mysql: Introduce mysql_ssl_request event

This should've been added with fa48c885 for completion. Do it now.
The MySQL spec calls it SSLRequest packet, so keep SSL in the name for
consistency.
Arne Welzel 2024-07-09 11:43:18 +02:00
parent 6ea1045245
commit 0a1568f1a1
7 changed files with 40 additions and 6 deletions


@ -84,9 +84,20 @@ event mysql_server_version%(c: connection, ver: string%);
## ##
## username: The username supplied by the client ## username: The username supplied by the client
## ##
## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version ## .. zeek:see:: mysql_command_request mysql_error mysql_ok mysql_server_version mysql_ssl_request
event mysql_handshake%(c: connection, username: string%); event mysql_handshake%(c: connection, username: string%);
## Generated for a short client handshake response packet with the CLIENT_SSL
## flag set. Usually the client will initiate a TLS handshake afterwards.
#
## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
## for more information about the MySQL protocol.
##
## c: The connection.
##
## .. zeek:see:: mysql_handshake
event mysql_ssl_request%(c: connection%);
## Generated for information about plugin authentication within handshake packets. ## Generated for information about plugin authentication within handshake packets.
## ##
## c: The connection. ## c: The connection.
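Review bot: The new doc block for `mysql_ssl_request` contains a line with a single `#` between the description and the "See the MySQL documentation" paragraph, where the surrounding event docs use `##`. A bare `#` is an ordinary comment rather than a doc comment, so the generated reference text for this event may be split or lose its first paragraph; that line should read `##`. Since detection scripts will key on this event, the description could also say what it does not establish, for example `## Note that this event does not indicate that a TLS handshake completed.`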


@ -47,6 +47,10 @@ refine flow MySQL_Flow += {
if ( ${msg.version} == 10 && ( ${msg.v10_response.cap_flags} & CLIENT_SSL )) if ( ${msg.version} == 10 && ( ${msg.v10_response.cap_flags} & CLIENT_SSL ))
{ {
connection()->zeek_analyzer()->StartTLS(); connection()->zeek_analyzer()->StartTLS();
if ( mysql_ssl_request )
zeek::BifEvent::enqueue_mysql_ssl_request(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn());
return true; return true;
} }
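Review bot: The branch that enqueues `mysql_ssl_request` tests only the protocol version and the CLIENT_SSL capability bit, while the event documentation describes a short handshake response packet; nothing visible in this hunk checks the packet form. If that is intended, a comment above the enqueue would keep script writers from treating the event as proof that the session was encrypted, for example `// Raised on the CLIENT_SSL capability flag alone; ssl.log shows whether TLS actually followed.` The enclosing function starts and ends outside the hunk, so a length or form check may exist elsewhere.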


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
mysql ssl request, CHhAvVGS1DHFjwGM9


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
mysql ssl request, CHhAvVGS1DHFjwGM9


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
mysql ssl request, CHhAvVGS1DHFjwGM9


@ -1,15 +1,17 @@
# Just two traces with MySQL running in Amazon RDS tls1.3 and tls1.2 # Just two traces with MySQL running in Amazon RDS tls1.3 and tls1.2
# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-12-amazon-rds.trace %INPUT # @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-12-amazon-rds.trace %INPUT >out
# @TEST-EXEC: mkdir tls-12 && mv *log tls-12 # @TEST-EXEC: mkdir tls-12 && mv *log out tls-12
# #
# @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-13-amazon-rds.trace %INPUT # @TEST-EXEC: zeek -b -r $TRACES/mysql/tls-13-amazon-rds.trace %INPUT >out
# @TEST-EXEC: mkdir tls-13 && mv *log tls-13 # @TEST-EXEC: mkdir tls-13 && mv *log out tls-13
# #
# @TEST-EXEC: btest-diff tls-12/out
# @TEST-EXEC: btest-diff tls-12/conn.log # @TEST-EXEC: btest-diff tls-12/conn.log
# @TEST-EXEC: btest-diff tls-12/ssl.log # @TEST-EXEC: btest-diff tls-12/ssl.log
# @TEST-EXEC: btest-diff tls-12/x509.log # @TEST-EXEC: btest-diff tls-12/x509.log
# #
# @TEST-EXEC: btest-diff tls-13/out
# @TEST-EXEC: btest-diff tls-13/conn.log # @TEST-EXEC: btest-diff tls-13/conn.log
# @TEST-EXEC: btest-diff tls-13/ssl.log # @TEST-EXEC: btest-diff tls-13/ssl.log
# @TEST-EXEC: ! test -f tls-13/x509.log # @TEST-EXEC: ! test -f tls-13/x509.log
@ -17,3 +19,8 @@
@load base/protocols/conn @load base/protocols/conn
@load base/protocols/mysql @load base/protocols/mysql
@load base/protocols/ssl @load base/protocols/ssl
event mysql_ssl_request(c: connection)
{
print "mysql ssl request", c$uid;
}


@ -3,8 +3,9 @@
# empty mysql.log file. # empty mysql.log file.
# @TEST-EXEC: touch mysql.log # @TEST-EXEC: touch mysql.log
# @TEST-EXEC: zeek -b -r $TRACES/mysql/encrypted.trace %INPUT # @TEST-EXEC: zeek -b -r $TRACES/mysql/encrypted.trace %INPUT >out
# @TEST-EXEC: btest-diff mysql.log # @TEST-EXEC: btest-diff mysql.log
# @TEST-EXEC: btest-diff out
# #
# Ensure the connection was handed off by peaking into some other logs. # Ensure the connection was handed off by peaking into some other logs.
# @TEST-EXEC: btest-diff conn.log # @TEST-EXEC: btest-diff conn.log
@ -14,3 +15,8 @@
@load base/protocols/conn @load base/protocols/conn
@load base/protocols/mysql @load base/protocols/mysql
@load base/protocols/ssl @load base/protocols/ssl
event mysql_ssl_request(c: connection)
{
print "mysql ssl request", c$uid;
}