Merge pull request #1071 in SNORT/snort3 from appid_http_disco_state to master
authorRuss Combs (rucombs) <rucombs@cisco.com>
Fri, 17 Nov 2017 21:31:22 +0000 (16:31 -0500)
committerRuss Combs (rucombs) <rucombs@cisco.com>
Fri, 17 Nov 2017 21:31:22 +0000 (16:31 -0500)
Squashed commit of the following:

commit 9e99c3f473209630b888abebfc4910ca2c6b1583
Author: davis mcpherson <davmcphe.cisco.com>
Date:   Fri Nov 17 09:03:29 2017 -0500

    appid: patch to update the appid discovery state when an http event results in setting of the service id for a flow

    suppress warnings for valid case statement fall throughs

    only update session flags and discovery state if service id actually set to http

src/network_inspectors/appid/appid_app_descriptor.h
src/network_inspectors/appid/appid_http_event_handler.cc
src/network_inspectors/appid/appid_peg_counts.cc
src/network_inspectors/appid/appid_peg_counts.h
src/network_inspectors/appid/detector_plugins/detector_kerberos.cc
src/network_inspectors/appid/detector_plugins/detector_pop3.cc
src/network_inspectors/appid/detector_plugins/detector_smtp.cc
src/network_inspectors/appid/detector_plugins/http_url_patterns.cc
src/network_inspectors/appid/service_plugins/service_rpc.cc
src/network_inspectors/appid/service_plugins/service_ssh.cc

index 74bdd58078b99b73617552a1ce43aa9ee55474d3..92dd09080ad9c4b9572ee27c71ba62de3c444753 100644 (file)
@@ -64,7 +64,10 @@ public:
         if ( my_id != app_id )
         {
             my_id = app_id;
-            update_stats(app_id);
+            if ( app_id > APP_ID_NONE )
+                update_stats(app_id);
+            else if ( app_id == APP_ID_UNKNOWN )
+                AppIdPegCounts::inc_disco_peg(AppIdPegCounts::DiscoveryPegs::APPID_UNKNOWN);
         }
     }
 
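Review bot: The new guards skip the counters for every id at or below APP_ID_NONE, but nothing visible bounds the id from above or explains why values below APP_ID_NONE other than APP_ID_UNKNOWN are dropped without a count. If update_stats, inc_service_count and inc_user_count use the id to select a per-application counter (their bodies are not in this diff), the upper bound should be checked next to the lower one or inside those helpers. The same lower-bound guard is repeated in the two following hunks of this file (`port_service_id` and `my_user_id`), where APP_ID_UNKNOWN is not counted at all. A comment on the first guard such as `// ids <= APP_ID_NONE are sentinels, not counter indices; only APP_ID_UNKNOWN gets its own peg` would record the intent. The enclosing setters start before each hunk.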
@@ -122,7 +125,8 @@ public:
         if ( id != port_service_id )
         {
             port_service_id = id;
-            AppIdPegCounts::inc_service_count(id);
+            if ( id > APP_ID_NONE )
+                AppIdPegCounts::inc_service_count(id);
         }
     }
 
@@ -150,7 +154,8 @@ public:
         if ( my_user_id != app_id )
         {
             my_user_id = app_id;
-            AppIdPegCounts::inc_user_count(app_id);
+            if ( app_id > APP_ID_NONE )
+                AppIdPegCounts::inc_user_count(app_id);
         }
     }
 
index f43616baa10d70d76e17a831826ddb352567d9e6..fe7453562d88cddafc883a69b5462f1ee2726dd6 100644 (file)
@@ -168,9 +168,14 @@ void HttpEventHandler::handle(DataEvent& event, Flow* flow)
     }
 
     session->hsession->process_http_packet(direction);
-    session->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION);
-    session->set_application_ids(session->pick_service_app_id(),
+    if (session->service.get_id() == APP_ID_HTTP)
+    {
+        session->set_session_flags(APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_HTTP_SESSION);
+        session->set_application_ids(session->pick_service_app_id(),
         session->pick_client_app_id(), session->pick_payload_app_id(),
         session->pick_misc_app_id());
+        session->service_disco_state = APPID_DISCO_STATE_FINISHED;
+    }
+
 }
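Review bot: When `session->service.get_id()` is not APP_ID_HTTP the handler now returns without setting flags or application ids and without any counter or trace, so an HTTP event on a flow carrying a different service id leaves nothing for someone later investigating a missed identification. The condition also depends on the service id having been set before this point, presumably by `process_http_packet`, whose body is not visible here; a one-line comment on the `if` naming that call would make the ordering dependency explicit. `session->service_disco_state = APPID_DISCO_STATE_FINISHED` ends service discovery for the flow on a single HTTP event, which deserves a comment if later traffic on the same flow can still change protocol. On style, the two continuation lines of `set_application_ids` keep their old indentation inside the new block and a blank line is left before the closing brace.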
 
index d0c2c8dbb5f7afe8a9ef6559dc6eba6678fab945..bba3f6e160e46dff5b5d399771c28aa60d9f18fc 100644 (file)
@@ -39,6 +39,7 @@ std::vector<PegInfo> AppIdPegCounts::appid_pegs =
     { CountType::SUM, "processed_packets", "count of packets processed" },
     { CountType::SUM, "ignored_packets", "count of packets ignored" },
     { CountType::SUM, "total_sessions", "count of sessions created" },
+    { CountType::SUM, "appid_unknown", "count of sessions where appid could not be determined" },
 };
 
 THREAD_LOCAL std::vector<PegCount>* AppIdPegCounts::appid_peg_counts;
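Review bot: The new `appid_unknown` entry appears to be correct only while its position in `appid_pegs` matches `DiscoveryPegs::APPID_UNKNOWN` in appid_peg_counts.h, and neither hunk enforces that pairing. A comment above the table such as `// order must match AppIdPegCounts::DiscoveryPegs`, or a startup check that the number of fixed entries equals `NUM_APPID_GLOBAL_PEGS`, would catch a later insert in the middle of either list. The help text says "sessions", while the increment added in appid_app_descriptor.h fires on each change of the id to APP_ID_UNKNOWN; if one session can do that more than once the description overstates what the counter means. The table starts before the hunk.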
index ffafb5b357b6d3ca64f2475f81ec1657f9091769..de6e283dcb758e8b275317fe1d4a846f8e9c7786 100644 (file)
@@ -49,6 +49,7 @@ public:
         PROCESSED_PACKETS,
         IGNORED_PACKETS,
         TOTAL_SESSIONS,
+        APPID_UNKNOWN,
         NUM_APPID_GLOBAL_PEGS
     };
 
index 3d23d20209449251f08d8d7172f784a41bec4119..83b3e7196c7e6120d85749bcc8ca2ddf3f32e28e 100644 (file)
@@ -169,7 +169,8 @@ static int krb_walk_server_packet(KRBState* krbs, const uint8_t* s, const uint8_
                 return KRB_FAILED;
             krbs->state = KRB_STATE_VERSION_2;
             krbs->pos = 0;
-        case KRB_STATE_VERSION_2:
+            // fallthrough
+       case KRB_STATE_VERSION_2:
             if (*s != KRB_SERVER_VERSION[krbs->pos])
                 return KRB_FAILED;
             krbs->pos++;
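Review bot: The `case KRB_STATE_VERSION_2:` label is re-added with seven spaces of indentation instead of the original eight, so a comment-only change also rewrites the label line and leaves it misaligned with its siblings. The same one-column shift appears in the other `krb_walk_server_packet` and `krb_walk_client_packet` hunks that replace a label, on `case 520:` in detector_smtp.cc and on `case APP_ID_WINDOWS_MEDIA_PLAYER:` in http_url_patterns.cc. The client-side VERSION_2 hunk shows the intended form, where only `// fallthrough` is added. Because these state machines walk packet bytes, the marker could also say what the fallthrough relies on, for example `// fallthrough: the current byte is the first one checked in VERSION_2`, which is what the visible lines suggest. The function body extends beyond the hunk.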
@@ -252,7 +253,8 @@ static int krb_walk_server_packet(KRBState* krbs, const uint8_t* s, const uint8_
             if (krbs->msg_len < krbs->len)
                 return KRB_FAILED;
             krbs->state = KRB_STATE_FIELD_DATA_2;
-        case KRB_STATE_FIELD_DATA_2:
+            // fallthrough
+       case KRB_STATE_FIELD_DATA_2:
             if (krbs->len <= 1)
             {
                 if (krbs->msg_len <= 1)
@@ -282,7 +284,8 @@ static int krb_walk_server_packet(KRBState* krbs, const uint8_t* s, const uint8_
                 return KRB_FAILED;
             krbs->state = KRB_STATE_CNAME_TYPE_2;
             krbs->pos = 0;
-        case KRB_STATE_CNAME_TYPE_2:
+            // fallthrough
+       case KRB_STATE_CNAME_TYPE_2:
             if (*s != KRB_CNAME_TYPE[krbs->pos])
                 return KRB_FAILED;
             krbs->pos++;
@@ -323,7 +326,8 @@ static int krb_walk_server_packet(KRBState* krbs, const uint8_t* s, const uint8_
                 return KRB_FAILED;
             krbs->state = KRB_STATE_CNAME_PRINCIPAL_DATA_2;
             krbs->pos = 0;
-        case KRB_STATE_CNAME_PRINCIPAL_DATA_2:
+            // fallthrough
+       case KRB_STATE_CNAME_PRINCIPAL_DATA_2:
             if (krbs->len)
             {
                 if (krbs->pos < (sizeof(krbs->cname) - 2))
@@ -608,6 +612,7 @@ int KerberosClientDetector::krb_walk_client_packet(KRBState* krbs, const uint8_t
                 return KRB_FAILED;
             krbs->state = KRB_STATE_VERSION_2;
             krbs->pos = 0;
+            // fallthrough
         case KRB_STATE_VERSION_2:
             if (*s != KRB_CLIENT_VERSION[krbs->pos])
                 return KRB_FAILED;
@@ -657,7 +662,8 @@ int KerberosClientDetector::krb_walk_client_packet(KRBState* krbs, const uint8_t
             if (krbs->msg_len < krbs->len)
                 return KRB_FAILED;
             krbs->state = KRB_STATE_FIELD_DATA_2;
-        case KRB_STATE_FIELD_DATA_2:
+            // fallthrough
+       case KRB_STATE_FIELD_DATA_2:
             if (krbs->len <= 1)
             {
                 if (krbs->msg_len <= 1)
@@ -743,7 +749,8 @@ int KerberosClientDetector::krb_walk_client_packet(KRBState* krbs, const uint8_t
                 return KRB_FAILED;
             krbs->state = KRB_STATE_CNAME_TYPE_2;
             krbs->pos = 0;
-        case KRB_STATE_CNAME_TYPE_2:
+            // fallthrough
+       case KRB_STATE_CNAME_TYPE_2:
             if (*s != KRB_CNAME_TYPE[krbs->pos])
                 return KRB_FAILED;
             krbs->pos++;
@@ -784,7 +791,8 @@ int KerberosClientDetector::krb_walk_client_packet(KRBState* krbs, const uint8_t
                 return KRB_FAILED;
             krbs->state = KRB_STATE_CNAME_PRINCIPAL_DATA_2;
             krbs->pos = 0;
-        case KRB_STATE_CNAME_PRINCIPAL_DATA_2:
+            // fallthrough
+       case KRB_STATE_CNAME_PRINCIPAL_DATA_2:
             if (krbs->len)
             {
                 if (krbs->pos < (sizeof(krbs->cname) - 2))
index 8f6c0265038bffc1355d5c681f4b1957f57b1d12..049f0bc4e4c9f587327b1a36171c014f3daad077 100644 (file)
@@ -293,6 +293,8 @@ static int pop3_server_validate(POP3DetectorData* dd, const uint8_t* data, uint1
     case POP3_STATE_CONNECT:
         pd->state = POP3_STATE_RESPONSE;
         begin = data;
+        // fallthrough
+
     case POP3_STATE_RESPONSE:
         if (!begin && data[0] == '+' && data[1] == ' ')
         {
@@ -514,7 +516,7 @@ ven_ver_done:;
             return 0;
         }
         pd->state = POP3_STATE_CONTINUE;
-    /* Fall through */
+        // fallthrough
 
     case POP3_STATE_CONTINUE:
         while (data < end)
@@ -596,7 +598,7 @@ int Pop3ClientDetector::validate(AppIdDiscoveryArgs& args)
         case POP3_CLIENT_STATE_STLS_CMD:
             /* We failed to transition to POP3S - fall back to normal POP3 AUTHORIZATION state */
             fd->state = POP3_CLIENT_STATE_AUTH;
-        // fall through
+            // fallthrough
 
         case POP3_CLIENT_STATE_AUTH:
             switch (pattern_index)
@@ -665,7 +667,8 @@ int Pop3ClientDetector::validate(AppIdDiscoveryArgs& args)
                 fd->state = POP3_CLIENT_STATE_TRANS; // look ahead for normal POP3 commands
                 for (; (s < end) && *s != '\r' && *s != '\n'; s++)
                     ;
-            // having skipped to the end of the line, fall through for the empty-line skip
+                // fallthrough
+                // for the empty-line skip
 
             case PATTERN_AUTHEOC:  // used with subsequent CAPA; no state change;
             case PATTERN_AUTHEOC2:
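Review bot: Splitting the old comment into `// fallthrough` and `// for the empty-line skip` drops the clause "having skipped to the end of the line", which was the part that explained why falling into PATTERN_AUTHEOC is correct here. Keeping the marker on its own line, presumably needed so the compiler's fallthrough-comment matching recognises it, and putting the full reason on the next line preserves both: `// having skipped to the end of the line, continue into the empty-line skip`. In the following hunk the two replacement comment lines sit one level left of the block they follow, unlike the other markers added in this file.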
@@ -686,7 +689,8 @@ int Pop3ClientDetector::validate(AppIdDiscoveryArgs& args)
                         ;
                     break;
                 }
-            // fall through because we are not changing to TRANSACTION state, yet
+            // fallthrough
+            // we are not changing to TRANSACTION state, yet
             default:
             {
                 if (!eoc[pattern_index])
index 616065ef982254c3ebac96c30a36f4b3ceefd64a..8fae5494d8e8e2950aaaaf3867acf76794bdbaf2 100644 (file)
@@ -801,7 +801,8 @@ int SmtpServiceDetector::validate(AppIdDiscoveryArgs& args)
                 if (service_strstr(args.data, args.size,
                     (const uint8_t*)SMTP_CLOSING_CONN, sizeof(SMTP_CLOSING_CONN)-1))
                     goto success;
-            case 520:
+                // fallthrough
+           case 520:
             case 554:
                 fd->state = SMTP_SERVICE_STATE_CONNECTION_ERROR;
                 break;
index 2ea04cbadaefe0890c0abb777d9c90f01d59ab93..4822e697d87dfd917ae758b3ae1070a229822361 100644 (file)
@@ -1239,7 +1239,8 @@ void HttpPatternMatchers::identify_user_agent(const uint8_t* start, int size, Ap
             case APP_ID_PICASA:
                 if (dominant_pattern_detected)
                     break;
-            case APP_ID_WINDOWS_MEDIA_PLAYER:
+                // fallthrough
+           case APP_ID_WINDOWS_MEDIA_PLAYER:
             case APP_ID_BITTORRENT:
                 buffPtr = continue_buffer_scan(start, end, tmp, match);
                 if (!buffPtr)
index 13a20896b7334598747baaec5460bf679cc45419..82237bd704db147bfecff9d973b42c318126a235 100644 (file)
@@ -713,6 +713,7 @@ int RpcServiceDetector::rpc_tcp_validate(AppIdDiscoveryArgs& args)
             {
                 break;
             }
+            // fallthrough
         case RPC_TCP_STATE_VERIFY_DATA:
             length = min(fragsize, rd->tcpauthsize[dir] - rd->tcppos[dir]);
             rd->tcppos[dir] += length;
@@ -790,6 +791,8 @@ int RpcServiceDetector::rpc_tcp_validate(AppIdDiscoveryArgs& args)
             {
                 break;
             }
+            // fallthrough
+
         case RPC_TCP_STATE_PARTIAL:
             if (rd->tcppos[dir] < RPC_MAX_TCP_PACKET_SIZE && fragsize)
             {
index f5b30354b64876bcc1360573700c5562ed8694ce..fed8c3a89333ffd637fb75592c9b2ede4c09c32b 100644 (file)
@@ -180,6 +180,7 @@ static int ssh_validate_pubkey(const uint8_t* data, uint16_t size,
             else
                 ss->plen = 0;
             ss->oldhstate = OLD_SSH_HEADER_FIND_CODE;
+            // fallthrough
         case OLD_SSH_HEADER_FIND_CODE:
             if (ss->pos == ss->plen + sizeof(skx->len))
             {