From 272916c18922575add906fde9ec85be9e03d8a19 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 13 Jan 2015 14:39:25 -0500 Subject: [PATCH] Updating MySQL with Robin's suggestions: - Use a boolean success instead of a result string - Change the affected_rows response detail string to a "rows" count - Fix the state tracking to log incomplete commands --- scripts/base/protocols/mysql/main.bro | 42 ++++++++++++------ .../mysql.log | 32 +++++++------- .../mysql.log | 44 +++++++++---------- 3 files changed, 67 insertions(+), 51 deletions(-) diff --git a/scripts/base/protocols/mysql/main.bro b/scripts/base/protocols/mysql/main.bro index d0d3d4b3d6..49bb6e7564 100644 --- a/scripts/base/protocols/mysql/main.bro +++ b/scripts/base/protocols/mysql/main.bro @@ -18,8 +18,10 @@ export { cmd: string &log; ## The argument issued to the command arg: string &log; - ## The result (error, OK, etc.) from the server - result: string &log &optional; + ## Did the server tell us that the command succeeded? + success: bool &log &optional; + ## The number of affected rows, if any + rows: count &log &optional; ## Server message, if any response: string &log &optional; }; @@ -57,16 +59,21 @@ event mysql_handshake(c: connection, username: string) event mysql_command_request(c: connection, command: count, arg: string) &priority=5 { - if ( ! c?$mysql ) + if ( c?$mysql ) { - local info: Info; - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - info$cmd = commands[command]; - info$arg = sub(arg, /\0$/, ""); - c$mysql = info; + # We got a request, but we haven't logged our + # previous request yet, so let's do that now. + Log::write(mysql::LOG, c$mysql); + delete c$mysql; } + + local info: Info; + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + info$cmd = commands[command]; + info$arg = sub(arg, /\0$/, ""); + c$mysql = info; } event mysql_command_request(c: connection, command: count, arg: string) &priority=-5 @@ -83,7 +90,7 @@ event mysql_error(c: connection, code: count, msg: string) &priority=5 { if ( c?$mysql ) { - c$mysql$result = "error"; + c$mysql$success = F; c$mysql$response = msg; } } @@ -101,8 +108,8 @@ event mysql_ok(c: connection, affected_rows: count) &priority=5 { if ( c?$mysql ) { - c$mysql$result = "ok"; - c$mysql$response = fmt("Affected rows: %d", affected_rows); + c$mysql$success = T; + c$mysql$rows = affected_rows; } } @@ -114,3 +121,12 @@ event mysql_ok(c: connection, affected_rows: count) &priority=-5 delete c$mysql; } } + +event connection_state_remove(c: connection) &priority=-5 + { + if ( c?$mysql ) + { + Log::write(mysql::LOG, c$mysql); + delete c$mysql; + } + } \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log index 536ac3aaac..df7f3b800b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log @@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path mysql -#open 2014-09-05-03-02-01 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg result response -#types time string addr port addr port string string string string -1362452327.618353 CsRx2w45OKnoww6xl4 192.168.1.3 55845 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: NO) -1362452330.947463 CRJuHdVW0XPVINV8a 192.168.1.3 55846 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) -1362452332.571339 CPbrpk1qSsw6ESzHV4 192.168.1.3 55847 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) -1362452334.559420 C6pKV8GSxOnSLghOa 192.168.1.3 55857 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) -1362452336.361958 CIPOse170MGiRM1Qf4 192.168.1.3 55860 192.168.1.8 3306 login root_nope error Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) -1362452357.320858 C7XEbhP654jzLoe3a 192.168.1.3 55861 192.168.1.8 3306 login root error Access denied for user 'root'@'lumberjack.home' (using password: NO) -1362452358.565340 CJ3xTn1c4Zw9TmAE05 192.168.1.3 55862 192.168.1.8 3306 login root error Access denied for user 'root'@'lumberjack.home' (using password: YES) -1362452360.410803 CMXxB5GvmoxJFXdTa 192.168.1.3 55863 192.168.1.8 3306 login root error Access denied for user 'root'@'lumberjack.home' (using password: YES) -1362452361.886123 Caby8b1slFea8xwSmb 192.168.1.3 55864 192.168.1.8 3306 login root error Access denied for user 'root'@'lumberjack.home' (using password: YES) -1362452372.452858 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 login root ok Affected rows: 0 -1362452372.454995 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 query select @@version_comment limit 1 ok Affected rows: 1 -1362452372.991997 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 quit (empty) - - -#close 2014-09-05-03-02-01 +#open 2015-01-13-18-11-40 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg success rows response +#types time string addr port addr port string string bool count string +1362452327.618353 CsRx2w45OKnoww6xl4 192.168.1.3 55845 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: NO) +1362452330.947463 CRJuHdVW0XPVINV8a 192.168.1.3 55846 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) +1362452332.571339 CPbrpk1qSsw6ESzHV4 192.168.1.3 55847 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) +1362452334.559420 C6pKV8GSxOnSLghOa 192.168.1.3 55857 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) +1362452336.361958 CIPOse170MGiRM1Qf4 192.168.1.3 55860 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: YES) +1362452357.320858 C7XEbhP654jzLoe3a 192.168.1.3 55861 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: NO) +1362452358.565340 CJ3xTn1c4Zw9TmAE05 192.168.1.3 55862 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: YES) +1362452360.410803 CMXxB5GvmoxJFXdTa 192.168.1.3 55863 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: YES) +1362452361.886123 Caby8b1slFea8xwSmb 192.168.1.3 55864 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: YES) +1362452372.452858 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 login root T 0 - +1362452372.454995 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 query select @@version_comment limit 1 T 1 - +1362452372.991997 Che1bq3i2rO3KD1Syg 192.168.1.3 55865 192.168.1.8 3306 quit (empty) - - - +#close 2015-01-13-18-11-40 diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log index 7baf2954ae..a35f1a136d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log @@ -3,25 +3,25 @@ #empty_field (empty) #unset_field - #path mysql -#open 2014-09-05-03-02-01 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg result response -#types time string addr port addr port string string string string -1216281025.136728 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 login tfoerste ok Affected rows: 0 -1216281025.137062 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select @@version_comment limit 1 ok Affected rows: 1 -1216281030.835001 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query SELECT DATABASE() ok Affected rows: 1 -1216281030.835395 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 init_db test ok Affected rows: 0 -1216281030.835742 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query show databases ok Affected rows: 1 -1216281030.836349 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query show tables ok Affected rows: 1 -1216281030.836757 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 field_list agent ok Affected rows: 3 -1216281048.287657 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM ok Affected rows: 0 -1216281057.746222 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("dog", "Goofy") ok Affected rows: 1 -1216281061.713980 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("cat", "Garfield") ok Affected rows: 1 -1216281066.549786 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select * from foo ok Affected rows: 3 -1216281072.304467 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where name like '%oo%' ok Affected rows: 1 -1216281079.450037 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where id = 1 ok Affected rows: 0 -1216281087.437392 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select count(*) from foo ok Affected rows: 1 -1216281109.107769 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select * from foo ok Affected rows: 3 -1216281116.209268 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo ok Affected rows: 1 -1216281122.880561 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query drop table foo ok Affected rows: 0 -1216281124.418765 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 quit (empty) - - -#close 2014-09-05-03-02-01 +#open 2015-01-13-18-12-10 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg success rows response +#types time string addr port addr port string string bool count string +1216281025.136728 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 login tfoerste T 0 - +1216281025.137062 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select @@version_comment limit 1 T 1 - +1216281030.835001 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query SELECT DATABASE() T 1 - +1216281030.835395 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 init_db test T 0 - +1216281030.835742 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query show databases T 1 - +1216281030.836349 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query show tables T 1 - +1216281030.836757 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 field_list agent T 3 - +1216281048.287657 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM T 0 - +1216281057.746222 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("dog", "Goofy") T 1 - +1216281061.713980 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("cat", "Garfield") T 1 - +1216281066.549786 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 3 - +1216281072.304467 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where name like '%oo%' T 1 - +1216281079.450037 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where id = 1 T 0 - +1216281087.437392 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select count(*) from foo T 1 - +1216281109.107769 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 3 - +1216281116.209268 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query delete from foo T 1 - +1216281122.880561 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 query drop table foo T 0 - +1216281124.418765 CXWv6p3arKYeMETxOg 192.168.0.254 56162 192.168.0.254 3306 quit (empty) - - - +#close 2015-01-13-18-12-10