mysql: add more checks in test

QianKaiLin · QianKaiLin · commit 5f5682e6be8a · 2024-12-11T16:21:11.000+08:00
Task #3446
diff --git a/tests/mysql-command/test.yaml b/tests/mysql-command/test.yaml
@@ -8,7 +8,18 @@ checks:
   - filter:
       count: 1
       match:
+        pcap_cnt: 40
+        src_ip: 172.18.0.1
+        src_port: 35316
+        dest_ip: 172.18.0.3
+        dest_port: 3306
+        proto: "TCP"
+        direction: "to_server"
         event_type: alert
         alert.signature: "test mysql"
+        alert.signature_id: 1
+        alert.severity: 3
         alert.metadata.mysql[0]: "command"
+        mysql.command: "select * from test.identify where identify = 33030219971120201X"
+        mysql.rows[0]: "1,33030219971120201X"
         
diff --git a/tests/mysql-multi-queries/README.md b/tests/mysql-multi-queries/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+TODO: Simple description of what this test is for.
+
+## PCAP
+
+TODO: What is the source of this PCAP.
+
+## Related issues
+
+TODO: Issue numbers or links to related issues.
diff --git a/tests/mysql-multi-queries/input.pcap b/tests/mysql-multi-queries/input.pcap
diff --git a/tests/mysql-multi-queries/suricata.yaml b/tests/mysql-multi-queries/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - mysql
+
+app-layer:
+  protocols:
+    mysql:
+      enabled: yes
diff --git a/tests/mysql-multi-queries/test.yaml b/tests/mysql-multi-queries/test.yaml
@@ -0,0 +1,61 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.16.10.104
+      dest_port: 3306
+      pcap_cnt: 14
+      event_type: mysql
+      mysql.affected_rows: 0
+      mysql.command: SET NAMES utf8mb4
+      mysql.tls: false
+      mysql.version: 8.0.32
+      proto: TCP
+      src_ip: 172.16.10.222
+      src_port: 42074
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.16.10.104
+      dest_port: 3306
+      event_type: mysql
+      mysql.command: SELECT VERSION()
+      mysql.rows[0]: 8.0.32
+      mysql.tls: false
+      mysql.version: 8.0.32
+      proto: TCP
+      src_ip: 172.16.10.222
+      src_port: 42074
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.16.10.104
+      dest_port: 3306
+      pcap_cnt: 20
+      event_type: mysql
+      mysql.affected_rows: 0
+      mysql.command: ping
+      mysql.tls: false
+      mysql.version: 8.0.32
+      proto: TCP
+      src_ip: 172.16.10.222
+      src_port: 42074
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.16.10.104
+      dest_port: 3306
+      event_type: mysql
+      mysql.command: SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='sentinel_flow_admin'
+      mysql.rows[0]: sentinel_flow_admin
+      mysql.tls: false
+      mysql.version: 8.0.32
+      proto: TCP
+      src_ip: 172.16.10.222
+      src_port: 42074
diff --git a/tests/mysql-rows/test.yaml b/tests/mysql-rows/test.yaml
@@ -6,9 +6,45 @@ args:
 
 checks:
   - filter:
-      count: 2
+      count: 1
       match:
+        tx_id: 1
+        pcap_cnt: 41
+        src_ip: 172.18.0.3
+        src_port: 3306
+        dest_port: 35318
+        dest_ip: 172.18.0.1
+        proto: "TCP"
         event_type: alert
+        alert.action: "allowed"
         alert.signature: "test mysql"
+        alert.signature_id: 1
+        alert.severity: 3
+        direction: "to_client"
         alert.metadata.mysql[0]: "rows"
+        mysql.version: "9.0.1"
+        mysql.tls: false
+        mysql.command: "select * from test.identify where id = 1"
+        mysql.rows[0]: "1,33030219971120201X"
+  - filter:
+      count: 1
+      match:
+        tx_id: 3
+        pcap_cnt: 43
+        src_ip: 172.18.0.3
+        src_port: 3306
+        dest_port: 35316
+        dest_ip: 172.18.0.1
+        proto: "TCP"
+        direction: "to_client"
+        event_type: alert
+        alert.action: "allowed"
+        alert.signature: "test mysql"
+        alert.signature_id: 1
+        alert.severity: 3
+        alert.metadata.mysql[0]: "rows"
+        mysql.version: "9.0.1"
+        mysql.tls: false
+        mysql.command: "select * from test.identify where identify = 33030219971120201X"
+        mysql.rows[0]: "1,33030219971120201X"
         
diff --git a/tests/mysql-tls/suricata.yaml b/tests/mysql-tls/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - mysql
+        - tls
+
+app-layer:
+  protocols:
+    mysql:
+      enabled: yes
+    tls:
+      enabled: yes
diff --git a/tests/mysql-tls/test.yaml b/tests/mysql-tls/test.yaml
@@ -9,11 +9,20 @@ checks:
 - filter:
     count: 1
     match:
+      src_ip: 172.18.0.1
+      src_port: 36592
+      dest_ip: 172.18.0.3
+      dest_port: 3306
+      proto: TCP
       event_type: mysql
       mysql.tls: true
 - filter:
     count: 1
     match:
-      app_proto: tls
-      app_proto_orig: mysql
-
+      src_ip: 172.18.0.1
+      src_port: 36592
+      dest_ip: 172.18.0.3
+      dest_port: 3306
+      proto: TCP
+      event_type: tls
+      tls.from_proto: mysql
