From 6144ac536f8dd3eae453a275cf246a317c2d63c5 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Mon, 29 Oct 2018 15:56:51 -0500
Subject: [PATCH 1/2] Fix parsing of MySQL NUL Strings, where we now require it to have a NUL value at the end. We don't pass that NUL to the script layer, so we moved away from bytestring_to_val for those.
---
 .../protocol/mysql/mysql-analyzer.pac | 32 +++++++++----------
 .../protocol/mysql/mysql-protocol.pac | 2 +-
 2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac
index 24401c110e..06b637aa5d 100644
--- a/src/analyzer/protocol/mysql/mysql-analyzer.pac
+++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac
@@ -7,12 +7,12 @@ refine flow MySQL_Flow += {
 {
 if ( ${msg.version} == 10 )
 BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- bytestring_to_val(${msg.handshake10.server_version}));
+ connection()->bro_analyzer()->Conn(),
+ new StringVal(c_str(${msg.handshake10.server_version})));
 if ( ${msg.version} == 9 )
 BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- bytestring_to_val(${msg.handshake9.server_version}));
+ connection()->bro_analyzer()->Conn(),
+ new StringVal(c_str(${msg.handshake9.server_version})));
 }
 return true;
 %}
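Review bot: `new StringVal(c_str(${msg.handshake10.server_version}))` reads the field as a C string, so it is only memory-safe because the companion `NUL_String` regex change in mysql-protocol.pac now guarantees the matched bytes end in `\0`; nothing in this hunk checks that, and the coupling between the two files is invisible to whoever edits either one later. A length-bounded construction keeps the contract local and avoids a strlen walk over server-supplied bytes: `new StringVal(${msg.handshake10.server_version}.length() - 1, (const char*) ${msg.handshake10.server_version}.begin())`, and the same for the v9 branch, assuming the `StringVal(int, const char*)` constructor is available in this tree. Whichever form is kept, a one-line comment above the call, `// server_version is a NUL_String: the bytestring includes the terminating NUL, which c_str()/StringVal stop at`, would record the dependency. The enclosing function begins before the hunk.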
@@ -26,12 +26,12 @@ refine flow MySQL_Flow += {
 {
 if ( ${msg.version} == 10 )
 BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- bytestring_to_val(${msg.v10_response.username}));
+ connection()->bro_analyzer()->Conn(),
+ new StringVal(c_str(${msg.v10_response.username})));
 if ( ${msg.version} == 9 )
 BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- bytestring_to_val(${msg.v9_response.username}));
+ connection()->bro_analyzer()->Conn(),
+ new StringVal(c_str(${msg.v9_response.username})));
 }
 return true;
 %}
@@ -40,9 +40,9 @@ refine flow MySQL_Flow += {
 %{
 if ( mysql_command_request )
 BifEvent::generate_mysql_command_request(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- ${msg.command},
- bytestring_to_val(${msg.arg}));
+ connection()->bro_analyzer()->Conn(),
+ ${msg.command},
+ bytestring_to_val(${msg.arg}));
 return true;
 %}
@@ -50,9 +50,9 @@ refine flow MySQL_Flow += {
 %{
 if ( mysql_error )
 BifEvent::generate_mysql_error(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- ${msg.code},
- bytestring_to_val(${msg.msg}));
+ connection()->bro_analyzer()->Conn(),
+ ${msg.code},
+ bytestring_to_val(${msg.msg}));
 return true;
 %}
@@ -60,8 +60,8 @@ refine flow MySQL_Flow += {
 %{
 if ( mysql_ok )
 BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- ${msg.rows});
+ connection()->bro_analyzer()->Conn(),
+ ${msg.rows});
 return true;
 %}
diff --git a/src/analyzer/protocol/mysql/mysql-protocol.pac b/src/analyzer/protocol/mysql/mysql-protocol.pac
index e352de0d37..b61cd0c4bc 100644
--- a/src/analyzer/protocol/mysql/mysql-protocol.pac
+++ b/src/analyzer/protocol/mysql/mysql-protocol.pac
@@ -151,7 +151,7 @@ enum Expected {
 EXPECT_AUTH_SWITCH,
 };
-type NUL_String = RE/[^\0]*/;
+type NUL_String = RE/[^\0]*\0/;
 # MySQL PDU
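Review bot: `type NUL_String = RE/[^\0]*\0/;` changes the type's contract in two ways that the diff leaves undocumented: the matched bytestring now carries the terminating NUL as its last byte, and a field that is not NUL-terminated within the packet no longer parses at all (presumably surfacing as a binpac exception and a protocol violation rather than an empty string, which is a behaviour change for truncated or malformed packets). Only `server_version` and `username` were switched away from `bytestring_to_val` in this commit; any other `NUL_String` field that is still passed through `bytestring_to_val` or measured with `.length()` will now include the extra `\0`, so the remaining uses are worth grepping. A comment on the type would make the contract explicit: `# Matches up to and including the terminating NUL; consumers must strip it (c_str()/StringVal(const char*) or length()-1), not hand it to bytestring_to_val().`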
From b0638dbdcf959d0cd30ae141245bf9e5412b7814 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Mon, 29 Oct 2018 15:58:06 -0500
Subject: [PATCH 2/2] Add a test with an encrypted MySQL connection
---
 .../mysql.log | 0
 testing/btest/Traces/mysql/encrypted.trace | Bin 0 -> 4188 bytes
 .../scripts/base/protocols/mysql/encrypted.test | 8 ++++++++
 3 files changed, 8 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/mysql.log
 create mode 100644 testing/btest/Traces/mysql/encrypted.trace
 create mode 100644 testing/btest/scripts/base/protocols/mysql/encrypted.test
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/mysql.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Traces/mysql/encrypted.trace b/testing/btest/Traces/mysql/encrypted.trace new file mode 100644 index 0000000000000000000000000000000000000000..dcf3689394f15a2962a9c2e4b500a3d251e770b9 GIT binary patch literal 4188 zcmb`Jc|4R|8^_N*!!XQbOQ@%^Bw1z*gBV#tibozp;0PfP_kuLwkJx- znpS(3qEgvXDBfgiL3r3- z6Cdvvw&Q>Y7{bp;tQ?$R7XUj(&S(Q|jHzM>`~xJ0&*Da8XpiiWZ)Tth3jSyW0L8ZW zf(^yVrE5TZg?tX7(HsbQ?w4c$5b}=7WioDL_$*B%;XF*Y&)_d8==ijnjL?_K91suC zfmcFeLUU$i@%XPDImdEDby@!kM`jU6uGFp8k2una;Q_9&4kT6%mLvN|B3MN3za_$s zT!8ChrN^T1^mLIH{0~5cmADnp$g17&s{fE#PM}m_g{&Ipw7lw49%kV@Fj)J@TD>Yl z+=b%-8SpAdtQ@R;#EqOsi2K@?iA&Bf;98kQGTW%~llU5`m33$ou!fJ01sWwWBzQZV zUA@=v{N3;Vy>H9nE>mihu+Sd;_gAOQG-V}K5P z01dFiN0JL*!8#xS1OY$9%A^sj_ZJTAXF1@wtapV2{VWIIpDy{1=zWbiFiz$H%^1Ln zzdC@qQ(=t|gI@eC5q3ba^(V0hAtDYKq5#lGqvppaweQ4m;Wtu~=Ax{FKTeS(^U8mSI5RD>nean`6Ld6y6&biUC2OEhI(DS^X2Cm?wVkr>&)h z;@)aW(Pt^wQ*9RY?z~zTW686q?Vy_V+^0y>ic%xw`~Lpr{bi@Min@4*wC6;hz7#lq zsH_(+LFei;FhMKJwXgr0bl_m`fdP5%p)Et_Z;y`T9u2DB<6)mIVKFru4=KO@%6HIZ z{mp1O$?|o;r>@*|tj^iJU!0dP=%xD1=Y*<=mVp1Ga}yCXSKg-iAZdobQ`~2P{Ecpj zFOs+fY(MVmkcs0S+eCA_G{bA$DM5_>EZOR`_}x$B=H(A(Z)Xd6sur}jRoGSMVQj<} zj*!xaTLas72=RH9j1eAo#7PZ)D~=rqwV2hh4WBhqmJ_-$izor;=2m-#kC6;rg z+9;*Ac{T#BY4`Rl>uhC{!NmIh(aZBGd+O9@!V1?&r!+G&Lwr7#yfwEIEtqZ1_xM_m z*KWwvjDF!6ZW4{6K*+=?Tl6cjZ64ayG#3>=LP`Tp(Q7$F>piO_?_i3t@ zX8`T8!O=j=GPGyuCtsz5=p0av<)F$3mr&gu zGW2|+`Sa+jT%wJx><8_E)8MyzT#3i>6?(aS_ioy}F085dj@bA6jO{99Zdc5XsbVoJ ztI#hOH{^GIVG28~c_cn#>-1PlB);u;aP=^Ear(1a4eBdW7)R`%f{RRR^AX8v<53Uu zK3^=2=aYnYe;(V&VvKpqDdBs*u}M6c{y2`Z+FlDxVEiFDvRbuVJGE!FyOhaL`{t%M z(e>4zFZo!C+3x4Ec5dZm)%RZnI0-(e4NJ)VcI)yNW^(GiL|H`Q*Z=JR#cx@p5l zC!%lkcUV@{1V1lPyKprGy2tyPkFIMFZ@yU*XQyfGVR=ovt+M$1AJfJCylwLD6dQ(! 
zm9()ii^ z6jcwO)v^Dqu(LHY(0T2N9Dki;*Afqr`Fr+tKKfK+mj`J1I-=u7FI|`U3uh*^GbAh9 zA3Q8!=Pt#*_fBgntmPrITQ%{`)CU+wa2RdT?qOfc=4aR0t-fZx$l%p%^_>k#pTkW| z?WaCA+^&40$QL_r=r&fMnUwQVozuDNk+arR3L`FH29szr?P?$OHltr4M&lw$$;b1H zP?7Adtlgt|V}_$OQenbUg_IpZYVjS^pob4M#7`S+w(XUX)3~?ZOH}%}p2o)RYKPpK zjH%YL`)x?a!Qug6M?rAkL1t`g;68@5wgtGg{d2P%i9}kPDPg&_Ej9Oknn+q$C@;H3 z^6gcvtp_1)(c}R+aDzu;ZcvP+DcwLP5m^B=(#^11P z931^Og(p<=sqvNXn0*t&#Q|G?TWjMY>A;~9)kC>kl5n}9xcm@j&;!F`FSS4HW;=0x zzM^Tr=q!G=?$DPHl4hwXbr)ZHRmSQb|72v{A!XcCWjot+(|z+^`z~Sbm$d%*s%_R@ zo3C-3Q5Q4f-`Tv0nhLJGNc4D!y&@GFoTBt(@)=l(W$=ly{#!-K~+2%x-pz`EBhop*H-cJP@N~38KX$iZP#Y?vJBs)eE zo3Dh5#H@vFfgr>jZJx#(nkQ3qNx{SyhYV0fcy1q>@fA5^*A&^u0q$ShEv8Evbg01@ zgAU7{Mp1tADRXOWjA&z6wb-U9-zgkzgg6XEd*wpv+5hphfF#8AwAqkf@h{xn`KP6+m_KUJ1~PCrD@{mGz{7h}qmV?ZF={9R2WnV6i-h-7PY zisz4)u&%%0?MrQz!d@4tQYt^}LY%$yMgl)DuM8Uf^18;2C{LP$B_#+gT18dIXRUE< z0>}0W^{2dTR=lhD?(}W)_Q=ech^{$;Q%lQs`MjG{rNAc~p6v0sm(Jr`QE!Td$DT~P z$!*A<$Kt8Q5w+p`&W?rMx2}(V#(Kw{8WDdVI(6i(^|sEilLI2j!zxy?Qos4nQInYY zx*_g)^R12H3#Y91<`$No`9fKw7s_fJZt6WXX|G(wyz%=)amfT?n+$wpa$&!aSUFfZ zO{%a(Y-7wU+qRU`RvB8o6r5AH8u|aV?cnbg>b9nlCk*iz8U^r_+nBta6k!viU&J4X z`aWzbxZ{4_X^kNDPP60ZMl22Qwv=l;?leW6E_6SZYp(}I1?8a?Phw3E;>rUj{}dUY zR=1u^SIn3pB%$OFXEp?mNn0bb9bnnNcp)(n*`_kfvVUZ|UWz7?P7dW`w@9d7EgK=$ z3;c>$ae!6acFV*cMx>KrBesR|L2fB|KZ$+t3#k_&cK?z%62sCcy-ZxvxDD2*guFBp JDpnEu{sR?K(mntH literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/mysql/encrypted.test b/testing/btest/scripts/base/protocols/mysql/encrypted.test new file mode 100644 index 0000000000..e41c93186f --- /dev/null +++ b/testing/btest/scripts/base/protocols/mysql/encrypted.test @@ -0,0 +1,8 @@ +# This tests how Bro deals with encrypted connections. Right now, it doesn't log them as it +# can't parse much of value. We're testing for an empty mysql.log file. + +# @TEST-EXEC: touch mysql.log +# @TEST-EXEC: bro -b -r $TRACES/mysql/encrypted.trace %INPUT +# @TEST-EXEC: btest-diff mysql.log + +@load base/protocols/mysql \ No newline at end of file
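Review bot: The new encrypted.test only asserts that mysql.log stays empty, which is equally true if the analyzer was never attached to the connection or was disabled by a parse exception on the first packet, so the test cannot tell "correctly ignores the TLS-wrapped session" from "silently fell over" and would not catch a regression of the NUL_String fix in the previous patch. Baselining where a protocol violation would land alongside it would pin the intended outcome, e.g. `# @TEST-EXEC: touch dpd.log` and `# @TEST-EXEC: btest-diff dpd.log` (touched the same way as mysql.log, since the file may legitimately not be created), or alternatively baselining conn.log's service column. The comment's "can't parse much of value" would read better as "cannot parse the encrypted payload", and the `@load` line is missing its trailing newline.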