[Zeek] Adding MySQL TLS Functionality

Andrew Klaus andrew at aklaus.ca
Thu Apr 2 15:34:49 PDT 2020

So now that it's compiling, I'm able to work further on this. I was
successful in generating ssl.log for SSL connections. However, I'm running
into some logic issues where ALL connections are getting flagged as being
SSL-enabled handshakes. I've narrowed it down to the logic where
`msg.v10_response.client_ssl` is being set to true for both SSL-handshake
and non-encrypted connections.  This boolean is being generated from:

client_ssl: bool = $context.connection.set_client_ssl(cap_flags &

Looking at the MySQL documentation, I see that the CLIENT_DEPRECATE_EOF
matches correctly:
with the MySQL Documentation (0x01000000)  (

I've appended the CLIENT_SSL  (Value 0x00000800) to the enum type, which is
bitmasked against the Handshake_Response_Packet_v10.cap_flags (uint32)

When I printf() the msg.v10_response.client_ssl here::

       function proc_mysql_handshake_response_packet(msg:
Handshake_Response_Packet): bool

                if ( mysql_handshake )
                        if ( ${msg.version} == 10 &&
${msg.v10_response.client_ssl}) {

I'm seeing the value of 4026597376 set for this variable when I use the
zeek cli to parse my MySQL SSL-handshake PCAP. The value that is being
returned for this field between Zeek and Wireshark are very different. This
is for the same connection:

Zeek returns:
4026597376  (1111 0000 0000 0001 0000 0000 0000 0000)

Wireshark shows:
(Client Capabilities section)
1010 1010 10000 1101

(Extended capabilities section)
0000 0001 1011 1111

I _think_ I'm comparing what should be the same fields. Let me know any of
these steps don't seem right.

Thanks for the help!


On Thu, Apr 2, 2020 at 1:09 PM Jon Siwek <jsiwek at corelight.com> wrote:

> On Thu, Apr 2, 2020 at 11:11 AM Andrew Klaus <andrew at aklaus.ca> wrote:
> > /home/zeek/build/src/analyzer/protocol/mysql/mysql_pac.cc: In member
> function ‘bool
> binpac::MySQL::MySQL_Flow::proc_mysql_handshake_response_packet(binpac::MySQL::Handshake_Response_Packet*)’:
> > /home/zeek/build/src/analyzer/protocol/mysql/mysql_pac.cc:3042:27:
> error: ‘MySQL’ in namespace ‘analyzer’ does not name a type
> >
> static_cast<analyzer::MySQL::MySQL_Analyzer>(connection()->bro_analyzer())->TLSHandshake();
> >                            ^~~~~
> You may need to shuffle some of the header includes around, see if the
> attached patch helps.
> I also had a typo in the example cast, it should have been casting to
> a pointer-type with '*', like:
>  static_cast<analyzer::MySQL::MySQL_Analyzer*>(connection()->bro_analyzer());
> - Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200402/7ac99074/attachment-0001.html 

More information about the Zeek mailing list