-
Notifications
You must be signed in to change notification settings - Fork 94
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Qiankai Lin
committed
Sep 26, 2024
1 parent
f27b795
commit d2a6dc1
Showing
14 changed files
with
160 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| %YAML 1.1 | ||
| --- | ||
|
|
||
| outputs: | ||
| - eve-log: | ||
| enabled: yes | ||
| filetype: regular | ||
| filename: eve.json | ||
| types: | ||
| - alert | ||
|
|
||
| app-layer: | ||
| protocols: | ||
| mysql: | ||
| enabled: yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| alert mysql any any -> any any (msg:"test mysql";mysql.command; pcre:"/(?:[1-9]\d{5})(?:(?:1[89]\d{2}|2\d{3})(?:0[1-9]|1[012])(?:0[1-9]|[12][0-9]|3[01]))\d{2}(?:\d)(?:[0-9xX])/i""; sid:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| args: | ||
| - -k none | ||
|
|
||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature: "test mysql" | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # Test Description | ||
|
|
||
| Test mysql prepare statement like `select * from xxx where id = ?`. | ||
|
|
||
| ## PCAP | ||
| This PCAP was generated from flow in my workspace. |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id =1 limit 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id =2 limit 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id=3 and client_code=client2 limit | ||
| 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id =4 limit 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id =5 limit 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id =6 limit 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id =7 limit 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id=8 and client_code=client2 limit | ||
| 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.command: select * from requests WHERE id=9 and client_code=client2 limit | ||
| 1 | ||
| mysql.tls: false | ||
| mysql.version: 8.4.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # Test Description | ||
|
|
||
| Test mysql normal sql statement. | ||
|
|
||
| ## PCAP | ||
| This PCAP was generated from flow in my workspace. |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.version: 8.0.32 | ||
| mysql.tls: false | ||
| mysql.command: "SELECT VERSION()" | ||
| mysql.rows[0]: "8.0.32" | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: mysql | ||
| mysql.version: 8.0.32 | ||
| mysql.tls: false | ||
| mysql.command: "ping" |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| %YAML 1.1 | ||
| --- | ||
|
|
||
| outputs: | ||
| - eve-log: | ||
| enabled: yes | ||
| filetype: regular | ||
| filename: eve.json | ||
| types: | ||
| - alert | ||
|
|
||
| app-layer: | ||
| protocols: | ||
| mysql: | ||
| enabled: yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| alert mysql any any -> any any (msg:"test mysql";mysql.rows; pcre:"/(?:[1-9]\d{5})(?:(?:1[89]\d{2}|2\d{3})(?:0[1-9]|1[012])(?:0[1-9]|[12][0-9]|3[01]))\d{2}(?:\d)(?:[0-9xX])/i""; sid:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature: "test mysql" | ||
|
|