Fixes for MySQL and SMB protocol parsers

* MySQL: the parser for this was generally broken (not following the specification well) and needed many changes. One addition is a new "mysql_result_row" event that provides access to the results of queries. * SMB: the spec seems to explitly call out the omission of the PrimaryDomain field on SMB_COM_SESSION_SETUP_ANDX responses (and I don't see that field in pcaps either), so this may have just been a typo that used to work fine in the past only due to faulty array parsing behavior in binpac.
2025-10-06 08:38:20 +00:00 · 2018-05-17 10:23:23 -05:00 · 2018-05-17 10:23:23 -05:00 · 954e7980cf
commit 954e7980cf
parent 9c1e20394b
9 changed files with 349 additions and 51 deletions
--- a/testing/btest/scripts/base/protocols/mysql/wireshark.test
+++ b/testing/btest/scripts/base/protocols/mysql/wireshark.test
@ -1,6 +1,27 @@
 # This tests a PCAP with a few MySQL commands from the Wireshark samples.

-# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff mysql.log

-@load base/protocols/mysql
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_result_row(c: connection, row: string_vec)
+	{
+	print "mysql result row", row;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}