mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Fixes for MySQL and SMB protocol parsers
* MySQL: the parser for this was generally broken (not following the specification well) and needed many changes. One addition is a new "mysql_result_row" event that provides access to the results of queries.
* SMB: the spec seems to explicitly call out the omission of the PrimaryDomain field on SMB_COM_SESSION_SETUP_ANDX responses (and I don't see that field in pcaps either), so this may have just been a typo that used to work fine in the past only due to faulty array parsing behavior in binpac.
parent
9c1e20394b
commit
954e7980cf
9 changed files with 349 additions and 51 deletions
|
@ -3,25 +3,25 @@
|
|||
#empty_field (empty)
|
||||
#unset_field -
|
||||
#path mysql
|
||||
#open 2016-07-13-16-16-46
|
||||
#open 2018-05-17-04-01-33
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cmd arg success rows response
|
||||
#types time string addr port addr port string string bool count string
|
||||
1216281025.136728 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 login tfoerste T 0 -
|
||||
1216281025.137062 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select @@version_comment limit 1 T 1 -
|
||||
1216281030.835001 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query SELECT DATABASE() T 1 -
|
||||
1216281025.137062 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select @@version_comment limit 1 T 0 -
|
||||
1216281030.835001 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query SELECT DATABASE() T 0 -
|
||||
1216281030.835395 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 init_db test T 0 -
|
||||
1216281030.835742 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query show databases T 1 -
|
||||
1216281030.836349 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query show tables T 1 -
|
||||
1216281030.836757 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 field_list agent T 3 -
|
||||
1216281030.835742 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query show databases T 0 -
|
||||
1216281030.836349 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query show tables T 0 -
|
||||
1216281030.836757 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 field_list agent - - -
|
||||
1216281048.287657 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM T 0 -
|
||||
1216281057.746222 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("dog", "Goofy") T 1 -
|
||||
1216281061.713980 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query insert into foo (animal, name) values ("cat", "Garfield") T 1 -
|
||||
1216281066.549786 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 3 -
|
||||
1216281066.549786 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 0 -
|
||||
1216281072.304467 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where name like '%oo%' T 1 -
|
||||
1216281079.450037 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query delete from foo where id = 1 T 0 -
|
||||
1216281087.437392 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select count(*) from foo T 1 -
|
||||
1216281109.107769 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 3 -
|
||||
1216281087.437392 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select count(*) from foo T 0 -
|
||||
1216281109.107769 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query select * from foo T 0 -
|
||||
1216281116.209268 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query delete from foo T 1 -
|
||||
1216281122.880561 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 query drop table foo T 0 -
|
||||
1216281124.418765 CHhAvVGS1DHFjwGM9 192.168.0.254 56162 192.168.0.254 3306 quit (empty) - - -
|
||||
#close 2016-07-13-16-16-46
|
||||
#close 2018-05-17-04-01-33
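Review bot: The `rows` column changes meaning in this baseline and nothing visible on the page documents it: assuming the second copy of each repeated record is the new side (the `#open 2018-05-17-04-01-33` stamp suggests so), every `select`/`show` query goes from `T 1` or `T 3` to `T 0`, while the `insert` and `delete` records keep their counts and `field_list agent` now logs success and rows as unset. That reads as `rows` now carrying only the affected-row count from the server's reply, with result-set rows exposed solely through the new `mysql_result_row` event. Anyone who baselines or alerts on `rows` in mysql.log to spot unusually large reads would silently get 0 after this change, so I would state the semantics on the field, e.g. `## Rows affected by the statement; result-set rows are not counted here, see mysql_result_row.`, and mention the change in the release notes. Only this one of the 9 changed files is visible here, so the script-side documentation may already cover it.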
|
||||
|
|