snort  2.9.17
About: Snort is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.
  Fossies Dox: snort-2.9.17.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

fw_appid.c File Reference
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <ctype.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <syslog.h>
#include <strings.h>
#include <sys/time.h>
#include <pthread.h>
#include "appIdApi.h"
#include "fw_appid.h"
#include "profiler.h"
#include "client_app_base.h"
#include "httpCommon.h"
#include "luaDetectorApi.h"
#include "http_url_patterns.h"
#include "detector_http.h"
#include "service_ssl.h"
#include "detector_dns.h"
#include "flow.h"
#include "common_util.h"
#include "spp_appid.h"
#include "hostPortAppCache.h"
#include "lengthAppCache.h"
#include "appInfoTable.h"
#include "appIdStats.h"
#include "sf_mlmp.h"
#include "ip_funcs.h"
#include "app_forecast.h"
#include "thirdparty_appid_types.h"
#include "thirdparty_appid_utils.h"
#include "service_base.h"

Macros

#define MAX_ATTR_LEN   1024
 
#define HTTP_PREFIX   "http://"
 
#define MULTI_BUF_SIZE   1024
 
#define APP_MAPPING_FILE   "appMapping.data"
 
#define HTTP_PATTERN_MAX_LEN   1024
 
#define PORT_MAX   65535
 
#define RESPONSE_CODE_LENGTH   3
 
#define printSnortPacket(SFSnortPacket_ptr)
 

Functions

static void ProcessThirdPartyResults (SFSnortPacket *p, APPID_SESSION_DIRECTION direction, tAppIdData *appIdSession, int confidence, tAppId *proto_list, ThirdPartyAppIDAttributeData *attribute_data)
 
static void ExamineRtmpMetadata (SFSnortPacket *p, APPID_SESSION_DIRECTION direction, tAppIdData *appIdSession)
 
static void appSharedDataFree (tAppIdData *sharedData)
 
static void appTmpSharedDataFree (tTmpAppIdData *sharedData)
 
static void appHttpFieldClear (httpSession *hsession)
 
static void appHttpSessionDataFree (httpSession *hsession)
 
static void appDNSSessionDataFree (dnsSession *dsession)
 
static void appTlsSessionDataFree (tlsSession *tsession)
 
void appSharedDataDelete (tAppIdData *sharedData)
 
tAppIdData * appSharedDataAlloc (uint8_t proto, const struct in6_addr *ip, uint16_t port)
 
static tAppIdData * appSharedCreateData (const SFSnortPacket *p, uint8_t proto, APPID_SESSION_DIRECTION direction)
 
static void appSharedReInitData (tAppIdData *session)
 
void fwAppIdFini (tAppIdConfig *pConfig)
 
static int PENetworkMatch (const sfaddr_t *pktAddr, const PortExclusion *pe)
 
static int checkPortExclusion (const SFSnortPacket *pkt, int reversed)
 
static signed char fwAppIdDebugCheck (void *lwssn, tAppIdData *session, volatile int debug_flag, FWDebugSessionConstraints *info, char *debug_session, APPID_SESSION_DIRECTION direction)
 
static void appIdDebugParse (const char *desc, const uint8_t *data, uint32_t length, volatile int *debug_flag, FWDebugSessionConstraints *info)
 
int AppIdDebug (uint16_t type, const uint8_t *data, uint32_t length, void **new_context, char *statusBuf, int statusBuf_len)
 
unsigned isIPv4HostMonitored (uint32_t ip4, int32_t zone)
 
static unsigned isIPMonitored (const SFSnortPacket *p, int dst)
 
static int isSpecialSessionMonitored (const SFSnortPacket *p)
 
static uint64_t isSessionMonitored (const SFSnortPacket *p, APPID_SESSION_DIRECTION dir, tAppIdData *session)
 
void CheckDetectorCallback (const SFSnortPacket *p, tAppIdData *session, APPID_SESSION_DIRECTION direction, tAppId appId, const tAppIdConfig *pConfig)
 
static signed char svcTakingTooMuchTime (tAppIdData *session)
 
static void setServiceAppIdData (SFSnortPacket *p, APPID_SESSION_DIRECTION direction, tAppIdData *session, tAppId serviceAppId, char *vendor, char **version)
 
static void setClientAppIdData (SFSnortPacket *p, APPID_SESSION_DIRECTION direction, tAppIdData *session, tAppId clientAppId, char **version)
 
static void setReferredPayloadAppIdData (tAppIdData *session, tAppId referredPayloadAppId)
 
static void setPayloadAppIdData (SFSnortPacket *p, APPID_SESSION_DIRECTION direction, tAppIdData *session, tAppId payloadAppId, char **version)
 
static void setTPAppIdData (SFSnortPacket *p, APPID_SESSION_DIRECTION direction, tAppIdData *session, tAppId tpAppId)
 
static void setTPPayloadAppIdData (SFSnortPacket *p, APPID_SESSION_DIRECTION direction, tAppIdData *session, tAppId tpPayloadAppId)
 
static void clearSessionAppIdData (tAppIdData *session)
 
static int initial_CHP_sweep (char **chp_buffers, uint16_t *chp_buffer_lengths, MatchedCHPAction **ppmatches, tAppIdData *session, const tDetectorHttpConfig *pHttpConfig)
 
static void processCHP (tAppIdData *session, char **version, SFSnortPacket *p, APPID_SESSION_DIRECTION direction, const tAppIdConfig *pConfig)
 
static signed char payloadAppIdIsSet (tAppIdData *session)
 
static void clearMiscHttpFlags (tAppIdData *session)
 
STATIC INLINE int processHTTPPacket (SFSnortPacket *p, tAppIdData *session, APPID_SESSION_DIRECTION direction, HttpParsedHeaders *const headers, const tAppIdConfig *pConfig)
 
static void stopRnaServiceInspection (SFSnortPacket *p, tAppIdData *session, APPID_SESSION_DIRECTION direction)
 
static signed char isSslDecryptionEnabled (tAppIdData *session)
 
static void checkRestartSSLDetection (tAppIdData *session)
 
static void checkRestartTunnelDetection (tAppIdData *session)
 
static void checkRestartAppDetection (tAppIdData *session)
 
static void updateEncryptedAppId (tAppIdData *session, tAppId serviceAppId)
 
static int scanSslParamsLookupAppId (tAppIdData *session, const char *serverName, signed char isSniMismatch, const char *subjectAltName, const char *commonName, const char *orgName, tAppId *clientAppId, tAppId *payloadAppId)
 
static void ExamineSslMetadata (SFSnortPacket *p, APPID_SESSION_DIRECTION direction, tAppIdData *session, tAppIdConfig *pConfig)
 
static int RunClientDetectors (tAppIdData *session, SFSnortPacket *p, int direction, tAppIdConfig *pConfig)
 
static void synchAppIdWithSnortId (tAppId newAppId, SFSnortPacket *p, tAppIdData *session, tAppIdConfig *pConfig)
 
static void checkTerminateTpModule (uint16_t tpPktCount, tAppIdData *session)
 
static APPID_SESSION_DIRECTION getIP4_direction (SFSnortPacket *p)
 
static APPID_SESSION_DIRECTION getIP6_direction (SFSnortPacket *p)
 
static int appDetermineProtocol (SFSnortPacket *p, tAppIdData *session, uint8_t *protocolp, uint8_t *outer_protocol, APPID_SESSION_DIRECTION *directionp)
 
static signed char checkThirdPartyReinspect (const SFSnortPacket *p, tAppIdData *session)
 
static int getIpPortFromHttpTunnel (char *url, int url_len, tunnelDest **tunDest)
 
static int checkHostCache (SFSnortPacket *p, tAppIdData *session, sfaddr_t *ip, uint16_t port, uint8_t protocol, tAppIdConfig *pConfig)
 
static signed char isCheckHostCacheValid (tAppIdData *session, tAppId serviceAppId, tAppId clientAppId, tAppId payloadAppId, tAppId miscAppId)
 
void fwAppIdInit (void)
 
static tAppId processThirdParty (SFSnortPacket *p, tAppIdData *session, APPID_SESSION_DIRECTION direction, uint8_t protocol, signed char *isTpAppidDiscoveryDone, tAppIdConfig *pConfig)
 
void fwAppIdSearch (SFSnortPacket *p)
 
STATIC INLINE void pickHttpXffAddress (SFSnortPacket *p, tAppIdData *appIdSession, ThirdPartyAppIDAttributeData *attribute_data)
 
void appSetServiceDetectorCallback (RNAServiceCallbackFCN fcn, tAppId appId, struct _Detector *userdata, tAppIdConfig *pConfig)
 
void appSetClientDetectorCallback (RNAClientAppCallbackFCN fcn, tAppId appId, struct _Detector *userdata, tAppIdConfig *pConfig)
 
void appSetServiceValidator (RNAServiceValidationFCN fcn, tAppId appId, unsigned extractsInfo, tAppIdConfig *pConfig)
 
void appSetLuaServiceValidator (RNAServiceValidationFCN fcn, tAppId appId, unsigned extractsInfo, struct _Detector *data)
 
void appSetClientValidator (RNAClientAppFCN fcn, tAppId appId, unsigned extractsInfo, tAppIdConfig *pConfig)
 
void appSetLuaClientValidator (RNAClientAppFCN fcn, tAppId appId, unsigned extractsInfo, struct _Detector *data)
 
void AppIdAddUser (tAppIdData *flowp, const char *username, tAppId appId, int success)
 
void AppIdAddDnsQueryInfo (tAppIdData *flow, uint16_t id, const uint8_t *host, uint8_t host_len, uint16_t host_offset, uint16_t record_type, uint16_t options_offset)
 
void AppIdAddDnsResponseInfo (tAppIdData *flow, uint16_t id, const uint8_t *host, uint8_t host_len, uint16_t host_offset, uint8_t response_type, uint32_t ttl)
 
void AppIdResetDnsInfo (tAppIdData *flow)
 
void AppIdAddPayload (tAppIdData *flow, tAppId payload_id)
 
void AppIdAddMultiPayload (tAppIdData *flow, tAppId payload_id)
 
tAppId getOpenAppId (void *ssnptr)
 
int sslAppGroupIdLookup (void *ssnptr, const char *serverName, const char *commonName, tAppId *serviceAppId, tAppId *clientAppId, tAppId *payloadAppId)
 
void setTlsHost (void *ssnptr, const char *serverName, const char *commonName, const char *orgName, const char *subjectAltName, signed char isSniMismatch, tAppId *serviceAppId, tAppId *clientAppId, tAppId *payloadAppId)
 
void httpHeaderCallback (SFSnortPacket *p, HttpParsedHeaders *const headers)
 
void checkSandboxDetection (tAppId appId)
 

Variables

static volatile int app_id_debug_flag
 
static FWDebugSessionConstraints app_id_debug_info
 
char app_id_debug_session [(39+1+5+4+39+1+5+1+3+1+1+1+2+1+10+1+1+1+10+1)]
 
signed char app_id_debug_session_flag
 
unsigned long app_id_ongoing_session = 0
 
unsigned long app_id_total_alloc = 0
 
unsigned long app_id_raw_packet_count = 0
 
unsigned long app_id_processed_packet_count = 0
 
unsigned long app_id_ignored_packet_count = 0
 
static tAppIdData * app_id_free_list
 
static tTmpAppIdData * tmp_app_id_free_list
 
static uint32_t snortInstance
 
int app_id_debug
 
static int ptype_scan_counts [9]
 
AppIdDebugHostInfo_t AppIdDebugHostInfo
 
static int16_t snortId_for_unsynchronized
 
static int16_t snortId_for_ftp_data
 
static int16_t snortId_for_http2
 
static char * httpFieldName [9]
 

Macro Definition Documentation

◆ APP_MAPPING_FILE

#define APP_MAPPING_FILE   "appMapping.data"

Definition at line 74 of file fw_appid.c.

◆ HTTP_PATTERN_MAX_LEN

#define HTTP_PATTERN_MAX_LEN   1024

Definition at line 93 of file fw_appid.c.

◆ HTTP_PREFIX

#define HTTP_PREFIX   "http://"

Definition at line 70 of file fw_appid.c.

◆ MAX_ATTR_LEN

#define MAX_ATTR_LEN   1024

Definition at line 69 of file fw_appid.c.

◆ MULTI_BUF_SIZE

#define MULTI_BUF_SIZE   1024

Definition at line 72 of file fw_appid.c.

◆ PORT_MAX

#define PORT_MAX   65535

Definition at line 94 of file fw_appid.c.

◆ printSnortPacket

#define printSnortPacket (   SFSnortPacket_ptr)

Definition at line 2687 of file fw_appid.c.

◆ RESPONSE_CODE_LENGTH

#define RESPONSE_CODE_LENGTH   3

Function Documentation

◆ appDetermineProtocol()

◆ appDNSSessionDataFree()

static void appDNSSessionDataFree ( dnsSession * dsession)
inline static

Definition at line 252 of file fw_appid.c.

References _dnsSession::host, and NULL.

Referenced by appSharedDataDelete(), and clearSessionAppIdData().

◆ appHttpFieldClear()

◆ appHttpSessionDataFree()

◆ AppIdAddDnsQueryInfo()

◆ AppIdAddDnsResponseInfo()

◆ AppIdAddMultiPayload()

◆ AppIdAddPayload()

void AppIdAddPayload ( tAppIdData *  flow,
tAppId  payload_id 
)

Definition at line 5212 of file fw_appid.c.

References appidStaticConfig, checkSandboxDetection(), and AppIdData::payloadAppId.

◆ AppIdAddUser()

void AppIdAddUser ( tAppIdData *  flowp,
const char *  username,
tAppId  appId,
int  success 
)

◆ AppIdDebug()

int AppIdDebug ( uint16_t  type,
const uint8_t *  data,
uint32_t  length,
void **  new_context,
char *  statusBuf,
int  statusBuf_len 
)

Definition at line 895 of file fw_appid.c.

References app_id_debug_flag, app_id_debug_info, appIdDebugParse(), and length.

Referenced by AppIdInit().

◆ appIdDebugParse()

◆ AppIdResetDnsInfo()

void AppIdResetDnsInfo ( tAppIdData * flow)

Definition at line 5203 of file fw_appid.c.

References AppIdData::dsession, and _dnsSession::host.

Referenced by AppIdAddDnsQueryInfo(), and AppIdAddDnsResponseInfo().

◆ appSetClientDetectorCallback()

◆ appSetClientValidator()

◆ appSetLuaClientValidator()

◆ appSetLuaServiceValidator()

◆ appSetServiceDetectorCallback()

◆ appSetServiceValidator()

◆ appSharedCreateData()

◆ appSharedDataAlloc()

◆ appSharedDataDelete()

◆ appSharedDataFree()

static void appSharedDataFree ( tAppIdData * sharedData)
inline static

Definition at line 112 of file fw_appid.c.

References app_id_free_list, and AppIdData::next.

Referenced by appSharedDataDelete().

◆ appSharedReInitData()

◆ appTlsSessionDataFree()

static void appTlsSessionDataFree ( tlsSession * tsession)
inline static

◆ appTmpSharedDataFree()

static void appTmpSharedDataFree ( tTmpAppIdData * sharedData)
inline static

Definition at line 118 of file fw_appid.c.

References _tTmpAppIdData::next, and tmp_app_id_free_list.

Referenced by fwAppIdSearch().

◆ CheckDetectorCallback()

◆ checkHostCache()

◆ checkPortExclusion()

◆ checkRestartAppDetection()

static void checkRestartAppDetection ( tAppIdData * session)
inline static

Definition at line 2319 of file fw_appid.c.

References checkRestartSSLDetection(), and checkRestartTunnelDetection().

Referenced by fwAppIdSearch().

◆ checkRestartSSLDetection()

◆ checkRestartTunnelDetection()

◆ checkSandboxDetection()

◆ checkTerminateTpModule()

◆ checkThirdPartyReinspect()

static signed char checkThirdPartyReinspect ( const SFSnortPacket *  p,
tAppIdData *  session 
)
inline static

◆ clearMiscHttpFlags()

◆ clearSessionAppIdData()

◆ ExamineRtmpMetadata()

◆ ExamineSslMetadata()

◆ fwAppIdDebugCheck()

◆ fwAppIdFini()

void fwAppIdFini ( tAppIdConfig * pConfig)

◆ fwAppIdInit()

void fwAppIdInit ( void  )

◆ fwAppIdSearch()

void fwAppIdSearch ( SFSnortPacket * p)

Definition at line 3360 of file fw_appid.c.

References _dpd, AddFTPServiceState(), _DynamicPreprocessorData::addPktTrace, app_id_debug_flag, app_id_debug_info, app_id_debug_session, app_id_debug_session_flag, APP_ID_DNS, APP_ID_FROM_INITIATOR, APP_ID_FROM_RESPONDER, APP_ID_HTTP_SSL_TUNNEL, APP_ID_HTTP_TUNNEL, app_id_ignored_packet_count, APP_ID_NONE, app_id_processed_packet_count, app_id_raw_packet_count, APP_ID_RTMP, APP_ID_RTP, APP_ID_RTP_AUDIO, APP_ID_RTP_VIDEO, APP_ID_SFTP, APP_ID_SIP, APP_ID_SSH, APP_ID_UNKNOWN, appDetermineProtocol(), appGetAppName(), APPID_DEBUG_HOST_NOT_MONITORED, APPID_SESSION_ADDITIONAL_PACKET, APPID_SESSION_BIDIRECTIONAL_CHECKED, APPID_SESSION_CLIENT_DETECTED, APPID_SESSION_CLIENT_GETS_SERVER_PACKETS, APPID_SESSION_CONTINUE, APPID_SESSION_DATA_SERVICE_MODSTATE_BIT, APPID_SESSION_DECRYPTED, APPID_SESSION_DISCOVER_APP, APPID_SESSION_DISCOVER_USER, APPID_SESSION_HOST_CACHE_MATCHED, APPID_SESSION_HTTP_SESSION, APPID_SESSION_IGNORE_FLOW, APPID_SESSION_IGNORE_FLOW_LOGGED, APPID_SESSION_IGNORE_HOST, APPID_SESSION_INITIATOR_MONITORED, APPID_SESSION_MID, APPID_SESSION_NO_TPI, APPID_SESSION_NOT_A_SERVICE, APPID_SESSION_OOO, APPID_SESSION_OOO_CHECK_TP, APPID_SESSION_PORT_SERVICE_DONE, APPID_SESSION_RESPONDER_MONITORED, APPID_SESSION_RESPONDER_SEEN, APPID_SESSION_REXEC_STDERR, APPID_SESSION_SERVICE_DELETED, APPID_SESSION_SERVICE_DETECTED, APPID_SESSION_SPECIAL_MONITORED, APPID_SESSION_SSL_SESSION, APPID_SESSION_SYN_RST, APPID_SESSION_TYPE_IGNORE, APPID_SESSION_TYPE_TMP, appIdActiveConfigGet(), AppIdDebugHostInfo, AppIdDiscoverClientApp(), AppIdDiscoverService(), AppIdFlowdataDeleteAllByMask(), AppIdGetServiceIDState(), appIdPolicyId, AppIdRemoveServiceIDState(), AppIdServiceDetectionLevel(), appidStaticConfig, APPINFO_FLAG_CLIENT_ADDITIONAL, APPINFO_FLAG_CLIENT_USER, APPINFO_FLAG_SEARCH_ENGINE, APPINFO_FLAG_SERVICE_ADDITIONAL, APPINFO_FLAG_SERVICE_UDP_REVERSED, APPINFO_FLAG_SUPPORTED_SEARCH, appInfoEntryFlagGet(), appInfoEntryGet(), appSharedCreateData(), appSharedGetData(), 
appTmpSharedDataFree(), AppIdData::candidate_client_list, checkHostCache(), checkRestartAppDetection(), checkSessionForAFForecast(), checkSessionForAFIndicator(), clearAppIdFlag(), CLIENT_APP_INPROCESS, AppIdData::clientAppId, AppIdData::clientData, _AppInfoTableEntry::clntValidator, _tTmpAppIdData::common, AppIdData::common, compareServiceElements(), appIdConfig_::debugHostIp, AppIdDebugHostInfo_t::direction, _tLengthSequenceEntry::direction, dns_host_scan_hostname(), AppIdData::dsession, _SFSnortPacket::dst_port, DynamicPreprocessorFatalMessage(), ExamineRtmpMetadata(), ExamineSslMetadata(), AppIdDebugHostInfo_t::family, _httpSession::fieldEndOffset, _httpSession::fieldOffset, FLAG_REBUILT_STREAM, FLAG_RETRANSMIT, FLAG_STREAM_ORDER_BAD, FLAG_STREAM_ORDER_OK, _TCPHeader::flags, _SFSnortPacket::flags, _AppInfoTableEntry::flags, _tCommonAppIdData::flags, _APPID_SESSION_STRUCT_FLAG::flow_type, _tCommonAppIdData::fsf_type, fwAppIdDebugCheck(), fwPickClientAppId(), fwPickMiscAppId(), fwPickPayloadAppId(), fwPickServiceAppId(), GET_DST_IP, GET_IPH_TOS, _httpSession::get_offsets_from_rebuilt, _session_api::get_session_flags, GET_SRC_IP, getAppIdFlag(), getIpPortFromHttpTunnel(), GetPacketRealTime, getPortServiceId(), getProtocolServiceId(), _dnsSession::host, _dnsSession::host_len, AppIdData::hsession, httpGetNewOffsetsFromPacket(), index, INET6_ADDRSTRLEN, AppIdData::init_tpPackets, _tCommonAppIdData::initiator_ip, _tCommonAppIdData::initiator_port, AppIdData::initiatorBytes, AppIdData::initiatorBytesWithoutServerReply, AppIdDebugHostInfo_t::initiatorIp, AppIdData::initiatorPcketCountWithoutReply, AppIdDebugHostInfo_t::initiatorPort, _tunnelDest::ip, appIdConfig_::ip_protocol, AppIdData::is_http2, _stream_api::is_session_decrypted, _stream_api::is_session_http2, isCheckHostCacheValid(), isHttpTunnel(), isSessionMonitored(), _DynamicPreprocessorData::isSSLPolicyEnabled, isSslServiceAppId(), _tLengthSequenceEntry::length, AppIdData::length_sequence, 
LENGTH_SEQUENCE_CNT_MAX, lengthAppCacheFind(), _DynamicPreprocessorData::logMsg, MAX_SFTP_PACKET_COUNT, MIN_SFTP_PACKET_COUNT, AppIdData::miscAppId, AppIdDebugHostInfo_t::monitorType, RNAServiceElement::name, _tTmpAppIdData::next, NOT_A_SEARCH_ENGINE, NULL, AppIdData::pastForecast, AppIdData::pastIndicator, _SFSnortPacket::payload, _SFSnortPacket::payload_size, AppIdData::payloadAppId, pickClientAppId(), pickPayloadId(), pickServiceAppId(), _SFSnortPacket::pkt_header, _DynamicPreprocessorData::pkt_tracer_enabled, _tCommonAppIdData::policyId, _tunnelDest::port, AppIdData::portServiceAppId, PP_APP_ID, PREPROC_PROFILE_END, PREPROC_PROFILE_START, AppIdData::previous_tcp_flags, PRIx64, processThirdParty(), PROFILE_VARS, _tLengthKey::proto, AppIdDebugHostInfo_t::protocol, REQ_COOKIE_FID, REQ_URI_FID, _APP_ID_SERVICE_ID_STATE::reset_time, AppIdData::resp_tpPackets, AppIdData::responderBytes, RNA_STATE_DIRECT, RNA_STATE_FINISHED, RNA_STATE_NONE, RNA_STATE_STATEFUL, AppIdData::rnaClientState, AppIdData::rnaServiceState, RunClientDetectors(), AppIdData::scan_flags, SCAN_HTTP_URI_FLAG, AppIdData::search_support_type, SEARCH_SUPPORT_TYPE_UNKNOWN, _tLengthKey::sequence, _tLengthKey::sequence_cnt, AppIdData::service_ip, AppIdData::service_port, AppIdData::serviceAppId, AppIdData::serviceData, appIdConfig_::serviceDnsConfig, AppIdDebugHostInfo_t::session, AppIdData::session_packet_count, _ThirdPartyAppIDModule::session_state_get, _ThirdPartyAppIDModule::session_state_set, _DynamicPreprocessorData::sessionAPI, _session_api::set_application_data, setAppIdFlag(), setClientAppIdData(), SetPacketRealTime(), SF_APPID_MAX, SF_DEBUG_FILE, sfaddr_copy_to_raw(), sfaddr_family, sfaddr_get_ptr, sfaddr_is_set(), sflist_count(), snprintf, _SFSnortPacket::src_port, SSNFLAG_MIDSTREAM, AppIdData::stats, stopRnaServiceInspection(), _SFSnortPacket::stream_session, _DynamicPreprocessorData::streamAPI, SUPPORTED_SEARCH_ENGINE, svcTakingTooMuchTime(), _AppInfoTableEntry::svrValidator, 
synchAppIdWithSnortId(), _SFSnortPacket::tcp_header, TCPHEADER_ACK, TCPHEADER_FIN, TCPHEADER_RST, TCPHEADER_SYN, thirdparty_appid_module, tmp_app_id_free_list, TP_STATE_TERMINATED, AppIdData::tpAppId, TPIsAppIdAvailable(), TPIsAppIdDone(), AppIdData::tpsession, _DynamicPreprocessorData::trace, _DynamicPreprocessorData::traceMax, true, AppIdData::tsession, _httpSession::tunDest, UNSUPPORTED_SEARCH_ENGINE, updateEncryptedAppId(), _httpSession::uri, _httpSession::uri_buflen, and VERDICT_REASON_APPID.

Referenced by AppIdProcess().

◆ getIP4_direction()

◆ getIP6_direction()

◆ getIpPortFromHttpTunnel()

static int getIpPortFromHttpTunnel ( char *  url,
int  url_len,
tunnelDest **  tunDest 
)
inline static

◆ getOpenAppId()

tAppId getOpenAppId ( void *  ssnptr)

Definition at line 5254 of file fw_appid.c.

References APP_ID_NONE, getAppIdData(), and AppIdData::payloadAppId.

Referenced by AppIdInit().

◆ httpHeaderCallback()

◆ initial_CHP_sweep()

◆ isCheckHostCacheValid()

static signed char isCheckHostCacheValid ( tAppIdData *  session,
tAppId  serviceAppId,
tAppId  clientAppId,
tAppId  payloadAppId,
tAppId  miscAppId 
)
inline static

◆ isIPMonitored()

◆ isIPv4HostMonitored()

unsigned isIPv4HostMonitored ( uint32_t  ip4,
int32_t  zone 
)

◆ isSessionMonitored()

◆ isSpecialSessionMonitored()

static int isSpecialSessionMonitored ( const SFSnortPacket * p)
inline static

◆ isSslDecryptionEnabled()

static signed char isSslDecryptionEnabled ( tAppIdData * session)
inline static

◆ payloadAppIdIsSet()

static signed char payloadAppIdIsSet ( tAppIdData * session)
inline static

Definition at line 1854 of file fw_appid.c.

References AppIdData::payloadAppId, and AppIdData::tpPayloadAppId.

Referenced by processHTTPPacket().

◆ PENetworkMatch()

static int PENetworkMatch ( const sfaddr_t *  pktAddr,
const PortExclusion *  pe 
)
inline static

Definition at line 537 of file fw_appid.c.

References _port_ex::ip, _port_ex::netmask, and sfaddr_get_ip6_ptr.

Referenced by checkPortExclusion().

◆ pickHttpXffAddress()

◆ processCHP()

static void processCHP ( tAppIdData *  session,
char **  version,
SFSnortPacket *  p,
APPID_SESSION_DIRECTION  direction,
const tAppIdConfig *  pConfig 
)
inline static

Definition at line 1614 of file fw_appid.c.

References _dpd, app_id_debug_session, app_id_debug_session_flag, APP_TYPE_CLIENT, _httpSession::app_type_flags, APP_TYPE_PAYLOAD, APP_TYPE_SERVICE, _fflow_info::appId, APPID_SESSION_LOGIN_SUCCEEDED, _httpSession::body, _httpSession::body_buflen, _httpSession::chp_alt_candidate, CHP_APPIDINSTANCE_TO_ID, _httpSession::chp_candidate, _httpSession::chp_finished, _httpSession::chp_hold_flow, _httpSession::content_type, _httpSession::content_type_buflen, _httpSession::cookie, _httpSession::cookie_buflen, appIdConfig_::detectorHttpConfig, _httpSession::fflow, finalizeFflow(), _fflow_info::flow_prepared, FreeMatchedCHPActions(), _httpSession::get_offsets_from_rebuilt, _httpSession::host, _httpSession::host_buflen, AppIdData::hsession, httpFieldName, initial_CHP_sweep(), _httpSession::location, _httpSession::location_buflen, _DynamicPreprocessorData::logMsg, _httpSession::new_field, _httpSession::new_field_contents, NULL, _httpSession::num_matches, _httpSession::num_scans, NUMBER_OF_PTYPES, ptype_scan_counts, _httpSession::referer, _httpSession::referer_buflen, _httpSession::req_body, _httpSession::req_body_buflen, AppIdData::scan_flags, SCAN_HTTP_HOST_URL_FLAG, SCAN_HTTP_USER_AGENT_FLAG, SCAN_HTTP_VIA_FLAG, scanCHP(), AppIdData::serviceAppId, setAppIdFlag(), setClientAppIdData(), setPayloadAppIdData(), setServiceAppIdData(), _httpSession::skip_simple_detect, _httpSession::total_found, _httpSession::uri, _httpSession::uri_buflen, _httpSession::useragent, _httpSession::useragent_buflen, AppIdData::username, and AppIdData::usernameService.

Referenced by processHTTPPacket().

◆ processHTTPPacket()

STATIC INLINE int processHTTPPacket ( SFSnortPacket *  p,
tAppIdData *  session,
APPID_SESSION_DIRECTION  direction,
HttpParsedHeaders *const  headers,
const tAppIdConfig *  pConfig 
)

Definition at line 1869 of file fw_appid.c.

References _dpd, APP_ID_APPLE_CORE_MEDIA, app_id_debug_session, app_id_debug_session_flag, APP_ID_FROM_INITIATOR, APP_ID_FROM_RESPONDER, APP_ID_HTTP, APP_ID_NONE, APP_ID_WEBDAV, APPID_SESSION_APP_REINSPECT, APPID_SESSION_RESPONSE_CODE_CHECKED, appidStaticConfig, appInfoEntryGet(), checkSandboxDetection(), _httpSession::chp_finished, _httpSession::chp_hold_flow, clearMiscHttpFlags(), clearSessionAppIdData(), AppIdData::clientAppId, _AppInfoTableEntry::clientId, _httpSession::content_type, appIdConfig_::detectorHttpConfig, getAppidByContentType(), getAppidByViaPattern(), getAppIdFlag(), getAppIdFromUrl(), getHTTPHeaderLocation(), getServerVendorVersion(), _httpSession::host, AppIdData::hsession, HTTP_ID_CONTENT_TYPE, HTTP_ID_SERVER, HTTP_ID_X_WORKING_WITH, identifyUserAgent(), _DynamicPreprocessorData::logMsg, AppIdData::miscAppId, _RNAServiceSubtype::next, NULL, _SFSnortPacket::payload, _SFSnortPacket::payload_size, AppIdData::payloadAppId, payloadAppIdIsSet(), PREPROC_PROFILE_END, PREPROC_PROFILE_START, processCHP(), PROFILE_VARS, _httpSession::referer, _httpSession::response_code, _httpSession::response_code_buflen, RESPONSE_CODE_LENGTH, RESPONSE_CODE_PACKET_THRESHHOLD, AppIdData::scan_flags, scan_header_x_working_with(), SCAN_HTTP_CONTENT_TYPE_FLAG, SCAN_HTTP_HOST_URL_FLAG, SCAN_HTTP_USER_AGENT_FLAG, SCAN_HTTP_VENDOR_FLAG, SCAN_HTTP_VIA_FLAG, SCAN_HTTP_XWORKINGWITH_FLAG, _httpSession::server, AppIdData::serviceAppId, AppIdData::serviceVendor, AppIdData::serviceVersion, setAppIdFlag(), setClientAppIdData(), setPayloadAppIdData(), setReferredPayloadAppIdData(), setServiceAppIdData(), _httpSession::skip_simple_detect, start, AppIdData::subtype, thirdparty_appid_module, AppIdData::tpPayloadAppId, _httpSession::uri, _httpSession::url, _httpSession::useragent, _httpSession::useragent_buflen, _httpSession::via, webdav_found(), and _httpSession::x_working_with.

Referenced by httpHeaderCallback(), and processThirdParty().

◆ processThirdParty()

static tAppId processThirdParty ( SFSnortPacket *  p,
tAppIdData *  session,
APPID_SESSION_DIRECTION  direction,
uint8_t  protocol,
signed char *  isTpAppidDiscoveryDone,
tAppIdConfig *  pConfig 
)
inline static

Definition at line 3061 of file fw_appid.c.

References _dpd, APP_ID_CIP, app_id_debug_session, app_id_debug_session_flag, APP_ID_ENIP, APP_ID_FROM_INITIATOR, APP_ID_FROM_RESPONDER, APP_ID_HTTP, APP_ID_HTTP2, APP_ID_NONE, APP_ID_SSL, appHttpFieldClear(), APPID_SESSION_APP_REINSPECT, APPID_SESSION_APP_REINSPECT_SSL, APPID_SESSION_CLIENT_DETECTED, APPID_SESSION_CONTINUE, APPID_SESSION_HTTP_CONNECT, APPID_SESSION_HTTP_SESSION, APPID_SESSION_SERVICE_DETECTED, APPID_SESSION_SSL_SESSION, appidStaticConfig, APPINFO_FLAG_IGNORE, APPINFO_FLAG_SSL_SQUELCH, APPINFO_FLAG_TP_CLIENT, appInfoEntryFlags(), checkTerminateTpModule(), checkThirdPartyReinspect(), clearAppIdFlag(), AppIdData::clientAppId, _ThirdPartyAppIDModule::disable_flags, _SFSnortPacket::dst_port, DynamicPreprocessorFatalMessage(), ExamineSslMetadata(), FLAG_STREAM_ORDER_BAD, FLAG_STREAM_ORDER_OK, _SFSnortPacket::flags, GET_DST_IP, GET_SRC_IP, getAppIdFlag(), getSslServiceAppId(), AppIdData::hsession, AppIdData::init_tpPackets, AppIdData::is_http2, _httpSession::is_tunnel, isTPProcessingDone(), _DynamicPreprocessorData::logMsg, NULL, _SFSnortPacket::payload, _SFSnortPacket::payload_size, AppIdData::payloadAppId, _SFSnortPacket::pkt_header, AppIdData::portServiceAppId, PREPROC_PROFILE_END, PREPROC_PROFILE_START, printSnortPacket, processHTTPPacket(), ProcessThirdPartyResults(), PROFILE_VARS, AppIdData::resp_tpPackets, RNA_STATE_FINISHED, AppIdData::rnaClientState, AppIdData::rnaServiceState, AppIdData::scan_flags, SCAN_SPOOFED_SNI_FLAG, SCAN_SSL_HOST_FLAG, AppIdData::service_ip, AppIdData::service_port, AppIdData::serviceAppId, _ThirdPartyAppIDModule::session_create, _ThirdPartyAppIDModule::session_process, _ThirdPartyAppIDModule::session_state_get, _DynamicPreprocessorData::sessionAPI, setAppIdFlag(), setSSLSquelch(), setTPAppIdData(), setTPPayloadAppIdData(), SF_DEBUG_FILE, snortId_for_ftp_data, _SFSnortPacket::src_port, _SFSnortPacket::stream_session, strncasecmp, synchAppIdWithSnortId(), thirdparty_appid_module, TP_SESSION_FLAG_ATTRIBUTE, 
TP_SESSION_FLAG_FUTUREFLOW, TP_SESSION_FLAG_TUNNELING, TP_STATE_CLASSIFIED, TP_STATE_MONITORING, AppIdData::tpAppId, TPIsAppIdAvailable(), AppIdData::tpReinspectByInitiator, AppIdData::tpsession, and AppIdData::tsession.

Referenced by fwAppIdSearch().

◆ ProcessThirdPartyResults()

static void ProcessThirdPartyResults ( SFSnortPacket *  p,
APPID_SESSION_DIRECTION  direction,
tAppIdData *  appIdSession,
int  confidence,
tAppId *  proto_list,
ThirdPartyAppIDAttributeData *  attribute_data 
)
inline static

Definition at line 4406 of file fw_appid.c.

References _dpd, app_id_debug_session, app_id_debug_session_flag, APP_ID_EXCHANGE, APP_ID_FTP_CONTROL, APP_ID_HTTP, APP_ID_NONE, APP_ID_RTMP, APP_ID_RTSP, APP_ID_SPDY, APP_ID_SSL, APP_ID_SSL_CLIENT, APPID_SESSION_APP_REINSPECT, APPID_SESSION_CHP_INSPECTING, APPID_SESSION_DECRYPTED, APPID_SESSION_HTTP_CONNECT, APPID_SESSION_HTTP_SESSION, APPID_SESSION_HTTP_TUNNEL, APPID_SESSION_LOGIN_SUCCEEDED, APPID_SESSION_SPDY_SESSION, APPID_SESSION_SSL_SESSION, appIdActiveConfigGet(), appidStaticConfig, appInfoEntryGet(), _httpSession::body, _httpSession::body_buflen, BODY_PT, _httpSession::chp_finished, _httpSession::chp_hold_flow, clearAppIdFlag(), AppIdData::clientAppId, _httpSession::content_type, _httpSession::content_type_buflen, _httpSession::cookie, _httpSession::cookie_buflen, appIdConfig_::detectorHttpConfig, _ThirdPartyAppIDModule::disable_flags, DynamicPreprocessorFatalMessage(), _httpSession::fieldEndOffset, _httpSession::fieldOffset, ThirdPartyAppIDAttributeData::ftpCommandUser, getAppIdFlag(), getAppIdFromUrl(), _httpSession::host, _httpSession::host_buflen, AppIdData::hsession, ThirdPartyAppIDAttributeData::httpRequestBody, ThirdPartyAppIDAttributeData::httpRequestBodyLen, ThirdPartyAppIDAttributeData::httpRequestCookie, ThirdPartyAppIDAttributeData::httpRequestCookieEndOffset, ThirdPartyAppIDAttributeData::httpRequestCookieLen, ThirdPartyAppIDAttributeData::httpRequestCookieOffset, ThirdPartyAppIDAttributeData::httpRequestHost, ThirdPartyAppIDAttributeData::httpRequestHostEndOffset, ThirdPartyAppIDAttributeData::httpRequestHostLen, ThirdPartyAppIDAttributeData::httpRequestHostOffset, ThirdPartyAppIDAttributeData::httpRequestMethod, ThirdPartyAppIDAttributeData::httpRequestReferer, ThirdPartyAppIDAttributeData::httpRequestRefererEndOffset, ThirdPartyAppIDAttributeData::httpRequestRefererLen, ThirdPartyAppIDAttributeData::httpRequestRefererOffset, ThirdPartyAppIDAttributeData::httpRequestUri, ThirdPartyAppIDAttributeData::httpRequestUriEndOffset, 
ThirdPartyAppIDAttributeData::httpRequestUriLen, ThirdPartyAppIDAttributeData::httpRequestUriOffset, ThirdPartyAppIDAttributeData::httpRequestUrl, ThirdPartyAppIDAttributeData::httpRequestUserAgent, ThirdPartyAppIDAttributeData::httpRequestUserAgentEndOffset, ThirdPartyAppIDAttributeData::httpRequestUserAgentLen, ThirdPartyAppIDAttributeData::httpRequestUserAgentOffset, ThirdPartyAppIDAttributeData::httpRequestVia, ThirdPartyAppIDAttributeData::httpRequestXWorkingWith, ThirdPartyAppIDAttributeData::httpResponseBody, ThirdPartyAppIDAttributeData::httpResponseBodyLen, ThirdPartyAppIDAttributeData::httpResponseCode, ThirdPartyAppIDAttributeData::httpResponseCodeLen, ThirdPartyAppIDAttributeData::httpResponseContent, ThirdPartyAppIDAttributeData::httpResponseContentLen, ThirdPartyAppIDAttributeData::httpResponseLocation, ThirdPartyAppIDAttributeData::httpResponseLocationLen, ThirdPartyAppIDAttributeData::httpResponseServer, ThirdPartyAppIDAttributeData::httpResponseUpgrade, ThirdPartyAppIDAttributeData::httpResponseVersion, ThirdPartyAppIDAttributeData::httpResponseVia, identifyUserAgent(), AppIdData::is_http2, _httpSession::location, _httpSession::location_buflen, LOCATION_PT, _DynamicPreprocessorData::logMsg, NULL, ThirdPartyAppIDAttributeData::numXffFields, AppIdData::payloadAppId, pickHttpXffAddress(), ptype_scan_counts, _httpSession::referer, _httpSession::referer_buflen, REQ_AGENT_FID, _httpSession::req_body, _httpSession::req_body_buflen, REQ_COOKIE_FID, REQ_HOST_FID, REQ_REFERER_FID, REQ_URI_FID, _httpSession::response_code, _httpSession::response_code_buflen, SCAN_CERTVIZ_ENABLED_FLAG, AppIdData::scan_flags, SCAN_HTTP_CONTENT_TYPE_FLAG, SCAN_HTTP_HOST_URL_FLAG, SCAN_HTTP_URI_FLAG, SCAN_HTTP_USER_AGENT_FLAG, SCAN_HTTP_VENDOR_FLAG, SCAN_HTTP_VIA_FLAG, SCAN_HTTP_XWORKINGWITH_FLAG, SCAN_SSL_CERTIFICATE_FLAG, SCAN_SSL_HOST_FLAG, _httpSession::server, AppIdData::serviceAppId, AppIdData::serviceData, _ThirdPartyAppIDModule::session_appid_get, 
_ThirdPartyAppIDModule::session_attr_set, _ThirdPartyAppIDModule::session_delete, AppIdData::session_packet_count, setAppIdFlag(), setClientAppIdData(), setPayloadAppIdData(), setReferredPayloadAppIdData(), setServiceAppIdData(), ThirdPartyAppIDAttributeData::spdyRequestHost, ThirdPartyAppIDAttributeData::spdyRequestHostEndOffset, ThirdPartyAppIDAttributeData::spdyRequestHostOffset, ThirdPartyAppIDAttributeData::spdyRequestPath, ThirdPartyAppIDAttributeData::spdyRequestPathEndOffset, ThirdPartyAppIDAttributeData::spdyRequestPathOffset, ThirdPartyAppIDAttributeData::spdyRequestScheme, _AppInfoTableEntry::svrValidator, testSSLAppIdForReinspect(), thirdparty_appid_module, ThirdPartyAppIDFoundProto(), _tlsSession::tls_cname, _tlsSession::tls_host, _tlsSession::tls_orgUnit, ThirdPartyAppIDAttributeData::tlsCname, ThirdPartyAppIDAttributeData::tlsHost, ThirdPartyAppIDAttributeData::tlsOrgUnit, TP_ATTR_CONTINUE_MONITORING, TP_SESSION_FLAG_ATTRIBUTE, TP_SESSION_FLAG_FUTUREFLOW, TP_SESSION_FLAG_TUNNELING, AppIdData::tpsession, AppIdData::tsession, _httpSession::uri, _httpSession::uri_buflen, _httpSession::url, _httpSession::useragent, _httpSession::useragent_buflen, AppIdData::username, AppIdData::usernameService, _httpSession::via, and _httpSession::x_working_with.

Referenced by processThirdParty().

◆ RunClientDetectors()

◆ scanSslParamsLookupAppId()

static int scanSslParamsLookupAppId ( tAppIdData session,
const char *  serverName,
signed char  isSniMismatch,
const char *  subjectAltName,
const char *  commonName,
const char *  orgName,
tAppId clientAppId,
tAppId payloadAppId 
)
static

◆ setClientAppIdData()

◆ setPayloadAppIdData()

◆ setReferredPayloadAppIdData()

static void setReferredPayloadAppIdData ( tAppIdData session,
tAppId  referredPayloadAppId 
)
inline static

◆ setServiceAppIdData()

◆ setTlsHost()

◆ setTPAppIdData()

static void setTPAppIdData ( SFSnortPacket p,
APPID_SESSION_DIRECTION  direction,
tAppIdData session,
tAppId  tpAppId 
)
inline static

◆ setTPPayloadAppIdData()

static void setTPPayloadAppIdData ( SFSnortPacket p,
APPID_SESSION_DIRECTION  direction,
tAppIdData session,
tAppId  tpPayloadAppId 
)
inline static

◆ sslAppGroupIdLookup()

int sslAppGroupIdLookup ( void *  ssnptr,
const char *  serverName,
const char *  commonName,
tAppId serviceAppId,
tAppId clientAppId,
tAppId payloadAppId 
)
Returns
1 if some appid is found, 0 otherwise.

Definition at line 5269 of file fw_appid.c.

References APP_ID_NONE, getAppIdData(), pAppidActiveConfig, pickClientAppId(), pickPayloadId(), pickServiceAppId(), appIdConfig_::serviceSslConfig, ssl_scan_cname(), and ssl_scan_hostname().

Referenced by AppIdInit().

◆ stopRnaServiceInspection()

◆ svcTakingTooMuchTime()

static signed char svcTakingTooMuchTime ( tAppIdData session)
inline static

◆ synchAppIdWithSnortId()

◆ updateEncryptedAppId()

Variable Documentation

◆ app_id_debug

int app_id_debug

Definition at line 104 of file fw_appid.c.

Referenced by ClientAppInit(), and ReloadServiceModules().

◆ app_id_debug_flag

volatile int app_id_debug_flag
static

Definition at line 80 of file fw_appid.c.

Referenced by AppIdDebug(), and fwAppIdSearch().

◆ app_id_debug_info

FWDebugSessionConstraints app_id_debug_info
static

Definition at line 81 of file fw_appid.c.

Referenced by AppIdDebug(), and fwAppIdSearch().

◆ app_id_debug_session

◆ app_id_debug_session_flag

◆ app_id_free_list

tAppIdData* app_id_free_list
static

Definition at line 101 of file fw_appid.c.

Referenced by appSharedDataAlloc(), appSharedDataFree(), and fwAppIdFini().

◆ app_id_ignored_packet_count

unsigned long app_id_ignored_packet_count = 0

Definition at line 100 of file fw_appid.c.

Referenced by AppIdDumpStats(), AppIdResetStats(), and fwAppIdSearch().

◆ app_id_ongoing_session

unsigned long app_id_ongoing_session = 0

◆ app_id_processed_packet_count

unsigned long app_id_processed_packet_count = 0

Definition at line 99 of file fw_appid.c.

Referenced by AppIdDumpStats(), AppIdResetStats(), Detector_getPktCount(), and fwAppIdSearch().

◆ app_id_raw_packet_count

unsigned long app_id_raw_packet_count = 0

Definition at line 98 of file fw_appid.c.

Referenced by AppIdDumpStats(), AppIdResetStats(), and fwAppIdSearch().

◆ app_id_total_alloc

unsigned long app_id_total_alloc = 0

Definition at line 97 of file fw_appid.c.

Referenced by AppIdDumpStats(), AppIdResetStats(), and appSharedDataAlloc().

◆ AppIdDebugHostInfo

AppIdDebugHostInfo_t AppIdDebugHostInfo

Definition at line 110 of file fw_appid.c.

Referenced by dumpDebugHostInfo(), fwAppIdSearch(), and isSessionMonitored().

◆ httpFieldName

char* httpFieldName[ 9]
static
Initial value:
=
{
"useragent",
"host",
"referer",
"uri",
"cookie",
"req_body",
"content_type",
"location",
"body",
}

Definition at line 1601 of file fw_appid.c.

Referenced by processCHP().

◆ ptype_scan_counts

int ptype_scan_counts[9]
static

Definition at line 105 of file fw_appid.c.

Referenced by initial_CHP_sweep(), processCHP(), and ProcessThirdPartyResults().

◆ snortId_for_ftp_data

int16_t snortId_for_ftp_data
static

Definition at line 376 of file fw_appid.c.

Referenced by fwAppIdInit(), and processThirdParty().

◆ snortId_for_http2

int16_t snortId_for_http2
static

Definition at line 377 of file fw_appid.c.

Referenced by fwAppIdInit(), and synchAppIdWithSnortId().

◆ snortId_for_unsynchronized

int16_t snortId_for_unsynchronized
static

Definition at line 375 of file fw_appid.c.

Referenced by appSharedDataAlloc(), and fwAppIdInit().

◆ snortInstance

uint32_t snortInstance
static

Definition at line 103 of file fw_appid.c.

Referenced by fwAppIdDebugCheck(), and fwAppIdInit().

◆ tmp_app_id_free_list

tTmpAppIdData* tmp_app_id_free_list
static

Definition at line 102 of file fw_appid.c.

Referenced by appTmpSharedDataFree(), fwAppIdFini(), and fwAppIdSearch().