author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-04-06 09:34:39 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-06 09:34:39 +0200 |
commit | 06a63dcbaad807f50b28b8012f518b2243639470 (patch) | |
tree | c8ed6035be17bacb0b6ce226beb325a1bf859a69 | |
parent | 5c28dbbae24718aecd8ca36363059db81199b31b (diff) |
MySql: improve detection (#1928)
Add support for flows with "caching_sha2_password" authentication plugin.
See #1924
-rw-r--r-- | src/lib/protocols/mysql.c | 4 | ||||
-rw-r--r-- | tests/pcap/mysql-8.pcap | bin | 455 -> 7656 bytes | |||
-rw-r--r-- | tests/result/mysql-8.pcap.out | 15 |
3 files changed, 11 insertions, 8 deletions
diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c
index 58e3c8f51..1a0402ca1 100644
--- a/src/lib/protocols/mysql.c
+++ b/src/lib/protocols/mysql.c
@@ -65,7 +65,9 @@ static void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_stru
 }
 #else
 if(strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
- "mysql_", 6) == 0) {
+ "mysql_", 6) == 0 ||
+ strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
+ "caching_", 8) == 0) {
 NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 return;
diff --git a/tests/pcap/mysql-8.pcap b/tests/pcap/mysql-8.pcap
Binary files differ
index 7cd92c7e0..d20e621eb 100644
--- a/tests/pcap/mysql-8.pcap
+++ b/tests/pcap/mysql-8.pcap
diff --git a/tests/result/mysql-8.pcap.out b/tests/result/mysql-8.pcap.out
index df7e5a4cb..73b45dadc 100644
--- a/tests/result/mysql-8.pcap.out
+++ b/tests/result/mysql-8.pcap.out
@@ -1,8 +1,8 @@ Guessed flow protos: 0 -DPI Packets (TCP): 4 (4.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 1 (1.00 diss/flow) +DPI Packets (TCP): 8 (4.00 pkts/flow) +Confidence DPI : 2 (flows) +Num dissector calls: 2 (1.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) 
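Review bot: The fixed `packet->payload_packet_len-22` offset in the mysql.c hunk now feeds two comparisons, but nothing in the hunk explains the 22 or shows a length check before the index is computed. The new branch matches only because "caching_sha2_password" and "mysql_native_password" are both 21 characters plus a terminating NUL, so a plugin name of any other length would not sit at this offset. I would add `/* auth plugin name is expected in the last 22 bytes: 21 chars + NUL for both mysql_native_password and caching_sha2_password */` above the `if`, and hoist the pointer once as `const char *plugin = (const char*)&packet->payload[packet->payload_packet_len-22];` so both `strncmp` calls share it. The function starts and ends outside the hunk, so please confirm that an earlier guard guarantees `payload_packet_len >= 22`; the payload comes straight from the wire and a shorter packet would make the index wrap and read out of bounds.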
@@ -16,10 +16,11 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 4/0 (search/found) Patricia risk: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 4/0 (search/found) -MySQL 4 367 1 +MySQL 35 6224 2 - 1 TCP 192.168.1.105:8738 <-> 10.42.18.198:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Database/11][2 pkts/140 bytes <-> 2 pkts/227 bytes][Goodput ratio: 0/38][0.00 sec][PLAIN TEXT (DDDDDD)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.20.80:47044 <-> 192.168.20.108:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Database/11][15 pkts/1806 bytes <-> 16 pkts/4051 bytes][Goodput ratio: 45/74][2.86 sec][bytes ratio: -0.383 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/238 2778/2821 797/779][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/253 359/2251 88/522][PLAIN TEXT (8.0.32)][Plen Bins: 7,28,21,7,0,0,0,21,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7] + 2 TCP 192.168.1.105:8738 <-> 10.42.18.198:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Database/11][2 pkts/140 bytes <-> 2 pkts/227 bytes][Goodput ratio: 0/38][0.00 sec][PLAIN TEXT (DDDDDD)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |