From: Shravan Rangarajuvenkata (shrarang)
Date: Mon, 3 Jun 2019 20:06:02 +0000 (-0400)
Subject: Merge pull request #1620 in SNORT/snort3 from ~SATHIRKA/snort3:icmp_bruteforce to...
X-Git-Tag: 3.0.0-257~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fddde145b138fd1e998253502fd44c057562b169;p=thirdparty%2Fsnort3.git
Merge pull request #1620 in SNORT/snort3 from ~SATHIRKA/snort3:icmp_bruteforce to master
Squashed commit of the following:
commit d6298c44470c752ccdbd2abd098814e7b36a27e5
Author: Sreeja Athirkandathil Narayanan
Date: Thu May 23 14:24:42 2019 -0400
appid: Protocol based detection for non-TCP non-UDP traffic.
---
diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc
index da2f6a5b0..93dbadee0 100644
--- a/src/network_inspectors/appid/appid_config.cc
+++ b/src/network_inspectors/appid/appid_config.cc
@@ -818,14 +818,17 @@ AppId AppIdConfig::get_port_service_id(IpProtocol proto, uint16_t port)
 if (proto == IpProtocol::TCP)
 appId = tcp_port_only[port];
- else if (proto == IpProtocol::UDP)
- appId = udp_port_only[port];
 else
- appId = ip_protocol[(uint16_t)proto];
+ appId = udp_port_only[port];
 return appId;
 }
+AppId AppIdConfig::get_protocol_service_id(IpProtocol proto)
+{
+ return ip_protocol[(uint16_t)proto];
+}
+
 static void display_port_exclusion_list(SF_LIST* pe_list, uint16_t port)
 {
 char inet_buffer[INET6_ADDRSTRLEN];
diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h
index 2b53688da..0d4595046 100644
--- a/src/network_inspectors/appid/appid_config.h
+++ b/src/network_inspectors/appid/appid_config.h
@@ -117,6 +117,7 @@ public:
 void show();
 void set_safe_search_enforcement(bool enabled);
 AppId get_port_service_id(IpProtocol, uint16_t port);
+ AppId get_protocol_service_id(IpProtocol);
 unsigned max_service_info = 0;
 #ifdef USE_RNA_CONFIG
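Review bot: The rewritten `else` in get_port_service_id now sends every non-TCP protocol to `udp_port_only[port]`, so any caller that still passes an ICMP or other non-TCP/UDP protocol with a port (the comment removed from appid_discovery.cc suggests such callers existed) silently gets a UDP port mapping instead of the protocol table it used to get. Keeping the check explicit, `else if (proto == IpProtocol::UDP)` with `appId = udp_port_only[port];`, leaves appId at its initial value for other protocols and makes the new split between the two lookups visible at the call site. In the new get_protocol_service_id, `(uint16_t)proto` should be `static_cast<uint16_t>(proto)`, and the index is only safe if `ip_protocol` is sized to cover every IpProtocol value, which is not visible in this hunk — worth a comment on the array or an assert here. The surrounding function starts before the hunk, so appId's initial value is not shown.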
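Review bot: The new declaration `AppId get_protocol_service_id(IpProtocol);` in appid_config.h has no comment explaining how it differs from the adjacent port-based lookup, which matters now that the port lookup no longer consults the protocol table. A one-line comment such as `// Service AppId configured for a whole IP protocol (non-TCP/UDP traffic); the port tables are not consulted` would document the split for future callers. The class body continues outside the hunk.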
diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc
index 90d971910..aae4e48f7 100644
--- a/src/network_inspectors/appid/appid_discovery.cc
+++ b/src/network_inspectors/appid/appid_discovery.cc
@@ -147,7 +147,7 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect
 if ( !do_pre_discovery(p, &asd, inspector, protocol, direction) )
 return;
- AppId service_id;
+ AppId service_id = APP_ID_NONE;
 AppidChangeBits change_bits;
 bool is_discovery_done = do_discovery(p, *asd, protocol, direction, service_id, change_bits);
@@ -870,6 +870,30 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto
 asd.check_app_detection_restart(change_bits);
+ if (protocol != IpProtocol::TCP and protocol != IpProtocol::UDP)
+ {
+ if ( !asd.get_session_flags(APPID_SESSION_PORT_SERVICE_DONE) )
+ {
+ AppId id = asd.config->get_protocol_service_id(protocol);
+ if (id > APP_ID_NONE)
+ {
+ asd.service.set_port_service_id(id);
+ service_id = id;
+ asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
+ if (appidDebug->is_active())
+ {
+ const char *app_name = AppInfoManager::get_instance().get_app_name(asd.service.get_port_service_id());
+ LogMessage("AppIdDbg %s Protocol service %s (%d) from protocol\n",
+ appidDebug->get_debug_session(), app_name ? app_name : "unknown", asd.service.get_port_service_id());
+ }
+ }
+ asd.set_session_flags(APPID_SESSION_PORT_SERVICE_DONE);
+ }
+ else
+ service_id = asd.pick_service_app_id();
+ return true;
+ }
+
 // Third party detection
 #ifdef ENABLE_APPID_THIRD_PARTY
 if ( TPLibHandler::have_tp() )
@@ -892,7 +916,6 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto
 if (direction != APP_ID_FROM_RESPONDER)
 break;
 // fallthrough
- // All protocols other than TCP and UDP come straight here.
 default:
 {
 AppId id = asd.config->get_port_service_id(protocol, p->ptrs.sp);
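Review bot: The early `return true;` in the new non-TCP/UDP block exits do_discovery before the `// Third party detection` section and the port-based `default:` case that previously handled these protocols, and on the first packet with no configured protocol service it leaves `service_id` untouched and `service_disco_state` unchanged while still setting APPID_SESSION_PORT_SERVICE_DONE, so later packets take the `pick_service_app_id()` path with nothing ever recorded. If skipping third-party detection for these sessions is intended, a comment at the top of the block would save the next reader from treating it as a regression, e.g. `// Non-TCP/UDP sessions are classified by IP protocol only; third-party and port-based detection below never run for them`. The debug branch also re-reads `asd.service.get_port_service_id()` twice where `id` is already in hand; using `id` in both places is simpler and avoids depending on the setter's storage. The function begins and ends outside this hunk, so the return value's meaning to the caller is not visible here.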
diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc
index 60a1aa039..c5cea991a 100644
--- a/src/network_inspectors/appid/test/appid_discovery_test.cc
+++ b/src/network_inspectors/appid/test/appid_discovery_test.cc
@@ -146,6 +146,11 @@ AppId AppIdConfig::get_port_service_id(IpProtocol, uint16_t)
 return APP_ID_NONE;
 }
+AppId AppIdConfig::get_protocol_service_id(IpProtocol)
+{
+ return APP_ID_NONE;
+}
+
 // Stubs for AppIdInspector
 AppIdInspector::AppIdInspector(AppIdModule&) {}
 AppIdInspector::~AppIdInspector() = default;
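Review bot: The new stub pins get_protocol_service_id to APP_ID_NONE, so any test in this file that drives do_discovery with a non-TCP/UDP protocol can only reach the negative branch of the new block and never the `id > APP_ID_NONE` path that sets the port service id and finishes discovery. A file-scope variable returned by the stub, for example `static AppId protocol_service_id = APP_ID_NONE;` with `return protocol_service_id;`, would let a test cover both branches; whether such a test exists is not visible in this hunk.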