TSG-13344: app_label和app_full_path字段取值不同导致字段展示不一致

刘学利
2023-01-11 01:37:14 +00:00
parent 3965ac7150
commit 8e48dfd982
4 changed files with 174 additions and 85 deletions


@@ -22,11 +22,11 @@ enum APP_IDENTIFY_ORIGIN
{ {
ORIGIN_BASIC_PROTOCOL=0, ORIGIN_BASIC_PROTOCOL=0,
ORIGIN_USER_DEFINE, ORIGIN_USER_DEFINE,
ORIGIN_DKPT, ORIGIN_HITED_APP,
ORIGIN_QM_ENGINE, ORIGIN_QM_ENGINE,
ORIGIN_BUILT_IN, ORIGIN_BUILT_IN,
ORIGIN_ANALYZE, ORIGIN_ANALYZE,
ORIGIN_UNKNOWN, // unknown app ID=4 ORIGIN_UNKNOWN, // 0: unknown app ID=4; 1: hited app id; app_num=1
ORIGIN_QM_ENGINE_L7, ORIGIN_QM_ENGINE_L7,
ORIGIN_MAX ORIGIN_MAX
}; };


@@ -391,6 +391,36 @@ static int is_deny_application(Maat_rule_t *p_result)
return ret; return ret;
} }
static int is_alone_business(tsg_protocol_t proto, unsigned int hited_app_id)
{
unsigned int l7_proto_id=0;
switch(proto)
{
case PROTO_HTTP:
case PROTO_MAIL:
case PROTO_DNS:
case PROTO_FTP:
case PROTO_SSL:
case PROTO_SIP:
case PROTO_QUIC:
case PROTO_SMTP:
case PROTO_IMAP:
case PROTO_POP3:
case PROTO_RTP:
case PROTO_DTLS:
l7_proto_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[proto].name);
if(l7_proto_id==hited_app_id)
{
return 1;
}
break;
default:
break;
}
return 0;
}
long long get_current_time_ms(void) long long get_current_time_ms(void)
{ {
int size=sizeof(long long); int size=sizeof(long long);
@@ -573,6 +603,24 @@ static int is_do_default_policy(const struct streaminfo *a_stream, int after_n_p
return 0; return 0;
} }
int set_hited_app_id(const struct streaminfo *a_stream, unsigned int hited_app_id)
{
struct gather_app_result *gather_result=NULL;
gather_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id);
if(gather_result==NULL)
{
return 0;
}
gather_result[ORIGIN_HITED_APP].app_num=1;
gather_result[ORIGIN_HITED_APP].origin=ORIGIN_HITED_APP;
gather_result[ORIGIN_HITED_APP].attributes[0].app_id=hited_app_id;
gather_result[ORIGIN_HITED_APP].attributes[0].surrogate_id=0;
return 1;
}
static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, int result_num, struct master_context *context, int thread_seq) static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, int result_num, struct master_context *context, int thread_seq)
{ {
tsg_log_t log_msg; tsg_log_t log_msg;
@@ -692,10 +740,7 @@ static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t
if(context!=NULL && context->hited_app_id>0) if(context!=NULL && context->hited_app_id>0)
{ {
char app_label_name[512]={0}; set_hited_app_id(a_stream, context->hited_app_id);
tsg_app_id2name(context->hited_app_id, app_label_name, sizeof(app_label_name), 0);
char *app_label_field_name=log_field_id2name(g_tsg_log_instance, LOG_COMMON_APP_LABEL);
TLD_append(TLD_handle, app_label_field_name, (void *)app_label_name, TLD_TYPE_STRING);
} }
tsg_send_log(g_tsg_log_instance, TLD_handle, &log_msg, thread_seq); tsg_send_log(g_tsg_log_instance, TLD_handle, &log_msg, thread_seq);
@@ -916,9 +961,12 @@ static void copy_result_to_project(const struct streaminfo *a_stream, struct mas
((char *)priority_label->para)[length]='\0'; ((char *)priority_label->para)[length]='\0';
} }
if(priority_label->result_num<=0 || (priority_label->result[0].action < p_result->action))
{
priority_label->result_num=1; priority_label->result_num=1;
priority_label->result_type=result_type; priority_label->result_type=result_type;
memcpy(priority_label->result, p_result, sizeof(struct Maat_rule_t)); memcpy(priority_label->result, p_result, sizeof(struct Maat_rule_t));
}
ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.priority_project_id, (void *)priority_label); ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.priority_project_id, (void *)priority_label);
if(ret<0) if(ret<0)
@@ -990,6 +1038,50 @@ static void copy_bypass_result(const struct streaminfo *a_stream, struct master_
return ; return ;
} }
static void copy_deny_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int thread_seq)
{
if(context->result==NULL)
{
context->hit_cnt=1;
context->result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t));
memcpy(context->result, p_result, sizeof(struct Maat_rule_t));
}
else
{
if(context->result[0].action==TSG_ACTION_BYPASS)
{
return ;
}
if(context->result[0].action==TSG_ACTION_DENY)
{
if(p_result->config_id>context->result[0].config_id)
{
context->hit_cnt=1;
memcpy(&(context->result[0]), p_result, sizeof(struct Maat_rule_t));
}
}
else // hit monitor
{
context->hit_cnt=1;
memcpy(context->result, p_result, sizeof(struct Maat_rule_t));
}
}
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_DEBUG,
"DENY",
"Hit deny policy, policy_id: %d service: %d action: %d addr: %s",
p_result[0].config_id,
p_result[0].service_id,
(unsigned char)p_result[0].action,
PRINTADDR(a_stream, g_tsg_para.level)
);
return ;
}
int copy_app_result(struct gather_app_result *gather_result, struct app_identify_result *identify_result, int packet_sequence) int copy_app_result(struct gather_app_result *gather_result, struct app_identify_result *identify_result, int packet_sequence)
{ {
if(identify_result->app_id_num<=gather_result->app_num) if(identify_result->app_id_num<=gather_result->app_num)
@@ -1837,8 +1929,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER)) if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER))
{ {
context->hit_cnt=0; copy_deny_result(a_stream, context, p_result, a_stream->threadnum);
master_send_log(a_stream, p_result, 1, context, a_stream->threadnum);
copy_result_to_project(a_stream, context, p_result, PULL_FW_RESULT, a_stream->threadnum); copy_result_to_project(a_stream, context, p_result, PULL_FW_RESULT, a_stream->threadnum);
MESA_handle_runtime_log(g_tsg_para.logger, MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_DEBUG, RLOG_LV_DEBUG,
@@ -1919,9 +2010,6 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
switch(identify_result->origin) switch(identify_result->origin)
{ {
case ORIGIN_DKPT:
context->is_app_link=FLAG_TRUE;
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_APP_DPKT_RESULT], 0, FS_OP_ADD, 1);
break; break;
case ORIGIN_QM_ENGINE: case ORIGIN_QM_ENGINE:
context->is_app_link=FLAG_TRUE; context->is_app_link=FLAG_TRUE;
@@ -1971,7 +2059,7 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
context->last_scan_time=get_current_time_ms(); context->last_scan_time=get_current_time_ms();
hit_num=scan_application_id_and_properties((struct streaminfo *)a_stream, scan_result, MAX_RESULT_NUM, context, &(gather_result[identify_result->origin]), a_stream->threadnum); hit_num=scan_application_id_and_properties((struct streaminfo *)a_stream, scan_result, MAX_RESULT_NUM, context, &(gather_result[identify_result->origin]), a_stream->threadnum);
p_result=tsg_policy_decision_criteria(scan_result, hit_num); p_result=tsg_policy_decision_criteria(scan_result, hit_num);
if(p_result==NULL || (p_result->action==TSG_ACTION_MONITOR && is_parent_ssl==1)) if(p_result==NULL || (p_result->action==TSG_ACTION_MONITOR && is_parent_ssl==1) || is_alone_business(context->proto, context->hited_para.hited_app_id))
{ {
return 0; return 0;
} }
@@ -2052,6 +2140,10 @@ static int deal_pending_state(const struct streaminfo *a_stream, struct master_c
gather_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id); gather_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id);
for(i=0; i<ORIGIN_MAX && gather_result!=NULL; i++) for(i=0; i<ORIGIN_MAX && gather_result!=NULL; i++)
{ {
if(i==ORIGIN_HITED_APP || i==ORIGIN_QM_ENGINE_L7)
{
continue;
}
hit_num+=scan_application_id_and_properties(a_stream, result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), a_stream->threadnum); hit_num+=scan_application_id_and_properties(a_stream, result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), a_stream->threadnum);
} }
@@ -2158,6 +2250,10 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
gather_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id); gather_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id);
for(i=0; i<ORIGIN_MAX && gather_result!=NULL; i++) for(i=0; i<ORIGIN_MAX && gather_result!=NULL; i++)
{ {
if(i==ORIGIN_HITED_APP || i==ORIGIN_QM_ENGINE_L7)
{
continue;
}
hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), thread_seq); hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), thread_seq);
} }
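Review bot: In copy_deny_result the pointer returned by `dictator_malloc` is handed straight to `memcpy` when `context->result` is NULL, so if that allocator can fail, the deny path writes through a NULL pointer. Check the pointer before copying and set the counter only after the allocation succeeded: `if(context->result==NULL) { return ; }` directly after the allocation, with `context->hit_cnt=1;` moved below it. Separately, master_send_log now ignores the return value of `set_hited_app_id`, which returns 0 when `get_struct_project` yields NULL. The removed code appended the label to the log handle directly, so in that case the record would now lose its app label without any trace; a debug log on the 0 return would make this visible.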


@@ -267,7 +267,7 @@ struct master_context
unsigned short timeout; unsigned short timeout;
tsg_protocol_t proto; tsg_protocol_t proto;
int hit_cnt; int hit_cnt;
int hited_app_id; int hited_app_id; // only app
unsigned int quic_version; unsigned int quic_version;
unsigned long session_flag; unsigned long session_flag;
char *domain; char *domain;
@@ -279,7 +279,7 @@ struct master_context
}; };
scan_status_t mid; scan_status_t mid;
struct Maat_rule_t *result; struct Maat_rule_t *result;
struct hited_app_para hited_para; struct hited_app_para hited_para; // l7 protocol and app
long long last_scan_time; long long last_scan_time;
}; };


@@ -622,7 +622,7 @@ static int set_app_identify_info(struct TLD_handle_t *_handle, char *field_name,
for(i=ORIGIN_USER_DEFINE; i<ORIGIN_MAX; i++) for(i=ORIGIN_USER_DEFINE; i<ORIGIN_MAX; i++)
{ {
if(result[i].app_num<=0 || i==ORIGIN_QM_ENGINE || i==ORIGIN_QM_ENGINE_L7) if(result[i].app_num<=0 || i==ORIGIN_QM_ENGINE || i==ORIGIN_QM_ENGINE_L7 || i==ORIGIN_HITED_APP)
{ {
continue; continue;
} }
@@ -712,14 +712,8 @@ static int set_userdefine_app(struct TLD_handle_t *_handle, char *field_name, st
return 1; return 1;
} }
static unsigned int get_userdefine_name(struct gather_app_result *result, char *app_name, int app_name_len, int *flag, int is_joint_parent) static unsigned int get_max_app_id(struct gather_app_result *result)
{ {
if((*flag)==1 || result->app_num<=0)
{
return 0;
}
int i=0; int i=0;
unsigned int max_app_id=0; unsigned int max_app_id=0;
@@ -731,37 +725,19 @@ static unsigned int get_userdefine_name(struct gather_app_result *result, char *
} }
} }
(*flag)=1;
tsg_app_id2name(max_app_id, app_name, app_name_len, is_joint_parent);
return max_app_id; return max_app_id;
} }
static int get_app_name_list(struct gather_app_result *result, char *app_name, int app_name_len, int *flag, int is_joint_parent) static unsigned int get_lastest_app_id(struct gather_app_result *result)
{ {
int i=0; if(result->app_num>0)
int offset=0; {
return result->attributes[result->app_num-1].app_id;
}
if((*flag)==1 || result->app_num<=0)
{
return 0; return 0;
} }
for(i=result->app_num-1; i<result->app_num; i++)
{
(*flag)=1;
if(i>0 && offset>0 && (app_name_len-offset)>0)
{
app_name[offset++]='.';
}
offset+=tsg_app_id2name(result->attributes[i].app_id, app_name+offset, app_name_len-offset, is_joint_parent);
}
return 1;
}
/* /*
L7(openvpn), appSketch(psiphon), Thrid(openvpn.ssl.wechat) = openvpn.ssl.psiphon L7(openvpn), appSketch(psiphon), Thrid(openvpn.ssl.wechat) = openvpn.ssl.psiphon
L7(openvpn), appSketch(psiphon), Thrid(openvpn.qq_web.wechat) = openvpn.psiphon L7(openvpn), appSketch(psiphon), Thrid(openvpn.qq_web.wechat) = openvpn.psiphon
@@ -830,13 +806,22 @@ int set_app_full_path(struct TLD_handle_t *_handle, char *field_name, struct gat
combined_num+=copy_app_id(result[ORIGIN_QM_ENGINE_L7].attributes, result[ORIGIN_QM_ENGINE_L7].app_num, combined_array, COMBINED_APP_ID_NUM); combined_num+=copy_app_id(result[ORIGIN_QM_ENGINE_L7].attributes, result[ORIGIN_QM_ENGINE_L7].app_num, combined_array, COMBINED_APP_ID_NUM);
} }
if(result[ORIGIN_USER_DEFINE].app_num>0) if(result[ORIGIN_HITED_APP].app_num > 0)
{ {
combined_num+=copy_app_id(result[ORIGIN_USER_DEFINE].attributes, 1, combined_array+combined_num, COMBINED_APP_ID_NUM-combined_num); combined_array[combined_num]=get_lastest_app_id(&(result[ORIGIN_HITED_APP]));
combined_num+=1;
}
else if(result[ORIGIN_USER_DEFINE].app_num>0)
{
if(combined_num<COMBINED_APP_ID_NUM)
{
combined_array[combined_num]=get_max_app_id(&(result[ORIGIN_USER_DEFINE]));
combined_num+=1;
}
} }
else if(result[ORIGIN_BUILT_IN].app_num>0) else if(result[ORIGIN_BUILT_IN].app_num>0)
{ {
combined_num+=copy_app_id(result[ORIGIN_BUILT_IN].attributes, 1, combined_array+combined_num, COMBINED_APP_ID_NUM-combined_num); combined_num+=copy_app_id(result[ORIGIN_BUILT_IN].attributes, result[ORIGIN_BUILT_IN].app_num, combined_array+combined_num, COMBINED_APP_ID_NUM-combined_num);
} }
else if(result[ORIGIN_QM_ENGINE].app_num-result[ORIGIN_QM_ENGINE_L7].app_num > 0) else if(result[ORIGIN_QM_ENGINE].app_num-result[ORIGIN_QM_ENGINE_L7].app_num > 0)
{ {
@@ -876,11 +861,46 @@ int set_app_full_path(struct TLD_handle_t *_handle, char *field_name, struct gat
return 1; return 1;
} }
int set_app_label(struct TLD_handle_t *_handle, char *field_name, struct gather_app_result *result)
{
int max_app_id=0;
char app_name[512]={0};
if(result[ORIGIN_HITED_APP].app_num > 0)
{
max_app_id=get_lastest_app_id(&(result[ORIGIN_HITED_APP]));
}
else if(result[ORIGIN_USER_DEFINE].app_num > 0)
{
max_app_id=get_max_app_id(&(result[ORIGIN_USER_DEFINE]));
}
else if(result[ORIGIN_BUILT_IN].app_num > 0)
{
max_app_id=get_lastest_app_id(&(result[ORIGIN_BUILT_IN]));
}
else if(result[ORIGIN_QM_ENGINE].app_num - result[ORIGIN_QM_ENGINE_L7].app_num > 0)
{
max_app_id=get_lastest_app_id(&(result[ORIGIN_QM_ENGINE]));
}
else if(result[ORIGIN_UNKNOWN].app_num > 0)
{
max_app_id=get_lastest_app_id(&(result[ORIGIN_UNKNOWN]));
}
if(max_app_id>0)
{
tsg_app_id2name(max_app_id, app_name, sizeof(app_name), 0);
TLD_append(_handle, field_name, (void *)app_name, TLD_TYPE_STRING);
}
return 1;
}
static int set_app_id(struct tsg_log_instance_t *_instance, struct TLD_handle_t *_handle, struct streaminfo *a_stream) static int set_app_id(struct tsg_log_instance_t *_instance, struct TLD_handle_t *_handle, struct streaminfo *a_stream)
{ {
int app_id_flag=0;
char app_name[512]={0}; char app_name[512]={0};
struct gather_app_result *gather_result=NULL; struct gather_app_result *gather_result=NULL;
gather_result=(struct gather_app_result *)project_req_get_struct(a_stream, g_tsg_para.gather_app_project_id); gather_result=(struct gather_app_result *)project_req_get_struct(a_stream, g_tsg_para.gather_app_project_id);
@@ -900,36 +920,9 @@ static int set_app_id(struct tsg_log_instance_t *_instance, struct TLD_handle_t
set_app_full_path(_handle, _instance->id2field[LOG_COMMON_APP_FULL_PATH].name, gather_result); set_app_full_path(_handle, _instance->id2field[LOG_COMMON_APP_FULL_PATH].name, gather_result);
if(gather_result[ORIGIN_USER_DEFINE].app_num > 0) set_app_label(_handle, _instance->id2field[LOG_COMMON_APP_LABEL].name, gather_result);
{
get_userdefine_name(&(gather_result[ORIGIN_USER_DEFINE]), app_name, sizeof(app_name), &app_id_flag, 0);
}
else if(gather_result[ORIGIN_BUILT_IN].app_num > 0)
{
get_app_name_list(&(gather_result[ORIGIN_BUILT_IN]), app_name, sizeof(app_name), &app_id_flag, 0);
}
else if(gather_result[ORIGIN_DKPT].app_num > 0)
{
get_app_name_list(&(gather_result[ORIGIN_DKPT]), app_name, sizeof(app_name), &app_id_flag, 0);
}
else if(gather_result[ORIGIN_QM_ENGINE].app_num - gather_result[ORIGIN_QM_ENGINE_L7].app_num > 0)
{
get_app_name_list(&(gather_result[ORIGIN_QM_ENGINE]), app_name, sizeof(app_name), &app_id_flag, 0);
}
else if(gather_result[ORIGIN_UNKNOWN].app_num > 0)
{
get_app_name_list(&(gather_result[ORIGIN_UNKNOWN]), app_name, sizeof(app_name), &app_id_flag, 0);
}
if(app_id_flag==1)
{
if(!(TLD_search(_handle, _instance->id2field[LOG_COMMON_APP_LABEL].name)))
{
TLD_append(_handle, _instance->id2field[LOG_COMMON_APP_LABEL].name, (void *)app_name, TLD_TYPE_STRING);
}
set_app_identify_info(_handle, _instance->id2field[LOG_COMMON_APP_IDENTIFY_INFO].name, gather_result); set_app_identify_info(_handle, _instance->id2field[LOG_COMMON_APP_IDENTIFY_INFO].name, gather_result);
}
if(_instance->send_app_id) if(_instance->send_app_id)
{ {
@@ -937,7 +930,7 @@ static int set_app_id(struct tsg_log_instance_t *_instance, struct TLD_handle_t
get_app_id_list(&app_id_object, _handle, "LPI_L7", &(gather_result[ORIGIN_BASIC_PROTOCOL])); get_app_id_list(&app_id_object, _handle, "LPI_L7", &(gather_result[ORIGIN_BASIC_PROTOCOL]));
get_app_id_list(&app_id_object, _handle, "USER_DEFINE", &(gather_result[ORIGIN_USER_DEFINE])); get_app_id_list(&app_id_object, _handle, "USER_DEFINE", &(gather_result[ORIGIN_USER_DEFINE]));
get_app_id_list(&app_id_object, _handle, "BUILT_IN", &(gather_result[ORIGIN_BUILT_IN])); get_app_id_list(&app_id_object, _handle, "BUILT_IN", &(gather_result[ORIGIN_BUILT_IN]));
get_app_id_list(&app_id_object, _handle, "DKPT", &(gather_result[ORIGIN_DKPT])); get_app_id_list(&app_id_object, _handle, "HITED_APP", &(gather_result[ORIGIN_HITED_APP]));
get_app_id_list(&app_id_object, _handle, "THIRD", &(gather_result[ORIGIN_QM_ENGINE])); get_app_id_list(&app_id_object, _handle, "THIRD", &(gather_result[ORIGIN_QM_ENGINE]));
get_app_id_list(&app_id_object, _handle, "UNKNOWN", &(gather_result[ORIGIN_UNKNOWN])); get_app_id_list(&app_id_object, _handle, "UNKNOWN", &(gather_result[ORIGIN_UNKNOWN]));
get_app_id_list(&app_id_object, _handle, "QM_L7", &(gather_result[ORIGIN_QM_ENGINE_L7])); get_app_id_list(&app_id_object, _handle, "QM_L7", &(gather_result[ORIGIN_QM_ENGINE_L7]));
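Review bot: The new ORIGIN_HITED_APP branch in set_app_full_path stores to `combined_array[combined_num]` without the `combined_num<COMBINED_APP_ID_NUM` guard that the ORIGIN_USER_DEFINE branch directly below it has. The preceding `copy_app_id` calls are bounded by COMBINED_APP_ID_NUM, so if they can fill the array (copy_app_id's body is not shown in this section) the store lands one element past the end. Wrap the two lines in the same guard: `if(combined_num<COMBINED_APP_ID_NUM) { combined_array[combined_num]=get_lastest_app_id(&(result[ORIGIN_HITED_APP])); combined_num+=1; }`. In set_app_label, `max_app_id` is declared `int` while `get_max_app_id` and `get_lastest_app_id` return `unsigned int`; declaring it `unsigned int max_app_id=0;` keeps ids above INT_MAX from failing the `max_app_id>0` test.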