mysql: add more checks in test
Task #3446
QianKaiLin committed Oct 26, 2024
1 parent fbcefeb commit cc4a275
Showing 8 changed files with 165 additions and 4 deletions.
11 changes: 11 additions & 0 deletions tests/mysql-command/test.yaml
Expand Up @@ -8,7 +8,18 @@ checks:
- filter:
count: 1
match:
pcap_cnt: 40
src_ip: 172.18.0.1
src_port: 35316
dest_ip: 172.18.0.3
dest_port: 3306
proto: "TCP"
direction: "to_server"
event_type: alert
alert.signature: "test mysql"
alert.signature_id: 1
alert.severity: 3
alert.metadata.mysql[0]: "command"
mysql.command: "select * from test.identify where identify = 33030219971120201X"
mysql.rows[0]: "1,33030219971120201X"
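Review bot: The value `33030219971120201X` asserted on `mysql.command` and `mysql.rows[0]` here (and again in tests/mysql-rows/test.yaml in this commit) has the shape of an 18-digit national identity number rather than an obviously synthetic fixture value, and the same string is presumably carried in the committed pcap. If it was captured from real data it should be replaced with a clearly fake identifier before the capture is published; if it is synthetic, a one-line note in the test's README saying so would save the next reviewer the same question. The `checks:` list this filter belongs to starts above the hunk.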

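--- a/tests/mysql-multi-queries/README.md
+++ b/tests/mysql-multi-queries/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+TODO: Simple description of what this test is for.
+
+## PCAP
+
+TODO: What is the source of this PCAP.
+
+## Related issues
+
+TODO: Issue numbers or links to related issues.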
Binary file added tests/mysql-multi-queries/input.pcap
Binary file not shown.
15 changes: 15 additions & 0 deletions tests/mysql-multi-queries/suricata.yaml
@@ -0,0 +1,15 @@
%YAML 1.1
---

outputs:
- eve-log:
enabled: yes
filetype: regular
filename: eve.json
types:
- mysql

app-layer:
protocols:
mysql:
enabled: yes
61 changes: 61 additions & 0 deletions tests/mysql-multi-queries/test.yaml
@@ -0,0 +1,61 @@
requires:
min-version: 8

args:
- -k none

checks:
- filter:
count: 1
match:
dest_ip: 172.16.10.104
dest_port: 3306
pcap_cnt: 14
event_type: mysql
mysql.affected_rows: 0
mysql.command: SET NAMES utf8mb4
mysql.tls: false
mysql.version: 8.0.32
proto: TCP
src_ip: 172.16.10.222
src_port: 42074
- filter:
count: 1
match:
dest_ip: 172.16.10.104
dest_port: 3306
event_type: mysql
mysql.command: SELECT VERSION()
mysql.rows[0]: 8.0.32
mysql.tls: false
mysql.version: 8.0.32
proto: TCP
src_ip: 172.16.10.222
src_port: 42074
- filter:
count: 1
match:
dest_ip: 172.16.10.104
dest_port: 3306
pcap_cnt: 20
event_type: mysql
mysql.affected_rows: 0
mysql.command: ping
mysql.tls: false
mysql.version: 8.0.32
proto: TCP
src_ip: 172.16.10.222
src_port: 42074
- filter:
count: 1
match:
dest_ip: 172.16.10.104
dest_port: 3306
event_type: mysql
mysql.command: SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='sentinel_flow_admin'
mysql.rows[0]: sentinel_flow_admin
mysql.tls: false
mysql.version: 8.0.32
proto: TCP
src_ip: 172.16.10.222
src_port: 42074
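Review bot: The second and fourth filters pin no `pcap_cnt`, while the first and third do, so those two checks are anchored only on the command text and the 5-tuple; adding `pcap_cnt` to them as on the others would keep each check unambiguous if the capture ever contains the same query twice. Separately, `mysql.version: 8.0.32` and `mysql.rows[0]: 8.0.32` are plain scalars here whereas tests/mysql-rows/test.yaml in the same commit quotes its version as `"9.0.1"`; both parse as strings today, but quoting them (`mysql.version: "8.0.32"`, `mysql.rows[0]: "8.0.32"`) keeps the two files consistent and avoids a two-component version such as `8.1` later being read as a float.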
38 changes: 37 additions & 1 deletion tests/mysql-rows/test.yaml
Expand Up @@ -6,9 +6,45 @@ args:

checks:
- filter:
count: 2
count: 1
match:
tx_id: 1
pcap_cnt: 41
src_ip: 172.18.0.3
src_port: 3306
dest_port: 35318
dest_ip: 172.18.0.1
proto: "TCP"
event_type: alert
alert.action: "allowed"
alert.signature: "test mysql"
alert.signature_id: 1
alert.severity: 3
direction: "to_client"
alert.metadata.mysql[0]: "rows"
mysql.version: "9.0.1"
mysql.tls: false
mysql.command: "select * from test.identify where id = 1"
mysql.rows[0]: "1,33030219971120201X"
- filter:
count: 1
match:
tx_id: 3
pcap_cnt: 43
src_ip: 172.18.0.3
src_port: 3306
dest_port: 35316
dest_ip: 172.18.0.1
proto: "TCP"
direction: "to_client"
event_type: alert
alert.action: "allowed"
alert.signature: "test mysql"
alert.signature_id: 1
alert.severity: 3
alert.metadata.mysql[0]: "rows"
mysql.version: "9.0.1"
mysql.tls: false
mysql.command: "select * from test.identify where identify = 33030219971120201X"
mysql.rows[0]: "1,33030219971120201X"
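Review bot: The two filters address different client ports — the first matches `dest_port: 35318` and the second `dest_port: 35316`, and tests/mysql-command/test.yaml in this commit uses only 35316 — while both expect the same row `"1,33030219971120201X"`. If the capture holds two client connections this is intended; if it holds one, the first check matches nothing and fails its `count: 1`, so it is worth confirming against the pcap. A short comment above each filter naming the connection it covers (for example `# first client connection, tx 1`) would make the intent visible. The `checks:` list starts above the hunk.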

18 changes: 18 additions & 0 deletions tests/mysql-tls/suricata.yaml
@@ -0,0 +1,18 @@
%YAML 1.1
---

outputs:
- eve-log:
enabled: yes
filetype: regular
filename: eve.json
types:
- mysql
- tls

app-layer:
protocols:
mysql:
enabled: yes
tls:
enabled: yes
15 changes: 12 additions & 3 deletions tests/mysql-tls/test.yaml
Expand Up @@ -9,11 +9,20 @@ checks:
- filter:
count: 1
match:
src_ip: 172.18.0.1
src_port: 36592
dest_ip: 172.18.0.3
dest_port: 3306
proto: TCP
event_type: mysql
mysql.tls: true
- filter:
count: 1
match:
app_proto: tls
app_proto_orig: mysql

src_ip: 172.18.0.1
src_port: 36592
dest_ip: 172.18.0.3
dest_port: 3306
proto: TCP
event_type: tls
tls.from_proto: mysql
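Review bot: The second filter establishes only that an EVE `tls` record was written with `tls.from_proto: mysql`; nothing in either check confirms that the TLS parser actually decoded the upgraded stream (no `tls.version`, `tls.subject` or similar field is asserted), so a regression that records the protocol switch but fails to parse the handshake would still pass. If the capture contains a full handshake, asserting one decoded field — `tls.version: "<value taken from the eve output>"` — would tighten this. Both filters belong to the `checks:` list that starts above the hunk.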
