diff --git a/tests/mysql-command/input.pcap b/tests/mysql-command/input.pcap
new file mode 100644
index 000000000..cfec35de2
Binary files /dev/null and b/tests/mysql-command/input.pcap differ
diff --git a/tests/mysql-command/suricata.yaml b/tests/mysql-command/suricata.yaml
new file mode 100644
index 000000000..4f6e6be34
--- /dev/null
+++ b/tests/mysql-command/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-command/test.rules b/tests/mysql-command/test.rules
new file mode 100644
index 000000000..a74b8ebd8
--- /dev/null
+++ b/tests/mysql-command/test.rules
@@ -0,0 +1 @@
+alert mysql any any -> any any (msg:"test mysql";mysql.command; pcre:"/(?:[1-9]\d{5})(?:(?:1[89]\d{2}|2\d{3})(?:0[1-9]|1[012])(?:0[1-9]|[12][0-9]|3[01]))\d{2}(?:\d)(?:[0-9xX])/i""; sid:1;)
diff --git a/tests/mysql-command/test.yaml b/tests/mysql-command/test.yaml
new file mode 100644
index 000000000..2a597e84c
--- /dev/null
+++ b/tests/mysql-command/test.yaml
@@ -0,0 +1,11 @@
+args:
+- -k none
+
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "test mysql"
+
diff --git a/tests/mysql-prepare-statement/README.md b/tests/mysql-prepare-statement/README.md
new file mode 100644
index 000000000..f3c46bf42
--- /dev/null
+++ b/tests/mysql-prepare-statement/README.md
@@ -0,0 +1,6 @@
+# Test Description
+
+Test mysql prepare statement like `select * from xxx where id = ?`.
+
+## PCAP
+This PCAP was generated from flow in my workspace.
diff --git a/tests/mysql-prepare-statement/input.pcap b/tests/mysql-prepare-statement/input.pcap
new file mode 100644
index 000000000..b6367a427
Binary files /dev/null and b/tests/mysql-prepare-statement/input.pcap differ
diff --git a/tests/mysql-prepare-statement/test.yaml b/tests/mysql-prepare-statement/test.yaml
new file mode 100644
index 000000000..38c69293f
--- /dev/null
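Review bot: The pcre option in tests/mysql-command/test.rules ends in `/i""; sid:1;)` — the doubled quote after the flag looks like a typo rather than intended option syntax, and if the rule fails to load the only symptom is the missing alert that test.yaml counts; please confirm the rule loads cleanly or change the ending to `pcre:"/…/i"; sid:1;`. The regex itself (a 6-digit prefix, a 19xx/20xx date, two digits, one digit, a check character) is undocumented, and unlike mysql-prepare-statement and mysql-query this directory has no README.md saying what the PCAP carries or what the pattern is meant to match; a short README with the same two headings as the other tests would cover that. The same doubled quote and missing README apply to tests/mysql-rows/test.rules on the last line of this diff.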
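Review bot: tests/mysql-command/test.yaml has no `requires:` block, while tests/mysql-prepare-statement/test.yaml and tests/mysql-query/test.yaml both declare `min-version: 8`; this test depends on the same mysql app-layer plus the mysql.command keyword, so on an older Suricata it would presumably fail instead of being skipped. Add the same two lines at the top: `requires:` / `  min-version: 8`. The single check only asserts one alert with signature "test mysql" and the accompanying suricata.yaml logs only the `alert` type, so nothing pins which command buffer the pcre matched; adding the mysql event type to the eve `types` list and a filter on `event_type: mysql` with a `mysql.command` match would make an accidental match visible. tests/mysql-rows/test.yaml on the last line of this diff has the same missing `requires:` block.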
+++ b/tests/mysql-prepare-statement/test.yaml
@@ -0,0 +1,73 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =1 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =2 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=3 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =4 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =5 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =6 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =7 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=8 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=9 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
diff --git a/tests/mysql-query/README.md b/tests/mysql-query/README.md
new file mode 100644
index 000000000..1de54b6bc
--- /dev/null
+++ b/tests/mysql-query/README.md
@@ -0,0 +1,6 @@
+# Test Description
+
+Test mysql normal sql statement.
+
+## PCAP
+This PCAP was generated from flow in my workspace.
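Review bot: Three of the `mysql.command` values in tests/mysql-prepare-statement/test.yaml (the `id=3`, `id=8` and `id=9` filters) are split over two lines, with the trailing `1` on a continuation line; YAML folds that plain scalar back into `… limit 1`, but the intent is invisible to a reader and an indentation slip could turn the `1` into a separate key or a parse error. Quote each command on a single line, e.g. `mysql.command: "select * from requests WHERE id=3 and client_code=client2 limit 1"`, as tests/mysql-query/test.yaml already does for its commands. The nine filters otherwise differ only in the command string, so a one-line README note on why ids 3, 8 and 9 carry the extra `client_code` predicate would help the next person who has to regenerate the PCAP.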
diff --git a/tests/mysql-query/input.pcap b/tests/mysql-query/input.pcap
new file mode 100644
index 000000000..458bc25e8
Binary files /dev/null and b/tests/mysql-query/input.pcap differ
diff --git a/tests/mysql-query/test.yaml b/tests/mysql-query/test.yaml
new file mode 100644
index 000000000..6ef841238
--- /dev/null
+++ b/tests/mysql-query/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.version: 8.0.32
+ mysql.tls: false
+ mysql.command: "SELECT VERSION()"
+ mysql.rows[0]: "8.0.32"
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.version: 8.0.32
+ mysql.tls: false
+ mysql.command: "ping"
diff --git a/tests/mysql-rows/input.pcap b/tests/mysql-rows/input.pcap
new file mode 100644
index 000000000..cfec35de2
Binary files /dev/null and b/tests/mysql-rows/input.pcap differ
diff --git a/tests/mysql-rows/suricata.yaml b/tests/mysql-rows/suricata.yaml
new file mode 100644
index 000000000..4f6e6be34
--- /dev/null
+++ b/tests/mysql-rows/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-rows/test.rules b/tests/mysql-rows/test.rules
new file mode 100644
index 000000000..075d8ba43
--- /dev/null
+++ b/tests/mysql-rows/test.rules
@@ -0,0 +1 @@
+alert mysql any any -> any any (msg:"test mysql";mysql.rows; pcre:"/(?:[1-9]\d{5})(?:(?:1[89]\d{2}|2\d{3})(?:0[1-9]|1[012])(?:0[1-9]|[12][0-9]|3[01]))\d{2}(?:\d)(?:[0-9xX])/i""; sid:1;)
diff --git a/tests/mysql-rows/test.yaml b/tests/mysql-rows/test.yaml
new file mode 100644
index 000000000..2dea04e54
--- /dev/null
+++ b/tests/mysql-rows/test.yaml
@@ -0,0 +1,10 @@
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "test mysql"
+