
Source code changes of the file "src/dynamic-preprocessors/appid/fw_appid.c" between
snort-2.9.16.1.tar.gz and snort-2.9.17.tar.gz


fw_appid.c  (snort-2.9.16.1):fw_appid.c  (snort-2.9.17)
skipping to change at line 96 skipping to change at line 96
PreprocStats tpPerfStats; PreprocStats tpPerfStats;
PreprocStats tpLibPerfStats; PreprocStats tpLibPerfStats;
PreprocStats httpPerfStats; PreprocStats httpPerfStats;
PreprocStats clientMatchPerfStats; PreprocStats clientMatchPerfStats;
PreprocStats serviceMatchPerfStats; PreprocStats serviceMatchPerfStats;
#endif #endif
#define HTTP_PATTERN_MAX_LEN 1024 #define HTTP_PATTERN_MAX_LEN 1024
#define PORT_MAX 65535 #define PORT_MAX 65535
unsigned long app_id_ongoing_session = 0;
unsigned long app_id_total_alloc = 0;
unsigned long app_id_raw_packet_count = 0; unsigned long app_id_raw_packet_count = 0;
unsigned long app_id_processed_packet_count = 0; unsigned long app_id_processed_packet_count = 0;
unsigned long app_id_ignored_packet_count = 0; unsigned long app_id_ignored_packet_count = 0;
static tAppIdData *app_id_free_list; static tAppIdData *app_id_free_list;
static tTmpAppIdData *tmp_app_id_free_list; static tTmpAppIdData *tmp_app_id_free_list;
static uint32_t snortInstance; static uint32_t snortInstance;
int app_id_debug; int app_id_debug;
static int ptype_scan_counts[NUMBER_OF_PTYPES]; static int ptype_scan_counts[NUMBER_OF_PTYPES];
static void ProcessThirdPartyResults(SFSnortPacket* p, APPID_SESSION_DIRECTION d irection, tAppIdData* appIdSession, int confidence, tAppId* proto_list, ThirdPar tyAppIDAttributeData* attribute_data); static void ProcessThirdPartyResults(SFSnortPacket* p, APPID_SESSION_DIRECTION d irection, tAppIdData* appIdSession, int confidence, tAppId* proto_list, ThirdPar tyAppIDAttributeData* attribute_data);
skipping to change at line 316 skipping to change at line 318
RNAServiceSubtype *subtype; RNAServiceSubtype *subtype;
if (sharedData) if (sharedData)
{ {
#ifdef DEBUG_FW_APPID #ifdef DEBUG_FW_APPID
#if defined(DEBUG_FW_APPID_PORT) && DEBUG_FW_APPID_PORT #if defined(DEBUG_FW_APPID_PORT) && DEBUG_FW_APPID_PORT
if (sharedData->service_port == DEBUG_FW_APPID_PORT) if (sharedData->service_port == DEBUG_FW_APPID_PORT)
#endif #endif
fprintf(SF_DEBUG_FILE, "Deleting session %p\n", sharedData); fprintf(SF_DEBUG_FILE, "Deleting session %p\n", sharedData);
#endif #endif
app_id_ongoing_session--;
#ifdef REG_TEST #ifdef REG_TEST
if (appidStaticConfig->appid_reg_test_mode) if (appidStaticConfig->appid_reg_test_mode)
appIdRegTestDumpEndOfSession(sharedData); appIdRegTestDumpEndOfSession(sharedData);
#endif #endif
/*check daq flag */ /*check daq flag */
appIdStatsUpdate(sharedData); appIdStatsUpdate(sharedData);
if (sharedData->ssn) if (sharedData->ssn)
FailInProcessService(sharedData, pAppidActiveConfig); FailInProcessService(sharedData, pAppidActiveConfig);
AppIdFlowdataFree(sharedData); AppIdFlowdataFree(sharedData);
skipping to change at line 381 skipping to change at line 384
static int16_t snortId_for_unsynchronized; static int16_t snortId_for_unsynchronized;
static int16_t snortId_for_ftp_data; static int16_t snortId_for_ftp_data;
static int16_t snortId_for_http2; static int16_t snortId_for_http2;
tAppIdData* appSharedDataAlloc(uint8_t proto, const struct in6_addr *ip, uint16 _t port) tAppIdData* appSharedDataAlloc(uint8_t proto, const struct in6_addr *ip, uint16 _t port)
{ {
static uint32_t gFlowId; static uint32_t gFlowId;
tAppIdData *data; tAppIdData *data;
app_id_ongoing_session++;
if (app_id_free_list) if (app_id_free_list)
{ {
data = app_id_free_list; data = app_id_free_list;
app_id_free_list = data->next; app_id_free_list = data->next;
memset(data, 0, sizeof(*data)); memset(data, 0, sizeof(*data));
} }
else if (!(data = calloc(1, sizeof(*data)))) else if (!(data = calloc(1, sizeof(*data))))
DynamicPreprocessorFatalMessage("Could not allocate tAppIdData data"); DynamicPreprocessorFatalMessage("Could not allocate tAppIdData data");
app_id_total_alloc++;
if (thirdparty_appid_module) if (thirdparty_appid_module)
if (!(data->tpsession = thirdparty_appid_module->session_create())) if (!(data->tpsession = thirdparty_appid_module->session_create()))
DynamicPreprocessorFatalMessage("Could not allocate tAppIdData->tpse ssion data"); DynamicPreprocessorFatalMessage("Could not allocate tAppIdData->tpse ssion data");
data->flowId = ++gFlowId; data->flowId = ++gFlowId;
data->common.fsf_type.flow_type = APPID_SESSION_TYPE_NORMAL; data->common.fsf_type.flow_type = APPID_SESSION_TYPE_NORMAL;
data->proto = proto; data->proto = proto;
data->common.initiator_ip = *ip; data->common.initiator_ip = *ip;
data->common.initiator_port = port; data->common.initiator_port = port;
data->snortId = snortId_for_unsynchronized; data->snortId = snortId_for_unsynchronized;
skipping to change at line 2248 skipping to change at line 2254
// Next packet after the command will have encrypted traffic. // Next packet after the command will have encrypted traffic.
// In the case of a session which starts as SSL, current packet itself i s encrypted. Set the special flag // In the case of a session which starts as SSL, current packet itself i s encrypted. Set the special flag
// APPID_SESSION_APP_REINSPECT_SSL which allows reinspection of this pac ket. // APPID_SESSION_APP_REINSPECT_SSL which allows reinspection of this pac ket.
if (isSsl) if (isSsl)
setAppIdFlag(session, APPID_SESSION_APP_REINSPECT_SSL); setAppIdFlag(session, APPID_SESSION_APP_REINSPECT_SSL);
} }
} }
static inline void checkRestartTunnelDetection(tAppIdData *session) static inline void checkRestartTunnelDetection(tAppIdData *session)
{ {
if (session->tpPayloadAppId == APP_ID_HTTP_TUNNEL && !getAppIdFlag(session, if ((session->hsession && session->hsession->is_tunnel) ||
APPID_SESSION_HTTP_TUNNEL)) (session->tpPayloadAppId == APP_ID_HTTP_TUNNEL && !getAppIdFlag(session,
APPID_SESSION_HTTP_TUNNEL)))
{ {
if (app_id_debug_session_flag) if (app_id_debug_session_flag)
_dpd.logMsg("AppIdDbg %s Found HTTP Tunnel, restarting app Detection \n", app_id_debug_session); _dpd.logMsg("AppIdDbg %s Found HTTP Tunnel, restarting app Detection \n", app_id_debug_session);
// Service // Service
if (session->serviceAppId == session->portServiceAppId) if (session->serviceAppId == session->portServiceAppId)
session->serviceAppId = APP_ID_NONE; session->serviceAppId = APP_ID_NONE;
session->portServiceAppId = APP_ID_NONE; session->portServiceAppId = APP_ID_NONE;
if (session->serviceVendor) if (session->serviceVendor)
{ {
skipping to change at line 2297 skipping to change at line 2304
} }
session->num_candidate_clients_tried = 0; session->num_candidate_clients_tried = 0;
AppIdFlowdataDeleteAllByMask(session, APPID_SESSION_DATA_CLIENT_MODSTATE _BIT); AppIdFlowdataDeleteAllByMask(session, APPID_SESSION_DATA_CLIENT_MODSTATE _BIT);
session->init_tpPackets = 0; session->init_tpPackets = 0;
session->resp_tpPackets = 0; session->resp_tpPackets = 0;
session->scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG; session->scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG;
clearAppIdFlag(session, APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_C LIENT_DETECTED clearAppIdFlag(session, APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_C LIENT_DETECTED
| APPID_SESSION_HTTP_SESSION | APPID_SESSION_HTT P_CONNECT); | APPID_SESSION_HTTP_SESSION | APPID_SESSION_HTT P_CONNECT);
if (session->hsession && session->hsession->is_tunnel)
{
session->hsession->is_tunnel = false;
if (appidStaticConfig->http_tunnel_detect == HTTP_TUNNEL_DETECT_REST
ART_AND_RESET && thirdparty_appid_module)
{
thirdparty_appid_module->session_delete(session->tpsession, 0);
session->tpsession = NULL;
}
}
setAppIdFlag(session, APPID_SESSION_HTTP_TUNNEL); setAppIdFlag(session, APPID_SESSION_HTTP_TUNNEL);
} }
return; return;
} }
static inline void checkRestartAppDetection(tAppIdData *session) static inline void checkRestartAppDetection(tAppIdData *session)
{ {
checkRestartSSLDetection(session); checkRestartSSLDetection(session);
checkRestartTunnelDetection(session); checkRestartTunnelDetection(session);
skipping to change at line 2357 skipping to change at line 2373
session->miscAppId = APP_ID_IRCS; session->miscAppId = APP_ID_IRCS;
break; break;
case APP_ID_POP3: case APP_ID_POP3:
session->miscAppId = APP_ID_POP3S; session->miscAppId = APP_ID_POP3S;
break; break;
default: default:
break; break;
} }
} }
static inline void ExamineSslMetadata(SFSnortPacket *p, APPID_SESSION_DIRECTION /*
direction, tAppIdData *session, tAppIdConfig *pConfig) * Desc: This function does AppId detection corresponding to the SSL params
* The order of processing is:
* Valid SNI: SNI->first_SAN->CN->OU
* No SNI/Mismatched SNI: first_SAN->CN->OU
*/
static int scanSslParamsLookupAppId(tAppIdData *session, const char *serverName,
bool isSniMismatch, const char *subjectAltName, const char *commonNa
me,
const char *orgName, tAppId *clientAppId, tAppId *payloadAppId)
{ {
size_t size; int ret = 0;
int ret;
tAppId clientAppId = 0;
tAppId payloadAppId = 0;
if ((session->scan_flags & SCAN_SSL_HOST_FLAG) && session->tsession->tls_hos t) if ((session->scan_flags & SCAN_SSL_HOST_FLAG) && serverName && !isSniMismat ch)
{ {
size = strlen(session->tsession->tls_host); ret = ssl_scan_hostname((const uint8_t *)serverName, strlen(serverName),
if ((ret = ssl_scan_hostname((const u_int8_t *)session->tsession->tls_ho clientAppId, payloadAppId, &pAppidActiveConfig->serviceSslConfig
st, size, &clientAppId, &payloadAppId, &pConfig->serviceSslConfig))) );
{ session->tsession->matched_tls_type = MATCHED_TLS_HOST;
if (session->clientAppId == APP_ID_NONE ||
session->clientAppId == APP_ID_SSL_CLIENT)
setClientAppIdData(p, direction, session, clientAppId, NULL);
setPayloadAppIdData(p, direction, session, payloadAppId, NULL);
setSSLSquelch(p, ret, (ret == 1 ? payloadAppId : clientAppId));
}
session->scan_flags &= ~SCAN_SSL_HOST_FLAG; session->scan_flags &= ~SCAN_SSL_HOST_FLAG;
// ret = 0;
} }
if ((session->scan_flags & SCAN_SSL_CERTIFICATE_FLAG) && session->tsession->
tls_cname) if (subjectAltName && (APP_ID_NONE == *clientAppId) && (APP_ID_NONE == *payl
oadAppId))
{ {
size = strlen(session->tsession->tls_cname); ret = ssl_scan_hostname((const uint8_t *)subjectAltName, strlen(subjectA
if ((ret = ssl_scan_cname((const u_int8_t *)session->tsession->tls_cname ltName),
, size, &clientAppId, &payloadAppId, &pConfig->serviceSslConfig))) clientAppId, payloadAppId, &pAppidActiveConfig->serviceSslConfig
{ );
if (session->clientAppId == APP_ID_NONE || session->tsession->matched_tls_type = MATCHED_TLS_FIRST_SAN;
session->clientAppId == APP_ID_SSL_CLIENT) }
setClientAppIdData(p, direction, session, clientAppId, NULL);
setPayloadAppIdData(p, direction, session, payloadAppId, NULL); if ((session->scan_flags & SCAN_SSL_CERTIFICATE_FLAG) && commonName &&
setSSLSquelch(p, ret, (ret == 1 ? payloadAppId : clientAppId)); (APP_ID_NONE == *clientAppId) && (APP_ID_NONE == *payloadAppId))
} {
ret = ssl_scan_cname((const uint8_t *)commonName, strlen(commonName),
clientAppId, payloadAppId, &pAppidActiveConfig->serviceSslConfig
);
session->tsession->matched_tls_type = MATCHED_TLS_CNAME;
session->scan_flags &= ~SCAN_SSL_CERTIFICATE_FLAG; session->scan_flags &= ~SCAN_SSL_CERTIFICATE_FLAG;
// ret = 0;
} }
if (orgName && (APP_ID_NONE == *clientAppId) && (APP_ID_NONE == *payloadAppI
d))
{
ret = ssl_scan_cname((const uint8_t *)orgName, strlen(orgName),
clientAppId, payloadAppId, &pAppidActiveConfig->serviceSslConfig
);
session->tsession->matched_tls_type = MATCHED_TLS_ORG_UNIT;
}
if ((APP_ID_NONE == *clientAppId) && (APP_ID_NONE == *payloadAppId))
session->tsession->matched_tls_type = MATCHED_TLS_NONE;
return ret;
}
static inline void ExamineSslMetadata(SFSnortPacket *p, APPID_SESSION_DIRECTION
direction, tAppIdData *session, tAppIdConfig *pConfig)
{
int ret = 0;
tAppId clientAppId = 0;
tAppId payloadAppId = 0;
/* TLS params already scanned, skip scanning again */
if ((session->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
return;
ret = scanSslParamsLookupAppId(session, (const char*)session->tsession->tls_
host,
false, NULL, (const char*)session->tsession->tls_cname,
(const char*)session->tsession->tls_orgUnit, &clientAppId, &payloadA
ppId);
if (session->clientAppId == APP_ID_NONE ||
session->clientAppId == APP_ID_SSL_CLIENT)
setClientAppIdData(p, direction, session, clientAppId, NULL);
setPayloadAppIdData(p, direction, session, payloadAppId, NULL);
setSSLSquelch(p, ret, (ret == 1 ? payloadAppId : clientAppId));
if (session->tsession->tls_orgUnit) if (session->tsession->tls_orgUnit)
{ {
size = strlen(session->tsession->tls_orgUnit);
if ((ret = ssl_scan_cname((const u_int8_t *)session->tsession->tls_orgUn
it, size, &clientAppId, &payloadAppId, &pConfig->serviceSslConfig)))
{
if (session->clientAppId == APP_ID_NONE)
setClientAppIdData(p, direction, session, clientAppId, NULL);
setPayloadAppIdData(p, direction, session, payloadAppId, NULL);
setSSLSquelch(p, ret, (ret == 1 ? payloadAppId : clientAppId));
}
free(session->tsession->tls_orgUnit); free(session->tsession->tls_orgUnit);
session->tsession->tls_orgUnit = NULL; session->tsession->tls_orgUnit = NULL;
// ret = 0;
} }
if (session->tsession->tls_handshake_done &&
session->payloadAppId == APP_ID_NONE)
{
if (app_id_debug_session_flag)
_dpd.logMsg("AppIdDbg %s End of SSL/TLS handshake detected with no p
ayloadAppId, so setting to unknown\n", app_id_debug_session);
session->payloadAppId = APP_ID_UNKNOWN;
}
} }
static inline int RunClientDetectors(tAppIdData *session, static inline int RunClientDetectors(tAppIdData *session,
SFSnortPacket *p, SFSnortPacket *p,
int direction, int direction,
tAppIdConfig *pConfig) tAppIdConfig *pConfig)
{ {
int ret = CLIENT_APP_INPROCESS; int ret = CLIENT_APP_INPROCESS;
const struct RNAClientAppModule *tmpClientData = session->clientData; const struct RNAClientAppModule *tmpClientData = session->clientData;
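Review bot: In the new ExamineSslMetadata the calls to setClientAppIdData, setPayloadAppIdData and setSSLSquelch after scanSslParamsLookupAppId are no longer gated on a match, whereas the removed code only reached them inside `if ((ret = ssl_scan_hostname(...)))` / `if ((ret = ssl_scan_cname(...)))`; when no SNI, SAN, CN or OU matched, this now invokes `setSSLSquelch(p, 0, 0)` and `setPayloadAppIdData(p, direction, session, 0, NULL)` on every pass through the function. Unless those helpers are known no-ops for APP_ID_NONE (their bodies are not in this hunk), restoring the guard as `if (ret) { ... the three set calls ... }` keeps the old behaviour while still using the new lookup order. The header comment on scanSslParamsLookupAppId should also state that it dereferences session->tsession unconditionally (lines setting matched_tls_type), e.g. `* Pre: session->tsession must be non-NULL`, since the caller relies on that without a check. A related point in the checkRestartTunnelDetection hunk: after `session_delete(session->tpsession, 0)` sets tpsession to NULL under HTTP_TUNNEL_DETECT_RESTART_AND_RESET, processThirdParty still passes session->tpsession to `session_state_get` and `disable_flags`, so a NULL guard or re-create path is needed there unless one exists outside this view.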
skipping to change at line 2517 skipping to change at line 2567
// in the rna_app.yaml file entry; so ignore the tempSnortId == 0 ca se. // in the rna_app.yaml file entry; so ignore the tempSnortId == 0 ca se.
// Then if the value is different call the api. // Then if the value is different call the api.
if ((tempSnortId != 0 || (tempSnortId = (newAppId == APP_ID_HTTP2) ? snortId_for_http2 : 0)) && if ((tempSnortId != 0 || (tempSnortId = (newAppId == APP_ID_HTTP2) ? snortId_for_http2 : 0)) &&
tempSnortId != session->snortId) tempSnortId != session->snortId)
{ {
session->snortId = tempSnortId; // remember the most recent chan ge session->snortId = tempSnortId; // remember the most recent chan ge
// inform Snort so that other preprocessors can be turned on/off // inform Snort so that other preprocessors can be turned on/off
if (app_id_debug_session_flag) if (app_id_debug_session_flag)
if (tempSnortId == snortId_for_http2) if (tempSnortId == snortId_for_http2)
_dpd.logMsg("AppIdDbg %s Telling Snort that it's HTTP/2\ n", app_id_debug_session); _dpd.logMsg("AppIdDbg %s Telling Snort that it's HTTP/2\ n", app_id_debug_session);
#ifdef TARGET_BASED
_dpd.sessionAPI->set_application_protocol_id(p->stream_session, tempSnortId); _dpd.sessionAPI->set_application_protocol_id(p->stream_session, tempSnortId);
#endif
p->application_protocol_ordinal = tempSnortId; p->application_protocol_ordinal = tempSnortId;
} }
} }
} }
} }
static inline void checkTerminateTpModule(uint16_t tpPktCount, tAppIdData *sessi on) static inline void checkTerminateTpModule(uint16_t tpPktCount, tAppIdData *sessi on)
{ {
if ((tpPktCount >= appidStaticConfig->max_tp_flow_depth) || if ((tpPktCount >= appidStaticConfig->max_tp_flow_depth) ||
(getAppIdFlag(session, APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_RE INSPECT) == (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_RE INSPECT) ==
skipping to change at line 3001 skipping to change at line 3053
if(isAppIdNone || isSslNone || appidStaticConfig->check_host_port_app_cache) if(isAppIdNone || isSslNone || appidStaticConfig->check_host_port_app_cache)
{ {
return true; return true;
} }
return false; return false;
} }
void fwAppIdInit(void) void fwAppIdInit(void)
{ {
/* init globals for snortId compares etc. */ /* init globals for snortId compares etc. */
#ifdef TARGET_BASED
snortId_for_unsynchronized = _dpd.addProtocolReference("unsynchronized"); snortId_for_unsynchronized = _dpd.addProtocolReference("unsynchronized");
snortId_for_ftp_data = _dpd.findProtocolReference("ftp-data"); snortId_for_ftp_data = _dpd.findProtocolReference("ftp-data");
snortId_for_http2 = _dpd.findProtocolReference("http2"); snortId_for_http2 = _dpd.findProtocolReference("http2");
#endif
snortInstance = _dpd.getSnortInstance(); snortInstance = _dpd.getSnortInstance();
} }
static inline tAppId processThirdParty(SFSnortPacket* p, tAppIdData* session, AP PID_SESSION_DIRECTION direction, uint8_t protocol, bool* isTpAppidDiscoveryDone, static inline tAppId processThirdParty(SFSnortPacket* p, tAppIdData* session, AP PID_SESSION_DIRECTION direction, uint8_t protocol, bool* isTpAppidDiscoveryDone,
tAppIdConfig *pConfig) tAppIdConfig *pConfig)
{ {
tAppId tpAppId = session->tpAppId; tAppId tpAppId = session->tpAppId;
int tp_confidence; int tp_confidence;
tAppId* tp_proto_list; tAppId* tp_proto_list;
ThirdPartyAppIDAttributeData* tp_attribute_data; ThirdPartyAppIDAttributeData* tp_attribute_data;
skipping to change at line 3089 skipping to change at line 3143
uint32_t entryFlags = appInfoEntryFlags(tpAppId, pConfig); uint32_t entryFlags = appInfoEntryFlags(tpAppId, pConfig);
if (entryFlags & APPINFO_FLAG_TP_CLIENT) if (entryFlags & APPINFO_FLAG_TP_CLIENT)
session->clientAppId = tpAppId; session->clientAppId = tpAppId;
ProcessThirdPartyResults(p, direction, session, tp_confidence, t p_proto_list, tp_attribute_data); ProcessThirdPartyResults(p, direction, session, tp_confidence, t p_proto_list, tp_attribute_data);
if ((entryFlags & APPINFO_FLAG_SSL_SQUELCH) && if ((entryFlags & APPINFO_FLAG_SSL_SQUELCH) &&
getAppIdFlag(session, APPID_SESSION_SSL_SESSION) && getAppIdFlag(session, APPID_SESSION_SSL_SESSION) &&
!(session->scan_flags & SCAN_SSL_HOST_FLAG)) !(session->scan_flags & SCAN_SSL_HOST_FLAG))
{ {
setSSLSquelch(p, 1, tpAppId); if (!(session->scan_flags & SCAN_SPOOFED_SNI_FLAG))
{
setSSLSquelch(p, 1, tpAppId);
}
else
{
if (app_id_debug_session_flag)
_dpd.logMsg("AppIdDbg %s Ignored 3rd party returned
%d, SNI is spoofed\n",
app_id_debug_session, tpAppId);
}
} }
if (entryFlags & APPINFO_FLAG_IGNORE) if (entryFlags & APPINFO_FLAG_IGNORE)
{ {
if (app_id_debug_session_flag) if (app_id_debug_session_flag)
_dpd.logMsg("AppIdDbg %s 3rd party ignored\n", app_id_de bug_session); _dpd.logMsg("AppIdDbg %s 3rd party ignored\n", app_id_de bug_session);
if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION)) if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION))
tpAppId = APP_ID_HTTP; tpAppId = APP_ID_HTTP;
else if(getAppIdFlag(session, APPID_SESSION_SSL_SESSION)) else if(getAppIdFlag(session, APPID_SESSION_SSL_SESSION))
tpAppId = APP_ID_SSL; tpAppId = APP_ID_SSL;
skipping to change at line 3120 skipping to change at line 3183
#endif #endif
fprintf(SF_DEBUG_FILE, "%u -> %u %u Skipping ooo\n", fprintf(SF_DEBUG_FILE, "%u -> %u %u Skipping ooo\n",
(unsigned)p->src_port, (unsigned)p->dst_port, (unsig ned)protocol); (unsigned)p->src_port, (unsigned)p->dst_port, (unsig ned)protocol);
#endif #endif
} }
if (thirdparty_appid_module->session_state_get(session->tpsession) = = TP_STATE_MONITORING) if (thirdparty_appid_module->session_state_get(session->tpsession) = = TP_STATE_MONITORING)
{ {
thirdparty_appid_module->disable_flags(session->tpsession, TP_SE SSION_FLAG_ATTRIBUTE | TP_SESSION_FLAG_TUNNELING | TP_SESSION_FLAG_FUTUREFLOW); thirdparty_appid_module->disable_flags(session->tpsession, TP_SE SSION_FLAG_ATTRIBUTE | TP_SESSION_FLAG_TUNNELING | TP_SESSION_FLAG_FUTUREFLOW);
} }
#ifdef TARGET_BASED
if(tpAppId == APP_ID_SSL && (_dpd.sessionAPI->get_application_protoc ol_id(p->stream_session) == snortId_for_ftp_data)) if(tpAppId == APP_ID_SSL && (_dpd.sessionAPI->get_application_protoc ol_id(p->stream_session) == snortId_for_ftp_data))
{ {
// If we see SSL on an FTP data channel set tpAppId back // If we see SSL on an FTP data channel set tpAppId back
// to APP_ID_NONE so the FTP preprocessor picks up the flow. // to APP_ID_NONE so the FTP preprocessor picks up the flow.
tpAppId = APP_ID_NONE; tpAppId = APP_ID_NONE;
} }
#endif
if (tpAppId > APP_ID_NONE && (!getAppIdFlag(session, APPID_SESSION_A PP_REINSPECT) || session->payloadAppId > APP_ID_NONE)) if (tpAppId > APP_ID_NONE && (!getAppIdFlag(session, APPID_SESSION_A PP_REINSPECT) || session->payloadAppId > APP_ID_NONE))
{ {
#ifdef TARGET_BASED #ifdef TARGET_BASED
tAppId snortAppId; tAppId snortAppId;
#endif #endif
// if the packet is HTTP, then search for via pattern // if the packet is HTTP, then search for via pattern
if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION) && session ->hsession) if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION) && session ->hsession)
{ {
#ifdef TARGET_BASED #ifdef TARGET_BASED
skipping to change at line 3209 skipping to change at line 3272
//SSL policy needs to determine IMAPS/POP3S etc before a ppId sees first server packet //SSL policy needs to determine IMAPS/POP3S etc before a ppId sees first server packet
session->portServiceAppId = portAppId; session->portServiceAppId = portAppId;
if (app_id_debug_session_flag) if (app_id_debug_session_flag)
_dpd.logMsg("AppIdDbg %s SSL is service %d, portServ iceAppId %d\n", _dpd.logMsg("AppIdDbg %s SSL is service %d, portServ iceAppId %d\n",
app_id_debug_session, tpAppId, session->port ServiceAppId); app_id_debug_session, tpAppId, session->port ServiceAppId);
} }
else else
{ {
setTPPayloadAppIdData(p, direction, session, tpAppId); if (!(session->scan_flags & SCAN_SPOOFED_SNI_FLAG))
{
setTPPayloadAppIdData(p, direction, session, tpAppId
);
}
else
{
if (app_id_debug_session_flag)
_dpd.logMsg("AppIdDbg %s Ignoring 3rd party retu
rned %d, SNI is spoofed\n",
app_id_debug_session, tpAppId);
}
tpAppId = portAppId; tpAppId = portAppId;
if (app_id_debug_session_flag) if (app_id_debug_session_flag)
_dpd.logMsg("AppIdDbg %s SSL is %d\n", app_id_debug_ session, tpAppId); _dpd.logMsg("AppIdDbg %s SSL is %d\n", app_id_debug_ session, tpAppId);
} }
setTPAppIdData(p, direction, session, tpAppId); setTPAppIdData(p, direction, session, tpAppId);
#ifdef TARGET_BASED #ifdef TARGET_BASED
snortAppId = APP_ID_SSL; snortAppId = APP_ID_SSL;
#endif #endif
#ifdef DEBUG_FW_APPID #ifdef DEBUG_FW_APPID
skipping to change at line 3268 skipping to change at line 3340
} }
else else
{ {
session->resp_tpPackets++; session->resp_tpPackets++;
checkTerminateTpModule(session->resp_tpPackets, session) ; checkTerminateTpModule(session->resp_tpPackets, session) ;
} }
} }
} }
} }
else if (session->hsession && (direction == APP_ID_FROM_RESPONDER) &&
getAppIdFlag(session, APPID_SESSION_HTTP_CONNECT))
{
if ((p->payload_size >= 13) && !strncasecmp((char *)p->payload, "HTT
P/1.1 200 ", 13))
session->hsession->is_tunnel = true;
}
if (session->tpReinspectByInitiator && checkThirdPartyReinspect(p, sessi on)) if (session->tpReinspectByInitiator && checkThirdPartyReinspect(p, sessi on))
{ {
if (*isTpAppidDiscoveryDone) if (*isTpAppidDiscoveryDone)
clearAppIdFlag(session, APPID_SESSION_APP_REINSPECT); clearAppIdFlag(session, APPID_SESSION_APP_REINSPECT);
if (direction == APP_ID_FROM_RESPONDER) if (direction == APP_ID_FROM_RESPONDER)
session->tpReinspectByInitiator = 0; //toggle at OK response session->tpReinspectByInitiator = 0; //toggle at OK response
} }
} }
PREPROC_PROFILE_END(tpPerfStats); PREPROC_PROFILE_END(tpPerfStats);
/*** End of third-party processing. ***/ /*** End of third-party processing. ***/
skipping to change at line 3797 skipping to change at line 3875
session->payloadAppId == APP_ID_NONE) session->payloadAppId == APP_ID_NONE)
session->payloadAppId = APP_ID_UNKNOWN; session->payloadAppId = APP_ID_UNKNOWN;
} }
} }
else if (TPIsAppIdAvailable(session->tpsession)) else if (TPIsAppIdAvailable(session->tpsession))
{ {
if (tpAppId > APP_ID_NONE) if (tpAppId > APP_ID_NONE)
{ {
//tp has positively identified appId, Dig deeper only if sourcefire detector //tp has positively identified appId, Dig deeper only if sourcefire detector
//identifies additional information or flow is UDP rever esed. //identifies additional information or flow is UDP rever esed.
#ifdef TARGET_BASED
if ((entry = appInfoEntryGet(tpAppId, pConfig)) if ((entry = appInfoEntryGet(tpAppId, pConfig))
&& entry->svrValidator && && entry->svrValidator &&
((entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL ) || ((entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL ) ||
((entry->flags & APPINFO_FLAG_SERVICE_UDP_REVER SED) && protocol == IPPROTO_UDP && ((entry->flags & APPINFO_FLAG_SERVICE_UDP_REVER SED) && protocol == IPPROTO_UDP &&
getAppIdFlag(session, APPID_SESSION_INITIATOR_ MONITORED | APPID_SESSION_RESPONDER_MONITORED)))) getAppIdFlag(session, APPID_SESSION_INITIATOR_ MONITORED | APPID_SESSION_RESPONDER_MONITORED))))
{ {
AppIdFlowdataDeleteAllByMask(session, APPID_SESSION_ DATA_SERVICE_MODSTATE_BIT); AppIdFlowdataDeleteAllByMask(session, APPID_SESSION_ DATA_SERVICE_MODSTATE_BIT);
#ifdef DEBUG_FW_APPID #ifdef DEBUG_FW_APPID
if (session->serviceData && compareServiceElements(s ession->serviceData, entry->svrValidator)) if (session->serviceData && compareServiceElements(s ession->serviceData, entry->svrValidator))
skipping to change at line 3826 skipping to change at line 3905
if (p->dst_port == DEBUG_FW_APPID_PORT || p->src_por t == DEBUG_FW_APPID_PORT) if (p->dst_port == DEBUG_FW_APPID_PORT || p->src_por t == DEBUG_FW_APPID_PORT)
#endif #endif
fprintf(SF_DEBUG_FILE, "%u -> %u %u RNA doing de eper inspection\n", fprintf(SF_DEBUG_FILE, "%u -> %u %u RNA doing de eper inspection\n",
(unsigned)p->src_port, (unsigned)p->dst_ port, (unsigned)protocol); (unsigned)p->src_port, (unsigned)p->dst_ port, (unsigned)protocol);
#endif #endif
} }
else else
{ {
stopRnaServiceInspection(p, session, direction); stopRnaServiceInspection(p, session, direction);
} }
#endif
} }
else else
session->rnaServiceState = RNA_STATE_STATEFUL; session->rnaServiceState = RNA_STATE_STATEFUL;
} }
else else
session->rnaServiceState = RNA_STATE_STATEFUL; session->rnaServiceState = RNA_STATE_STATEFUL;
} }
//stop rna inspection as soon as tp has classified a valid AppId lat er in the session //stop rna inspection as soon as tp has classified a valid AppId lat er in the session
if (session->rnaServiceState == RNA_STATE_STATEFUL && if (session->rnaServiceState == RNA_STATE_STATEFUL &&
prevRnaServiceState == RNA_STATE_STATEFUL && prevRnaServiceState == RNA_STATE_STATEFUL &&
!getAppIdFlag(session, APPID_SESSION_NO_TPI) && !getAppIdFlag(session, APPID_SESSION_NO_TPI) &&
TPIsAppIdAvailable(session->tpsession) && TPIsAppIdAvailable(session->tpsession) &&
tpAppId > APP_ID_NONE && tpAppId < SF_APPID_MAX) tpAppId > APP_ID_NONE && tpAppId < SF_APPID_MAX)
{ {
#ifdef TARGET_BASED
entry = appInfoEntryGet(tpAppId, pConfig); entry = appInfoEntryGet(tpAppId, pConfig);
if (entry && entry->svrValidator && !(entry->flags & APPINFO_FLA G_SERVICE_ADDITIONAL)) if (entry && entry->svrValidator && !(entry->flags & APPINFO_FLA G_SERVICE_ADDITIONAL))
{ {
if (app_id_debug_session_flag) if (app_id_debug_session_flag)
_dpd.logMsg("AppIdDbg %s Stopping service detection\n", app_id_debug_session); _dpd.logMsg("AppIdDbg %s Stopping service detection\n", app_id_debug_session);
stopRnaServiceInspection(p, session, direction); stopRnaServiceInspection(p, session, direction);
} }
#endif
} }
// Check to see if we want to stop any detectors for SIP/RTP. // Check to see if we want to stop any detectors for SIP/RTP.
if (session->rnaServiceState != RNA_STATE_FINISHED) if (session->rnaServiceState != RNA_STATE_FINISHED)
{ {
if (tpAppId == APP_ID_SIP) if (tpAppId == APP_ID_SIP)
{ {
// TP needs to see its own future flows and does a better // TP needs to see its own future flows and does a better
// job of it than we do, so stay out of its way, and don't // job of it than we do, so stay out of its way, and don't
// waste time (but we will still get the Snort callbacks // waste time (but we will still get the Snort callbacks
skipping to change at line 3946 skipping to change at line 4028
#endif #endif
//decision to directly call validator or go through elaborate servic e_state tracking //decision to directly call validator or go through elaborate servic e_state tracking
//is made once at the beginning of session. //is made once at the beginning of session.
if (session->rnaClientState == RNA_STATE_NONE && p->payload_size && direction == APP_ID_FROM_INITIATOR) if (session->rnaClientState == RNA_STATE_NONE && p->payload_size && direction == APP_ID_FROM_INITIATOR)
{ {
if (getAppIdFlag(session, APPID_SESSION_MID)) if (getAppIdFlag(session, APPID_SESSION_MID))
session->rnaClientState = RNA_STATE_FINISHED; session->rnaClientState = RNA_STATE_FINISHED;
else if (TPIsAppIdAvailable(session->tpsession) && (tpAppId = se ssion->tpAppId) > APP_ID_NONE && tpAppId < SF_APPID_MAX) else if (TPIsAppIdAvailable(session->tpsession) && (tpAppId = se ssion->tpAppId) > APP_ID_NONE && tpAppId < SF_APPID_MAX)
{ {
#ifdef TARGET_BASED
if ((entry = appInfoEntryGet(tpAppId, pConfig)) && entry->cl ntValidator && if ((entry = appInfoEntryGet(tpAppId, pConfig)) && entry->cl ntValidator &&
((entry->flags & APPINFO_FLAG_CLIENT_ADDITIONAL) || ((entry->flags & APPINFO_FLAG_CLIENT_ADDITIONAL) ||
((entry->flags & APPINFO_FLAG_CLIENT_USER) && ((entry->flags & APPINFO_FLAG_CLIENT_USER) &&
getAppIdFlag(session, APPID_SESSION_DISCOVER_USER) ))) getAppIdFlag(session, APPID_SESSION_DISCOVER_USER) )))
{ {
//tp has positively identified appId, Dig deeper only if sourcefire detector //tp has positively identified appId, Dig deeper only if sourcefire detector
//identifies additional information //identifies additional information
session->clientData = entry->clntValidator; session->clientData = entry->clntValidator;
session->rnaClientState = RNA_STATE_DIRECT; session->rnaClientState = RNA_STATE_DIRECT;
} }
else else
{ {
setAppIdFlag(session, APPID_SESSION_CLIENT_DETECTED); setAppIdFlag(session, APPID_SESSION_CLIENT_DETECTED);
session->rnaClientState = RNA_STATE_FINISHED; session->rnaClientState = RNA_STATE_FINISHED;
} }
#endif
} }
else if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION)) else if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION))
session->rnaClientState = RNA_STATE_FINISHED; session->rnaClientState = RNA_STATE_FINISHED;
else else
session->rnaClientState = RNA_STATE_STATEFUL; session->rnaClientState = RNA_STATE_STATEFUL;
} }
//stop rna inspection as soon as tp has classified a valid AppId lat er in the session //stop rna inspection as soon as tp has classified a valid AppId lat er in the session
if ((session->rnaClientState == RNA_STATE_STATEFUL || if ((session->rnaClientState == RNA_STATE_STATEFUL ||
session->rnaClientState == RNA_STATE_DIRECT) && session->rnaClientState == RNA_STATE_DIRECT) &&
session->rnaClientState == prevRnaClientState && session->rnaClientState == prevRnaClientState &&
!getAppIdFlag(session, APPID_SESSION_NO_TPI) && !getAppIdFlag(session, APPID_SESSION_NO_TPI) &&
TPIsAppIdAvailable(session->tpsession) && TPIsAppIdAvailable(session->tpsession) &&
tpAppId > APP_ID_NONE && tpAppId < SF_APPID_MAX) tpAppId > APP_ID_NONE && tpAppId < SF_APPID_MAX)
{ {
#ifdef TARGET_BASED
entry = appInfoEntryGet(tpAppId, pConfig); entry = appInfoEntryGet(tpAppId, pConfig);
if (!(entry && entry->clntValidator && entry->clntValidator == s ession->clientData && (entry->flags & (APPINFO_FLAG_CLIENT_ADDITIONAL|APPINFO_FL AG_CLIENT_USER)))) if (!(entry && entry->clntValidator && entry->clntValidator == s ession->clientData && (entry->flags & (APPINFO_FLAG_CLIENT_ADDITIONAL|APPINFO_FL AG_CLIENT_USER))))
{ {
session->rnaClientState = RNA_STATE_FINISHED; session->rnaClientState = RNA_STATE_FINISHED;
setAppIdFlag(session, APPID_SESSION_CLIENT_DETECTED); setAppIdFlag(session, APPID_SESSION_CLIENT_DETECTED);
} }
#endif
} }
if (session->rnaClientState == RNA_STATE_DIRECT) if (session->rnaClientState == RNA_STATE_DIRECT)
{ {
int ret = CLIENT_APP_INPROCESS; int ret = CLIENT_APP_INPROCESS;
#ifdef DEBUG_FW_APPID #ifdef DEBUG_FW_APPID
#if defined(DEBUG_FW_APPID_PORT) && DEBUG_FW_APPID_PORT #if defined(DEBUG_FW_APPID_PORT) && DEBUG_FW_APPID_PORT
if (p->dst_port == DEBUG_FW_APPID_PORT || p->src_port == DEBUG_F W_APPID_PORT) if (p->dst_port == DEBUG_FW_APPID_PORT || p->src_port == DEBUG_F W_APPID_PORT)
#endif #endif
skipping to change at line 4328 skipping to change at line 4414
} }
static inline void ProcessThirdPartyResults(SFSnortPacket* p, APPID_SESSION_DIRE CTION direction, tAppIdData* appIdSession, int confidence, tAppId* proto_list, T hirdPartyAppIDAttributeData* attribute_data) static inline void ProcessThirdPartyResults(SFSnortPacket* p, APPID_SESSION_DIRE CTION direction, tAppIdData* appIdSession, int confidence, tAppId* proto_list, T hirdPartyAppIDAttributeData* attribute_data)
{ {
int size; int size;
tAppId serviceAppId = 0; tAppId serviceAppId = 0;
tAppId clientAppId = 0; tAppId clientAppId = 0;
tAppId payloadAppId = 0; tAppId payloadAppId = 0;
tAppId referredPayloadAppId = 0; tAppId referredPayloadAppId = 0;
tAppIdConfig *pConfig = appIdActiveConfigGet(); tAppIdConfig *pConfig = appIdActiveConfigGet();
#ifdef TARGET_BASED
AppInfoTableEntry *entry = NULL; AppInfoTableEntry *entry = NULL;
#endif
if (!appIdSession->payloadAppId && ThirdPartyAppIDFoundProto(APP_ID_EXCHANGE , proto_list)) if (!appIdSession->payloadAppId && ThirdPartyAppIDFoundProto(APP_ID_EXCHANGE , proto_list))
appIdSession->payloadAppId = APP_ID_EXCHANGE; appIdSession->payloadAppId = APP_ID_EXCHANGE;
if (ThirdPartyAppIDFoundProto(APP_ID_HTTP, proto_list)) if (ThirdPartyAppIDFoundProto(APP_ID_HTTP, proto_list))
{ {
setAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION); setAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION);
} }
if (ThirdPartyAppIDFoundProto(APP_ID_SPDY, proto_list)) if (ThirdPartyAppIDFoundProto(APP_ID_SPDY, proto_list))
{ {
setAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_SESSION_SP DY_SESSION); setAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_SESSION_SP DY_SESSION);
} }
if (ThirdPartyAppIDFoundProto(APP_ID_SSL, proto_list)) if (ThirdPartyAppIDFoundProto(APP_ID_SSL, proto_list))
{ {
if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_TUNNEL)) if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_TUNNEL))
{ {
if (!appIdSession->serviceData) if (!appIdSession->serviceData)
{ {
#ifdef TARGET_BASED
entry = appInfoEntryGet(APP_ID_SSL, pConfig); entry = appInfoEntryGet(APP_ID_SSL, pConfig);
appIdSession->serviceData = entry->svrValidator; appIdSession->serviceData = entry->svrValidator;
#endif
} }
if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_SE SSION_SPDY_SESSION)) if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_SE SSION_SPDY_SESSION))
clearAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_ SESSION_SPDY_SESSION); clearAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_ SESSION_SPDY_SESSION);
} }
setAppIdFlag(appIdSession, APPID_SESSION_SSL_SESSION); setAppIdFlag(appIdSession, APPID_SESSION_SSL_SESSION);
} }
if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION)) if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION))
{ {
if (!appIdSession->hsession) if (!appIdSession->hsession)
skipping to change at line 4830 skipping to change at line 4920
DynamicPreprocessorFatalMessage("Could not allocate tlsSession d ata"); DynamicPreprocessorFatalMessage("Could not allocate tlsSession d ata");
} }
if (!appIdSession->clientAppId) if (!appIdSession->clientAppId)
setClientAppIdData(p, direction, appIdSession, APP_ID_SSL_CLIENT, NU LL); setClientAppIdData(p, direction, appIdSession, APP_ID_SSL_CLIENT, NU LL);
reInspectSSLAppId = testSSLAppIdForReinspect(tmpAppId); reInspectSSLAppId = testSSLAppIdForReinspect(tmpAppId);
if (attribute_data->tlsHost) if (attribute_data->tlsHost)
{ {
if (appIdSession->tsession->tls_host) /* This flag is to avoid NAVL overwritting SSL provided SNI */
free(appIdSession->tsession->tls_host); if (!(appIdSession->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
appIdSession->tsession->tls_host = attribute_data->tlsHost; {
attribute_data->tlsHost = NULL; if (appIdSession->tsession->tls_host)
if (reInspectSSLAppId) free(appIdSession->tsession->tls_host);
appIdSession->scan_flags |= SCAN_SSL_HOST_FLAG; appIdSession->tsession->tls_host = attribute_data->tlsHost;
attribute_data->tlsHost = NULL;
if (reInspectSSLAppId)
appIdSession->scan_flags |= SCAN_SSL_HOST_FLAG;
}
} }
if (attribute_data->tlsCname) if (attribute_data->tlsCname)
{ {
if (appIdSession->tsession->tls_cname) /* This flag is to avoid NAVL overwritting SSL provided CN */
free(appIdSession->tsession->tls_cname); if (!(appIdSession->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
appIdSession->tsession->tls_cname = attribute_data->tlsCname; {
attribute_data->tlsCname = NULL; if (appIdSession->tsession->tls_cname)
if (reInspectSSLAppId) free(appIdSession->tsession->tls_cname);
appIdSession->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG; appIdSession->tsession->tls_cname = attribute_data->tlsCname;
attribute_data->tlsCname = NULL;
if (reInspectSSLAppId)
appIdSession->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
}
} }
if (reInspectSSLAppId) if (reInspectSSLAppId)
{ {
if (attribute_data->tlsOrgUnit) if (attribute_data->tlsOrgUnit)
{ {
if (appIdSession->tsession->tls_orgUnit) /* This flag is to avoid NAVL overwritting SSL provided ORG */
free(appIdSession->tsession->tls_orgUnit); if (!(appIdSession->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
appIdSession->tsession->tls_orgUnit = attribute_data->tlsOrgUnit {
; if (appIdSession->tsession->tls_orgUnit)
attribute_data->tlsOrgUnit = NULL; free(appIdSession->tsession->tls_orgUnit);
appIdSession->tsession->tls_orgUnit = attribute_data->tlsOrg
Unit;
attribute_data->tlsOrgUnit = NULL;
}
} }
} }
} }
else if (ThirdPartyAppIDFoundProto(APP_ID_FTP_CONTROL, proto_list)) else if (ThirdPartyAppIDFoundProto(APP_ID_FTP_CONTROL, proto_list))
{ {
if (!appidStaticConfig->ftp_userid_disabled && attribute_data->ftpComman dUser) if (!appidStaticConfig->ftp_userid_disabled && attribute_data->ftpComman dUser)
{ {
if (appIdSession->username) if (appIdSession->username)
free(appIdSession->username); free(appIdSession->username);
appIdSession->username = attribute_data->ftpCommandUser; appIdSession->username = attribute_data->ftpCommandUser;
attribute_data->ftpCommandUser = NULL; attribute_data->ftpCommandUser = NULL;
appIdSession->usernameService = APP_ID_FTP_CONTROL; appIdSession->usernameService = APP_ID_FTP_CONTROL;
setAppIdFlag(appIdSession, APPID_SESSION_LOGIN_SUCCEEDED); setAppIdFlag(appIdSession, APPID_SESSION_LOGIN_SUCCEEDED);
} }
} }
} }
void appSetServiceDetectorCallback(RNAServiceCallbackFCN fcn, tAppId appId, stru ct _Detector *userdata, tAppIdConfig *pConfig) void appSetServiceDetectorCallback(RNAServiceCallbackFCN fcn, tAppId appId, stru ct _Detector *userdata, tAppIdConfig *pConfig)
{ {
#ifdef TARGET_BASED
AppInfoTableEntry* entry; AppInfoTableEntry* entry;
if ((entry = appInfoEntryGet(appId, pConfig))) if ((entry = appInfoEntryGet(appId, pConfig)))
{ {
if (entry->svrValidator) if (entry->svrValidator)
{ {
if (entry->flags & APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK) if (entry->flags & APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK)
{ {
_dpd.errMsg("AppId: Service detector callback already registerte d for appid %d\n", appId); _dpd.errMsg("AppId: Service detector callback already registerte d for appid %d\n", appId);
return; return;
} }
entry->svrValidator->userdata = userdata; entry->svrValidator->userdata = userdata;
entry->svrValidator->detectorCallback = fcn; entry->svrValidator->detectorCallback = fcn;
entry->flags |= APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK; entry->flags |= APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK;
} }
} }
#endif
return; return;
} }
void appSetClientDetectorCallback(RNAClientAppCallbackFCN fcn, tAppId appId, str uct _Detector *userdata, tAppIdConfig *pConfig) void appSetClientDetectorCallback(RNAClientAppCallbackFCN fcn, tAppId appId, str uct _Detector *userdata, tAppIdConfig *pConfig)
{ {
#ifdef TARGET_BASED
AppInfoTableEntry* entry; AppInfoTableEntry* entry;
if ((entry = appInfoEntryGet(appId, pConfig))) if ((entry = appInfoEntryGet(appId, pConfig)))
{ {
if (entry->clntValidator) if (entry->clntValidator)
{ {
if (entry->flags & APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK) if (entry->flags & APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK)
{ {
_dpd.errMsg("AppId: Client detector callback already registerted for appid %d\n", appId); _dpd.errMsg("AppId: Client detector callback already registerted for appid %d\n", appId);
return; return;
} }
entry->clntValidator->userData = userdata; entry->clntValidator->userData = userdata;
entry->clntValidator->detectorCallback = fcn; entry->clntValidator->detectorCallback = fcn;
entry->flags |= APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK; entry->flags |= APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK;
} }
} }
#endif
return; return;
} }
void appSetServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsigned extractsInfo, tAppIdConfig *pConfig) void appSetServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsigned extractsInfo, tAppIdConfig *pConfig)
{ {
AppInfoTableEntry* pEntry = appInfoEntryGet(appId, pConfig); AppInfoTableEntry* pEntry = appInfoEntryGet(appId, pConfig);
if (!pEntry) if (!pEntry)
{ {
_dpd.errMsg("AppId", "Invalid direct service AppId, %d, for %p", appId, fcn); _dpd.errMsg("AppId", "Invalid direct service AppId, %d, for %p", appId, fcn);
return; return;
skipping to change at line 4936 skipping to change at line 5042
} }
pEntry->svrValidator = ServiceGetServiceElement(fcn, NULL, pConfig); pEntry->svrValidator = ServiceGetServiceElement(fcn, NULL, pConfig);
if (pEntry->svrValidator) if (pEntry->svrValidator)
pEntry->flags |= extractsInfo; pEntry->flags |= extractsInfo;
else else
_dpd.errMsg("AppId", "Failed to find a service element for %p with AppId %d", fcn, appId); _dpd.errMsg("AppId", "Failed to find a service element for %p with AppId %d", fcn, appId);
} }
void appSetLuaServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsign ed extractsInfo, struct _Detector *data) void appSetLuaServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsign ed extractsInfo, struct _Detector *data)
{ {
#ifdef TARGET_BASED
AppInfoTableEntry *entry; AppInfoTableEntry *entry;
tAppIdConfig *pConfig = appIdNewConfigGet(); tAppIdConfig *pConfig = appIdNewConfigGet();
if ((entry = appInfoEntryGet(appId, pConfig))) if ((entry = appInfoEntryGet(appId, pConfig)))
{ {
entry->flags |= APPINFO_FLAG_ACTIVE; entry->flags |= APPINFO_FLAG_ACTIVE;
extractsInfo &= (APPINFO_FLAG_SERVICE_ADDITIONAL | APPINFO_FLAG_SERVICE_ UDP_REVERSED); extractsInfo &= (APPINFO_FLAG_SERVICE_ADDITIONAL | APPINFO_FLAG_SERVICE_ UDP_REVERSED);
if (!extractsInfo) if (!extractsInfo)
skipping to change at line 4961 skipping to change at line 5068
entry->svrValidator = ServiceGetServiceElement(fcn, data, pConfig); entry->svrValidator = ServiceGetServiceElement(fcn, data, pConfig);
if (entry->svrValidator) if (entry->svrValidator)
entry->flags |= extractsInfo; entry->flags |= extractsInfo;
else else
_dpd.errMsg("AppId: Failed to find a service element for %p %p with AppId %d", fcn, data, appId); _dpd.errMsg("AppId: Failed to find a service element for %p %p with AppId %d", fcn, data, appId);
} }
else else
{ {
_dpd.errMsg("Invalid direct service AppId, %d, for %p %p\n",appId, fcn, data); _dpd.errMsg("Invalid direct service AppId, %d, for %p %p\n",appId, fcn, data);
} }
#endif
} }
void appSetClientValidator(RNAClientAppFCN fcn, tAppId appId, unsigned extractsI nfo, tAppIdConfig *pConfig) void appSetClientValidator(RNAClientAppFCN fcn, tAppId appId, unsigned extractsI nfo, tAppIdConfig *pConfig)
{ {
AppInfoTableEntry* pEntry = appInfoEntryGet(appId, pConfig); AppInfoTableEntry* pEntry = appInfoEntryGet(appId, pConfig);
if (!pEntry) if (!pEntry)
{ {
_dpd.errMsg("AppId", "Invalid direct client application AppId, %d, for % p", appId, fcn); _dpd.errMsg("AppId", "Invalid direct client application AppId, %d, for % p", appId, fcn);
return; return;
} }
skipping to change at line 5197 skipping to change at line 5305
} }
if(*serviceAppId != APP_ID_NONE || if(*serviceAppId != APP_ID_NONE ||
*clientAppId != APP_ID_NONE || *clientAppId != APP_ID_NONE ||
*payloadAppId != APP_ID_NONE) *payloadAppId != APP_ID_NONE)
{ {
return 1; return 1;
} }
return 0; return 0;
} }
/*
* In TLS 1.3, certificates come encrypted, hence SSL module does the
* certificate decryption and provides the SNI/first-SAN/CN/ON to AppId module.
* This API does the following:
* 1. AppIds detection corresponding to the SNI/first-SAN/CN/ON
* 2. Store the AppIds and SNI/first-SAN/CN/ON in AppID session struct.
* 3. To make sure the SSL provided SNI/first-SAN/CN/ON are not further overwri
tten
* by NAVL, appropriate flags are set.
* Note:
* Valid SNI: SNI->first_SAN->CN->OU
* No SNI/Mismatched SNI: first_SAN->CN->OU
*/
void setTlsHost(void *ssnptr, const char *serverName, const char *commonName,
const char *orgName, const char *subjectAltName, bool isSniMisma
tch,
tAppId *serviceAppId, tAppId *clientAppId, tAppId *payloadAppId)
{
tAppIdData *session;
*serviceAppId = *clientAppId = *payloadAppId = APP_ID_NONE;
if (app_id_debug_session_flag)
_dpd.logMsg("Received serverName=%s, commonName=%s, orgName=%s, subjectA
ltName=%s, isSniMismatch=%s, from SSL\n",
serverName, commonName, orgName, subjectAltName, isSniMismatch?"
true":"false");
if (ssnptr && (session = getAppIdData(ssnptr)))
{
if (!session->tsession)
session->tsession = calloc(1, sizeof(*session->tsession));
session->scan_flags |= SCAN_SSL_HOST_FLAG;
session->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
session->scan_flags |= SCAN_CERTVIZ_ENABLED_FLAG;
if (isSniMismatch)
session->scan_flags |= SCAN_SPOOFED_SNI_FLAG;
if (serverName && !isSniMismatch)
{
if (session->tsession->tls_host)
free(session->tsession->tls_host);
session->tsession->tls_host = strdup(serverName);
session->tsession->tls_host_strlen = strlen(serverName);
}
if (subjectAltName)
{
if (session->tsession->tls_first_san)
free(session->tsession->tls_first_san);
session->tsession->tls_first_san = strdup(subjectAltName);
session->tsession->tls_first_san_strlen = strlen(subjectAltName);
}
if (commonName)
{
if (session->tsession->tls_cname)
free(session->tsession->tls_cname);
session->tsession->tls_cname = strdup(commonName);
session->tsession->tls_cname_strlen = strlen(commonName);
}
if (orgName)
{
if (session->tsession->tls_orgUnit)
free(session->tsession->tls_orgUnit);
session->tsession->tls_orgUnit = strdup(orgName);
session->tsession->tls_orgUnit_strlen = strlen(orgName);
}
(void)scanSslParamsLookupAppId(session, (const char*)session->tsession->
tls_host,
isSniMismatch, (const char*)session->tsession->tls_first_san,
(const char*)session->tsession->tls_cname,
(const char*)session->tsession->tls_orgUnit, clientAppId, payloa
dAppId);
*serviceAppId = pickServiceAppId(session);
if (APP_ID_NONE == *clientAppId)
*clientAppId = pickClientAppId(session);
if (APP_ID_NONE == *payloadAppId)
*payloadAppId = pickPayloadId(session);
session->serviceAppId = *serviceAppId;
session->clientAppId = *clientAppId;
session->payloadAppId = *payloadAppId;
if (app_id_debug_session_flag)
_dpd.logMsg("serviceAppId %d, clientAppId %d, payloadAppId %d\n",
session->serviceAppId, session->clientAppId, session->payloa
dAppId);
}
}
void httpHeaderCallback (SFSnortPacket *p, HttpParsedHeaders *const headers) void httpHeaderCallback (SFSnortPacket *p, HttpParsedHeaders *const headers)
{ {
tAppIdData *session; tAppIdData *session;
APPID_SESSION_DIRECTION direction; APPID_SESSION_DIRECTION direction;
tAppIdConfig *pConfig = appIdActiveConfigGet(); tAppIdConfig *pConfig = appIdActiveConfigGet();
if (thirdparty_appid_module) if (thirdparty_appid_module)
return; return;
if (!p || !(session = getAppIdData(p->stream_session))) if (!p || !(session = getAppIdData(p->stream_session)))
return; return;
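Review bot: The `calloc` that creates `session->tsession` in the new setTlsHost is unchecked, and the `session->tsession->tls_host` accesses a few lines below dereference it; the existing allocation of the same struct earlier in this file aborts with `DynamicPreprocessorFatalMessage("Could not allocate tlsSession data")`, so the new path should match it: `if (!session->tsession && !(session->tsession = calloc(1, sizeof(*session->tsession)))) DynamicPreprocessorFatalMessage("Could not allocate tlsSession data");`. The debug `_dpd.logMsg` at the top of the function passes `serverName`, `commonName`, `orgName` and `subjectAltName` to `%s` even though the later `if (serverName && ...)` / `if (subjectAltName)` / `if (commonName)` / `if (orgName)` checks show any of them may be NULL, which is undefined behaviour for a printf-style format; guard each argument, e.g. `serverName ? serverName : "(null)"`. The four `strdup` results are likewise unchecked while the paired `*_strlen` fields are set from the input string, so an allocation failure leaves a NULL `tls_host` next to a non-zero `tls_host_strlen`; either abort on NULL as for the struct allocation or set the length only after a successful copy. These values come from the remote peer's TLS handshake and certificate (per the comment above the function), so keeping the pointer/length pair consistent is worth pinning down before other code consumes them.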
 End of changes. 49 change blocks. 
64 lines changed or deleted 279 lines changed or added
