Pull request #4888: appid: fix high inspected packets count
authorBohdan Hryniv -X (bhryniv - SOFTSERVE INC at Cisco) <bhryniv@cisco.com>
Wed, 8 Oct 2025 01:30:34 +0000 (01:30 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Wed, 8 Oct 2025 01:30:34 +0000 (01:30 +0000)
Merge in SNORT/snort3 from ~BHRYNIV/snort3:fix_high_inspected_packets_count to master

Squashed commit of the following:

commit bab6b11b314c1cf6545add72eef8bd51e97c399f
Author: Bohdan Hryniv <bhryniv@cisco>
Date:   Tue Sep 9 12:09:23 2025 -0400

    appid: fix high inspected packets count

src/network_inspectors/appid/appid_session_api.cc
src/network_inspectors/appid/test/appid_session_api_test.cc

index 10b97d7b140f8276e84bacfe972ce2f1494a59ed..eaedd893a14a23664daaa1d1b4dafa17797f7382 100644 (file)
@@ -32,6 +32,7 @@
 #include "appid_types.h"
 #include "service_plugins/service_bootp.h"
 #include "service_plugins/service_netbios.h"
+#include "network_inspectors/appid/service_plugins/service_ssl.h"
 
 #define SSL_ALLOWLIST_PKT_LIMIT 20
 
@@ -250,6 +251,15 @@ bool AppIdSessionApi::is_appid_inspecting_session() const
             return false;
     }
 
+    // service is a TLS-wrapped service or SNI has been observed
+    if ( (is_service_over_ssl(get_service_app_id()) or (get_tls_host() != nullptr)) and
+         !asd->get_session_flags(APPID_SESSION_DECRYPTED) and
+         !asd->get_odp_ctxt().check_host_port_app_cache and
+         (asd->session_packet_count >= SSL_ALLOWLIST_PKT_LIMIT) )
+    {
+        return false;
+    }
+
     if ( (get_service_app_id() == APP_ID_QUIC or  get_service_app_id() == APP_ID_HTTP3) and
          !asd->get_session_flags(APPID_SESSION_DECRYPTED) )
         return false;
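Review bot: The added include at the top of the file spells the header with the full `network_inspectors/appid/` prefix while the neighbouring includes (`service_plugins/service_bootp.h`, `service_plugins/service_netbios.h`) use the directory-relative form; `#include "service_plugins/service_ssl.h"` would keep the list uniform, assuming the include paths resolve it the same way as its siblings. In the new block in is_appid_inspecting_session the comment names only the trigger, not the gate; I would write `// undecrypted TLS session (SSL/HTTPS service, or a TLS host already seen): stop inspecting once SSL_ALLOWLIST_PKT_LIMIT packets have been seen, unless host/port app-cache lookups are enabled`. Whether get_tls_host() is populated only from the SNI is not visible here, so "SNI has been observed" may overstate what the check tests. The body of is_appid_inspecting_session starts and ends outside the hunk.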
index 13abedd670bc3d423691524bc61ebb8deb04ae45..d56f5808f36ff47ae7995c0fd5201f9157533bde 100644 (file)
@@ -48,6 +48,18 @@ Inspector* InspectorManager::get_inspector(char const*, bool, const snort::Snort
 
 void appid_log(const snort::Packet*, unsigned char, char const*, ...) { }
 
+bool is_service_over_ssl(AppId appId)
+{
+    switch (appId)
+    {
+        case APP_ID_HTTPS:
+        case APP_ID_SSL:
+            return true;
+        default:
+            return false;
+    }
+}
+
 namespace snort
 {
     unsigned get_instance_id()
@@ -643,6 +655,41 @@ TEST(appid_session_api, get_client_app_detect_type)
     CHECK_EQUAL(detect_type, CLIENT_APP_DETECT_APPID);
 }
 
+TEST(appid_session_api, service_none_sni_reaches_threshold)
+{
+    SfIp ip{};
+    AppIdSession asd(IpProtocol::TCP, &ip, 1492, dummy_appid_inspector, odpctxt, 0
+#ifndef DISABLE_TENANT_ID
+        ,0
+#endif
+    );
+    asd.flow = &flow;
+
+    asd.service_disco_state = APPID_DISCO_STATE_FINISHED;
+    asd.client_disco_state  = APPID_DISCO_STATE_FINISHED;
+
+    asd.clear_session_flags(APPID_SESSION_ENCRYPTED |
+                            APPID_SESSION_DECRYPTED |
+                            APPID_SESSION_HTTP_SESSION |
+                            APPID_SESSION_CONTINUE |
+                            APPID_SESSION_CLIENT_GETS_SERVER_PACKETS);
+
+    asd.set_service_id(APP_ID_NONE, asd.get_odp_ctxt());
+
+    AppidChangeBits change_bits;
+
+    char* sni = snort_strdup("random-sni.com");
+    asd.tsession->set_tls_sni(sni, 0);
+    asd.examine_ssl_metadata(change_bits, true);
+
+    asd.session_packet_count = SSL_ALLOWLIST_PKT_LIMIT;
+    bool val = asd.get_api().is_appid_inspecting_session();
+    CHECK_FALSE(val);
+
+    asd.tsession->set_tls_sni(nullptr, 0);
+    delete &asd.get_api();
+}
+
 int main(int argc, char** argv)
 {
     mock_init_appid_pegs();
@@ -650,4 +697,3 @@ int main(int argc, char** argv)
     mock_cleanup_appid_pegs();
     return rc;
 }
-
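Review bot: The new test service_none_sni_reaches_threshold pins only the at-limit case; nothing checks that a count below SSL_ALLOWLIST_PKT_LIMIT keeps the session under inspection, so an off-by-one in the `>=` comparison in appid_session_api.cc would pass unnoticed. Before the existing assignment I would add `asd.session_packet_count = SSL_ALLOWLIST_PKT_LIMIT - 1;` followed by `CHECK_TRUE(asd.get_api().is_appid_inspecting_session());`, assuming the earlier checks in is_appid_inspecting_session let a session with this flag set-up through (that part of the function is not in the diff). The mock is_service_over_ssl added in the first hunk of this file recognises only APP_ID_HTTPS and APP_ID_SSL; a one-line comment such as `// test stand-in: the production helper may classify more app ids` would stop a reader from taking it as the full list.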