diff --git a/tests/mysql-command/test.yaml b/tests/mysql-command/test.yaml
index 8f5b7f17c..143306cf1 100644
--- a/tests/mysql-command/test.yaml
+++ b/tests/mysql-command/test.yaml
@@ -8,7 +8,18 @@ checks:
 - filter:
 count: 1
 match:
+ pcap_cnt: 40
+ src_ip: 172.18.0.1
+ src_port: 35316
+ dest_ip: 172.18.0.3
+ dest_port: 3306
+ proto: "TCP"
+ direction: "to_server"
 event_type: alert
 alert.signature: "test mysql"
+ alert.signature_id: 1
+ alert.severity: 3
 alert.metadata.mysql[0]: "command"
+ mysql.command: "select * from test.identify where identify = 33030219971120201X"
+ mysql.rows[0]: "1,33030219971120201X"
diff --git a/tests/mysql-multi-queries/README.md b/tests/mysql-multi-queries/README.md
new file mode 100644
index 000000000..a9bfb3ff7
--- /dev/null
+++ b/tests/mysql-multi-queries/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+TODO: Simple description of what this test is for.
+
+## PCAP
+
+TODO: What is the source of this PCAP.
+
+## Related issues
+
+TODO: Issue numbers or links to related issues.
diff --git a/tests/mysql-multi-queries/input.pcap b/tests/mysql-multi-queries/input.pcap
new file mode 100644
index 000000000..458bc25e8
Binary files /dev/null and b/tests/mysql-multi-queries/input.pcap differ
diff --git a/tests/mysql-multi-queries/suricata.yaml b/tests/mysql-multi-queries/suricata.yaml
new file mode 100644
index 000000000..070848120
--- /dev/null
+++ b/tests/mysql-multi-queries/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mysql
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
diff --git a/tests/mysql-multi-queries/test.yaml b/tests/mysql-multi-queries/test.yaml
new file mode 100644
index 000000000..cd83e99bf
--- /dev/null
+++ b/tests/mysql-multi-queries/test.yaml
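Review bot: The new `mysql.command` and `mysql.rows[0]` matches pin the value `33030219971120201X`, which has the shape of an 18-character national identity number (6-digit region, 8-digit date, 3 digits, check character); if input.pcap was taken from real traffic rather than generated, that is personal data stored in a public test corpus, so the test's README should state that the row content is synthetic. The same value is asserted in tests/mysql-rows/test.yaml in this commit, so one statement covers both. Separately, this hunk quotes `proto: "TCP"` and `direction: "to_server"` while the new tests/mysql-multi-queries/test.yaml writes `proto: TCP` unquoted; both parse to the same string, but one quoting style across the mysql tests would read better. The `checks:` list this filter entry belongs to begins above the hunk.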
@@ -0,0 +1,61 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.10.104
+ dest_port: 3306
+ pcap_cnt: 14
+ event_type: mysql
+ mysql.affected_rows: 0
+ mysql.command: SET NAMES utf8mb4
+ mysql.tls: false
+ mysql.version: 8.0.32
+ proto: TCP
+ src_ip: 172.16.10.222
+ src_port: 42074
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.10.104
+ dest_port: 3306
+ event_type: mysql
+ mysql.command: SELECT VERSION()
+ mysql.rows[0]: 8.0.32
+ mysql.tls: false
+ mysql.version: 8.0.32
+ proto: TCP
+ src_ip: 172.16.10.222
+ src_port: 42074
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.10.104
+ dest_port: 3306
+ pcap_cnt: 20
+ event_type: mysql
+ mysql.affected_rows: 0
+ mysql.command: ping
+ mysql.tls: false
+ mysql.version: 8.0.32
+ proto: TCP
+ src_ip: 172.16.10.222
+ src_port: 42074
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.10.104
+ dest_port: 3306
+ event_type: mysql
+ mysql.command: SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='sentinel_flow_admin'
+ mysql.rows[0]: sentinel_flow_admin
+ mysql.tls: false
+ mysql.version: 8.0.32
+ proto: TCP
+ src_ip: 172.16.10.222
+ src_port: 42074
diff --git a/tests/mysql-rows/test.yaml b/tests/mysql-rows/test.yaml
index 371fe4bdd..a9d2e7e10 100644
--- a/tests/mysql-rows/test.yaml
+++ b/tests/mysql-rows/test.yaml
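Review bot: The second and fourth filter entries (the `SELECT VERSION()` and `SELECT SCHEMA_NAME ...` queries) assert no `pcap_cnt` and none of the four entries asserts `tx_id`, whereas the first and third pin `pcap_cnt: 14` and `pcap_cnt: 20`; for a test whose point is several queries on one flow, a `count: 1` match on the command text alone would still pass if a query were attributed to the wrong transaction, so adding `tx_id` (as tests/mysql-rows/test.yaml does) to each entry would make the regression it guards against visible. The README.md added with this test still contains only the template's three TODO lines, so the test's purpose and the origin of input.pcap are undocumented; the description section should at least say which client/server exchange the four events come from and whether the capture was generated for the test.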
@@ -6,9 +6,45 @@ args:
 checks:
 - filter:
- count: 2
+ count: 1
 match:
+ tx_id: 1
+ pcap_cnt: 41
+ src_ip: 172.18.0.3
+ src_port: 3306
+ dest_port: 35318
+ dest_ip: 172.18.0.1
+ proto: "TCP"
 event_type: alert
+ alert.action: "allowed"
 alert.signature: "test mysql"
+ alert.signature_id: 1
+ alert.severity: 3
+ direction: "to_client"
 alert.metadata.mysql[0]: "rows"
+ mysql.version: "9.0.1"
+ mysql.tls: false
+ mysql.command: "select * from test.identify where id = 1"
+ mysql.rows[0]: "1,33030219971120201X"
+ - filter:
+ count: 1
+ match:
+ tx_id: 3
+ pcap_cnt: 43
+ src_ip: 172.18.0.3
+ src_port: 3306
+ dest_port: 35316
+ dest_ip: 172.18.0.1
+ proto: "TCP"
+ direction: "to_client"
+ event_type: alert
+ alert.action: "allowed"
+ alert.signature: "test mysql"
+ alert.signature_id: 1
+ alert.severity: 3
+ alert.metadata.mysql[0]: "rows"
+ mysql.version: "9.0.1"
+ mysql.tls: false
+ mysql.command: "select * from test.identify where identify = 33030219971120201X"
+ mysql.rows[0]: "1,33030219971120201X"
diff --git a/tests/mysql-tls/suricata.yaml b/tests/mysql-tls/suricata.yaml
new file mode 100644
index 000000000..36b63fcb3
--- /dev/null
+++ b/tests/mysql-tls/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mysql
+ - tls
+
+app-layer:
+ protocols:
+ mysql:
+ enabled: yes
+ tls:
+ enabled: yes
diff --git a/tests/mysql-tls/test.yaml b/tests/mysql-tls/test.yaml
index 76e72662d..990f539bc 100644
--- a/tests/mysql-tls/test.yaml
+++ b/tests/mysql-tls/test.yaml
@@ -9,11 +9,20 @@ checks:
 - filter:
 count: 1
 match:
+ src_ip: 172.18.0.1
+ src_port: 36592
+ dest_ip: 172.18.0.3
+ dest_port: 3306
+ proto: TCP
 event_type: mysql
 mysql.tls: true
 - filter:
 count: 1
 match:
- app_proto: tls
- app_proto_orig: mysql
-
+ src_ip: 172.18.0.1
+ src_port: 36592
+ dest_ip: 172.18.0.3
+ dest_port: 3306
+ proto: TCP
+ event_type: tls
+ tls.from_proto: mysql
\ No newline at end of file
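Review bot: The two filter entries list the same keys in different orders — the first puts `direction: "to_client"` between `alert.severity` and `alert.metadata.mysql[0]` and writes `dest_port` before `dest_ip`, while the second groups `direction` with the other flow fields; mappings are unordered so this changes nothing at runtime, but keeping the flow block identical in both (`src_ip`, `src_port`, `dest_ip`, `dest_port`, `proto`, `direction`) makes the two entries diffable against each other and against tests/mysql-command/test.yaml. Splitting the old `count: 2` into two `count: 1` entries pinned by `tx_id` and `pcap_cnt` is the right direction and needs no further change. The `args:` stanza named in the hunk header lies above the hunk.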
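Review bot: The file now ends without a trailing newline (`\ No newline at end of file` after `tls.from_proto: mysql`), so the next edit to tests/mysql-tls/test.yaml will show a spurious change on this line; the removed blank line suggests the old file did end cleanly, so restoring a final newline is worth doing before merge. Replacing the untyped `app_proto`/`app_proto_orig` match with `event_type: tls` plus `tls.from_proto: mysql` does tighten the check, since the old pair could have matched a non-tls event on the same flow; a short comment above the second entry, `# tls record logged for the upgraded mysql flow`, would record why that field was chosen.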