From b8d0533f7f5c0b48b3960d6bb9d6ba944b51213f Mon Sep 17 00:00:00 2001 From: QianKai Lin Date: Sun, 29 Sep 2024 09:45:40 +0800 Subject: [PATCH 1/4] mysql: add tests --- tests/mysql-command/input.pcap | Bin 0 -> 5330 bytes tests/mysql-command/suricata.yaml | 15 +++++ tests/mysql-command/test.rules | 1 + tests/mysql-command/test.yaml | 11 ++++ tests/mysql-prepare-statement/README.md | 6 ++ tests/mysql-prepare-statement/input.pcap | Bin 0 -> 14066 bytes tests/mysql-prepare-statement/test.yaml | 73 +++++++++++++++++++++++ tests/mysql-query/README.md | 6 ++ tests/mysql-query/input.pcap | Bin 0 -> 16189 bytes tests/mysql-query/test.yaml | 22 +++++++ tests/mysql-rows/input.pcap | Bin 0 -> 5330 bytes tests/mysql-rows/suricata.yaml | 15 +++++ tests/mysql-rows/test.rules | 1 + tests/mysql-rows/test.yaml | 10 ++++ 14 files changed, 160 insertions(+) create mode 100644 tests/mysql-command/input.pcap create mode 100644 tests/mysql-command/suricata.yaml create mode 100644 tests/mysql-command/test.rules create mode 100644 tests/mysql-command/test.yaml create mode 100644 tests/mysql-prepare-statement/README.md create mode 100644 tests/mysql-prepare-statement/input.pcap create mode 100644 tests/mysql-prepare-statement/test.yaml create mode 100644 tests/mysql-query/README.md create mode 100644 tests/mysql-query/input.pcap create mode 100644 tests/mysql-query/test.yaml create mode 100644 tests/mysql-rows/input.pcap create mode 100644 tests/mysql-rows/suricata.yaml create mode 100644 tests/mysql-rows/test.rules create mode 100644 tests/mysql-rows/test.yaml 
diff --git a/tests/mysql-command/input.pcap b/tests/mysql-command/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cfec35de27dc2264b60c63bc80fda19d48366184 GIT binary patch literal 5330 zcmc(j4Qvy27{>qo7#*Xc6k(uD4@le~*=)DT*rFQ(<@-YzN`aYD)^@9G?QFZTAs<6! z5d{=51Ofyw5fh`1=pdFaH5e5GgG4dT87C82EU2igf@7=C`|sNI?%ImcgogiUukG*N z=Xu||dwO4 z6Z%a#jO_|~&woVg-+N6l^qZZIwe@!?I!$vKQz(*CoK1xb3*IqKB;r{Skys&ah-mZ@ zaZftYh^qDbj}Q&iR1hzPi3N=hO>s7E-`)-4b5;$Tf%<64YJ52GA`!17hilw$P3v#1 zwZDfCvwh0Hu9_C&Tk51HwUX*w{|#+ds8kvv9~F@$wLZ)kk=wWR)w9Y*1Kc40dwvN7U{<0-37z`>|ux$vo^*-*H z@^r!CO#RAv_S8I9YAG#uILpkQa!a~@?a#%IlhP-_JIK9^FvAOYabGggo zO)=zUXBoz$Q90!DS0a}s1DmV6hY!Iz$q;n6)|S=4<4{ zy_~o*CUF>uk4MJp6b-8q5QU1kgB%(*8%$andI;aTklZ8pc!v!Xo%u zz!MDHW`bYQibtcYCawAUK*_MR!irNw+z+A&bXu}un-O@Kh?hHK5;1HhTV&WcQ3r~u z*tkHL^XP12u~6-`kFQ*oOZ$20sf4zqaa%kRTL!|GjW~*>wzR?)I+2HMd0@GQ;cUm3 zOvLoSD=|fEge}7X516cC5jcQI#4O{a1;P`?`Nh-c&dC@<8a~2q8t^79S!-)`_i+vR z5)H$lVL#WfP1M>}2v8{Q2T5hM*+J|d*%#9W+1=REtzdXR3DxwF)_yo8B=J)hHYM>* zR8?JthE2t%Y01Rr2ewdESJaXY?uYm%x%dSU@!!%+kgWp=y9?L^b9_G+`?N&tlMs7A z(y-5Qe0(cu*oS~uV^6eXHJ1gp68!RcNzDgPb2+d1Sy9cOKM2ZDkFCO1>J`QccDJii zpmSB0!-_MK!(Jz>D7U$7LgeKmLJ=w4T%%#X;;Xb|?Yy89sED)85{2bZ*uoXwjI{GK zDb(U+?@*G5EEUk+&MJziqc?--C=+!w3mv7;sHxoKaD9;{N{1Eyv_)(Hcq$bg_yy>E zf^S5=8hJuH#u)@V#shQHFETeRkY9$4v}8S46xhal&@SmgOIq`dA&}o`@ir zNKjI_@X((grpw9E=jgKy`T2PUL$*F!Z!nSTZ7VeF5wiRCKLgjl!_E{+*vPH^S2n8tlZ|TFIEoGDmXhEYVtdUV#ZTNX)Fz5@9X!Nz)kVw> zX#Mu=B_{!n73JD!dpK|%5RoNU##m7qI_MwAh;rmd_Pm~Gb~ZPr&=?pR`fnP%JDj*qFf3}RO?-(<5y2G z#)xvd>H7S%Y4(BvGZ(IilVGU4CX|;zFpmUXYhwtmjwkpF5aUO=ju9mIuVXQZ;wZ;0 zJb|v?T9o_r`UivUN7fxX{>ulGmu?<=$hc#`)z2#P2Gq5rZQbjte&u#Xxr-u~B?Fu5 z`-Km|+ma!uwr7_#NTM7c0_xl7XA(s@->;l_ASO{9= zpT3lLTQfleitS~BhcN}r(kotU2ef`vsiIcMJRPuR#rP5r53Nl zwlMZL-TVD@ literal 0 HcmV?d00001 diff --git a/tests/mysql-command/suricata.yaml b/tests/mysql-command/suricata.yaml new file mode 100644 index 000000000..4f6e6be34 --- /dev/null +++ b/tests/mysql-command/suricata.yaml 
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-command/test.rules b/tests/mysql-command/test.rules
new file mode 100644
index 000000000..a74b8ebd8
--- /dev/null
+++ b/tests/mysql-command/test.rules
@@ -0,0 +1 @@
+alert mysql any any -> any any (msg:"test mysql";mysql.command; pcre:"/(?:[1-9]\d{5})(?:(?:1[89]\d{2}|2\d{3})(?:0[1-9]|1[012])(?:0[1-9]|[12][0-9]|3[01]))\d{2}(?:\d)(?:[0-9xX])/i""; sid:1;)
diff --git a/tests/mysql-command/test.yaml b/tests/mysql-command/test.yaml
new file mode 100644
index 000000000..2a597e84c
--- /dev/null
+++ b/tests/mysql-command/test.yaml
@@ -0,0 +1,11 @@
+args:
+- -k none
+
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "test mysql"
+
diff --git a/tests/mysql-prepare-statement/README.md b/tests/mysql-prepare-statement/README.md
new file mode 100644
index 000000000..f3c46bf42
--- /dev/null
+++ b/tests/mysql-prepare-statement/README.md
@@ -0,0 +1,6 @@
+# Test Description
+
+Test mysql prepare statement like `select * from xxx where id = ?`.
+
+## PCAP
+This PCAP was generated from flow in my workspace.
diff --git a/tests/mysql-prepare-statement/input.pcap b/tests/mysql-prepare-statement/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b6367a427813bdd99063ab45bfd6c7e09f2c518c GIT binary patch literal 14066 zcmeI3eQZQcAO{gInQ%{_ndp3ziKC5wkkFy@vtctJehp_NSk%HLs^bKHS6NnoQl=D z__4FwSLQ1&Kd>@GPD_|I>0FRK>{Hg#W{#P*idK{?x!nlmGl&cl(z|{c`e) zeQPgVS@6XN6GQ92)%@yHI~x7BB7x3murttJ(bgW?l4eG}S>$VJ58{o!PJc&WbZw}j z?%NIZD=U_SgU{XYZY}V2wfm!Op>Rj8zoT`w+ve*Ew&uAXnK5t9>>^(z z5XQTGn?jMOW9FP$l{4p5&ZwM4VQ`yfTL`W@_ID1$X(0@Ky_KUIFxvwo@fryODV~Jl zQp^Xnq8*$x-Ge@mDsRBQm-HN7Jd$5mszSsff@uHJd|M3YDCO znnu^EMRhd|E;ZUVx1-rjl^5)jPRj>8Ex!?_4TVrglwMF=4c5A{Lw(G&mT2(QP-Cs zV(+07Bc$vZNvU0}BT|X3E;SWWn5KN5CNk?GnDqo+q?VMHRh~JVmO3FVhcq>34a~aM z1RI7=Rh$-JR~g4ckAKO>^Z0{)SM~QD$`*WsT2e5Au@5;I-!%s#XAOdJf`idx4hBRl zHaN{`xHG47GMQ1MyT-ogbVi9Y*lXzO_6$3nQ34$adktM(YS`&Kb{dx3b;~!vh81vy zT9V}pJagIdCk4w-XsT^5TfW9@Ii!^d@Pd&XfwY7@^H_SeApMpuefR9yhXUv@rY1&A zamPNQ0=#dTBWBx+i1iDnMrIF%wjYWTnw{s+`cf*UqZysVvNX%&*fRv%&=oVDpqV8m zrP+MW-*O>;{hFG4AuY|wEI$7zmi+ktcuv9iHGY?bW*0aZ-!TUx_d;)Fi7iVr{S2&k z4E7qjqSGm8_6}^2(CksR{Bg78B{og9mkTtTOv@dn8Cgya{{_+#npLs%!-90NE}ftm zOW(mt>JtWVV&eXjhtl@5oo6Z&99ukF>+5mXy^d&qB`X zd?BlcHMP*ihe4M)t1hUFBOi704f2H~dc_`3Ctp{a_M()57dbsU%;_m~A&**?f%-yD z?--VGhHeHcIuC4+FmMr@-zb=`X=+jYl0;&E%AjHflKI5IT1ZP)bcG2?E`S0g$orTI@SZS7tO%DtN^Yh@-Z3aj_NSk4XxFAxOt+#dz-(n#boY*HiT&yC zV3uS>_jS(SA|Zb_HMRISb1iYTEwQ2_vvjV}^&@&v))%}arP-$(jBVy%6d&)cbe3gl zrbA5c7!YRYWcQ%A)wNu;6~Sxyc=4rvL^YFPR~LHaAY^xe}; zMFA3;U7`ZKzcNQ`6fS`{>(bHeBorky`;0?NcVG%uY7o;ULTguX36{Nd# z=>*MKdOB2Zw?7r`Tkb^x5}IA10=%!8Bj&^<5U02u<%rRc{s=`0%|7SQu1=|#OtUGx z9WBPVvNXFNGg3)q7O0%mR4B_KErSBqY zr?NEDmt=a!upl#ZGgzBF0~;hXTh5lR5G+5Xsbg~4@>Db<%gN!Lke1MF1xrsAq|fNm zcTck)qW}rbu2BKrpPSh;CKnOAEUe9Rn*9xm5}IA-(9%Z*3~RGt#dI_qjoHf5?0(R! 
zA7)8twvzKVSIFOGO)cAymS$v@PBXroHk|e5gHoFPhl3F|2cv95Z)Is=mS#G{^o{{x zhHeHli^2v8&Fa|lrDn@Z3pI7@fwVLu%ZX;&A^j}+)RL~pMm?)oxiw!s?B)sVAl_&47|bV37OL~z7Tobnq{DlKD}cApP{SAXDaN# z-Z91f)0bd_gn_Hs{2Iaht(rO^en}#+qMJ$wGVf2xd}82XNJ|)4&(g($bdN5bU?5B1 z3kIG-MG^+yq>8*p&6%5kYa*qm1qSW}v8K`(l|xbn-r^KLlv2^mKvrZ1(nnac4E#Sc z&YZO=4S5f1~fNfHZ{{!ny BKxzO0 literal 0 HcmV?d00001 diff --git a/tests/mysql-prepare-statement/test.yaml b/tests/mysql-prepare-statement/test.yaml new file mode 100644 index 000000000..38c69293f --- /dev/null +++ b/tests/mysql-prepare-statement/test.yaml 
@@ -0,0 +1,73 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =1 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =2 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=3 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =4 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =5 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =6 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =7 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=8 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=9 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
diff --git a/tests/mysql-query/README.md b/tests/mysql-query/README.md
new file mode 100644
index 000000000..1de54b6bc
--- /dev/null
+++ b/tests/mysql-query/README.md
@@ -0,0 +1,6 @@
+# Test Description
+
+Test mysql normal sql statement.
+
+## PCAP
+This PCAP was generated from flow in my workspace.
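Review bot: Each of the nine `- filter:` entries in the new tests/mysql-prepare-statement/test.yaml asserts `count: 1` for one specific `mysql.command`, but nothing bounds the total number of `event_type: mysql` events, so an extra or duplicated mysql event for a statement not listed here would pass unnoticed. A closing filter of the form `- filter:` / `count: <total mysql events in the pcap>` / `match:` / `event_type: mysql` would pin that; the total is not visible from the hunk and has to be taken from the pcap. The three commands that wrap onto a continuation line (`... limit` followed by `1`) rely on YAML folding the line break into the single space before `1`; quoting each on one line, e.g. `mysql.command: "select * from requests WHERE id=3 and client_code=client2 limit 1"`, makes the expected string explicit and survives a reformat.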
diff --git a/tests/mysql-query/input.pcap b/tests/mysql-query/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..458bc25e8f0cff003ea45ed9091837cbb35edfe7 GIT binary patch literal 16189 zcmajm3tW};9mnzKa8m(qXlY&owZtomGQ4G|h^VAIN4zv`oe)7u;TVvlRGO}|nz^Lr z7M0CPQkf>2uIOT8CADpN2|MP$S|Ghe;W*^@F-}5}@ zdH8p#tF8WRh!tl2_(z!K!cRWjcs%c(eJ*P{eoQYbdSLnMFXFGie!f#%E6uX*aQB&D zO^A3nsj5@tmv}9CZGQB3JCY`yrr-QZ$RiIGJa1VcVd4A3LfS@lyCq{Y{kkhOv<;Py z?ib2vHusy$mNmgjiTLXrs!~1ryVvH|M!m2C_4-$08aF)o{*Ptcj0R~38zoZ-xni|^v6k8kV2YZ}_JH2H5uUT=vNH|43K7oUvy zOXRZ`Uv6Jj`bm_hYt^~b$NqL~Q`_lzKQyhqT|EO&v?pg-er{ojr!c!9w`00@=!}(F z?z@IgF3Mk#TNLW?7Kbm(FMRN!cAn+SvP<&3MFrv61&flC!aU3K7qv-DN={B5lNjwO z&Mm@k_bl-im$XkDH6kG~IU#X4{!F5Yy!d-z#^U*!bS0L~fiK2O=fFohl2R+zbaLI; zA0eCr~kSvB@b92b+7#qO>fZ(eYUopDx`htRzQvc(Oa&J@)=Mw^jmoaX9(UbFDQ$cO6ToPF$Txg(M?u&{K^fNg?}E7^)=G;FvhTm=66^8S~&k2v37mnveNO}>D6kUW84FH zo^(|N-N{mq)<#wI=Xv7Z)pA#O9`lT$Bh`Vja}H_ehqD*+lP={gZ-qf^NX>mdS%J}$V zynW{v<}UN(E%TOovKJNP7sk^#4t}T|Fpe9>K~Eq-Cul|Dj-<(>c)&OZ=(ypSb;0Sx z1CIa5Wz|AXuU04MTURgxoS@apA_iQt+9`IWBA=i$TTalJ{6f0BWS8W73q8d-OL7ac z+Xfcx{2(f5-N8S``Ao;^#$z^I&iULG=W`duaD8>P3M$%;8P!noQ^#ZU1l5mc0oST&5&?Y+X8V-udjnlFeNHa4Po=j!m_ zqHIiH<1phKdyK`gu5nXw&SOGRHe%H-?xvao)Q^Q8r@LFj7%z?C8vK z7te7VikE*9tuu~b<6xt)=OD~+mz#15oYTt23vXSo6 z`tz}89_CnYQ*r4kp(q=%Y8d7FzH?n~!J`mg*W3HeqW7NpWW3ZyH^(G44m2CL)%j7S zVvoy0Q8r@LFj7%D#|5_pj2=GL`6w0?w$~Yd!o~q+BXx5e%f^02WA8}J@o6^||D7)sWg}J%BNdg#i;nRy&+%gvN53RIrO0y} z$Hu;9;}jSV+f;mPt5B4UST&4PR2mNkjBkXp@iP?H_7v`1vhfZ!N;?mVXNulyeSTD_ z*uA$9ph3q zCZf3F7j1R#kCWKg(`@_>#-%nDPdpm8N+9zFrZZz6>|mpsQ* zHuf+YWBbEc>89e7?S-Oj#HwMWqSAN_|J8w?A9tK$qmAO*`aOWjY`n#6TnOVSHx)PN z_W-bJ7^$c}%&yOkHEBUTL~6_v(*j&TbcA4M@izXy=c#+!}CxSL_z zVpH*|Sd@)eHH=hL8tVh+<4zwNH=_9P4dE$8KGsv&c$3*U3r3$!#fgnVQ8r@LFj7%z z+!ZkH>d3~IP+Xzk1DM9fu4dyiK0m5doIX~2FT|>0q@vR3b&MHotU~edLE$Myp5t^j zb}<|O0%L|v#Z_+$MR|@`HH=hL8b>cc#z$dnvZ?q#u_zm{Y8a`gG_DR9tH!bMKPY;Ogzwm8<4iVoG#lTk z^P@_|``m+7!$?J? 
zv5hmweLTmuzr=r{9wOYi@d5+ys z{9eBY;AUgA*;t4qm#!Z1^{ky?D$9NPQz81b?m*+T(jZtRfPM;rD zDjqr|6y-T$)i6>~Y0Pqri`kfrVy1o%Ad8KWX5(oX7u!@UU#PtoV%0EGQEBYv7++=M z6cjV`djPZ9*v@F|*B8cDZ7SaOvi7+LtA>$^O5=&Z`S`n&Y@CDQ>{#K>B_HcKY;0>b z-dpEKm5Kx6gra<`v1%Bps5EZv+;YwA?#b88A{1-%djNCU*v4#p!RJSnikn~1?g3!c zFj7%z%n8hK_dK3s35t94djRv;7-2Sk4&ywViuZo5eeS`kVWgtc81ER%*|-kHYx+Ha zyV)3SG~N~iW4TSmx919XSNT|D)i6>~X*}Z`>rdFY8O7n^ckJ@{_)|89nT<1H{KTeW zFQ2fhARDo27^$c zy(kvy_W%~KF~n^A7{+v)iUT%k_W-bJ7^$cF=pQ2c!-vjs=8!fZ(P8dJ1shE?ly%%EDFj7%z{J=3@ zXX8l}FYEUJ?j>Vcli9cm#_Ki}_v-fmuxflngo;Yzx`6S`QEWVmVuOAUz{AEyv+;n> zk17@4!e>P^p98?EVWgtcnC=*h+1QAp;d21@vGIo4cmc*@n~FEB(S8m9tA>$^N@J8` z+{4E9&mPZvM85}+&Bp&3jr|i~++$PmUi}^bRt+N+mBvpxwp=rBo?&Be6u0U302Z?G zy4iR?jAv{rzO3H^z^Y-SqS9C%Fz$_K;}8_9^m_m~Y`kVRZuj|7rQ$2U*FN`P)i6>~ zX`JU6bJ#cz#UJ#a16ahyt7hZZFy`1){8+ySfK|gtMWwN)W8BKd3>3TS_W*L)_=C|H ze=CezZ7TNF?*U-dFj7%zJlUb;eB672jq_2wL;Q|iex}G{V}sc^AI1|l6|2u{pL?)s z7^$c6JN2If$Yr>LYC2g5ov(9>D!FB|`BHm-oN!KUI4{T={T z4I>qm#`OW?{*i3Fgkp_;4`4YPzc(AJeSTD__=A2A0IP8{xJr{vHCrLA~v2e8V3!+ z9Cx{?n4sSSz^Y-SqSEMdjP*Rnz9$^N@Hca7UO{~e82Xhcrr}*j$MB5d5Dew zHXAqB`BA0fBjG|(zGkp$7^$cTJB#wjo!wyC&PzXyO-!$?J?@nFDsFqDl|D88fL19+H?Uzv?-eSTD___%%# w0IPqo7#*Xc6k(uD4@le~*=)DT*rFQ(<@-YzN`aYD)^@9G?QFZTAs<6! 
z5d{=51Ofyw5fh`1=pdFaH5e5GgG4dT87C82EU2igf@7=C`|sNI?%ImcgogiUukG*N z=Xu||dwO4 z6Z%a#jO_|~&woVg-+N6l^qZZIwe@!?I!$vKQz(*CoK1xb3*IqKB;r{Skys&ah-mZ@ zaZftYh^qDbj}Q&iR1hzPi3N=hO>s7E-`)-4b5;$Tf%<64YJ52GA`!17hilw$P3v#1 zwZDfCvwh0Hu9_C&Tk51HwUX*w{|#+ds8kvv9~F@$wLZ)kk=wWR)w9Y*1Kc40dwvN7U{<0-37z`>|ux$vo^*-*H z@^r!CO#RAv_S8I9YAG#uILpkQa!a~@?a#%IlhP-_JIK9^FvAOYabGggo zO)=zUXBoz$Q90!DS0a}s1DmV6hY!Iz$q;n6)|S=4<4{ zy_~o*CUF>uk4MJp6b-8q5QU1kgB%(*8%$andI;aTklZ8pc!v!Xo%u zz!MDHW`bYQibtcYCawAUK*_MR!irNw+z+A&bXu}un-O@Kh?hHK5;1HhTV&WcQ3r~u z*tkHL^XP12u~6-`kFQ*oOZ$20sf4zqaa%kRTL!|GjW~*>wzR?)I+2HMd0@GQ;cUm3 zOvLoSD=|fEge}7X516cC5jcQI#4O{a1;P`?`Nh-c&dC@<8a~2q8t^79S!-)`_i+vR z5)H$lVL#WfP1M>}2v8{Q2T5hM*+J|d*%#9W+1=REtzdXR3DxwF)_yo8B=J)hHYM>* zR8?JthE2t%Y01Rr2ewdESJaXY?uYm%x%dSU@!!%+kgWp=y9?L^b9_G+`?N&tlMs7A z(y-5Qe0(cu*oS~uV^6eXHJ1gp68!RcNzDgPb2+d1Sy9cOKM2ZDkFCO1>J`QccDJii zpmSB0!-_MK!(Jz>D7U$7LgeKmLJ=w4T%%#X;;Xb|?Yy89sED)85{2bZ*uoXwjI{GK zDb(U+?@*G5EEUk+&MJziqc?--C=+!w3mv7;sHxoKaD9;{N{1Eyv_)(Hcq$bg_yy>E zf^S5=8hJuH#u)@V#shQHFETeRkY9$4v}8S46xhal&@SmgOIq`dA&}o`@ir zNKjI_@X((grpw9E=jgKy`T2PUL$*F!Z!nSTZ7VeF5wiRCKLgjl!_E{+*vPH^S2n8tlZ|TFIEoGDmXhEYVtdUV#ZTNX)Fz5@9X!Nz)kVw> zX#Mu=B_{!n73JD!dpK|%5RoNU##m7qI_MwAh;rmd_Pm~Gb~ZPr&=?pR`fnP%JDj*qFf3}RO?-(<5y2G z#)xvd>H7S%Y4(BvGZ(IilVGU4CX|;zFpmUXYhwtmjwkpF5aUO=ju9mIuVXQZ;wZ;0 zJb|v?T9o_r`UivUN7fxX{>ulGmu?<=$hc#`)z2#P2Gq5rZQbjte&u#Xxr-u~B?Fu5 z`-Km|+ma!uwr7_#NTM7c0_xl7XA(s@->;l_ASO{9= zpT3lLTQfleitS~BhcN}r(kotU2ef`vsiIcMJRPuR#rP5r53Nl zwlMZL-TVD@ literal 0 HcmV?d00001 diff --git a/tests/mysql-rows/suricata.yaml b/tests/mysql-rows/suricata.yaml new file mode 100644 index 000000000..4f6e6be34 --- /dev/null +++ b/tests/mysql-rows/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert + +app-layer: + protocols: + mysql: + enabled: yes diff --git a/tests/mysql-rows/test.rules b/tests/mysql-rows/test.rules new file mode 100644 index 000000000..075d8ba43 --- /dev/null 
+++ b/tests/mysql-rows/test.rules
@@ -0,0 +1 @@
+alert mysql any any -> any any (msg:"test mysql";mysql.rows; pcre:"/(?:[1-9]\d{5})(?:(?:1[89]\d{2}|2\d{3})(?:0[1-9]|1[012])(?:0[1-9]|[12][0-9]|3[01]))\d{2}(?:\d)(?:[0-9xX])/i""; sid:1;)
diff --git a/tests/mysql-rows/test.yaml b/tests/mysql-rows/test.yaml
new file mode 100644
index 000000000..2dea04e54
--- /dev/null
+++ b/tests/mysql-rows/test.yaml
@@ -0,0 +1,10 @@
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "test mysql"
+
From d987e7e4995fd47176421790cae232a1fa973741 Mon Sep 17 00:00:00 2001
From: QianKai Lin
Date: Tue, 8 Oct 2024 11:39:26 +0800
Subject: [PATCH 2/4] mysql: add MySQL upgrade to TLS test

Task: #3446
---
 tests/mysql-tls/README.md | 6 ++++++
 tests/mysql-tls/input.pcap | Bin 0 -> 10213 bytes
 tests/mysql-tls/test.yaml | 19 +++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 tests/mysql-tls/README.md
 create mode 100644 tests/mysql-tls/input.pcap
 create mode 100644 tests/mysql-tls/test.yaml
diff --git a/tests/mysql-tls/README.md b/tests/mysql-tls/README.md
new file mode 100644
index 000000000..c5e1ba166
--- /dev/null
+++ b/tests/mysql-tls/README.md
@@ -0,0 +1,6 @@
+# Test Description
+
+Check MySQL protocol upgrade to TLS protocol.
+
+## PCAP
+From my desktop's docker.
diff --git a/tests/mysql-tls/input.pcap b/tests/mysql-tls/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c07b5992124be177cc321229d3aa81a1b54550ee GIT binary patch literal 10213 zcmch7cRZH;`~G#i?Y;LV%HFrVGqWjslf6llEfU!xd(Uh_k&KKKSs^7OWJFfk-|O;x z9-k-meSW{!?~k9?>-6HjZ^wC_$8o&R`@F8(XlHFM5`YZ+_X`<-fxmPXBj3~{#RF8p zpP@jKtsn&8NV0u&XrIu5s{kNg@>3d+Miog1ABREDJ>0}zu~UzphmdlR4mR~~fPaOI zQjd&;jwxfQG6+2mgTv7vkp&@^RbQyJ5UMqZ9Co6g@fYHM>KsxAQ7}cgc(`~09Pmdhn1Hk+t*I4o zdU}ckoX(JdkNxLMOiP~eu9p)1B}RU4z{3L*unDt zrQw6KhI9YW@Yes<@HQnLU<(!j#cveqmmHoU-uWXUIY^=BIfd__rs=_72M^27n)-b9 z{r7JW&FEDB?BjwZ1Q6M0G#_1{dCN{c1|96<#nqx^W zb~pJg^@$K!g1sdD#0)#XR(qAOb-k>yZu$!YAr$uFh5~P=32a*w)M*9;z)S=qLL!2< zbGNg%^R#meln#`%W3&^sW403m89*k$4G035U@|X&3;<4H(22wZ&;e9{27G`VzygrK zN0>k&aR6d~5E+h+j0{78qobg}&{0ug;FJ6S3&0G%nm&hlaB-HA-^bU2Et^YNWRa2q zd;Yi*c`%ym6ALa~CJVp`V!;4*00SM442Q#!;4p|gPmsI+y6QJIa?aE^{DT^htB(Jq zh9xZ?PzY8G#c#*x5hC{t@zEa<$w9>0^J8QT=}QWS1Nuk+pbLi&GCcA6^4Nl)jV2n2 z)}|@GBaeX8?^(1dS{BA!ZwY_K|4|JhkV|Zk0VFsw$Qu$sMht?(&S;ot!~=A|r=j@G zLRU+U&ny&k!9rV`h0c0s7BWA#&3gib+?Tc)HkT1d&r{YdzQctjNHf_*O^aViZGx7T zuq<|r{HWr1-RFOCnhqNtFpLhI#YJDBcOmj1iu3G$^@X#Zoq8-Br1;Q$=G+%%pf5%s zU!;S+cm#*n)!q(lWaw}DE+ocZ`IDmjO73!MtJ1Yi6e>&3FPTx5|5v`yIQPY0BvhK_ z(Ymy6d>J%(G#?`NkFS~rRJhTbeRheE!y#_reXheJf72pVIqds8nxwy;ltzRw3ZjiUn1P{EfXb^{_ViMSnn5TQH2i7WOpYE z*h0vAb~<|cZntQZGA>g;nQNXD+&SP(nOmGMf2b^~xX+xSzPajM zo_`7Tfs3?t7%OWCtxwJKJ(RIUx^Bl!m>yaTZCm7Ov_=zOx^`Jnc9su`P}DSI7h>4D zi+#pfsp49SLPbhd{AQZ(8V?!Ya3U@B2GQ*ME6yRCIi#uN0lq0@Yu(P#4EBT82^gh! 
z*2_u=V^H2C$=teHU#xH+7dEW$ zdU4SQXtCC#SP7!X5j10j{dDsW@Y=8p3mSrnl{mR(nj5NhNVNkcPaWH&d0LNcqq7Ee z4Y&}!q6*iVahKKA>%KH7nPa&bnuW`Mi zMDvn_Uk*vFFUKD6L9Hh8+prnb) zh#9x&=tF<+Kr_dKSAm)FlYf!bO$C?M6T6z2t3UpX;(B&zGb5lxJ4^K6u-n zJUKG^J?W`YP42zdt?#$zGt#P#yWDXeNT|XG^;iYejQKH!B3U(}W(?ay;*Cw;q>Tk~ zQc(8bs@5Ae=!ZlaF`@{N8}_BEvfE(UcC}v>l&01SMsmG7`)bbk`=KPtLB7eiZL;yu z($FjBEk_f>9-Ol)`f#*$**(f*B-7XNql8ahtvuCwiYAIu>JYu-d}l4J0oZjJLuxlY zz|+U$-rSfl@ab{D!$B{DKcPY$O8hDu%@rjPPl9P7$b4${$mk_^z_(t_r`u(>SE$Wv z;By~H;}2UKm}D|qIMUFxd#?sA!dF!{PBR5LL`$)?e=xoF!TVAE_^uDDvDBrP!3V6; zV$nHw}N8o2u{$yTYuUT+7OW(5qe2DVMbXOzGPNEA;99(M<1*`LylJmQ`v z&Wq|dC5Ue%Zu{nZY&s&@dSJ{XgU5HXquGaeO_gkR zoz&$Rm15$atCr1|v{N&xD>sJHRpo4Hg)-7ztm;`rMUA=@6*1AC*I08imx*zFu_s^o zs+!T?&PbCYv}XCamTRtPW+J-b(?XbRL^*x$17wrw075}4N|yJEC{?Vp!&!d2RLZqO z6}D5DMyI0oQ`9v-xPke)1pO@hvYKmgY!CWw@uEfSp;98q3PMn)mv3)OZV?$FEtA|N z4D1=v?xhVW9u-evxc0ffTL0NqEtX)^cb48I^4L-b=hSak>lV+E2QJEORfl-d!g6c0HpTc&#!8Z;V zg-LI0S~vgex7;!JV>WGVT+3RU4MG)PHoQRDath~tab4A!-kUTGUtDf;4@Zw}Dj4(2 zE5vi(Y@$;yQ_V50)>?Ob4^0JlJn~Qf%R?in>vf4YI96ZX_^@s@Q<*d-MizraMLT6+ z!x|S~b=&hXN_Wqdw_JphIj7Vsjpl0Ajl1=Cx@1bFZeAlq_0ad|M24kpQ}On=p^9}# z7j%Tl8b`4#*mEB05I4DOn8Y5D1!SeT50b*dMeWHK=k%Pc_P>j*XHKb&Oq58x>dIg& z^iznu@8M5-l!Lx*vVt~>HhvPD`}0scam+v*!_||?;TF$P?TpDOVsKr~Lph(c=P93h zgVi>U-zL8&guA{VTQkN6UJJl6 z$P`B#-CIW{{6M&_7w={^)7$YKY=O_?ah-*gDyq;fP0jw#T^ibC{&5*CP;vroI3k(9 zE|IbD%|h=l;4Z!U_bv@?H)G%uX$B#7bKwCS;2sUd#kCZeEjc|~OE>6uybz4UElw5~-*MNAY#V%K?YPV5< zX8(ZXNwX%ODWNAqh5HPDsV;U;=i%Y2?MBZuPR$_QgZ6hQ5lq5rxvdVc{|#%ge7JTQ7Z6TYV+gdQT;6&xhJ&vJ+8q! 
z4-M=C*D0;+?#JnU6_O>`Y)5FE;^NkQTo|!Aoc&3P=J}!4Hn>pBOH%NbM7<IJ~f+#S!**1PfN+`y8=W4#pTQ;(!BfS;5+B|OeA6{$D$O=Y5#G@~K3$pY^a!ye~ zY16z{X*l?=q>H&ZY)c=OIzSHbbg(a*v+5%fb(F%-_j${-I%2Rz8liB_@vOznJ5FL^n-qqo~nmx z@8ClB*+^`={7ET4Q`)Zy?l~EYzBL)te-*wmcjL;Blp%;fdLBF=5L!Dyt;Q@ERE}{5s)VP$w&JfMPO#iqC_#Z@Q)Z9NGHSZxr=&T8<@7nNX zJi$*Q^}Fse3aCFRu)hE1$*w~_T}0&03T|hAJg-)KFDoq*+C2Yz3gVS7SZaIY3{WjO zU@fL#9Z>wnx+bFdjP;3MS@*>NSzm$9y}si)>lWa-e-G6{Cehwr?N=`LxPfwm$ydfR z#ueLp|Jv41DBB2_%?iu}#c$d45G7~XhA(8hbe_%a_iWVGp6hRhZ7=;y9C4dxRp+ja zT4}z=^70z3N%D$2loE^oU*$tOBRlN^*(;!Y3K!&q$hLqG#|7{J53m6!ev{9-6n=(i z_eVrXzQAAPvw$dLzdd@xF329o*YiEvcG|m*Z){k3_@&wdi%c^Sw(pTGw|&r@4Q)TE zhE@rXLKUnC;sHrub|`+M@gAb|jK-V`G%DDs$5Eb%mU~X4<=>*Iq58d@O_};yUHitk zkG%ye_Db6HJO#$`iS#Yjm_pv;*4HyRb;0)j%K3Glli>2&BmIsUE?ze&OUV7|S=xTQ zqAcm%cYXH7Jkcmt5Y?;;tdS@6uN%hD(fN%ffl}l%mY{o6|1fzRCCGc~ue_@wfxKHn zi0wEq0QB2g{Dx>!igJeN{6|EHci+ExSEYv#A>Nta$jH%fE8eyAjEy#ze;#Omw?fQd z7EYC0Snc%FuDfsYI&$L-lzNB&27ComL-8Bo9}s0{gsWU2JQXBd?u_ugbHdAIELG{D z)Omrk&e|IWd;3%``}kHbId@XyvapsseAg{YU5Xvj$|fM(Aje)d?x6PWDibx~~3nV>8W6}3ak6z2*SMw%&)j?wO~Iy)XZ6Zv^) zN7K{VLiZj#$}$SKkM!ubP&kRH7B^CA=C~_S>t6AAS2*Gw5sLzY-ROvtbQo_v(wOP} z!le1d$jE4$D;-edGhpNYGW<}_I8VO7x!h*qZK(??GJu?yLx>TKFaQ@^GN8DqA`B=+ zgAj##|A+{xXh3zY;w1r`u~8>auWBXxhpe0SbY!Be3C*b4SZl|4R|g`W_MsFPvycJ(G9%65 z(W!dV_oXDh?qJ{t!jiKE3Sh-}V!C0i+;It0b)LgjPdP)jTh|y8QYcOiCp-OWKkvr( zQ5`<}7fGW^rQ2b`JTtxYq(L#SU+HEO2^>{qcX#4ul&y7|M8toFq zj$P?Pn`54eiWs7HlRJaULmV4&H3#Amq&wUt31bm`E){-Uo(xYSGWiqoQv8K9Va1Pj z%{-=`2R1pB5FNz&6V1Sz2^jqefwdPx9cj`Pt=|y#xh?NT`OW>JyrsR$lDyV?o7$CF zelS4gTS>xzMX+=zE{Y3Gl%k)Bdtr%=#{=zB0hYh3zkMz)2PkeeRDQN4HlsJIVK~|_ zzeo{v|K;~`Evxt5iIhpTHcHKXn_b|dv73<+7u{{qG?G%3n&z55?cGF}Yga!}j?ugp zQbLZlm<0PM)U(Eg^mCzqa;%&uEm&m&k5zs6vb9PC6Oueh*R8R)?VtP}$kJNF+$Z@s z7m`B-o*!MB*okCFh$?(M8racvOFA+9-O;n>;enxtlDRU$s@mpUQhXy>@Hn~GP}gFz zFrX6b7>eIS%RyB9QM3wBv^ucspZd?vMSBX0#sPJGb4tiJE)7ZXP&@ii9o0ygm6%QA z8Be}P1BPB_FseNgL8g@DsGPRRWqzy&SJCpf>V%^NUE_4qLY_yA_*X|%ait9S47^fJ 
zp%bjJy1%X8wwh#X+h4mJSeq`2QamN>Qse-;&1Z?r0acH#0t48PfU~%$84`6V22?$w z?AHSsU$ImyVWV*Q@?!Lz zFXfgL*ZfcsUYdch?a%9z-&BzsTIm1%UJSjpb3rB`S-;Pg{BK0{j`|Qr$F7_~Vn=Otx#mQDTuOEjBJ73q3 z%^QOUMBK95xKCDo%sy4|G*0FAO{`Q1ixTtt*4$E|z+I$tiuoz`8PR-FVH;+l&tx>x zR=s_V5TDERaWb+(&trDLrYm(5?q6P5kN$*&-cqkj@2!%9_c$Ytbl~WB9;`5_u>Or@ z;UCM zX@GYB?qaW`$m7j5t?V{zHetMW0!+iomV37llEwvdYewPT3U%h(VIPK& zzw=dXajqrpWY_~dc|-Qa;X4>)owrLNRy z#AI?$P*uBaTo4@-dkQ~0b0wlSX)F3hrc`TfjfU-x+Uq!9-zd^fNySpgIT`9OU^qC~;XG@6_1DAFD zUWyl_o+=7$;0#0#+^pfQyMr-HO+~$%V*tYT=jcsa&xfnO;K z+43W6@LIC>n16l?S0;VHMC?9$WU;SF0!#FOTj(Ob)xz|h+3l(WpAFI&=1=G!t-rCf zS6WDX$7&TPAPorFF_#HsQN-5ptR*6@LL?lyi58^hdXSpfXt>1Uk47DOAc)_44qGP_ z9*{hl>u%r(zB^O5_U5zNy_P_EHh?sb7>|ZasQ78YjIh}2k_R_#;01kqd94Krt}BSX z)%*H@oRVyYVKDXG+^FHOPN;loq|hyy_f)i=d|xK?D=3lL4+@iV5i}bYbC2Oy4Z@FM{+n zI{(mGl@FW@Eug+|y1N2P{0v80wI9~q`R=M^1#}!68@)4$wJh?ue5jR$x18pC^6a$4 z9d9qgRXtbQJ@GN6{Ud?vGYtab-|eq3e0_tmwl%h^qwyULAtU_ovP=ZqZs;n~!n*ERSUNmL_c*biXw9NO-3%D&+@nG=SjH~~=KdF~i zY#MM!B$i3&p?7K9_VRYCSf2EBF}q|ig?TDjd%NS)t)>^=yP;+zpKla--qGE0r;<6I zgrOhb?#Aog8+|L%04&1z9m`K~&n*I638wNfmo~j^|!Ukp<1ZD`qr|;Tg;mm<6 z-}RhjH&=9Ls9(OaiSJdaJD@j2$eNb{^6E>?O5;-*GT6(mB8^ST7TV8wS;QZb_dgPR z+Oo?luCK~_gnyk%KOE_^|Tf> z64kj62S_8{Q#JDxrl_Kiq866zZT-#ko-T;EFAV4`3Ec6 zWHV@hHSQbe){|be8M3HFR%<>$lp?0%x{<8 z6+j*56UQt@0uHf(7{%0TluO+9i%9sJq!RMxLn0FNC(*OHC1U&CuE#`obS^V)I-&Y9 zQ@u21QNThU#=tqKW6;vQaZ1waFid|fb|Ol*v(O52$}+Yx%F-CF)1yTu_!GC;xa#>& z+j+j{m}O0tVX~J4`(0fMu=ySLX&B@TQ!v_tnjg|q7*n!oZd~8oSKg`?6^QSo@yekJ zx4q`0!}(Ttp;v54mp2u*t>%;7%*++5!4r_s_J#^o2JdzUt*k^3bn0#!!hk7oqC)Z8 zR2@K6o=sJ~U#F^nk)3+V3-Hu!7%ZJn)mCt-@}tTxn39}q90esD zq90Y=_QiQM-XE7p7KHEPeh3J^dc^4?t3vqA_N$}p>lew%<=Y&RM*Yc4NnbOy#@Y!x zsyPbA@#x21ZliP`H5Tn?p`Y$K`W^TvbYzHJ&(fJ8WHDZ@C2ntX@rq#xcX;d^(ED|x zt3JvvknmIUipSj~u4h4s_nUb5_XV#GWlkR--V*5lUPEv34By(bV5~HdP}>gKtCFTT z0e^8#KtC3BTuF|=B3tYw?c;YZ2b#Xy-(lffcCfXIE5WHy?kR9XASoOoz9a99Q?&)_K6q)hV7;0yu@J6FZ`j7dXUnyKmPUN3JX$NB<|PEE9J#z;a$lK7gxsM zd~JONB3iGZ04CrT3dO~V4QP~NpCNkv5fR$I9sb_sbfI0Y74!~3Dzz65u!oVE|Ij?y 
z_<$YvT%dd5+n6Mj%yb>)AJ>Mz{Xa_;l&oy+SEJsQ1dTcsL;&0P`yRai3}&;8r7kyw zxaEin7=ook@mu-VN^#E0_qkC16iA2^^oFB<^Spdb2o)-y=tXT+15y42PEUS%m9M&L rz0a#@C=<04Dj)=Af#TvJ11
Date: Wed, 9 Oct 2024 10:22:55 +0800
Subject: [PATCH 3/4] mysql: add suricata.yaml in tests

Task #3446
---
 tests/mysql-command/README.md | 2 ++
 tests/mysql-command/test.rules | 2 +-
 tests/mysql-command/test.yaml | 5 ++++-
 tests/mysql-prepare-statement/suricata.yaml | 15 +++++++++++++++
 tests/mysql-query/suricata.yaml | 15 +++++++++++++++
 tests/mysql-rows/README.md | 2 ++
 tests/mysql-rows/test.rules | 2 +-
 tests/mysql-rows/test.yaml | 6 +++++-
 8 files changed, 45 insertions(+), 4 deletions(-)
 create mode 100644 tests/mysql-command/README.md
 create mode 100644 tests/mysql-prepare-statement/suricata.yaml
 create mode 100644 tests/mysql-query/suricata.yaml
 create mode 100644 tests/mysql-rows/README.md
diff --git a/tests/mysql-command/README.md b/tests/mysql-command/README.md
new file mode 100644
index 000000000..b2703e415
--- /dev/null
+++ b/tests/mysql-command/README.md
@@ -0,0 +1,2 @@
+# Description
+Test sql query statement like `select * from xxx where xxx = yyy` args contents.
diff --git a/tests/mysql-command/test.rules b/tests/mysql-command/test.rules
index a74b8ebd8..1aa830fe2 100644
--- a/tests/mysql-command/test.rules
+++ b/tests/mysql-command/test.rules
@@ -1 +1 @@
-alert mysql any any -> any any (msg:"test mysql";mysql.command; pcre:"/(?:[1-9]\d{5})(?:(?:1[89]\d{2}|2\d{3})(?:0[1-9]|1[012])(?:0[1-9]|[12][0-9]|3[01]))\d{2}(?:\d)(?:[0-9xX])/i""; sid:1;)
+alert mysql any any -> any any (msg:"test mysql";mysql.command; content:"33030219971120201X"; metadata: mysql command; sid:1;)
diff --git a/tests/mysql-command/test.yaml b/tests/mysql-command/test.yaml
index 2a597e84c..8f5b7f17c 100644
--- a/tests/mysql-command/test.yaml
+++ b/tests/mysql-command/test.yaml
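Review bot: The new `content:"33030219971120201X"` in tests/mysql-command/test.rules (the same value is written into tests/mysql-rows/test.rules in the next hunk, and into the expected `mysql.command`/`mysql.rows[0]` later in the series) is an 18-digit value of exactly the shape the removed `pcre` was written to match, which looks like a national ID-number format. The README added alongside should record that the fixture value, and the pcap it was captured from, are synthetic, e.g. `The identifier in the pcap and in the rule is a fabricated test value, not a real ID.`; whether it is real cannot be told from the diff. If it is not synthetic, the pcap should be regenerated with a made-up value before it lands in the repository, since the capture is committed as-is.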
@@ -1,11 +1,14 @@ +requires: + min-version: 8 + args: - -k none - checks: - filter: count: 1 match: event_type: alert alert.signature: "test mysql" + alert.metadata.mysql[0]: "command" diff --git a/tests/mysql-prepare-statement/suricata.yaml b/tests/mysql-prepare-statement/suricata.yaml new file mode 100644 index 000000000..070848120 --- /dev/null +++ b/tests/mysql-prepare-statement/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mysql + +app-layer: + protocols: + mysql: + enabled: yes diff --git a/tests/mysql-query/suricata.yaml b/tests/mysql-query/suricata.yaml new file mode 100644 index 000000000..070848120 --- /dev/null +++ b/tests/mysql-query/suricata.yaml @@ -0,0 +1,15 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - mysql + +app-layer: + protocols: + mysql: + enabled: yes diff --git a/tests/mysql-rows/README.md b/tests/mysql-rows/README.md new file mode 100644 index 000000000..d43c04e34 --- /dev/null +++ b/tests/mysql-rows/README.md @@ -0,0 +1,2 @@ +# Description +Test sql query 's result like `id,1,2,3,4,5` content diff --git a/tests/mysql-rows/test.rules b/tests/mysql-rows/test.rules index 075d8ba43..a7626282c 100644 --- a/tests/mysql-rows/test.rules +++ b/tests/mysql-rows/test.rules @@ -1 +1 @@ -alert mysql any any -> any any (msg:"test mysql";mysql.rows; pcre:"/(?:[1-9]\d{5})(?:(?:1[89]\d{2}|2\d{3})(?:0[1-9]|1[012])(?:0[1-9]|[12][0-9]|3[01]))\d{2}(?:\d)(?:[0-9xX])/i""; sid:1;) +alert mysql any any -> any any (msg:"test mysql";mysql.rows; content:"33030219971120201X"; metadata: mysql rows; sid:1;) diff --git a/tests/mysql-rows/test.yaml b/tests/mysql-rows/test.yaml index 2dea04e54..371fe4bdd 100644 --- a/tests/mysql-rows/test.yaml +++ b/tests/mysql-rows/test.yaml 
@@ -1,10 +1,14 @@ +requires: + min-version: 8 + args: - -k none checks: - filter: - count: 1 + count: 2 match: event_type: alert alert.signature: "test mysql" + alert.metadata.mysql[0]: "rows" From cc4a27559df2e2d515a4152885bed4ee25dfeb5c Mon Sep 17 00:00:00 2001 From: QianKai Lin Date: Thu, 17 Oct 2024 12:53:56 +0800 Subject: [PATCH 4/4] mysql: add more checks in test Task #3446 --- tests/mysql-command/test.yaml | 11 +++++ tests/mysql-multi-queries/README.md | 11 +++++ tests/mysql-multi-queries/input.pcap | Bin 0 -> 16189 bytes tests/mysql-multi-queries/suricata.yaml | 15 ++++++ tests/mysql-multi-queries/test.yaml | 61 ++++++++++++++++++++++++ tests/mysql-rows/test.yaml | 38 ++++++++++++++- tests/mysql-tls/suricata.yaml | 18 +++++++ tests/mysql-tls/test.yaml | 15 ++++-- 8 files changed, 165 insertions(+), 4 deletions(-) create mode 100644 tests/mysql-multi-queries/README.md create mode 100644 tests/mysql-multi-queries/input.pcap create mode 100644 tests/mysql-multi-queries/suricata.yaml create mode 100644 tests/mysql-multi-queries/test.yaml create mode 100644 tests/mysql-tls/suricata.yaml diff --git a/tests/mysql-command/test.yaml b/tests/mysql-command/test.yaml index 8f5b7f17c..143306cf1 100644 --- a/tests/mysql-command/test.yaml +++ b/tests/mysql-command/test.yaml @@ -8,7 +8,18 @@ checks: - filter: count: 1 match: + pcap_cnt: 40 + src_ip: 172.18.0.1 + src_port: 35316 + dest_ip: 172.18.0.3 + dest_port: 3306 + proto: "TCP" + direction: "to_server" event_type: alert alert.signature: "test mysql" + alert.signature_id: 1 + alert.severity: 3 alert.metadata.mysql[0]: "command" + mysql.command: "select * from test.identify where identify = 33030219971120201X" + mysql.rows[0]: "1,33030219971120201X" diff --git a/tests/mysql-multi-queries/README.md b/tests/mysql-multi-queries/README.md new file mode 100644 index 000000000..a9bfb3ff7 --- /dev/null +++ b/tests/mysql-multi-queries/README.md 
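Review bot: `count: 2` in the tests/mysql-rows/test.yaml hunk matches two alerts that are indistinguishable in the check, so the test passes as long as any two alerts carry `alert.signature: "test mysql"`, whatever packet or row produced them. Splitting it into two `count: 1` filters, each pinned by `pcap_cnt` and `mysql.rows[0]` the way the tests/mysql-command/test.yaml check in the following hunk does, would tie each alert to the row it matched. Patch 4 edits tests/mysql-rows/test.yaml again (38 lines per its diffstat) outside the visible range and may already do this, in which case the point stands only for patch 3 on its own. The mysql-command hunk also mixes quoted and unquoted scalars (`proto: "TCP"` beside `src_ip: 172.18.0.1`); one convention would read more consistently.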
@@ -0,0 +1,11 @@
+# Test Description
+
+TODO: Simple description of what this test is for.
+
+## PCAP
+
+TODO: What is the source of this PCAP.
+
+## Related issues
+
+TODO: Issue numbers or links to related issues.
diff --git a/tests/mysql-multi-queries/input.pcap b/tests/mysql-multi-queries/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..458bc25e8f0cff003ea45ed9091837cbb35edfe7 GIT binary patch literal 16189 zcmajm3tW};9mnzKa8m(qXlY&owZtomGQ4G|h^VAIN4zv`oe)7u;TVvlRGO}|nz^Lr z7M0CPQkf>2uIOT8CADpN2|MP$S|Ghe;W*^@F-}5}@ zdH8p#tF8WRh!tl2_(z!K!cRWjcs%c(eJ*P{eoQYbdSLnMFXFGie!f#%E6uX*aQB&D zO^A3nsj5@tmv}9CZGQB3JCY`yrr-QZ$RiIGJa1VcVd4A3LfS@lyCq{Y{kkhOv<;Py z?ib2vHusy$mNmgjiTLXrs!~1ryVvH|M!m2C_4-$08aF)o{*Ptcj0R~38zoZ-xni|^v6k8kV2YZ}_JH2H5uUT=vNH|43K7oUvy zOXRZ`Uv6Jj`bm_hYt^~b$NqL~Q`_lzKQyhqT|EO&v?pg-er{ojr!c!9w`00@=!}(F z?z@IgF3Mk#TNLW?7Kbm(FMRN!cAn+SvP<&3MFrv61&flC!aU3K7qv-DN={B5lNjwO z&Mm@k_bl-im$XkDH6kG~IU#X4{!F5Yy!d-z#^U*!bS0L~fiK2O=fFohl2R+zbaLI; zA0eCr~kSvB@b92b+7#qO>fZ(eYUopDx`htRzQvc(Oa&J@)=Mw^jmoaX9(UbFDQ$cO6ToPF$Txg(M?u&{K^fNg?}E7^)=G;FvhTm=66^8S~&k2v37mnveNO}>D6kUW84FH zo^(|N-N{mq)<#wI=Xv7Z)pA#O9`lT$Bh`Vja}H_ehqD*+lP={gZ-qf^NX>mdS%J}$V zynW{v<}UN(E%TOovKJNP7sk^#4t}T|Fpe9>K~Eq-Cul|Dj-<(>c)&OZ=(ypSb;0Sx z1CIa5Wz|AXuU04MTURgxoS@apA_iQt+9`IWBA=i$TTalJ{6f0BWS8W73q8d-OL7ac z+Xfcx{2(f5-N8S``Ao;^#$z^I&iULG=W`duaD8>P3M$%;8P!noQ^#ZU1l5mc0oST&5&?Y+X8V-udjnlFeNHa4Po=j!m_ zqHIiH<1phKdyK`gu5nXw&SOGRHe%H-?xvao)Q^Q8r@LFj7%z?C8vK z7te7VikE*9tuu~b<6xt)=OD~+mz#15oYTt23vXSo6 z`tz}89_CnYQ*r4kp(q=%Y8d7FzH?n~!J`mg*W3HeqW7NpWW3ZyH^(G44m2CL)%j7S zVvoy0Q8r@LFj7%D#|5_pj2=GL`6w0?w$~Yd!o~q+BXx5e%f^02WA8}J@o6^||D7)sWg}J%BNdg#i;nRy&+%gvN53RIrO0y} z$Hu;9;}jSV+f;mPt5B4UST&4PR2mNkjBkXp@iP?H_7v`1vhfZ!N;?mVXNulyeSTD_ z*uA$9ph3q zCZf3F7j1R#kCWKg(`@_>#-%nDPdpm8N+9zFrZZz6>|mpsQ* zHuf+YWBbEc>89e7?S-Oj#HwMWqSAN_|J8w?A9tK$qmAO*`aOWjY`n#6TnOVSHx)PN z_W-bJ7^$c}%&yOkHEBUTL~6_v(*j&TbcA4M@izXy=c#+!}CxSL_z zVpH*|Sd@)eHH=hL8tVh+<4zwNH=_9P4dE$8KGsv&c$3*U3r3$!#fgnVQ8r@LFj7%z z+!ZkH>d3~IP+Xzk1DM9fu4dyiK0m5doIX~2FT|>0q@vR3b&MHotU~edLE$Myp5t^j zb}<|O0%L|v#Z_+$MR|@`HH=hL8b>cc#z$dnvZ?q#u_zm{Y8a`gG_DR9tH!bMKPY;Ogzwm8<4iVoG#lTk z^P@_|``m+7!$?J? 
zv5hmweLTmuzr=r{9wOYi@d5+ys z{9eBY;AUgA*;t4qm#!Z1^{ky?D$9NPQz81b?m*+T(jZtRfPM;rD zDjqr|6y-T$)i6>~Y0Pqri`kfrVy1o%Ad8KWX5(oX7u!@UU#PtoV%0EGQEBYv7++=M z6cjV`djPZ9*v@F|*B8cDZ7SaOvi7+LtA>$^O5=&Z`S`n&Y@CDQ>{#K>B_HcKY;0>b z-dpEKm5Kx6gra<`v1%Bps5EZv+;YwA?#b88A{1-%djNCU*v4#p!RJSnikn~1?g3!c zFj7%z%n8hK_dK3s35t94djRv;7-2Sk4&ywViuZo5eeS`kVWgtc81ER%*|-kHYx+Ha zyV)3SG~N~iW4TSmx919XSNT|D)i6>~X*}Z`>rdFY8O7n^ckJ@{_)|89nT<1H{KTeW zFQ2fhARDo27^$c zy(kvy_W%~KF~n^A7{+v)iUT%k_W-bJ7^$cF=pQ2c!-vjs=8!fZ(P8dJ1shE?ly%%EDFj7%z{J=3@ zXX8l}FYEUJ?j>Vcli9cm#_Ki}_v-fmuxflngo;Yzx`6S`QEWVmVuOAUz{AEyv+;n> zk17@4!e>P^p98?EVWgtcnC=*h+1QAp;d21@vGIo4cmc*@n~FEB(S8m9tA>$^N@J8` z+{4E9&mPZvM85}+&Bp&3jr|i~++$PmUi}^bRt+N+mBvpxwp=rBo?&Be6u0U302Z?G zy4iR?jAv{rzO3H^z^Y-SqS9C%Fz$_K;}8_9^m_m~Y`kVRZuj|7rQ$2U*FN`P)i6>~ zX`JU6bJ#cz#UJ#a16ahyt7hZZFy`1){8+ySfK|gtMWwN)W8BKd3>3TS_W*L)_=C|H ze=CezZ7TNF?*U-dFj7%zJlUb;eB672jq_2wL;Q|iex}G{V}sc^AI1|l6|2u{pL?)s z7^$c6JN2If$Yr>LYC2g5ov(9>D!FB|`BHm-oN!KUI4{T={T z4I>qm#`OW?{*i3Fgkp_;4`4YPzc(AJeSTD__=A2A0IP8{xJr{vHCrLA~v2e8V3!+ z9Cx{?n4sSSz^Y-SqSEMdjP*Rnz9$^N@Hca7UO{~e82Xhcrr}*j$MB5d5Dew zHXAqB`BA0fBjG|(zGkp$7^$cTJB#wjo!wyC&PzXyO-!$?J?@nFDsFqDl|D88fL19+H?Uzv?-eSTD___%%# w0IP