From 1ddde47a98981c25f8e4c9fe8717b54c2c8b0545 Mon Sep 17 00:00:00 2001
From: QianKai Lin <linqiankai666@outlook.com>
Date: Thu, 17 Oct 2024 12:53:56 +0800
Subject: [PATCH] mysql: add more checks in test

Task #3446
---
 tests/mysql-command/test.yaml           |  11 +++++
 tests/mysql-multi-queries/README.md     |  11 +++++
 tests/mysql-multi-queries/input.pcap    | Bin 0 -> 16189 bytes
 tests/mysql-multi-queries/suricata.yaml |  15 ++++++
 tests/mysql-multi-queries/test.yaml     |  61 ++++++++++++++++++++++++
 tests/mysql-rows/test.yaml              |  38 ++++++++++++++-
 tests/mysql-tls/suricata.yaml           |  18 +++++++
 tests/mysql-tls/test.yaml               |  15 ++++--
 8 files changed, 165 insertions(+), 4 deletions(-)
 create mode 100644 tests/mysql-multi-queries/README.md
 create mode 100644 tests/mysql-multi-queries/input.pcap
 create mode 100644 tests/mysql-multi-queries/suricata.yaml
 create mode 100644 tests/mysql-multi-queries/test.yaml
 create mode 100644 tests/mysql-tls/suricata.yaml

diff --git a/tests/mysql-command/test.yaml b/tests/mysql-command/test.yaml
index 8f5b7f17c..143306cf1 100644
--- a/tests/mysql-command/test.yaml
+++ b/tests/mysql-command/test.yaml
@@ -8,7 +8,18 @@ checks:
   - filter:
       count: 1
       match:
+        pcap_cnt: 40
+        src_ip: 172.18.0.1
+        src_port: 35316
+        dest_ip: 172.18.0.3
+        dest_port: 3306
+        proto: "TCP"
+        direction: "to_server"
         event_type: alert
         alert.signature: "test mysql"
+        alert.signature_id: 1
+        alert.severity: 3
         alert.metadata.mysql[0]: "command"
+        mysql.command: "select * from test.identify where identify = 33030219971120201X"
+        mysql.rows[0]: "1,33030219971120201X"
         
diff --git a/tests/mysql-multi-queries/README.md b/tests/mysql-multi-queries/README.md
new file mode 100644
index 000000000..a9bfb3ff7
--- /dev/null
+++ b/tests/mysql-multi-queries/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+TODO: Simple description of what this test is for.
+
+## PCAP
+
+TODO: What is the source of this PCAP.
+
+## Related issues
+
+TODO: Issue numbers or links to related issues.
diff --git a/tests/mysql-multi-queries/input.pcap b/tests/mysql-multi-queries/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..458bc25e8f0cff003ea45ed9091837cbb35edfe7
GIT binary patch
literal 16189
zcmajm3tW};9mnzKa8m(qXlY&owZtomGQ4G|h^VAIN4zv`oe)7u;TVvlRGO}|nz^Lr
z7M0CPQkf>2uIOT8<u+fh)jX6<w_Mqz<!Rm}b;7>CADpN2|MP$S|Ghe;W*^@F-}5}@
zdH8p#tF8WRh!tl2_(z!K!cRWjcs%c(eJ*P{eoQYbdSLnMFXFGie!f#%E6uX*aQB&D
zO^A3nsj5@tmv}9CZGQB3JCY`yrr-QZ$RiIGJa1VcVd4A3LfS@lyCq{Y{kkhOv<;Py
z?ib2vHusy$mNmgjiTLXrs!~1ryVvH|M!m2C_4-$08aF)o{*Pt<Yi&DHJy8B0<w^KT
z^lD{Ja`$EPILTa(dg+=@*7bsoFuIz(R3_`fgD&frh|#Ng{Xy2XS8gTiv2&8Ol&ovI
zyBfERX)dDHiJUac$k7SI6Go1(=C^ZMvnR!N4WBl)kJZ%F6k;`<yotU_^B*%G7?%3e
zCEfaToi#qf%E``Il3%#kQ@kX5glBnnadD})Xb~T!74T_R+>cj0R<Yubq!pKwkyd;a
z#SokX^lCN3OYYmKShiAG>~38zoZ-xni|^v6k8kV2YZ}_JH2H5uUT=vNH|43K7oUvy
zOXRZ`Uv6Jj`bm_hYt^~b$NqL~Q`_lzKQyhqT|EO&v?pg-er{ojr!c!9w`00@=!}(F
z?z@IgF3Mk#TNLW?7Kbm(FMRN!cAn+SvP<&3MFrv61&flC!aU3K7qv-DN={B5lNjwO
z&Mm@k_bl-im$XkDH6kG~IU#X4{!F5Yy!d-z#^U*!bS0L~fiK2O=fFohl2R+zbaLI;
zA0eCr<y7qcw#%A|G0>~kSvB@b92b+7#qO>fZ(eYUopDx`htR<arS22x;sEfgRX61d
zu31QjOWh+ZMYpP6?6$G2P{feuQ|%n$np5p|KGjBxCq`-|F0RiNr&?#?M!n;*?na$n
ztxmP+?*3ftqb%Z7D|oe;OC!L^+c^f2(5$rCaWf~*NXv?Quq1DE!9qTOjrcl2a`^!E
z<+0F368whqImYrH9l(8Gien*pO^tTYxa=_K1Z9y1{U@=ALDR(+7_|Ma%bJIu)2r23
zrn%#lV|fpQ{%Q@4Wt%gW=V&aQ5y4pQN=uy`H#coo*0ju-0|wF>zQvc(Oa&J@)<DNI
zcq(6EDo1%L?+I&oj*83Qb6M;0<>=Mw^jmoaX9(UbFDQ$cO6ToPF$Tx<IgG^Rip5w$
z7v<(5*v`>g(M?u&{K^fNg?}E7^)=G;FvhTm=66^8S~&k2v37mnveNO}>D6kUW84FH
zo^(|N-N{mq)<#wI=Xv7Z)pA#O9`lT$Bh`Vja}H_ehqD*+lP=<l{+Qn}p5Ft)YM-a#
z3n*$XUmSQ82Z{4*DbiWBKrCV$!DrP~#BplytJM^qa}T5`l+{U7IEE=C@)W)or*IES
zfwL+rb!ys-i5|M_;-<{XoDnx|=9J7?GbYZ)spe_^hY8Jpn>{gZ-qf^NX>mdS%J}$V
zynW{v<}UN(E%TOovKJNP7sk^#4t}T|Fpe9>K~Eq-Cul|Dj-<(>c)&OZ=(ypSb;0Sx
z1CIa5Wz|AXuU04MTURgxoS@apA_iQt+9`IWBA=i$TTalJ{6f0BWS8W73q8d-OL7ac
z+Xfcx{2(f5-N8S``Ao;^#$z^I&iULG=W`duaD<aPIWHvmDi$BplH7y%<Q^#=*2$xA
zSgY}_d@bma=MV<f^;3*}&y+A-aWEH0NX6vV#V34$;@TNPQGWl05eJfr!3VNBa3D*2
z1;(CgW9)}c!uZcWwbL1gurbkW{6n4pwN#smAO2Y=%0{djMk*?e<9Y^+tKDQgi{b@5
zR|mbn%134>8>P3M$%;8P!noQ^#ZU1l5mc0oST&5&?Y+X8V-udjnlFeNHa4Po=j!m_
zqHIiH<1phKdyK`gu5nXw&SOGRHe%H<Qc*d_T4#<8e5~6)b3AXhD@tb^#zwl=2EBbN
z=GbEe=Gb6U@z0?`Q8r@LFiLmtALqC}Fvr(N@*I1kxM7U&Rwd7II2(tWjnzIss#JV-
zyik;lST&4PRL(IYFvr)uJjWp@R@6l3=9tLFA!g%$>-?xvao)Q^Q8r@LFj7%z?C8vK
z7te7VikE*9tuu~b<6xt)=OD~+mz#<wl7*sd#HwMWqSEMdjP*Rn3>15oYTt23vXSo6
z`tz}89_CnYQ*r4kp(q=%Y8d7FzH?n~!J`mg*W3HeqW7NpWW3ZyH^(G44m2CL)%j7S
zVvoy0Q8r@LFj7%D#|5_pj2=GL`6w0?w$~Yd!o~q+<Ci}Fc8{Bi6%PtU*@#ucNJXVF
z)-hJFaV3gnJ41EGWH!bdjlFunSmCDP`5K`p8?kB_si-uba*p*eHf}(1_W<F}CBOHK
zVq<@^aW0I<+*JI{K%pobv1%Bps5Djv=2+Q<ubC|<UfSM4H^<RzyxnZv?DL~a#oRZ9
zqHM&fVWgtcxYRLbvau4y&rS<ZDe@f0u<<st@vn9M%1oPz57!Gt*@#ucNJXV_Sm0P!
zKF!Da0E%O>BXx5e%f^02WA8}J@o6^||D7)sWg}J%BNdg#i;nRy&+%gvN53RIrO0y}
z$Hu;9;}jSV+f;mPt5B4UST&4PR2mNkjBkXp@iP?H_7v`1vhfZ!N;?mVXNulyeSTD_
z*uA$<l#N(5j8s$_%N%108^1wu_iu!!6xleQjdA8Vz7J!HO~v%z3Pst7Rl`U{r7^`Z
zma*{?itm0VJf+CSJJ}d(HeQ3V%%<YtFNC6O#HwMWqS6@Z7!R^Bbkp&?b6LWjOE#vk
z@m8bp)?^qD+El!6j!=}1ST&4PR2mO=Yq=M`agmKND2_TRJf+CS32f|bHWtBn(Wc@l
zu_zm{Y8a`gG(H_L?ij|#z9=Sj5bj*EaUvUgnT@-BepIPAu#-@fjaW5|R8$%>9ph3q
zCZf3F7j1R#kCWKg(`@_>#-%nDPdp<OWg}J%BNdg#E;qLv>m8N+9zFrZZz6>|mpsQ*
zHuf+YWBbEc>89e7?S-Oj#HwMWqSAN_|J8w?A9tK$qmAO*`aOWjY`n#6TnOVSHx)PN
z_W-bJ7^$c<Rs`m_GnS9F2gNgg6rNJ#Ii|6(yV>}%&yOk<Yd;c-@*J^h7^$c<dK}{d
zHhNLSzK-sEoWjO#X5(=f7uZxh9U>HEBUTL~6_v(*j&TbcA4M@izXy=c#+!}CxSL_z
zVpH*|Sd@)eHH=hL8tVh+<4zwNH=_9P4dE$8KGsv&c$3*U3r3$!#fgnVQ8r@LFj7%z
z+!ZkH>d3~IP+Xzk1DM9fu4dyiK0m5doIX~2FT|>0q@vR3b&MHotU~edLE$Myp5t^j
zb}<|O0%L|v#Z_+$MR|@`HH=hL8b><D^=zy`@h0&*cG;N0#u%fqPXvtXZ7SXni?R``
zhLMU&V*~bK`TcQMEgO%Z*rrJMj$Jn1#m3HN<0KesZ7QZ03q{$8Rl`U{rLo2_HnH(I
ziizihrxe*ZgN>cc#z$dnvZ?q#u_zm{Y8a`gG_DR9tH!bMKPY;Ogzwm8<4iVoG#lTk
z^P@_|<YJ*H8?kB_si-ujc4;}*Ri%6{yozFxeh(m%jUCL!D?UG}RGhg>``m+7!$?J?
zv5hmweLTmuzr=r{9wOYi<T=`GY;QF79f3LSv#Gdos8E#Wh*iT#MWyjbOkj>@d5+ys
z{9eBY;AUgA*;t4<qDsa}?Q;)S4I>qm#!Z1^{ky?D$9NPQz81b?m*+T(jZtRfPM;rD
zDjqr|6y-T$)i6>~Y0Pqri`kfrVy1o%Ad8KWX5(oX7u!@UU#PtoV%0EGQEBYv7++=M
z6cjV`djPZ9*v@F|*B8cDZ7SaOvi7+LtA>$^O5=&Z`S`n&Y@CDQ>{#K>B_HcKY;0>b
z-dpEKm5Kx6gra<`v1%Bps5EZv+;YwA?#b88A{1-%djNCU*v4#p!RJSnikn~1?g3!c
zFj7%z%n8hK_dK3s35t94djRv;7-2Sk4&ywViuZo5eeS`kVWgtc81ER%*|-kHYx+Ha
zyV)3SG~N~iW4TSmx919XSNT|D)i6>~X*}Z`>rdFY8O7n^ckJ@{_)|89nT<1H{KTeW
zFQ2fhARDo27^$c<?g<$8M6q!jilg;=0Q1=xYBoOQ^P@_|u#Vb$Ayy3|6_v(f$C%E>
zy(kvy_W%~KF~n^A7{+v)iUT%k_W-bJ7^$c<j&h9a*mwxVqxwC7d)VkQ8gCDQah*-Y
z`=Yh?LaZ7_Dk_cFJGH#`?D>F=pQ2c!-vjs=8!fZ(P8dJ1shE?ly%%EDFj7%z{J=3@
zXX8l}FYEUJ?j>Vcli9cm#_Ki}_v-fmuxflngo;Yzx`6S`QEWVmVuOAUz{AEyv+;n>
zk17@4!e>P^p98?EVWgtcnC=*h+1QAp;d21@vGIo4cmc*@n~FEB(S8m9tA>$^N@J8`
z+{4E9&mPZvM85}+&Bp&3jr|i~++$PmUi}^bRt+N+mBvpxwp=rBo?&Be6u0U302Z?G
zy4iR?jAv{rzO3H^z^Y-SqS9C%Fz$_K;}8_9^m_m~Y`kVRZuj|7rQ$2U*FN`P)i6>~
zX`JU6bJ#cz#UJ#a16ahyt7hZZFy`1){8+ySfK|gtMWwN)W8BKd3>3TS_W*L)_=C|H
ze=CezZ7TNF?*U-dFj7%zJlUb;eB672jq_2wL;Q|iex}G{V}sc^AI1|l6|2u{pL?)s
z7^$c<z8WxAcVlBdiktMG16a()D`w-be124^_z$mk4*;u%k%~&=V#k=p#+4|p)$ai;
zVdG`9@hFU0HWlyJ?*U-dFj7%z9PAi3v2g>6JN2If$Y<jvqj5k77&qBeT&VvX09Fkn
z6_v)b?OV>r>LYC2g5ov(9>D!<yl6H~hw+F_#dq|309ZAQR8$)G1&sUJu(1-wFZ7=S
zSjxr=X5$leepIR0<y-A@4^|B$6_v))=$1L|OXcqi51=?+zX!04jpxnAKluEpQqj`y
z0btcIQc-Cf=ge_6&+%gv@6hi76tMA}+1Lo<YMY7~`aJ-w8b&HAjZMxRYuNZ1icji4
z2T;hyvqs~<u`t%yRBY&_y%%EDFj7%ztaXeHZ2Shrz4|=>FB|`BHm-oN!KUI4{T={T
z4I>qm#`OW?{*i3Fgkp_;4`4YPzc(AJeSTD__=A2A0IP<Pib`XKWAw5ybTdBRGf%j4
z$@jts*yuMK@%hL7UYm+<-Ypd6@2|0H7^$c<c8qGduJ<>8{xJr{vHCrLA~v2e8V3!+
z9Cx{?n4sSSz^Y-SqSEMdjP*Rnz9<gU?*SCE@jJ6I55{_%ikHQrJV&e=Mk*?eTLQ+n
z`mr$)#Z~$}fD$(T$86l@^P@_|a{V3vRt+N+mBs~*(Zj|GDAwrr03KxHw`Sv)FnVk%
zPSo!KVAU{EQE7~Ij1_FOQT$N92e5*T^+x019xzteRCG_(-V3p67^$c<o{DU_X5Ko+
zMh}XA*Z;o&rEENHHqNc{qe{i|`u`UItA>$^N@Hca7UO{~e82Xhcrr}*j$MB5d5Dew
zHXAqB`BA0fBjG|(zGkp$7^$c<E_IBVY<v{O&g+El*k$8NHhyC^;`5IOGTl_%A{J#M
zRt+N+mBwL?vHA0l8&UkZeh*+38&4UHLn3|t15dlDc(;BJ0IP<Pib~@}$9R~}$Cpri
zO1}qC#>TJB#wjo!wyC&PzXyO-!$?J?@nFDsFqDl|D88fL19+H?Uzv?-eSTD___%%#
w0IP<Pib`XdV@zRV4T|UWdjOBH@n2@+`!J^1R5a`XVAU{EQE5zZjAd;6KQngxR{#J2

literal 0
HcmV?d00001

diff --git a/tests/mysql-multi-queries/suricata.yaml b/tests/mysql-multi-queries/suricata.yaml
new file mode 100644
index 000000000..070848120
--- /dev/null
+++ b/tests/mysql-multi-queries/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - mysql
+
+app-layer:
+  protocols:
+    mysql:
+      enabled: yes
diff --git a/tests/mysql-multi-queries/test.yaml b/tests/mysql-multi-queries/test.yaml
new file mode 100644
index 000000000..cd83e99bf
--- /dev/null
+++ b/tests/mysql-multi-queries/test.yaml
@@ -0,0 +1,61 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.16.10.104
+      dest_port: 3306
+      pcap_cnt: 14
+      event_type: mysql
+      mysql.affected_rows: 0
+      mysql.command: SET NAMES utf8mb4
+      mysql.tls: false
+      mysql.version: 8.0.32
+      proto: TCP
+      src_ip: 172.16.10.222
+      src_port: 42074
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.16.10.104
+      dest_port: 3306
+      event_type: mysql
+      mysql.command: SELECT VERSION()
+      mysql.rows[0]: 8.0.32
+      mysql.tls: false
+      mysql.version: 8.0.32
+      proto: TCP
+      src_ip: 172.16.10.222
+      src_port: 42074
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.16.10.104
+      dest_port: 3306
+      pcap_cnt: 20
+      event_type: mysql
+      mysql.affected_rows: 0
+      mysql.command: ping
+      mysql.tls: false
+      mysql.version: 8.0.32
+      proto: TCP
+      src_ip: 172.16.10.222
+      src_port: 42074
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.16.10.104
+      dest_port: 3306
+      event_type: mysql
+      mysql.command: SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='sentinel_flow_admin'
+      mysql.rows[0]: sentinel_flow_admin
+      mysql.tls: false
+      mysql.version: 8.0.32
+      proto: TCP
+      src_ip: 172.16.10.222
+      src_port: 42074
diff --git a/tests/mysql-rows/test.yaml b/tests/mysql-rows/test.yaml
index 371fe4bdd..a9d2e7e10 100644
--- a/tests/mysql-rows/test.yaml
+++ b/tests/mysql-rows/test.yaml
@@ -6,9 +6,45 @@ args:
 
 checks:
   - filter:
-      count: 2
+      count: 1
       match:
+        tx_id: 1
+        pcap_cnt: 41
+        src_ip: 172.18.0.3
+        src_port: 3306
+        dest_port: 35318
+        dest_ip: 172.18.0.1
+        proto: "TCP"
         event_type: alert
+        alert.action: "allowed"
         alert.signature: "test mysql"
+        alert.signature_id: 1
+        alert.severity: 3
+        direction: "to_client"
         alert.metadata.mysql[0]: "rows"
+        mysql.version: "9.0.1"
+        mysql.tls: false
+        mysql.command: "select * from test.identify where id = 1"
+        mysql.rows[0]: "1,33030219971120201X"
+  - filter:
+      count: 1
+      match:
+        tx_id: 3
+        pcap_cnt: 43
+        src_ip: 172.18.0.3
+        src_port: 3306
+        dest_port: 35316
+        dest_ip: 172.18.0.1
+        proto: "TCP"
+        direction: "to_client"
+        event_type: alert
+        alert.action: "allowed"
+        alert.signature: "test mysql"
+        alert.signature_id: 1
+        alert.severity: 3
+        alert.metadata.mysql[0]: "rows"
+        mysql.version: "9.0.1"
+        mysql.tls: false
+        mysql.command: "select * from test.identify where identify = 33030219971120201X"
+        mysql.rows[0]: "1,33030219971120201X"
         
diff --git a/tests/mysql-tls/suricata.yaml b/tests/mysql-tls/suricata.yaml
new file mode 100644
index 000000000..36b63fcb3
--- /dev/null
+++ b/tests/mysql-tls/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - mysql
+        - tls
+
+app-layer:
+  protocols:
+    mysql:
+      enabled: yes
+    tls:
+      enabled: yes
diff --git a/tests/mysql-tls/test.yaml b/tests/mysql-tls/test.yaml
index 76e72662d..990f539bc 100644
--- a/tests/mysql-tls/test.yaml
+++ b/tests/mysql-tls/test.yaml
@@ -9,11 +9,20 @@ checks:
 - filter:
     count: 1
     match:
+      src_ip: 172.18.0.1
+      src_port: 36592
+      dest_ip: 172.18.0.3
+      dest_port: 3306
+      proto: TCP
       event_type: mysql
       mysql.tls: true
 - filter:
     count: 1
     match:
-      app_proto: tls
-      app_proto_orig: mysql
-
+      src_ip: 172.18.0.1
+      src_port: 36592
+      dest_ip: 172.18.0.3
+      dest_port: 3306
+      proto: TCP
+      event_type: tls
+      tls.from_proto: mysql
\ No newline at end of file