[Zeek] Adding MySQL TLS Functionality
Andrew Klaus
andrew at aklaus.ca
Thu Apr 2 15:34:49 PDT 2020
So now that it's compiling, I'm able to work further on this. I was
successful in generating ssl.log for SSL connections. However, I'm running
into some logic issues where ALL connections are getting flagged as being
SSL-enabled handshakes. I've narrowed it down to the logic where
`msg.v10_response.client_ssl` is being set to true for both SSL-handshake
and non-encrypted connections. This boolean is being generated from:
client_ssl: bool = $context.connection.set_client_ssl(cap_flags &
CLIENT_SSL);
Looking at the MySQL documentation, I see that the CLIENT_DEPRECATE_EOF
matches correctly:
https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/mysql/mysql-protocol.pac#L156
with the MySQL Documentation (0x01000000) (
https://dev.mysql.com/doc/internals/en/capability-flags.html#packet-Protocol::CapabilityFlags
)
I've appended the CLIENT_SSL (Value 0x00000800) to the enum type, which is
bitmasked against the Handshake_Response_Packet_v10.cap_flags (uint32)
record.
When I printf() the msg.v10_response.client_ssl here::
function proc_mysql_handshake_response_packet(msg:
Handshake_Response_Packet): bool
%{
...
if ( mysql_handshake )
{
if ( ${msg.version} == 10 &&
${msg.v10_response.client_ssl}) {
fprintf(stderr,
"%u\n",${msg.v10_response.cap_flags});
...
I'm seeing the value of 4026597376 set for this variable when I use the
zeek cli to parse my MySQL SSL-handshake PCAP. The value that is being
returned for this field between Zeek and Wireshark are very different. This
is for the same connection:
Zeek returns:
4026597376 (1111 0000 0000 0001 0000 0000 0000 0000)
Wireshark shows:
(Client Capabilities section)
1010 1010 10000 1101
(Extended capabilities section)
0000 0001 1011 1111
I _think_ I'm comparing what should be the same fields. Let me know any of
these steps don't seem right.
Thanks for the help!
Andrew
On Thu, Apr 2, 2020 at 1:09 PM Jon Siwek <jsiwek at corelight.com> wrote:
> On Thu, Apr 2, 2020 at 11:11 AM Andrew Klaus <andrew at aklaus.ca> wrote:
>
> > /home/zeek/build/src/analyzer/protocol/mysql/mysql_pac.cc: In member
> function ‘bool
> binpac::MySQL::MySQL_Flow::proc_mysql_handshake_response_packet(binpac::MySQL::Handshake_Response_Packet*)’:
> > /home/zeek/build/src/analyzer/protocol/mysql/mysql_pac.cc:3042:27:
> error: ‘MySQL’ in namespace ‘analyzer’ does not name a type
> >
> static_cast<analyzer::MySQL::MySQL_Analyzer>(connection()->bro_analyzer())->TLSHandshake();
> > ^~~~~
>
> You may need to shuffle some of the header includes around, see if the
> attached patch helps.
>
> I also had a typo in the example cast, it should have been casting to
> a pointer-type with '*', like:
>
>
> static_cast<analyzer::MySQL::MySQL_Analyzer*>(connection()->bro_analyzer());
>
> - Jon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200402/7ac99074/attachment-0001.html
More information about the Zeek
mailing list