
Source code changes of the file "src/network_inspectors/appid/appid_eve_process_event_handler.cc" between
snort3-3.1.28.0.tar.gz and snort3-3.1.29.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

appid_eve_process_event_handler.cc  (snort3-3.1.28.0):appid_eve_process_event_handler.cc  (snort3-3.1.29.0)
#include "appid_debug.h" #include "appid_debug.h"
#include "appid_inspector.h" #include "appid_inspector.h"
#include "appid_session.h" #include "appid_session.h"
using namespace snort; using namespace snort;
void AppIdEveProcessEventHandler::handle(DataEvent& event, Flow* flow) void AppIdEveProcessEventHandler::handle(DataEvent& event, Flow* flow)
{ {
assert(flow); assert(flow);
if (!pkt_thread_odp_ctxt)
return;
Packet* p = DetectionEngine::get_current_packet();
assert(p);
AppIdSession* asd = appid_api.get_appid_session(*flow); AppIdSession* asd = appid_api.get_appid_session(*flow);
if (!asd or if (!asd)
!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECI {
AL_MONITORED)) AppidSessionDirection dir;
dir = p->is_from_client() ? APP_ID_FROM_INITIATOR : APP_ID_FROM_RESPONDE
R;
asd = AppIdSession::allocate_session(p, p->get_ip_proto_next(), dir,
inspector, *pkt_thread_odp_ctxt);
if (appidDebug->is_enabled())
{
appidDebug->activate(flow, asd, inspector.get_ctxt().config.log_all_
sessions);
if (appidDebug->is_active())
LogMessage("AppIdDbg %s New AppId session at mercury event\n",
appidDebug->get_debug_session());
}
}
if (!asd->get_session_flags(APPID_SESSION_DISCOVER_APP | APPID_SESSION_SPECI
AL_MONITORED))
return; return;
if (!pkt_thread_odp_ctxt or if (pkt_thread_odp_ctxt->get_version() != asd->get_odp_ctxt_version())
(pkt_thread_odp_ctxt->get_version() != asd->get_odp_ctxt_version()))
return; return;
const EveProcessEvent &eve_process_event = static_cast<EveProcessEvent&>(eve nt); const EveProcessEvent &eve_process_event = static_cast<EveProcessEvent&>(eve nt);
const std::string& name = eve_process_event.get_process_name(); const std::string& name = eve_process_event.get_process_name();
uint8_t conf = eve_process_event.get_process_confidence(); uint8_t conf = eve_process_event.get_process_confidence();
const std::string& server_name = eve_process_event.get_server_name(); const std::string& server_name = eve_process_event.get_server_name();
AppId app_id = APP_ID_NONE; const std::string& user_agent = eve_process_event.get_user_agent();
std::vector<std::string> alpn_vec = eve_process_event.get_alpn();
const bool is_quic = eve_process_event.is_flow_quic();
if (!name.empty()) AppidChangeBits change_bits;
if (is_quic && alpn_vec.size())
{ {
app_id = asd->get_odp_ctxt().get_eve_ca_matchers().match_eve_ca_pattern( AppId service_id = APP_ID_NONE;
name, service_id = asd->get_odp_ctxt().get_alpn_matchers().match_alpn_pattern(
conf); alpn_vec[0]);
if (service_id)
{
asd->set_alpn_service_app_id(service_id);
asd->update_encrypted_app_id(service_id);
}
else
{
asd->set_service_appid_data(APP_ID_QUIC, change_bits);
asd->set_session_flags(APPID_SESSION_SERVICE_DETECTED);
}
}
AppId client_id = APP_ID_NONE;
if (!user_agent.empty())
{
char* version = nullptr;
AppId service_id = APP_ID_NONE;
asd->set_eve_client_app_id(app_id); asd->get_odp_ctxt().get_http_matchers().identify_user_agent(user_agent.c
_str(),
user_agent.size(), service_id, client_id, &version);
if (client_id != APP_ID_NONE)
asd->set_client_appid_data(client_id, change_bits, version);
snort_free(version);
} }
else if (!name.empty())
{
client_id = asd->get_odp_ctxt().get_eve_ca_matchers().match_eve_ca_patte
rn(name,
conf);
if (appidDebug->is_active()) asd->set_eve_client_app_id(client_id);
LogMessage("AppIdDbg %s encrypted client app %d process name '%s', " }
"confidence: %d, server name '%s'\n", appidDebug->get_debug_session(
), app_id,
name.c_str(), conf, server_name.c_str());
if (!server_name.empty()) if (!server_name.empty())
{ {
AppId client_id; AppId client_id = APP_ID_NONE;
AppId payload_id; AppId payload_id = APP_ID_NONE;
AppidChangeBits change_bits;
snort::Packet* p = snort::DetectionEngine::get_current_packet();
if (!asd->tsession) if (!asd->tsession)
asd->tsession = new TlsSession(); asd->tsession = new TlsSession();
asd->tsession->set_tls_host(server_name.c_str(), server_name.length(), c hange_bits); asd->tsession->set_tls_host(server_name.c_str(), server_name.length(), c hange_bits);
asd->set_tls_host(change_bits); asd->set_tls_host(change_bits);
asd->get_odp_ctxt().get_ssl_matchers().scan_hostname(reinterpret_cast<co nst uint8_t*>(server_name.c_str()), asd->get_odp_ctxt().get_ssl_matchers().scan_hostname(reinterpret_cast<co nst uint8_t*>(server_name.c_str()),
server_name.length(), client_id, payload_id); server_name.length(), client_id, payload_id);
asd->set_payload_id(payload_id); asd->set_payload_id(payload_id);
asd->set_ss_application_ids_payload(payload_id, change_bits); asd->set_ss_application_ids_payload(payload_id, change_bits);
}
asd->publish_appid_event(change_bits, *p); if (appidDebug->is_active())
{
std::string debug_str;
debug_str += "encrypted client app: " + std::to_string(client_id);
if (!name.empty())
debug_str += ", process name: " + name + ", confidence: " + std::to_
string(conf);
if (!server_name.empty())
debug_str += ", server name: " + server_name;
if (!user_agent.empty())
debug_str += ", user agent: " + user_agent;
if (is_quic && alpn_vec.size())
{
debug_str += ", alpn: [ ";
for(unsigned int i = 0; i < alpn_vec.size(); i++)
debug_str += alpn_vec[i] + " ";
debug_str += "]";
}
LogMessage("AppIdDbg %s %s\n",
appidDebug->get_debug_session(), debug_str.c_str());
} }
if (change_bits.any())
asd->publish_appid_event(change_bits, *p);
} }
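Review bot: The `AppId client_id = APP_ID_NONE;` declared inside the new `if (!server_name.empty())` block shadows the function-scope `client_id` set by the user-agent / process-name branches just above it, so the value `scan_hostname()` writes is silently dropped and the debug line `"encrypted client app: " + std::to_string(client_id)` reports the outer variable; if discarding the hostname match is intended, renaming the inner one makes that explicit, e.g. `AppId hostname_client_id = APP_ID_NONE;` passed to `scan_hostname(..., hostname_client_id, payload_id)` with a one-line comment that only `payload_id` is consumed. `std::vector<std::string> alpn_vec = eve_process_event.get_alpn();` takes a copy of the whole vector although only `alpn_vec[0]` and its size are read; if `get_alpn()` returns a reference, `const auto& alpn_vec` avoids the allocation on every event. Worth a short comment near the `else if (!name.empty())` branch that the EVE process-name match is deliberately skipped whenever a user agent is present, since that ordering decides which client id ends up on the session. The debug log now interpolates `user_agent`, `server_name` and the ALPN strings unescaped into a single `LogMessage` line; these presumably come from the wire, so a reader may want a note that the debug output is not sanitized (the pre-existing `name`/`server_name` logging had the same property).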
 End of changes. 13 change blocks. 
21 lines changed or deleted 101 lines changed or added
