From: Lukasz Czarnik -X (lczarnik - SOFTSERVE INC at Cisco) Date: Wed, 5 Jul 2023 14:16:25 +0000 (+0000) Subject: Pull request #3879: appid: fix for opportunistic tls detected as ssl X-Git-Tag: 3.1.66.0~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fca72f9cb92f0834185d1e920906112fb275f0de;p=thirdparty%2Fsnort3.git Pull request #3879: appid: fix for opportunistic tls detected as ssl Merge in SNORT/snort3 from ~LCZARNIK/snort3:appid_imaps to master Squashed commit of the following: commit 50fc3462f4f62ad0039e21ff8a103dc80fd65311 Author: Lukasz Czarnik Date: Wed Jun 7 10:53:33 2023 -0400 appid: fix for opportunistic tls detected as ssl
---
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 9f4da772a..b89aa8fc1 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
@@ -713,6 +713,11 @@ public:
 return cip_msp;
 }
+ inline bool is_encrypted_oportunistic_tls_session()
+ {
+ return get_session_flags(APPID_SESSION_OPPORTUNISTIC_TLS) and !flow->flags.data_decrypted;
+ }
+
 private:
 uint16_t prev_httpx_raw_packet = 0;
diff --git a/src/network_inspectors/appid/client_plugins/client_discovery.cc b/src/network_inspectors/appid/client_plugins/client_discovery.cc
index 003f6ab4f..a69b8cb18 100644
--- a/src/network_inspectors/appid/client_plugins/client_discovery.cc
+++ b/src/network_inspectors/appid/client_plugins/client_discovery.cc
@@ -333,6 +333,13 @@ bool ClientDiscovery::do_client_discovery(AppIdSession& asd, Packet* p,
 }
 }
+ if (asd.is_encrypted_oportunistic_tls_session() and asd.encrypted.client_id > 0)
+ {
+ asd.set_client_id(asd.encrypted.client_id);
+ asd.set_client_detected();
+ asd.client_disco_state = APPID_DISCO_STATE_FINISHED;
+ }
+
 if (asd.client_disco_state == APPID_DISCO_STATE_STATEFUL)
 {
 if (asd.client_candidates.empty() and tp_app_id > APP_ID_NONE and
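Review bot: The new accessor's name is misspelled — `is_encrypted_oportunistic_tls_session` should be `is_encrypted_opportunistic_tls_session`, matching the `APPID_SESSION_OPPORTUNISTIC_TLS` flag it reads; the callers added in client_discovery.cc and service_discovery.cc use the same spelling and would need the same rename. The method does not modify the session, so it can also be declared `const`, provided `get_session_flags()` is const (not visible in this hunk). A one-line comment would spare readers a trip to the flag definitions: `// opportunistic-TLS session whose payload has not been decrypted (flow->flags.data_decrypted unset)`.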
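Review bot: The new guard compares `asd.encrypted.client_id > 0` against a literal while the context line just below compares `tp_app_id > APP_ID_NONE`; write `asd.encrypted.client_id > APP_ID_NONE` so the "no app" sentinel is spelled the same way throughout the function, and likewise `asd.encrypted.service_id > APP_ID_NONE` in the service_discovery.cc hunk. The block also sits before the `APPID_DISCO_STATE_STATEFUL` check with no state guard of its own, so on every later packet of such a session it would re-assign the client id and call `set_client_detected()` again; if do_client_discovery returns earlier for finished sessions this is harmless, otherwise guarding on `asd.client_disco_state != APPID_DISCO_STATE_FINISHED` would avoid the repeated writes. do_client_discovery starts and ends outside the hunk.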
diff --git a/src/network_inspectors/appid/detector_plugins/detector_imap.cc b/src/network_inspectors/appid/detector_plugins/detector_imap.cc
index c31a0361b..3abc62ef4 100644
--- a/src/network_inspectors/appid/detector_plugins/detector_imap.cc
+++ b/src/network_inspectors/appid/detector_plugins/detector_imap.cc
@@ -425,7 +425,7 @@ static int imap_server_validate(ImapDetectorData* dd, const uint8_t* data, uint1
 if (id->flags & IMAP_FLAG_RESULT_OK)
 {
 // FIXIT-L - this may be called from server side
- //add_app(asd, APP_ID_IMAPS, APP_ID_IMAPS, nullptr);
+ detector->add_app(asd, APP_ID_IMAPS, APP_ID_IMAPS, nullptr, change_bits);
 asd.clear_session_flags(APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
 }
 else
diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc
index 797bd25e6..65bf6820a 100644
--- a/src/network_inspectors/appid/service_plugins/service_discovery.cc
+++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc
@@ -637,6 +637,12 @@ bool ServiceDiscovery::do_service_discovery(AppIdSession& asd, Packet* p,
 }
 }
+ if (asd.is_encrypted_oportunistic_tls_session() and asd.encrypted.service_id > 0)
+ {
+ asd.set_service_id(asd.encrypted.service_id, asd.get_odp_ctxt());
+ asd.stop_service_inspection(p, direction);
+ }
+
 //stop inspection as soon as tp has classified a valid AppId later in the session
 if ( tp_app_id > APP_ID_NONE and
 asd.service_disco_state == APPID_DISCO_STATE_STATEFUL and
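Review bot: The `// FIXIT-L - this may be called from server side` comment was written for the disabled call beneath it and now reads as an open caveat above live code; since `imap_server_validate` is by name the server-side validator, the comment should either say that `add_app()` is intentionally invoked from the server direction and why that is acceptable, or be dropped. Something like `// add_app() is deliberately called from the server-side validator once the OK result is seen` would record the intent. Only `IMAP_FLAG_RESULT_OK` is tested here; whether that OK is specifically the reply to a STARTTLS command is decided earlier in the validator and is not visible in the hunk. imap_server_validate starts and ends outside the hunk.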
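Review bot: The new block stops service inspection as soon as the opportunistic-TLS flag is set and the flow has not been decrypted, but nothing in the hunk establishes that a TLS handshake was actually observed; if `APPID_SESSION_OPPORTUNISTIC_TLS` can be set on the STARTTLS exchange alone (it is set elsewhere, not visible here), a peer that keeps talking in cleartext afterwards would carry the `encrypted.service_id` label with inspection already stopped. A comment naming the precondition the code relies on would make this auditable, e.g. `// precondition: APPID_SESSION_OPPORTUNISTIC_TLS is set only once the TLS handshake has been seen` — please confirm that holds before relying on it. Unlike the client_discovery.cc counterpart, this path calls `stop_service_inspection(p, direction)` instead of assigning the disco state directly, which is fine if that is the established idiom in this file. do_service_discovery starts and ends outside the hunk.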