appid_app_descriptor.h
appid_config.cc
appid_config.h
+ appid_debug.cc
+ appid_debug.h
appid_detector.cc
appid_detector.h
appid_discovery.cc
sc->proto_ref->add("tftp");
}
-AppIdModuleConfig::AppIdModuleConfig()
-{
- session_log_filter.sip.clear();
- session_log_filter.dip.clear();
-}
-
AppIdModuleConfig::~AppIdModuleConfig()
{
#ifdef USE_RNA_CONFIG
snort::ip::snort_in6_addr netmask;
};
-struct AppIdSessionLogFilter
-{
- AppIdSessionLogFilter()
- {
- sip.clear();
- dip.clear();
- }
-
- snort::SfIp sip;
- bool sip_flag = false;
- snort::SfIp dip;
- bool dip_flag = false;
- uint16_t sport = 0;
- uint16_t dport = 0;
- PktType protocol = PktType::NONE;
- bool log_all_sessions = false;
-};
-
class AppIdModuleConfig
{
public:
- AppIdModuleConfig();
+ AppIdModuleConfig() = default;
~AppIdModuleConfig();
#ifdef USE_RNA_CONFIG
uint32_t memcap = 0;
bool debug = false;
bool dump_ports = false;
- AppIdSessionLogFilter session_log_filter;
+ bool log_all_sessions = false;
bool safe_search_enabled = true;
bool dns_host_reporting = true;
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_debug.cc author Mike Stepanek <mstepane@cisco.com>
+// Created on: March 6, 2018
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "appid_debug.h"
+
+#include "flow/flow_key.h"
+#include "log/messages.h"
+
+#include "appid_config.h"
+#include "appid_session.h"
+
+using namespace snort;
+THREAD_LOCAL AppIdDebug* appidDebug = nullptr;
+
+void AppIdDebug::activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t port1, uint16_t port2, IpProtocol protocol,
+ uint16_t address_space_id, const AppIdSession* session, bool log_all_sessions)
+{
+ if ((log_all_sessions) ||
+ (enabled && (info.protocol == IpProtocol::PROTO_NOT_SET || info.protocol == protocol) &&
+ (((!info.sport || info.sport == port1) && (!info.dport || info.dport == port2) &&
+ (!info.sip_flag || memcmp(&info.sip, ip1, sizeof(info.sip)) == 0) &&
+ (!info.dip_flag || memcmp(&info.dip, ip2, sizeof(info.dip)) == 0)) ||
+ ((!info.sport || info.sport == port2) && (!info.dport || info.dport == port1) &&
+ (!info.sip_flag || memcmp(&info.sip, ip2, sizeof(info.sip)) == 0) &&
+ (!info.dip_flag || memcmp(&info.dip, ip1, sizeof(info.dip)) == 0)))))
+ {
+ active = true;
+ int af;
+ const struct in6_addr* sip;
+ const struct in6_addr* dip;
+ unsigned offset;
+ uint16_t sport = 0;
+ uint16_t dport = 0;
+ char sipstr[INET6_ADDRSTRLEN];
+ char dipstr[INET6_ADDRSTRLEN];
+
+ if (!session)
+ {
+ sip = (const struct in6_addr*)ip1;
+ dip = (const struct in6_addr*)ip2;
+ sport = port1;
+ dport = port2;
+ }
+ else if (session->common.initiator_port)
+ {
+ if (session->common.initiator_port == port1)
+ {
+ sip = (const struct in6_addr*)ip1;
+ dip = (const struct in6_addr*)ip2;
+ sport = port1;
+ dport = port2;
+ }
+ else
+ {
+ sip = (const struct in6_addr*)ip2;
+ dip = (const struct in6_addr*)ip1;
+ sport = port2;
+ dport = port1;
+ }
+ }
+ else if (memcmp(session->common.initiator_ip.get_ip6_ptr(), ip1, sizeof(struct in6_addr)) == 0)
+ {
+ sip = (const struct in6_addr*)ip1;
+ dip = (const struct in6_addr*)ip2;
+ sport = port1;
+ dport = port2;
+ }
+ else
+ {
+ sip = (const struct in6_addr*)ip2;
+ dip = (const struct in6_addr*)ip1;
+ sport = port2;
+ dport = port1;
+ }
+ sipstr[0] = 0;
+ if (sip->s6_addr32[0] || sip->s6_addr32[1] || sip->s6_addr16[4] || (sip->s6_addr16[5] && sip->s6_addr16[5] != 0xFFFF))
+ {
+ af = AF_INET6;
+ offset = 0;
+ }
+ else
+ {
+ af = AF_INET;
+ offset = 12;
+ }
+ inet_ntop(af, &sip->s6_addr[offset], sipstr, sizeof(sipstr));
+ dipstr[0] = 0;
+ if (dip->s6_addr32[0] || dip->s6_addr32[1] || dip->s6_addr16[4] || (dip->s6_addr16[5] && dip->s6_addr16[5] != 0xFFFF))
+ {
+ af = AF_INET6;
+ offset = 0;
+ }
+ else
+ {
+ af = AF_INET;
+ offset = 12;
+ }
+ inet_ntop(af, &dip->s6_addr[offset], dipstr, sizeof(dipstr));
+
+ snprintf(debug_session, sizeof(debug_session), "%s %hu -> %s %hu %hhu AS=%hu ID=%u",
+ sipstr, sport, dipstr, dport, static_cast<uint8_t>(protocol), address_space_id, instance_id);
+ }
+ else
+ active = false;
+}
+
+void AppIdDebug::activate(const Flow *flow, const AppIdSession* session, bool log_all_sessions)
+{
+ if (flow == nullptr)
+ {
+ active = false;
+ return;
+ }
+ const FlowKey* key = flow->key;
+ activate(key->ip_l, key->ip_h, key->port_l, key->port_h, (IpProtocol)(key->ip_protocol),
+ key->addressSpaceId, session, log_all_sessions);
+}
+
+void AppIdDebug::set_constraints(const char *desc, const AppIdDebugSessionConstraints* constraints)
+{
+ if (constraints)
+ {
+ int saf;
+ int daf;
+ char sipstr[INET6_ADDRSTRLEN];
+ char dipstr[INET6_ADDRSTRLEN];
+
+ memcpy(&info, constraints, sizeof(info));
+ if (!info.sip.s6_addr32[0] && !info.sip.s6_addr32[1] && !info.sip.s6_addr16[4] &&
+ info.sip.s6_addr16[5] == 0xFFFF)
+ {
+ saf = AF_INET;
+ }
+ else
+ saf = AF_INET6;
+ if (!info.dip.s6_addr32[0] && !info.dip.s6_addr32[1] && !info.dip.s6_addr16[4] &&
+ info.dip.s6_addr16[5] == 0xFFFF)
+ {
+ daf = AF_INET;
+ }
+ else
+ daf = AF_INET6;
+ sipstr[0] = 0;
+ inet_ntop(saf, saf == AF_INET ? &info.sip.s6_addr32[3] : info.sip.s6_addr32, sipstr, sizeof(sipstr));
+ dipstr[0] = 0;
+ inet_ntop(daf, daf == AF_INET ? &info.dip.s6_addr32[3] : info.dip.s6_addr32, dipstr, sizeof(dipstr));
+ LogMessage("Debugging %s with %s-%hu and %s-%hu %hhu\n", desc,
+ sipstr, info.sport, dipstr, info.dport, static_cast<uint8_t>(info.protocol));
+
+ enabled = true;
+ }
+ else
+ {
+ LogMessage("Debugging %s disabled\n", desc);
+ enabled = false;
+ }
+
+}
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_debug.h author Mike Stepanek <mstepane@cisco.com>
+// Created on: March 6, 2018
+
+#ifndef APPID_DEBUG_H
+#define APPID_DEBUG_H
+
+#include <netinet/in.h>
+
+#include "protocols/protocol_ids.h"
+#include "main/thread.h"
+
+class AppIdSession;
+namespace snort
+{
+ class Flow;
+}
+
+// %s %u -> %s %u %u AS=%u ID=%u
+// IPv6 Port -> IPv6 Port Proto AS=ASNum ID=InstanceNum
+#define APPID_DEBUG_SESSION_ID_SIZE ((39+1+5+1+2+1+39+1+5+1+3+1+2+1+10+1+2+1+10)+1)
+
+struct AppIdDebugSessionConstraints
+{
+ struct in6_addr sip;
+ int sip_flag;
+ struct in6_addr dip;
+ int dip_flag;
+ uint16_t sport;
+ uint16_t dport;
+ IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
+};
+
+class AppIdDebug
+{
+public:
+ AppIdDebug(unsigned instance_id) : instance_id(instance_id) { }
+
+ void activate(const uint32_t* ip1, const uint32_t* ip2, uint16_t port1, uint16_t port2, IpProtocol protocol,
+ uint16_t address_space_id, const AppIdSession* session, bool log_all_sessions);
+ void activate(const snort::Flow *flow, const AppIdSession* session, bool log_all_sessions);
+ void set_constraints(const char *desc, const AppIdDebugSessionConstraints* constraints);
+
+ bool is_enabled() { return enabled; }
+ void set_enabled(bool enable) { enabled = enable; }
+
+ bool is_active() { return active; }
+ void deactivate() { active = false; }
+
+ const char* get_debug_session()
+ {
+ return debug_session;
+ }
+
+private:
+ bool enabled = false;
+ bool active = false;
+ AppIdDebugSessionConstraints info = { };
+ unsigned instance_id;
+ char debug_session[APPID_DEBUG_SESSION_ID_SIZE];
+};
+
+extern THREAD_LOCAL AppIdDebug* appidDebug;
+
+#endif
{
public:
AppIdDiscoveryArgs(const uint8_t* data, uint16_t size, int dir, AppIdSession& asd,
- snort::Packet* p) : data(data), size(size), dir(dir), asd(asd), pkt(p)
- {
- config = asd.config;
- session_logging_enabled = asd.session_logging_enabled;
- session_logging_id = asd.session_logging_id;
- }
+ snort::Packet* p) : data(data), size(size), dir(dir), asd(asd), pkt(p), config(asd.config)
+ {}
const uint8_t* data;
uint16_t size;
AppIdSession& asd;
snort::Packet* pkt;
const AppIdConfig* config = nullptr;
- bool session_logging_enabled = false;
- char* session_logging_id = nullptr;
};
enum APPID_STATUS_CODE
#include "appid_discovery.h"
+#include "log/messages.h"
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
+#include "protocols/tcp.h"
+
#include "appid_config.h"
+#include "appid_debug.h"
#include "appid_detector.h"
#include "app_forecast.h"
#include "appid_dns_session.h"
#include "appid_session.h"
#include "appid_utils/ip_funcs.h"
#include "appid_utils/network_set.h"
-#include "host_port_app_cache.h"
-#include "thirdparty_appid_utils.h"
-#include "service_plugins/service_discovery.h"
#include "client_plugins/client_discovery.h"
#include "detector_plugins/detector_dns.h"
#include "detector_plugins/http_url_patterns.h"
-
-#include "profiler/profiler.h"
-#include "log/messages.h"
-#include "protocols/packet.h"
-#include "protocols/tcp.h"
+#include "host_port_app_cache.h"
+#include "service_plugins/service_discovery.h"
+#include "thirdparty_appid_utils.h"
using namespace snort;
if ( direction == APP_ID_FROM_INITIATOR && hsession && hsession->is_rebuilt_offsets() )
{
HttpPatternMatchers::get_instance()->get_http_offsets(p, hsession);
- if (asd->session_logging_enabled)
- LogMessage(
- "AppIdDbg %s offsets from rebuilt packet: uri: %u-%u cookie: %u-%u\n",
- asd->session_logging_id,
- hsession->get_field_offset(REQ_URI_FID),
- hsession->get_field_end_offset(REQ_URI_FID),
- hsession->get_field_offset(REQ_COOKIE_FID),
- hsession->get_field_end_offset(REQ_COOKIE_FID));
- }
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Offsets from rebuilt packet: uri: %u-%u cookie: %u-%u\n",
+ appidDebug->get_debug_session(),
+ hsession->get_field_offset(REQ_URI_FID),
+ hsession->get_field_end_offset(REQ_URI_FID),
+ hsession->get_field_offset(REQ_COOKIE_FID),
+ hsession->get_field_end_offset(REQ_COOKIE_FID));
+ }
AppIdPegCounts::inc_disco_peg(AppIdPegCounts::DiscoveryPegs::IGNORED_PACKETS);
return true;
}
return;
}
+ appidDebug->activate(p->flow, asd, inspector.get_appid_config()->mod_config->log_all_sessions);
+
if ( is_packet_ignored(asd, p, direction) )
return;
port = (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.sp : p->ptrs.dp;
}
+ // FIXIT-H - Creating AppId session even when flow is ignored (not monitored, e.g.,
+ // when AppId discovery is disabled) will consume a lot of unneeded memory and perform
+ // unneeded tasks in constructor. Snort2 uses static APPID_SESSION_STRUCT_FLAG ignore_fsf.
+ // Snort3 may use something like that or a dummy class/object having only common.flow_type
+ // to let us know that it is APPID_FLOW_TYPE_IGNORE type and thus being returned early
+ // from this method due to set_network_attributes() checking.
AppIdSession* tmp_session = new AppIdSession(protocol, ip, port, inspector);
if ((flow_flags & APPID_SESSION_BIDIRECTIONAL_CHECKED) ==
APPID_SESSION_BIDIRECTIONAL_CHECKED)
+ {
tmp_session->common.flow_type = APPID_FLOW_TYPE_IGNORE;
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Not monitored\n", appidDebug->get_debug_session());
+ }
else
+ {
tmp_session->common.flow_type = APPID_FLOW_TYPE_TMP;
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Unknown monitoring\n", appidDebug->get_debug_session());
+ }
tmp_session->common.flags = flow_flags;
tmp_session->common.policyId = inspector.get_appid_config()->appIdPolicyId;
p->flow->set_flow_data(tmp_session);
APPID_SESSION_BIDIRECTIONAL_CHECKED )
asd->common.flow_type = APPID_FLOW_TYPE_IGNORE;
asd->common.policyId = asd->config->appIdPolicyId;
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Not monitored\n", appidDebug->get_debug_session());
}
return;
if ( !asd || asd->common.flow_type == APPID_FLOW_TYPE_TMP )
{
asd = AppIdSession::allocate_session(p, protocol, direction, inspector);
-
- if (asd->session_logging_enabled)
- LogMessage("AppIdDbg %s new session\n", asd->session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s New AppId session\n", appidDebug->get_debug_session());
}
// FIXIT-L - from this point on we always have a valid ptr to an AppIdSession and a Packet
if (asd->get_session_flags(APPID_SESSION_IGNORE_FLOW))
{
- if ( asd->session_logging_enabled &&
- !asd->get_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED) )
+ if (appidDebug->is_active() &&
+ !asd->get_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED))
{
asd->set_session_flags(APPID_SESSION_IGNORE_FLOW_LOGGED);
LogMessage("AppIdDbg %s Ignoring connection with service %d\n",
- asd->session_logging_id, asd->service.get_id());
+ appidDebug->get_debug_session(), asd->service.get_id());
}
return;
default:
{
asd->service.set_port_service_id(asd->config->get_port_service_id(protocol, p->ptrs.sp));
- if (asd->session_logging_enabled)
- LogMessage("AppIdDbg %s port service %d\n",
- asd->session_logging_id, asd->service.get_port_service_id());
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Port service %d\n",
+ appidDebug->get_debug_session(), asd->service.get_port_service_id());
asd->set_session_flags(APPID_SESSION_PORT_SERVICE_DONE);
}
break;
}
else
{
- if (asd->session_logging_enabled && p->dsize &&
+ if (appidDebug->is_active() && p->dsize &&
!asd->get_session_flags(APPID_SESSION_OOO_LOGGED))
{
asd->set_session_flags(APPID_SESSION_OOO_LOGGED);
- LogMessage("AppIdDbg %s packet out-of-order\n", asd->session_logging_id);
+ LogMessage("AppIdDbg %s Packet out-of-order\n", appidDebug->get_debug_session());
}
}
((flags & APPINFO_FLAG_SUPPORTED_SEARCH) ? SUPPORTED_SEARCH_ENGINE :
UNSUPPORTED_SEARCH_ENGINE )
: NOT_A_SEARCH_ENGINE;
- if (asd->session_logging_enabled)
+ if (appidDebug->is_active())
{
const char* typeString;
switch ( asd->search_support_type )
default: typeString = "unknown"; break;
}
- LogMessage("AppIdDbg %s appId: %u (safe)search_support_type=%s\n",
- asd->session_logging_id, payload_id, typeString);
+ LogMessage("AppIdDbg %s AppId %u (safe)search_support_type=%s\n",
+ appidDebug->get_debug_session(), payload_id, typeString);
}
}
#include "appid_http_session.h"
+#include "profiler/profiler.h"
+
#include "app_info_table.h"
#include "appid_config.h"
+#include "appid_debug.h"
#include "appid_session.h"
-#include "thirdparty_appid_utils.h"
#include "detector_plugins/http_url_patterns.h"
-#include "profiler/profiler.h"
-
+#include "thirdparty_appid_utils.h"
static const char* httpFieldName[ MAX_HTTP_FIELD_ID ] = // for use in debug messages
{
for (unsigned i = 0; i < MAX_HTTP_FIELD_ID; i++)
if ( cmd.chp_rewritten[i] )
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s rewritten %s: %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Rewritten %s: %s\n", appidDebug->get_debug_session(),
httpFieldName[i], cmd.chp_rewritten[i]);
http_fields[i].field = cmd.chp_rewritten[i];
constexpr auto RESPONSE_CODE_LENGTH = 3;
if (response_code.size() != RESPONSE_CODE_LENGTH)
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s bad http response code.\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Bad http response code.\n", appidDebug->get_debug_session());
asd.reset_session_data();
return 0;
}
set_session_flags(APPID_SESSION_RESPONSE_CODE_CHECKED);
/* didn't receive response code in first X packets. Stop processing this session */
asd.reset_session_data();
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s no response code received\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s No response code received\n", appidDebug->get_debug_session());
return 0;
}
#endif
if (asd.service.get_id() == APP_ID_NONE)
asd.service.set_id(APP_ID_HTTP);
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s chp_finished %d chp_hold_flow %d\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s chp_finished %d chp_hold_flow %d\n", appidDebug->get_debug_session(),
chp_finished, chp_hold_flow);
if (!chp_finished || chp_hold_flow)
if (is_webdav)
{
- if (asd.session_logging_enabled and asd.payload.get_id() != APP_ID_WEBDAV)
- LogMessage("AppIdDbg %s data is webdav\n", asd.session_logging_id);
+ if (appidDebug->is_active() and asd.payload.get_id() != APP_ID_WEBDAV)
+ LogMessage("AppIdDbg %s Data is webdav\n", appidDebug->get_debug_session());
asd.set_payload_appid_data(APP_ID_WEBDAV, nullptr);
}
http_matchers->identify_user_agent(useragent.c_str(), useragent.size(),
service_id, client_id, &version);
+ if (appidDebug->is_active())
+ {
+ if (service_id > APP_ID_NONE and service_id != APP_ID_HTTP and asd.service.get_id() != service_id)
+ LogMessage("AppIdDbg %s User Agent is service %d\n", appidDebug->get_debug_session(), service_id);
+ if (client_id > APP_ID_NONE and client_id != APP_ID_HTTP and asd.client.get_id() != client_id)
+ LogMessage("AppIdDbg %s User Agent is client %d\n", appidDebug->get_debug_session(), client_id);
+ }
asd.set_service_appid_data(service_id, nullptr, nullptr);
asd.set_client_appid_data(client_id, version);
asd.scan_flags &= ~SCAN_HTTP_USER_AGENT_FLAG;
if ( !asd.is_payload_appid_set() && (asd.scan_flags & SCAN_HTTP_VIA_FLAG) && !via.empty() )
{
payload_id = http_matchers->get_appid_by_pattern(via.c_str(), via.size(), nullptr);
- if (asd.session_logging_enabled && payload_id > APP_ID_NONE &&
+ if (appidDebug->is_active() && payload_id > APP_ID_NONE &&
asd.payload.get_id() != payload_id)
- LogMessage("AppIdDbg %s VIA data %d\n", asd.session_logging_id, payload_id);
+ LogMessage("AppIdDbg %s VIA is payload %d\n", appidDebug->get_debug_session(), payload_id);
asd.set_payload_appid_data((AppId)payload_id, nullptr);
asd.scan_flags &= ~SCAN_HTTP_VIA_FLAG;
}
{
if (direction == APP_ID_FROM_INITIATOR)
{
- if (asd.session_logging_enabled && client_id > APP_ID_NONE && client_id !=
+ if (appidDebug->is_active() && client_id > APP_ID_NONE && client_id !=
APP_ID_HTTP && asd.client.get_id() != client_id)
- LogMessage("AppIdDbg %s X is client %d\n", asd.session_logging_id, appId);
+ LogMessage("AppIdDbg %s X is client %d\n", appidDebug->get_debug_session(), appId);
asd.set_client_appid_data(appId, version);
}
else
{
- if (asd.session_logging_enabled && service_id > APP_ID_NONE && service_id !=
+ if (appidDebug->is_active() && service_id > APP_ID_NONE && service_id !=
APP_ID_HTTP && asd.service.get_id() != service_id)
- LogMessage("AppIdDbg %s X service %d\n", asd.session_logging_id, appId);
+ LogMessage("AppIdDbg %s X service %d\n", appidDebug->get_debug_session(), appId);
asd.set_service_appid_data(appId, nullptr, version);
}
asd.scan_flags &= ~SCAN_HTTP_XWORKINGWITH_FLAG;
|| (!thirdparty_appid_module && !asd.is_payload_appid_set() && !content_type.empty()) )
{
payload_id = http_matchers->get_appid_by_content_type(content_type.c_str(), content_type.size());
- if (asd.session_logging_enabled && payload_id > APP_ID_NONE
+ if (appidDebug->is_active() && payload_id > APP_ID_NONE
&& asd.payload.get_id() != payload_id)
- LogMessage("AppIdDbg %s Content-Type is data %d\n", asd.session_logging_id,
+ LogMessage("AppIdDbg %s Content-Type is payload %d\n", appidDebug->get_debug_session(),
payload_id);
asd.set_payload_appid_data((AppId)payload_id, nullptr);
asd.scan_flags &= ~SCAN_HTTP_CONTENT_TYPE_FLAG;
// do not overwrite a previously-set client or service
if (asd.client.get_id() <= APP_ID_NONE)
{
- if (asd.session_logging_enabled && client_id > APP_ID_NONE && client_id !=
+ if (appidDebug->is_active() && client_id > APP_ID_NONE && client_id !=
APP_ID_HTTP && asd.client.get_id() != client_id)
- LogMessage("AppIdDbg %s URL is client %d\n", asd.session_logging_id,
+ LogMessage("AppIdDbg %s URL is client %d\n", appidDebug->get_debug_session(),
client_id);
asd.set_client_appid_data(client_id, nullptr);
}
if (asd.service.get_id() <= APP_ID_NONE)
{
- if (asd.session_logging_enabled && service_id > APP_ID_NONE && service_id !=
+ if (appidDebug->is_active() && service_id > APP_ID_NONE && service_id !=
APP_ID_HTTP && asd.service.get_id() != service_id)
- LogMessage("AppIdDbg %s URL is service %d\n", asd.session_logging_id,
+ LogMessage("AppIdDbg %s URL is service %d\n", appidDebug->get_debug_session(),
service_id);
asd.set_service_appid_data(service_id, nullptr, nullptr);
}
// DO overwrite a previously-set data
- if (asd.session_logging_enabled && payload_id > APP_ID_NONE &&
+ if (appidDebug->is_active() && payload_id > APP_ID_NONE &&
asd.payload.get_id() != payload_id)
- LogMessage("AppIdDbg %s URL is data %d\n", asd.session_logging_id,
+ LogMessage("AppIdDbg %s URL is payload %d\n", appidDebug->get_debug_session(),
payload_id);
asd.set_payload_appid_data((AppId)payload_id, version);
asd.set_referred_payload_app_id_data(referredPayloadAppId);
for (unsigned j = 0; j < numXffFields; j++)
xffPrecedence[j] = strndup(xffPrecedence[j], UINT8_MAX);
- if (asd.session_logging_enabled)
+ if (appidDebug->is_active())
{
for (unsigned i = 0; i < numXffFields; i++)
- LogMessage("AppIdDbg %s %s : %s\n", asd.session_logging_id,
- xff_fields[i].field, xff_fields[i].value);
+ LogMessage("AppIdDbg %s XFF %s : %s\n", appidDebug->get_debug_session(),
+ xff_fields[i].field, xff_fields[i].value.empty()? "(empty)": xff_fields[i].value);
}
// xffPrecedence array is sorted based on precedence
#include <openssl/crypto.h>
-#include "appid_stats.h"
-#include "appid_session.h"
-#include "appid_discovery.h"
-#include "app_forecast.h"
-#include "host_port_app_cache.h"
-#include "lua_detector_module.h"
-#include "appid_http_event_handler.h"
-#include "thirdparty_appid_utils.h"
-#include "client_plugins/client_discovery.h"
-#include "service_plugins/service_discovery.h"
-#include "service_plugins/service_ssl.h"
-#include "detector_plugins/detector_dns.h"
-#include "detector_plugins/http_url_patterns.h"
-#include "detector_plugins/detector_sip.h"
-#include "detector_plugins/detector_pattern.h"
#include "flow/flow.h"
#include "log/messages.h"
#include "log/packet_tracer.h"
#include "managers/inspector_manager.h"
#include "managers/module_manager.h"
-#include "protocols/packet.h"
#include "profiler/profiler.h"
+#include "protocols/packet.h"
+
+#include "app_forecast.h"
+#include "appid_debug.h"
+#include "appid_discovery.h"
+#include "appid_http_event_handler.h"
+#include "appid_session.h"
+#include "appid_stats.h"
+#include "client_plugins/client_discovery.h"
+#include "detector_plugins/detector_dns.h"
+#include "detector_plugins/detector_pattern.h"
+#include "detector_plugins/detector_sip.h"
+#include "detector_plugins/http_url_patterns.h"
+#include "host_port_app_cache.h"
+#include "lua_detector_module.h"
+#include "service_plugins/service_discovery.h"
+#include "service_plugins/service_ssl.h"
+#include "thirdparty_appid_utils.h"
using namespace snort;
static THREAD_LOCAL PacketTracer::TracerMute appid_mute;
static void appid_inspector_tinit()
{
+ uint32_t snort_instance = get_instance_id();
+ appidDebug = new AppIdDebug(snort_instance);
+
AppIdPegCounts::init_pegs();
}
static void appid_inspector_tterm()
{
AppIdPegCounts::cleanup_pegs();
+
+ delete appidDebug;
+ appidDebug = nullptr;
}
static Inspector* appid_inspector_ctor(Module* m)
#include "appid_module.h"
#include <climits>
+#include <lua.hpp>
-#include "app_info_table.h"
-#include "appid_peg_counts.h"
#include "log/messages.h"
+#include "main/analyzer_command.h"
#include "profiler/profiler.h"
#include "utils/util.h"
+#include "app_info_table.h"
+#include "appid_debug.h"
+#include "appid_peg_counts.h"
+
using namespace snort;
using namespace std;
THREAD_LOCAL ProfileStats appidPerfStats;
-static const Parameter session_log_filter[] =
-{
- { "src_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
- "source IP address in CIDR format" },
- { "dst_ip", Parameter::PT_ADDR, nullptr, "0.0.0.0/32",
- "destination IP address in CIDR format" },
- { "src_port", Parameter::PT_PORT, "1:", nullptr, "source port" },
- { "dst_port", Parameter::PT_PORT, "1:", nullptr, "destination port" },
- { "protocol", Parameter::PT_STRING, nullptr, nullptr,"IP protocol" },
- { "log_all_sessions", Parameter::PT_BOOL, nullptr, "false",
- "enable logging for all appid sessions" },
- { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
-};
-
static const Parameter s_params[] =
{
#ifdef USE_RNA_CONFIG
{ "thirdparty_appid_dir", Parameter::PT_STRING, nullptr, nullptr,
"directory to load thirdparty appid detectors from" },
#endif
- { "session_log_filter", Parameter::PT_TABLE, session_log_filter, nullptr,
- "session log filter options" },
{ "log_all_sessions", Parameter::PT_BOOL, nullptr, "false",
"enable logging of all appid sessions" },
{ nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
+class AcAppIdDebug : public AnalyzerCommand
+{
+public:
+ AcAppIdDebug(AppIdDebugSessionConstraints* cs);
+ void execute(Analyzer&) override;
+ const char* stringify() override { return "APPID_DEBUG"; }
+
+private:
+ AppIdDebugSessionConstraints constraints = { };
+ bool enable = false;
+};
+
+AcAppIdDebug::AcAppIdDebug(AppIdDebugSessionConstraints* cs)
+{
+ if (cs)
+ {
+ memcpy(&constraints, cs, sizeof(constraints));
+ enable = true;
+ }
+}
+
+void AcAppIdDebug::execute(Analyzer&)
+{
+ if (appidDebug)
+ {
+ if (enable)
+ appidDebug->set_constraints("appid", &constraints);
+ else
+ appidDebug->set_constraints("appid", nullptr);
+ }
+ // FIXIT-L Add a warning if command was called without appid configured?
+}
+
+static int enable_debug(lua_State* L)
+{
+ int proto = luaL_optint(L, 1, 0);
+ const char* sipstr = luaL_optstring(L, 2, nullptr);
+ int sport = luaL_optint(L, 3, 0);
+ const char* dipstr = luaL_optstring(L, 4, nullptr);
+ int dport = luaL_optint(L, 5, 0);
+
+ SfIp sip, dip;
+ if (sipstr)
+ {
+ if (sip.set(sipstr) != SFIP_SUCCESS)
+ LogMessage("Invalid source IP address provided: %s\n", sipstr);
+ }
+
+ if (dipstr)
+ {
+ if (dip.set(dipstr) != SFIP_SUCCESS)
+ LogMessage("Invalid destination IP address provided: %s\n", dipstr);
+ }
+
+ AppIdDebugSessionConstraints constraints = { };
+
+ if (proto)
+ constraints.protocol = (IpProtocol) proto;
+
+ if (sip.is_set())
+ {
+ memcpy(&constraints.sip, sip.get_ip6_ptr(), sizeof(constraints.sip));
+ constraints.sip_flag = true;
+ }
+
+ if (dip.is_set())
+ {
+ memcpy(&constraints.dip, dip.get_ip6_ptr(), sizeof(constraints.dip));
+ constraints.dip_flag = true;
+ }
+
+ constraints.sport = sport;
+ constraints.dport = dport;
+
+ main_broadcast_command(new AcAppIdDebug(&constraints));
+
+ return 0;
+}
+
+static int disable_debug(lua_State*)
+{
+ main_broadcast_command(new AcAppIdDebug(nullptr));
+ return 0;
+}
+
+static const Parameter enable_debug_params[] =
+{
+ { "proto", Parameter::PT_INT, nullptr, nullptr, "numerical IP protocol ID filter" },
+ { "src_ip", Parameter::PT_STRING, nullptr, nullptr, "source IP address filter" },
+ { "src_port", Parameter::PT_INT, nullptr, nullptr, "source port filter" },
+ { "dst_ip", Parameter::PT_STRING, nullptr, nullptr, "destination IP address filter" },
+ { "dst_port", Parameter::PT_INT, nullptr, nullptr, "destination port filter" },
+
+ { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
+};
+
+static const Command appid_cmds[] =
+{
+ { "enable_debug", enable_debug, enable_debug_params, "enable appid debugging"},
+ { "disable_debug", disable_debug, nullptr, "disable appid debugging"},
+ { nullptr, nullptr, nullptr, nullptr }
+};
+
// FIXIT-M Add appid_rules back in once we start using it.
#ifdef REMOVED_WHILE_NOT_IN_USE
static const RuleMap appid_rules[] =
config->debug = v.get_bool();
else if ( v.is("dump_ports") )
config->dump_ports = v.get_bool();
- else if ( v.is("session_log_filter") )
- config->session_log_filter.log_all_sessions = false; // FIXIT-L need to implement support
- // for all log options
else if ( v.is("log_all_sessions") )
- config->session_log_filter.log_all_sessions = v.get_bool();
- else if (v.is("src_ip") )
- config->session_log_filter.sip.set(v.get_string());
- else if (v.is("dst_ip") )
- config->session_log_filter.dip.set(v.get_string());
+ config->log_all_sessions = v.get_bool();
else
return false;
return true;
}
+const Command* AppIdModule::get_commands() const
+{
+ return appid_cmds;
+}
+
const PegInfo* AppIdModule::get_pegs() const
{
return AppIdPegCounts::get_peg_info();
bool set(const char*, snort::Value&, snort::SnortConfig*) override;
bool end(const char*, int, snort::SnortConfig*) override;
+ const snort::Command* get_commands() const override;
const PegInfo* get_pegs() const override;
PegCount* get_counts() const override;
snort::ProfileStats* get_profile() const override;
#include <cstring>
+#include "log/messages.h"
+#include "main/snort_config.h"
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
+#include "protocols/tcp.h"
+#include "stream/stream.h"
+#include "target_based/snort_protocols.h"
+#include "time/packet_time.h"
+
#include "app_forecast.h"
#include "app_info_table.h"
+#include "appid_debug.h"
#include "appid_dns_session.h"
#include "appid_http_session.h"
#include "appid_inspector.h"
#include "appid_utils/ip_funcs.h"
#include "service_plugins/service_ssl.h"
#include "thirdparty_appid_utils.h"
-#include "log/messages.h"
-#include "main/snort_config.h"
-#include "profiler/profiler.h"
-#include "protocols/packet.h"
-#include "protocols/tcp.h"
-#include "stream/stream.h"
-#include "target_based/snort_protocols.h"
-#include "time/packet_time.h"
using namespace snort;
return nullptr;
}
-void AppIdSession::set_session_logging_state(const Packet* pkt, int direction)
-{
- if (config->mod_config->session_log_filter.log_all_sessions)
- {
- session_logging_enabled = true;
- }
- else
- {
- if ( !pkt->ptrs.ip_api.get_src()->equals(config->mod_config->session_log_filter.sip) )
- return;
-
- if ( !pkt->ptrs.ip_api.get_dst()->equals(config->mod_config->session_log_filter.dip) )
- return;
-
- if ( !( pkt->ptrs.sp == config->mod_config->session_log_filter.sport ) )
- return;
-
- if ( !( pkt->ptrs.dp == config->mod_config->session_log_filter.dport ) )
- return;
-
- if ( !( pkt->ptrs.type == config->mod_config->session_log_filter.protocol ) )
- return;
-
- session_logging_enabled = true;
- }
-
- if (session_logging_enabled)
- {
- char src_ip_str[INET6_ADDRSTRLEN], dst_ip_str[INET6_ADDRSTRLEN];
-
- pkt->ptrs.ip_api.get_src()->ntop(src_ip_str, sizeof(src_ip_str));
- pkt->ptrs.ip_api.get_dst()->ntop(dst_ip_str, sizeof(dst_ip_str));
- snprintf(session_logging_id, MAX_SESSION_LOGGING_ID_LEN,
- "%s-%hu -> %s-%hu %u%s AS %u I %u",
- src_ip_str, pkt->ptrs.sp, dst_ip_str, pkt->ptrs.dp,
- (unsigned)pkt->ptrs.type, (direction == APP_ID_FROM_INITIATOR) ? "" : " R",
- (unsigned)pkt->pkth->address_space_id, get_instance_id());
- }
-}
-
AppIdSession* AppIdSession::allocate_session(const Packet* p, IpProtocol proto, int direction,
AppIdInspector& inspector)
{
AppIdSession* asd = new AppIdSession(proto, ip, port, inspector);
asd->flow = p->flow;
asd->stats.first_packet_second = p->pkth->ts.tv_sec;
- asd->set_session_logging_state(p, direction);
asd->snort_protocol_id = snortId_for_unsynchronized;
p->flow->set_flow_data(asd);
return asd;
length_sequence.proto = IpProtocol::PROTO_NOT_SET;
length_sequence.sequence_cnt = 0;
memset(length_sequence.sequence, '\0', sizeof(length_sequence.sequence));
- session_logging_id[0] = '\0';
AppIdPegCounts::inc_disco_peg(AppIdPegCounts::DiscoveryPegs::TOTAL_SESSIONS);
}
if ( Stream::set_snort_protocol_id_expected(ctrlPkt, type, proto, cliIp, cliPort, srvIp,
srvPort, snort_protocol_id, asd) )
{
- sfip_ntop(cliIp, src_ip, sizeof(src_ip));
- sfip_ntop(srvIp, dst_ip, sizeof(dst_ip));
- WarningMessage("AppIdDbg %s failed to create a related flow for %s-%u -> %s-%u %u\n",
- asd->session_logging_id, src_ip, (unsigned)cliPort, dst_ip,
- (unsigned)srvPort, (unsigned)proto);
+ if (appidDebug->is_active())
+ {
+ sfip_ntop(cliIp, src_ip, sizeof(src_ip));
+ sfip_ntop(srvIp, dst_ip, sizeof(dst_ip));
+ LogMessage("AppIdDbg %s Failed to create a related flow for %s-%u -> %s-%u %u\n",
+ appidDebug->get_debug_session(), src_ip, (unsigned)cliPort, dst_ip,
+ (unsigned)srvPort, (unsigned)proto);
+ }
delete asd;
asd = nullptr;
}
else
{
- if (asd->session_logging_enabled)
+ if (appidDebug->is_active())
{
sfip_ntop(cliIp, src_ip, sizeof(src_ip));
sfip_ntop(srvIp, dst_ip, sizeof(dst_ip));
- LogMessage("AppIdDbg %s related flow created for %s-%u -> %s-%u %u\n",
- asd->session_logging_id,
+ LogMessage("AppIdDbg %s Related flow created for %s-%u -> %s-%u %u\n",
+ appidDebug->get_debug_session(),
src_ip, (unsigned)cliPort, dst_ip, (unsigned)srvPort, (unsigned)proto);
}
-
asd->in_expected_cache = true;
}
if ( tmp_snort_protocol_id != snort_protocol_id )
{
snort_protocol_id = tmp_snort_protocol_id;
- if (session_logging_enabled)
- if (tmp_snort_protocol_id == snortId_for_http2)
- LogMessage("AppIdDbg %s Telling Snort that it's HTTP/2\n",
- session_logging_id);
+ if (appidDebug->is_active() && tmp_snort_protocol_id == snortId_for_http2)
+ LogMessage("AppIdDbg %s Telling Snort that it's HTTP/2\n",
+ appidDebug->get_debug_session());
p->flow->ssn_state.snort_protocol_id = tmp_snort_protocol_id;
}
encrypted.misc_id = pick_misc_app_id();
encrypted.referred_id = pick_referred_payload_app_id();
reinit_session_data();
- if (session_logging_enabled)
- LogMessage("AppIdDbg %s SSL decryption is available, restarting app Detection\n",
- session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s SSL decryption is available, restarting app detection\n",
+ appidDebug->get_debug_session());
// APPID_SESSION_ENCRYPTED is set upon receiving a command which upgrades the session to
// SSL. Next packet after the command will have encrypted traffic. In the case of a
APPID_SESSION_EEXISTS
};
-#define MAX_SESSION_LOGGING_ID_LEN (39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1)
-
enum APPID_DISCOVERY_STATE
{
APPID_DISCO_STATE_NONE = 0,
bool is_client_detected() { return common.flags & APPID_SESSION_CLIENT_DETECTED; }
bool is_decrypted() { return common.flags & APPID_SESSION_DECRYPTED; }
- char session_logging_id[MAX_SESSION_LOGGING_ID_LEN];
- bool session_logging_enabled = false;
-
void* get_flow_data(unsigned id);
int add_flow_data(void* data, unsigned id, AppIdFreeFCN);
int add_flow_data_id(uint16_t port, ServiceDetector*);
void delete_session_data();
bool is_ssl_decryption_enabled();
- void set_session_logging_state(const snort::Packet*, int direction);
- void create_session_logging_id(int direction, snort::Packet*);
-
static THREAD_LOCAL uint32_t appid_flow_data_id;
AppId application_ids[APP_PROTOID_MAX];
AppIdInspector& inspector;
#include <map>
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
+
#include "app_info_table.h"
+#include "appid_debug.h"
#include "appid_session.h"
-#include "thirdparty_appid_utils.h"
#include "client_app_aim.h"
#include "client_app_bit_tracker.h"
#include "client_app_bit.h"
#include "detector_plugins/detector_pop3.h"
#include "detector_plugins/detector_sip.h"
#include "detector_plugins/detector_smtp.h"
-#include "protocols/packet.h"
-#include "profiler/profiler.h"
+#include "thirdparty_appid_utils.h"
using namespace snort;
{
AppIdDiscoveryArgs disco_args(p->data, p->dsize, direction, asd, p);
ret = asd.client_detector->validate(disco_args);
- if (asd.session_logging_enabled)
+ if (appidDebug->is_active())
LogMessage("AppIdDbg %s %s client detector returned %d\n",
- asd.session_logging_id, asd.client_detector->get_name().c_str(), ret);
+ appidDebug->get_debug_session(), asd.client_detector->get_name().c_str(), ret);
}
else
{
{
AppIdDiscoveryArgs disco_args(p->data, p->dsize, direction, asd, p);
int result = kv->second->validate(disco_args);
- if (asd.session_logging_enabled)
+ if (appidDebug->is_active())
LogMessage("AppIdDbg %s %s client detector returned %d\n",
- asd.session_logging_id, kv->second->get_name().c_str(), result);
+ appidDebug->get_debug_session(), kv->second->get_name().c_str(), result);
if (result == APPID_SUCCESS)
{
}
}
- if ( asd.session_logging_enabled )
+ if ( appidDebug->is_active() )
if ( !was_http2 && asd.is_http2 )
- LogMessage("AppIdDbg %s Got a preface for HTTP/2\n", asd.session_logging_id);
+ LogMessage("AppIdDbg %s Got a preface for HTTP/2\n", appidDebug->get_debug_session());
if ( !was_service && asd.is_service_detected() )
asd.sync_with_snort_protocol_id(asd.service.get_id(), p);
};
// Stubs for modules, config
-AppIdModuleConfig::AppIdModuleConfig() {}
AppIdModuleConfig::~AppIdModuleConfig() {}
AppIdModule::AppIdModule()
: Module("a", "b") {}
{
return false;
}
+const Command* AppIdModule::get_commands() const
+{
+ return nullptr;
+}
const PegInfo* AppIdModule::get_pegs() const
{
return nullptr;
#include <algorithm>
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
+#include "protocols/tcp.h"
+
+#include "app_info_table.h"
#include "appid_config.h"
+#include "appid_debug.h"
#include "appid_dns_session.h"
#include "appid_session.h"
-#include "app_info_table.h"
+#include "detector_plugins/detector_dns.h"
+#include "detector_plugins/detector_http.h"
+#include "detector_plugins/detector_imap.h"
+#include "detector_plugins/detector_kerberos.h"
+#include "detector_plugins/detector_pattern.h"
+#include "detector_plugins/detector_pop3.h"
+#include "detector_plugins/detector_sip.h"
+#include "detector_plugins/detector_smtp.h"
#include "lua_detector_api.h"
-
#include "service_battle_field.h"
#include "service_bgp.h"
#include "service_bit.h"
#include "service_snmp.h"
#include "service_ssh.h"
#include "service_ssl.h"
+#include "service_telnet.h"
#include "service_tftp.h"
#include "service_timbuktu.h"
#include "service_tns.h"
-#include "service_telnet.h"
#include "thirdparty_appid_utils.h"
-#include "detector_plugins/detector_dns.h"
-#include "detector_plugins/detector_http.h"
-#include "detector_plugins/detector_imap.h"
-#include "detector_plugins/detector_kerberos.h"
-#include "detector_plugins/detector_pattern.h"
-#include "detector_plugins/detector_pop3.h"
-#include "detector_plugins/detector_sip.h"
-#include "detector_plugins/detector_smtp.h"
-
-#include "profiler/profiler.h"
-#include "protocols/packet.h"
-#include "protocols/tcp.h"
#ifdef REG_TEST
#include "service_regtest.h"
if ( sds->get_state() == SERVICE_ID_STATE::FAILED )
{
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Failed state, no service match\n", appidDebug->get_debug_session());
fail_service(asd, p, dir, nullptr);
return APPID_NOMATCH;
}
/* If a valid service already exists in host tracker, give it a try. */
if ( sds->get_state() == SERVICE_ID_STATE::VALID )
asd.service_detector = sds->get_service();
+
+ // FIXIT-H: The following logic sets asd.service_detector to sds.service even if
+ // (state != SEARCHING_BRUTE_FORCE && state != VALID). Need to verify if this is really
+ // intended as this is diverged from Snort2 logic. Also, when the walking of brute-force
+ // list is done, we should not do port-pattern again -- which is what this implementation
+ // is doing! We should do port-pattern only if (!bruteForceDone). See Snort 2.9.11-125 logic.
+
+ /* If we've gotten to brute force, give next detector a try. */
else if ( asd.service_candidates.empty() )
{
asd.service_detector = sds->select_detector_by_brute_force(proto);
}
AppIdDiscoveryArgs args(p->data, p->dsize, dir, asd, p);
+ /* If we already have a service to try, then try it out. */
if ( asd.service_detector )
{
ret = asd.service_detector->validate(args);
if (ret == APPID_NOT_COMPATIBLE)
got_incompatible_services = true;
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s %s returned %d\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s %s returned %d\n", appidDebug->get_debug_session(),
asd.service_detector->get_name().c_str(), ret);
}
+ /* Try to find detectors based on ports and patterns. */
else
{
/* See if we've got more detector(s) to add to the candidate list. */
result = service->validate(args);
if ( result == APPID_NOT_COMPATIBLE )
got_incompatible_services = true;
- if ( asd.session_logging_enabled )
+ if ( appidDebug->is_active() )
LogMessage("AppIdDbg %s %s returned %d\n",
- asd.session_logging_id, service->get_name().c_str(), result);
+ appidDebug->get_debug_session(), service->get_name().c_str(), result);
if ( result == APPID_SUCCESS )
{
}
else if ( dir == APP_ID_FROM_RESPONDER ) // bidirectional exchange unknown service
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s no service detector\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s No service detector\n", appidDebug->get_debug_session());
fail_service(asd, p, dir, nullptr);
ret = APPID_NOMATCH;
if ( entry && entry->service_detector &&
!(entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL) )
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s Stop service detection\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Stop service detection\n", appidDebug->get_debug_session());
asd.stop_rna_service_inspection(p, direction);
}
}
#include "service_rshell.h"
-#include "appid_inspector.h"
-#include "app_info_table.h"
#include "protocols/packet.h"
+#include "app_info_table.h"
+#include "appid_debug.h"
+#include "appid_inspector.h"
+
#define RSHELL_PORT 514
#define RSHELL_MAX_PORT_PACKET 6
rd->state = RSHELL_STATE_PORT;
}
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s rshell state %d\n", args.session_logging_id, rd->state);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s RSHELL state %d\n", appidDebug->get_debug_session(), rd->state);
switch (rd->state)
{
#include "service_snmp.h"
-#include "appid_inspector.h"
-#include "app_info_table.h"
#include "log/messages.h"
#include "protocols/packet.h"
+#include "app_info_table.h"
+#include "appid_debug.h"
+#include "appid_inspector.h"
+
#define SNMP_PORT 161
#define SNMP_VERSION_1 0
if (snmp_verify_packet(&data, data+size, &pdu, &version))
{
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s snmp payload verify failed\n", args.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s SNMP payload verify failed\n", appidDebug->get_debug_session());
if (args.asd.get_session_flags(APPID_SESSION_UDP_REVERSED))
{
if (args.dir == APP_ID_FROM_RESPONDER)
}
}
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s snmp state %d\n", args.session_logging_id, sd->state);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s SNMP state %d\n", appidDebug->get_debug_session(), sd->state);
switch (sd->state)
{
#include "service_tftp.h"
-#include "appid_inspector.h"
-#include "app_info_table.h"
#include "protocols/packet.h"
+#include "app_info_table.h"
+#include "appid_debug.h"
+#include "appid_inspector.h"
+
#define TFTP_PORT 69
#define TFTP_COUNT_THRESHOLD 1
#define TFTP_MAX_PACKET_SIZE 512
data_add(args.asd, td, &snort_free);
td->state = TFTP_STATE_CONNECTION;
}
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s tftp state %d\n", args.session_logging_id, td->state);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s TFTP state %d\n", appidDebug->get_debug_session(), td->state);
if (td->state == TFTP_STATE_CONNECTION && args.dir == APP_ID_FROM_RESPONDER)
goto fail;
case TFTP_STATE_TRANSFER:
if ((mode=tftp_verify_header(data, size, &block)) < 0)
{
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s tftp failed to verify\n", args.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s TFTP failed to verify\n", appidDebug->get_debug_session());
goto fail;
}
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s tftp mode %d and block %u\n", args.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s TFTP mode %d and block %u\n", appidDebug->get_debug_session(),
mode, (unsigned)block);
if (mode == TFTP_STATE_ACK)
{
goto fail;
else
{
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s tftp failed to verify\n", args.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s TFTP failed to verify\n", appidDebug->get_debug_session());
goto bail;
}
}
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s tftp mode %d\n", args.session_logging_id, mode);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s TFTP mode %d\n", appidDebug->get_debug_session(), mode);
if (mode == TFTP_STATE_ERROR)
{
td->state = TFTP_STATE_TRANSFER;
}
if (args.dir == APP_ID_FROM_INITIATOR && mode != TFTP_STATE_DATA)
{
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s tftp bad mode\n", args.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s TFTP bad mode\n", appidDebug->get_debug_session());
goto bail;
}
if (args.dir == APP_ID_FROM_RESPONDER && mode != TFTP_STATE_ACK)
return APPID_INPROCESS;
success:
- if (args.session_logging_enabled)
- LogMessage("AppIdDbg %s tftp success\n", args.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s TFTP success\n", appidDebug->get_debug_session());
return add_service(args.asd, args.pkt, args.dir, APP_ID_TFTP);
bail:
#include <map>
-#include "service_plugins/service_detector.h"
#include "log/messages.h"
#include "sfip/sf_ip.h"
#include "time/packet_time.h"
#include "utils/util.h"
+#include "appid_debug.h"
+#include "service_plugins/service_detector.h"
+
using namespace snort;
ServiceDiscoveryState::ServiceDiscoveryState()
{
if ( state == SERVICE_ID_STATE::SEARCHING_BRUTE_FORCE )
{
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Brute-force state\n", appidDebug->get_debug_session());
if ( !brute_force_mgr )
brute_force_mgr = new AppIdDetectorList(proto);
SOURCES $<TARGET_OBJECTS:appid_cpputest_deps>
)
+add_cpputest( appid_debug_test
+ SOURCES $<TARGET_OBJECTS:appid_cpputest_deps>
+)
+
--- /dev/null
+//--------------------------------------------------------------------------
+// Copyright (C) 2018-2018 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+// appid_debug_test.cc author Mike Stepanek <mstepane@cisco.com>
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "network_inspectors/appid/appid_debug.cc"
+
+#include <stdio.h>
+#include <string.h>
+
+#include "flow/flow.h"
+#include "network_inspectors/appid/appid_session.h"
+
+#include "appid_mock_definitions.h"
+
+#include <CppUTest/CommandLineTestRunner.h>
+#include <CppUTest/TestHarness.h>
+
+// Mocks
+
+class AppIdInspector
+{
+public:
+ AppIdInspector() { }
+};
+
+FlowData::FlowData(unsigned, Inspector*) { }
+FlowData::~FlowData() { }
+
+AppIdSession::AppIdSession(IpProtocol, const SfIp*, uint16_t, AppIdInspector& inspector)
+ : FlowData(0), inspector(inspector) { }
+AppIdSession::~AppIdSession() { }
+
+// Utility functions
+
+static void SetConstraints(IpProtocol protocol, // use IpProtocol::PROTO_NOT_SET for "any"
+ const char* sipstr, uint16_t sport,
+ const char* dipstr, uint16_t dport,
+ AppIdDebugSessionConstraints& constraints)
+{
+ SfIp sip, dip;
+ if (sipstr)
+ sip.set(sipstr);
+ if (dipstr)
+ dip.set(dipstr);
+
+ constraints.protocol = protocol;
+ if (sip.is_set())
+ {
+ memcpy(&constraints.sip, sip.get_ip6_ptr(), sizeof(constraints.sip));
+ constraints.sip_flag = true;
+ }
+ if (dip.is_set())
+ {
+ memcpy(&constraints.dip, dip.get_ip6_ptr(), sizeof(constraints.dip));
+ constraints.dip_flag = true;
+ }
+ constraints.sport = sport;
+ constraints.dport = dport;
+}
+
+// Tests
+
+TEST_GROUP(appid_debug)
+{
+ void setup() override
+ {
+ appidDebug = new AppIdDebug(3);
+ }
+
+ void teardown() override
+ {
+ delete appidDebug;
+ }
+};
+
+// This matches the basic pcap/expect regression test that we have for this command.
+TEST(appid_debug, basic_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints);
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.1.2.3");
+ dip.set("10.9.8.7");
+ uint16_t sport = 48620;
+ uint16_t dport = 80;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = sport;
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Test matching a packet in reverse direction (from constraints).
+TEST(appid_debug, reverse_direction_activate_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints);
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.9.8.7"); // this would be a reply back
+ dip.set("10.1.2.3");
+ uint16_t sport = 80;
+ uint16_t dport = 48620;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = dport; // session initiator is now dst
+ session.common.initiator_ip = dip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Test IPv6 matches.
+TEST(appid_debug, ipv6_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::UDP, "2001:db8:85a3::8a2e:370:7334", 1234, "2001:db8:85a3::8a2e:370:7335", 443, constraints);
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("2001:db8:85a3::8a2e:370:7334"); // IPv6
+ dip.set("2001:db8:85a3::8a2e:370:7335");
+ uint16_t sport = 1234;
+ uint16_t dport = 443;
+ IpProtocol protocol = IpProtocol::UDP; // also threw in UDP and address space ID for kicks
+ uint16_t address_space_id = 100;
+ // The session...
+ session.common.initiator_port = sport;
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "2001:db8:85a3::8a2e:370:7334 1234 -> 2001:db8:85a3::8a2e:370:7335 443 17 AS=100 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Test matching on session initiator IP (rather than port).
+TEST(appid_debug, no_initiator_port_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints);
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.1.2.3");
+ dip.set("10.9.8.7");
+ uint16_t sport = 48620;
+ uint16_t dport = 80;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = 0; // no initiator port yet (uses IPs)
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Test matching on session initiator IP (reverse direction packet).
+TEST(appid_debug, no_initiator_port_reversed_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints);
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.9.8.7");
+ dip.set("10.1.2.3");
+ uint16_t sport = 80;
+ uint16_t dport = 48620;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = 0; // no initiator port yet (uses IPs)... and reversed packet dir from above
+ session.common.initiator_ip = dip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Check for null session pointer (won't activate).
+TEST(appid_debug, null_session_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints);
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ uint16_t sport = 0;
+ uint16_t dport = 0;
+ IpProtocol protocol = IpProtocol::PROTO_NOT_SET;
+ uint16_t address_space_id = 0;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id,
+ nullptr, false); // null session
+ CHECK_EQUAL(appidDebug->is_active(), false); // not active
+}
+
+// Check for null flow pointer (won't activate).
+TEST(appid_debug, null_flow_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, "10.1.2.3", 0, "10.9.8.7", 80, constraints);
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ // activate()
+ appidDebug->activate(nullptr, nullptr, false); // null flow (and session)
+ CHECK_EQUAL(appidDebug->is_active(), false); // not active
+}
+
+// Check a packet that doesn't get a match to constraints (won't activate).
+TEST(appid_debug, no_match_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, nullptr, 0, nullptr, 0, constraints); // just TCP
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.1.2.3");
+ dip.set("10.9.8.7");
+ uint16_t sport = 48620;
+ uint16_t dport = 80;
+ IpProtocol protocol = IpProtocol::UDP; // but this packet is UDP instead
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = sport;
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), false); // not active (no match)
+}
+
+// Set all constraints (must match all).
+TEST(appid_debug, all_constraints_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, "10.1.2.3", 48620, "10.9.8.7", 80, constraints); // must match all constraints
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.1.2.3");
+ dip.set("10.9.8.7");
+ uint16_t sport = 48620;
+ uint16_t dport = 80;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = sport;
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Only set protocol in constraints.
+TEST(appid_debug, just_proto_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::TCP, nullptr, 0, nullptr, 0, constraints); // only need to match proto
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.1.2.3");
+ dip.set("10.9.8.7");
+ uint16_t sport = 48620;
+ uint16_t dport = 80;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = sport;
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Only set IP in constraints.
+TEST(appid_debug, just_ip_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::PROTO_NOT_SET, nullptr, 0, "10.9.8.7", 0, constraints); // only need to match (dst) IP
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.1.2.3");
+ dip.set("10.9.8.7");
+ uint16_t sport = 48620;
+ uint16_t dport = 80;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = sport;
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Only set port in constraints.
+TEST(appid_debug, just_port_test)
+{
+ // set_constraints()
+ AppIdDebugSessionConstraints constraints = { };
+ SetConstraints(IpProtocol::PROTO_NOT_SET, nullptr, 0, nullptr, 80, constraints); // just need to match (dst) port
+ appidDebug->set_constraints("appid", &constraints);
+ CHECK_EQUAL(appidDebug->is_enabled(), true);
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.1.2.3");
+ dip.set("10.9.8.7");
+ uint16_t sport = 48620;
+ uint16_t dport = 80;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = sport;
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), true);
+
+ // get_debug_session()
+ const char* str = "10.1.2.3 48620 -> 10.9.8.7 80 6 AS=0 ID=3";
+ CHECK_TRUE(strcmp(appidDebug->get_debug_session(), str) == 0);
+}
+
+// Clear constraints (disables it so it won't activate).
+TEST(appid_debug, clear_constraints_test)
+{
+ // set_constraints()
+ appidDebug->set_constraints("appid", nullptr); // clear constraints
+ CHECK_EQUAL(appidDebug->is_enabled(), false); // disabled
+
+ SfIp sip;
+ SfIp dip;
+ AppIdInspector inspector;
+ AppIdSession session(IpProtocol::PROTO_NOT_SET, nullptr, 0, inspector);
+ // This packet...
+ sip.set("10.1.2.3");
+ dip.set("10.9.8.7");
+ uint16_t sport = 48620;
+ uint16_t dport = 80;
+ IpProtocol protocol = IpProtocol::TCP;
+ uint16_t address_space_id = 0;
+ // The session...
+ session.common.initiator_port = sport;
+ session.common.initiator_ip = sip;
+ // activate()
+ appidDebug->activate(sip.get_ip6_ptr(), dip.get_ip6_ptr(), sport, dport,
+ protocol, address_space_id, &session, false);
+ CHECK_EQUAL(appidDebug->is_active(), false); // won't activate (since disabled)
+}
+
+int main(int argc, char** argv)
+{
+ int rc = CommandLineTestRunner::RunAllTests(argc, argv);
+ return rc;
+}
#include <dlfcn.h>
+#include "log/messages.h"
+#include "main/snort_debug.h"
+#include "profiler/profiler.h"
+#include "protocols/packet.h"
+#include "stream/stream.h"
+
+#include "app_info_table.h"
#include "appid_config.h"
+#include "appid_debug.h"
#include "appid_http_session.h"
#include "appid_inspector.h"
-#include "app_info_table.h"
#include "detector_plugins/http_url_patterns.h"
#include "service_plugins/service_ssl.h"
-#include "protocols/packet.h"
-#include "main/snort_debug.h"
-#include "log/messages.h"
-#include "profiler/profiler.h"
-#include "stream/stream.h"
-
using namespace snort;
#define MODULE_SYMBOL "thirdparty_appid_impl_module"
if (ThirdPartyAppIDFoundProto(APP_ID_HTTP, proto_list))
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s flow is HTTP\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s HTTP flow\n", appidDebug->get_debug_session());
asd.set_session_flags(APPID_SESSION_HTTP_SESSION);
}
if (ThirdPartyAppIDFoundProto(APP_ID_SPDY, proto_list))
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s flow is SPDY\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s SPDY flow\n", appidDebug->get_debug_session());
asd.set_session_flags(APPID_SESSION_HTTP_SESSION | APPID_SESSION_SPDY_SESSION);
}
hsession->set_field_offset(REQ_HOST_FID, attribute_data->spdyRequestHostOffset);
hsession->set_field_end_offset(REQ_HOST_FID,
attribute_data->spdyRequestHostEndOffset);
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s SPDY Host (%u-%u) is %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s SPDY host (%u-%u) is %s\n", appidDebug->get_debug_session(),
hsession->get_field_offset(REQ_HOST_FID),
hsession->get_field_end_offset(REQ_HOST_FID), hsession->get_host());
asd.scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
//attribute_data->spdyRequestPath = nullptr;
hsession->set_field_offset(REQ_URI_FID, attribute_data->spdyRequestPathOffset);
hsession->set_field_end_offset(REQ_URI_FID, attribute_data->spdyRequestPathEndOffset);
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s SPDY URI (%u-%u) is %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s SPDY URI (%u-%u) is %s\n", appidDebug->get_debug_session(),
hsession->get_field_offset(REQ_URI_FID),
hsession->get_field_end_offset(REQ_URI_FID), hsession->get_uri());
}
hsession->set_field_end_offset(REQ_HOST_FID, attribute_data->httpRequestHostEndOffset);
// FIXIT-M do we need to free this memeory and set to null
//attribute_data->httpRequestHost = nullptr;
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s HTTP host is %s\n",
- asd.session_logging_id, attribute_data->httpRequestHost);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s HTTP host (%u-%u) is %s\n",
+ appidDebug->get_debug_session(), hsession->get_field_offset(REQ_HOST_FID),
+ hsession->get_field_end_offset(REQ_HOST_FID), attribute_data->httpRequestHost);
asd.scan_flags |= SCAN_HTTP_HOST_URL_FLAG;
}
hsession->set_field_end_offset(REQ_URI_FID, attribute_data->httpRequestUriEndOffset);
snort_free(attribute_data->httpRequestUri);
attribute_data->httpRequestUri = nullptr;
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s uri (%u-%u) is %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s URI (%u-%u) is %s\n", appidDebug->get_debug_session(),
hsession->get_field_offset(REQ_URI_FID),
hsession->get_field_end_offset(REQ_URI_FID), hsession->get_uri());
}
strlen(attribute_data->httpRequestUserAgent));
snort_free(attribute_data->httpRequestUserAgent);
attribute_data->httpRequestUserAgent = nullptr;
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s User Agent (%u-%u) is %s\n",
+ appidDebug->get_debug_session(), hsession->get_field_offset(REQ_AGENT_FID),
+ hsession->get_field_end_offset(REQ_AGENT_FID), hsession->get_user_agent());
asd.scan_flags |= SCAN_HTTP_USER_AGENT_FLAG;
}
// Check to see if third party discovered HTTP/2. - once it supports it...
if (attribute_data->httpResponseVersion)
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s HTTP response version is %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s HTTP response version is %s\n", appidDebug->get_debug_session(),
attribute_data->httpResponseVersion);
if (strncmp(attribute_data->httpResponseVersion, "HTTP/2", 6) == 0)
{
- if (asd.session_logging_enabled)
+ if (appidDebug->is_active())
LogMessage("AppIdDbg %s 3rd party detected and parsed HTTP/2\n",
- asd.session_logging_id);
+ appidDebug->get_debug_session());
asd.is_http2 = true;
}
snort_free(attribute_data->httpResponseVersion);
}
if (attribute_data->httpResponseCode)
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s HTTP response code is %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s HTTP response code is %s\n", appidDebug->get_debug_session(),
attribute_data->httpResponseCode);
if (hsession->get_response_code())
if (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT))
// asks the server to upgrade to HTTP/2).
if (attribute_data->httpResponseUpgrade)
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s HTTP response upgrade is %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s HTTP response upgrade is %s\n", appidDebug->get_debug_session(),
attribute_data->httpResponseUpgrade);
if (asd.config->mod_config->http2_detection_enabled)
if ( hsession->get_response_code()
&& (strncmp(hsession->get_response_code(), "101", 3) == 0) )
if (strncmp(attribute_data->httpResponseUpgrade, "h2c", 3) == 0)
{
- if (asd.session_logging_enabled)
+ if (appidDebug->is_active())
LogMessage("AppIdDbg %s Got an upgrade to HTTP/2\n",
- asd.session_logging_id);
+ appidDebug->get_debug_session());
asd.is_http2 = true;
}
snort_free(attribute_data->httpResponseUpgrade);
}
if (attribute_data->httpRequestReferer)
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s referrer is %s\n", asd.session_logging_id,
- attribute_data->httpRequestReferer);
if (hsession->get_referer())
if (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT))
hsession->set_chp_finished(false);
attribute_data->httpRequestReferer = nullptr;
hsession->set_field_offset(REQ_REFERER_FID, attribute_data->httpRequestRefererOffset);
hsession->set_field_end_offset(REQ_REFERER_FID, attribute_data->httpRequestRefererEndOffset);
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s Referer (%u-%u) is %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Referrer (%u-%u) is %s\n", appidDebug->get_debug_session(),
hsession->get_field_offset(REQ_REFERER_FID),
hsession->get_field_end_offset(REQ_REFERER_FID),
hsession->get_referer());
attribute_data->httpRequestCookie = nullptr;
attribute_data->httpRequestCookieOffset = 0;
attribute_data->httpRequestCookieEndOffset = 0;
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s cookie (%u-%u) is %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Cookie (%u-%u) is %s\n", appidDebug->get_debug_session(),
hsession->get_field_offset(REQ_COOKIE_FID),
hsession->get_field_offset(REQ_COOKIE_FID),
hsession->get_cookie());
if (attribute_data->httpRequestBody)
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s got a request body %s\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Got a request body %s\n", appidDebug->get_debug_session(),
attribute_data->httpRequestBody);
if (hsession->get_req_body())
if (!asd.get_session_flags(APPID_SESSION_APP_REINSPECT))
{
asd.tp_reinspect_by_initiator = true;
asd.set_session_flags(APPID_SESSION_APP_REINSPECT);
- if (asd.session_logging_enabled)
+ if (appidDebug->is_active())
LogMessage("AppIdDbg %s 3rd party allow reinspect http\n",
- asd.session_logging_id);
+ appidDebug->get_debug_session());
asd.reset_session_data();
}
if ( p->ptrs.ip_api.tos() == 8 )
{
asd.payload.set_id(APP_ID_SFTP);
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s data is SFTP\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s Payload is SFTP\n", appidDebug->get_debug_session());
}
}
TP_STATE_CLASSIFIED)
asd.clear_session_flags(APPID_SESSION_APP_REINSPECT);
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s 3rd party returned %d\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s 3rd party returned %d\n", appidDebug->get_debug_session(),
asd.tp_app_id);
// For now, third party can detect HTTP/2 (w/o metadata) for
// some cases. Treat it like HTTP w/ is_http2 flag set.
if ((asd.tp_app_id == APP_ID_HTTP2) && (tp_confidence == 100))
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s 3rd party saw HTTP/2\n", appidDebug->get_debug_session());
asd.tp_app_id = APP_ID_HTTP;
asd.is_http2 = true;
if (asd.app_info_mgr->get_app_info_flags(asd.tp_app_id, APPINFO_FLAG_IGNORE))
{
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s 3rd party ignored\n", asd.session_logging_id);
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s 3rd party ignored\n", appidDebug->get_debug_session());
if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION))
asd.tp_app_id = APP_ID_HTTP;
else
{
asd.tp_app_id = APP_ID_NONE;
- if (asd.session_logging_enabled && !asd.get_session_flags(
+ if (appidDebug->is_active() && !asd.get_session_flags(
APPID_SESSION_TPI_OOO_LOGGED))
{
asd.set_session_flags(APPID_SESSION_TPI_OOO_LOGGED);
LogMessage("AppIdDbg %s 3rd party packet out-of-order\n",
- asd.session_logging_id);
+ appidDebug->get_debug_session());
}
}
//SSL policy determines IMAPS/POP3S etc before appId sees first server
// packet
asd.service.set_port_service_id(porAppId);
- if (asd.session_logging_enabled)
+ if (appidDebug->is_active())
LogMessage("AppIdDbg %s SSL is service %d, portServiceAppId %d\n",
- asd.session_logging_id,
+ appidDebug->get_debug_session(),
asd.tp_app_id, asd.service.get_port_service_id());
}
else
{
asd.tp_payload_app_id = asd.tp_app_id;
asd.tp_app_id = porAppId;
- if (asd.session_logging_enabled)
- LogMessage("AppIdDbg %s SSL is %d\n", asd.session_logging_id,
+ if (appidDebug->is_active())
+ LogMessage("AppIdDbg %s SSL is %d\n", appidDebug->get_debug_session(),
asd.tp_app_id);
}
snort_app_id = APP_ID_SSL;
projects / thirdparty / snort3.git / commitdiff
