Add initial MySQL banner support

[TomSellers]

Add initial MySQL banner support

[jhart-r7]

Here you are searching for Community or community, but in the previous one you are just looking for community. IMO, make both of these (and perhaps all of them) case insensitive

[TomSellers]

If i'm not mistaken there was a limited number of instances of Community, something around 40 or in the data set. I will try to mine the data and also see if there is a performance impact for doing case insensitivity.

[jhart-r7]

This is looking pretty good. To your pending commit comments:

• Community vs community metrics -- would be nice to know, but my suggestion for this wasn't necessarily that I think there may be a banner like this today, but that there may be one some day.
• Base generic regex for MySQL versions not matched so far -- the trouble with this is that it is then hard for you to tell if you have a new/unmatched/unknown banner because this generic regex would catch all mysql versions you hadn't seen before and might want to handle differently for whatever reason. I'm not totally opposed as I see some value in this. Perhaps post a sample of what you were thinking?
• fingerprint optimization based on sample data -- can you elaborate? do you mean modifying the existing fingerprints to match more banners based on what you see in the sample data, or do you mean modifying the existing fingerprints to match more efficiently?
• reviewing use of trailing terminator for regex -- this is probably worth a separate PR/ticket, but my thinking is that the regex anchors ^and $ as well as the common pattern of .*$ are perfectly fine and are in fact preferential provided there is sufficient data to prove that it is necessary. Put another way, something like ^foo version (\d+) .*$ is perfectly OK if you are sure that you do not care about anything that comes after the 1 or more digits. Note that this is distinctly different than not knowing about what comes after the 1 or more digits.

[jhart-r7]

You should add a matches attribute here to indicate what it should be matching.

That brings up something I think we discussed in email but I don't see addressed here. This single file matches against two different types of data -- version banners and error messages. IMO these should go in separate files and use different match attributes. Then, anyone/anything using these files can use the right file depending on the type of message received.

[TomSellers]

Thanks, I'll address both as well as all of the outstanding issues. I hope to have the final PR for review by the end of this coming weekend.

[TomSellers]

@jhart-r7

• I have left out the generic match. I had been leaning towards leaving it out, but wasn't sure of the best fit for your use case. Your comments cleared that up for me.
• Fingerprint optimization was a reference to changing the order of the fingerprints with the goal of having the most common earlier in the file so that matches occurred faster. The downside of this is that similar fingerprints would no longer be grouped which would complicate the effort of maintaining fingerprints. With 1 exception, testing indicate that the benefit across the 5.2 million banner test set was not significant enough to change the FP order. That change, in the mysql_errors, has been made.
• The review of the regex trailing terminator was at the request of HD. I prefer to use the $ anchor where possible when I am fairly certain that I have all the string accounted for. This reduces the chance of inadvertently matching and loosing an opportunity to gather more information about a target service.
  • The end of line anchor needs to be added to the 'MariaDB MariaDB' fingerprint around line 595 and retested. That is next on my list. It will allow us to add a few fingerprints for MariaDB on certain flavors of Ubuntu and Debian.

Current match metrics against the 2015.02.01 dataset:

MySQL records 5,258,834
MySQL match count 5,255,535 99.937%
Unmatched: 3,229

Additional metrics can be seen in this gits:
https://gist.github.com/TomSellers/d1749e7b993a1270a526

[TomSellers]

That last commit should say that removed 'a' fingerprint for Percona, There are still multiple fingerprints in place that are reliable for the related banners.

[jhart-r7]

Here and everywhere else where you are trying to match the numeric part of the version, would it make sense to make this more flexible such that version parts of arbitrary length are matched? For example, would 10.0.0 or 5.100.9999 ever be a valid version?

[gschneider-r7]

Not sure about MySQL proper, but MariaDB uses 10.x.x versions as they diverge from Oracle's implementation.

[TomSellers]

Perhaps, but isn't in our data set yet. MariaDB does use 10.x.x and that is accounted for in the matches starting at line 568. The 'MariaDB MariaDB on Debian Lenny' fingerprint is missing this.

I can adjust the regex as you requested. I keep falling back to my 'unknown service' mindset and forgetting that the assumption is that we already know its MySQL and just want to fingerprint it.

[TomSellers]

@jhart-r7 This morning's updates contain the changes to the regex to better handle future strings such as 10.xxx.xxx. There are also quite additions that identify the target's OS.

[TomSellers]

@jhart-r7 @gschneider-r7 The previous is likely my last commit tweaking fingerprints. Anything that follows will be bug fixes for issues that someone discovers.

[jhart-r7]

Thanks, @TomSellers! I should be able to land this today. My only last bit of feedback, which I'll address while landing, is to add some comments in these two files to indicate how these are to be used (IOW, what parts of the protocol are being fingerprinted).