From 9037b321df332e0a2642e34dac1f63455fa4e048 Mon Sep 17 00:00:00 2001
From: Michael Matirko
Date: Mon, 25 Jul 2022 11:51:17 -0400
Subject: [PATCH] netflow: pass a flag if the initiator and responder were swapped

---
 src/network_inspectors/rna/rna_pnd.cc     | 10 +++++++++-
 src/pub_sub/netflow_event.h               |  8 ++++++--
 src/service_inspectors/netflow/netflow.cc | 10 +++++++++-
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/network_inspectors/rna/rna_pnd.cc b/src/network_inspectors/rna/rna_pnd.cc
index c9e0ff2ff..0d5458504 100644
--- a/src/network_inspectors/rna/rna_pnd.cc
+++ b/src/network_inspectors/rna/rna_pnd.cc
@@ -254,14 +254,22 @@ void RnaPnd::analyze_netflow_service(NetFlowEvent* nfe)
     const auto& src_ip = nfe->get_record()->initiator_ip;
     const auto& mac_addr = layer::get_eth_layer(p)->ether_src;
     uint32_t service = nfe->get_service_id();
-    uint16_t port = nfe->get_record()->responder_port;
+    uint16_t port = 0;
     IpProtocol proto = (IpProtocol) nfe->get_record()->proto;
 
+    if (nfe->is_initiator_swapped())
+        port = nfe->get_record()->initiator_port;
+    else
+        port = nfe->get_record()->responder_port;
+
     auto ht = find_or_create_host_tracker(src_ip, new_host);
     ht->update_last_seen();
 
     bool is_new = false;
     auto ha = ht->add_service(port, proto, (uint32_t) packet_time(), is_new, service);
+
+    ht->update_service_info(ha, nullptr, nullptr, conf->max_host_service_info);
+
     if ( is_new )
     {
         if ( proto == IpProtocol::TCP )
diff --git a/src/pub_sub/netflow_event.h b/src/pub_sub/netflow_event.h
index 82aa60158..4be64a503 100644
--- a/src/pub_sub/netflow_event.h
+++ b/src/pub_sub/netflow_event.h
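Review bot: The swapped branch takes the port from the initiator side, but the host tracker is keyed on `src_ip = initiator_ip` in both branches (the context line at the top of the hunk), so the non-swapped case still records a service on `responder_port` against the initiator's host while the swapped case records `initiator_port` against that same address; if that asymmetry is intentional it deserves a comment on the `if`, otherwise the address should follow the same side as the port. The new `ht->update_service_info(ha, nullptr, nullptr, conf->max_host_service_info)` call is not mentioned in the subject line and uses `ha` without checking what `add_service` returned — a one-line comment on why it is needed here, and a guard if `ha` can be null, would help the next reader. A smaller style point: `port` no longer needs a zero initialiser and a reassignment, `const uint16_t port = nfe->is_initiator_swapped() ? nfe->get_record()->initiator_port : nfe->get_record()->responder_port;` expresses the same choice. `analyze_netflow_service` starts and ends outside the hunk.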
@@ -32,9 +32,9 @@ class NetFlowEvent : public DataEvent
 {
 public:
     NetFlowEvent(const snort::Packet* p, const NetFlowSessionRecord* rec,
-        bool cre_host, bool cre_serv, uint32_t s_id)
+        bool cre_host, bool cre_serv, bool swp_initiator, uint32_t s_id)
         : pkt(p), record(rec), create_host(cre_host),
-        create_service(cre_serv), serviceID(s_id) { }
+        create_service(cre_serv), swapped(swp_initiator), serviceID(s_id) { }
 
     const Packet* get_packet() override
     { return pkt; }
@@ -48,6 +48,9 @@ public:
     bool get_create_service()
     { return create_service; }
 
+    bool is_initiator_swapped()
+    { return swapped; }
+
     uint32_t get_service_id()
     { return serviceID; }
 
@@ -56,6 +59,7 @@ private:
     const NetFlowSessionRecord* record;
     bool create_host;
     bool create_service;
+    bool swapped;
     uint32_t serviceID = 0;
 };
 
diff --git a/src/service_inspectors/netflow/netflow.cc b/src/service_inspectors/netflow/netflow.cc
index f20ee2124..80df66951 100644
--- a/src/service_inspectors/netflow/netflow.cc
+++ b/src/service_inspectors/netflow/netflow.cc
@@ -109,6 +109,7 @@ static const NetFlowRule* filter_record(const NetFlowRules* rules, const int zon
 static void publish_netflow_event(const Packet* p, const NetFlowRule* match, NetFlowSessionRecord& record)
 {
     uint32_t serviceID = 0;
+    bool swapped = false;
     std::unordered_map* service_mappings = nullptr;
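Review bot: Inserting `bool swp_initiator` between `bool cre_serv` and `uint32_t s_id` leaves three adjacent bool parameters in the constructor, so a call site that transposes `cre_serv` and `swp_initiator` compiles cleanly and silently publishes the wrong flag. Since the only caller visible in this patch passes `match->create_host, match->create_service, swapped`, the cheapest protection is a comment on the parameter list naming what each bool means, `// cre_host/cre_serv: policy from the matched rule; swp_initiator: service was matched on the initiator port`; an enum or a small options struct would be the stronger fix if more flags are coming. The class declaration begins before the hunk.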
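Review bot: `is_initiator_swapped()` gives a subscriber no definition of "swapped", and the only place that fixes its meaning is netflow.cc, where the flag is set when the initiator port rather than the responder port matched a service mapping; a comment on the getter should say that, e.g. `// true when the service id was matched on initiator_port, not responder_port: consumers should pair get_service_id() with the initiator side of the record`. The existing getters in this class are also non-const, so the new one is consistent, although all of them only read members and could be `const`.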
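Review bot: `bool swapped;` is added without an in-class initialiser while `uint32_t serviceID = 0;` on the next line has one; the constructor does set it, but `bool swapped = false;` keeps the members consistent and means any future constructor overload that omits it still publishes a defined value rather than an indeterminate bool.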
@@ -134,14 +135,21 @@ static void publish_netflow_event(const Packet* p, const NetFlowRule* match, Net
         // Use only the known port. If both are known, take the lower numbered port.
         if (sid_responder && !sid_initiator)
+        {
             serviceID = sid_responder;
+        }
         else if (sid_initiator && !sid_responder)
+        {
             serviceID = sid_initiator;
+            swapped = true;
+        }
         else
+        {
             serviceID = (record.initiator_port > record.responder_port) ? sid_responder : sid_initiator;
+        }
     }
 
-    NetFlowEvent event(p, &record, match->create_host, match->create_service, serviceID);
+    NetFlowEvent event(p, &record, match->create_host, match->create_service, swapped, serviceID);
     DataBus::publish(NETFLOW_EVENT, event);
 }
-- 
2.47.3
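Review bot: `swapped = true` is set only in the `sid_initiator && !sid_responder` branch, but the final `else` also selects `sid_initiator` whenever `record.initiator_port` is not greater than `record.responder_port`, and that event goes out with `swapped == false`; the subscriber in rna_pnd.cc then pairs an initiator-derived service id with `responder_port`, which contradicts the comment `take the lower numbered port`. The else branch should raise the flag whenever it picks the initiator side, and only when `sid_initiator` is non-zero so the neither-known case (service id 0) does not flip the port for nothing. The `if` this chain sits in, and `publish_netflow_event` itself, begin before the hunk.
```cpp
        // … unchanged: sid_responder-only and sid_initiator-only branches …
        else if (record.initiator_port > record.responder_port)
        {
            serviceID = sid_responder;
        }
        else
        {
            // both known (lower port wins) or neither known: the initiator side was chosen
            serviceID = sid_initiator;
            swapped = sid_initiator != 0;
        }
```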