-rw-r--r--src/lib/protocols/mysql.c64
-rw-r--r--tests/cfgs/default/pcap/mysql-8.pcapbin7656 -> 0 bytes
-rw-r--r--tests/cfgs/default/pcap/mysql.pcapngbin0 -> 8544 bytes
-rw-r--r--tests/cfgs/default/result/mysql-8.pcap.out29
-rw-r--r--tests/cfgs/default/result/mysql.pcapng.out29
5 files changed, 50 insertions, 72 deletions
diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c
index c3e04ef8b..7560f6030 100644
--- a/src/lib/protocols/mysql.c
+++ b/src/lib/protocols/mysql.c
@@ -2,7 +2,8 @@
* mysql.c
*
* Copyright (C) 2009-11 - ipoque GmbH
- * Copyright (C) 2011-22 - ntop.org
+ * Copyright (C) 2011-24 - ntop.org
+ * Copyright (C) 2024 - V.G <jacendi@protonmail.com>
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -30,50 +31,27 @@
#include "ndpi_api.h"
#include "ndpi_private.h"
-static void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+static void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
- NDPI_LOG_DBG(ndpi_struct, "search MySQL\n");
-
- if(packet->tcp) {
- if(packet->payload_packet_len > 38) { //min length
- u_int32_t length = (packet->payload[2] << 16) + (packet->payload[1] << 8) + packet->payload[0];
+ if(packet->payload_packet_len > 70 && packet->payload_packet_len < 120) {
+ u_int32_t length = (packet->payload[2] << 16) + (packet->payload[1] << 8) + packet->payload[0];
- if(length == (u_int32_t)packet->payload_packet_len - 4 //first 3 bytes are length
- && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length
- && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
- && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0
- && get_u_int8_t(packet->payload, 5) < 0x39 //server version < 9
- && get_u_int8_t(packet->payload, 6) == 0x2e //dot
- ) {
-#if 0
- /* Old code */
- u_int32_t a;
-
- for(a = 7; a + 31 < packet->payload_packet_len; a++) {
- if(packet->payload[a] == 0x00) {
- if(get_u_int8_t(packet->payload, a + 13) == 0x00 // filler byte
- && get_u_int64_t(packet->payload, a + 19) == 0x0ULL // 13 more
- && get_u_int32_t(packet->payload, a + 27) == 0x0 // filler bytes
- && get_u_int8_t(packet->payload, a + 31) == 0x0) {
- NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- return;
- }
-
- break;
- }
- }
-#else
- if(strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
- "mysql_", 6) == 0 ||
- strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
- "caching_", 8) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- return;
- }
-#endif
+ if ((u_int32_t)(packet->payload_packet_len-4) == length &&
+ packet->payload[4] == 0x0A && ((memcmp(&packet->payload[5], "5.5.5-", 6) == 0) ||
+ (packet->payload[5] > 0x33 && packet->payload[5] < 0x39)))
+ {
+ if ((memcmp(&packet->payload[packet->payload_packet_len-10], "_password", 9) == 0) ||
+ (memcmp(&packet->payload[packet->payload_packet_len-10], "_kerberos", 9) == 0) ||
+ (memcmp(&packet->payload[packet->payload_packet_len-9], "_windows", 8) == 0) ||
+ (memcmp(&packet->payload[packet->payload_packet_len-8], "_simple", 7) == 0) ||
+ (memcmp(&packet->payload[packet->payload_packet_len-8], "_gssapi", 7) == 0) ||
+ (memcmp(&packet->payload[packet->payload_packet_len-5], "_pam", 4) == 0))
+ {
+ NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
}
}
}
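Review bot: The major-version test `packet->payload[5] > 0x33 && packet->payload[5] < 0x39` accepts only the ASCII digits '4' through '8', so a greeting whose version string starts with '9' (or with any other digit and no `5.5.5-` prefix) is never classified as MySQL, which leaves a visibility gap for anything that relies on this dissector for monitoring or policy. Writing it as `packet->payload[5] >= '4' && packet->payload[5] <= '9'` would cover the next major version and make the intent readable; the new expected output only shows 8.0.36 and 10.6.12, so that path is untested either way. The new condition also drops the sequence-id check that the removed code required (`get_u_int8_t(packet->payload, 3) == 0x00`); adding `packet->payload[3] == 0x00 &&` back would keep the short suffix matches from firing on packets that are not the initial server greeting. With the old per-field comments gone, the 70/120 length window, the 0x0A protocol byte and the plugin-name suffixes are unexplained, so a short comment naming each of them would help the next reader. The function body continues past the end of this hunk.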
diff --git a/tests/cfgs/default/pcap/mysql-8.pcap b/tests/cfgs/default/pcap/mysql-8.pcap
deleted file mode 100644
index d20e621eb..000000000
--- a/tests/cfgs/default/pcap/mysql-8.pcap
+++ /dev/null
Binary files differ
diff --git a/tests/cfgs/default/pcap/mysql.pcapng b/tests/cfgs/default/pcap/mysql.pcapng
new file mode 100644
index 000000000..26a633f72
--- /dev/null
+++ b/tests/cfgs/default/pcap/mysql.pcapng
Binary files differ
diff --git a/tests/cfgs/default/result/mysql-8.pcap.out b/tests/cfgs/default/result/mysql-8.pcap.out
deleted file mode 100644
index 0d47e05f1..000000000
--- a/tests/cfgs/default/result/mysql-8.pcap.out
+++ /dev/null
@@ -1,29 +0,0 @@
-DPI Packets (TCP): 8 (4.00 pkts/flow)
-Confidence DPI : 2 (flows)
-Num dissector calls: 2 (1.00 diss/flow)
-LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache zoom: 0/0/0 (insert/search/found)
-LRU cache stun: 0/0/0 (insert/search/found)
-LRU cache tls_cert: 0/0/0 (insert/search/found)
-LRU cache mining: 0/0/0 (insert/search/found)
-LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache stun_zoom: 0/0/0 (insert/search/found)
-Automa host: 0/0 (search/found)
-Automa domain: 0/0 (search/found)
-Automa tls cert: 0/0 (search/found)
-Automa risk mask: 0/0 (search/found)
-Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 0/0 (search/found)
-Patricia risk mask IPv6: 0/0 (search/found)
-Patricia risk: 0/0 (search/found)
-Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 4/0 (search/found)
-Patricia protocols IPv6: 0/0 (search/found)
-
-MySQL 35 6224 2
-
-Acceptable 35 6224 2
-
- 1 TCP 192.168.20.80:47044 <-> 192.168.20.108:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Database/11][15 pkts/1806 bytes <-> 16 pkts/4051 bytes][Goodput ratio: 45/74][2.86 sec][bytes ratio: -0.383 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/238 2778/2821 797/779][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/253 359/2251 88/522][PLAIN TEXT (8.0.32)][Plen Bins: 7,28,21,7,0,0,0,21,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7]
- 2 TCP 192.168.1.105:8738 <-> 10.42.18.198:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Database/11][2 pkts/140 bytes <-> 2 pkts/227 bytes][Goodput ratio: 0/38][0.00 sec][PLAIN TEXT (DDDDDD)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/mysql.pcapng.out b/tests/cfgs/default/result/mysql.pcapng.out
new file mode 100644
index 000000000..113f39ead
--- /dev/null
+++ b/tests/cfgs/default/result/mysql.pcapng.out
@@ -0,0 +1,29 @@
+DPI Packets (TCP): 8 (4.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 2 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+MySQL 41 7009 2
+
+Acceptable 41 7009 2
+
+ 1 TCP 192.168.88.231:36272 <-> 192.168.88.200:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Database/11][15 pkts/1822 bytes <-> 11 pkts/3715 bytes][Goodput ratio: 45/80][2.47 sec][bytes ratio: -0.342 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 202/6 2386/24 659/9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 121/338 388/2284 94/622][PLAIN TEXT (8.0.36)][Plen Bins: 21,21,7,14,0,0,0,21,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7]
+ 2 TCP 192.168.88.231:36732 <-> 192.168.88.201:3306 [proto: 20/MySQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Database/11][9 pkts/862 bytes <-> 6 pkts/610 bytes][Goodput ratio: 30/34][2.27 sec][bytes ratio: 0.171 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 318/0 2222/1 777/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 96/102 284/176 67/44][PLAIN TEXT (10.6.12)][Plen Bins: 34,16,16,16,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]