<div dir="ltr"><div>So now that it's compiling, I'm able to work further on this. I was successful in generating ssl.log for SSL connections. However, I'm running into some logic issues where ALL connections are getting flagged as being SSL-enabled handshakes. I've narrowed it down to the logic where `msg.v10_response.client_ssl` is being set to true for both SSL-handshake and non-encrypted connections. This boolean is being generated from:</div><div><br></div><div>client_ssl: bool = $context.connection.set_client_ssl(cap_flags & CLIENT_SSL);<br></div><div><br></div><div><br></div><div>Looking at the MySQL documentation, I see that the CLIENT_DEPRECATE_EOF matches correctly: <a href="https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/mysql/mysql-protocol.pac#L156">https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/mysql/mysql-protocol.pac#L156</a></div><div>with the MySQL Documentation (0x01000000) (<a href="https://dev.mysql.com/doc/internals/en/capability-flags.html#packet-Protocol::CapabilityFlags">https://dev.mysql.com/doc/internals/en/capability-flags.html#packet-Protocol::CapabilityFlags</a>) </div><div><br></div><div>I've appended the CLIENT_SSL (Value 0x00000800) to the enum type, which is bitmasked against the Handshake_Response_Packet_v10.cap_flags (uint32) record. </div><div><br></div><div>When I printf() the msg.v10_response.client_ssl here:</div><div><br></div><div> function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool<br> %{<br>...<br><br> if ( mysql_handshake )<br> {<br> if ( ${msg.version} == 10 && ${msg.v10_response.client_ssl}) {<br> fprintf(stderr, "%u\n",${msg.v10_response.cap_flags});<br></div><div>...</div><div><br></div><div>I'm seeing the value of 4026597376 set for this variable when I use the zeek cli to parse my MySQL SSL-handshake PCAP. The values that are being returned for this field by Zeek and Wireshark are very different. 
This is for the same connection:</div><div><br></div>Zeek returns:<br>4026597376 (1111 0000 0000 0001 0000 0000 0000 0000)<br><br>Wireshark shows:<br>(Client Capabilities section)<br>1010 1010 1000 1101 <br><br>(Extended capabilities section)<br>0000 0001 1011 1111<br><div><br></div><div>I _think_ I'm comparing what should be the same fields. Let me know if any of these steps don't seem right.<br></div><div><br></div><div>Thanks for the help!</div><div><br></div><div>Andrew</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 2, 2020 at 1:09 PM Jon Siwek <<a href="mailto:jsiwek@corelight.com">jsiwek@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, Apr 2, 2020 at 11:11 AM Andrew Klaus <<a href="mailto:andrew@aklaus.ca" target="_blank">andrew@aklaus.ca</a>> wrote:<br>
<br>
> /home/zeek/build/src/analyzer/protocol/mysql/mysql_pac.cc: In member function ‘bool binpac::MySQL::MySQL_Flow::proc_mysql_handshake_response_packet(binpac::MySQL::Handshake_Response_Packet*)’:<br>
> /home/zeek/build/src/analyzer/protocol/mysql/mysql_pac.cc:3042:27: error: ‘MySQL’ in namespace ‘analyzer’ does not name a type<br>
> static_cast<analyzer::MySQL::MySQL_Analyzer>(connection()->bro_analyzer())->TLSHandshake();<br>
> ^~~~~<br>
<br>
You may need to shuffle some of the header includes around, see if the<br>
attached patch helps.<br>
<br>
I also had a typo in the example cast, it should have been casting to<br>
a pointer-type with '*', like:<br>
<br>
static_cast<analyzer::MySQL::MySQL_Analyzer*>(connection()->bro_analyzer());<br>
<br>
- Jon<br>
</blockquote></div>
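<div>The capability-flag comparison discussed in the thread, as an added worked example that is not part of the e-mail exchange and not Zeek's MySQL analyzer code. It builds two constructed client packets (an SSLRequest and a plaintext HandshakeResponse41) and parses the 4-byte little-endian <code>cap_flags</code> word the way the MySQL documentation defines it. Wireshark renders that one uint32 as two 16-bit halves: the low half as "Client Capabilities" and the high half as "Extended Client Capabilities". The flag word 0x01BFAA8D used below is an assumption assembled from the two halves quoted in the message, and the packet bytes, username and sequence numbers are constructed for the example. The example also shows what the same four bytes look like if they are read big-endian, since a byte-order or offset mistake is the usual reason a parser's number and Wireshark's number for the same field disagree; it does not claim that is what is happening in the analyzer above.</div>

```python
import struct

# Capability bits as listed in the MySQL Protocol::CapabilityFlags documentation.
CLIENT_PROTOCOL_41   = 0x00000200
CLIENT_SSL           = 0x00000800
CLIENT_DEPRECATE_EOF = 0x01000000

# Fixed-size prefix shared by SSLRequest and HandshakeResponse41:
# cap_flags(4) + max_packet_size(4) + charset(1) + reserved(23) = 32 bytes.
# An SSLRequest is exactly this prefix; HandshakeResponse41 continues with the username.
FIXED_PREFIX_LEN = 32

# Flag word assumed from the two 16-bit halves quoted in the message:
# extended capabilities 0x01BF, client capabilities 0xAA8D.
EXAMPLE_CAP_FLAGS = (0x01BF << 16) | 0xAA8D


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """Wrap a payload in the MySQL packet header: 3-byte little-endian length + sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def build_ssl_request(cap_flags: int, seq: int = 1) -> bytes:
    """Constructed SSLRequest: the 32-byte fixed prefix only; the client then starts TLS."""
    payload = struct.pack("<IIB", cap_flags, 16777215, 0x21) + b"\x00" * 23
    return mysql_packet(payload, seq)


def build_handshake_response41(cap_flags: int, username: bytes, seq: int = 1) -> bytes:
    """Constructed plaintext HandshakeResponse41 with a NUL-terminated user and empty auth-response."""
    payload = (struct.pack("<IIB", cap_flags, 16777215, 0x21) + b"\x00" * 23
               + username + b"\x00"   # username, NUL-terminated
               + b"\x00")             # auth-response length 0 (constructed; no real auth data)
    return mysql_packet(payload, seq)


def parse_capabilities(packet: bytes) -> dict:
    """Read cap_flags from a client handshake packet and split it the way Wireshark displays it."""
    length = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + length]
    if len(payload) < FIXED_PREFIX_LEN:
        raise ValueError("payload shorter than the 32-byte fixed prefix")
    cap_flags = struct.unpack_from("<I", payload, 0)[0]   # little-endian, per the protocol
    return {
        "cap_flags": cap_flags,
        "client_capabilities": cap_flags & 0xFFFF,         # Wireshark "Client Capabilities"
        "extended_capabilities": cap_flags >> 16,          # Wireshark "Extended Client Capabilities"
        "protocol_41": bool(cap_flags & CLIENT_PROTOCOL_41),
        "client_ssl": bool(cap_flags & CLIENT_SSL),
        "deprecate_eof": bool(cap_flags & CLIENT_DEPRECATE_EOF),
        # Heuristic: a client that set CLIENT_SSL sends only the fixed prefix before TLS starts.
        "is_ssl_request": bool(cap_flags & CLIENT_SSL) and len(payload) == FIXED_PREFIX_LEN,
        # The same four bytes misread as big-endian, for comparison with a suspect parser value.
        "cap_flags_if_read_big_endian": struct.unpack_from(">I", payload, 0)[0],
    }


def bits32(value: int) -> str:
    """Render a uint32 as nibble groups, the same layout used for the numbers in the thread."""
    s = format(value & 0xFFFFFFFF, "032b")
    return " ".join(s[i:i + 4] for i in range(0, 32, 4))


if __name__ == "__main__":
    ssl_pkt = build_ssl_request(EXAMPLE_CAP_FLAGS)
    plain_pkt = build_handshake_response41(EXAMPLE_CAP_FLAGS & ~CLIENT_SSL, b"app_user")
    for name, pkt in (("SSLRequest", ssl_pkt), ("HandshakeResponse41", plain_pkt)):
        r = parse_capabilities(pkt)
        print(f"{name}: cap_flags=0x{r['cap_flags']:08X} ({bits32(r['cap_flags'])})")
        print(f"  client=0x{r['client_capabilities']:04X} extended=0x{r['extended_capabilities']:04X}"
              f" CLIENT_SSL={r['client_ssl']} CLIENT_DEPRECATE_EOF={r['deprecate_eof']}"
              f" ssl_request={r['is_ssl_request']}")
        print(f"  same bytes read big-endian: 0x{r['cap_flags_if_read_big_endian']:08X}")
```

<div>A value that differs from Wireshark's by this much is worth checking first for byte order and for the offset at which the parser starts reading <code>cap_flags</code>; comparing <code>bits32()</code> of the parser's number against the two 16-bit halves Wireshark prints makes either slip visible at a glance.</div>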