is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.
| fw_appid.c (snort-2.9.16.1) | : | fw_appid.c (snort-2.9.17) |
|---|
| | |
| skipping to change at line 96 | | skipping to change at line 96 |
|---|
| PreprocStats tpPerfStats; | | PreprocStats tpPerfStats; |
| PreprocStats tpLibPerfStats; | | PreprocStats tpLibPerfStats; |
| PreprocStats httpPerfStats; | | PreprocStats httpPerfStats; |
| PreprocStats clientMatchPerfStats; | | PreprocStats clientMatchPerfStats; |
| PreprocStats serviceMatchPerfStats; | | PreprocStats serviceMatchPerfStats; |
| #endif | | #endif |
| | |
| #define HTTP_PATTERN_MAX_LEN 1024 | | #define HTTP_PATTERN_MAX_LEN 1024 |
| #define PORT_MAX 65535 | | #define PORT_MAX 65535 |
| | |
|
| | unsigned long app_id_ongoing_session = 0; |
| | unsigned long app_id_total_alloc = 0; |
| unsigned long app_id_raw_packet_count = 0; | | unsigned long app_id_raw_packet_count = 0; |
| unsigned long app_id_processed_packet_count = 0; | | unsigned long app_id_processed_packet_count = 0; |
| unsigned long app_id_ignored_packet_count = 0; | | unsigned long app_id_ignored_packet_count = 0; |
| static tAppIdData *app_id_free_list; | | static tAppIdData *app_id_free_list; |
| static tTmpAppIdData *tmp_app_id_free_list; | | static tTmpAppIdData *tmp_app_id_free_list; |
| static uint32_t snortInstance; | | static uint32_t snortInstance; |
| int app_id_debug; | | int app_id_debug; |
| static int ptype_scan_counts[NUMBER_OF_PTYPES]; | | static int ptype_scan_counts[NUMBER_OF_PTYPES]; |
| | |
| static void ProcessThirdPartyResults(SFSnortPacket* p, APPID_SESSION_DIRECTION d
irection, tAppIdData* appIdSession, int confidence, tAppId* proto_list, ThirdPar
tyAppIDAttributeData* attribute_data); | | static void ProcessThirdPartyResults(SFSnortPacket* p, APPID_SESSION_DIRECTION d
irection, tAppIdData* appIdSession, int confidence, tAppId* proto_list, ThirdPar
tyAppIDAttributeData* attribute_data); |
| | |
| skipping to change at line 316 | | skipping to change at line 318 |
|---|
| RNAServiceSubtype *subtype; | | RNAServiceSubtype *subtype; |
| | |
| if (sharedData) | | if (sharedData) |
| { | | { |
| #ifdef DEBUG_FW_APPID | | #ifdef DEBUG_FW_APPID |
| #if defined(DEBUG_FW_APPID_PORT) && DEBUG_FW_APPID_PORT | | #if defined(DEBUG_FW_APPID_PORT) && DEBUG_FW_APPID_PORT |
| if (sharedData->service_port == DEBUG_FW_APPID_PORT) | | if (sharedData->service_port == DEBUG_FW_APPID_PORT) |
| #endif | | #endif |
| fprintf(SF_DEBUG_FILE, "Deleting session %p\n", sharedData); | | fprintf(SF_DEBUG_FILE, "Deleting session %p\n", sharedData); |
| #endif | | #endif |
|
| | app_id_ongoing_session--; |
| #ifdef REG_TEST | | #ifdef REG_TEST |
| if (appidStaticConfig->appid_reg_test_mode) | | if (appidStaticConfig->appid_reg_test_mode) |
| appIdRegTestDumpEndOfSession(sharedData); | | appIdRegTestDumpEndOfSession(sharedData); |
| #endif | | #endif |
| /*check daq flag */ | | /*check daq flag */ |
| appIdStatsUpdate(sharedData); | | appIdStatsUpdate(sharedData); |
| | |
| if (sharedData->ssn) | | if (sharedData->ssn) |
| FailInProcessService(sharedData, pAppidActiveConfig); | | FailInProcessService(sharedData, pAppidActiveConfig); |
| AppIdFlowdataFree(sharedData); | | AppIdFlowdataFree(sharedData); |
| | |
| skipping to change at line 381 | | skipping to change at line 384 |
|---|
| | |
| static int16_t snortId_for_unsynchronized; | | static int16_t snortId_for_unsynchronized; |
| static int16_t snortId_for_ftp_data; | | static int16_t snortId_for_ftp_data; |
| static int16_t snortId_for_http2; | | static int16_t snortId_for_http2; |
| | |
| tAppIdData* appSharedDataAlloc(uint8_t proto, const struct in6_addr *ip, uint16
_t port) | | tAppIdData* appSharedDataAlloc(uint8_t proto, const struct in6_addr *ip, uint16
_t port) |
| { | | { |
| static uint32_t gFlowId; | | static uint32_t gFlowId; |
| tAppIdData *data; | | tAppIdData *data; |
| | |
|
| | app_id_ongoing_session++; |
| if (app_id_free_list) | | if (app_id_free_list) |
| { | | { |
| data = app_id_free_list; | | data = app_id_free_list; |
| app_id_free_list = data->next; | | app_id_free_list = data->next; |
| memset(data, 0, sizeof(*data)); | | memset(data, 0, sizeof(*data)); |
| } | | } |
| else if (!(data = calloc(1, sizeof(*data)))) | | else if (!(data = calloc(1, sizeof(*data)))) |
| DynamicPreprocessorFatalMessage("Could not allocate tAppIdData data"); | | DynamicPreprocessorFatalMessage("Could not allocate tAppIdData data"); |
| | |
|
| | app_id_total_alloc++; |
| | |
| if (thirdparty_appid_module) | | if (thirdparty_appid_module) |
| if (!(data->tpsession = thirdparty_appid_module->session_create())) | | if (!(data->tpsession = thirdparty_appid_module->session_create())) |
| DynamicPreprocessorFatalMessage("Could not allocate tAppIdData->tpse
ssion data"); | | DynamicPreprocessorFatalMessage("Could not allocate tAppIdData->tpse
ssion data"); |
| | |
| data->flowId = ++gFlowId; | | data->flowId = ++gFlowId; |
| data->common.fsf_type.flow_type = APPID_SESSION_TYPE_NORMAL; | | data->common.fsf_type.flow_type = APPID_SESSION_TYPE_NORMAL; |
| data->proto = proto; | | data->proto = proto; |
| data->common.initiator_ip = *ip; | | data->common.initiator_ip = *ip; |
| data->common.initiator_port = port; | | data->common.initiator_port = port; |
| data->snortId = snortId_for_unsynchronized; | | data->snortId = snortId_for_unsynchronized; |
| | |
| skipping to change at line 2248 | | skipping to change at line 2254 |
|---|
| // Next packet after the command will have encrypted traffic. | | // Next packet after the command will have encrypted traffic. |
| // In the case of a session which starts as SSL, current packet itself i
s encrypted. Set the special flag | | // In the case of a session which starts as SSL, current packet itself i
s encrypted. Set the special flag |
| // APPID_SESSION_APP_REINSPECT_SSL which allows reinspection of this pac
ket. | | // APPID_SESSION_APP_REINSPECT_SSL which allows reinspection of this pac
ket. |
| if (isSsl) | | if (isSsl) |
| setAppIdFlag(session, APPID_SESSION_APP_REINSPECT_SSL); | | setAppIdFlag(session, APPID_SESSION_APP_REINSPECT_SSL); |
| } | | } |
| } | | } |
| | |
| static inline void checkRestartTunnelDetection(tAppIdData *session) | | static inline void checkRestartTunnelDetection(tAppIdData *session) |
| { | | { |
|
| if (session->tpPayloadAppId == APP_ID_HTTP_TUNNEL && !getAppIdFlag(session, | | if ((session->hsession && session->hsession->is_tunnel) || |
| APPID_SESSION_HTTP_TUNNEL)) | | (session->tpPayloadAppId == APP_ID_HTTP_TUNNEL && !getAppIdFlag(session, |
| | APPID_SESSION_HTTP_TUNNEL))) |
| { | | { |
| if (app_id_debug_session_flag) | | if (app_id_debug_session_flag) |
| _dpd.logMsg("AppIdDbg %s Found HTTP Tunnel, restarting app Detection
\n", app_id_debug_session); | | _dpd.logMsg("AppIdDbg %s Found HTTP Tunnel, restarting app Detection
\n", app_id_debug_session); |
| | |
| // Service | | // Service |
| if (session->serviceAppId == session->portServiceAppId) | | if (session->serviceAppId == session->portServiceAppId) |
| session->serviceAppId = APP_ID_NONE; | | session->serviceAppId = APP_ID_NONE; |
| session->portServiceAppId = APP_ID_NONE; | | session->portServiceAppId = APP_ID_NONE; |
| if (session->serviceVendor) | | if (session->serviceVendor) |
| { | | { |
| | |
| skipping to change at line 2297 | | skipping to change at line 2304 |
|---|
| } | | } |
| session->num_candidate_clients_tried = 0; | | session->num_candidate_clients_tried = 0; |
| AppIdFlowdataDeleteAllByMask(session, APPID_SESSION_DATA_CLIENT_MODSTATE
_BIT); | | AppIdFlowdataDeleteAllByMask(session, APPID_SESSION_DATA_CLIENT_MODSTATE
_BIT); |
| | |
| session->init_tpPackets = 0; | | session->init_tpPackets = 0; |
| session->resp_tpPackets = 0; | | session->resp_tpPackets = 0; |
| | |
| session->scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG; | | session->scan_flags &= ~SCAN_HTTP_HOST_URL_FLAG; |
| clearAppIdFlag(session, APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_C
LIENT_DETECTED | | clearAppIdFlag(session, APPID_SESSION_SERVICE_DETECTED | APPID_SESSION_C
LIENT_DETECTED |
| | APPID_SESSION_HTTP_SESSION | APPID_SESSION_HTT
P_CONNECT); | | | APPID_SESSION_HTTP_SESSION | APPID_SESSION_HTT
P_CONNECT); |
|
| | if (session->hsession && session->hsession->is_tunnel) |
| | { |
| | session->hsession->is_tunnel = false; |
| | if (appidStaticConfig->http_tunnel_detect == HTTP_TUNNEL_DETECT_REST |
| | ART_AND_RESET && thirdparty_appid_module) |
| | { |
| | thirdparty_appid_module->session_delete(session->tpsession, 0); |
| | session->tpsession = NULL; |
| | } |
| | } |
| | |
| setAppIdFlag(session, APPID_SESSION_HTTP_TUNNEL); | | setAppIdFlag(session, APPID_SESSION_HTTP_TUNNEL); |
| } | | } |
| return; | | return; |
| } | | } |
| | |
| static inline void checkRestartAppDetection(tAppIdData *session) | | static inline void checkRestartAppDetection(tAppIdData *session) |
| { | | { |
| checkRestartSSLDetection(session); | | checkRestartSSLDetection(session); |
| checkRestartTunnelDetection(session); | | checkRestartTunnelDetection(session); |
| | |
| skipping to change at line 2357 | | skipping to change at line 2373 |
|---|
| session->miscAppId = APP_ID_IRCS; | | session->miscAppId = APP_ID_IRCS; |
| break; | | break; |
| case APP_ID_POP3: | | case APP_ID_POP3: |
| session->miscAppId = APP_ID_POP3S; | | session->miscAppId = APP_ID_POP3S; |
| break; | | break; |
| default: | | default: |
| break; | | break; |
| } | | } |
| } | | } |
| | |
|
| static inline void ExamineSslMetadata(SFSnortPacket *p, APPID_SESSION_DIRECTION | | /* |
| direction, tAppIdData *session, tAppIdConfig *pConfig) | | * Desc: This function does AppId detection corresponding to the SSL params |
| | * The order of processing is: |
| | * Valid SNI: SNI->first_SAN->CN->OU |
| | * No SNI/Mismatched SNI: first_SAN->CN->OU |
| | */ |
| | static int scanSslParamsLookupAppId(tAppIdData *session, const char *serverName, |
| | bool isSniMismatch, const char *subjectAltName, const char *commonNa |
| | me, |
| | const char *orgName, tAppId *clientAppId, tAppId *payloadAppId) |
| { | | { |
|
| size_t size; | | int ret = 0; |
| int ret; | | |
| tAppId clientAppId = 0; | | |
| tAppId payloadAppId = 0; | | |
| | |
|
| if ((session->scan_flags & SCAN_SSL_HOST_FLAG) && session->tsession->tls_hos
t) | | if ((session->scan_flags & SCAN_SSL_HOST_FLAG) && serverName && !isSniMismat
ch) |
| { | | { |
|
| size = strlen(session->tsession->tls_host); | | ret = ssl_scan_hostname((const uint8_t *)serverName, strlen(serverName), |
| if ((ret = ssl_scan_hostname((const u_int8_t *)session->tsession->tls_ho | | clientAppId, payloadAppId, &pAppidActiveConfig->serviceSslConfig |
| st, size, &clientAppId, &payloadAppId, &pConfig->serviceSslConfig))) | | ); |
| { | | session->tsession->matched_tls_type = MATCHED_TLS_HOST; |
| if (session->clientAppId == APP_ID_NONE || | | |
| session->clientAppId == APP_ID_SSL_CLIENT) | | |
| setClientAppIdData(p, direction, session, clientAppId, NULL); | | |
| setPayloadAppIdData(p, direction, session, payloadAppId, NULL); | | |
| setSSLSquelch(p, ret, (ret == 1 ? payloadAppId : clientAppId)); | | |
| } | | |
| session->scan_flags &= ~SCAN_SSL_HOST_FLAG; | | session->scan_flags &= ~SCAN_SSL_HOST_FLAG; |
|
| // ret = 0; | | |
| } | | } |
|
| if ((session->scan_flags & SCAN_SSL_CERTIFICATE_FLAG) && session->tsession-> | | |
| tls_cname) | | if (subjectAltName && (APP_ID_NONE == *clientAppId) && (APP_ID_NONE == *payl |
| | oadAppId)) |
| { | | { |
|
| size = strlen(session->tsession->tls_cname); | | ret = ssl_scan_hostname((const uint8_t *)subjectAltName, strlen(subjectA |
| if ((ret = ssl_scan_cname((const u_int8_t *)session->tsession->tls_cname | | ltName), |
| , size, &clientAppId, &payloadAppId, &pConfig->serviceSslConfig))) | | clientAppId, payloadAppId, &pAppidActiveConfig->serviceSslConfig |
| { | | ); |
| if (session->clientAppId == APP_ID_NONE || | | session->tsession->matched_tls_type = MATCHED_TLS_FIRST_SAN; |
| session->clientAppId == APP_ID_SSL_CLIENT) | | } |
| setClientAppIdData(p, direction, session, clientAppId, NULL); | | |
| setPayloadAppIdData(p, direction, session, payloadAppId, NULL); | | if ((session->scan_flags & SCAN_SSL_CERTIFICATE_FLAG) && commonName && |
| setSSLSquelch(p, ret, (ret == 1 ? payloadAppId : clientAppId)); | | (APP_ID_NONE == *clientAppId) && (APP_ID_NONE == *payloadAppId)) |
| } | | { |
| | ret = ssl_scan_cname((const uint8_t *)commonName, strlen(commonName), |
| | clientAppId, payloadAppId, &pAppidActiveConfig->serviceSslConfig |
| | ); |
| | session->tsession->matched_tls_type = MATCHED_TLS_CNAME; |
| session->scan_flags &= ~SCAN_SSL_CERTIFICATE_FLAG; | | session->scan_flags &= ~SCAN_SSL_CERTIFICATE_FLAG; |
|
| // ret = 0; | | |
| } | | } |
|
| | |
| | if (orgName && (APP_ID_NONE == *clientAppId) && (APP_ID_NONE == *payloadAppI |
| | d)) |
| | { |
| | ret = ssl_scan_cname((const uint8_t *)orgName, strlen(orgName), |
| | clientAppId, payloadAppId, &pAppidActiveConfig->serviceSslConfig |
| | ); |
| | session->tsession->matched_tls_type = MATCHED_TLS_ORG_UNIT; |
| | } |
| | |
| | if ((APP_ID_NONE == *clientAppId) && (APP_ID_NONE == *payloadAppId)) |
| | session->tsession->matched_tls_type = MATCHED_TLS_NONE; |
| | |
| | return ret; |
| | } |
| | |
| | static inline void ExamineSslMetadata(SFSnortPacket *p, APPID_SESSION_DIRECTION |
| | direction, tAppIdData *session, tAppIdConfig *pConfig) |
| | { |
| | int ret = 0; |
| | tAppId clientAppId = 0; |
| | tAppId payloadAppId = 0; |
| | |
| | /* TLS params already scanned, skip scanning again */ |
| | if ((session->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG)) |
| | return; |
| | |
| | ret = scanSslParamsLookupAppId(session, (const char*)session->tsession->tls_ |
| | host, |
| | false, NULL, (const char*)session->tsession->tls_cname, |
| | (const char*)session->tsession->tls_orgUnit, &clientAppId, &payloadA |
| | ppId); |
| | |
| | if (session->clientAppId == APP_ID_NONE || |
| | session->clientAppId == APP_ID_SSL_CLIENT) |
| | setClientAppIdData(p, direction, session, clientAppId, NULL); |
| | setPayloadAppIdData(p, direction, session, payloadAppId, NULL); |
| | setSSLSquelch(p, ret, (ret == 1 ? payloadAppId : clientAppId)); |
| | |
| if (session->tsession->tls_orgUnit) | | if (session->tsession->tls_orgUnit) |
| { | | { |
|
| size = strlen(session->tsession->tls_orgUnit); | | |
| if ((ret = ssl_scan_cname((const u_int8_t *)session->tsession->tls_orgUn | | |
| it, size, &clientAppId, &payloadAppId, &pConfig->serviceSslConfig))) | | |
| { | | |
| if (session->clientAppId == APP_ID_NONE) | | |
| setClientAppIdData(p, direction, session, clientAppId, NULL); | | |
| setPayloadAppIdData(p, direction, session, payloadAppId, NULL); | | |
| setSSLSquelch(p, ret, (ret == 1 ? payloadAppId : clientAppId)); | | |
| } | | |
| free(session->tsession->tls_orgUnit); | | free(session->tsession->tls_orgUnit); |
| session->tsession->tls_orgUnit = NULL; | | session->tsession->tls_orgUnit = NULL; |
|
| // ret = 0; | | |
| } | | } |
|
| | |
| | if (session->tsession->tls_handshake_done && |
| | session->payloadAppId == APP_ID_NONE) |
| | { |
| | if (app_id_debug_session_flag) |
| | _dpd.logMsg("AppIdDbg %s End of SSL/TLS handshake detected with no p |
| | ayloadAppId, so setting to unknown\n", app_id_debug_session); |
| | session->payloadAppId = APP_ID_UNKNOWN; |
| | } |
| | |
| } | | } |
| | |
| static inline int RunClientDetectors(tAppIdData *session, | | static inline int RunClientDetectors(tAppIdData *session, |
| SFSnortPacket *p, | | SFSnortPacket *p, |
| int direction, | | int direction, |
| tAppIdConfig *pConfig) | | tAppIdConfig *pConfig) |
| { | | { |
| int ret = CLIENT_APP_INPROCESS; | | int ret = CLIENT_APP_INPROCESS; |
| const struct RNAClientAppModule *tmpClientData = session->clientData; | | const struct RNAClientAppModule *tmpClientData = session->clientData; |
| | |
| | |
| skipping to change at line 2517 | | skipping to change at line 2567 |
|---|
| // in the rna_app.yaml file entry; so ignore the tempSnortId == 0 ca
se. | | // in the rna_app.yaml file entry; so ignore the tempSnortId == 0 ca
se. |
| // Then if the value is different call the api. | | // Then if the value is different call the api. |
| if ((tempSnortId != 0 || (tempSnortId = (newAppId == APP_ID_HTTP2) ?
snortId_for_http2 : 0)) && | | if ((tempSnortId != 0 || (tempSnortId = (newAppId == APP_ID_HTTP2) ?
snortId_for_http2 : 0)) && |
| tempSnortId != session->snortId) | | tempSnortId != session->snortId) |
| { | | { |
| session->snortId = tempSnortId; // remember the most recent chan
ge | | session->snortId = tempSnortId; // remember the most recent chan
ge |
| // inform Snort so that other preprocessors can be turned on/off | | // inform Snort so that other preprocessors can be turned on/off |
| if (app_id_debug_session_flag) | | if (app_id_debug_session_flag) |
| if (tempSnortId == snortId_for_http2) | | if (tempSnortId == snortId_for_http2) |
| _dpd.logMsg("AppIdDbg %s Telling Snort that it's HTTP/2\
n", app_id_debug_session); | | _dpd.logMsg("AppIdDbg %s Telling Snort that it's HTTP/2\
n", app_id_debug_session); |
|
| | #ifdef TARGET_BASED |
| _dpd.sessionAPI->set_application_protocol_id(p->stream_session,
tempSnortId); | | _dpd.sessionAPI->set_application_protocol_id(p->stream_session,
tempSnortId); |
|
| | #endif |
| p->application_protocol_ordinal = tempSnortId; | | p->application_protocol_ordinal = tempSnortId; |
| } | | } |
| } | | } |
| } | | } |
| } | | } |
| | |
| static inline void checkTerminateTpModule(uint16_t tpPktCount, tAppIdData *sessi
on) | | static inline void checkTerminateTpModule(uint16_t tpPktCount, tAppIdData *sessi
on) |
| { | | { |
| if ((tpPktCount >= appidStaticConfig->max_tp_flow_depth) || | | if ((tpPktCount >= appidStaticConfig->max_tp_flow_depth) || |
| (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_RE
INSPECT) == | | (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION | APPID_SESSION_APP_RE
INSPECT) == |
| | |
| skipping to change at line 3001 | | skipping to change at line 3053 |
|---|
| if(isAppIdNone || isSslNone || appidStaticConfig->check_host_port_app_cache) | | if(isAppIdNone || isSslNone || appidStaticConfig->check_host_port_app_cache) |
| { | | { |
| return true; | | return true; |
| } | | } |
| return false; | | return false; |
| } | | } |
| | |
| void fwAppIdInit(void) | | void fwAppIdInit(void) |
| { | | { |
| /* init globals for snortId compares etc. */ | | /* init globals for snortId compares etc. */ |
|
| | #ifdef TARGET_BASED |
| snortId_for_unsynchronized = _dpd.addProtocolReference("unsynchronized"); | | snortId_for_unsynchronized = _dpd.addProtocolReference("unsynchronized"); |
| snortId_for_ftp_data = _dpd.findProtocolReference("ftp-data"); | | snortId_for_ftp_data = _dpd.findProtocolReference("ftp-data"); |
| snortId_for_http2 = _dpd.findProtocolReference("http2"); | | snortId_for_http2 = _dpd.findProtocolReference("http2"); |
|
| | #endif |
| snortInstance = _dpd.getSnortInstance(); | | snortInstance = _dpd.getSnortInstance(); |
| } | | } |
| | |
| static inline tAppId processThirdParty(SFSnortPacket* p, tAppIdData* session, AP
PID_SESSION_DIRECTION direction, uint8_t protocol, bool* isTpAppidDiscoveryDone, | | static inline tAppId processThirdParty(SFSnortPacket* p, tAppIdData* session, AP
PID_SESSION_DIRECTION direction, uint8_t protocol, bool* isTpAppidDiscoveryDone, |
| tAppIdConfig *pConfig) | | tAppIdConfig *pConfig) |
| { | | { |
| tAppId tpAppId = session->tpAppId; | | tAppId tpAppId = session->tpAppId; |
| int tp_confidence; | | int tp_confidence; |
| tAppId* tp_proto_list; | | tAppId* tp_proto_list; |
| ThirdPartyAppIDAttributeData* tp_attribute_data; | | ThirdPartyAppIDAttributeData* tp_attribute_data; |
| | |
| skipping to change at line 3089 | | skipping to change at line 3143 |
|---|
| uint32_t entryFlags = appInfoEntryFlags(tpAppId, pConfig); | | uint32_t entryFlags = appInfoEntryFlags(tpAppId, pConfig); |
| if (entryFlags & APPINFO_FLAG_TP_CLIENT) | | if (entryFlags & APPINFO_FLAG_TP_CLIENT) |
| session->clientAppId = tpAppId; | | session->clientAppId = tpAppId; |
| | |
| ProcessThirdPartyResults(p, direction, session, tp_confidence, t
p_proto_list, tp_attribute_data); | | ProcessThirdPartyResults(p, direction, session, tp_confidence, t
p_proto_list, tp_attribute_data); |
| | |
| if ((entryFlags & APPINFO_FLAG_SSL_SQUELCH) && | | if ((entryFlags & APPINFO_FLAG_SSL_SQUELCH) && |
| getAppIdFlag(session, APPID_SESSION_SSL_SESSION) && | | getAppIdFlag(session, APPID_SESSION_SSL_SESSION) && |
| !(session->scan_flags & SCAN_SSL_HOST_FLAG)) | | !(session->scan_flags & SCAN_SSL_HOST_FLAG)) |
| { | | { |
|
| setSSLSquelch(p, 1, tpAppId); | | if (!(session->scan_flags & SCAN_SPOOFED_SNI_FLAG)) |
| | { |
| | setSSLSquelch(p, 1, tpAppId); |
| | } |
| | else |
| | { |
| | if (app_id_debug_session_flag) |
| | _dpd.logMsg("AppIdDbg %s Ignored 3rd party returned |
| | %d, SNI is spoofed\n", |
| | app_id_debug_session, tpAppId); |
| | } |
| } | | } |
| | |
| if (entryFlags & APPINFO_FLAG_IGNORE) | | if (entryFlags & APPINFO_FLAG_IGNORE) |
| { | | { |
| if (app_id_debug_session_flag) | | if (app_id_debug_session_flag) |
| _dpd.logMsg("AppIdDbg %s 3rd party ignored\n", app_id_de
bug_session); | | _dpd.logMsg("AppIdDbg %s 3rd party ignored\n", app_id_de
bug_session); |
| if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION)) | | if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION)) |
| tpAppId = APP_ID_HTTP; | | tpAppId = APP_ID_HTTP; |
| else if(getAppIdFlag(session, APPID_SESSION_SSL_SESSION)) | | else if(getAppIdFlag(session, APPID_SESSION_SSL_SESSION)) |
| tpAppId = APP_ID_SSL; | | tpAppId = APP_ID_SSL; |
| | |
| skipping to change at line 3120 | | skipping to change at line 3183 |
|---|
| #endif | | #endif |
| fprintf(SF_DEBUG_FILE, "%u -> %u %u Skipping ooo\n", | | fprintf(SF_DEBUG_FILE, "%u -> %u %u Skipping ooo\n", |
| (unsigned)p->src_port, (unsigned)p->dst_port, (unsig
ned)protocol); | | (unsigned)p->src_port, (unsigned)p->dst_port, (unsig
ned)protocol); |
| #endif | | #endif |
| } | | } |
| | |
| if (thirdparty_appid_module->session_state_get(session->tpsession) =
= TP_STATE_MONITORING) | | if (thirdparty_appid_module->session_state_get(session->tpsession) =
= TP_STATE_MONITORING) |
| { | | { |
| thirdparty_appid_module->disable_flags(session->tpsession, TP_SE
SSION_FLAG_ATTRIBUTE | TP_SESSION_FLAG_TUNNELING | TP_SESSION_FLAG_FUTUREFLOW); | | thirdparty_appid_module->disable_flags(session->tpsession, TP_SE
SSION_FLAG_ATTRIBUTE | TP_SESSION_FLAG_TUNNELING | TP_SESSION_FLAG_FUTUREFLOW); |
| } | | } |
|
| | | #ifdef TARGET_BASED |
| if(tpAppId == APP_ID_SSL && (_dpd.sessionAPI->get_application_protoc
ol_id(p->stream_session) == snortId_for_ftp_data)) | | if(tpAppId == APP_ID_SSL && (_dpd.sessionAPI->get_application_protoc
ol_id(p->stream_session) == snortId_for_ftp_data)) |
| { | | { |
| // If we see SSL on an FTP data channel set tpAppId back | | // If we see SSL on an FTP data channel set tpAppId back |
| // to APP_ID_NONE so the FTP preprocessor picks up the flow. | | // to APP_ID_NONE so the FTP preprocessor picks up the flow. |
| tpAppId = APP_ID_NONE; | | tpAppId = APP_ID_NONE; |
| } | | } |
|
| | | #endif |
| if (tpAppId > APP_ID_NONE && (!getAppIdFlag(session, APPID_SESSION_A
PP_REINSPECT) || session->payloadAppId > APP_ID_NONE)) | | if (tpAppId > APP_ID_NONE && (!getAppIdFlag(session, APPID_SESSION_A
PP_REINSPECT) || session->payloadAppId > APP_ID_NONE)) |
| { | | { |
| #ifdef TARGET_BASED | | #ifdef TARGET_BASED |
| tAppId snortAppId; | | tAppId snortAppId; |
| #endif | | #endif |
| | |
| // if the packet is HTTP, then search for via pattern | | // if the packet is HTTP, then search for via pattern |
| if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION) && session
->hsession) | | if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION) && session
->hsession) |
| { | | { |
| #ifdef TARGET_BASED | | #ifdef TARGET_BASED |
| | |
| skipping to change at line 3209 | | skipping to change at line 3272 |
|---|
| | |
| //SSL policy needs to determine IMAPS/POP3S etc before a
ppId sees first server packet | | //SSL policy needs to determine IMAPS/POP3S etc before a
ppId sees first server packet |
| session->portServiceAppId = portAppId; | | session->portServiceAppId = portAppId; |
| | |
| if (app_id_debug_session_flag) | | if (app_id_debug_session_flag) |
| _dpd.logMsg("AppIdDbg %s SSL is service %d, portServ
iceAppId %d\n", | | _dpd.logMsg("AppIdDbg %s SSL is service %d, portServ
iceAppId %d\n", |
| app_id_debug_session, tpAppId, session->port
ServiceAppId); | | app_id_debug_session, tpAppId, session->port
ServiceAppId); |
| } | | } |
| else | | else |
| { | | { |
|
| setTPPayloadAppIdData(p, direction, session, tpAppId); | | if (!(session->scan_flags & SCAN_SPOOFED_SNI_FLAG)) |
| | { |
| | setTPPayloadAppIdData(p, direction, session, tpAppId |
| | ); |
| | } |
| | else |
| | { |
| | if (app_id_debug_session_flag) |
| | _dpd.logMsg("AppIdDbg %s Ignoring 3rd party retu |
| | rned %d, SNI is spoofed\n", |
| | app_id_debug_session, tpAppId); |
| | } |
| tpAppId = portAppId; | | tpAppId = portAppId; |
| if (app_id_debug_session_flag) | | if (app_id_debug_session_flag) |
| _dpd.logMsg("AppIdDbg %s SSL is %d\n", app_id_debug_
session, tpAppId); | | _dpd.logMsg("AppIdDbg %s SSL is %d\n", app_id_debug_
session, tpAppId); |
| } | | } |
| setTPAppIdData(p, direction, session, tpAppId); | | setTPAppIdData(p, direction, session, tpAppId); |
| #ifdef TARGET_BASED | | #ifdef TARGET_BASED |
| snortAppId = APP_ID_SSL; | | snortAppId = APP_ID_SSL; |
| #endif | | #endif |
| | |
| #ifdef DEBUG_FW_APPID | | #ifdef DEBUG_FW_APPID |
| | |
| skipping to change at line 3268 | | skipping to change at line 3340 |
|---|
| } | | } |
| else | | else |
| { | | { |
| session->resp_tpPackets++; | | session->resp_tpPackets++; |
| checkTerminateTpModule(session->resp_tpPackets, session)
; | | checkTerminateTpModule(session->resp_tpPackets, session)
; |
| } | | } |
| } | | } |
| } | | } |
| } | | } |
| | |
|
| | else if (session->hsession && (direction == APP_ID_FROM_RESPONDER) && |
| | getAppIdFlag(session, APPID_SESSION_HTTP_CONNECT)) |
| | { |
| | if ((p->payload_size >= 13) && !strncasecmp((char *)p->payload, "HTT |
| | P/1.1 200 ", 13)) |
| | session->hsession->is_tunnel = true; |
| | } |
| if (session->tpReinspectByInitiator && checkThirdPartyReinspect(p, sessi
on)) | | if (session->tpReinspectByInitiator && checkThirdPartyReinspect(p, sessi
on)) |
| { | | { |
| if (*isTpAppidDiscoveryDone) | | if (*isTpAppidDiscoveryDone) |
| clearAppIdFlag(session, APPID_SESSION_APP_REINSPECT); | | clearAppIdFlag(session, APPID_SESSION_APP_REINSPECT); |
| if (direction == APP_ID_FROM_RESPONDER) | | if (direction == APP_ID_FROM_RESPONDER) |
| session->tpReinspectByInitiator = 0; //toggle at OK response | | session->tpReinspectByInitiator = 0; //toggle at OK response |
| } | | } |
| } | | } |
| PREPROC_PROFILE_END(tpPerfStats); | | PREPROC_PROFILE_END(tpPerfStats); |
| /*** End of third-party processing. ***/ | | /*** End of third-party processing. ***/ |
| | |
| skipping to change at line 3797 | | skipping to change at line 3875 |
|---|
| session->payloadAppId == APP_ID_NONE) | | session->payloadAppId == APP_ID_NONE) |
| session->payloadAppId = APP_ID_UNKNOWN; | | session->payloadAppId = APP_ID_UNKNOWN; |
| } | | } |
| } | | } |
| else if (TPIsAppIdAvailable(session->tpsession)) | | else if (TPIsAppIdAvailable(session->tpsession)) |
| { | | { |
| if (tpAppId > APP_ID_NONE) | | if (tpAppId > APP_ID_NONE) |
| { | | { |
| //tp has positively identified appId, Dig deeper only if
sourcefire detector | | //tp has positively identified appId, Dig deeper only if
sourcefire detector |
| //identifies additional information or flow is UDP rever
esed. | | //identifies additional information or flow is UDP rever
esed. |
|
| | #ifdef TARGET_BASED |
| if ((entry = appInfoEntryGet(tpAppId, pConfig)) | | if ((entry = appInfoEntryGet(tpAppId, pConfig)) |
| && entry->svrValidator && | | && entry->svrValidator && |
| ((entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL
) || | | ((entry->flags & APPINFO_FLAG_SERVICE_ADDITIONAL
) || |
| ((entry->flags & APPINFO_FLAG_SERVICE_UDP_REVER
SED) && protocol == IPPROTO_UDP && | | ((entry->flags & APPINFO_FLAG_SERVICE_UDP_REVER
SED) && protocol == IPPROTO_UDP && |
| getAppIdFlag(session, APPID_SESSION_INITIATOR_
MONITORED | APPID_SESSION_RESPONDER_MONITORED)))) | | getAppIdFlag(session, APPID_SESSION_INITIATOR_
MONITORED | APPID_SESSION_RESPONDER_MONITORED)))) |
| { | | { |
| AppIdFlowdataDeleteAllByMask(session, APPID_SESSION_
DATA_SERVICE_MODSTATE_BIT); | | AppIdFlowdataDeleteAllByMask(session, APPID_SESSION_
DATA_SERVICE_MODSTATE_BIT); |
| | |
| #ifdef DEBUG_FW_APPID | | #ifdef DEBUG_FW_APPID |
| if (session->serviceData && compareServiceElements(s
ession->serviceData, entry->svrValidator)) | | if (session->serviceData && compareServiceElements(s
ession->serviceData, entry->svrValidator)) |
| | |
| skipping to change at line 3826 | | skipping to change at line 3905 |
|---|
| if (p->dst_port == DEBUG_FW_APPID_PORT || p->src_por
t == DEBUG_FW_APPID_PORT) | | if (p->dst_port == DEBUG_FW_APPID_PORT || p->src_por
t == DEBUG_FW_APPID_PORT) |
| #endif | | #endif |
| fprintf(SF_DEBUG_FILE, "%u -> %u %u RNA doing de
eper inspection\n", | | fprintf(SF_DEBUG_FILE, "%u -> %u %u RNA doing de
eper inspection\n", |
| (unsigned)p->src_port, (unsigned)p->dst_
port, (unsigned)protocol); | | (unsigned)p->src_port, (unsigned)p->dst_
port, (unsigned)protocol); |
| #endif | | #endif |
| } | | } |
| else | | else |
| { | | { |
| stopRnaServiceInspection(p, session, direction); | | stopRnaServiceInspection(p, session, direction); |
| } | | } |
|
| | #endif |
| } | | } |
| else | | else |
| session->rnaServiceState = RNA_STATE_STATEFUL; | | session->rnaServiceState = RNA_STATE_STATEFUL; |
| } | | } |
| else | | else |
| session->rnaServiceState = RNA_STATE_STATEFUL; | | session->rnaServiceState = RNA_STATE_STATEFUL; |
| } | | } |
| | |
| //stop rna inspection as soon as tp has classified a valid AppId lat
er in the session | | //stop rna inspection as soon as tp has classified a valid AppId lat
er in the session |
| if (session->rnaServiceState == RNA_STATE_STATEFUL && | | if (session->rnaServiceState == RNA_STATE_STATEFUL && |
| prevRnaServiceState == RNA_STATE_STATEFUL && | | prevRnaServiceState == RNA_STATE_STATEFUL && |
| !getAppIdFlag(session, APPID_SESSION_NO_TPI) && | | !getAppIdFlag(session, APPID_SESSION_NO_TPI) && |
| TPIsAppIdAvailable(session->tpsession) && | | TPIsAppIdAvailable(session->tpsession) && |
| tpAppId > APP_ID_NONE && tpAppId < SF_APPID_MAX) | | tpAppId > APP_ID_NONE && tpAppId < SF_APPID_MAX) |
| { | | { |
|
| | #ifdef TARGET_BASED |
| entry = appInfoEntryGet(tpAppId, pConfig); | | entry = appInfoEntryGet(tpAppId, pConfig); |
| | |
| if (entry && entry->svrValidator && !(entry->flags & APPINFO_FLA
G_SERVICE_ADDITIONAL)) | | if (entry && entry->svrValidator && !(entry->flags & APPINFO_FLA
G_SERVICE_ADDITIONAL)) |
| { | | { |
| if (app_id_debug_session_flag) | | if (app_id_debug_session_flag) |
| _dpd.logMsg("AppIdDbg %s Stopping service detection\n",
app_id_debug_session); | | _dpd.logMsg("AppIdDbg %s Stopping service detection\n",
app_id_debug_session); |
| stopRnaServiceInspection(p, session, direction); | | stopRnaServiceInspection(p, session, direction); |
| } | | } |
|
| | #endif |
| } | | } |
| | |
| // Check to see if we want to stop any detectors for SIP/RTP. | | // Check to see if we want to stop any detectors for SIP/RTP. |
| if (session->rnaServiceState != RNA_STATE_FINISHED) | | if (session->rnaServiceState != RNA_STATE_FINISHED) |
| { | | { |
| if (tpAppId == APP_ID_SIP) | | if (tpAppId == APP_ID_SIP) |
| { | | { |
| // TP needs to see its own future flows and does a better | | // TP needs to see its own future flows and does a better |
| // job of it than we do, so stay out of its way, and don't | | // job of it than we do, so stay out of its way, and don't |
| // waste time (but we will still get the Snort callbacks | | // waste time (but we will still get the Snort callbacks |
| | |
| skipping to change at line 3946 | | skipping to change at line 4028 |
|---|
| #endif | | #endif |
| | |
| //decision to directly call validator or go through elaborate servic
e_state tracking | | //decision to directly call validator or go through elaborate servic
e_state tracking |
| //is made once at the beginning of session. | | //is made once at the beginning of session. |
| if (session->rnaClientState == RNA_STATE_NONE && p->payload_size &&
direction == APP_ID_FROM_INITIATOR) | | if (session->rnaClientState == RNA_STATE_NONE && p->payload_size &&
direction == APP_ID_FROM_INITIATOR) |
| { | | { |
| if (getAppIdFlag(session, APPID_SESSION_MID)) | | if (getAppIdFlag(session, APPID_SESSION_MID)) |
| session->rnaClientState = RNA_STATE_FINISHED; | | session->rnaClientState = RNA_STATE_FINISHED; |
| else if (TPIsAppIdAvailable(session->tpsession) && (tpAppId = se
ssion->tpAppId) > APP_ID_NONE && tpAppId < SF_APPID_MAX) | | else if (TPIsAppIdAvailable(session->tpsession) && (tpAppId = se
ssion->tpAppId) > APP_ID_NONE && tpAppId < SF_APPID_MAX) |
| { | | { |
|
| | #ifdef TARGET_BASED |
| if ((entry = appInfoEntryGet(tpAppId, pConfig)) && entry->cl
ntValidator && | | if ((entry = appInfoEntryGet(tpAppId, pConfig)) && entry->cl
ntValidator && |
| ((entry->flags & APPINFO_FLAG_CLIENT_ADDITIONAL) || | | ((entry->flags & APPINFO_FLAG_CLIENT_ADDITIONAL) || |
| ((entry->flags & APPINFO_FLAG_CLIENT_USER) && | | ((entry->flags & APPINFO_FLAG_CLIENT_USER) && |
| getAppIdFlag(session, APPID_SESSION_DISCOVER_USER)
))) | | getAppIdFlag(session, APPID_SESSION_DISCOVER_USER)
))) |
| { | | { |
| //tp has positively identified appId, Dig deeper only if
sourcefire detector | | //tp has positively identified appId, Dig deeper only if
sourcefire detector |
| //identifies additional information | | //identifies additional information |
| session->clientData = entry->clntValidator; | | session->clientData = entry->clntValidator; |
| session->rnaClientState = RNA_STATE_DIRECT; | | session->rnaClientState = RNA_STATE_DIRECT; |
| } | | } |
| else | | else |
| { | | { |
| setAppIdFlag(session, APPID_SESSION_CLIENT_DETECTED); | | setAppIdFlag(session, APPID_SESSION_CLIENT_DETECTED); |
| session->rnaClientState = RNA_STATE_FINISHED; | | session->rnaClientState = RNA_STATE_FINISHED; |
| } | | } |
|
| | #endif |
| } | | } |
| else if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION)) | | else if (getAppIdFlag(session, APPID_SESSION_HTTP_SESSION)) |
| session->rnaClientState = RNA_STATE_FINISHED; | | session->rnaClientState = RNA_STATE_FINISHED; |
| else | | else |
| session->rnaClientState = RNA_STATE_STATEFUL; | | session->rnaClientState = RNA_STATE_STATEFUL; |
| } | | } |
| | |
| //stop rna inspection as soon as tp has classified a valid AppId lat
er in the session | | //stop rna inspection as soon as tp has classified a valid AppId lat
er in the session |
| if ((session->rnaClientState == RNA_STATE_STATEFUL || | | if ((session->rnaClientState == RNA_STATE_STATEFUL || |
| session->rnaClientState == RNA_STATE_DIRECT) && | | session->rnaClientState == RNA_STATE_DIRECT) && |
| session->rnaClientState == prevRnaClientState && | | session->rnaClientState == prevRnaClientState && |
| !getAppIdFlag(session, APPID_SESSION_NO_TPI) && | | !getAppIdFlag(session, APPID_SESSION_NO_TPI) && |
| TPIsAppIdAvailable(session->tpsession) && | | TPIsAppIdAvailable(session->tpsession) && |
| tpAppId > APP_ID_NONE && tpAppId < SF_APPID_MAX) | | tpAppId > APP_ID_NONE && tpAppId < SF_APPID_MAX) |
| { | | { |
|
| | #ifdef TARGET_BASED |
| entry = appInfoEntryGet(tpAppId, pConfig); | | entry = appInfoEntryGet(tpAppId, pConfig); |
| | |
| if (!(entry && entry->clntValidator && entry->clntValidator == s
ession->clientData && (entry->flags & (APPINFO_FLAG_CLIENT_ADDITIONAL|APPINFO_FL
AG_CLIENT_USER)))) | | if (!(entry && entry->clntValidator && entry->clntValidator == s
ession->clientData && (entry->flags & (APPINFO_FLAG_CLIENT_ADDITIONAL|APPINFO_FL
AG_CLIENT_USER)))) |
| { | | { |
| session->rnaClientState = RNA_STATE_FINISHED; | | session->rnaClientState = RNA_STATE_FINISHED; |
| setAppIdFlag(session, APPID_SESSION_CLIENT_DETECTED); | | setAppIdFlag(session, APPID_SESSION_CLIENT_DETECTED); |
| } | | } |
|
| | #endif |
| } | | } |
| | |
| if (session->rnaClientState == RNA_STATE_DIRECT) | | if (session->rnaClientState == RNA_STATE_DIRECT) |
| { | | { |
| int ret = CLIENT_APP_INPROCESS; | | int ret = CLIENT_APP_INPROCESS; |
| | |
| #ifdef DEBUG_FW_APPID | | #ifdef DEBUG_FW_APPID |
| #if defined(DEBUG_FW_APPID_PORT) && DEBUG_FW_APPID_PORT | | #if defined(DEBUG_FW_APPID_PORT) && DEBUG_FW_APPID_PORT |
| if (p->dst_port == DEBUG_FW_APPID_PORT || p->src_port == DEBUG_F
W_APPID_PORT) | | if (p->dst_port == DEBUG_FW_APPID_PORT || p->src_port == DEBUG_F
W_APPID_PORT) |
| #endif | | #endif |
| | |
| skipping to change at line 4328 | | skipping to change at line 4414 |
|---|
| } | | } |
| | |
| static inline void ProcessThirdPartyResults(SFSnortPacket* p, APPID_SESSION_DIRE
CTION direction, tAppIdData* appIdSession, int confidence, tAppId* proto_list, T
hirdPartyAppIDAttributeData* attribute_data) | | static inline void ProcessThirdPartyResults(SFSnortPacket* p, APPID_SESSION_DIRE
CTION direction, tAppIdData* appIdSession, int confidence, tAppId* proto_list, T
hirdPartyAppIDAttributeData* attribute_data) |
| { | | { |
| int size; | | int size; |
| tAppId serviceAppId = 0; | | tAppId serviceAppId = 0; |
| tAppId clientAppId = 0; | | tAppId clientAppId = 0; |
| tAppId payloadAppId = 0; | | tAppId payloadAppId = 0; |
| tAppId referredPayloadAppId = 0; | | tAppId referredPayloadAppId = 0; |
| tAppIdConfig *pConfig = appIdActiveConfigGet(); | | tAppIdConfig *pConfig = appIdActiveConfigGet(); |
|
| | #ifdef TARGET_BASED |
| AppInfoTableEntry *entry = NULL; | | AppInfoTableEntry *entry = NULL; |
|
| | #endif |
| | |
| if (!appIdSession->payloadAppId && ThirdPartyAppIDFoundProto(APP_ID_EXCHANGE
, proto_list)) | | if (!appIdSession->payloadAppId && ThirdPartyAppIDFoundProto(APP_ID_EXCHANGE
, proto_list)) |
| appIdSession->payloadAppId = APP_ID_EXCHANGE; | | appIdSession->payloadAppId = APP_ID_EXCHANGE; |
| | |
| if (ThirdPartyAppIDFoundProto(APP_ID_HTTP, proto_list)) | | if (ThirdPartyAppIDFoundProto(APP_ID_HTTP, proto_list)) |
| { | | { |
| setAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION); | | setAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION); |
| } | | } |
| if (ThirdPartyAppIDFoundProto(APP_ID_SPDY, proto_list)) | | if (ThirdPartyAppIDFoundProto(APP_ID_SPDY, proto_list)) |
| { | | { |
| setAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_SESSION_SP
DY_SESSION); | | setAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_SESSION_SP
DY_SESSION); |
| } | | } |
| if (ThirdPartyAppIDFoundProto(APP_ID_SSL, proto_list)) | | if (ThirdPartyAppIDFoundProto(APP_ID_SSL, proto_list)) |
| { | | { |
| if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_TUNNEL)) | | if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_TUNNEL)) |
| { | | { |
| if (!appIdSession->serviceData) | | if (!appIdSession->serviceData) |
| { | | { |
|
| | #ifdef TARGET_BASED |
| entry = appInfoEntryGet(APP_ID_SSL, pConfig); | | entry = appInfoEntryGet(APP_ID_SSL, pConfig); |
| appIdSession->serviceData = entry->svrValidator; | | appIdSession->serviceData = entry->svrValidator; |
|
| | #endif |
| } | | } |
| if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_SE
SSION_SPDY_SESSION)) | | if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_SE
SSION_SPDY_SESSION)) |
| clearAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_
SESSION_SPDY_SESSION); | | clearAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION | APPID_
SESSION_SPDY_SESSION); |
| } | | } |
| setAppIdFlag(appIdSession, APPID_SESSION_SSL_SESSION); | | setAppIdFlag(appIdSession, APPID_SESSION_SSL_SESSION); |
| } | | } |
| | |
| if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION)) | | if (getAppIdFlag(appIdSession, APPID_SESSION_HTTP_SESSION)) |
| { | | { |
| if (!appIdSession->hsession) | | if (!appIdSession->hsession) |
| | |
| skipping to change at line 4830 | | skipping to change at line 4920 |
|---|
| DynamicPreprocessorFatalMessage("Could not allocate tlsSession d
ata"); | | DynamicPreprocessorFatalMessage("Could not allocate tlsSession d
ata"); |
| } | | } |
| | |
| if (!appIdSession->clientAppId) | | if (!appIdSession->clientAppId) |
| setClientAppIdData(p, direction, appIdSession, APP_ID_SSL_CLIENT, NU
LL); | | setClientAppIdData(p, direction, appIdSession, APP_ID_SSL_CLIENT, NU
LL); |
| | |
| reInspectSSLAppId = testSSLAppIdForReinspect(tmpAppId); | | reInspectSSLAppId = testSSLAppIdForReinspect(tmpAppId); |
| | |
| if (attribute_data->tlsHost) | | if (attribute_data->tlsHost) |
| { | | { |
|
| if (appIdSession->tsession->tls_host) | | /* This flag is to avoid NAVL overwritting SSL provided SNI */ |
| free(appIdSession->tsession->tls_host); | | if (!(appIdSession->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG)) |
| appIdSession->tsession->tls_host = attribute_data->tlsHost; | | { |
| attribute_data->tlsHost = NULL; | | if (appIdSession->tsession->tls_host) |
| if (reInspectSSLAppId) | | free(appIdSession->tsession->tls_host); |
| appIdSession->scan_flags |= SCAN_SSL_HOST_FLAG; | | appIdSession->tsession->tls_host = attribute_data->tlsHost; |
| | attribute_data->tlsHost = NULL; |
| | if (reInspectSSLAppId) |
| | appIdSession->scan_flags |= SCAN_SSL_HOST_FLAG; |
| | } |
| } | | } |
| if (attribute_data->tlsCname) | | if (attribute_data->tlsCname) |
| { | | { |
|
| if (appIdSession->tsession->tls_cname) | | /* This flag is to avoid NAVL overwritting SSL provided CN */ |
| free(appIdSession->tsession->tls_cname); | | if (!(appIdSession->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG)) |
| appIdSession->tsession->tls_cname = attribute_data->tlsCname; | | { |
| attribute_data->tlsCname = NULL; | | if (appIdSession->tsession->tls_cname) |
| if (reInspectSSLAppId) | | free(appIdSession->tsession->tls_cname); |
| appIdSession->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG; | | appIdSession->tsession->tls_cname = attribute_data->tlsCname; |
| | attribute_data->tlsCname = NULL; |
| | if (reInspectSSLAppId) |
| | appIdSession->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG; |
| | } |
| } | | } |
| if (reInspectSSLAppId) | | if (reInspectSSLAppId) |
| { | | { |
| if (attribute_data->tlsOrgUnit) | | if (attribute_data->tlsOrgUnit) |
| { | | { |
|
| if (appIdSession->tsession->tls_orgUnit) | | /* This flag is to avoid NAVL overwritting SSL provided ORG */ |
| free(appIdSession->tsession->tls_orgUnit); | | if (!(appIdSession->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG)) |
| appIdSession->tsession->tls_orgUnit = attribute_data->tlsOrgUnit | | { |
| ; | | if (appIdSession->tsession->tls_orgUnit) |
| attribute_data->tlsOrgUnit = NULL; | | free(appIdSession->tsession->tls_orgUnit); |
| | appIdSession->tsession->tls_orgUnit = attribute_data->tlsOrg |
| | Unit; |
| | attribute_data->tlsOrgUnit = NULL; |
| | } |
| } | | } |
| } | | } |
| } | | } |
| else if (ThirdPartyAppIDFoundProto(APP_ID_FTP_CONTROL, proto_list)) | | else if (ThirdPartyAppIDFoundProto(APP_ID_FTP_CONTROL, proto_list)) |
| { | | { |
| if (!appidStaticConfig->ftp_userid_disabled && attribute_data->ftpComman
dUser) | | if (!appidStaticConfig->ftp_userid_disabled && attribute_data->ftpComman
dUser) |
| { | | { |
| if (appIdSession->username) | | if (appIdSession->username) |
| free(appIdSession->username); | | free(appIdSession->username); |
| appIdSession->username = attribute_data->ftpCommandUser; | | appIdSession->username = attribute_data->ftpCommandUser; |
| attribute_data->ftpCommandUser = NULL; | | attribute_data->ftpCommandUser = NULL; |
| appIdSession->usernameService = APP_ID_FTP_CONTROL; | | appIdSession->usernameService = APP_ID_FTP_CONTROL; |
| setAppIdFlag(appIdSession, APPID_SESSION_LOGIN_SUCCEEDED); | | setAppIdFlag(appIdSession, APPID_SESSION_LOGIN_SUCCEEDED); |
| } | | } |
| } | | } |
| } | | } |
| | |
| void appSetServiceDetectorCallback(RNAServiceCallbackFCN fcn, tAppId appId, stru
ct _Detector *userdata, tAppIdConfig *pConfig) | | void appSetServiceDetectorCallback(RNAServiceCallbackFCN fcn, tAppId appId, stru
ct _Detector *userdata, tAppIdConfig *pConfig) |
| { | | { |
|
| | #ifdef TARGET_BASED |
| AppInfoTableEntry* entry; | | AppInfoTableEntry* entry; |
| | |
| if ((entry = appInfoEntryGet(appId, pConfig))) | | if ((entry = appInfoEntryGet(appId, pConfig))) |
| { | | { |
| if (entry->svrValidator) | | if (entry->svrValidator) |
| { | | { |
| if (entry->flags & APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK) | | if (entry->flags & APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK) |
| { | | { |
| _dpd.errMsg("AppId: Service detector callback already registerte
d for appid %d\n", appId); | | _dpd.errMsg("AppId: Service detector callback already registerte
d for appid %d\n", appId); |
| return; | | return; |
| } | | } |
| entry->svrValidator->userdata = userdata; | | entry->svrValidator->userdata = userdata; |
| entry->svrValidator->detectorCallback = fcn; | | entry->svrValidator->detectorCallback = fcn; |
| entry->flags |= APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK; | | entry->flags |= APPINFO_FLAG_SERVICE_DETECTOR_CALLBACK; |
| } | | } |
| } | | } |
|
| | #endif |
| return; | | return; |
| } | | } |
| | |
| void appSetClientDetectorCallback(RNAClientAppCallbackFCN fcn, tAppId appId, str
uct _Detector *userdata, tAppIdConfig *pConfig) | | void appSetClientDetectorCallback(RNAClientAppCallbackFCN fcn, tAppId appId, str
uct _Detector *userdata, tAppIdConfig *pConfig) |
| { | | { |
|
| | #ifdef TARGET_BASED |
| AppInfoTableEntry* entry; | | AppInfoTableEntry* entry; |
| | |
| if ((entry = appInfoEntryGet(appId, pConfig))) | | if ((entry = appInfoEntryGet(appId, pConfig))) |
| { | | { |
| if (entry->clntValidator) | | if (entry->clntValidator) |
| { | | { |
| if (entry->flags & APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK) | | if (entry->flags & APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK) |
| { | | { |
| _dpd.errMsg("AppId: Client detector callback already registerted
for appid %d\n", appId); | | _dpd.errMsg("AppId: Client detector callback already registerted
for appid %d\n", appId); |
| return; | | return; |
| } | | } |
| entry->clntValidator->userData = userdata; | | entry->clntValidator->userData = userdata; |
| entry->clntValidator->detectorCallback = fcn; | | entry->clntValidator->detectorCallback = fcn; |
| entry->flags |= APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK; | | entry->flags |= APPINFO_FLAG_CLIENT_DETECTOR_CALLBACK; |
| } | | } |
| } | | } |
|
| | #endif |
| return; | | return; |
| } | | } |
| | |
| void appSetServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsigned
extractsInfo, tAppIdConfig *pConfig) | | void appSetServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsigned
extractsInfo, tAppIdConfig *pConfig) |
| { | | { |
| AppInfoTableEntry* pEntry = appInfoEntryGet(appId, pConfig); | | AppInfoTableEntry* pEntry = appInfoEntryGet(appId, pConfig); |
| if (!pEntry) | | if (!pEntry) |
| { | | { |
| _dpd.errMsg("AppId", "Invalid direct service AppId, %d, for %p", appId,
fcn); | | _dpd.errMsg("AppId", "Invalid direct service AppId, %d, for %p", appId,
fcn); |
| return; | | return; |
| | |
| skipping to change at line 4936 | | skipping to change at line 5042 |
|---|
| } | | } |
| pEntry->svrValidator = ServiceGetServiceElement(fcn, NULL, pConfig); | | pEntry->svrValidator = ServiceGetServiceElement(fcn, NULL, pConfig); |
| if (pEntry->svrValidator) | | if (pEntry->svrValidator) |
| pEntry->flags |= extractsInfo; | | pEntry->flags |= extractsInfo; |
| else | | else |
| _dpd.errMsg("AppId", "Failed to find a service element for %p with AppId
%d", fcn, appId); | | _dpd.errMsg("AppId", "Failed to find a service element for %p with AppId
%d", fcn, appId); |
| } | | } |
| | |
| void appSetLuaServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsign
ed extractsInfo, struct _Detector *data) | | void appSetLuaServiceValidator(RNAServiceValidationFCN fcn, tAppId appId, unsign
ed extractsInfo, struct _Detector *data) |
| { | | { |
|
| | #ifdef TARGET_BASED |
| AppInfoTableEntry *entry; | | AppInfoTableEntry *entry; |
| tAppIdConfig *pConfig = appIdNewConfigGet(); | | tAppIdConfig *pConfig = appIdNewConfigGet(); |
| | |
| if ((entry = appInfoEntryGet(appId, pConfig))) | | if ((entry = appInfoEntryGet(appId, pConfig))) |
| { | | { |
| | |
| entry->flags |= APPINFO_FLAG_ACTIVE; | | entry->flags |= APPINFO_FLAG_ACTIVE; |
| | |
| extractsInfo &= (APPINFO_FLAG_SERVICE_ADDITIONAL | APPINFO_FLAG_SERVICE_
UDP_REVERSED); | | extractsInfo &= (APPINFO_FLAG_SERVICE_ADDITIONAL | APPINFO_FLAG_SERVICE_
UDP_REVERSED); |
| if (!extractsInfo) | | if (!extractsInfo) |
| | |
| skipping to change at line 4961 | | skipping to change at line 5068 |
|---|
| entry->svrValidator = ServiceGetServiceElement(fcn, data, pConfig); | | entry->svrValidator = ServiceGetServiceElement(fcn, data, pConfig); |
| if (entry->svrValidator) | | if (entry->svrValidator) |
| entry->flags |= extractsInfo; | | entry->flags |= extractsInfo; |
| else | | else |
| _dpd.errMsg("AppId: Failed to find a service element for %p %p with
AppId %d", fcn, data, appId); | | _dpd.errMsg("AppId: Failed to find a service element for %p %p with
AppId %d", fcn, data, appId); |
| } | | } |
| else | | else |
| { | | { |
| _dpd.errMsg("Invalid direct service AppId, %d, for %p %p\n",appId, fcn,
data); | | _dpd.errMsg("Invalid direct service AppId, %d, for %p %p\n",appId, fcn,
data); |
| } | | } |
|
| | #endif |
| } | | } |
| | |
| void appSetClientValidator(RNAClientAppFCN fcn, tAppId appId, unsigned extractsI
nfo, tAppIdConfig *pConfig) | | void appSetClientValidator(RNAClientAppFCN fcn, tAppId appId, unsigned extractsI
nfo, tAppIdConfig *pConfig) |
| { | | { |
| AppInfoTableEntry* pEntry = appInfoEntryGet(appId, pConfig); | | AppInfoTableEntry* pEntry = appInfoEntryGet(appId, pConfig); |
| if (!pEntry) | | if (!pEntry) |
| { | | { |
| _dpd.errMsg("AppId", "Invalid direct client application AppId, %d, for %
p", appId, fcn); | | _dpd.errMsg("AppId", "Invalid direct client application AppId, %d, for %
p", appId, fcn); |
| return; | | return; |
| } | | } |
| | |
| skipping to change at line 5197 | | skipping to change at line 5305 |
|---|
| } | | } |
| if(*serviceAppId != APP_ID_NONE || | | if(*serviceAppId != APP_ID_NONE || |
| *clientAppId != APP_ID_NONE || | | *clientAppId != APP_ID_NONE || |
| *payloadAppId != APP_ID_NONE) | | *payloadAppId != APP_ID_NONE) |
| { | | { |
| return 1; | | return 1; |
| } | | } |
| return 0; | | return 0; |
| } | | } |
| | |
|
| | /* |
| | * In TLS 1.3, certificates come encrypted, hence SSL module does the |
| | * certificate decryption and provides the SNI/first-SAN/CN/ON to AppId module. |
| | * This API does the following: |
| | * 1. AppIds detection corresponding to the SNI/first-SAN/CN/ON |
| | * 2. Store the AppIds and SNI/first-SAN/CN/ON in AppID session struct. |
| | * 3. To make sure the SSL provided SNI/first-SAN/CN/ON are not further overwri |
| | tten |
| | * by NAVL, appropriate flags are set. |
| | * Note: |
| | * Valid SNI: SNI->first_SAN->CN->OU |
| | * No SNI/Mismatched SNI: first_SAN->CN->OU |
| | */ |
| | void setTlsHost(void *ssnptr, const char *serverName, const char *commonName, |
| | const char *orgName, const char *subjectAltName, bool isSniMisma |
| | tch, |
| | tAppId *serviceAppId, tAppId *clientAppId, tAppId *payloadAppId) |
| | { |
| | tAppIdData *session; |
| | *serviceAppId = *clientAppId = *payloadAppId = APP_ID_NONE; |
| | |
| | if (app_id_debug_session_flag) |
| | _dpd.logMsg("Received serverName=%s, commonName=%s, orgName=%s, subjectA |
| | ltName=%s, isSniMismatch=%s, from SSL\n", |
| | serverName, commonName, orgName, subjectAltName, isSniMismatch?" |
| | true":"false"); |
| | |
| | if (ssnptr && (session = getAppIdData(ssnptr))) |
| | { |
| | if (!session->tsession) |
| | session->tsession = calloc(1, sizeof(*session->tsession)); |
| | |
| | session->scan_flags |= SCAN_SSL_HOST_FLAG; |
| | session->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG; |
| | session->scan_flags |= SCAN_CERTVIZ_ENABLED_FLAG; |
| | if (isSniMismatch) |
| | session->scan_flags |= SCAN_SPOOFED_SNI_FLAG; |
| | |
| | if (serverName && !isSniMismatch) |
| | { |
| | if (session->tsession->tls_host) |
| | free(session->tsession->tls_host); |
| | session->tsession->tls_host = strdup(serverName); |
| | session->tsession->tls_host_strlen = strlen(serverName); |
| | } |
| | |
| | if (subjectAltName) |
| | { |
| | if (session->tsession->tls_first_san) |
| | free(session->tsession->tls_first_san); |
| | session->tsession->tls_first_san = strdup(subjectAltName); |
| | session->tsession->tls_first_san_strlen = strlen(subjectAltName); |
| | } |
| | |
| | if (commonName) |
| | { |
| | if (session->tsession->tls_cname) |
| | free(session->tsession->tls_cname); |
| | session->tsession->tls_cname = strdup(commonName); |
| | session->tsession->tls_cname_strlen = strlen(commonName); |
| | } |
| | |
| | if (orgName) |
| | { |
| | if (session->tsession->tls_orgUnit) |
| | free(session->tsession->tls_orgUnit); |
| | session->tsession->tls_orgUnit = strdup(orgName); |
| | session->tsession->tls_orgUnit_strlen = strlen(orgName); |
| | } |
| | |
| | (void)scanSslParamsLookupAppId(session, (const char*)session->tsession-> |
| | tls_host, |
| | isSniMismatch, (const char*)session->tsession->tls_first_san, |
| | (const char*)session->tsession->tls_cname, |
| | (const char*)session->tsession->tls_orgUnit, clientAppId, payloa |
| | dAppId); |
| | |
| | *serviceAppId = pickServiceAppId(session); |
| | if (APP_ID_NONE == *clientAppId) |
| | *clientAppId = pickClientAppId(session); |
| | |
| | if (APP_ID_NONE == *payloadAppId) |
| | *payloadAppId = pickPayloadId(session); |
| | |
| | session->serviceAppId = *serviceAppId; |
| | session->clientAppId = *clientAppId; |
| | session->payloadAppId = *payloadAppId; |
| | |
| | if (app_id_debug_session_flag) |
| | _dpd.logMsg("serviceAppId %d, clientAppId %d, payloadAppId %d\n", |
| | session->serviceAppId, session->clientAppId, session->payloa |
| | dAppId); |
| | } |
| | } |
| | |
| void httpHeaderCallback (SFSnortPacket *p, HttpParsedHeaders *const headers) | | void httpHeaderCallback (SFSnortPacket *p, HttpParsedHeaders *const headers) |
| { | | { |
| tAppIdData *session; | | tAppIdData *session; |
| APPID_SESSION_DIRECTION direction; | | APPID_SESSION_DIRECTION direction; |
| tAppIdConfig *pConfig = appIdActiveConfigGet(); | | tAppIdConfig *pConfig = appIdActiveConfigGet(); |
| | |
| if (thirdparty_appid_module) | | if (thirdparty_appid_module) |
| return; | | return; |
| if (!p || !(session = getAppIdData(p->stream_session))) | | if (!p || !(session = getAppIdData(p->stream_session))) |
| return; | | return; |
| | | |
| End of changes. 49 change blocks. |
|---|
| 64 lines changed or deleted | | 279 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 