Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 00:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

A bit of MySQL cleanup - removed unused events, consolidated similar events, fixed up main.bro a bit

Browse source
This commit is contained in:
Vlad Grigorescu 2014-10-28 16:25:32 -06:00
parent 45d5080870
commit e2ad93c543
6 changed files with 167 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

38
scripts/base/protocols/mysql/consts.bro Normal file
View file

@ -0,0 +1,38 @@
module MySQL;
export {
const commands: table[count] of string = {
[0] = "sleep",
[1] = "quit",
[2] = "init_db",
[3] = "query",
[4] = "field_list",
[5] = "create_db",
[6] = "drop_db",
[7] = "refresh",
[8] = "shutdown",
[9] = "statistics",
[10] = "process_info",
[11] = "connect",
[12] = "process_kill",
[13] = "debug",
[14] = "ping",
[15] = "time",
[16] = "delayed_insert",
[17] = "change_user",
[18] = "binlog_dump",
[19] = "table_dump",
[20] = "connect_out",
[21] = "register_slave",
[22] = "stmt_prepare",
[23] = "stmt_execute",
[24] = "stmt_send_long_data",
[25] = "stmt_close",
[26] = "stmt_reset",
[27] = "set_option",
[28] = "stmt_fetch",
[29] = "daemon",
[30] = "binlog_dump_gtid",
[31] = "reset_connection",
} &default=function(i: count): string { return fmt("unknown-%d", i); };
}

77
scripts/base/protocols/mysql/main.bro
View file

@ -2,6 +2,8 @@
module MySQL; module MySQL;
@load ./consts
export { export {
redef enum Log::ID += { mysql::LOG }; redef enum Log::ID += { mysql::LOG };
@ -33,48 +35,13 @@ redef record connection += {
const ports = { 1434/tcp, 3306/tcp }; const ports = { 1434/tcp, 3306/tcp };
const commands: table[count] of string = {
[0] = "sleep",
[1] = "quit",
[2] = "init_db",
[3] = "query",
[4] = "field_list",
[5] = "create_db",
[6] = "drop_db",
[7] = "refresh",
[8] = "shutdown",
[9] = "statistics",
[10] = "process_info",
[11] = "connect",
[12] = "process_kill",
[13] = "debug",
[14] = "ping",
[15] = "time",
[16] = "delayed_insert",
[17] = "change_user",
[18] = "binlog_dump",
[19] = "table_dump",
[20] = "connect_out",
[21] = "register_slave",
[22] = "stmt_prepare",
[23] = "stmt_execute",
[24] = "stmt_send_long_data",
[25] = "stmt_close",
[26] = "stmt_reset",
[27] = "set_option",
[28] = "stmt_fetch",
[29] = "daemon",
[30] = "binlog_dump_gtid",
[31] = "reset_connection",
} &default=function(i: count): string { return fmt("unknown-%d", i); };
event bro_init() &priority=5 event bro_init() &priority=5
{ {
Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql]); Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql]);
Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports); Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
} }
event mysql_handshake_response(c: connection, username: string) event mysql_handshake(c: connection, username: string)
{ {
if ( !c?$mysql ) if ( !c?$mysql )
{ {
@ -88,7 +55,7 @@ event mysql_handshake_response(c: connection, username: string)
} }
} }
event mysql_command_request(c: connection, command: count, arg: string) event mysql_command_request(c: connection, command: count, arg: string) &priority=5
{ {
if ( !c?$mysql ) if ( !c?$mysql )
{ {
@ -99,6 +66,13 @@ event mysql_command_request(c: connection, command: count, arg: string)
info$cmd = commands[command]; info$cmd = commands[command];
info$arg = sub(arg, /\0$/, ""); info$arg = sub(arg, /\0$/, "");
c$mysql = info; c$mysql = info;
}
}
event mysql_command_request(c: connection, command: count, arg: string) &priority=-5
{
if ( !c?$mysql )
{
if ( command == 1 ) if ( command == 1 )
{ {
# We get no response for quits, so let's just log it now. # We get no response for quits, so let's just log it now.
@ -108,34 +82,37 @@ event mysql_command_request(c: connection, command: count, arg: string)
} }
} }
event mysql_command_response(c: connection, response: count) event mysql_error(c: connection, code: count, msg: string) &priority=5
{
if ( c?$mysql )
{
c$mysql$result = "ok";
c$mysql$response = fmt("Affected rows: %d", response);
Log::write(mysql::LOG, c$mysql);
delete c$mysql;
}
}
event mysql_error(c: connection, code: count, msg: string)
{ {
if ( c?$mysql ) if ( c?$mysql )
{ {
c$mysql$result = "error"; c$mysql$result = "error";
c$mysql$response = msg; c$mysql$response = msg;
}
}
event mysql_error(c: connection, code: count, msg: string) &priority=-5
{
if ( c?$mysql )
{
Log::write(mysql::LOG, c$mysql); Log::write(mysql::LOG, c$mysql);
delete c$mysql; delete c$mysql;
} }
} }
event mysql_ok(c: connection, affected_rows: count) event mysql_ok(c: connection, affected_rows: count) &priority=5
{ {
if ( c?$mysql ) if ( c?$mysql )
{ {
c$mysql$result = "ok"; c$mysql$result = "ok";
c$mysql$response = fmt("Affected rows: %d", affected_rows); c$mysql$response = fmt("Affected rows: %d", affected_rows);
}
}
event mysql_ok(c: connection, affected_rows: count) &priority=-5
{
if ( c?$mysql )
{
Log::write(mysql::LOG, c$mysql); Log::write(mysql::LOG, c$mysql);
delete c$mysql; delete c$mysql;
} }

2
src/analyzer/protocol/mysql/MySQL.h
View file

@ -33,7 +33,7 @@ public:
static bool Available() static bool Available()
{ {
return ( mysql_command_response || mysql_server_version || mysql_debug || mysql_handshake_response || mysql_login || mysql_command_request ); return ( mysql_command_request || mysql_error || mysql_ok || mysql_server_version || mysql_handshake );
} }
protected: protected:

67
src/analyzer/protocol/mysql/events.bif
View file

@ -1,10 +1,65 @@
event mysql_command_response%(c: connection, response: count%); ## Generated for a command request from a MySQL client.
event mysql_server_version%(c: connection, ver: string%); ##
event mysql_debug%(c: connection, ver: count%); ## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
event mysql_handshake_response%(c: connection, username: string%); ## for more information about the MySQL protocol.
##
event mysql_login%(c: connection, username: string, success: bool%); ## c: The connection.
##
## command: The numerical code of the command issued.
##
## arg: The argument for the command (empty string if not provided).
##
## .. bro:see:: mysql_error mysql_ok mysql_server_version mysql_handshake_response
event mysql_command_request%(c: connection, command: count, arg: string%); event mysql_command_request%(c: connection, command: count, arg: string%);
## Generated for an unsuccessful MySQL response.
##
## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
## for more information about the MySQL protocol.
##
## c: The connection.
##
## code: The error code.
##
## msg: Any extra details about the error (empty string if not provided).
##
## .. bro:see:: mysql_command_request mysql_ok mysql_server_version mysql_handshake_response
event mysql_error%(c: connection, code: count, msg: string%); event mysql_error%(c: connection, code: count, msg: string%);
## Generated for a successful MySQL response.
##
## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
## for more information about the MySQL protocol.
##
## c: The connection.
##
## affected_rows: The number of rows that were affected.
##
## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake_response
event mysql_ok%(c: connection, affected_rows: count%); event mysql_ok%(c: connection, affected_rows: count%);
## Generated for the initial server handshake packet, which includes the MySQL server version.
##
## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
## for more information about the MySQL protocol.
##
## c: The connection.
##
## ver: The server version string.
##
## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_handshake_response
event mysql_server_version%(c: connection, ver: string%);
## Generated for a client handshake response packet, which includes the username the client is attempting
## to connect as.
##
## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
## for more information about the MySQL protocol.
##
## c: The connection.
##
## username: The username supplied by the client
##
## .. bro:see:: mysql_command_request mysql_error mysql_ok mysql_server_version
event mysql_handshake%(c: connection, username: string%);

59
src/analyzer/protocol/mysql/mysql-analyzer.pac
View file

@ -1,25 +1,32 @@
refine flow MySQL_Flow += { refine flow MySQL_Flow += {
function proc_mysql_handshakev10(msg: Handshake_v10): bool function proc_mysql_initial_handshake_packet(msg: Initial_Handshake_Packet): bool
%{ %{
if ( mysql_server_version ) if ( mysql_server_version )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), {
bytestring_to_val(${msg.server_version})); if ( ${msg.version} == 10 )
connection()->bro_analyzer()->ProtocolConfirmation(); BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.handshake10.server_version}));
if ( ${msg.version} == 9 )
BifEvent::generate_mysql_server_version(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.handshake9.server_version}));
}
return true; return true;
%} %}
function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool
%{ %{
if ( mysql_handshake_response ) if ( mysql_handshake )
{ {
if ( ${msg.version} == 10 ) if ( ${msg.version} == 10 )
BifEvent::generate_mysql_handshake_response(connection()->bro_analyzer(), BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.v10_response.username})); bytestring_to_val(${msg.v10_response.username}));
if ( ${msg.version} == 9 ) if ( ${msg.version} == 9 )
BifEvent::generate_mysql_handshake_response(connection()->bro_analyzer(), BifEvent::generate_mysql_handshake(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(${msg.v9_response.username})); bytestring_to_val(${msg.v9_response.username}));
} }
return true; return true;
%} %}
@ -27,37 +34,45 @@ refine flow MySQL_Flow += {
function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool
%{ %{
if ( mysql_command_request ) if ( mysql_command_request )
BifEvent::generate_mysql_command_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), BifEvent::generate_mysql_command_request(connection()->bro_analyzer(),
${msg.command}, bytestring_to_val(${msg.arg})); connection()->bro_analyzer()->Conn(),
${msg.command},
bytestring_to_val(${msg.arg}));
return true; return true;
%} %}
function proc_err_packet(msg: ERR_Packet): bool function proc_err_packet(msg: ERR_Packet): bool
%{ %{
if ( mysql_error ) if ( mysql_error )
BifEvent::generate_mysql_error(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), BifEvent::generate_mysql_error(connection()->bro_analyzer(),
${msg.code}, bytestring_to_val(${msg.msg})); connection()->bro_analyzer()->Conn(),
${msg.code},
bytestring_to_val(${msg.msg}));
return true; return true;
%} %}
function proc_ok_packet(msg: OK_Packet): bool function proc_ok_packet(msg: OK_Packet): bool
%{ %{
if ( mysql_ok ) if ( mysql_ok )
BifEvent::generate_mysql_ok(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.rows}); BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.rows});
return true; return true;
%} %}
function proc_resultset(msg: Resultset): bool function proc_resultset(msg: Resultset): bool
%{ %{
if ( mysql_command_response ) if ( mysql_ok )
BifEvent::generate_mysql_command_response(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.rows}->size()); BifEvent::generate_mysql_ok(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
${msg.rows}->size());
return true; return true;
%} %}
}; };
refine typeattr Handshake_v10 += &let { refine typeattr Initial_Handshake_Packet += &let {
proc = $context.flow.proc_mysql_handshakev10(this); proc = $context.flow.proc_mysql_initial_handshake_packet(this);
}; };
refine typeattr Handshake_Response_Packet += &let { refine typeattr Handshake_Response_Packet += &let {
@ -77,5 +92,5 @@ refine typeattr OK_Packet += &let {
}; };
refine typeattr Resultset += &let { refine typeattr Resultset += &let {
debug = $context.flow.proc_resultset(this); proc = $context.flow.proc_resultset(this);
}; };

6
src/analyzer/protocol/mysql/mysql-protocol.pac
View file

@ -159,14 +159,14 @@ type Client_Message(state: int) = case state of {
# Handshake Request # Handshake Request
type Initial_Handshake_Packet = record { type Initial_Handshake_Packet = record {
protocol_version: uint8; version : uint8;
pkt : case protocol_version of { pkt : case version of {
10 -> handshake10 : Handshake_v10; 10 -> handshake10 : Handshake_v10;
9 -> handshake9 : Handshake_v9; 9 -> handshake9 : Handshake_v9;
default -> error : ERR_Packet; default -> error : ERR_Packet;
}; };
} &let { } &let {
set_version : bool = $context.connection.set_version(protocol_version); set_version : bool = $context.connection.set_version(version);
}; };
type Handshake_v10 = record { type Handshake_v10 = record {