From: Mike Stepanek (mstepane)
Date: Tue, 26 Jun 2018 14:44:21 +0000 (-0400)
Subject: Merge pull request #1284 in SNORT/snort3 from appid_setTPAppIdData to master
X-Git-Tag: 3.0.0-246~40
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=848a2b3b744ec535cb3782bfbc17ac45d35fa6a3;p=thirdparty%2Fsnort3.git
Merge pull request #1284 in SNORT/snort3 from appid_setTPAppIdData to master
Squashed commit of the following:
commit 103a5b755efc0a480045422fdceb1dd5ddee5e1d
Author: Silviu Minut
Date: Fri Jun 22 14:30:46 2018 -0400
appid: fix http tunnel handling in do_tp_discovery()
appid: add else if clause to set tp_app_id to APP_ID_SSL in do_tp_discovery(), as per user comments. Move asd.get_http_session() inside the if(APPID_SESSION_HTTP_SESSION) block.
---
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index 561f9861e..0f3334e05 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
@@ -691,6 +691,8 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol,
 if (asd.get_session_flags(APPID_SESSION_HTTP_SESSION))
 tp_app_id = APP_ID_HTTP;
+ else if ( asd.get_session_flags(APPID_SESSION_SSL_SESSION) )
+ tp_app_id = APP_ID_SSL;
 else
 tp_app_id = APP_ID_NONE;
 }
@@ -719,7 +721,6 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol,
 || asd.payload.get_id() > APP_ID_NONE) )
 {
 AppId snort_app_id;
- AppIdHttpSession* hsession = asd.get_http_session();
 // if the packet is HTTP, then search for via pattern
 if ( asd.get_session_flags(APPID_SESSION_HTTP_SESSION) )
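Review bot: The new `else if` in the first hunk fixes the fallback order as HTTP first, then SSL, and that precedence is not documented: a session carrying both flags is reported as APP_ID_HTTP. This matters for the tunnel handling further down in do_tp_discovery(), where `tp_app_id == APP_ID_SSL` is tested inside what appears to be the HTTP-session block, a value this fallback cannot produce there. If that is intended, a comment above the chain such as `// HTTP flag takes precedence; SSL is reported only for non-HTTP sessions` would record it. The enclosing block starts outside the hunk, so whether both flags can be set on one session is not visible here.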
@@ -729,26 +730,23 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol,
 if (tp_app_id != APP_ID_HTTP)
 asd.set_tp_payload_app_id(tp_app_id);
- // FIXIT-H commented out this part because it will never get executed
- // need to make this function par with snort2x code, need to implement
- // setTPAppIdData() and CheckDetectorCallback()
- // functions mainly. Set APP_ID_HTTP to asd's tp_session_id var from below
- tp_app_id = APP_ID_HTTP;
+ asd.set_tp_app_id(APP_ID_HTTP);
 // Handle HTTP tunneling and SSL possibly then being used in that tunnel
- /* if (tp_app_id == APP_ID_HTTP_TUNNEL)
+ if (tp_app_id == APP_ID_HTTP_TUNNEL)
 asd.set_payload_appid_data(APP_ID_HTTP_TUNNEL, NULL);
- else if ((asd.payload.get_id() == APP_ID_HTTP_TUNNEL) && (tp_app_id ==
- APP_ID_SSL))
- asd.set_payload_appid_data(APP_ID_HTTP_SSL_TUNNEL, NULL);*/
+ else if ((asd.payload.get_id() == APP_ID_HTTP_TUNNEL) &&
+ (tp_app_id == APP_ID_SSL))
+ asd.set_payload_appid_data(APP_ID_HTTP_SSL_TUNNEL, NULL);
+ AppIdHttpSession* hsession = asd.get_http_session();
 hsession->process_http_packet(direction);
 // If SSL over HTTP tunnel, make sure Snort knows that it's encrypted.
 if (asd.payload.get_id() == APP_ID_HTTP_SSL_TUNNEL)
 snort_app_id = APP_ID_SSL;
- if (asd.is_tp_appid_available() && tp_app_id ==
+ if (asd.is_tp_appid_available() && asd.get_tp_app_id() ==
 APP_ID_HTTP && !asd.get_session_flags(APPID_SESSION_APP_REINSPECT))
 {
@@ -808,7 +806,6 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol,
 }
 else
 {
- asd.set_tp_app_id(tp_app_id);
 if (protocol != IpProtocol::TCP || (p->packet_flags & (PKT_STREAM_ORDER_OK | PKT_STREAM_ORDER_BAD)))
 {
@@ -836,4 +833,3 @@ bool do_tp_discovery(AppIdSession& asd, IpProtocol protocol,
 return isTpAppidDiscoveryDone;
 }
-
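Review bot: In the hunk at -729, the local `tp_app_id` and the session's stored id now mean different things inside the HTTP block, and nothing in the code says so: `asd.set_tp_app_id(APP_ID_HTTP)` pins the session value while the tunnel checks right below still read the local third-party result. A comment above the call would stop a later cleanup from merging the two, for example `// session tp id is pinned to HTTP; local tp_app_id keeps the third-party result for the tunnel checks`. With the session id just set, the later test `asd.get_tp_app_id() == APP_ID_HTTP` looks always true here unless set_tp_app_id() can decline the write, so it could be dropped or explained. The moved `hsession` pointer is dereferenced on the next line without a check, which is safe on this packet path only if get_http_session() never returns null, and that is not visible in the hunk. The enclosing function starts and ends outside the hunk.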