
    1 //--------------------------------------------------------------------------
    2 // Copyright (C) 2020-2022 Cisco and/or its affiliates. All rights reserved.
    3 //
    4 // This program is free software; you can redistribute it and/or modify it
    5 // under the terms of the GNU General Public License Version 2 as published
    6 // by the Free Software Foundation.  You may not use, modify or distribute
    7 // this program under any other version of the GNU General Public License.
    8 //
    9 // This program is distributed in the hope that it will be useful, but
   10 // WITHOUT ANY WARRANTY; without even the implied warranty of
   11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   12 // General Public License for more details.
   13 //
   14 // You should have received a copy of the GNU General Public License along
   15 // with this program; if not, write to the Free Software Foundation, Inc.,
   16 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   17 //--------------------------------------------------------------------------
   18 // appid_listener_event_handler.cc author Shravan Rangaraju <shrarang@cisco.com>
   19 
   20 #include "appid_listener_event_handler.h"
   21 
   22 #include <iomanip>
   23 
   24 #include "flow/flow.h"
   25 #include "network_inspectors/appid/appid_api.h"
   26 #include "utils/stats.h"
   27 #include "utils/util.h"
   28 
   29 using namespace snort;
   30 using namespace std;
   31 
// Entry point for an AppId change event: decides whether the event is worth
// logging and emits one record for it.
//
// Filtering, in order:
//   - events whose only changed bits are APPID_CREATED_BIT and/or
//     APPID_DISCOVERY_FINISHED_BIT are dropped;
//   - events without a flow are dropped (reported via WarningMessage in
//     text mode, silently in JSON mode);
//   - in text mode, events that do not pass appid_changed() are dropped, and
//     an APPID_RESET_BIT event is logged as a header plus a one-line reset
//     notice instead of the full record.  JSON mode logs a full record
//     regardless of the reset bit.
//
// @param event  expected to be an AppidEvent; the cast is unchecked
// @param flow   flow the event belongs to, may be nullptr
void AppIdListenerEventHandler::handle(DataEvent& event, Flow* flow)
{
    AppidEvent& appid_event = static_cast<AppidEvent&>(event);
    const AppidChangeBits& ac_bits = appid_event.get_change_bitset();

    // Nothing to report when only creation / end-of-discovery changed.
    AppidChangeBits relevant_bits = ac_bits;
    relevant_bits.reset(APPID_CREATED_BIT);
    relevant_bits.reset(APPID_DISCOVERY_FINISHED_BIT);
    if (relevant_bits.none())
        return;

    const bool json = config.json_logging;

    if (flow == nullptr)
    {
        if (!json)
            WarningMessage("appid_listener: flow is null\n");
        return;
    }

    if (!json && !appid_changed(ac_bits))
        return;

    char cli_ip_str[INET6_ADDRSTRLEN];
    char srv_ip_str[INET6_ADDRSTRLEN];
    flow->client_ip.ntop(cli_ip_str, sizeof(cli_ip_str));
    flow->server_ip.ntop(srv_ip_str, sizeof(srv_ip_str));

    if (!json && ac_bits.test(APPID_RESET_BIT))
    {
        print_header(cli_ip_str, srv_ip_str, flow->client_port, flow->server_port,
            flow->ip_proto, get_packet_number());

        const string reset_notice(" appid data is reset\n");
        if (!write_to_file(reset_notice))
            LogMessage("%s", reset_notice.c_str());
        return;
    }

    const AppIdSessionApi& api = appid_event.get_appid_session_api();
    const AppId service = api.get_service_app_id();
    const PegCount packet_num = get_packet_number();

    // The per-stream AppIds are only meaningful for HTTP/2-3 streams; other
    // traffic is queried with stream index 0.
    const bool is_httpx = appid_event.get_is_httpx();
    const uint32_t httpx_stream_index =
        is_httpx ? appid_event.get_httpx_stream_index() : 0u;

    const AppId client = api.get_client_app_id(httpx_stream_index);
    const AppId payload = api.get_payload_app_id(httpx_stream_index);
    const AppId misc = api.get_misc_app_id(httpx_stream_index);
    const AppId referred = api.get_referred_app_id(httpx_stream_index);

    const char* netbios_name = api.get_netbios_name();
    const char* netbios_domain = api.get_netbios_domain();

    if (!json)
    {
        print_message(cli_ip_str, srv_ip_str, *flow, packet_num, service, client,
            payload, misc, referred);
        return;
    }

    ostringstream ss;
    JsonStream js(ss);
    print_json_message(js, cli_ip_str, srv_ip_str, *flow, packet_num, api, service,
        client, payload, misc, referred, is_httpx, httpx_stream_index, appid_event.get_packet(),
        netbios_name, netbios_domain);
    // Fall back to the regular log stream when the output file is unusable.
    if (!write_to_file(ss.str()))
        LogMessage("%s", ss.str().c_str());
}
   99 
// Text-mode record: the common header line (print_header) followed by one
// line with the five AppIds of the flow.  The line goes to the configured
// output file, or to LogMessage() when write_to_file() reports failure.
//
// @param cli_ip_str / srv_ip_str  already-formatted client/server addresses
// @param flow        source of ports and IP protocol for the header
// @param packet_num  packet counter value to print in the header
void AppIdListenerEventHandler::print_message(const char* cli_ip_str, const char* srv_ip_str,
    const Flow& flow, PegCount packet_num, AppId service, AppId client, AppId payload, AppId misc,
    AppId referred)
{
    print_header(cli_ip_str, srv_ip_str, flow.client_port, flow.server_port, flow.ip_proto,
        packet_num);

    ostringstream line;
    line << " service: " << service
         << " client: " << client
         << " payload: " << payload
         << " misc: " << misc
         << " referred: " << referred
         << '\n';   // same bytes as endl; flushing a stringstream is a no-op

    const string record = line.str();
    if (!write_to_file(record))
        LogMessage("%s", record.c_str());
}
  114 
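// Writes the complete JSON record for one AppId event into `js`.
//
// Top-level keys, in emission order: session_num, pkt_time, pkt_num,
// apps{service, client, payload, misc, referred}, proto,
// client_info{ip, port, version}, service_info{ip, port, version, vendor,
// subtype*}, user_info{id, username, login_status}, tls_host, dns_host,
// netbios_info{netbios_name, netbios_domain}, http{httpx_stream, host, url,
// user_agent, response_code, referrer}.  Every key is emitted even when the
// value is unavailable; how a null/absent value is rendered is decided by
// JsonStream::put.
//
// NOTE(review): most string values here (vendor/version, subtype fields,
// username, tls_host, dns_host, netbios_*, and all HTTP fields) are presumably
// extracted from the inspected traffic and are handed to JsonStream::put
// unmodified.  Well-formedness of the log for downstream parsers therefore
// depends on JsonStream escaping quotes and control characters; confirm that
// it does before relying on this output in a pipeline.
//
// @param js                  stream to write into; opened and closed here
// @param cli_ip_str/srv_ip_str  already-formatted endpoint addresses
// @param flow                source of ports and IP protocol
// @param packet_num          packet counter value for "pkt_num"
// @param api                 per-session AppId accessor
// @param is_httpx            whether the event is for an HTTP/2-3 stream
// @param httpx_stream_index  stream whose HTTP session / client info is queried
// @param p                   packet the event was raised for; must be non-null
//                            (its header timestamp becomes "pkt_time")
// @param netbios_name/netbios_domain  may be nullptr
void AppIdListenerEventHandler::print_json_message(JsonStream& js, const char* cli_ip_str,
    const char* srv_ip_str, const Flow& flow, PegCount packet_num, const AppIdSessionApi& api,
    AppId service, AppId client, AppId payload, AppId misc, AppId referred,
    bool is_httpx, uint32_t httpx_stream_index, const Packet* p, const char* netbios_name,
    const char* netbios_domain)
{
    assert(p);
    char timebuf[TIMEBUF_SIZE];
    ts_print((const struct timeval*)&p->pkth->ts, timebuf, true);
    js.open();
    js.put("session_num", api.get_session_id());
    js.put("pkt_time", timebuf);
    js.put("pkt_num", packet_num);

    // AppIds are logged by name rather than numeric id.
    const char* service_str = appid_api.get_application_name(service, flow);
    const char* client_str = appid_api.get_application_name(client, flow);
    const char* payload_str = appid_api.get_application_name(payload, flow);
    const char* misc_str = appid_api.get_application_name(misc, flow);
    const char* referred_str = appid_api.get_application_name(referred, flow);
    js.open("apps");
    js.put("service", service_str);
    js.put("client", client_str);
    js.put("payload", payload_str);
    js.put("misc", misc_str);
    js.put("referred", referred_str);
    js.close();

    js.put("proto", get_proto_str(flow.ip_proto));

    js.open("client_info");
    js.put("ip", cli_ip_str);
    js.put("port", flow.client_port);
    js.put("version", api.get_client_info(httpx_stream_index));
    js.close();

    // Out-parameters are initialised so that a path through get_service_info()
    // that leaves one untouched yields a null value instead of an
    // indeterminate read below.
    const char* vendor = nullptr;
    const char* version = nullptr;
    const AppIdServiceSubtype* subtype = nullptr;
    api.get_service_info(vendor, version, subtype);
    js.open("service_info");
    js.put("ip", srv_ip_str);
    js.put("port", flow.server_port);
    js.put("version", version);
    js.put("vendor", vendor);
    // Subtypes form a singly linked list; each becomes its own "subtype" object.
    while (subtype)
    {
        js.open("subtype");
        js.put("service", subtype->service);
        js.put("vendor", subtype->vendor);
        js.put("version", subtype->version);
        js.close();
        subtype = subtype->next;
    }
    js.close();

    bool login_status = false;
    AppId id = 0;   // same defensive initialisation as the service out-params
    const char* username = api.get_user_info(id, login_status);
    js.open("user_info");
    js.put("id", id);
    js.put("username", username);
    // login_status is only meaningful when a username was seen.
    if (username)
        js.put("login_status", login_status ? "success" : "failure");
    else
        js.put("login_status", "n/a");
    js.close();

    const char* tls_host = api.get_tls_host();
    js.put("tls_host", tls_host);

    const char* dns_host = nullptr;
    if (auto dns_session = api.get_dns_session())
        dns_host = dns_session->get_host();
    js.put("dns_host", dns_host);

    js.open("netbios_info");
    js.put("netbios_name", netbios_name);
    js.put("netbios_domain", netbios_domain);
    js.close();

    // The HTTP section keeps the same keys whether or not a session exists so
    // that consumers see a stable schema.
    const AppIdHttpSession* hsession = api.get_http_session(httpx_stream_index);
    js.open("http");
    if (!hsession)
    {
        js.put("httpx_stream");
        js.put("host");
        js.put("url");
        js.put("user_agent");
        js.put("response_code");
        js.put("referrer");
    }
    else
    {
        const char* host = hsession->get_cfield(REQ_HOST_FID);
        const char* url = hsession->get_cfield(MISC_URL_FID);
        const char* user_agent = hsession->get_cfield(REQ_AGENT_FID);
        const char* response_code = hsession->get_cfield(MISC_RESP_CODE_FID);
        const char* referrer = hsession->get_cfield(REQ_REFERER_FID);

        if (is_httpx)
            js.put("httpx_stream", to_string(hsession->get_httpx_stream_id()));
        else
            js.put("httpx_stream", nullptr);
        js.put("host", host);
        js.put("url", url);
        js.put("user_agent", user_agent);
        js.put("response_code", response_code);
        js.put("referrer", referrer);
    }

    js.close();   // "http"
    js.close();   // top-level object
}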