From 9049f985b8002d8f5cd58da1e2e67cc52018e08e Mon Sep 17 00:00:00 2001 From: "Mike Stepanek (mstepane)" Date: Fri, 23 Mar 2018 08:00:52 -0400 Subject: [PATCH] Merge pull request #1151 in SNORT/snort3 from appid_debug_command to master Squashed commit of the following: commit 94ab5291fa5240c58116e0614e826204ee78bb88 Author: Masud Hasan Date: Fri Mar 16 11:17:58 2018 -0400 appid: Refactor debug command commit ae917cc0c9194d3b538c008017bbfa6f1bcb30b7 Author: Mike Stepanek Date: Wed Mar 7 16:28:41 2018 -0500 appid: Add AppID debug command --- src/network_inspectors/appid/CMakeLists.txt | 2 + src/network_inspectors/appid/appid_config.cc | 6 - src/network_inspectors/appid/appid_config.h | 22 +- src/network_inspectors/appid/appid_debug.cc | 180 +++++++ src/network_inspectors/appid/appid_debug.h | 82 +++ src/network_inspectors/appid/appid_detector.h | 10 +- .../appid/appid_discovery.cc | 79 +-- .../appid/appid_http_session.cc | 68 +-- .../appid/appid_inspector.cc | 40 +- src/network_inspectors/appid/appid_module.cc | 141 ++++- src/network_inspectors/appid/appid_module.h | 1 + src/network_inspectors/appid/appid_session.cc | 93 +--- src/network_inspectors/appid/appid_session.h | 8 - .../appid/client_plugins/client_discovery.cc | 20 +- .../test/detector_plugins_mock.h | 5 +- .../service_plugins/service_discovery.cc | 58 ++- .../appid/service_plugins/service_rshell.cc | 10 +- .../appid/service_plugins/service_snmp.cc | 14 +- .../appid/service_plugins/service_tftp.cc | 34 +- src/network_inspectors/appid/service_state.cc | 6 +- .../appid/test/CMakeLists.txt | 4 + .../appid/test/appid_debug_test.cc | 489 ++++++++++++++++++ .../appid/thirdparty_appid_utils.cc | 113 ++-- 23 files changed, 1159 insertions(+), 326 deletions(-) create mode 100644 src/network_inspectors/appid/appid_debug.cc create mode 100644 src/network_inspectors/appid/appid_debug.h create mode 100644 src/network_inspectors/appid/test/appid_debug_test.cc diff --git a/src/network_inspectors/appid/CMakeLists.txt b/src/network_inspectors/appid/CMakeLists.txt index 9e92a8db9..d92cf734f 100644 --- a/src/network_inspectors/appid/CMakeLists.txt +++ b/src/network_inspectors/appid/CMakeLists.txt @@ -150,6 +150,8 @@ set ( APPID_SOURCES appid_app_descriptor.h appid_config.cc appid_config.h + appid_debug.cc + appid_debug.h appid_detector.cc appid_detector.h appid_discovery.cc diff --git a/src/network_inspectors/appid/appid_config.cc b/src/network_inspectors/appid/appid_config.cc index 1ca926c64..143a1d9a0 100644 --- a/src/network_inspectors/appid/appid_config.cc +++ b/src/network_inspectors/appid/appid_config.cc @@ -80,12 +80,6 @@ static void map_app_names_to_snort_ids(SnortConfig* sc) sc->proto_ref->add("tftp"); } -AppIdModuleConfig::AppIdModuleConfig() -{ - session_log_filter.sip.clear(); - session_log_filter.dip.clear(); -} - AppIdModuleConfig::~AppIdModuleConfig() { #ifdef USE_RNA_CONFIG diff --git a/src/network_inspectors/appid/appid_config.h b/src/network_inspectors/appid/appid_config.h index 818802cbf..59c91ec8e 100644 --- a/src/network_inspectors/appid/appid_config.h +++ b/src/network_inspectors/appid/appid_config.h @@ -53,28 +53,10 @@ struct PortExclusion snort::ip::snort_in6_addr netmask; }; -struct AppIdSessionLogFilter -{ - AppIdSessionLogFilter() - { - sip.clear(); - dip.clear(); - } - - snort::SfIp sip; - bool sip_flag = false; - snort::SfIp dip; - bool dip_flag = false; - uint16_t sport = 0; - uint16_t dport = 0; - PktType protocol = PktType::NONE; - bool log_all_sessions = false; -}; - class AppIdModuleConfig { public: - AppIdModuleConfig(); + AppIdModuleConfig() = default; ~AppIdModuleConfig(); #ifdef USE_RNA_CONFIG @@ -90,7 +72,7 @@ public: uint32_t memcap = 0; bool debug = false; bool dump_ports = false; - AppIdSessionLogFilter session_log_filter; + bool log_all_sessions = false; bool safe_search_enabled = true; bool dns_host_reporting = true; diff --git a/src/network_inspectors/appid/appid_debug.cc b/src/network_inspectors/appid/appid_debug.cc new file mode 100644 index 000000000..bf744126c --- /dev/null +++ b/src/network_inspectors/appid/appid_debug.cc @@ -0,0 +1,180 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// appid_debug.cc author Mike Stepanek +// Created on: March 6, 2018 + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "appid_debug.h" + +#include "flow/flow_key.h" +#include "log/messages.h" + +#include "appid_config.h" +#include "appid_session.h" + +using namespace snort; +THREAD_LOCAL AppIdDebug* appidDebug = nullptr; + +void AppIdDebug::activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t port1, uint16_t port2, IpProtocol protocol, + uint16_t address_space_id, const AppIdSession* session, bool log_all_sessions) +{ + if ((log_all_sessions) || + (enabled && (info.protocol == IpProtocol::PROTO_NOT_SET || info.protocol == protocol) && + (((!info.sport || info.sport == port1) && (!info.dport || info.dport == port2) && + (!info.sip_flag || memcmp(&info.sip, ip1, sizeof(info.sip)) == 0) && + (!info.dip_flag || memcmp(&info.dip, ip2, sizeof(info.dip)) == 0)) || + ((!info.sport || info.sport == port2) && (!info.dport || info.dport == port1) && + (!info.sip_flag || memcmp(&info.sip, ip2, sizeof(info.sip)) == 0) && + (!info.dip_flag || memcmp(&info.dip, ip1, sizeof(info.dip)) == 0))))) + { + active = true; + int af; + const struct in6_addr* sip; + const struct in6_addr* dip; + unsigned offset; + uint16_t sport = 0; + uint16_t dport = 0; + char sipstr[INET6_ADDRSTRLEN]; + char dipstr[INET6_ADDRSTRLEN]; + + if (!session) + { + sip = (const struct in6_addr*)ip1; + dip = (const struct in6_addr*)ip2; + sport = port1; + dport = port2; + } + else if (session->common.initiator_port) + { + if (session->common.initiator_port == port1) + { + sip = (const struct in6_addr*)ip1; + dip = (const struct in6_addr*)ip2; + sport = port1; + dport = port2; + } + else + { + sip = (const struct in6_addr*)ip2; + dip = (const struct in6_addr*)ip1; + sport = port2; + dport = port1; + } + } + else if (memcmp(session->common.initiator_ip.get_ip6_ptr(), ip1, sizeof(struct in6_addr)) == 0) + { + sip = (const struct in6_addr*)ip1; + dip = (const struct in6_addr*)ip2; + sport = port1; + dport = port2; + } + else + { + sip = (const struct in6_addr*)ip2; + dip = (const struct in6_addr*)ip1; + sport = port2; + dport = port1; + } + sipstr[0] = 0; + if (sip->s6_addr32[0] || sip->s6_addr32[1] || sip->s6_addr16[4] || (sip->s6_addr16[5] && sip->s6_addr16[5] != 0xFFFF)) + { + af = AF_INET6; + offset = 0; + } + else + { + af = AF_INET; + offset = 12; + } + inet_ntop(af, &sip->s6_addr[offset], sipstr, sizeof(sipstr)); + dipstr[0] = 0; + if (dip->s6_addr32[0] || dip->s6_addr32[1] || dip->s6_addr16[4] || (dip->s6_addr16[5] && dip->s6_addr16[5] != 0xFFFF)) + { + af = AF_INET6; + offset = 0; + } + else + { + af = AF_INET; + offset = 12; + } + inet_ntop(af, &dip->s6_addr[offset], dipstr, sizeof(dipstr)); + + snprintf(debug_session, sizeof(debug_session), "%s %hu -> %s %hu %hhu AS=%hu ID=%u", + sipstr, sport, dipstr, dport, static_cast(protocol), address_space_id, instance_id); + } + else + active = false; +} + +void AppIdDebug::activate(const Flow *flow, const AppIdSession* session, bool log_all_sessions) +{ + if (flow == nullptr) + { + active = false; + return; + } + const FlowKey* key = flow->key; + activate(key->ip_l, key->ip_h, key->port_l, key->port_h, (IpProtocol)(key->ip_protocol), + key->addressSpaceId, session, log_all_sessions); +} + +void AppIdDebug::set_constraints(const char *desc, const AppIdDebugSessionConstraints* constraints) +{ + if (constraints) + { + int saf; + int daf; + char sipstr[INET6_ADDRSTRLEN]; + char dipstr[INET6_ADDRSTRLEN]; + + memcpy(&info, constraints, sizeof(info)); + if (!info.sip.s6_addr32[0] && !info.sip.s6_addr32[1] && !info.sip.s6_addr16[4] && + info.sip.s6_addr16[5] == 0xFFFF) + { + saf = AF_INET; + } + else + saf = AF_INET6; + if (!info.dip.s6_addr32[0] && !info.dip.s6_addr32[1] && !info.dip.s6_addr16[4] && + info.dip.s6_addr16[5] == 0xFFFF) + { + daf = AF_INET; + } + else + daf = AF_INET6; + sipstr[0] = 0; + inet_ntop(saf, saf == AF_INET ? &info.sip.s6_addr32[3] : info.sip.s6_addr32, sipstr, sizeof(sipstr)); + dipstr[0] = 0; + inet_ntop(daf, daf == AF_INET ? &info.dip.s6_addr32[3] : info.dip.s6_addr32, dipstr, sizeof(dipstr)); + LogMessage("Debugging %s with %s-%hu and %s-%hu %hhu\n", desc, + sipstr, info.sport, dipstr, info.dport, static_cast(info.protocol)); + + enabled = true; + } + else + { + LogMessage("Debugging %s disabled\n", desc); + enabled = false; + } + +} diff --git a/src/network_inspectors/appid/appid_debug.h b/src/network_inspectors/appid/appid_debug.h new file mode 100644 index 000000000..037a1cb8d --- /dev/null +++ b/src/network_inspectors/appid/appid_debug.h @@ -0,0 +1,82 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// appid_debug.h author Mike Stepanek +// Created on: March 6, 2018 + +#ifndef APPID_DEBUG_H +#define APPID_DEBUG_H + +#include + +#include "protocols/protocol_ids.h" +#include "main/thread.h" + +class AppIdSession; +namespace snort +{ + class Flow; +} + +// %s %u -> %s %u %u AS=%u ID=%u +// IPv6 Port -> IPv6 Port Proto AS=ASNum ID=InstanceNum +#define APPID_DEBUG_SESSION_ID_SIZE ((39+1+5+1+2+1+39+1+5+1+3+1+2+1+10+1+2+1+10)+1) + +struct AppIdDebugSessionConstraints +{ + struct in6_addr sip; + int sip_flag; + struct in6_addr dip; + int dip_flag; + uint16_t sport; + uint16_t dport; + IpProtocol protocol = IpProtocol::PROTO_NOT_SET; +}; + +class AppIdDebug +{ +public: + AppIdDebug(unsigned instance_id) : instance_id(instance_id) { } + + void activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t port1, uint16_t port2, IpProtocol protocol, + uint16_t address_space_id, const AppIdSession* session, bool log_all_sessions); + void activate(const snort::Flow *flow, const AppIdSession* session, bool log_all_sessions); + void set_constraints(const char *desc, const AppIdDebugSessionConstraints* constraints); + + bool is_enabled() { return enabled; } + void set_enabled(bool enable) { enabled = enable; } + + bool is_active() { return active; } + void deactivate() { active = false; } + + const char* get_debug_session() + { + return debug_session; + } + +private: + bool enabled = false; + bool active = false; + AppIdDebugSessionConstraints info = { }; + unsigned instance_id; + char debug_session[APPID_DEBUG_SESSION_ID_SIZE]; +}; + +extern THREAD_LOCAL AppIdDebug* appidDebug; + +#endif diff --git a/src/network_inspectors/appid/appid_detector.h b/src/network_inspectors/appid/appid_detector.h index efc0c9c04..936fd429d 100644 --- a/src/network_inspectors/appid/appid_detector.h +++ b/src/network_inspectors/appid/appid_detector.h @@ -74,12 +74,8 @@ class AppIdDiscoveryArgs { public: AppIdDiscoveryArgs(const uint8_t* data, uint16_t size, int dir, AppIdSession& asd, - snort::Packet* p) : data(data), size(size), dir(dir), asd(asd), pkt(p) - { - config = asd.config; - session_logging_enabled = asd.session_logging_enabled; - session_logging_id = asd.session_logging_id; - } + snort::Packet* p) : data(data), size(size), dir(dir), asd(asd), pkt(p), config(asd.config) + {} const uint8_t* data; uint16_t size; @@ -87,8 +83,6 @@ public: AppIdSession& asd; snort::Packet* pkt; const AppIdConfig* config = nullptr; - bool session_logging_enabled = false; - char* session_logging_id = nullptr; }; enum APPID_STATUS_CODE diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index bef16a7b8..a3fd4e5b1 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -25,7 +25,13 @@ #include "appid_discovery.h" +#include "log/messages.h" +#include "profiler/profiler.h" +#include "protocols/packet.h" +#include "protocols/tcp.h" + #include "appid_config.h" +#include "appid_debug.h" #include "appid_detector.h" #include "app_forecast.h" #include "appid_dns_session.h" @@ -34,17 +40,12 @@ #include "appid_session.h" #include "appid_utils/ip_funcs.h" #include "appid_utils/network_set.h" -#include "host_port_app_cache.h" -#include "thirdparty_appid_utils.h" -#include "service_plugins/service_discovery.h" #include "client_plugins/client_discovery.h" #include "detector_plugins/detector_dns.h" #include "detector_plugins/http_url_patterns.h" - -#include "profiler/profiler.h" -#include "log/messages.h" -#include "protocols/packet.h" -#include "protocols/tcp.h" +#include "host_port_app_cache.h" +#include "service_plugins/service_discovery.h" +#include "thirdparty_appid_utils.h" using namespace snort; @@ -340,15 +341,14 @@ static bool is_packet_ignored(AppIdSession* asd, Packet* p, int& direction) if ( direction == APP_ID_FROM_INITIATOR && hsession && hsession->is_rebuilt_offsets() ) { HttpPatternMatchers::get_instance()->get_http_offsets(p, hsession); - if (asd->session_logging_enabled) - LogMessage( - "AppIdDbg %s offsets from rebuilt packet: uri: %u-%u cookie: %u-%u\n", - asd->session_logging_id, - hsession->get_field_offset(REQ_URI_FID), - hsession->get_field_end_offset(REQ_URI_FID), - hsession->get_field_offset(REQ_COOKIE_FID), - hsession->get_field_end_offset(REQ_COOKIE_FID)); - } + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Offsets from rebuilt packet: uri: %u-%u cookie: %u-%u\n", + appidDebug->get_debug_session(), + hsession->get_field_offset(REQ_URI_FID), + hsession->get_field_end_offset(REQ_URI_FID), + hsession->get_field_offset(REQ_COOKIE_FID), + hsession->get_field_end_offset(REQ_COOKIE_FID)); + } AppIdPegCounts::inc_disco_peg(AppIdPegCounts::DiscoveryPegs::IGNORED_PACKETS); return true; } @@ -610,6 +610,8 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect return; } + appidDebug->activate(p->flow, asd, inspector.get_appid_config()->mod_config->log_all_sessions); + if ( is_packet_ignored(asd, p, direction) ) return; @@ -633,13 +635,27 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect port = (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp; } + // FIXIT-H - Creating AppId session even when flow is ignored (not monitored, e.g., + // when AppId discovery is disabled) will consume a lot of unneeded memory and perform + // unneeded tasks in constructor. Snort2 uses static APPID_SESSION_STRUCT_FLAG ignore_fsf. + // Snort3 may use something like that or a dummy class/object having only common.flow_type + // to let us know that it is APPID_FLOW_TYPE_IGNORE type and thus being returned early + // from this method due to set_network_attributes() checking. AppIdSession* tmp_session = new AppIdSession(protocol, ip, port, inspector); if ((flow_flags & APPID_SESSION_BIDIRECTIONAL_CHECKED) == APPID_SESSION_BIDIRECTIONAL_CHECKED) + { tmp_session->common.flow_type = APPID_FLOW_TYPE_IGNORE; + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Not monitored\n", appidDebug->get_debug_session()); + } else + { tmp_session->common.flow_type = APPID_FLOW_TYPE_TMP; + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Unknown monitoring\n", appidDebug->get_debug_session()); + } tmp_session->common.flags = flow_flags; tmp_session->common.policyId = inspector.get_appid_config()->appIdPolicyId; p->flow->set_flow_data(tmp_session); @@ -651,6 +667,8 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect APPID_SESSION_BIDIRECTIONAL_CHECKED ) asd->common.flow_type = APPID_FLOW_TYPE_IGNORE; asd->common.policyId = asd->config->appIdPolicyId; + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Not monitored\n", appidDebug->get_debug_session()); } return; @@ -659,9 +677,8 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect if ( !asd || asd->common.flow_type == APPID_FLOW_TYPE_TMP ) { asd = AppIdSession::allocate_session(p, protocol, direction, inspector); - - if (asd->session_logging_enabled) - LogMessage("AppIdDbg %s new session\n", asd->session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s New AppId session\n", appidDebug->get_debug_session()); } // FIXIT-L - from this point on we always have a valid ptr to an AppIdSession and a Packet @@ -679,12 +696,12 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect if (asd->get_session_flags(APPID_SESSION_IGNORE_FLOW)) { - if ( asd->session_logging_enabled && - !asd->get_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED) ) + if (appidDebug->is_active() && + !asd->get_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED)) { asd->set_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED); LogMessage("AppIdDbg %s Ignoring connection with service %d\n", - asd->session_logging_id, asd->service.get_id()); + appidDebug->get_debug_session(), asd->service.get_id()); } return; @@ -748,9 +765,9 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect default: { asd->service.set_port_service_id(asd->config->get_port_service_id(protocol, p->ptrs.sp)); - if (asd->session_logging_enabled) - LogMessage("AppIdDbg %s port service %d\n", - asd->session_logging_id, asd->service.get_port_service_id()); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Port service %d\n", + appidDebug->get_debug_session(), asd->service.get_port_service_id()); asd->set_session_flags(APPID_SESSION_PORT_SERVICE_DONE); } break; @@ -811,11 +828,11 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect } else { - if (asd->session_logging_enabled && p->dsize && + if (appidDebug->is_active() && p->dsize && !asd->get_session_flags(APPID_SESSION_OOO_LOGGED)) { asd->set_session_flags(APPID_SESSION_OOO_LOGGED); - LogMessage("AppIdDbg %s packet out-of-order\n", asd->session_logging_id); + LogMessage("AppIdDbg %s Packet out-of-order\n", appidDebug->get_debug_session()); } } @@ -852,7 +869,7 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect ((flags & APPINFO_FLAG_SUPPORTED_SEARCH) ? SUPPORTED_SEARCH_ENGINE : UNSUPPORTED_SEARCH_ENGINE ) : NOT_A_SEARCH_ENGINE; - if (asd->session_logging_enabled) + if (appidDebug->is_active()) { const char* typeString; switch ( asd->search_support_type ) @@ -863,8 +880,8 @@ void AppIdDiscovery::do_application_discovery(Packet* p, AppIdInspector& inspect default: typeString = "unknown"; break; } - LogMessage("AppIdDbg %s appId: %u (safe)search_support_type=%s\n", - asd->session_logging_id, payload_id, typeString); + LogMessage("AppIdDbg %s AppId %u (safe)search_support_type=%s\n", + appidDebug->get_debug_session(), payload_id, typeString); } } diff --git a/src/network_inspectors/appid/appid_http_session.cc b/src/network_inspectors/appid/appid_http_session.cc index e5acf60c7..bf56e26fb 100644 --- a/src/network_inspectors/appid/appid_http_session.cc +++ b/src/network_inspectors/appid/appid_http_session.cc @@ -25,13 +25,14 @@ #include "appid_http_session.h" +#include "profiler/profiler.h" + #include "app_info_table.h" #include "appid_config.h" +#include "appid_debug.h" #include "appid_session.h" -#include "thirdparty_appid_utils.h" #include "detector_plugins/http_url_patterns.h" -#include "profiler/profiler.h" - +#include "thirdparty_appid_utils.h" static const char* httpFieldName[ MAX_HTTP_FIELD_ID ] = // for use in debug messages { @@ -316,8 +317,8 @@ void AppIdHttpSession::process_chp_buffers() for (unsigned i = 0; i < MAX_HTTP_FIELD_ID; i++) if ( cmd.chp_rewritten[i] ) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s rewritten %s: %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Rewritten %s: %s\n", appidDebug->get_debug_session(), httpFieldName[i], cmd.chp_rewritten[i]); http_fields[i].field = cmd.chp_rewritten[i]; @@ -371,8 +372,8 @@ int AppIdHttpSession::process_http_packet(int direction) constexpr auto RESPONSE_CODE_LENGTH = 3; if (response_code.size() != RESPONSE_CODE_LENGTH) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s bad http response code.\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Bad http response code.\n", appidDebug->get_debug_session()); asd.reset_session_data(); return 0; } @@ -383,8 +384,8 @@ int AppIdHttpSession::process_http_packet(int direction) set_session_flags(APPID_SESSION_RESPONSE_CODE_CHECKED); /* didn't receive response code in first X packets. Stop processing this session */ asd.reset_session_data(); - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s no response code received\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s No response code received\n", appidDebug->get_debug_session()); return 0; } #endif @@ -393,8 +394,8 @@ int AppIdHttpSession::process_http_packet(int direction) if (asd.service.get_id() == APP_ID_NONE) asd.service.set_id(APP_ID_HTTP); - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s chp_finished %d chp_hold_flow %d\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s chp_finished %d chp_hold_flow %d\n", appidDebug->get_debug_session(), chp_finished, chp_hold_flow); if (!chp_finished || chp_hold_flow) @@ -444,8 +445,8 @@ int AppIdHttpSession::process_http_packet(int direction) if (is_webdav) { - if (asd.session_logging_enabled and asd.payload.get_id() != APP_ID_WEBDAV) - LogMessage("AppIdDbg %s data is webdav\n", asd.session_logging_id); + if (appidDebug->is_active() and asd.payload.get_id() != APP_ID_WEBDAV) + LogMessage("AppIdDbg %s Data is webdav\n", appidDebug->get_debug_session()); asd.set_payload_appid_data(APP_ID_WEBDAV, nullptr); } @@ -457,6 +458,13 @@ int AppIdHttpSession::process_http_packet(int direction) http_matchers->identify_user_agent(useragent.c_str(), useragent.size(), service_id, client_id, &version); + if (appidDebug->is_active()) + { + if (service_id > APP_ID_NONE and service_id != APP_ID_HTTP and asd.service.get_id() != service_id) + LogMessage("AppIdDbg %s User Agent is service %d\n", appidDebug->get_debug_session(), service_id); + if (client_id > APP_ID_NONE and client_id != APP_ID_HTTP and asd.client.get_id() != client_id) + LogMessage("AppIdDbg %s User Agent is client %d\n", appidDebug->get_debug_session(), client_id); + } asd.set_service_appid_data(service_id, nullptr, nullptr); asd.set_client_appid_data(client_id, version); asd.scan_flags &= ~SCAN_HTTP_USER_AGENT_FLAG; @@ -467,9 +475,9 @@ int AppIdHttpSession::process_http_packet(int direction) if ( !asd.is_payload_appid_set() && (asd.scan_flags & SCAN_HTTP_VIA_FLAG) && !via.empty() ) { payload_id = http_matchers->get_appid_by_pattern(via.c_str(), via.size(), nullptr); - if (asd.session_logging_enabled && payload_id > APP_ID_NONE && + if (appidDebug->is_active() && payload_id > APP_ID_NONE && asd.payload.get_id() != payload_id) - LogMessage("AppIdDbg %s VIA data %d\n", asd.session_logging_id, payload_id); + LogMessage("AppIdDbg %s VIA is payload %d\n", appidDebug->get_debug_session(), payload_id); asd.set_payload_appid_data((AppId)payload_id, nullptr); asd.scan_flags &= ~SCAN_HTTP_VIA_FLAG; } @@ -490,17 +498,17 @@ int AppIdHttpSession::process_http_packet(int direction) { if (direction == APP_ID_FROM_INITIATOR) { - if (asd.session_logging_enabled && client_id > APP_ID_NONE && client_id != + if (appidDebug->is_active() && client_id > APP_ID_NONE && client_id != APP_ID_HTTP && asd.client.get_id() != client_id) - LogMessage("AppIdDbg %s X is client %d\n", asd.session_logging_id, appId); + LogMessage("AppIdDbg %s X is client %d\n", appidDebug->get_debug_session(), appId); asd.set_client_appid_data(appId, version); } else { - if (asd.session_logging_enabled && service_id > APP_ID_NONE && service_id != + if (appidDebug->is_active() && service_id > APP_ID_NONE && service_id != APP_ID_HTTP && asd.service.get_id() != service_id) - LogMessage("AppIdDbg %s X service %d\n", asd.session_logging_id, appId); + LogMessage("AppIdDbg %s X service %d\n", appidDebug->get_debug_session(), appId); asd.set_service_appid_data(appId, nullptr, version); } asd.scan_flags &= ~SCAN_HTTP_XWORKINGWITH_FLAG; @@ -517,9 +525,9 @@ int AppIdHttpSession::process_http_packet(int direction) || (!thirdparty_appid_module && !asd.is_payload_appid_set() && !content_type.empty()) ) { payload_id = http_matchers->get_appid_by_content_type(content_type.c_str(), content_type.size()); - if (asd.session_logging_enabled && payload_id > APP_ID_NONE + if (appidDebug->is_active() && payload_id > APP_ID_NONE && asd.payload.get_id() != payload_id) - LogMessage("AppIdDbg %s Content-Type is data %d\n", asd.session_logging_id, + LogMessage("AppIdDbg %s Content-Type is payload %d\n", appidDebug->get_debug_session(), payload_id); asd.set_payload_appid_data((AppId)payload_id, nullptr); asd.scan_flags &= ~SCAN_HTTP_CONTENT_TYPE_FLAG; @@ -536,26 +544,26 @@ int AppIdHttpSession::process_http_packet(int direction) // do not overwrite a previously-set client or service if (asd.client.get_id() <= APP_ID_NONE) { - if (asd.session_logging_enabled && client_id > APP_ID_NONE && client_id != + if (appidDebug->is_active() && client_id > APP_ID_NONE && client_id != APP_ID_HTTP && asd.client.get_id() != client_id) - LogMessage("AppIdDbg %s URL is client %d\n", asd.session_logging_id, + LogMessage("AppIdDbg %s URL is client %d\n", appidDebug->get_debug_session(), client_id); asd.set_client_appid_data(client_id, nullptr); } if (asd.service.get_id() <= APP_ID_NONE) { - if (asd.session_logging_enabled && service_id > APP_ID_NONE && service_id != + if (appidDebug->is_active() && service_id > APP_ID_NONE && service_id != APP_ID_HTTP && asd.service.get_id() != service_id) - LogMessage("AppIdDbg %s URL is service %d\n", asd.session_logging_id, + LogMessage("AppIdDbg %s URL is service %d\n", appidDebug->get_debug_session(), service_id); asd.set_service_appid_data(service_id, nullptr, nullptr); } // DO overwrite a previously-set data - if (asd.session_logging_enabled && payload_id > APP_ID_NONE && + if (appidDebug->is_active() && payload_id > APP_ID_NONE && asd.payload.get_id() != payload_id) - LogMessage("AppIdDbg %s URL is data %d\n", asd.session_logging_id, + LogMessage("AppIdDbg %s URL is payload %d\n", appidDebug->get_debug_session(), payload_id); asd.set_payload_appid_data((AppId)payload_id, version); asd.set_referred_payload_app_id_data(referredPayloadAppId); @@ -625,11 +633,11 @@ void AppIdHttpSession::update_http_xff_address(struct XffFieldValue* /*xff_field for (unsigned j = 0; j < numXffFields; j++) xffPrecedence[j] = strndup(xffPrecedence[j], UINT8_MAX); - if (asd.session_logging_enabled) + if (appidDebug->is_active()) { for (unsigned i = 0; i < numXffFields; i++) - LogMessage("AppIdDbg %s %s : %s\n", asd.session_logging_id, - xff_fields[i].field, xff_fields[i].value); + LogMessage("AppIdDbg %s XFF %s : %s\n", appidDebug->get_debug_session(), + xff_fields[i].field, xff_fields[i].value.empty()? "(empty)": xff_fields[i].value); } // xffPrecedence array is sorted based on precedence diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc index b45691d0e..965f77387 100644 --- a/src/network_inspectors/appid/appid_inspector.cc +++ b/src/network_inspectors/appid/appid_inspector.cc @@ -27,28 +27,30 @@ #include -#include "appid_stats.h" -#include "appid_session.h" -#include "appid_discovery.h" -#include "app_forecast.h" -#include "host_port_app_cache.h" -#include "lua_detector_module.h" -#include "appid_http_event_handler.h" -#include "thirdparty_appid_utils.h" -#include "client_plugins/client_discovery.h" -#include "service_plugins/service_discovery.h" -#include "service_plugins/service_ssl.h" -#include "detector_plugins/detector_dns.h" -#include "detector_plugins/http_url_patterns.h" -#include "detector_plugins/detector_sip.h" -#include "detector_plugins/detector_pattern.h" #include "flow/flow.h" #include "log/messages.h" #include "log/packet_tracer.h" #include "managers/inspector_manager.h" #include "managers/module_manager.h" -#include "protocols/packet.h" #include "profiler/profiler.h" +#include "protocols/packet.h" + +#include "app_forecast.h" +#include "appid_debug.h" +#include "appid_discovery.h" +#include "appid_http_event_handler.h" +#include "appid_session.h" +#include "appid_stats.h" +#include "client_plugins/client_discovery.h" +#include "detector_plugins/detector_dns.h" +#include "detector_plugins/detector_pattern.h" +#include "detector_plugins/detector_sip.h" +#include "detector_plugins/http_url_patterns.h" +#include "host_port_app_cache.h" +#include "lua_detector_module.h" +#include "service_plugins/service_discovery.h" +#include "service_plugins/service_ssl.h" +#include "thirdparty_appid_utils.h" using namespace snort; static THREAD_LOCAL PacketTracer::TracerMute appid_mute; @@ -215,12 +217,18 @@ static void appid_inspector_pterm() static void appid_inspector_tinit() { + uint32_t snort_instance = get_instance_id(); + appidDebug = new AppIdDebug(snort_instance); + AppIdPegCounts::init_pegs(); } static void appid_inspector_tterm() { AppIdPegCounts::cleanup_pegs(); + + delete appidDebug; + appidDebug = nullptr; } static Inspector* appid_inspector_ctor(Module* m) diff --git a/src/network_inspectors/appid/appid_module.cc b/src/network_inspectors/appid/appid_module.cc index 44c92a34a..d18fc3aeb 100644 --- a/src/network_inspectors/appid/appid_module.cc +++ b/src/network_inspectors/appid/appid_module.cc @@ -26,13 +26,17 @@ #include "appid_module.h" #include +#include -#include "app_info_table.h" -#include "appid_peg_counts.h" #include "log/messages.h" +#include "main/analyzer_command.h" #include "profiler/profiler.h" #include "utils/util.h" +#include "app_info_table.h" +#include "appid_debug.h" +#include "appid_peg_counts.h" + using namespace snort; using namespace std; @@ -42,20 +46,6 @@ using namespace std; THREAD_LOCAL ProfileStats appidPerfStats; -static const Parameter session_log_filter[] = -{ - { "src_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", - "source IP address in CIDR format" }, - { "dst_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32", - "destination IP address in CIDR format" }, - { "src_port", Parameter::PT_PORT, "1:", nullptr, "source port" }, - { "dst_port", Parameter::PT_PORT, "1:", nullptr, "destination port" }, - { "protocol", Parameter::PT_STRING, nullptr, nullptr,"IP protocol" }, - { "log_all_sessions", Parameter::PT_BOOL, nullptr, "false", - "enable logging for all appid sessions" }, - { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } -}; - static const Parameter s_params[] = { #ifdef USE_RNA_CONFIG @@ -84,13 +74,114 @@ static const Parameter s_params[] = { "thirdparty_appid_dir", Parameter::PT_STRING, nullptr, nullptr, "directory to load thirdparty appid detectors from" }, #endif - { "session_log_filter", Parameter::PT_TABLE, session_log_filter, nullptr, - "session log filter options" }, { "log_all_sessions", Parameter::PT_BOOL, nullptr, "false", "enable logging of all appid sessions" }, { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } }; +class AcAppIdDebug : public AnalyzerCommand +{ +public: + AcAppIdDebug(AppIdDebugSessionConstraints* cs); + void execute(Analyzer&) override; + const char* stringify() override { return "APPID_DEBUG"; } + +private: + AppIdDebugSessionConstraints constraints = { }; + bool enable = false; +}; + +AcAppIdDebug::AcAppIdDebug(AppIdDebugSessionConstraints* cs) +{ + if (cs) + { + memcpy(&constraints, cs, sizeof(constraints)); + enable = true; + } +} + +void AcAppIdDebug::execute(Analyzer&) +{ + if (appidDebug) + { + if (enable) + appidDebug->set_constraints("appid", &constraints); + else + appidDebug->set_constraints("appid", nullptr); + } + // FIXIT-L Add a warning if command was called without appid configured? +} + +static int enable_debug(lua_State* L) +{ + int proto = luaL_optint(L, 1, 0); + const char* sipstr = luaL_optstring(L, 2, nullptr); + int sport = luaL_optint(L, 3, 0); + const char* dipstr = luaL_optstring(L, 4, nullptr); + int dport = luaL_optint(L, 5, 0); + + SfIp sip, dip; + if (sipstr) + { + if (sip.set(sipstr) != SFIP_SUCCESS) + LogMessage("Invalid source IP address provided: %s\n", sipstr); + } + + if (dipstr) + { + if (dip.set(dipstr) != SFIP_SUCCESS) + LogMessage("Invalid destination IP address provided: %s\n", dipstr); + } + + AppIdDebugSessionConstraints constraints = { }; + + if (proto) + constraints.protocol = (IpProtocol) proto; + + if (sip.is_set()) + { + memcpy(&constraints.sip, sip.get_ip6_ptr(), sizeof(constraints.sip)); + constraints.sip_flag = true; + } + + if (dip.is_set()) + { + memcpy(&constraints.dip, dip.get_ip6_ptr(), sizeof(constraints.dip)); + constraints.dip_flag = true; + } + + constraints.sport = sport; + constraints.dport = dport; + + main_broadcast_command(new AcAppIdDebug(&constraints)); + + return 0; +} + +static int disable_debug(lua_State*) +{ + main_broadcast_command(new AcAppIdDebug(nullptr)); + return 0; +} + +static const Parameter enable_debug_params[] = +{ + { "proto", Parameter::PT_INT, nullptr, nullptr, "numerical IP protocol ID filter" }, + { "src_ip", Parameter::PT_STRING, nullptr, nullptr, "source IP address filter" }, + { "src_port", Parameter::PT_INT, nullptr, nullptr, "source port filter" }, + { "dst_ip", Parameter::PT_STRING, nullptr, nullptr, "destination IP address filter" }, + { "dst_port", Parameter::PT_INT, nullptr, nullptr, "destination port filter" }, + + { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr } +}; + +static const Command appid_cmds[] = +{ + { "enable_debug", enable_debug, enable_debug_params, "enable appid debugging"}, + { "disable_debug", disable_debug, nullptr, "disable appid debugging"}, + { nullptr, nullptr, nullptr, nullptr } +}; + // FIXIT-M Add appid_rules back in once we start using it. #ifdef REMOVED_WHILE_NOT_IN_USE static const RuleMap appid_rules[] = @@ -150,15 +241,8 @@ bool AppIdModule::set(const char*, Value& v, SnortConfig*) config->debug = v.get_bool(); else if ( v.is("dump_ports") ) config->dump_ports = v.get_bool(); - else if ( v.is("session_log_filter") ) - config->session_log_filter.log_all_sessions = false; // FIXIT-L need to implement support - // for all log options else if ( v.is("log_all_sessions") ) - config->session_log_filter.log_all_sessions = v.get_bool(); - else if (v.is("src_ip") ) - config->session_log_filter.sip.set(v.get_string()); - else if (v.is("dst_ip") ) - config->session_log_filter.dip.set(v.get_string()); + config->log_all_sessions = v.get_bool(); else return false; @@ -186,6 +270,11 @@ bool AppIdModule::end(const char*, int, SnortConfig*) return true; } +const Command* AppIdModule::get_commands() const +{ + return appid_cmds; +} + const PegInfo* AppIdModule::get_pegs() const { return AppIdPegCounts::get_peg_info(); diff --git a/src/network_inspectors/appid/appid_module.h b/src/network_inspectors/appid/appid_module.h index 7aaf9544d..94ea6ba83 100644 --- a/src/network_inspectors/appid/appid_module.h +++ b/src/network_inspectors/appid/appid_module.h @@ -43,6 +43,7 @@ public: bool set(const char*, snort::Value&, snort::SnortConfig*) override; bool end(const char*, int, snort::SnortConfig*) override; + const snort::Command* get_commands() const override; const PegInfo* get_pegs() const override; PegCount* get_counts() const override; snort::ProfileStats* get_profile() const override; diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index b66827331..0bcb0b74f 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -27,8 +27,18 @@ #include +#include "log/messages.h" +#include "main/snort_config.h" +#include "profiler/profiler.h" +#include "protocols/packet.h" +#include "protocols/tcp.h" +#include "stream/stream.h" +#include "target_based/snort_protocols.h" +#include "time/packet_time.h" + #include "app_forecast.h" #include "app_info_table.h" +#include "appid_debug.h" #include "appid_dns_session.h" #include "appid_http_session.h" #include "appid_inspector.h" @@ -36,14 +46,6 @@ #include "appid_utils/ip_funcs.h" #include "service_plugins/service_ssl.h" #include "thirdparty_appid_utils.h" -#include "log/messages.h" -#include "main/snort_config.h" -#include "profiler/profiler.h" -#include "protocols/packet.h" -#include "protocols/tcp.h" -#include "stream/stream.h" -#include "target_based/snort_protocols.h" -#include "time/packet_time.h" using namespace snort; @@ -66,46 +68,6 @@ const uint8_t* service_strstr(const uint8_t* haystack, unsigned haystack_len, return nullptr; } -void AppIdSession::set_session_logging_state(const Packet* pkt, int direction) -{ - if (config->mod_config->session_log_filter.log_all_sessions) - { - session_logging_enabled = true; - } - else - { - if ( !pkt->ptrs.ip_api.get_src()->equals(config->mod_config->session_log_filter.sip) ) - return; - - if ( !pkt->ptrs.ip_api.get_dst()->equals(config->mod_config->session_log_filter.dip) ) - return; - - if ( !( pkt->ptrs.sp == config->mod_config->session_log_filter.sport ) ) - return; - - if ( !( pkt->ptrs.dp == config->mod_config->session_log_filter.dport ) ) - return; - - if ( !( pkt->ptrs.type == config->mod_config->session_log_filter.protocol ) ) - return; - - session_logging_enabled = true; - } - - if (session_logging_enabled) - { - char src_ip_str[INET6_ADDRSTRLEN], dst_ip_str[INET6_ADDRSTRLEN]; - - pkt->ptrs.ip_api.get_src()->ntop(src_ip_str, sizeof(src_ip_str)); - pkt->ptrs.ip_api.get_dst()->ntop(dst_ip_str, sizeof(dst_ip_str)); - snprintf(session_logging_id, MAX_SESSION_LOGGING_ID_LEN, - "%s-%hu -> %s-%hu %u%s AS %u I %u", - src_ip_str, pkt->ptrs.sp, dst_ip_str, pkt->ptrs.dp, - (unsigned)pkt->ptrs.type, (direction == APP_ID_FROM_INITIATOR) ? "" : " R", - (unsigned)pkt->pkth->address_space_id, get_instance_id()); - } -} - AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, int direction, AppIdInspector& inspector) { @@ -119,7 +81,6 @@ AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, AppIdSession* asd = new AppIdSession(proto, ip, port, inspector); asd->flow = p->flow; asd->stats.first_packet_second = p->pkth->ts.tv_sec; - asd->set_session_logging_state(p, direction); asd->snort_protocol_id = snortId_for_unsynchronized; p->flow->set_flow_data(asd); return asd; @@ -143,7 +104,6 @@ AppIdSession::AppIdSession(IpProtocol proto, const SfIp* ip, uint16_t port, length_sequence.proto = IpProtocol::PROTO_NOT_SET; length_sequence.sequence_cnt = 0; memset(length_sequence.sequence, '\0', sizeof(length_sequence.sequence)); - session_logging_id[0] = '\0'; AppIdPegCounts::inc_disco_peg(AppIdPegCounts::DiscoveryPegs::TOTAL_SESSIONS); } @@ -224,25 +184,27 @@ AppIdSession* AppIdSession::create_future_session(const Packet* ctrlPkt, const S if ( Stream::set_snort_protocol_id_expected(ctrlPkt, type, proto, cliIp, cliPort, srvIp, srvPort, snort_protocol_id, asd) ) { - sfip_ntop(cliIp, src_ip, sizeof(src_ip)); - sfip_ntop(srvIp, dst_ip, sizeof(dst_ip)); - WarningMessage("AppIdDbg %s failed to create a related flow for %s-%u -> %s-%u %u\n", - asd->session_logging_id, src_ip, (unsigned)cliPort, dst_ip, - (unsigned)srvPort, (unsigned)proto); + if (appidDebug->is_active()) + { + sfip_ntop(cliIp, src_ip, sizeof(src_ip)); + sfip_ntop(srvIp, dst_ip, sizeof(dst_ip)); + LogMessage("AppIdDbg %s Failed to create a related flow for %s-%u -> %s-%u %u\n", + appidDebug->get_debug_session(), src_ip, (unsigned)cliPort, dst_ip, + (unsigned)srvPort, (unsigned)proto); + } delete asd; asd = nullptr; } else { - if (asd->session_logging_enabled) + if (appidDebug->is_active()) { sfip_ntop(cliIp, src_ip, sizeof(src_ip)); sfip_ntop(srvIp, dst_ip, sizeof(dst_ip)); - LogMessage("AppIdDbg %s related flow created for %s-%u -> %s-%u %u\n", - asd->session_logging_id, + LogMessage("AppIdDbg %s Related flow created for %s-%u -> %s-%u %u\n", + appidDebug->get_debug_session(), src_ip, (unsigned)cliPort, dst_ip, (unsigned)srvPort, (unsigned)proto); } - asd->in_expected_cache = true; } @@ -339,10 +301,9 @@ void AppIdSession::sync_with_snort_protocol_id(AppId newAppId, Packet* p) if ( tmp_snort_protocol_id != snort_protocol_id ) { snort_protocol_id = tmp_snort_protocol_id; - if (session_logging_enabled) - if (tmp_snort_protocol_id == snortId_for_http2) - LogMessage("AppIdDbg %s Telling Snort that it's HTTP/2\n", - session_logging_id); + if (appidDebug->is_active() && tmp_snort_protocol_id == snortId_for_http2) + LogMessage("AppIdDbg %s Telling Snort that it's HTTP/2\n", + appidDebug->get_debug_session()); p->flow->ssn_state.snort_protocol_id = tmp_snort_protocol_id; } @@ -379,9 +340,9 @@ void AppIdSession::check_app_detection_restart() encrypted.misc_id = pick_misc_app_id(); encrypted.referred_id = pick_referred_payload_app_id(); reinit_session_data(); - if (session_logging_enabled) - LogMessage("AppIdDbg %s SSL decryption is available, restarting app Detection\n", - session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s SSL decryption is available, restarting app detection\n", + appidDebug->get_debug_session()); // APPID_SESSION_ENCRYPTED is set upon receiving a command which upgrades the session to // SSL. Next packet after the command will have encrypted traffic. In the case of a diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index 64b853bad..0b7dc550c 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -79,8 +79,6 @@ enum AppIdFlowStatusCodes APPID_SESSION_EEXISTS }; -#define MAX_SESSION_LOGGING_ID_LEN (39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1) - enum APPID_DISCOVERY_STATE { APPID_DISCO_STATE_NONE = 0, @@ -244,9 +242,6 @@ public: bool is_client_detected() { return common.flags & APPID_SESSION_CLIENT_DETECTED; } bool is_decrypted() { return common.flags & APPID_SESSION_DECRYPTED; } - char session_logging_id[MAX_SESSION_LOGGING_ID_LEN]; - bool session_logging_enabled = false; - void* get_flow_data(unsigned id); int add_flow_data(void* data, unsigned id, AppIdFreeFCN); int add_flow_data_id(uint16_t port, ServiceDetector*); @@ -297,9 +292,6 @@ private: void delete_session_data(); bool is_ssl_decryption_enabled(); - void set_session_logging_state(const snort::Packet*, int direction); - void create_session_logging_id(int direction, snort::Packet*); - static THREAD_LOCAL uint32_t appid_flow_data_id; AppId application_ids[APP_PROTOID_MAX]; AppIdInspector& inspector; diff --git a/src/network_inspectors/appid/client_plugins/client_discovery.cc b/src/network_inspectors/appid/client_plugins/client_discovery.cc index 11423c8af..8140e991b 100644 --- a/src/network_inspectors/appid/client_plugins/client_discovery.cc +++ b/src/network_inspectors/appid/client_plugins/client_discovery.cc @@ -27,9 +27,12 @@ #include +#include "profiler/profiler.h" +#include "protocols/packet.h" + #include "app_info_table.h" +#include "appid_debug.h" #include "appid_session.h" -#include "thirdparty_appid_utils.h" #include "client_app_aim.h" #include "client_app_bit_tracker.h" #include "client_app_bit.h" @@ -46,8 +49,7 @@ #include "detector_plugins/detector_pop3.h" #include "detector_plugins/detector_sip.h" #include "detector_plugins/detector_smtp.h" -#include "protocols/packet.h" -#include "profiler/profiler.h" +#include "thirdparty_appid_utils.h" using namespace snort; @@ -286,9 +288,9 @@ int ClientDiscovery::exec_client_detectors(AppIdSession& asd, Packet* p, int dir { AppIdDiscoveryArgs disco_args(p->data, p->dsize, direction, asd, p); ret = asd.client_detector->validate(disco_args); - if (asd.session_logging_enabled) + if (appidDebug->is_active()) LogMessage("AppIdDbg %s %s client detector returned %d\n", - asd.session_logging_id, asd.client_detector->get_name().c_str(), ret); + appidDebug->get_debug_session(), asd.client_detector->get_name().c_str(), ret); } else { @@ -296,9 +298,9 @@ int ClientDiscovery::exec_client_detectors(AppIdSession& asd, Packet* p, int dir { AppIdDiscoveryArgs disco_args(p->data, p->dsize, direction, asd, p); int result = kv->second->validate(disco_args); - if (asd.session_logging_enabled) + if (appidDebug->is_active()) LogMessage("AppIdDbg %s %s client detector returned %d\n", - asd.session_logging_id, kv->second->get_name().c_str(), result); + appidDebug->get_debug_session(), kv->second->get_name().c_str(), result); if (result == APPID_SUCCESS) { @@ -430,9 +432,9 @@ bool ClientDiscovery::do_client_discovery(AppIdSession& asd, Packet* p, int dire } } - if ( asd.session_logging_enabled ) + if ( appidDebug->is_active() ) if ( !was_http2 && asd.is_http2 ) - LogMessage("AppIdDbg %s Got a preface for HTTP/2\n", asd.session_logging_id); + LogMessage("AppIdDbg %s Got a preface for HTTP/2\n", appidDebug->get_debug_session()); if ( !was_service && asd.is_service_detected() ) asd.sync_with_snort_protocol_id(asd.service.get_id(), p); diff --git a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h index 808f3a9cc..9293c7827 100644 --- a/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h +++ b/src/network_inspectors/appid/detector_plugins/test/detector_plugins_mock.h @@ -55,7 +55,6 @@ public: }; // Stubs for modules, config -AppIdModuleConfig::AppIdModuleConfig() {} AppIdModuleConfig::~AppIdModuleConfig() {} AppIdModule::AppIdModule() : Module("a", "b") {} @@ -72,6 +71,10 @@ bool AppIdModule::end(const char*, int, snort::SnortConfig*) { return false; } +const Command* AppIdModule::get_commands() const +{ + return nullptr; +} const PegInfo* AppIdModule::get_pegs() const { return nullptr; diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc index e09cf3fb5..ede8479c2 100644 --- a/src/network_inspectors/appid/service_plugins/service_discovery.cc +++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc @@ -27,12 +27,24 @@ #include +#include "profiler/profiler.h" +#include "protocols/packet.h" +#include "protocols/tcp.h" + +#include "app_info_table.h" #include "appid_config.h" +#include "appid_debug.h" #include "appid_dns_session.h" #include "appid_session.h" -#include "app_info_table.h" +#include "detector_plugins/detector_dns.h" +#include "detector_plugins/detector_http.h" +#include "detector_plugins/detector_imap.h" +#include "detector_plugins/detector_kerberos.h" +#include "detector_plugins/detector_pattern.h" +#include "detector_plugins/detector_pop3.h" +#include "detector_plugins/detector_sip.h" +#include "detector_plugins/detector_smtp.h" #include "lua_detector_api.h" - #include "service_battle_field.h" #include "service_bgp.h" #include "service_bit.h" @@ -59,23 +71,11 @@ #include "service_snmp.h" #include "service_ssh.h" #include "service_ssl.h" +#include "service_telnet.h" #include "service_tftp.h" #include "service_timbuktu.h" #include "service_tns.h" -#include "service_telnet.h" #include "thirdparty_appid_utils.h" -#include "detector_plugins/detector_dns.h" -#include "detector_plugins/detector_http.h" -#include "detector_plugins/detector_imap.h" -#include "detector_plugins/detector_kerberos.h" -#include "detector_plugins/detector_pattern.h" -#include "detector_plugins/detector_pop3.h" -#include "detector_plugins/detector_sip.h" -#include "detector_plugins/detector_smtp.h" - -#include "profiler/profiler.h" -#include "protocols/packet.h" -#include "protocols/tcp.h" #ifdef REG_TEST #include "service_regtest.h" @@ -433,6 +433,8 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p, int dir) if ( sds->get_state() == SERVICE_ID_STATE::FAILED ) { + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Failed state, no service match\n", appidDebug->get_debug_session()); fail_service(asd, p, dir, nullptr); return APPID_NOMATCH; } @@ -442,6 +444,14 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p, int dir) /* If a valid service already exists in host tracker, give it a try. */ if ( sds->get_state() == SERVICE_ID_STATE::VALID ) asd.service_detector = sds->get_service(); + + // FIXIT-H: The following logic sets asd.service_detector to sds.service even if + // (state != SEARCHING_BRUTE_FORCE && state != VALID). Need to verify if this is really + // intended as this is diverged from Snort2 logic. Also, when the walking of brute-force + // list is done, we should not do port-pattern again -- which is what this implementation + // is doing! We should do port-pattern only if (!bruteForceDone). See Snort 2.9.11-125 logic. + + /* If we've gotten to brute force, give next detector a try. */ else if ( asd.service_candidates.empty() ) { asd.service_detector = sds->select_detector_by_brute_force(proto); @@ -450,15 +460,17 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p, int dir) } AppIdDiscoveryArgs args(p->data, p->dsize, dir, asd, p); + /* If we already have a service to try, then try it out. */ if ( asd.service_detector ) { ret = asd.service_detector->validate(args); if (ret == APPID_NOT_COMPATIBLE) got_incompatible_services = true; - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s %s returned %d\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s %s returned %d\n", appidDebug->get_debug_session(), asd.service_detector->get_name().c_str(), ret); } + /* Try to find detectors based on ports and patterns. */ else { /* See if we've got more detector(s) to add to the candidate list. */ @@ -480,9 +492,9 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p, int dir) result = service->validate(args); if ( result == APPID_NOT_COMPATIBLE ) got_incompatible_services = true; - if ( asd.session_logging_enabled ) + if ( appidDebug->is_active() ) LogMessage("AppIdDbg %s %s returned %d\n", - asd.session_logging_id, service->get_name().c_str(), result); + appidDebug->get_debug_session(), service->get_name().c_str(), result); if ( result == APPID_SUCCESS ) { @@ -515,8 +527,8 @@ int ServiceDiscovery::identify_service(AppIdSession& asd, Packet* p, int dir) } else if ( dir == APP_ID_FROM_RESPONDER ) // bidirectional exchange unknown service { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s no service detector\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s No service detector\n", appidDebug->get_debug_session()); fail_service(asd, p, dir, nullptr); ret = APPID_NOMATCH; @@ -617,8 +629,8 @@ bool ServiceDiscovery::do_service_discovery(AppIdSession& asd, Packet* p, int di if ( entry && entry->service_detector && !(entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL) ) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s Stop service detection\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Stop service detection\n", appidDebug->get_debug_session()); asd.stop_rna_service_inspection(p, direction); } } diff --git a/src/network_inspectors/appid/service_plugins/service_rshell.cc b/src/network_inspectors/appid/service_plugins/service_rshell.cc index 35de59274..1abbc5786 100644 --- a/src/network_inspectors/appid/service_plugins/service_rshell.cc +++ b/src/network_inspectors/appid/service_plugins/service_rshell.cc @@ -25,10 +25,12 @@ #include "service_rshell.h" -#include "appid_inspector.h" -#include "app_info_table.h" #include "protocols/packet.h" +#include "app_info_table.h" +#include "appid_debug.h" +#include "appid_inspector.h" + #define RSHELL_PORT 514 #define RSHELL_MAX_PORT_PACKET 6 @@ -110,8 +112,8 @@ int RshellServiceDetector::validate(AppIdDiscoveryArgs& args) rd->state = RSHELL_STATE_PORT; } - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s rshell state %d\n", args.session_logging_id, rd->state); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s RSHELL state %d\n", appidDebug->get_debug_session(), rd->state); switch (rd->state) { diff --git a/src/network_inspectors/appid/service_plugins/service_snmp.cc b/src/network_inspectors/appid/service_plugins/service_snmp.cc index ee4d499b1..8af0a4b34 100644 --- a/src/network_inspectors/appid/service_plugins/service_snmp.cc +++ b/src/network_inspectors/appid/service_plugins/service_snmp.cc @@ -25,11 +25,13 @@ #include "service_snmp.h" -#include "appid_inspector.h" -#include "app_info_table.h" #include "log/messages.h" #include "protocols/packet.h" +#include "app_info_table.h" +#include "appid_debug.h" +#include "appid_inspector.h" + #define SNMP_PORT 161 #define SNMP_VERSION_1 0 @@ -418,8 +420,8 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args) if (snmp_verify_packet(&data, data+size, &pdu, &version)) { - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s snmp payload verify failed\n", args.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s SNMP payload verify failed\n", appidDebug->get_debug_session()); if (args.asd.get_session_flags(APPID_SESSION_UDP_REVERSED)) { if (args.dir == APP_ID_FROM_RESPONDER) @@ -436,8 +438,8 @@ int SnmpServiceDetector::validate(AppIdDiscoveryArgs& args) } } - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s snmp state %d\n", args.session_logging_id, sd->state); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s SNMP state %d\n", appidDebug->get_debug_session(), sd->state); switch (sd->state) { diff --git a/src/network_inspectors/appid/service_plugins/service_tftp.cc b/src/network_inspectors/appid/service_plugins/service_tftp.cc index f6de546e5..c99ff1732 100644 --- a/src/network_inspectors/appid/service_plugins/service_tftp.cc +++ b/src/network_inspectors/appid/service_plugins/service_tftp.cc @@ -25,10 +25,12 @@ #include "service_tftp.h" -#include "appid_inspector.h" -#include "app_info_table.h" #include "protocols/packet.h" +#include "app_info_table.h" +#include "appid_debug.h" +#include "appid_inspector.h" + #define TFTP_PORT 69 #define TFTP_COUNT_THRESHOLD 1 #define TFTP_MAX_PACKET_SIZE 512 @@ -139,8 +141,8 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) data_add(args.asd, td, &snort_free); td->state = TFTP_STATE_CONNECTION; } - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s tftp state %d\n", args.session_logging_id, td->state); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s TFTP state %d\n", appidDebug->get_debug_session(), td->state); if (td->state == TFTP_STATE_CONNECTION && args.dir == APP_ID_FROM_RESPONDER) goto fail; @@ -212,12 +214,12 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) case TFTP_STATE_TRANSFER: if ((mode=tftp_verify_header(data, size, &block)) < 0) { - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s tftp failed to verify\n", args.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s TFTP failed to verify\n", appidDebug->get_debug_session()); goto fail; } - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s tftp mode %d and block %u\n", args.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s TFTP mode %d and block %u\n", appidDebug->get_debug_session(), mode, (unsigned)block); if (mode == TFTP_STATE_ACK) { @@ -255,13 +257,13 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) goto fail; else { - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s tftp failed to verify\n", args.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s TFTP failed to verify\n", appidDebug->get_debug_session()); goto bail; } } - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s tftp mode %d\n", args.session_logging_id, mode); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s TFTP mode %d\n", appidDebug->get_debug_session(), mode); if (mode == TFTP_STATE_ERROR) { td->state = TFTP_STATE_TRANSFER; @@ -269,8 +271,8 @@ int TftpServiceDetector::validate(AppIdDiscoveryArgs& args) } if (args.dir == APP_ID_FROM_INITIATOR && mode != TFTP_STATE_DATA) { - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s tftp bad mode\n", args.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s TFTP bad mode\n", appidDebug->get_debug_session()); goto bail; } if (args.dir == APP_ID_FROM_RESPONDER && mode != TFTP_STATE_ACK) @@ -318,8 +320,8 @@ inprocess: return APPID_INPROCESS; success: - if (args.session_logging_enabled) - LogMessage("AppIdDbg %s tftp success\n", args.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s TFTP success\n", appidDebug->get_debug_session()); return add_service(args.asd, args.pkt, args.dir, APP_ID_TFTP); bail: diff --git a/src/network_inspectors/appid/service_state.cc b/src/network_inspectors/appid/service_state.cc index 437654fd2..5d3366edc 100644 --- a/src/network_inspectors/appid/service_state.cc +++ b/src/network_inspectors/appid/service_state.cc @@ -27,12 +27,14 @@ #include -#include "service_plugins/service_detector.h" #include "log/messages.h" #include "sfip/sf_ip.h" #include "time/packet_time.h" #include "utils/util.h" +#include "appid_debug.h" +#include "service_plugins/service_detector.h" + using namespace snort; ServiceDiscoveryState::ServiceDiscoveryState() @@ -53,6 +55,8 @@ ServiceDetector* ServiceDiscoveryState::select_detector_by_brute_force(IpProtoco { if ( state == SERVICE_ID_STATE::SEARCHING_BRUTE_FORCE ) { + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Brute-force state\n", appidDebug->get_debug_session()); if ( !brute_force_mgr ) brute_force_mgr = new AppIdDetectorList(proto); diff --git a/src/network_inspectors/appid/test/CMakeLists.txt b/src/network_inspectors/appid/test/CMakeLists.txt index 3cd624de3..f8c9f47e7 100644 --- a/src/network_inspectors/appid/test/CMakeLists.txt +++ b/src/network_inspectors/appid/test/CMakeLists.txt @@ -22,3 +22,7 @@ add_cpputest( appid_http_event_test SOURCES $ ) +add_cpputest( appid_debug_test + SOURCES $ +) + diff --git a/src/network_inspectors/appid/test/appid_debug_test.cc b/src/network_inspectors/appid/test/appid_debug_test.cc new file mode 100644 index 000000000..f7df9658a --- /dev/null +++ b/src/network_inspectors/appid/test/appid_debug_test.cc @@ -0,0 +1,489 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- + +// appid_debug_test.cc author Mike Stepanek + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "network_inspectors/appid/appid_debug.cc" + +#include +#include + +#include "flow/flow.h" +#include "network_inspectors/appid/appid_session.h" + +#include "appid_mock_definitions.h" + +#include +#include + +// Mocks + +class AppIdInspector +{ +public: + AppIdInspector() { } +}; + +FlowData::FlowData(unsigned, Inspector*) { } +FlowData::~FlowData() { } + +AppIdSession::AppIdSession(IpProtocol, const SfIp*, uint16_t, AppIdInspector& inspector) + : FlowData(0), inspector(inspector) { } +AppIdSession::~AppIdSession() { } + +// Utility functions + +static void SetConstraints(IpProtocol protocol, // use IpProtocol::PROTO_NOT_SET for "any" + const char* sipstr, uint16_t sport, + const char* dipstr, uint16_t dport, + AppIdDebugSessionConstraints& constraints) +{ + SfIp sip, dip; + if (sipstr) + sip.set(sipstr); + if (dipstr) + dip.set(dipstr); + + constraints.protocol = protocol; + if (sip.is_set()) + { + memcpy(&constraints.sip, sip.get_ip6_ptr(), sizeof(constraints.sip)); + constraints.sip_flag = true; + } + if (dip.is_set()) + { + memcpy(&constraints.dip, dip.get_ip6_ptr(), sizeof(constraints.dip)); + constraints.dip_flag = true; + } + constraints.sport = sport; + constraints.dport = dport; +} + +// Tests + +TEST_GROUP(appid_debug) +{ + void setup() override + { + appidDebug = new AppIdDebug(3); + } + + void teardown() override + { + delete appidDebug; + } +}; + +// This matches the basic pcap/expect regression test that we have for this command. +TEST(appid_debug, basic_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints); + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.1.2.3"); + dip.set("10.9.8.7"); + uint16_t sport = 48620; + uint16_t dport = 80; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = sport; + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Test matching a packet in reverse direction (from constraints). +TEST(appid_debug, reverse_direction_activate_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints); + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.9.8.7"); // this would be a reply back + dip.set("10.1.2.3"); + uint16_t sport = 80; + uint16_t dport = 48620; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = dport; // session initiator is now dst + session.common.initiator_ip = dip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Test IPv6 matches. +TEST(appid_debug, ipv6_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::UDP, "2001:db8:85a3::8a2e:370:7334", 1234, "2001:db8:85a3::8a2e:370:7335", 443, constraints); + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("2001:db8:85a3::8a2e:370:7334"); // IPv6 + dip.set("2001:db8:85a3::8a2e:370:7335"); + uint16_t sport = 1234; + uint16_t dport = 443; + IpProtocol protocol = IpProtocol::UDP; // also threw in UDP and address space ID for kicks + uint16_t address_space_id = 100; + // The session... + session.common.initiator_port = sport; + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "2001:db8:85a3::8a2e:370:7334 1234 -> 2001:db8:85a3::8a2e:370:7335 443 17 AS=100 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Test matching on session initiator IP (rather than port). +TEST(appid_debug, no_initiator_port_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints); + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.1.2.3"); + dip.set("10.9.8.7"); + uint16_t sport = 48620; + uint16_t dport = 80; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = 0; // no initiator port yet (uses IPs) + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Test matching on session initiator IP (reverse direction packet). +TEST(appid_debug, no_initiator_port_reversed_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints); + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.9.8.7"); + dip.set("10.1.2.3"); + uint16_t sport = 80; + uint16_t dport = 48620; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = 0; // no initiator port yet (uses IPs)... and reversed packet dir from above + session.common.initiator_ip = dip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Check for null session pointer (won't activate). +TEST(appid_debug, null_session_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints); + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + uint16_t sport = 0; + uint16_t dport = 0; + IpProtocol protocol = IpProtocol::PROTO_NOT_SET; + uint16_t address_space_id = 0; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, + nullptr, false); // null session + CHECK_EQUAL(appidDebug->is_active(), false); // not active +} + +// Check for null flow pointer (won't activate). +TEST(appid_debug, null_flow_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints); + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + // activate() + appidDebug->activate(nullptr, nullptr, false); // null flow (and session) + CHECK_EQUAL(appidDebug->is_active(), false); // not active +} + +// Check a packet that doesn't get a match to constraints (won't activate). +TEST(appid_debug, no_match_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, nullptr, 0, nullptr, 0, constraints); // just TCP + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.1.2.3"); + dip.set("10.9.8.7"); + uint16_t sport = 48620; + uint16_t dport = 80; + IpProtocol protocol = IpProtocol::UDP; // but this packet is UDP instead + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = sport; + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), false); // not active (no match) +} + +// Set all constraints (must match all). +TEST(appid_debug, all_constraints_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, "10.1.2.3", 48620, "10.9.8.7", 80, constraints); // must match all constraints + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.1.2.3"); + dip.set("10.9.8.7"); + uint16_t sport = 48620; + uint16_t dport = 80; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = sport; + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Only set protocol in constraints. +TEST(appid_debug, just_proto_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::TCP, nullptr, 0, nullptr, 0, constraints); // only need to match proto + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.1.2.3"); + dip.set("10.9.8.7"); + uint16_t sport = 48620; + uint16_t dport = 80; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = sport; + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Only set IP in constraints. +TEST(appid_debug, just_ip_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::PROTO_NOT_SET, nullptr, 0, "10.9.8.7", 0, constraints); // only need to match (dst) IP + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.1.2.3"); + dip.set("10.9.8.7"); + uint16_t sport = 48620; + uint16_t dport = 80; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = sport; + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Only set port in constraints. +TEST(appid_debug, just_port_test) +{ + // set_constraints() + AppIdDebugSessionConstraints constraints = { }; + SetConstraints(IpProtocol::PROTO_NOT_SET, nullptr, 0, nullptr, 80, constraints); // just need to match (dst) port + appidDebug->set_constraints("appid", &constraints); + CHECK_EQUAL(appidDebug->is_enabled(), true); + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.1.2.3"); + dip.set("10.9.8.7"); + uint16_t sport = 48620; + uint16_t dport = 80; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = sport; + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), true); + + // get_debug_session() + const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3"; + CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0); +} + +// Clear constraints (disables it so it won't activate). +TEST(appid_debug, clear_constraints_test) +{ + // set_constraints() + appidDebug->set_constraints("appid", nullptr); // clear constraints + CHECK_EQUAL(appidDebug->is_enabled(), false); // disabled + + SfIp sip; + SfIp dip; + AppIdInspector inspector; + AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector); + // This packet... + sip.set("10.1.2.3"); + dip.set("10.9.8.7"); + uint16_t sport = 48620; + uint16_t dport = 80; + IpProtocol protocol = IpProtocol::TCP; + uint16_t address_space_id = 0; + // The session... + session.common.initiator_port = sport; + session.common.initiator_ip = sip; + // activate() + appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport, + protocol, address_space_id, &session, false); + CHECK_EQUAL(appidDebug->is_active(), false); // won't activate (since disabled) +} + +int main(int argc, char** argv) +{ + int rc = CommandLineTestRunner::RunAllTests(argc, argv); + return rc; +} diff --git a/src/network_inspectors/appid/thirdparty_appid_utils.cc b/src/network_inspectors/appid/thirdparty_appid_utils.cc index d3e97d772..124d1b5bc 100644 --- a/src/network_inspectors/appid/thirdparty_appid_utils.cc +++ b/src/network_inspectors/appid/thirdparty_appid_utils.cc @@ -27,19 +27,20 @@ #include +#include "log/messages.h" +#include "main/snort_debug.h" +#include "profiler/profiler.h" +#include "protocols/packet.h" +#include "stream/stream.h" + +#include "app_info_table.h" #include "appid_config.h" +#include "appid_debug.h" #include "appid_http_session.h" #include "appid_inspector.h" -#include "app_info_table.h" #include "detector_plugins/http_url_patterns.h" #include "service_plugins/service_ssl.h" -#include "protocols/packet.h" -#include "main/snort_debug.h" -#include "log/messages.h" -#include "profiler/profiler.h" -#include "stream/stream.h" - using namespace snort; #define MODULE_SYMBOL "thirdparty_appid_impl_module" @@ -272,14 +273,14 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* if (ThirdPartyAppIDFoundProto(APP_ID_HTTP, proto_list)) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s flow is HTTP\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s HTTP flow\n", appidDebug->get_debug_session()); asd.set_session_flags(APPID_SESSION_HTTP_SESSION); } if (ThirdPartyAppIDFoundProto(APP_ID_SPDY, proto_list)) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s flow is SPDY\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s SPDY flow\n", appidDebug->get_debug_session()); asd.set_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION); } @@ -341,8 +342,8 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* hsession->set_field_offset(REQ_HOST_FID, attribute_data->spdyRequestHostOffset); hsession->set_field_end_offset(REQ_HOST_FID, attribute_data->spdyRequestHostEndOffset); - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s SPDY Host (%u-%u) is %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s SPDY host (%u-%u) is %s\n", appidDebug->get_debug_session(), hsession->get_field_offset(REQ_HOST_FID), hsession->get_field_end_offset(REQ_HOST_FID), hsession->get_host()); asd.scan_flags |= SCAN_HTTP_HOST_URL_FLAG; @@ -359,8 +360,8 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* //attribute_data->spdyRequestPath = nullptr; hsession->set_field_offset(REQ_URI_FID, attribute_data->spdyRequestPathOffset); hsession->set_field_end_offset(REQ_URI_FID, attribute_data->spdyRequestPathEndOffset); - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s SPDY URI (%u-%u) is %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s SPDY URI (%u-%u) is %s\n", appidDebug->get_debug_session(), hsession->get_field_offset(REQ_URI_FID), hsession->get_field_end_offset(REQ_URI_FID), hsession->get_uri()); } @@ -379,9 +380,10 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* hsession->set_field_end_offset(REQ_HOST_FID, attribute_data->httpRequestHostEndOffset); // FIXIT-M do we need to free this memeory and set to null //attribute_data->httpRequestHost = nullptr; - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s HTTP host is %s\n", - asd.session_logging_id, attribute_data->httpRequestHost); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s HTTP host (%u-%u) is %s\n", + appidDebug->get_debug_session(), hsession->get_field_offset(REQ_HOST_FID), + hsession->get_field_end_offset(REQ_HOST_FID), attribute_data->httpRequestHost); asd.scan_flags |= SCAN_HTTP_HOST_URL_FLAG; } @@ -427,8 +429,8 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* hsession->set_field_end_offset(REQ_URI_FID, attribute_data->httpRequestUriEndOffset); snort_free(attribute_data->httpRequestUri); attribute_data->httpRequestUri = nullptr; - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s uri (%u-%u) is %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s URI (%u-%u) is %s\n", appidDebug->get_debug_session(), hsession->get_field_offset(REQ_URI_FID), hsession->get_field_end_offset(REQ_URI_FID), hsession->get_uri()); } @@ -469,20 +471,24 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* strlen(attribute_data->httpRequestUserAgent)); snort_free(attribute_data->httpRequestUserAgent); attribute_data->httpRequestUserAgent = nullptr; + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s User Agent (%u-%u) is %s\n", + appidDebug->get_debug_session(), hsession->get_field_offset(REQ_AGENT_FID), + hsession->get_field_end_offset(REQ_AGENT_FID), hsession->get_user_agent()); asd.scan_flags |= SCAN_HTTP_USER_AGENT_FLAG; } // Check to see if third party discovered HTTP/2. - once it supports it... if (attribute_data->httpResponseVersion) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s HTTP response version is %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s HTTP response version is %s\n", appidDebug->get_debug_session(), attribute_data->httpResponseVersion); if (strncmp(attribute_data->httpResponseVersion, "HTTP/2", 6) == 0) { - if (asd.session_logging_enabled) + if (appidDebug->is_active()) LogMessage("AppIdDbg %s 3rd party detected and parsed HTTP/2\n", - asd.session_logging_id); + appidDebug->get_debug_session()); asd.is_http2 = true; } snort_free(attribute_data->httpResponseVersion); @@ -490,8 +496,8 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* } if (attribute_data->httpResponseCode) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s HTTP response code is %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s HTTP response code is %s\n", appidDebug->get_debug_session(), attribute_data->httpResponseCode); if (hsession->get_response_code()) if (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT)) @@ -506,17 +512,17 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* // asks the server to upgrade to HTTP/2). if (attribute_data->httpResponseUpgrade) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s HTTP response upgrade is %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s HTTP response upgrade is %s\n", appidDebug->get_debug_session(), attribute_data->httpResponseUpgrade); if (asd.config->mod_config->http2_detection_enabled) if ( hsession->get_response_code() && (strncmp(hsession->get_response_code(), "101", 3) == 0) ) if (strncmp(attribute_data->httpResponseUpgrade, "h2c", 3) == 0) { - if (asd.session_logging_enabled) + if (appidDebug->is_active()) LogMessage("AppIdDbg %s Got an upgrade to HTTP/2\n", - asd.session_logging_id); + appidDebug->get_debug_session()); asd.is_http2 = true; } snort_free(attribute_data->httpResponseUpgrade); @@ -524,9 +530,6 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* } if (attribute_data->httpRequestReferer) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s referrer is %s\n", asd.session_logging_id, - attribute_data->httpRequestReferer); if (hsession->get_referer()) if (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT)) hsession->set_chp_finished(false); @@ -537,8 +540,8 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* attribute_data->httpRequestReferer = nullptr; hsession->set_field_offset(REQ_REFERER_FID, attribute_data->httpRequestRefererOffset); hsession->set_field_end_offset(REQ_REFERER_FID, attribute_data->httpRequestRefererEndOffset); - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s Referer (%u-%u) is %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Referrer (%u-%u) is %s\n", appidDebug->get_debug_session(), hsession->get_field_offset(REQ_REFERER_FID), hsession->get_field_end_offset(REQ_REFERER_FID), hsession->get_referer()); @@ -558,8 +561,8 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* attribute_data->httpRequestCookie = nullptr; attribute_data->httpRequestCookieOffset = 0; attribute_data->httpRequestCookieEndOffset = 0; - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s cookie (%u-%u) is %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Cookie (%u-%u) is %s\n", appidDebug->get_debug_session(), hsession->get_field_offset(REQ_COOKIE_FID), hsession->get_field_offset(REQ_COOKIE_FID), hsession->get_cookie()); @@ -592,8 +595,8 @@ static void ProcessThirdPartyResults(AppIdSession& asd, int confidence, AppId* if (attribute_data->httpRequestBody) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s got a request body %s\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Got a request body %s\n", appidDebug->get_debug_session(), attribute_data->httpRequestBody); if (hsession->get_req_body()) if (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT)) @@ -795,9 +798,9 @@ bool do_third_party_discovery(AppIdSession& asd, IpProtocol protocol, const SfIp { asd.tp_reinspect_by_initiator = true; asd.set_session_flags(APPID_SESSION_APP_REINSPECT); - if (asd.session_logging_enabled) + if (appidDebug->is_active()) LogMessage("AppIdDbg %s 3rd party allow reinspect http\n", - asd.session_logging_id); + appidDebug->get_debug_session()); asd.reset_session_data(); } @@ -808,8 +811,8 @@ bool do_third_party_discovery(AppIdSession& asd, IpProtocol protocol, const SfIp if ( p->ptrs.ip_api.tos() == 8 ) { asd.payload.set_id(APP_ID_SFTP); - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s data is SFTP\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s Payload is SFTP\n", appidDebug->get_debug_session()); } } @@ -845,16 +848,16 @@ bool do_third_party_discovery(AppIdSession& asd, IpProtocol protocol, const SfIp TP_STATE_CLASSIFIED) asd.clear_session_flags(APPID_SESSION_APP_REINSPECT); - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s 3rd party returned %d\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s 3rd party returned %d\n", appidDebug->get_debug_session(), asd.tp_app_id); // For now, third party can detect HTTP/2 (w/o metadata) for // some cases. Treat it like HTTP w/ is_http2 flag set. if ((asd.tp_app_id == APP_ID_HTTP2) && (tp_confidence == 100)) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", appidDebug->get_debug_session()); asd.tp_app_id = APP_ID_HTTP; asd.is_http2 = true; @@ -873,8 +876,8 @@ bool do_third_party_discovery(AppIdSession& asd, IpProtocol protocol, const SfIp if (asd.app_info_mgr->get_app_info_flags(asd.tp_app_id, APPINFO_FLAG_IGNORE)) { - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s 3rd party ignored\n", asd.session_logging_id); + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s 3rd party ignored\n", appidDebug->get_debug_session()); if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION)) asd.tp_app_id = APP_ID_HTTP; @@ -885,12 +888,12 @@ bool do_third_party_discovery(AppIdSession& asd, IpProtocol protocol, const SfIp else { asd.tp_app_id = APP_ID_NONE; - if (asd.session_logging_enabled && !asd.get_session_flags( + if (appidDebug->is_active() && !asd.get_session_flags( APPID_SESSION_TPI_OOO_LOGGED)) { asd.set_session_flags(APPID_SESSION_TPI_OOO_LOGGED); LogMessage("AppIdDbg %s 3rd party packet out-of-order\n", - asd.session_logging_id); + appidDebug->get_debug_session()); } } @@ -974,17 +977,17 @@ bool do_third_party_discovery(AppIdSession& asd, IpProtocol protocol, const SfIp //SSL policy determines IMAPS/POP3S etc before appId sees first server // packet asd.service.set_port_service_id(porAppId); - if (asd.session_logging_enabled) + if (appidDebug->is_active()) LogMessage("AppIdDbg %s SSL is service %d, portServiceAppId %d\n", - asd.session_logging_id, + appidDebug->get_debug_session(), asd.tp_app_id, asd.service.get_port_service_id()); } else { asd.tp_payload_app_id = asd.tp_app_id; asd.tp_app_id = porAppId; - if (asd.session_logging_enabled) - LogMessage("AppIdDbg %s SSL is %d\n", asd.session_logging_id, + if (appidDebug->is_active()) + LogMessage("AppIdDbg %s SSL is %d\n", appidDebug->get_debug_session(), asd.tp_app_id); } snort_app_id = APP_ID_SSL; -- 2.47.3