diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index 121762e..c910edc 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp @@ -1854,17 +1854,28 @@ int session_app_gather_results_update(struct app_attributes **update_result, cha } } - int i; - - for(i=0; iapp_id_num; i++) - { - (*update_result)[i].app_id=identify_result->origin; - (*update_result)[i].app_id=identify_result->app_id[i]; - (*update_result)[i].surrogate_id=identify_result->surrogate_id[i]; - (*update_result)[i].packet_sequence=packet_sequence; + int idx=0; + unsigned int quic_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[PROTO_QUIC].name, g_tsg_proto_name2id[PROTO_QUIC].len); + for(int i=0; iapp_id_num; i++) + { + (*update_result)[idx].app_id=identify_result->origin; + (*update_result)[idx].app_id=identify_result->app_id[i]; + (*update_result)[idx].surrogate_id=identify_result->surrogate_id[i]; + (*update_result)[idx].packet_sequence=packet_sequence; + idx++; + + if(identify_result->app_id[i]==quic_id && (i+1 < identify_result->app_id_num)) + { + unsigned int ssl_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[PROTO_SSL].name, g_tsg_proto_name2id[PROTO_SSL].len); + if(identify_result->app_id[i+1]==ssl_id) + { + i++; + continue; + } + } } - return i; + return idx; } int session_app_identify_result_cb(const struct streaminfo *a_stream, int bridge_id, void *data) diff --git a/test/bin/gtest_maat.json b/test/bin/gtest_maat.json index b92c120..295d1cf 100644 --- a/test/bin/gtest_maat.json +++ b/test/bin/gtest_maat.json @@ -2312,6 +2312,7 @@ "68\thttps\t0\tnull\tnetworking\tinfrastructure\tnetwork-protocol\t3\tused-by-malware,vulnerability,widely-used\tnull\tnull\t{\"method\":\"rate_limit\",\"bps\":1000}\t0\t0\t0\t0\t0\t1", "4\tunknown\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", "199\tssl\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", + "2521\tquic\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", "240\tyoutube\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", "15009\tuser_define_youtube\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", "1500\tbuilt_in_youtube\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", diff --git a/test/src/gtest_master.cpp b/test/src/gtest_master.cpp index 24abc1a..91a59a9 100644 --- a/test/src/gtest_master.cpp +++ b/test/src/gtest_master.cpp @@ -1035,7 +1035,6 @@ TEST(TSGMaster, SessionApplicationFullPathTSG15999) gather_result->qm_engine[1].packet_sequence=4; session_gather_app_results_async(&a_stream, (void *)gather_result); - session_application_full_path_update(&a_stream, out_full_path, out_full_path_len); EXPECT_STREQ("ssl.https", out_full_path); @@ -1045,6 +1044,37 @@ TEST(TSGMaster, SessionApplicationFullPathTSG15999) session_gather_app_results_async(&a_stream, NULL); } +int session_app_gather_results_update(struct app_attributes **update_result, char update_result_num, struct app_identify_result *identify_result, int packet_sequence, int thread_seq); + +TEST(TSGMaster, SessionApplicationFullPathTSG13811) +{ + const struct streaminfo a_stream={0}; + char out_full_path[256]={0}; + int out_full_path_len=sizeof(out_full_path); + struct gather_app_result *gather_result=(struct gather_app_result *)calloc(1, sizeof(struct gather_app_result)); + + gather_result->l7_protocol_num=1; + gather_result->l7_protocol=(struct app_attributes *)calloc(1, sizeof(struct app_attributes)); + gather_result->l7_protocol->app_id=2521; + gather_result->l7_protocol->surrogate_id=0; + gather_result->l7_protocol->packet_sequence=1; + + struct app_identify_result identify_result={ORIGIN_QM_ENGINE, 3, {2521, 199, 240}, {0, 0, 0}}; + gather_result->qm_engine_num=session_app_gather_results_update(&(gather_result->qm_engine), gather_result->qm_engine_num, &identify_result, 1, 0); + EXPECT_EQ(2, gather_result->qm_engine_num); + EXPECT_EQ(2521, gather_result->qm_engine[0].app_id); + EXPECT_EQ(240, gather_result->qm_engine[1].app_id); + + session_gather_app_results_async(&a_stream, (void *)gather_result); + session_application_full_path_update(&a_stream, out_full_path, out_full_path_len); + EXPECT_STREQ("quic.youtube", out_full_path); + + free(gather_result->l7_protocol); + free(gather_result->qm_engine); + free(gather_result); + session_gather_app_results_async(&a_stream, NULL); +} + extern int session_application_full_path_combine(struct gather_app_result * gather_result, char * out_full_path, int out_full_path_len); TEST(TSGMaster, SessionApplicationFullPath) @@ -1198,39 +1228,6 @@ TEST(TSGMaster, SessionQuicIdentify) g_test_quic_info=NULL; } -TEST(TSGMaster, SessionApplicationFullPathTSG13811) -{ - char out_full_path[256]={0}; - int out_full_path_len=sizeof(out_full_path); - struct gather_app_result gather_result={0}; - - gather_result.l7_protocol_num=1; - struct app_attributes l7_protocol={68, 0, 4}; - gather_result.l7_protocol=&l7_protocol; - - gather_result.qm_engine_num=3; - gather_result.l7_qm_engine_num=2; - struct app_attributes qm_engine[3]={{199, 0, 6}, {68, 0, 4}, {240, 0, 6}}; - gather_result.qm_engine=qm_engine; - - int offset=session_application_full_path_combine(&gather_result, out_full_path, out_full_path_len); - EXPECT_NE(0, offset); - EXPECT_STREQ("ssl.https.youtube", out_full_path); - - // l7 protocol is empty - gather_result.l7_protocol_num=0; - gather_result.l7_protocol=NULL; - - gather_result.qm_engine_num=3; - gather_result.l7_qm_engine_num=0; - struct app_attributes qm_engine2[3]={{199, 0, 6}, {68, 0, 4}, {240, 0, 6}}; - gather_result.qm_engine=qm_engine2; - - offset=session_application_full_path_combine(&gather_result, out_full_path, out_full_path_len); - EXPECT_NE(0, offset); - EXPECT_STREQ("ssl.https.youtube", out_full_path); -} - int main(int argc, char *argv[]) { TSG_MASTER_INIT();