Fixes for MySQL and SMB protocol parsers

* MySQL: the parser for this was generally broken (not following
  the specification well) and needed many changes.  One addition is a
  new "mysql_result_row" event that provides access to the results of
  queries.

* SMB: the spec seems to explitly call out the omission of the
  PrimaryDomain field on SMB_COM_SESSION_SETUP_ANDX responses (and I
  don't see that field in pcaps either), so this may have just been a
  typo that used to work fine in the past only due to faulty array
  parsing behavior in binpac.

aux/binpac

@@ -1 +1 @@
-Subproject commit cae5a82ba1a3c1d1f0221aa151988759b85e520f
+Subproject commit ab7cdd45114d3d1e8aa8b8c12ac3f3b8cb0bf8fc

src/analyzer/protocol/mysql/events.bif

@@ -38,6 +38,18 @@ event mysql_error%(c: connection, code: count, msg: string%);
 ## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake
 event mysql_ok%(c: connection, affected_rows: count%);
 
+## Generated for each MySQL ResultsetRow response packet.
+##
+## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+## for more information about the MySQL protocol.
+##
+## c: The connection.
+##
+## row: The result row data.
+##
+## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok
+event mysql_result_row%(c: connection, row: string_vec%);
+
 ## Generated for the initial server handshake packet, which includes the MySQL server version.
 ##
 ## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__

src/analyzer/protocol/mysql/mysql-analyzer.pac

@@ -67,10 +67,41 @@ refine flow MySQL_Flow += {
 
 	function proc_resultset(msg: Resultset): bool
 		%{
-		if ( mysql_ok )
+		if ( connection()->get_results_seen() == 1 )
-			BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
+			{
-										connection()->bro_analyzer()->Conn(),
+			// This is a bit fake...
-										${msg.rows}->size());
+			if ( mysql_ok )
+				BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
+				                            connection()->bro_analyzer()->Conn(),
+				                            0);
+			}
+
+		if ( ${msg.is_eof} )
+			return true;
+
+		if ( ! mysql_result_row )
+			return true;
+
+		auto vt = internal_type("string_vec")->AsVectorType();
+		auto vv = new VectorVal(vt);
+
+		auto& bstring = ${msg.row.first_field.val};
+		auto ptr = reinterpret_cast<const char*>(bstring.data());
+		vv->Assign(vv->Size(), new StringVal(bstring.length(), ptr));
+
+		auto& fields = *${msg.row.fields};
+
+		for ( auto& f : fields )
+			{
+			auto& bstring = f->val();
+			auto ptr = reinterpret_cast<const char*>(bstring.data());
+			vv->Assign(vv->Size(), new StringVal(bstring.length(), ptr));
+			}
+
+		BifEvent::generate_mysql_result_row(connection()->bro_analyzer(),
+		                                    connection()->bro_analyzer()->Conn(),
+		                                    vv);
+
 		return true;
 		%}
 

src/analyzer/protocol/mysql/mysql-protocol.pac

@@ -17,6 +17,10 @@ type LengthEncodedInteger = record {
 	integer : LengthEncodedIntegerLookahead(length);
 };
 
+type LengthEncodedIntegerArg(length: uint8) = record {
+	integer : LengthEncodedIntegerLookahead(length);
+};
+
 type LengthEncodedIntegerLookahead(length: uint8) = record {
 	val: case length of {
 		0xfb    -> i0        : empty;
@@ -33,6 +37,11 @@ type LengthEncodedString = record {
 	val: bytestring &length=to_int()(len);
 };
 
+type LengthEncodedStringArg(first_byte: uint8) = record {
+	len: LengthEncodedIntegerArg(first_byte);
+	val: bytestring &length=to_int()(len);
+};
+
 %header{
 	class to_int
 		{
@@ -56,6 +65,20 @@ type LengthEncodedString = record {
 				return 0;
 			}
 
+		int operator()(LengthEncodedIntegerArg* lei) const
+			{
+			if ( lei->length() < 0xfb )
+				return lei->length();
+			else if ( lei->length() == 0xfc )
+				return lei->integer()->i2();
+			else if ( lei->length() == 0xfd )
+				return to_int()(lei->integer()->i3());
+			else if ( lei->length() == 0xfe )
+				return lei->integer()->i4();
+			else
+				return 0;
+			}
+
 		int operator()(LengthEncodedIntegerLookahead* lei) const
 			{
 			if ( lei->length() < 0xfb )
@@ -107,7 +130,8 @@ enum command_consts {
 	COM_SET_OPTION          = 0x1b,
 	COM_STMT_FETCH          = 0x1c,
 	COM_DAEMON              = 0x1d,
-	COM_BINLOG_DUMP_GTID    = 0x1e
+	COM_BINLOG_DUMP_GTID    = 0x1e,
+	COM_RESET_CONNECTION    = 0x1f,
 };
 
 enum state {
@@ -119,11 +143,12 @@ enum Expected {
 	NO_EXPECTATION,
 	EXPECT_STATUS,
 	EXPECT_COLUMN_DEFINITION,
+	EXPECT_COLUMN_DEFINITION_OR_EOF,
 	EXPECT_COLUMN_COUNT,
-	EXPECT_EOF1,
+	EXPECT_EOF,
-	EXPECT_EOF2,
 	EXPECT_RESULTSET,
-	EXPECT_QUERY_RESPONSE,
+	EXPECT_REST_OF_PACKET,
+	EXPECT_AUTH_SWITCH,
 };
 
 type NUL_String = RE/[^\0]*/;
@@ -133,7 +158,7 @@ type NUL_String = RE/[^\0]*/;
 type MySQL_PDU(is_orig: bool) = record {
 	hdr		: Header;
 	msg		: case is_orig of {
-		false -> server_msg: Server_Message(hdr.seq_id);
+		false -> server_msg: Server_Message(hdr.seq_id, hdr.len);
 		true  -> client_msg: Client_Message(state);
 	} &requires(state);
 } &let {
@@ -147,9 +172,9 @@ type Header = record {
 	len   : uint32 = to_int()(le_len) + 4;
 } &length=4;
 
-type Server_Message(seq_id: uint8) = case seq_id of {
+type Server_Message(seq_id: uint8, pkt_len: uint32) = case seq_id of {
 	0       -> initial_handshake: Initial_Handshake_Packet;
-	default -> command_response : Command_Response;
+	default -> command_response : Command_Response(pkt_len);
 };
 
 type Client_Message(state: int) = case state of {
@@ -225,18 +250,20 @@ type Command_Request_Packet = record {
 	command			: uint8;
 	arg    			: bytestring &restofdata;
 } &let {
-	update_expectation	: bool = $context.connection.set_next_expected(EXPECT_COLUMN_COUNT);
+	update_expectation	: bool = $context.connection.set_next_expected_from_command(command);
 };
 
 # Command Response
 
-type Command_Response = case $context.connection.get_expectation() of {
+type Command_Response(pkt_len: uint32) = case $context.connection.get_expectation() of {
 	EXPECT_COLUMN_COUNT		-> col_count_meta	: ColumnCountMeta;
-	EXPECT_COLUMN_DEFINITION	-> col_defs		: ColumnDefinitions;
+	EXPECT_COLUMN_DEFINITION	-> col_def		: ColumnDefinition;
-	EXPECT_RESULTSET		-> resultset		: Resultset;
+	EXPECT_COLUMN_DEFINITION_OR_EOF	-> def_or_eof	: ColumnDefinitionOrEOF(pkt_len);
+	EXPECT_RESULTSET		-> resultset		: Resultset(pkt_len);
+	EXPECT_REST_OF_PACKET		-> rest		: bytestring &restofdata;
 	EXPECT_STATUS			-> status		: Command_Response_Status;
-	EXPECT_EOF1			-> eof1			: EOF1;
+	EXPECT_AUTH_SWITCH -> auth_switch : AuthSwitchRequest;
-	EXPECT_EOF2			-> eof2			: EOF2;
+	EXPECT_EOF			-> eof			: EOF1;
 	default				-> unknow		: empty;
 };
 
@@ -265,39 +292,55 @@ type ColumnCount(byte: uint8) = record {
 } &let {
 	col_num			: uint32 = to_int()(le_column_count);
 	update_col_num		: bool = $context.connection.set_col_count(col_num);
+	update_remain		: bool = $context.connection.set_remaining_cols(col_num);
 	update_expectation	: bool = $context.connection.set_next_expected(EXPECT_COLUMN_DEFINITION);
 };
 
-type ColumnDefinitions = record {
+type ColumnDefinition = record {
-	defs				: ColumnDefinition41[1];
+	dummy: uint8;
+	def				: ColumnDefinition41(dummy);
 } &let {
-	update_expectation	: bool = $context.connection.set_next_expected(EXPECT_EOF1);
+	update_remain	: bool = $context.connection.dec_remaining_cols();
+	update_expectation	: bool = $context.connection.set_next_expected($context.connection.get_remaining_cols() > 0 ? EXPECT_COLUMN_DEFINITION : EXPECT_EOF);
 };
 
+type ColumnDefinitionOrEOF(pkt_len: uint32) = record {
+	marker: uint8;
+	def_or_eof: case is_eof of {
+		true  -> eof: EOF_Packet;
+		false -> def: ColumnDefinition41(marker);
+	} &requires(is_eof);
+} &let {
+	is_eof: bool = (marker == 0xfe && pkt_len <= 9);
+};
+
+
 type EOF1 = record {
 	eof					: EOF_Packet;
 } &let {
+	update_result_seen	: bool = $context.connection.set_results_seen(0);
 	update_expectation	: bool = $context.connection.set_next_expected(EXPECT_RESULTSET);
 };
 
-type EOF2 = record {
+type Resultset(pkt_len: uint32) = record {
-	eof					: EOF_Packet;
+	marker: uint8;
+	row_or_eof: case is_eof of {
+		true  -> eof: EOF_Packet;
+		false -> row: ResultsetRow(marker);
+	} &requires(is_eof);
 } &let {
-	update_expectation	: bool = $context.connection.set_next_expected(NO_EXPECTATION);
+	is_eof: bool = (marker == 0xfe && pkt_len <= 9);
+	update_result_seen	: bool = $context.connection.inc_results_seen();
+	update_expectation	: bool = $context.connection.set_next_expected(is_eof ? NO_EXPECTATION : EXPECT_RESULTSET);
 };
 
-type Resultset = record {
+type ResultsetRow(first_byte: uint8) = record {
-	rows				: ResultsetRow[] &until($input.length()==0);
+	first_field: LengthEncodedStringArg(first_byte);
-} &let {
+	fields: LengthEncodedString[$context.connection.get_col_count() - 1];
-	update_expectation	: bool = $context.connection.set_next_expected(EXPECT_EOF2);
 };
 
-type ResultsetRow = record {
+type ColumnDefinition41(first_byte: uint8) = record {
-	fields: LengthEncodedString[$context.connection.get_col_count()];
+	catalog  : LengthEncodedStringArg(first_byte);
-};
-
-type ColumnDefinition41 = record {
-	catalog  : LengthEncodedString;
 	schema   : LengthEncodedString;
 	table    : LengthEncodedString;
 	org_table: LengthEncodedString;
@@ -312,6 +355,12 @@ type ColumnDefinition41 = record {
 	filler   : padding[2];
 };
 
+type AuthSwitchRequest = record {
+	status: uint8;
+	name: NUL_String;
+	data: bytestring &restofdata;
+};
+
 type ColumnDefinition320 = record {
 	table            : LengthEncodedString;
 	name             : LengthEncodedString;
@@ -352,6 +401,8 @@ refine connection MySQL_Conn += {
 		int state_;
 		Expected expected_;
 		uint32 col_count_;
+		uint32 remaining_cols_;
+		uint32 results_seen_;
 	%}
 
 	%init{
@@ -359,6 +410,8 @@ refine connection MySQL_Conn += {
 		state_ = CONNECTION_PHASE;
 		expected_ = EXPECT_STATUS;
 		col_count_ = 0;
+		remaining_cols_ = 0;
+		results_seen_ = 0;
 	%}
 
 	function get_version(): uint8
@@ -394,6 +447,112 @@ refine connection MySQL_Conn += {
 		return true;
 		%}
 
+	function set_next_expected_from_command(cmd: uint8): bool
+		%{
+		switch ( cmd ) {
+		case COM_SLEEP:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_QUIT:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_INIT_DB:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_QUERY:
+			expected_ = EXPECT_COLUMN_COUNT;
+			break;
+		case COM_FIELD_LIST:
+			expected_ = EXPECT_COLUMN_DEFINITION_OR_EOF;
+			break;
+		case COM_CREATE_DB:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_DROP_DB:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_REFRESH:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_SHUTDOWN:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_STATISTICS:
+			expected_ = EXPECT_REST_OF_PACKET;
+			break;
+		case COM_PROCESS_INFO:
+			expected_ = EXPECT_COLUMN_COUNT;
+			break;
+		case COM_CONNECT:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_PROCESS_KILL:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_DEBUG:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_PING:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_TIME:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_DELAYED_INSERT:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_CHANGE_USER:
+			expected_ = EXPECT_AUTH_SWITCH;
+			break;
+		case COM_BINLOG_DUMP:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_TABLE_DUMP:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_CONNECT_OUT:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_REGISTER_SLAVE:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_STMT_PREPARE:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_STMT_EXECUTE:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_STMT_SEND_LONG_DATA:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_STMT_CLOSE:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_STMT_RESET:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_SET_OPTION:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_STMT_FETCH:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_DAEMON:
+			expected_ = EXPECT_STATUS;
+			break;
+		case COM_BINLOG_DUMP_GTID:
+			expected_ = NO_EXPECTATION;
+			break;
+		case COM_RESET_CONNECTION:
+			expected_ = EXPECT_STATUS;
+			break;
+		default:
+			expected_ = NO_EXPECTATION;
+			break;
+		}
+		return true;
+		%}
+
 	function get_col_count(): uint32
 		%{
 		return col_count_;
@@ -404,4 +563,38 @@ refine connection MySQL_Conn += {
 		col_count_ = i;
 		return true;
 		%}
+
+	function get_remaining_cols(): uint32
+		%{
+		return remaining_cols_;
+		%}
+
+	function set_remaining_cols(i: uint32): bool
+		%{
+		remaining_cols_ = i;
+		return true;
+		%}
+
+	function dec_remaining_cols(): bool
+		%{
+		--remaining_cols_;
+		return true;
+		%}
+
+	function get_results_seen(): uint32
+		%{
+		return results_seen_;
+		%}
+
+	function set_results_seen(i: uint32): bool
+		%{
+		results_seen_ = i;
+		return true;
+		%}
+
+	function inc_results_seen(): bool
+		%{
+		++results_seen_;
+		return true;
+		%}
 };

src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac

@@ -99,7 +99,7 @@ refine connection SMB_Conn += {
 					response->Assign(1, new Val(${val.ntlm.is_guest}, TYPE_BOOL));
 					response->Assign(2, smb_string2stringval(${val.ntlm.native_os}));
 					response->Assign(3, smb_string2stringval(${val.ntlm.native_lanman}));
-					response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));
+					//response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));
 					//response->Assign(5, bytestring_to_val(${val.ntlm.security_blob}));
 					break;
 				default: // Error!
@@ -242,7 +242,6 @@ type SMB1_session_setup_andx_response_ntlm(header: SMB_Header, offset: uint16) =
 	# offset + 1 due to word_count in the parent type
 	native_os            : SMB_string(header.unicode, offsetof(native_os) + 1);
 	native_lanman        : SMB_string(header.unicode, offsetof(native_lanman) + 1);
-	primary_domain       : SMB_string(header.unicode, offsetof(primary_domain) + 1);
 
 	extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters)));
 

testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	mysql
-#open	2016-07-13-16-16-46
+#open	2018-05-17-12-54-47
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd	arg	success	rows	response
 #types	time	string	addr	port	addr	port	string	string	bool	count	string
 1362452327.618353	CtPZjS20MLrsMUOJi2	192.168.1.3	55845	192.168.1.8	3306	login	root_nope	F	-	Access denied for user 'root_nope'@'lumberjack.home' (using password: NO)
@@ -16,6 +16,6 @@
 1362452360.410803	C0LAHyvtKSQHyJxIl	192.168.1.3	55863	192.168.1.8	3306	login	root	F	-	Access denied for user 'root'@'lumberjack.home' (using password: YES)
 1362452361.886123	CFLRIC3zaTU1loLGxh	192.168.1.3	55864	192.168.1.8	3306	login	root	F	-	Access denied for user 'root'@'lumberjack.home' (using password: YES)
 1362452372.452858	C9rXSW3KSpTYvPrlI1	192.168.1.3	55865	192.168.1.8	3306	login	root	T	0	-
-1362452372.454995	C9rXSW3KSpTYvPrlI1	192.168.1.3	55865	192.168.1.8	3306	query	select @@version_comment limit 1	T	1	-
+1362452372.454995	C9rXSW3KSpTYvPrlI1	192.168.1.3	55865	192.168.1.8	3306	query	select @@version_comment limit 1	T	0	-
 1362452372.991997	C9rXSW3KSpTYvPrlI1	192.168.1.3	55865	192.168.1.8	3306	quit	(empty)	-	-	-
-#close	2016-07-13-16-16-46
+#close	2018-05-17-12-54-47

testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log

@@ -3,25 +3,25 @@
 #empty_field	(empty)
 #unset_field	-
 #path	mysql
-#open	2016-07-13-16-16-46
+#open	2018-05-17-04-01-33
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd	arg	success	rows	response
 #types	time	string	addr	port	addr	port	string	string	bool	count	string
 1216281025.136728	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	login	tfoerste	T	0	-
-1216281025.137062	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	select @@version_comment limit 1	T	1	-
+1216281025.137062	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	select @@version_comment limit 1	T	0	-
-1216281030.835001	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	SELECT DATABASE()	T	1	-
+1216281030.835001	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	SELECT DATABASE()	T	0	-
 1216281030.835395	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	init_db	test	T	0	-
-1216281030.835742	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	show databases	T	1	-
+1216281030.835742	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	show databases	T	0	-
-1216281030.836349	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	show tables	T	1	-
+1216281030.836349	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	show tables	T	0	-
-1216281030.836757	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	field_list	agent	T	3	-
+1216281030.836757	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	field_list	agent	-	-	-
 1216281048.287657	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM	T	0	-
 1216281057.746222	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	insert into foo (animal, name) values ("dog", "Goofy")	T	1	-
 1216281061.713980	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	insert into foo (animal, name) values ("cat", "Garfield")	T	1	-
-1216281066.549786	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	select * from foo	T	3	-
+1216281066.549786	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	select * from foo	T	0	-
 1216281072.304467	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo where name like '%oo%'	T	1	-
 1216281079.450037	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo where id = 1	T	0	-
-1216281087.437392	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	select count(*) from foo	T	1	-
+1216281087.437392	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	select count(*) from foo	T	0	-
-1216281109.107769	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	select * from foo	T	3	-
+1216281109.107769	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	select * from foo	T	0	-
 1216281116.209268	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo	T	1	-
 1216281122.880561	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	query	drop table foo	T	0	-
 1216281124.418765	CHhAvVGS1DHFjwGM9	192.168.0.254	56162	192.168.0.254	3306	quit	(empty)	-	-	-
-#close	2016-07-13-16-16-46
+#close	2018-05-17-04-01-33

testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/out

@@ -0,0 +1,42 @@
+mysql ok, 0
+mysql request, 3, select @@version_comment limit 1
+mysql ok, 0
+mysql result row, [Gentoo Linux mysql-5.0.54]
+mysql request, 3, SELECT DATABASE()
+mysql ok, 0
+mysql result row, []
+mysql request, 2, test
+mysql ok, 0
+mysql request, 3, show databases
+mysql ok, 0
+mysql result row, [information_schema]
+mysql result row, [test]
+mysql request, 3, show tables
+mysql ok, 0
+mysql result row, [agent]
+mysql request, 4, agent\x00
+mysql request, 3, create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM
+mysql ok, 0
+mysql request, 3, insert into foo (animal, name) values ("dog", "Goofy")
+mysql ok, 1
+mysql request, 3, insert into foo (animal, name) values ("cat", "Garfield")
+mysql ok, 1
+mysql request, 3, select * from foo
+mysql ok, 0
+mysql result row, [1, dog, Goofy]
+mysql result row, [2, cat, Garfield]
+mysql request, 3, delete from foo where name like '%oo%'
+mysql ok, 1
+mysql request, 3, delete from foo where id = 1
+mysql ok, 0
+mysql request, 3, select count(*) from foo
+mysql ok, 0
+mysql result row, [1]
+mysql request, 3, select * from foo
+mysql ok, 0
+mysql result row, [2, cat, Garfield]
+mysql request, 3, delete from foo
+mysql ok, 1
+mysql request, 3, drop table foo
+mysql ok, 0
+mysql request, 1, 

testing/btest/scripts/base/protocols/mysql/wireshark.test

@@ -1,6 +1,27 @@
 # This tests a PCAP with a few MySQL commands from the Wireshark samples.
 
-# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff mysql.log
 
 @load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_result_row(c: connection, row: string_vec)
+	{
+	print "mysql result row", row;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}