
@@ -317,7 +317,7 @@ static LuaObject* create_lua_detector(lua_State* L, const char* detectorName, bo
 {
 if (init(L))
 ErrorMessage("Error - appid: can not read DetectorPackageInfo field 'proto' from %s\n",
- detectorName);
+ detector_name);
 lua_pop(L, 1);
 return nullptr;
 }
@@ -325,10 +325,8 @@ static LuaObject* create_lua_detector(lua_State* L, const char* detectorName, bo
 lua_getfield(L, -1, "client");
 if ( lua_istable(L, -1) )
 {
- LuaClientObject* lco = new LuaClientObject(&ClientDiscovery::get_instance(),
- detectorName, proto, L);
- lco->cd->set_custom_detector(is_custom);
- return lco;
+ return new LuaClientObject(&ClientDiscovery::get_instance(),
+ detector_name, log_name, is_custom, proto, L);
 }
 else
 {
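Review bot: `log_name` is read from the package's `name` field by `get_lua_field(L, -1, "name", log_name)` with no length or character check and then, through `get_log_name()`, printed verbatim with `%s` into the one-record-per-line AppIdDbg output in client_discovery.cc and service_discovery.cc, so a value containing `\r` or `\n` would break the line structure of that log. Detector packages are operator-supplied, which limits the exposure, but since `log_name` is display-only the check is cheap: right after the field is read, `if (log_name.find_first_of("\r\n") != std::string::npos) log_name.clear();` makes `get_log_name()` fall back to the unique `detector_name` instead. The rest of create_lua_detector continues in the following hunks and past this chunk.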
@@ -337,14 +335,12 @@ static LuaObject* create_lua_detector(lua_State* L, const char* detectorName, bo
 lua_getfield(L, -1, "server");
 if ( lua_istable(L, -1) )
 {
- LuaServiceObject* lso = new LuaServiceObject(&ServiceDiscovery::get_instance(),
- detectorName, proto, L);
- lso->sd->set_custom_detector(is_custom);
- return lso;
+ return new LuaServiceObject(&ServiceDiscovery::get_instance(),
+ detector_name, log_name, is_custom, proto, L);
 }
 else if (init(L))
 ErrorMessage("Error - appid: can not read DetectorPackageInfo field"
- " 'client' or 'server' from %s\n", detectorName);
+ " 'client' or 'server' from %s\n", detector_name);
 lua_pop(L, 1); // pop server table
 }
diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc
index 3bb5b370c..1b27be301 100644
--- a/src/network_inspectors/appid/service_plugins/service_discovery.cc
+++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc
@@ -483,8 +483,8 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p, AppidSessio
 got_incompatible_service = true;
 asd.service_search_state = SESSION_SERVICE_SEARCH_STATE::PENDING;
 if (appidDebug->is_active())
- LogMessage("AppIdDbg %s %s service detector %s (%d)\n",
- appidDebug->get_debug_session(), asd.service_detector->get_name().c_str(),
+ LogMessage("AppIdDbg %s %s service detector returned %s (%d)\n",
+ appidDebug->get_debug_session(), asd.service_detector->get_log_name().c_str(),
 asd.service_detector->get_code_string((APPID_STATUS_CODE)ret), ret);
 }
 /* Try to find detectors based on ports and patterns. */
@@ -508,8 +508,8 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p, AppidSessio
 result = service->validate(args);
 if ( appidDebug->is_active() )
- LogMessage("AppIdDbg %s %s service candidate %s (%d)\n",
- appidDebug->get_debug_session(), service->get_name().c_str(),
+ LogMessage("AppIdDbg %s %s service candidate returned %s (%d)\n",
+ appidDebug->get_debug_session(), service->get_log_name().c_str(),
 service->get_code_string((APPID_STATUS_CODE)result), result);
 if ( result == APPID_SUCCESS )
diff --git a/src/network_inspectors/appid/test/appid_detector_test.cc b/src/network_inspectors/appid/test/appid_detector_test.cc
index 49cdade67..a423b38a4 100644
--- a/src/network_inspectors/appid/test/appid_detector_test.cc
+++ b/src/network_inspectors/appid/test/appid_detector_test.cc
@@ -95,7 +95,7 @@ TEST(appid_detector_tests, get_code_string)
 {
 AppIdDetector* ad = new TestDetector;
 STRCMP_EQUAL(ad->get_code_string(APPID_SUCCESS), "success");
- STRCMP_EQUAL(ad->get_code_string(APPID_INPROCESS), "inprocess");
+ STRCMP_EQUAL(ad->get_code_string(APPID_INPROCESS), "in-process");
 STRCMP_EQUAL(ad->get_code_string(APPID_NEED_REASSEMBLY), "need-reassembly");
 STRCMP_EQUAL(ad->get_code_string(APPID_NOT_COMPATIBLE), "not-compatible");
 STRCMP_EQUAL(ad->get_code_string(APPID_INVALID_CLIENT), "invalid-client");
@@ -105,7 +105,7 @@ TEST(appid_detector_tests, get_code_string)
 STRCMP_EQUAL(ad->get_code_string(APPID_EINVALID), "error-invalid");
 STRCMP_EQUAL(ad->get_code_string(APPID_ENOMEM), "error-memory");
 STRCMP_EQUAL(ad->get_code_string(APPID_SUCCESS), "success");
- STRCMP_EQUAL(ad->get_code_string((APPID_STATUS_CODE)123), "unknown code");
+ STRCMP_EQUAL(ad->get_code_string((APPID_STATUS_CODE)123), "unknown-code");
 delete ad;
 }
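Review bot: The test changes only track the renamed status strings; nothing exercises the new `get_log_name()` fallback from appid_detector.h, which is the behaviour every AppIdDbg line in this commit now depends on. One assertion next to the existing ones would pin it, e.g. `STRCMP_EQUAL(ad->get_log_name().c_str(), ad->get_name().c_str());` for a detector whose package name was never set — assuming `TestDetector` leaves `log_name` empty, which this diff does not show. Likewise, the `min_match` value now routed through the `LuaServiceDetector`/`LuaClientDetector` constructors into `get_minimum_matches()` has no test, if those classes can be constructed in this harness.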