Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/vladg/mysql_nul_string_fix'

Browse source 
* origin/topic/vladg/mysql_nul_string_fix:
  Add a test with an encrypted MySQL connection
  Fix parsing of MySQL NUL Strings, where we now require it to have a NUL value at the end.
This commit is contained in:
Jon Siwek 2018-10-30 09:59:44 -05:00
commit 8c02aa5211
7 changed files with 32 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

6
CHANGES
View file

@ -1,4 +1,10 @@
2.6-beta2-55 | 2018-10-30 09:59:44 -0500
* Add a test with an encrypted MySQL connection (Vlad Grigorescu)
* Fix parsing of MySQL NUL Strings (Vlad Grigorescu)
2.6-beta2-51 | 2018-10-26 10:41:42 -0500 2.6-beta2-51 | 2018-10-26 10:41:42 -0500
* Add missing record field comment (Jon Siwek, Corelight) * Add missing record field comment (Jon Siwek, Corelight)

2
VERSION
View file

@ -1 +1 @@
2.6-beta2-51 2.6-beta2-55

8
src/analyzer/protocol/mysql/mysql-analyzer.pac
View file

@ -8,11 +8,11 @@ refine flow MySQL_Flow += {
if ( ${msg.version} == 10 ) if ( ${msg.version} == 10 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(), BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.handshake10.server_version})); new StringVal(c_str(${msg.handshake10.server_version})));
if ( ${msg.version} == 9 ) if ( ${msg.version} == 9 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(), BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.handshake9.server_version})); new StringVal(c_str(${msg.handshake9.server_version})));
} }
return true; return true;
%} %}
@ -27,11 +27,11 @@ refine flow MySQL_Flow += {
if ( ${msg.version} == 10 ) if ( ${msg.version} == 10 )
BifEvent::generate_mysql_handshake(connection()->bro_analyzer(), BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.v10_response.username})); new StringVal(c_str(${msg.v10_response.username})));
if ( ${msg.version} == 9 ) if ( ${msg.version} == 9 )
BifEvent::generate_mysql_handshake(connection()->bro_analyzer(), BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.v9_response.username})); new StringVal(c_str(${msg.v9_response.username})));
} }
return true; return true;
%} %}

2
src/analyzer/protocol/mysql/mysql-protocol.pac
View file

@ -151,7 +151,7 @@ enum Expected {
EXPECT_AUTH_SWITCH, EXPECT_AUTH_SWITCH,
}; };
type NUL_String = RE/[^\0]*/; type NUL_String = RE/[^\0]*\0/;
# MySQL PDU # MySQL PDU

0
testing/btest/Baseline/scripts.base.protocols.mysql.encrypted/mysql.log Normal file
View file

BIN
testing/btest/Traces/mysql/encrypted.trace Normal file
View file

Binary file not shown.

8
testing/btest/scripts/base/protocols/mysql/encrypted.test Normal file
View file

@ -0,0 +1,8 @@
# This tests how Bro deals with encrypted connections. Right now, it doesn't log them as it
# can't parse much of value. We're testing for an empty mysql.log file.
# @TEST-EXEC: touch mysql.log
# @TEST-EXEC: bro -b -r $TRACES/mysql/encrypted.trace %INPUT
# @TEST-EXEC: btest-diff mysql.log
@load base/protocols/mysql