From: Masud Hasan (mashasan)
Date: Mon, 6 Jun 2022 20:46:46 +0000 (+0000)
Subject: Pull request #3456: appid: config for logging eve process to client mappings
X-Git-Tag: 3.1.32.0~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc84ef2a592134762394e9e7e857a08fa21821aa;p=thirdparty%2Fsnort3.git

Pull request #3456: appid: config for logging eve process to client mappings

Merge in SNORT/snort3 from ~SATHIRKA/snort3:eve_process_client_mapping_log to master

Squashed commit of the following:

commit d30d6a49e5e64f14b96d461eb9d284ebf6d9a2ce
Author: Sreeja Athirkandathil Narayanan
Date: Fri Jun 3 15:02:36 2022 -0400

appid: config for logging eve process to client mappings
---

diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h
index 1573fd500..4aaffcffd 100644
--- a/src/network_inspectors/appid/appid_config.h
+++ b/src/network_inspectors/appid/appid_config.h
@@ -83,6 +83,7 @@ public:
 // indicate the first packet from where the flow is decrypted (usually immediately
 // after certificate-exchange). Such manual detection is disabled by default (0).
 uint32_t first_decrypted_packet_debug = 0;
+ bool log_eve_process_client_mappings = false;
 #endif
 bool log_stats = false;
 uint32_t app_stats_period = 300;
diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc
index aba51255d..46b59b3e2 100644
--- a/src/network_inspectors/appid/appid_module.cc
+++ b/src/network_inspectors/appid/appid_module.cc
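Review bot: The new `log_eve_process_client_mappings` member is added without a comment, while the neighbouring `first_decrypted_packet_debug` above it documents what it controls and its default. Since the only use in this change is to gate the "Adding EVE Client App pattern" LogMessage in eve_ca_patterns.cc, and the field sits inside the REG_TEST block closed by the `#endif` below it, add `// REG_TEST only: log each EVE client-app pattern as it is added to the matcher (default off)` above the new line. The enclosing class continues outside the hunk.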
@@ -69,6 +69,8 @@ static const Parameter s_params[] =
 #ifdef REG_TEST
 { "first_decrypted_packet_debug", Parameter::PT_INT, "0:max32", "0",
 "the first packet of an already decrypted SSL flow (debug single session only)" },
+ { "log_eve_process_client_mappings", Parameter::PT_BOOL, nullptr, "false",
+ "enable logging of encrypted visibility engine process to client mappings" },
 #endif
 { "memcap", Parameter::PT_INT, "1024:maxSZ", "1048576",
 "max size of the service cache before we start pruning the cache" },
@@ -476,6 +478,8 @@ bool AppIdModule::set(const char*, Value& v, SnortConfig*)
 #ifdef REG_TEST
 if ( v.is("first_decrypted_packet_debug") )
 config->first_decrypted_packet_debug = v.get_uint32();
+ else if ( v.is("log_eve_process_client_mappings") )
+ config->log_eve_process_client_mappings = v.get_bool();
 else
 #endif
 if ( v.is("memcap") )
diff --git a/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc b/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc
index 0a68935d3..3ff4d5e4d 100644
--- a/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc
+++ b/src/network_inspectors/appid/client_plugins/eve_ca_patterns.cc
@@ -27,8 +27,10 @@
 #include
 
 #include "log/messages.h"
+#include "managers/inspector_manager.h"
 #include "utils/util.h"
 #include "appid_debug.h"
+#include "appid_inspector.h"
 
 using namespace snort;
 using namespace std;
@@ -108,6 +110,9 @@ void EveCaPatternMatchers::finalize_patterns()
 eve_ca_pattern_matcher.add(p->pattern.data(), p->pattern.size(), p, true);
 
 #ifdef REG_TEST
+ AppIdInspector* inspector =
+ (AppIdInspector*) InspectorManager::get_inspector(MOD_NAME, true);
+ if (inspector and inspector->get_ctxt().config.log_eve_process_client_mappings)
 LogMessage("Adding EVE Client App pattern %d %s %d\n", p->app_id,
 p->pattern.c_str(), p->confidence);
 #endif
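Review bot: `InspectorManager::get_inspector(MOD_NAME, true)` is re-evaluated for every pattern: the `p->` accesses around the new lines indicate they sit inside the per-pattern loop of `finalize_patterns()`, whose header is outside the hunk, so the inspector lookup and the flag read belong above the loop as a single `const bool log_mappings = inspector and inspector->get_ctxt().config.log_eve_process_client_mappings;`, with only `if (log_mappings)` tested per iteration. The C-style cast should also be a named cast, `static_cast<AppIdInspector*>(InspectorManager::get_inspector(MOD_NAME, true))`, assuming AppIdInspector derives from the `Inspector` that `get_inspector()` returns. The `LogMessage` line now guarded by the `if` keeps its old indentation, which reads as if it were unconditional; reindent it under the condition.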
diff --git a/src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc b/src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc
index a47d9a8d3..1304d1b6b 100644
--- a/src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc
+++ b/src/network_inspectors/appid/client_plugins/test/eve_ca_patterns_test.cc
@@ -23,6 +23,7 @@
 #endif
 
 #include "client_plugins/eve_ca_patterns.cc"
+#include "appid_inspector.h"
 #include "client_plugins_mock.h"
 
 #include
@@ -42,6 +43,14 @@ int SearchTool::find_all(const char* pattern, unsigned, MpseMatch, bool, void* d
 }
 }
 
+Inspector* InspectorManager::get_inspector(char const*, bool, const snort::SnortConfig*)
+{
+ return nullptr;
+}
+
+AppIdContext* ctxt;
+AppIdContext& AppIdInspector::get_ctxt() const { return *ctxt; }
+
 TEST_GROUP(eve_ca_patterns_tests)
 {
 void setup() override
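Review bot: `ctxt` is a mutable global with external linkage that is only zero-initialised, and the `get_ctxt()` stub dereferences it unconditionally; because the `get_inspector` stub returns `nullptr`, the `inspector and ...` guard in `finalize_patterns()` short-circuits, so `get_ctxt()` is never reached and the flag-enabled logging path gets no coverage from these tests. Make the state explicit with `static AppIdContext* ctxt = nullptr;` and add `// get_inspector() stub returns nullptr, so get_ctxt() is never reached here` so the next reader knows the null dereference is intentionally unreachable. If the enabled path is meant to be tested, a case that points `ctxt` at a context with `log_eve_process_client_mappings = true` and a non-null inspector stub would be needed.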