[Zeek] Adding MySQL TLS Functionality

Andrew Klaus andrew at aklaus.ca
Thu Apr 2 09:29:30 PDT 2020


Hello,

I'm working on adding TLS support for MySQL in the Zeek master branch. Our
mysql.log is filling up with a lot of encrypted TLS traffic which isn't
overly helpful to us. Rather than ignore this log entirely, I'd like to
just add TLS handshake functionality to the analyzer.

I found that there's a `Client_Capabilities` enum type within the MySQL
Analyzer that I've added the `CLIENT_SSL` bitmask to, which seems to
compare against the right bits in the initial handshake.

However, when I try to create a new TLSHandshake() function in MySQL.cc to
call when this type of handshake is detected, similar to how the IMAP
analyzer's StartTLS function works, I can't quite get it to compile:

Error:
------------------
/home/zeek/build/src/analyzer/protocol/mysql/mysql_pac.cc: In member
function ‘bool
binpac::MySQL::MySQL_Flow::proc_mysql_handshake_response_packet(binpac::MySQL::Handshake_Response_Packet*)’:
/home/zeek/build/src/analyzer/protocol/mysql/mysql_pac.cc:3042:35: error:
‘class analyzer::Analyzer’ has no member named ‘TLSHandshake’
     connection()->bro_analyzer()->TLSHandshake();
                                   ^~~~~~~~~~~~
src/analyzer/protocol/mysql/CMakeFiles/plugin-Zeek-MySQL.dir/build.make:190:
recipe for target
'src/analyzer/protocol/mysql/CMakeFiles/plugin-Zeek-MySQL.dir/mysql_pac.cc.o'
failed
make[3]: ***
[src/analyzer/protocol/mysql/CMakeFiles/plugin-Zeek-MySQL.dir/mysql_pac.cc.o]
Error 1
-----------------

I know it's probably trivial, but I can't quite figure it out. From what I
can tell, I've added the necessary function declaration to the MySQL.h
header file, as well as the function to MySQL.cc.

This is the branch I'm working off, with the diff of Zeek master here:
https://github.com/zeek/zeek/compare/master...precurse:mysql-ssl

Any help would be really appreciated. I haven't written an analyzer, so if
there's anything that I could do better please let me know.

Thanks!
Andrew
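The compiler message above says exactly what is wrong: `bro_analyzer()` in the generated flow returns the base type `analyzer::Analyzer*`, and `TLSHandshake()` is declared only on the MySQL analyzer subclass, so the call has to go through a cast to the concrete type (the IMAP analyzer's .pac code calls its `StartTLS()` through such a static_cast). The following is an added, stand-alone model of that situation, not Zeek's own code: the `Analyzer`, `MySQL_Analyzer` and `MySQL_Flow` classes here are simplified stand-ins for the real ones, `TLSHandshake()` just records that the session switched to TLS instead of handing the stream to Zeek's SSL analyzer, and the only protocol fact used is that `CLIENT_SSL` is bit 0x0800 of the little-endian capability flags at the start of a MySQL Handshake Response packet. The sample packet bytes are constructed for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

namespace analyzer {

// Stand-in for Zeek's analyzer::Analyzer base class. It knows nothing
// about MySQL, which is why calling TLSHandshake() on it cannot compile.
class Analyzer {
public:
    virtual ~Analyzer() = default;
    virtual std::string GetAnalyzerName() const { return "Analyzer"; }
};

namespace mysql {

// CLIENT_SSL capability bit from the MySQL client/server protocol.
constexpr uint32_t CLIENT_SSL = 0x00000800;

// Stand-in for the MySQL_Analyzer subclass that the post adds
// TLSHandshake() to in MySQL.h / MySQL.cc.
class MySQL_Analyzer : public Analyzer {
public:
    std::string GetAnalyzerName() const override { return "MySQL"; }

    // Model of the new method: in Zeek this is where the analyzer would stop
    // parsing MySQL and hand the remaining stream to the SSL analyzer.
    void TLSHandshake() { tls_started_ = true; }
    bool TLSStarted() const { return tls_started_; }

private:
    bool tls_started_ = false;
};

} // namespace mysql
} // namespace analyzer

// Model of the binpac-generated flow: like the real one it only holds a
// base-class pointer, so the subclass method needs an explicit downcast.
class MySQL_Flow {
public:
    explicit MySQL_Flow(analyzer::Analyzer* a) : bro_analyzer_(a) {}
    analyzer::Analyzer* bro_analyzer() { return bro_analyzer_; }

    // The first four bytes of a Handshake Response payload are the
    // little-endian client capability flags.
    static uint32_t capability_flags(const std::vector<uint8_t>& payload) {
        if (payload.size() < 4)
            return 0;
        return uint32_t(payload[0]) | (uint32_t(payload[1]) << 8) |
               (uint32_t(payload[2]) << 16) | (uint32_t(payload[3]) << 24);
    }

    // Returns true when the client asked to switch to TLS.
    bool proc_handshake_response(const std::vector<uint8_t>& payload) {
        uint32_t caps = capability_flags(payload);
        if (caps & analyzer::mysql::CLIENT_SSL) {
            // The fix for the compile error: cast the base pointer to the
            // concrete analyzer type that declares TLSHandshake().
            static_cast<analyzer::mysql::MySQL_Analyzer*>(bro_analyzer())->TLSHandshake();
            return true;
        }
        return false;
    }

private:
    analyzer::Analyzer* bro_analyzer_;
};

// Builds a constructed Handshake Response payload (capability flags,
// max packet size, charset; later fields omitted) and reports whether
// the analyzer recorded a TLS switch after processing it.
bool handshake_starts_tls(uint32_t caps) {
    analyzer::mysql::MySQL_Analyzer a;
    MySQL_Flow flow(&a);
    std::vector<uint8_t> payload = {
        uint8_t(caps), uint8_t(caps >> 8), uint8_t(caps >> 16), uint8_t(caps >> 24),
        0x00, 0x00, 0x00, 0x01, // max packet size (constructed)
        0x21                    // charset utf8_general_ci
    };
    flow.proc_handshake_response(payload);
    return a.TLSStarted();
}

int main() {
    // 0x000aaa8d has CLIENT_SSL set; clearing bit 0x800 must not trigger it.
    bool ok = handshake_starts_tls(0x000aaa8d) && !handshake_starts_tls(0x000aa28d);
    return ok ? 0 : 1;
}
```

The same cast applies in the real `.pac` code in place of the failing `connection()->bro_analyzer()->TLSHandshake()` line; the downcast is safe there because the flow is only ever instantiated by the MySQL analyzer. Once the switch is recorded, the analyzer should stop feeding bytes to the MySQL parser, otherwise the encrypted stream will show up as protocol violations.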