diff --git a/tests/mysql-command/README.md b/tests/mysql-command/README.md
new file mode 100644
index 000000000..b2703e415
--- /dev/null
+++ b/tests/mysql-command/README.md
@@ -0,0 +1,2 @@
+# Description
+Test sql query statement like `select * from xxx where xxx = yyy` args contents.
diff --git a/tests/mysql-command/input.pcap b/tests/mysql-command/input.pcap
new file mode 100644
index 000000000..cfec35de2
Binary files /dev/null and b/tests/mysql-command/input.pcap differ
diff --git a/tests/mysql-command/suricata.yaml b/tests/mysql-command/suricata.yaml
new file mode 100644
index 000000000..4f6e6be34
--- /dev/null
+++ b/tests/mysql-command/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-command/test.rules b/tests/mysql-command/test.rules
new file mode 100644
index 000000000..1aa830fe2
--- /dev/null
+++ b/tests/mysql-command/test.rules
@@ -0,0 +1 @@
+alert mysql any any -> any any (msg:"test mysql";mysql.command; content:"33030219971120201X"; metadata: mysql command; sid:1;)
diff --git a/tests/mysql-command/test.yaml b/tests/mysql-command/test.yaml
new file mode 100644
index 000000000..143306cf1
--- /dev/null
+++ b/tests/mysql-command/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 40
+ src_ip: 172.18.0.1
+ src_port: 35316
+ dest_ip: 172.18.0.3
+ dest_port: 3306
+ proto: "TCP"
+ direction: "to_server"
+ event_type: alert
+ alert.signature: "test mysql"
+ alert.signature_id: 1
+ alert.severity: 3
+ alert.metadata.mysql[0]: "command"
+ mysql.command: "select * from test.identify where identify = 33030219971120201X"
+ mysql.rows[0]: "1,33030219971120201X"
+
diff --git a/tests/mysql-multi-queries/README.md b/tests/mysql-multi-queries/README.md
new file mode 100644
index 000000000..a9bfb3ff7
--- /dev/null
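Review bot: The content match `33030219971120201X` in the new rule — and the same value pinned in `mysql.command` and `mysql.rows[0]` of tests/mysql-command/test.yaml, and again in tests/mysql-rows/test.rules and tests/mysql-rows/test.yaml — has the shape of a real 18-character national ID number (6-digit region code, 8-digit birth date, check digit `X`); unless it is known to be synthetic, the fixture and the shared input.pcap should be regenerated with a clearly fake identifier before this lands in a public repository. Both mysql-command and mysql-rows use the same capture (`index 000000000..cfec35de2`), so one regenerated pcap would serve both tests. The rule also carries `sid` without the conventional `rev`; `sid:1; rev:1;)` keeps it in line with the other rule files in the tree.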
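Review bot: The single filter bounds only its own match to `count: 1`, so an unexpected additional alert from the same rule on another transaction of the capture would pass unnoticed; a second filter with `match: {event_type: alert}` and `count` set to the expected total (1, if this is the only query in the pcap carrying the matched string — confirm against the capture) pins the overall alert count. The same applies to tests/mysql-rows/test.yaml. This check also omits `mysql.version` and `mysql.tls`, which mysql-rows asserts on the identical input.pcap; adding `mysql.version: "9.0.1"` and `mysql.tls: false` keeps the two tests consistent.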
+++ b/tests/mysql-multi-queries/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+TODO: Simple description of what this test is for.
+
+## PCAP
+
+TODO: What is the source of this PCAP.
+
+## Related issues
+
+TODO: Issue numbers or links to related issues.
diff --git a/tests/mysql-multi-queries/input.pcap b/tests/mysql-multi-queries/input.pcap
new file mode 100644
index 000000000..458bc25e8
Binary files /dev/null and b/tests/mysql-multi-queries/input.pcap differ
diff --git a/tests/mysql-multi-queries/suricata.yaml b/tests/mysql-multi-queries/suricata.yaml
new file mode 100644
index 000000000..070848120
--- /dev/null
+++ b/tests/mysql-multi-queries/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mysql
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-multi-queries/test.yaml b/tests/mysql-multi-queries/test.yaml
new file mode 100644
index 000000000..cd83e99bf
--- /dev/null
+++ b/tests/mysql-multi-queries/test.yaml
@@ -0,0 +1,61 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.10.104
+ dest_port: 3306
+ pcap_cnt: 14
+ event_type: mysql
+ mysql.affected_rows: 0
+ mysql.command: SET NAMES utf8mb4
+ mysql.tls: false
+ mysql.version: 8.0.32
+ proto: TCP
+ src_ip: 172.16.10.222
+ src_port: 42074
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.10.104
+ dest_port: 3306
+ event_type: mysql
+ mysql.command: SELECT VERSION()
+ mysql.rows[0]: 8.0.32
+ mysql.tls: false
+ mysql.version: 8.0.32
+ proto: TCP
+ src_ip: 172.16.10.222
+ src_port: 42074
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.10.104
+ dest_port: 3306
+ pcap_cnt: 20
+ event_type: mysql
+ mysql.affected_rows: 0
+ mysql.command: ping
+ mysql.tls: false
+ mysql.version: 8.0.32
+ proto: TCP
+ src_ip: 172.16.10.222
+ src_port: 42074
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.10.104
+ dest_port: 3306
+ event_type: mysql
+ mysql.command: SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='sentinel_flow_admin'
+ mysql.rows[0]: sentinel_flow_admin
+ mysql.tls: false
+ mysql.version: 8.0.32
+ proto: TCP
+ src_ip: 172.16.10.222
+ src_port: 42074
diff --git a/tests/mysql-prepare-statement/README.md b/tests/mysql-prepare-statement/README.md
new file mode 100644
index 000000000..f3c46bf42
--- /dev/null
+++ b/tests/mysql-prepare-statement/README.md
@@ -0,0 +1,6 @@
+# Test Description
+
+Test mysql prepare statement like `select * from xxx where id = ?`.
+
+## PCAP
+This PCAP was generated from flow in my workspace.
diff --git a/tests/mysql-prepare-statement/input.pcap b/tests/mysql-prepare-statement/input.pcap
new file mode 100644
index 000000000..b6367a427
Binary files /dev/null and b/tests/mysql-prepare-statement/input.pcap differ
diff --git a/tests/mysql-prepare-statement/suricata.yaml b/tests/mysql-prepare-statement/suricata.yaml
new file mode 100644
index 000000000..070848120
--- /dev/null
+++ b/tests/mysql-prepare-statement/suricata.yaml
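Review bot: The second and fourth filters (`SELECT VERSION()` and the `INFORMATION_SCHEMA.SCHEMATA` query) carry no `pcap_cnt`, while the first and third pin `pcap_cnt: 14` and `pcap_cnt: 20`; giving all four a packet number ties each check to one specific transaction instead of to whichever event happens to contain that command string. The README for this test is still the unedited template (three `TODO:` lines), so what the test is for — presumably several queries on one connection, judging by the shared `src_port: 42074` — is documented nowhere; a one-sentence description and the pcap origin would close that gap. Note also that this input.pcap is byte-identical to tests/mysql-query/input.pcap (both `index 000000000..458bc25e8`).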
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mysql
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-prepare-statement/test.yaml b/tests/mysql-prepare-statement/test.yaml
new file mode 100644
index 000000000..38c69293f
--- /dev/null
+++ b/tests/mysql-prepare-statement/test.yaml
@@ -0,0 +1,73 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =1 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =2 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=3 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =4 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =5 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =6 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id =7 limit 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=8 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.command: select * from requests WHERE id=9 and client_code=client2 limit
+ 1
+ mysql.tls: false
+ mysql.version: 8.4.0
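Review bot: Three of the expected `mysql.command` values are split across two plain-scalar lines (`... client_code=client2 limit` followed by `1`), which YAML folds back into a single space but which reads as though the expectation ends at `limit`; quoting each value on one line, e.g. `mysql.command: "select * from requests WHERE id=3 and client_code=client2 limit 1"`, removes the ambiguity. These checks pin a particular rendering of the bound parameters (`id =1`, and the string parameter as `client_code=client2` without quotes), which is what sets this test apart from tests/mysql-query; the README should say that the logged command is expected to be the prepared statement with its parameters substituted, so that a later change to that rendering is recognised as deliberate. None of the nine filters has `pcap_cnt` or `tx_id`, so each `count: 1` only states that the string occurs once somewhere in eve.json.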
diff --git a/tests/mysql-query/README.md b/tests/mysql-query/README.md
new file mode 100644
index 000000000..1de54b6bc
--- /dev/null
+++ b/tests/mysql-query/README.md
@@ -0,0 +1,6 @@
+# Test Description
+
+Test mysql normal sql statement.
+
+## PCAP
+This PCAP was generated from flow in my workspace.
diff --git a/tests/mysql-query/input.pcap b/tests/mysql-query/input.pcap
new file mode 100644
index 000000000..458bc25e8
Binary files /dev/null and b/tests/mysql-query/input.pcap differ
diff --git a/tests/mysql-query/suricata.yaml b/tests/mysql-query/suricata.yaml
new file mode 100644
index 000000000..070848120
--- /dev/null
+++ b/tests/mysql-query/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mysql
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-query/test.yaml b/tests/mysql-query/test.yaml
new file mode 100644
index 000000000..6ef841238
--- /dev/null
+++ b/tests/mysql-query/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.version: 8.0.32
+ mysql.tls: false
+ mysql.command: "SELECT VERSION()"
+ mysql.rows[0]: "8.0.32"
+- filter:
+ count: 1
+ match:
+ event_type: mysql
+ mysql.version: 8.0.32
+ mysql.tls: false
+ mysql.command: "ping"
diff --git a/tests/mysql-rows/README.md b/tests/mysql-rows/README.md
new file mode 100644
index 000000000..d43c04e34
--- /dev/null
+++ b/tests/mysql-rows/README.md
@@ -0,0 +1,2 @@
+# Description
+Test sql query 's result like `id,1,2,3,4,5` content
diff --git a/tests/mysql-rows/input.pcap b/tests/mysql-rows/input.pcap
new file mode 100644
index 000000000..cfec35de2
Binary files /dev/null and b/tests/mysql-rows/input.pcap differ
diff --git a/tests/mysql-rows/suricata.yaml b/tests/mysql-rows/suricata.yaml
new file mode 100644
index 000000000..4f6e6be34
--- /dev/null
+++ b/tests/mysql-rows/suricata.yaml
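Review bot: This test's input.pcap is the same file as tests/mysql-multi-queries/input.pcap (both `index 000000000..458bc25e8`), and its two checks — `SELECT VERSION()` with `mysql.rows[0]: "8.0.32"`, and `ping` — are a strict subset of the filters in tests/mysql-multi-queries/test.yaml, so the test adds no coverage of its own. Either drop it in favour of mysql-multi-queries, or give it a distinct capture and checks (for instance a statement that yields a non-zero `mysql.affected_rows`) so the README's "normal sql statement" purpose is actually exercised. If it is kept, note that the command strings are quoted here but left bare in mysql-multi-queries; one style across the new tests would be easier to maintain.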
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-rows/test.rules b/tests/mysql-rows/test.rules
new file mode 100644
index 000000000..a7626282c
--- /dev/null
+++ b/tests/mysql-rows/test.rules
@@ -0,0 +1 @@
+alert mysql any any -> any any (msg:"test mysql";mysql.rows; content:"33030219971120201X"; metadata: mysql rows; sid:1;)
diff --git a/tests/mysql-rows/test.yaml b/tests/mysql-rows/test.yaml
new file mode 100644
index 000000000..a9d2e7e10
--- /dev/null
+++ b/tests/mysql-rows/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ tx_id: 1
+ pcap_cnt: 41
+ src_ip: 172.18.0.3
+ src_port: 3306
+ dest_port: 35318
+ dest_ip: 172.18.0.1
+ proto: "TCP"
+ event_type: alert
+ alert.action: "allowed"
+ alert.signature: "test mysql"
+ alert.signature_id: 1
+ alert.severity: 3
+ direction: "to_client"
+ alert.metadata.mysql[0]: "rows"
+ mysql.version: "9.0.1"
+ mysql.tls: false
+ mysql.command: "select * from test.identify where id = 1"
+ mysql.rows[0]: "1,33030219971120201X"
+ - filter:
+ count: 1
+ match:
+ tx_id: 3
+ pcap_cnt: 43
+ src_ip: 172.18.0.3
+ src_port: 3306
+ dest_port: 35316
+ dest_ip: 172.18.0.1
+ proto: "TCP"
+ direction: "to_client"
+ event_type: alert
+ alert.action: "allowed"
+ alert.signature: "test mysql"
+ alert.signature_id: 1
+ alert.severity: 3
+ alert.metadata.mysql[0]: "rows"
+ mysql.version: "9.0.1"
+ mysql.tls: false
+ mysql.command: "select * from test.identify where identify = 33030219971120201X"
+ mysql.rows[0]: "1,33030219971120201X"
+
diff --git a/tests/mysql-tls/README.md b/tests/mysql-tls/README.md
new file mode 100644
index 000000000..c5e1ba166
--- /dev/null
+++ b/tests/mysql-tls/README.md
@@ -0,0 +1,6 @@
+# Test Description
+
+Check MySQL protocol upgrade to TLS protocol.
+
+## PCAP
+From my desktop's docker.
diff --git a/tests/mysql-tls/input.pcap b/tests/mysql-tls/input.pcap
new file mode 100644
index 000000000..c07b59921
Binary files /dev/null and b/tests/mysql-tls/input.pcap differ
diff --git a/tests/mysql-tls/suricata.yaml b/tests/mysql-tls/suricata.yaml
new file mode 100644
index 000000000..36b63fcb3
--- /dev/null
+++ b/tests/mysql-tls/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mysql
+ - tls
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
+ tls:
+ enabled: yes
diff --git a/tests/mysql-tls/test.yaml b/tests/mysql-tls/test.yaml
new file mode 100644
index 000000000..990f539bc
--- /dev/null
+++ b/tests/mysql-tls/test.yaml
@@ -0,0 +1,28 @@
+# *** Add configuration here ***
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ src_ip: 172.18.0.1
+ src_port: 36592
+ dest_ip: 172.18.0.3
+ dest_port: 3306
+ proto: TCP
+ event_type: mysql
+ mysql.tls: true
+- filter:
+ count: 1
+ match:
+ src_ip: 172.18.0.1
+ src_port: 36592
+ dest_ip: 172.18.0.3
+ dest_port: 3306
+ proto: TCP
+ event_type: tls
+ tls.from_proto: mysql
\ No newline at end of file
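Review bot: The first line `# *** Add configuration here ***` is the placeholder comment from the test template and should be deleted, and the file is missing its final newline (`\ No newline at end of file`). The two filters establish that a mysql event with `mysql.tls: true` and a tls event with `tls.from_proto: mysql` exist on the flow from port 36592, but nothing asserts that no cleartext command is decoded after the upgrade; a third filter on the same 5-tuple with `event_type: mysql`, `has-key: mysql.command` and `count: 0` would show that the parser hands the flow over to TLS instead of continuing to parse the encrypted bytes as queries. That extra check presumes the capture contains queries after the handshake — confirm against the pcap before adding it.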