mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Merge remote-tracking branch 'origin/topic/vladg/mysql'
* origin/topic/vladg/mysql: Update baselines. Fix a logic bug with handling quits after the cleanup. Integrate MySQL with the software framework A bit of MySQL cleanup - removed unused events, consolidated similar events, fixed up main.bro a bit Move MySQL analyzer to the new plugin architecture. Add a btest for the Wireshark sample MySQL PCAP Add support for more commands, and support quit Redo the response handling.. Whitespace/readability fixes. Add memleak and auth btests. Update baselines. Get MySQL to compile and add basic v9 support. MySQL analyzer
This commit is contained in:
Robin Sommer
commit
e8e81043a1
37 changed files with 1390 additions and 348 deletions
1
scripts/base/protocols/mysql/__load__.bro
Normal file
1
scripts/base/protocols/mysql/__load__.bro
Normal file
|
|
@ -0,0 +1 @@
|
|||
@load ./main
|
||||
38
scripts/base/protocols/mysql/consts.bro
Normal file
38
scripts/base/protocols/mysql/consts.bro
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
module MySQL;
|
||||
|
||||
export {
|
||||
const commands: table[count] of string = {
|
||||
[0] = "sleep",
|
||||
[1] = "quit",
|
||||
[2] = "init_db",
|
||||
[3] = "query",
|
||||
[4] = "field_list",
|
||||
[5] = "create_db",
|
||||
[6] = "drop_db",
|
||||
[7] = "refresh",
|
||||
[8] = "shutdown",
|
||||
[9] = "statistics",
|
||||
[10] = "process_info",
|
||||
[11] = "connect",
|
||||
[12] = "process_kill",
|
||||
[13] = "debug",
|
||||
[14] = "ping",
|
||||
[15] = "time",
|
||||
[16] = "delayed_insert",
|
||||
[17] = "change_user",
|
||||
[18] = "binlog_dump",
|
||||
[19] = "table_dump",
|
||||
[20] = "connect_out",
|
||||
[21] = "register_slave",
|
||||
[22] = "stmt_prepare",
|
||||
[23] = "stmt_execute",
|
||||
[24] = "stmt_send_long_data",
|
||||
[25] = "stmt_close",
|
||||
[26] = "stmt_reset",
|
||||
[27] = "set_option",
|
||||
[28] = "stmt_fetch",
|
||||
[29] = "daemon",
|
||||
[30] = "binlog_dump_gtid",
|
||||
[31] = "reset_connection",
|
||||
} &default=function(i: count): string { return fmt("unknown-%d", i); };
|
||||
}
|
||||
116
scripts/base/protocols/mysql/main.bro
Normal file
116
scripts/base/protocols/mysql/main.bro
Normal file
|
|
@ -0,0 +1,116 @@
|
|||
##! Implements base functionality for MySQL analysis. Generates the mysql.log file.
|
||||
|
||||
module MySQL;
|
||||
|
||||
@load ./consts
|
||||
|
||||
export {
|
||||
redef enum Log::ID += { mysql::LOG };
|
||||
|
||||
type Info: record {
|
||||
## Timestamp for when the event happened.
|
||||
ts: time &log;
|
||||
## Unique ID for the connection.
|
||||
uid: string &log;
|
||||
## The connection's 4-tuple of endpoint addresses/ports.
|
||||
id: conn_id &log;
|
||||
## The command that was issued
|
||||
cmd: string &log;
|
||||
## The argument issued to the command
|
||||
arg: string &log;
|
||||
## The result (error, OK, etc.) from the server
|
||||
result: string &log &optional;
|
||||
## Server message, if any
|
||||
response: string &log &optional;
|
||||
};
|
||||
|
||||
## Event that can be handled to access the MySQL record as it is sent on
|
||||
## to the logging framework.
|
||||
global log_mysql: event(rec: Info);
|
||||
}
|
||||
|
||||
redef record connection += {
|
||||
mysql: Info &optional;
|
||||
};
|
||||
|
||||
const ports = { 1434/tcp, 3306/tcp };
|
||||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
Log::create_stream(mysql::LOG, [$columns=Info, $ev=log_mysql]);
|
||||
Analyzer::register_for_ports(Analyzer::ANALYZER_MYSQL, ports);
|
||||
}
|
||||
|
||||
event mysql_handshake(c: connection, username: string)
|
||||
{
|
||||
if ( ! c?$mysql )
|
||||
{
|
||||
local info: Info;
|
||||
info$ts = network_time();
|
||||
info$uid = c$uid;
|
||||
info$id = c$id;
|
||||
info$cmd = "login";
|
||||
info$arg = username;
|
||||
c$mysql = info;
|
||||
}
|
||||
}
|
||||
|
||||
event mysql_command_request(c: connection, command: count, arg: string) &priority=5
|
||||
{
|
||||
if ( ! c?$mysql )
|
||||
{
|
||||
local info: Info;
|
||||
info$ts = network_time();
|
||||
info$uid = c$uid;
|
||||
info$id = c$id;
|
||||
info$cmd = commands[command];
|
||||
info$arg = sub(arg, /\0$/, "");
|
||||
c$mysql = info;
|
||||
}
|
||||
}
|
||||
|
||||
event mysql_command_request(c: connection, command: count, arg: string) &priority=-5
|
||||
{
|
||||
if ( c?$mysql && c$mysql?$cmd && c$mysql$cmd == "quit" )
|
||||
{
|
||||
# We get no response for quits, so let's just log it now.
|
||||
Log::write(mysql::LOG, c$mysql);
|
||||
delete c$mysql;
|
||||
}
|
||||
}
|
||||
|
||||
event mysql_error(c: connection, code: count, msg: string) &priority=5
|
||||
{
|
||||
if ( c?$mysql )
|
||||
{
|
||||
c$mysql$result = "error";
|
||||
c$mysql$response = msg;
|
||||
}
|
||||
}
|
||||
|
||||
event mysql_error(c: connection, code: count, msg: string) &priority=-5
|
||||
{
|
||||
if ( c?$mysql )
|
||||
{
|
||||
Log::write(mysql::LOG, c$mysql);
|
||||
delete c$mysql;
|
||||
}
|
||||
}
|
||||
|
||||
event mysql_ok(c: connection, affected_rows: count) &priority=5
|
||||
{
|
||||
if ( c?$mysql )
|
||||
{
|
||||
c$mysql$result = "ok";
|
||||
c$mysql$response = fmt("Affected rows: %d", affected_rows);
|
||||
}
|
||||
}
|
||||
|
||||
event mysql_ok(c: connection, affected_rows: count) &priority=-5
|
||||
{
|
||||
if ( c?$mysql )
|
||||
{
|
||||
Log::write(mysql::LOG, c$mysql);
|
||||
delete c$mysql;
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue