1 //--------------------------------------------------------------------------
2 // Copyright (C) 2020-2022 Cisco and/or its affiliates. All rights reserved.
3 //
4 // This program is free software; you can redistribute it and/or modify it
5 // under the terms of the GNU General Public License Version 2 as published
6 // by the Free Software Foundation. You may not use, modify or distribute
7 // this program under any other version of the GNU General Public License.
8 //
9 // This program is distributed in the hope that it will be useful, but
10 // WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 // General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License along
15 // with this program; if not, write to the Free Software Foundation, Inc.,
16 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 //--------------------------------------------------------------------------
18 // appid_listener_event_handler.cc author Shravan Rangaraju <shrarang@cisco.com>
19
20 #include "appid_listener_event_handler.h"
21
22 #include <iomanip>
23
24 #include "flow/flow.h"
25 #include "network_inspectors/appid/appid_api.h"
26 #include "utils/stats.h"
27 #include "utils/util.h"
28
29 using namespace snort;
30 using namespace std;
31
void AppIdListenerEventHandler::handle(DataEvent& event, Flow* flow)
{
    // Entry point for AppidEvent notifications: reports what AppId learned about
    // the flow, as plain text or (when config.json_logging is set) as one JSON
    // object, to the configured file or, failing that, the message log.
    AppidEvent& appid_event = static_cast<AppidEvent&>(event);
    const AppidChangeBits& change_bits = appid_event.get_change_bitset();

    // "created" and "discovery finished" on their own carry nothing to report.
    AppidChangeBits reportable_bits = change_bits;
    reportable_bits.reset(APPID_CREATED_BIT);
    reportable_bits.reset(APPID_DISCOVERY_FINISHED_BIT);
    if (reportable_bits.none())
        return;

    if (flow == nullptr)
    {
        // Only text mode warns about a missing flow; JSON mode stays silent.
        if (!config.json_logging)
            WarningMessage("appid_listener: flow is null\n");
        return;
    }

    // Text mode reports only when an app id actually changed.
    const bool text_mode = !config.json_logging;
    if (text_mode and !appid_changed(change_bits))
        return;

    char client_ip[INET6_ADDRSTRLEN];
    char server_ip[INET6_ADDRSTRLEN];
    flow->client_ip.ntop(client_ip, sizeof(client_ip));
    flow->server_ip.ntop(server_ip, sizeof(server_ip));

    if (text_mode and change_bits.test(APPID_RESET_BIT))
    {
        print_header(client_ip, server_ip, flow->client_port, flow->server_port,
            flow->ip_proto, get_packet_number());

        const string reset_msg = " appid data is reset\n";
        if (!write_to_file(reset_msg))
            LogMessage("%s", reset_msg.c_str());
        return;
    }

    const AppIdSessionApi& api = appid_event.get_appid_session_api();
    const AppId service = api.get_service_app_id();
    const PegCount packet_num = get_packet_number();

    // For a multiplexed (httpx) stream the per-stream ids are looked up by the
    // event's stream index; otherwise index 0 is used.
    const bool is_httpx = appid_event.get_is_httpx();
    const uint32_t stream_index = is_httpx ? appid_event.get_httpx_stream_index() : 0;

    const AppId client = api.get_client_app_id(stream_index);
    const AppId payload = api.get_payload_app_id(stream_index);
    const AppId misc = api.get_misc_app_id(stream_index);
    const AppId referred = api.get_referred_app_id(stream_index);

    const char* netbios_name = api.get_netbios_name();
    const char* netbios_domain = api.get_netbios_domain();

    if (config.json_logging)
    {
        ostringstream out;
        JsonStream js(out);
        print_json_message(js, client_ip, server_ip, *flow, packet_num, api, service,
            client, payload, misc, referred, is_httpx, stream_index,
            appid_event.get_packet(), netbios_name, netbios_domain);
        if (!write_to_file(out.str()))
            LogMessage("%s", out.str().c_str());
        return;
    }

    print_message(client_ip, server_ip, *flow, packet_num, service, client,
        payload, misc, referred);
}
99
void AppIdListenerEventHandler::print_message(const char* cli_ip_str, const char* srv_ip_str,
    const Flow& flow, PegCount packet_num, AppId service, AppId client, AppId payload, AppId misc,
    AppId referred)
{
    // Text-mode report: the common header line followed by one line listing the
    // five app ids of the flow.
    print_header(cli_ip_str, srv_ip_str, flow.client_port, flow.server_port, flow.ip_proto,
        packet_num);

    ostringstream line;
    line << " service: " << service;
    line << " client: " << client;
    line << " payload: " << payload;
    line << " misc: " << misc;
    line << " referred: " << referred;
    line << '\n';

    // write_to_file() returns false when it could not write; fall back to the log.
    const string text = line.str();
    if (!write_to_file(text))
        LogMessage("%s", text.c_str());
}
114
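void AppIdListenerEventHandler::print_json_message(JsonStream& js, const char* cli_ip_str,
    const char* srv_ip_str, const Flow& flow, PegCount packet_num, const AppIdSessionApi& api,
    AppId service, AppId client, AppId payload, AppId misc, AppId referred,
    bool is_httpx, uint32_t httpx_stream_index, const Packet* p, const char* netbios_name,
    const char* netbios_domain)
{
    // Writes one JSON object describing the AppId state of the flow into js:
    // session_num, pkt_time, pkt_num, apps{}, proto, client_info{}, service_info{}
    // (with one nested subtype{} per service subtype), user_info{}, tls_host,
    // dns_host, netbios_info{} and http{}. Key order is part of the output format.
    //
    // assert() is compiled out in release builds, so a null packet would otherwise
    // dereference p->pkth below; in that case pkt_time is emitted as null instead.
    assert(p);
    char timebuf[TIMEBUF_SIZE];
    const char* pkt_time = nullptr;
    if (p)
    {
        ts_print(reinterpret_cast<const struct timeval*>(&p->pkth->ts), timebuf, true);
        pkt_time = timebuf;
    }

    js.open();
    js.put("session_num", api.get_session_id());
    js.put("pkt_time", pkt_time);
    js.put("pkt_num", packet_num);

    // Human-readable names for the five app ids.
    js.open("apps");
    js.put("service", appid_api.get_application_name(service, flow));
    js.put("client", appid_api.get_application_name(client, flow));
    js.put("payload", appid_api.get_application_name(payload, flow));
    js.put("misc", appid_api.get_application_name(misc, flow));
    js.put("referred", appid_api.get_application_name(referred, flow));
    js.close();

    js.put("proto", get_proto_str(flow.ip_proto));

    js.open("client_info");
    js.put("ip", cli_ip_str);
    js.put("port", flow.client_port);
    js.put("version", api.get_client_info(httpx_stream_index));
    js.close();

    // Out-params start as null so a partial fill by get_service_info() cannot
    // leave indeterminate pointers behind.
    const char* vendor = nullptr;
    const char* version = nullptr;
    const AppIdServiceSubtype* subtype = nullptr;
    api.get_service_info(vendor, version, subtype);
    js.open("service_info");
    js.put("ip", srv_ip_str);
    js.put("port", flow.server_port);
    js.put("version", version);
    js.put("vendor", vendor);
    // Every entry of the subtype list becomes its own nested "subtype" object.
    for (; subtype; subtype = subtype->next)
    {
        js.open("subtype");
        js.put("service", subtype->service);
        js.put("vendor", subtype->vendor);
        js.put("version", subtype->version);
        js.close();
    }
    js.close();

    bool login_status = false;
    AppId id{};
    const char* username = api.get_user_info(id, login_status);
    js.open("user_info");
    js.put("id", id);
    js.put("username", username);
    // login_status only means something when a username was actually seen.
    js.put("login_status", username ? (login_status ? "success" : "failure") : "n/a");
    js.close();

    js.put("tls_host", api.get_tls_host());

    const auto* dns_session = api.get_dns_session();
    js.put("dns_host", dns_session ? dns_session->get_host() : nullptr);

    js.open("netbios_info");
    js.put("netbios_name", netbios_name);
    js.put("netbios_domain", netbios_domain);
    js.close();

    // The HTTP fields are taken from the observed request/response and written
    // as-is; escaping them for JSON is left to JsonStream — confirm that holds
    // if the output is consumed by a parser.
    const AppIdHttpSession* hsession = api.get_http_session(httpx_stream_index);
    js.open("http");
    if (!hsession)
    {
        // No HTTP session: emit the same set of keys, each without a value, so
        // the shape of the object does not depend on the flow.
        js.put("httpx_stream");
        js.put("host");
        js.put("url");
        js.put("user_agent");
        js.put("response_code");
        js.put("referrer");
    }
    else
    {
        if (is_httpx)
            js.put("httpx_stream", to_string(hsession->get_httpx_stream_id()));
        else
            js.put("httpx_stream", nullptr);
        js.put("host", hsession->get_cfield(REQ_HOST_FID));
        js.put("url", hsession->get_cfield(MISC_URL_FID));
        js.put("user_agent", hsession->get_cfield(REQ_AGENT_FID));
        js.put("response_code", hsession->get_cfield(MISC_RESP_CODE_FID));
        js.put("referrer", hsession->get_cfield(REQ_REFERER_FID));
    }
    js.close();  // http
    js.close();  // top-level object
}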
227 }