Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

mysql: Recognize when client/server negotiate SSL

Browse source 
This instantiates the SSL analyzer when the client requests SSL
so that Zeek now has a bit more visibility into encrypted MySQL
connections.

The pattern used is the same as in the IMAP, POP or XMPP analyzer.
This commit is contained in:
Arne Welzel 2023-01-27 11:15:23 +01:00
parent e9caea9694
commit fa48c88533
16 changed files with 144 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/analyzer/protocol/mysql/mysql-protocol.pac
View file

@ -158,7 +158,8 @@ enum EOFType {
};
enum Client_Capabilities {
# Expects an OK (instead of EOF) after the resultset rows of a Text Resultset.
CLIENT_SSL = 0x00000800,
# Expects an OK (instead of EOF) after the resultset rows of a Text Resultset.
CLIENT_DEPRECATE_EOF = 0x01000000,
};
@ -237,13 +238,17 @@ type Handshake_Response_Packet = case $context.connection.get_version() of {
version: uint8 = $context.connection.get_version();
};
type Handshake_Credentials_v10 = record {
username : NUL_String;
password : bytestring &restofdata;
};
type Handshake_Response_Packet_v10 = record {
cap_flags : uint32;
max_pkt_size: uint32;
char_set : uint8;
pad : padding[23];
username : NUL_String;
password : bytestring &restofdata;
credentials : Handshake_Credentials_v10[] &until($input.length() == 0);
} &let {
deprecate_eof: bool = $context.connection.set_deprecate_eof(cap_flags & CLIENT_DEPRECATE_EOF);
};