Pull request #4673: appid: fixed unknown payload case for domain fronting
authorBhumika Sachdeva (bsachdev) <bsachdev@cisco.com>
Wed, 2 Apr 2025 14:11:31 +0000 (14:11 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Wed, 2 Apr 2025 14:11:31 +0000 (14:11 +0000)
Merge in SNORT/snort3 from ~BSACHDEV/snort3:domain_fronting_payload_unknown to master

Squashed commit of the following:

commit ca35caad3f65496e8ca02cdbca4f39f599a287db
Author: bsachdev <bsachdev@cisco.com>
Date:   Fri Mar 21 17:28:28 2025 -0400

    appid: fixed unknown payload case for domain fronting

src/network_inspectors/appid/appid_session.cc

index c8d28da8921aa78a237efacbb151e4e800958763..45827a341a87877ca6f9a78dcafa56ce9358a4f6 100644 (file)
@@ -1217,14 +1217,23 @@ void AppIdSession::publish_shadow_traffic_event(const uint32_t &shadow_traffic_b
      
     const char* app_name;
     unsigned shadow_traffic_pub_id = 0;
-    std::string str_print; 
+    std::string str_print;
 
     AppId publishing_appid = get_shadow_traffic_publishing_appid();
     app_name = api.asd->get_odp_ctxt().get_app_info_mgr().get_app_name(publishing_appid);
+
     if (app_name == nullptr)
     {
-        APPID_LOG(CURRENT_PACKET, TRACE_DEBUG_LEVEL,"Appname is invalid, not publishing shadow traffic event without appname\n");
-        return;
+        if ((shadow_traffic_bits & ShadowTraffic_Type_Domain_Fronting) && 
+            !(shadow_traffic_bits & ~ShadowTraffic_Type_Domain_Fronting))
+        { 
+            app_name = "unknown"; 
+        }
+        else 
+        {
+            APPID_LOG(CURRENT_PACKET, TRACE_DEBUG_LEVEL,"Appname is invalid, not publishing shadow traffic event without appname\n");
+            return; 
+        }
     }
 
     shadow_traffic_pub_id = DataBus::get_id(shadowtraffic_pub_key);
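Review bot: The `"unknown"` fallback in the `app_name == nullptr` branch applies only when `ShadowTraffic_Type_Domain_Fronting` is the sole bit set, so a domain-fronting detection that arrives together with any other shadow-traffic bit and no resolvable app name still reaches the `return` and is never published. If that is intended, a comment above the condition should say why the combined case is dropped; otherwise the test could be just `if (shadow_traffic_bits & ShadowTraffic_Type_Domain_Fronting)`. The dropped case is reported only through `APPID_LOG` at `TRACE_DEBUG_LEVEL`, so the lost event is presumably invisible unless debug tracing is enabled. If the constant is a single-bit flag (its definition is not in the hunk), the two-part condition is equivalent to `shadow_traffic_bits == ShadowTraffic_Type_Domain_Fronting`, which reads more directly. The body of `publish_shadow_traffic_event` starts and ends outside this hunk, so how consumers treat the literal `"unknown"` name cannot be checked here.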