diff --git a/aux/binpac b/aux/binpac
index cae5a82ba1..ab7cdd4511 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit cae5a82ba1a3c1d1f0221aa151988759b85e520f
+Subproject commit ab7cdd45114d3d1e8aa8b8c12ac3f3b8cb0bf8fc
diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif
index bd81e8b8a4..34cbc54b4b 100644
--- a/src/analyzer/protocol/mysql/events.bif
+++ b/src/analyzer/protocol/mysql/events.bif
@@ -38,6 +38,18 @@ event mysql_error%(c: connection, code: count, msg: string%);
 ## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
 event mysql_ok%(c: connection, affected_rows: count%);
+## Generated for each MySQL ResultsetRow response packet.
+##
+## See the MySQL `documentation `__
+## for more information about the MySQL protocol.
+##
+## c: The connection.
+##
+## row: The result row data.
+##
+## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
+event mysql_result_row%(c: connection, row: string_vec%);
+
 ## Generated for the initial server handshake packet, which includes the MySQL server version.
 ##
 ## See the MySQL `documentation `__
diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac
index 66710fb2bb..24401c110e 100644
--- a/src/analyzer/protocol/mysql/mysql-analyzer.pac
+++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac
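Review bot: The `row:` description in the new mysql_result_row docstring should say how NULL cells are represented: the length-encoded strings are sized by `to_int`, which maps the 0xfb NULL marker to length 0, so a NULL column arrives in `row` as an empty string and cannot be told apart from a genuinely empty value (the new wireshark baseline shows `mysql result row, []` for `SELECT DATABASE()`). Suggested wording: `## row: The result row data, one string per column in column order. NULL columns are delivered as empty strings.`. It is also worth stating explicitly that the event is generated once per row, not once per result set, since the neighbouring mysql_ok now fires at most once per query.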
@@ -67,10 +67,41 @@ refine flow MySQL_Flow += {
 function proc_resultset(msg: Resultset): bool
 %{
- if ( mysql_ok )
- BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
- connection()->bro_analyzer()->Conn(),
- ${msg.rows}->size());
+ if ( connection()->get_results_seen() == 1 )
+ {
+ // This is a bit fake...
+ if ( mysql_ok )
+ BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ 0);
+ }
+
+ if ( ${msg.is_eof} )
+ return true;
+
+ if ( ! mysql_result_row )
+ return true;
+
+ auto vt = internal_type("string_vec")->AsVectorType();
+ auto vv = new VectorVal(vt);
+
+ auto& bstring = ${msg.row.first_field.val};
+ auto ptr = reinterpret_cast(bstring.data());
+ vv->Assign(vv->Size(), new StringVal(bstring.length(), ptr));
+
+ auto& fields = *${msg.row.fields};
+
+ for ( auto& f : fields )
+ {
+ auto& bstring = f->val();
+ auto ptr = reinterpret_cast(bstring.data());
+ vv->Assign(vv->Size(), new StringVal(bstring.length(), ptr));
+ }
+
+ BifEvent::generate_mysql_result_row(connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ vv);
+
 return true;
 %}
diff --git a/src/analyzer/protocol/mysql/mysql-protocol.pac b/src/analyzer/protocol/mysql/mysql-protocol.pac
index ec9efd4d40..e352de0d37 100644
--- a/src/analyzer/protocol/mysql/mysql-protocol.pac
+++ b/src/analyzer/protocol/mysql/mysql-protocol.pac
@@ -17,6 +17,10 @@ type LengthEncodedInteger = record {
 integer : LengthEncodedIntegerLookahead(length);
 };
+type LengthEncodedIntegerArg(length: uint8) = record {
+ integer : LengthEncodedIntegerLookahead(length);
+};
+
 type LengthEncodedIntegerLookahead(length: uint8) = record {
 val: case length of {
 0xfb -> i0 : empty;
@@ -33,6 +37,11 @@ type LengthEncodedString = record {
 val: bytestring &length=to_int()(len);
 };
+type LengthEncodedStringArg(first_byte: uint8) = record {
+ len: LengthEncodedIntegerArg(first_byte);
+ val: bytestring &length=to_int()(len);
+};
+
 %header{
 class to_int {
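Review bot: The loop body in proc_resultset redeclares `bstring` and `ptr`, shadowing the same-named locals introduced a few lines earlier for `first_field`, and the three-line convert-and-append sequence is written out twice; a small lambda removes both the shadowing and the duplication. Separately, the mysql_ok raised when `get_results_seen() == 1` hard-codes `affected_rows` to 0 (the baselines in this commit now log 0 rows for every SELECT); since `results_seen_` is incremented once per Resultset packet, the `is_eof` branch appears to have the true row count available as `get_results_seen() - 1`, which would let mysql_ok report it — the `&let`-versus-proc evaluation order should be confirmed before relying on that. The enclosing `refine flow MySQL_Flow` block starts and ends outside the hunk.
```binpac
	auto vt = internal_type("string_vec")->AsVectorType();
	auto vv = new VectorVal(vt);

	// Convert one length-encoded field to a StringVal and append it to vv.
	auto append_field = [vv](const bytestring& bs)
		{
		auto ptr = reinterpret_cast<const char*>(bs.data());
		vv->Assign(vv->Size(), new StringVal(bs.length(), ptr));
		};

	append_field(${msg.row.first_field.val});

	for ( auto& f : *${msg.row.fields} )
		append_field(f->val());

	// … unchanged: generate_mysql_result_row call and return …
```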
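Review bot: LengthEncodedIntegerArg and LengthEncodedStringArg (the following hunk) duplicate LengthEncodedInteger and LengthEncodedString with the single difference that the leading length byte is passed in rather than read, and nothing in either hunk says why; a comment such as `# Variant for records that have already consumed the first byte as a case discriminator (ColumnDefinition, Resultset/ResultsetRow) and pass it back in.` above `type LengthEncodedIntegerArg` would keep a later reader from merging them back. The `type LengthEncodedInteger` record itself begins before the hunk.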
@@ -56,6 +65,20 @@ type LengthEncodedString = record {
 return 0;
 }
+ int operator()(LengthEncodedIntegerArg* lei) const
+ {
+ if ( lei->length() < 0xfb )
+ return lei->length();
+ else if ( lei->length() == 0xfc )
+ return lei->integer()->i2();
+ else if ( lei->length() == 0xfd )
+ return to_int()(lei->integer()->i3());
+ else if ( lei->length() == 0xfe )
+ return lei->integer()->i4();
+ else
+ return 0;
+ }
+
 int operator()(LengthEncodedIntegerLookahead* lei) const
 {
 if ( lei->length() < 0xfb )
@@ -107,7 +130,8 @@ enum command_consts {
 COM_SET_OPTION = 0x1b,
 COM_STMT_FETCH = 0x1c,
 COM_DAEMON = 0x1d,
- COM_BINLOG_DUMP_GTID = 0x1e
+ COM_BINLOG_DUMP_GTID = 0x1e,
+ COM_RESET_CONNECTION = 0x1f,
 };
 enum state {
@@ -119,11 +143,12 @@ enum Expected {
 NO_EXPECTATION,
 EXPECT_STATUS,
 EXPECT_COLUMN_DEFINITION,
+ EXPECT_COLUMN_DEFINITION_OR_EOF,
 EXPECT_COLUMN_COUNT,
- EXPECT_EOF1,
- EXPECT_EOF2,
+ EXPECT_EOF,
 EXPECT_RESULTSET,
- EXPECT_QUERY_RESPONSE,
+ EXPECT_REST_OF_PACKET,
+ EXPECT_AUTH_SWITCH,
 };
 type NUL_String = RE/[^\0]*/;
@@ -133,7 +158,7 @@ type NUL_String = RE/[^\0]*/;
 type MySQL_PDU(is_orig: bool) = record {
 hdr : Header;
 msg : case is_orig of {
- false -> server_msg: Server_Message(hdr.seq_id);
+ false -> server_msg: Server_Message(hdr.seq_id, hdr.len);
 true -> client_msg: Client_Message(state);
 } &requires(state);
 } &let {
@@ -147,9 +172,9 @@ type Header = record {
 len : uint32 = to_int()(le_len) + 4;
 } &length=4;
-type Server_Message(seq_id: uint8) = case seq_id of {
+type Server_Message(seq_id: uint8, pkt_len: uint32) = case seq_id of {
 0 -> initial_handshake: Initial_Handshake_Packet;
- default -> command_response : Command_Response;
+ default -> command_response : Command_Response(pkt_len);
 };
 type Client_Message(state: int) = case state of {
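Review bot: The new `operator()(LengthEncodedIntegerArg*)` overload is a line-for-line copy of the `LengthEncodedIntegerLookahead*` overload that follows it; both consult only `length()` and `integer()`, so a single private helper taking those two values (or a function template over the record type) would keep the 0xfb/0xfc/0xfd/0xfe handling from drifting between the two when it is next touched. Both overloads also map 0xfb, the NULL marker, to 0, so a NULL column becomes a zero-length bytestring downstream; a comment on the `else return 0;` line, e.g. `// 0xfb is the NULL marker; reported as length 0, so NULL and empty string coincide`, would make that deliberate rather than accidental. The `class to_int` block begins before the hunk.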
@@ -225,18 +250,20 @@ type Command_Request_Packet = record {
 command : uint8;
 arg : bytestring &restofdata;
 } &let {
- update_expectation : bool = $context.connection.set_next_expected(EXPECT_COLUMN_COUNT);
+ update_expectation : bool = $context.connection.set_next_expected_from_command(command);
 };
 # Command Response
-type Command_Response = case $context.connection.get_expectation() of {
+type Command_Response(pkt_len: uint32) = case $context.connection.get_expectation() of {
 EXPECT_COLUMN_COUNT -> col_count_meta : ColumnCountMeta;
- EXPECT_COLUMN_DEFINITION -> col_defs : ColumnDefinitions;
- EXPECT_RESULTSET -> resultset : Resultset;
+ EXPECT_COLUMN_DEFINITION -> col_def : ColumnDefinition;
+ EXPECT_COLUMN_DEFINITION_OR_EOF -> def_or_eof : ColumnDefinitionOrEOF(pkt_len);
+ EXPECT_RESULTSET -> resultset : Resultset(pkt_len);
+ EXPECT_REST_OF_PACKET -> rest : bytestring &restofdata;
 EXPECT_STATUS -> status : Command_Response_Status;
- EXPECT_EOF1 -> eof1 : EOF1;
- EXPECT_EOF2 -> eof2 : EOF2;
+ EXPECT_AUTH_SWITCH -> auth_switch : AuthSwitchRequest;
+ EXPECT_EOF -> eof : EOF1;
 default -> unknow : empty;
 };
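Review bot: Command_Response dispatches every server packet on `$context.connection.get_expectation()`, and Command_Request_Packet now overwrites that single per-connection value from each client command, so the parser implicitly assumes exactly one outstanding command at a time; if a peer sends a second command before the previous response has completed, later responses are parsed under the wrong expectation and the state machine desynchronises until the next command resets it. That is acceptable for well-behaved peers but is nowhere stated; a comment above `# Command Response`, e.g. `# The expected response type is per-connection state set by the most recent client command; responses are assumed to arrive strictly in request order, one command at a time.`, would record the assumption. Note too that `EXPECT_REST_OF_PACKET` never changes the expectation, so every server packet after a COM_STATISTICS reply is swallowed as `rest` until the next client command, which is presumably intended but worth a word in the same comment.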
@@ -265,39 +292,55 @@ type ColumnCount(byte: uint8) = record {
 } &let {
 col_num : uint32 = to_int()(le_column_count);
 update_col_num : bool = $context.connection.set_col_count(col_num);
+ update_remain : bool = $context.connection.set_remaining_cols(col_num);
 update_expectation : bool = $context.connection.set_next_expected(EXPECT_COLUMN_DEFINITION);
 };
-type ColumnDefinitions = record {
- defs : ColumnDefinition41[1];
+type ColumnDefinition = record {
+ dummy: uint8;
+ def : ColumnDefinition41(dummy);
 } &let {
- update_expectation : bool = $context.connection.set_next_expected(EXPECT_EOF1);
+ update_remain : bool = $context.connection.dec_remaining_cols();
+ update_expectation : bool = $context.connection.set_next_expected($context.connection.get_remaining_cols() > 0 ? EXPECT_COLUMN_DEFINITION : EXPECT_EOF);
 };
+type ColumnDefinitionOrEOF(pkt_len: uint32) = record {
+ marker: uint8;
+ def_or_eof: case is_eof of {
+ true -> eof: EOF_Packet;
+ false -> def: ColumnDefinition41(marker);
+ } &requires(is_eof);
+} &let {
+ is_eof: bool = (marker == 0xfe && pkt_len <= 9);
+};
+
+
 type EOF1 = record {
 eof : EOF_Packet;
 } &let {
+ update_result_seen : bool = $context.connection.set_results_seen(0);
 update_expectation : bool = $context.connection.set_next_expected(EXPECT_RESULTSET);
 };
-type EOF2 = record {
- eof : EOF_Packet;
+type Resultset(pkt_len: uint32) = record {
+ marker: uint8;
+ row_or_eof: case is_eof of {
+ true -> eof: EOF_Packet;
+ false -> row: ResultsetRow(marker);
+ } &requires(is_eof);
 } &let {
- update_expectation : bool = $context.connection.set_next_expected(NO_EXPECTATION);
+ is_eof: bool = (marker == 0xfe && pkt_len <= 9);
+ update_result_seen : bool = $context.connection.inc_results_seen();
+ update_expectation : bool = $context.connection.set_next_expected(is_eof ? NO_EXPECTATION : EXPECT_RESULTSET);
 };
-type Resultset = record {
- rows : ResultsetRow[] &until($input.length()==0);
-} &let {
- update_expectation : bool = $context.connection.set_next_expected(EXPECT_EOF2);
+type ResultsetRow(first_byte: uint8) = record {
+ first_field: LengthEncodedStringArg(first_byte);
+ fields: LengthEncodedString[$context.connection.get_col_count() - 1];
 };
-type ResultsetRow = record {
- fields: LengthEncodedString[$context.connection.get_col_count()];
-};
-
-type ColumnDefinition41 = record {
- catalog : LengthEncodedString;
+type ColumnDefinition41(first_byte: uint8) = record {
+ catalog : LengthEncodedStringArg(first_byte);
 schema : LengthEncodedString;
 table : LengthEncodedString;
 org_table: LengthEncodedString;
@@ -312,6 +355,12 @@ type ColumnDefinition41 = record {
 filler : padding[2];
 };
+type AuthSwitchRequest = record {
+ status: uint8;
+ name: NUL_String;
+ data: bytestring &restofdata;
+};
+
 type ColumnDefinition320 = record {
 table : LengthEncodedString;
 name : LengthEncodedString;
@@ -352,6 +401,8 @@ refine connection MySQL_Conn += {
 int state_;
 Expected expected_;
 uint32 col_count_;
+ uint32 remaining_cols_;
+ uint32 results_seen_;
 %}
 %init{
@@ -359,6 +410,8 @@ refine connection MySQL_Conn += {
 state_ = CONNECTION_PHASE;
 expected_ = EXPECT_STATUS;
 col_count_ = 0;
+ remaining_cols_ = 0;
+ results_seen_ = 0;
 %}
 function get_version(): uint8
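Review bot: ResultsetRow sizes `fields` as `$context.connection.get_col_count() - 1`, a uint32 expression that wraps to 0xffffffff when `col_count_` is 0; `col_count_` starts at 0 in `%init` and is set from the wire by ColumnCount, whose discriminator is outside this diff, so whether a zero count can reach EXPECT_RESULTSET is not visible here (as written, a zero count seems to stall in EXPECT_COLUMN_DEFINITION instead), but a guard is cheap: `fields: LengthEncodedString[$context.connection.get_col_count() > 0 ? $context.connection.get_col_count() - 1 : 0];`. The `pkt_len <= 9` EOF test used in both ColumnDefinitionOrEOF and Resultset depends on Header folding the 4 header bytes into `len`, so the constant really means a payload of at most 5 bytes; a comment at the first `is_eof`, e.g. `# pkt_len includes the 4-byte packet header, so <= 9 means an EOF payload of at most 5 bytes (0xfe, warnings, status)`, would save the next reader a trip to the spec. The doubled blank `+` lines after ColumnDefinitionOrEOF look like a stray extra blank.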
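Review bot: AuthSwitchRequest carries no `&let` that resets the expectation, so after the server's auth-switch packet `expected_` stays EXPECT_AUTH_SWITCH and the server's next packet — normally its OK/ERR to the client's auth-switch response — would be parsed as a second AuthSwitchRequest, unless the client-side parsing (not in this diff) resets the state. Replacing the bare `};` with `} &let { update_expectation : bool = $context.connection.set_next_expected(EXPECT_STATUS); };` follows the pattern the other records in this file use. A one-line comment naming the trigger, `# Sent by the server in reply to COM_CHANGE_USER (EXPECT_AUTH_SWITCH).`, would also tie the record to the switch in set_next_expected_from_command.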
@@ -394,6 +447,112 @@ refine connection MySQL_Conn += {
 return true;
 %}
+ function set_next_expected_from_command(cmd: uint8): bool
+ %{
+ switch ( cmd ) {
+ case COM_SLEEP:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_QUIT:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_INIT_DB:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_QUERY:
+ expected_ = EXPECT_COLUMN_COUNT;
+ break;
+ case COM_FIELD_LIST:
+ expected_ = EXPECT_COLUMN_DEFINITION_OR_EOF;
+ break;
+ case COM_CREATE_DB:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_DROP_DB:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_REFRESH:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_SHUTDOWN:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_STATISTICS:
+ expected_ = EXPECT_REST_OF_PACKET;
+ break;
+ case COM_PROCESS_INFO:
+ expected_ = EXPECT_COLUMN_COUNT;
+ break;
+ case COM_CONNECT:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_PROCESS_KILL:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_DEBUG:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_PING:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_TIME:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_DELAYED_INSERT:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_CHANGE_USER:
+ expected_ = EXPECT_AUTH_SWITCH;
+ break;
+ case COM_BINLOG_DUMP:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_TABLE_DUMP:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_CONNECT_OUT:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_REGISTER_SLAVE:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_STMT_PREPARE:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_STMT_EXECUTE:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_STMT_SEND_LONG_DATA:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_STMT_CLOSE:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_STMT_RESET:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_SET_OPTION:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_STMT_FETCH:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_DAEMON:
+ expected_ = EXPECT_STATUS;
+ break;
+ case COM_BINLOG_DUMP_GTID:
+ expected_ = NO_EXPECTATION;
+ break;
+ case COM_RESET_CONNECTION:
+ expected_ = EXPECT_STATUS;
+ break;
+ default:
+ expected_ = NO_EXPECTATION;
+ break;
+ }
+ return true;
+ %}
+
 function get_col_count(): uint32
 %{
 return col_count_;
@@ -404,4 +563,38 @@ refine connection MySQL_Conn += {
 col_count_ = i;
 return true;
 %}
+
+ function get_remaining_cols(): uint32
+ %{
+ return remaining_cols_;
+ %}
+
+ function set_remaining_cols(i: uint32): bool
+ %{
+ remaining_cols_ = i;
+ return true;
+ %}
+
+ function dec_remaining_cols(): bool
+ %{
+ --remaining_cols_;
+ return true;
+ %}
+
+ function get_results_seen(): uint32
+ %{
+ return results_seen_;
+ %}
+
+ function set_results_seen(i: uint32): bool
+ %{
+ results_seen_ = i;
+ return true;
+ %}
+
+ function inc_results_seen(): bool
+ %{
+ ++results_seen_;
+ return true;
+ %}
 };
diff --git a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
index ee96c08d86..854290d0d0 100644
--- a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
+++ b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac
@@ -99,7 +99,7 @@ refine connection SMB_Conn += {
 response->Assign(1, new Val(${val.ntlm.is_guest}, TYPE_BOOL));
 response->Assign(2, smb_string2stringval(${val.ntlm.native_os}));
 response->Assign(3, smb_string2stringval(${val.ntlm.native_lanman}));
- response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));
+ //response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));
 //response->Assign(5, bytestring_to_val(${val.ntlm.security_blob}));
 break;
 default: // Error!
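Review bot: set_next_expected_from_command spells out thirty-two `case` labels as separate three-line stanzas although they map onto only five `expected_` values, and the twelve NO_EXPECTATION cases repeat what `default` already does; grouping the labels by outcome keeps the table readable and makes it obvious at a glance which commands' responses are not parsed yet. The grouping below is behaviour-preserving. A one-line comment above the switch, `// Which server response the next packet should be parsed as, keyed by the request's command byte.`, would also help, since the Expected enum is declared far from here.
```binpac
	function set_next_expected_from_command(cmd: uint8): bool
		%{
		switch ( cmd ) {
		case COM_SLEEP:
		case COM_QUIT:
		case COM_INIT_DB:
		case COM_CREATE_DB:
		case COM_DROP_DB:
		case COM_REFRESH:
		case COM_SHUTDOWN:
		case COM_CONNECT:
		case COM_PROCESS_KILL:
		case COM_DEBUG:
		case COM_PING:
		case COM_TIME:
		case COM_DELAYED_INSERT:
		case COM_DAEMON:
		case COM_RESET_CONNECTION:
			expected_ = EXPECT_STATUS;
			break;
		case COM_QUERY:
		case COM_PROCESS_INFO:
			expected_ = EXPECT_COLUMN_COUNT;
			break;
		case COM_FIELD_LIST:
			expected_ = EXPECT_COLUMN_DEFINITION_OR_EOF;
			break;
		case COM_STATISTICS:
			expected_ = EXPECT_REST_OF_PACKET;
			break;
		case COM_CHANGE_USER:
			expected_ = EXPECT_AUTH_SWITCH;
			break;
		default:
			// COM_BINLOG_DUMP, COM_TABLE_DUMP, COM_CONNECT_OUT, COM_REGISTER_SLAVE,
			// COM_STMT_*, COM_SET_OPTION, COM_BINLOG_DUMP_GTID and unknown commands:
			// their responses are not parsed.
			expected_ = NO_EXPECTATION;
			break;
		}
		// … unchanged: return true …
```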
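Review bot: dec_remaining_cols decrements `remaining_cols_` unconditionally, so a call made when the counter is already 0 wraps the uint32 to 0xffffffff, after which ColumnDefinition's `get_remaining_cols() > 0` test keeps the connection in EXPECT_COLUMN_DEFINITION until the next client command. Whether a column count of 0 can reach that path depends on ColumnCount's discriminator, which is outside this diff, but the guard costs one line: `if ( remaining_cols_ > 0 ) --remaining_cols_;`. The six new accessors would also read better with a short comment each naming the parser state they back, e.g. `// Column definitions still expected before the EOF that starts the result rows.` over get_remaining_cols and `// Resultset packets seen since the last EOF1; reset to 0 there.` over get_results_seen.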
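Review bot: The `response->Assign(4, ...)` line is commented out rather than deleted, leaving two consecutive dead lines (index 5 was already commented) and no explanation of why `primary_domain` is no longer extracted, while the second hunk in this file removes the `primary_domain` field from SMB1_session_setup_andx_response_ntlm. If the script-side record behind `response` still declares a field at index 4, that field is now silently left unset; the record definition is outside this diff and should be checked in the same change. Replacing the two commented lines with a single comment, e.g. `// primary_domain and security_blob are intentionally not extracted; record indices 4 and 5 stay unset.`, documents the intent without dead code. The enclosing switch and refine block begin and end outside the hunk.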
@@ -242,7 +242,6 @@ type SMB1_session_setup_andx_response_ntlm(header: SMB_Header, offset: uint16) = # offset + 1 due to word_count in the parent type native_os : SMB_string(header.unicode, offsetof(native_os) + 1); native_lanman : SMB_string(header.unicode, offsetof(native_lanman) + 1); - primary_domain : SMB_string(header.unicode, offsetof(primary_domain) + 1); extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters))); diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log index 201f5e65ea..58b1974c67 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path mysql -#open 2016-07-13-16-16-46 +#open 2018-05-17-12-54-47 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg success rows response #types time string addr port addr port string string bool count string 1362452327.618353 CtPZjS20MLrsMUOJi2 192.168.1.3 55845 192.168.1.8 3306 login root_nope F - Access denied for user 'root_nope'@'lumberjack.home' (using password: NO) 
@@ -16,6 +16,6 @@ 1362452360.410803 C0LAHyvtKSQHyJxIl 192.168.1.3 55863 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: YES) 1362452361.886123 CFLRIC3zaTU1loLGxh 192.168.1.3 55864 192.168.1.8 3306 login root F - Access denied for user 'root'@'lumberjack.home' (using password: YES) 1362452372.452858 C9rXSW3KSpTYvPrlI1 192.168.1.3 55865 192.168.1.8 3306 login root T 0 - -1362452372.454995 C9rXSW3KSpTYvPrlI1 192.168.1.3 55865 192.168.1.8 3306 query select @@version_comment limit 1 T 1 - +1362452372.454995 C9rXSW3KSpTYvPrlI1 192.168.1.3 55865 192.168.1.8 3306 query select @@version_comment limit 1 T 0 - 1362452372.991997 C9rXSW3KSpTYvPrlI1 192.168.1.3 55865 192.168.1.8 3306 quit (empty) - - - -#close 2016-07-13-16-16-46 +#close 2018-05-17-12-54-47 diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log index da1de035b2..ac18135111 100644 --- a/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log 
@@ -3,25 +3,25 @@ #empty_field (empty) #unset_field - #path mysql -#open 2016-07-13-16-16-46 +#open 2018-05-17-04-01-33 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg success rows response #types time string addr port addr port string string bool count string 1216281025.136728 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 login tfoerste T 0 - -1216281025.137062 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select @@version_comment limit 1 T 1 - -1216281030.835001 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query SELECT DATABASE() T 1 - +1216281025.137062 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select @@version_comment limit 1 T 0 - +1216281030.835001 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query SELECT DATABASE() T 0 - 1216281030.835395 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 init_db test T 0 - -1216281030.835742 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query show databases T 1 - -1216281030.836349 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query show tables T 1 - -1216281030.836757 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 field_list agent T 3 - +1216281030.835742 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query show databases T 0 - +1216281030.836349 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query show tables T 0 - +1216281030.836757 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 field_list agent - - - 1216281048.287657 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM T 0 - 1216281057.746222 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("dog", "Goofy") T 1 - 1216281061.713980 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query 
insert into foo (animal, name) values ("cat", "Garfield") T 1 - -1216281066.549786 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 3 - +1216281066.549786 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 0 - 1216281072.304467 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where name like '%oo%' T 1 - 1216281079.450037 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where id = 1 T 0 - -1216281087.437392 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select count(*) from foo T 1 - -1216281109.107769 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 3 - +1216281087.437392 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select count(*) from foo T 0 - +1216281109.107769 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 0 - 1216281116.209268 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query delete from foo T 1 - 1216281122.880561 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query drop table foo T 0 - 1216281124.418765 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 quit (empty) - - - -#close 2016-07-13-16-16-46 +#close 2018-05-17-04-01-33 diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/out b/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/out new file mode 100644 index 0000000000..d322011e9d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/out 
@@ -0,0 +1,42 @@ +mysql ok, 0 +mysql request, 3, select @@version_comment limit 1 +mysql ok, 0 +mysql result row, [Gentoo Linux mysql-5.0.54] +mysql request, 3, SELECT DATABASE() +mysql ok, 0 +mysql result row, [] +mysql request, 2, test +mysql ok, 0 +mysql request, 3, show databases +mysql ok, 0 +mysql result row, [information_schema] +mysql result row, [test] +mysql request, 3, show tables +mysql ok, 0 +mysql result row, [agent] +mysql request, 4, agent\x00 +mysql request, 3, create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM +mysql ok, 0 +mysql request, 3, insert into foo (animal, name) values ("dog", "Goofy") +mysql ok, 1 +mysql request, 3, insert into foo (animal, name) values ("cat", "Garfield") +mysql ok, 1 +mysql request, 3, select * from foo +mysql ok, 0 +mysql result row, [1, dog, Goofy] +mysql result row, [2, cat, Garfield] +mysql request, 3, delete from foo where name like '%oo%' +mysql ok, 1 +mysql request, 3, delete from foo where id = 1 +mysql ok, 0 +mysql request, 3, select count(*) from foo +mysql ok, 0 +mysql result row, [1] +mysql request, 3, select * from foo +mysql ok, 0 +mysql result row, [2, cat, Garfield] +mysql request, 3, delete from foo +mysql ok, 1 +mysql request, 3, drop table foo +mysql ok, 0 +mysql request, 1, diff --git a/testing/btest/scripts/base/protocols/mysql/wireshark.test b/testing/btest/scripts/base/protocols/mysql/wireshark.test index 64f4aacdda..55fe5be16c 100644 --- a/testing/btest/scripts/base/protocols/mysql/wireshark.test +++ b/testing/btest/scripts/base/protocols/mysql/wireshark.test 
@@ -1,6 +1,27 @@
 # This tests a PCAP with a few MySQL commands from the Wireshark samples.
-# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff mysql.log
-@load base/protocols/mysql
\ No newline at end of file
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+ {
+ print "mysql ok", affected_rows;
+ }
+
+event mysql_result_row(c: connection, row: string_vec)
+ {
+ print "mysql result row", row;
+ }
+
+event mysql_error(c: connection, code: count, msg: string)
+ {
+ print "mysql error", code, msg;
+ }
+
+event mysql_command_request(c: connection, command: count, arg: string)
+ {
+ print "mysql request", command, arg;
+ }