The ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap file was harvested
from the CTU-SME-11 (Experiment-VM-Microsoft-Windows7AD-1) dataset
at https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
Closes#3853
* origin/topic/awelzel/mysql-amazing-pp-issue-2716-additions:
mysql: Simplify length computation
mysql: Improve date and time parsing
btest/mysql: Clean query-attr.pcapng
mysql: Support non-string query attributes
btest/mysql: Add pcap with non-string query attributes
mysql: Introduce mysql_ssl_request event
mysql: Fix EOFIfLegacyThenResultSet
mysql: Add data parameter to mysql_auth_plugin
mysql: Add mysql_auth_plugin, mysql_auth_more_data and mysql_auth_switch_request events
mysql: AuthSwitchRequest: &enforce a 0xfe / 254 status
mysql: Make auth_plugin_ a std::string
mysql: Fix auth_plugin_data_part2 length computation
Refactored connection phase state handling
Add support for "auth switch" and "query attrs"
Add support for parsing the "caching_sha2_password" auth plugin
Pcap was generated as follows. Doesn't seem wireshark even parses
this properly right now.
with common.get_connection() as c:
with c.cursor() as cur:
date1 = datetime.date(1987, 10, 18)
datetime1 = datetime.datetime(1990, 9, 26, 12, 13, 14)
cur.add_attribute("number1", 42)
cur.add_attribute("string1", "a string")
cur.add_attribute("date1", date1)
cur.add_attribute("datetime1", datetime1)
cur.execute("SELECT version()")
result = cur.fetchall()
print("result", result)
Remove caching_sha2_password parsing/state from the analyzer and implement
the generic events. If we actually want to peak into the authentication
mechanism, we could write a separate analyzer for it. For now, treat it
as opaque values that are exposed to script land.
The added tests show the --get-server-public-key in use where
mysql_auth_more_data contains an RSA public key.
* origin/topic/vern/script-opt-maint.Aug24:
minor optimization of boolean comparisons
fix & regression test for GH-3839 (spurious warnings for "when" constructs)
The analyzer now detects partial connections at the beginning of a
connection - and will skip them. This makes behavior more similar to the
binpac analyzer.
The decryption test is skipped.
And some minor refacoring.
Instead of dissecting the GSSAPI handshake, add another heuristic
into MaybeEncrypted to check for the WRAP token identifier.
After this change, the pcap on the following ticket is processed
nicely: https://gitlab.com/wireshark/migration-test/-/issues/9398
@dopheide-esnet provided sample captures where SASL SRP is used as
a SASL mechanism and the follow-up LDAP messages are encrypted. It's
not clear how to determine whether encryption will or will not happen,
so re-add a heuristic to determine this based on the first byte of
the first message *after* the successful bindResponse handshake. If
that byte is 0x30, assume cleartext.
I haven't been able to produce such pcaps, unfortunately, but the
cleartext path is tested via the existing sasl-ntlm.pcap.
PCAP was produced with a local OpenLDAP server configured to support StartTLS.
This puts the Zeek calls into a separate ldap_zeek.spicy file/module
to separate it from LDAP.
* origin/master:
Update broker submodule [nomail]
telemetry: Deprecate prometheus.zeek policy script
input/Manager: Improve type checks of record fields with type any
Bump zeek-testing-cluster to pull in tee SIGPIPE fix
ldap: Remove MessageWrapper with magic 0x30 searching
ldap: Harden parsing a bit
ldap: Handle integrity-only KRB wrap tokens
Bump auxil/spicy to latest development snapshot
CI: Set FETCH_CONTENT_FULLY_DISCONNECTED flag for configure
Update broker and cmake submodules [nomail]
Fix a broken merge
Do not emit hook files for builtin modules
Fix warning about grealpath when running 'make dist' on Linux
Start of 7.1.0 development
Updating submodule(s) [nomail]
Update the scripts.base.frameworks.telemetry.internal-metrics test
Revert "Temporarily disable the scripts/base/frameworks/telemetry/internal-metrics btest"
Bump Broker to pull in new Prometheus support and pass in Zeek's registry
Do not emit hook files for builtin modules
