From 8dca753f308092771a68477c4858e29957f40ce5 Mon Sep 17 00:00:00 2001
From: ales stibal
Date: Thu, 11 Apr 2024 10:32:23 +0200
Subject: [PATCH] webhook - add detected signatures into webhook data details

---
 src/proxy/mitmhost.cpp  | 4 ++++
 src/proxy/mitmhost.hpp  | 4 ++++
 src/proxy/mitmproxy.cpp | 5 ++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/proxy/mitmhost.cpp b/src/proxy/mitmhost.cpp
index 7dc235f4..78996051 100644
--- a/src/proxy/mitmhost.cpp
+++ b/src/proxy/mitmhost.cpp
@@ -262,6 +262,10 @@ void MitmHostCX::on_detect(std::shared_ptr x_sig, flowMatchStat
         reported = true;
     }
+    matched_signatures_.emplace_back(string_format("%s/%s",
+                                                   sig_sig->sig_category.c_str(),
+                                                   sig_sig->name().c_str()));
+
     if(! reported) {
         // diagnose on "inspect" topic
         _dia("matching signature: cat='%s', name='%s' at %s",
diff --git a/src/proxy/mitmhost.hpp b/src/proxy/mitmhost.hpp
index 52e01606..8bc4ec35 100644
--- a/src/proxy/mitmhost.hpp
+++ b/src/proxy/mitmhost.hpp
@@ -69,6 +69,8 @@ class MitmHostCX : public AppHostCX, public socle::sobject {
     int matched_policy() const { return matched_policy_; }
     void matched_policy(int p) { matched_policy_ = p; }
+    std::vector const& matched_signatures() const { return matched_signatures_; }
+
     using replacetype_t = enum { REPLACETYPE_NONE=0, REPLACETYPE_HTTP=1 };
     replacetype_t replacement_type() const { return replacement_type_; }
     void replacement_type(replacetype_t r) { replacement_type_ = r; }
@@ -107,6 +109,8 @@ class MitmHostCX : public AppHostCX, public socle::sobject {
     int inspect_verdict = Inspector::OK;
     std::shared_ptr inspect_verdict_response;
+    std::vector matched_signatures_;
+
 public:
     TYPENAME_OVERRIDE("MitmHostCX")
     DECLARE_LOGGING(to_string)
diff --git a/src/proxy/mitmproxy.cpp b/src/proxy/mitmproxy.cpp
index d645250b..30fb1203 100644
--- a/src/proxy/mitmproxy.cpp
+++ b/src/proxy/mitmproxy.cpp
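Review bot: The new `emplace_back` in on_detect appends an entry on every detection with no deduplication and no upper bound, so a long-lived connection that keeps hitting the same signature grows `matched_signatures_` for the lifetime of the MitmHostCX and, through the `"signatures"` field added in the mitmproxy.cpp hunk, inflates the webhook payload in proportion to peer-driven traffic. Whether on_detect can fire repeatedly for one signature on the same connection is not visible here, but the `reported` flag a few lines above suggests repeated reporting is already expected. I would build the tag once, skip it when already present, and cap the list at a project-chosen limit; `std::find` needs `<algorithm>` if mitmhost.cpp does not already include it. on_detect starts before the hunk, and whether `sig_sig` can be null at this point depends on code outside it.
```cpp
    // … unchanged: reported = true; } …
    auto const tag = string_format("%s/%s", sig_sig->sig_category.c_str(), sig_sig->name().c_str());
    auto const seen = std::find(matched_signatures_.begin(), matched_signatures_.end(), tag) != matched_signatures_.end();
    // MAX_MATCHED_SIGNATURES is a placeholder name for a limit the project still has to define
    if(! seen && matched_signatures_.size() < MAX_MATCHED_SIGNATURES) {
        matched_signatures_.emplace_back(tag);
    }
    // … unchanged: if(! reported) diagnostics …
```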
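Review bot: The new accessor `matched_signatures()` and the member `matched_signatures_` added in the next hunk of mitmhost.hpp carry no comment, so a reader of the header cannot tell what the strings contain or when the list is filled; only the mitmhost.cpp hunk shows the `"%s/%s"` category/name format and that entries are appended from on_detect. I would put a short doc comment on the accessor, e.g. `/// Signatures reported through on_detect() on this connection, as "category/name" strings, in the order they were appended.`, and a matching one-liner on the member. The element type of the vector is not visible in this rendering (the template arguments appear to have been stripped), so the comment should also name it explicitly.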
@@ -283,7 +283,10 @@ void MitmProxy::webhook_session_stop() const {
             dB = l->meter_write_bytes;
             if(auto app = l->engine_ctx.application_data; app) {
-                l7 = { { "app", app->protocol() }, { "details", app->requests_all() } };
+                l7 = { { "app", app->protocol() },
+                       { "details", app->requests_all() },
+                       { "signatures", l->matched_signatures() }
+                };
             }
         }
         auto const* r = first_right();
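Review bot: The `"signatures"` entry is emitted only inside `if(auto app = l->engine_ctx.application_data; app)`, while `matched_signatures()` belongs to `l`, not to `app`; if on_detect can record a match on a connection whose `application_data` stays unset, those detections never reach the webhook, and consumers must in any case treat the key as optional. Whether that combination occurs is not visible in this hunk, but the coupling is accidental and worth removing, for example by assigning the list after the block, `l7["signatures"] = l->matched_signatures();`, if the type of `l7` supports subscript assignment (its declaration is outside the hunk). Note also that the initializer copies the whole vector into the payload, which is another reason to bound the list where it is filled. webhook_session_stop starts before the hunk and continues after it.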