做好网站建设的重要性简单的网页设计源代码
suricata新增Mysql告警规则处理
- 协议解析后续处理内容
- 新增规则
- 规则解析关键字新增
- Setup用于初始化检测项
- Free用于资源释放
- AppLayerTxMatch用于协议解析完成后的规则检测
- 针对pcap文件进行检测
- 总结
协议解析后续处理内容
经过Mysql协议解析处理流程 介绍,我们在suricata中,新增加了Mysql协议处理相关的内容;
Mysql协议处理后,有两种方式进行处理,
一是将协议解析的内容,进行结果输出;(该内容相对比较简单,在协议框架生成包含了相关处理内容)
二是,将解析的内容与检测规则结合一起进行告警检测
新增规则
假设,我们需要检测Mysql sql语句中的所有truncate 语句,并进行告警。则规则形如:
alert mysql any any -> any 3306 (msg:"test mysql detect";mysql.sql:truncate;sid:10001;rev:1;)
规则解析关键字新增
如果,新增了以上规则,通过suricata进行引擎分析
suricata -c suricata.yaml --engine-analysis
会提示如下错误:
E: detect-parse: unknown rule keyword 'mysql.sql'.
E: detect: error parsing signature "alert mysql any any -> any 3306 (msg:"test mysql detect";mysql.sql:truncate;sid:10001;rev:1;)"
首先将mysql.sql加入到引擎检测关键字列表中;
在协议框架生成会生成detect-mysql-mysql.h及detect-mysql-mysql.c两个文件。
同时DetectMysqlmysqlRegister为注册关键字及检测函数的入口,
检测注册代码如下
void DetectMysqlmysqlRegister(void)
{sigmatch_table[DETECT_AL_MYSQL_MYSQL].name = "mysql.sql";sigmatch_table[DETECT_AL_MYSQL_MYSQL].desc ="Mysql content modifier to match on the mysql buffers";sigmatch_table[DETECT_AL_MYSQL_MYSQL].Setup = DetectMysqlmysqlSetup;sigmatch_table[DETECT_AL_MYSQL_MYSQL].Free = DetectMysqlmysqlFree;sigmatch_table[DETECT_AL_MYSQL_MYSQL].AppLayerTxMatch = DetectMysqlMatch;
#ifdef UNITTESTSsigmatch_table[DETECT_AL_MYSQL_MYSQL].RegisterTests = DetectMysqlmysqlRegisterTests;
#endifsigmatch_table[DETECT_AL_MYSQL_MYSQL].flags |= SIGMATCH_INFO_STICKY_BUFFER;/* register inspect engines */DetectAppLayerInspectEngineRegister2("mysql.sql", ALPROTO_MYSQL, SIG_FLAG_TOSERVER, 0,DetectEngineInspectGenericList, NULL);g_mysql_rust_id = DetectBufferTypeGetByName("mysql.sql");SCLogNotice("Mysql application layer detect registered.");
}
其中sigmatch_table,为注册各关键字的全局数组。
DETECT_AL_MYSQL_MYSQL为枚举值,在协议框架生成时自动生成在enum DetectKeywordId 中
enum DetectKeywordId {DETECT_SID,DETECT_PRIORITY,DETECT_REV,DETECT_CLASSTYPE,...,DETECT_TARGET,DETECT_AL_MYSQL_MYSQL,...DETECT_AL_TEMPLATE_BUFFER,DETECT_AL_DHCP_LEASETIME,
}
同时将DetectMysqlmysqlRegister的调用加入到SigTableSetup中
void SigTableSetup(void)
{memset(sigmatch_table, 0, sizeof(sigmatch_table));DetectSidRegister();DetectPriorityRegister();DetectPrefilterRegister();DetectRevRegister();DetectClasstypeRegister();DetectReferenceRegister();DetectTagRegister();DetectThresholdRegister();DetectMetadataRegister();...DetectMysqlmysqlRegister();/* close keyword registration */DetectBufferTypeCloseRegistration();
}
完成以上代码注册后,再次执行引擎分析,发现错误已经消失。
Setup用于初始化检测项
此例初始化中,对应mysql.sql:truncate,在执行Setup时,需要将truncate进行缓存,后续在规则检测时进行处理。其处理代码如下:
int DetectMysqlmysqlSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{uint8_t *de = NULL;SigMatch *sm = NULL;s->init_data->list = g_mysql_rust_id;if (DetectSignatureSetAppProto(s, ALPROTO_MYSQL) != 0)return -1;sm = SigMatchAlloc();if (sm == NULL)goto error;sm->type = DETECT_AL_MYSQL_MYSQL;char *value = SCMalloc(strlen(str) + 1);strcpy(value, str);sm->ctx = (SigMatchCtx *)value;SigMatchAppendSMToList(s, sm, g_mysql_rust_id);return 0;error:if (de != NULL)SCFree(de);if (sm != NULL)SCFree(sm);return -1;return 0;
}
从以上代码不难看出,此函数的处理,是把truncate进行了缓存处理。
Free用于资源释放
在上一节的,初始化过程中,存在SigMatchAlloc申请资源的情况,需要在程序退出前执行资源释放
void DetectMysqlmysqlFree(DetectEngineCtx *de_ctx, void *de_ptr)
{if (de_ptr != NULL)SCFree(de_ptr);
}
AppLayerTxMatch用于协议解析完成后的规则检测
sigmatch_table[DETECT_AL_MYSQL_MYSQL].AppLayerTxMatch = DetectMysqlMatch;
此处注册的函数DetectMysqlMatch,在Mysql协议解析过程中的每个Transaction都会执行一次检测;本例中,相当于每执行一条sql语句就会执行一遍。
函数定义如下
static int DetectMysqlMatch(DetectEngineThreadCtx *det_ctx,Flow *f, uint8_t flags, void *state,void *txv, const Signature *s,const SigMatchCtx *ctx) {uint8_t ret = 0;const uint8_t *data = NULL;uint32_t data_len = 0;SCLogDebug("DetectMysqlMatch: flags %d, txv %p, s %p, ctx %p", flags, txv, s, ctx);if (flags & STREAM_TOSERVER) {rs_mysql_get_request_buffer(txv, &data, &data_len);} else if (flags & STREAM_TOCLIENT) {rs_mysql_get_response_buffer(txv, &data, &data_len); }SCLogDebug("DetectMysqlMatch: flags %d, txv %p, s %p, ctx %p done", flags, txv, s, ctx);if (data != NULL) {char* de = (char *)ctx;char *stripped_data = strip((const char *)data);return startsWith((const char *)stripped_data, de) ;}return 0;
}
其中rs_mysql_get_request_buffer,rs_mysql_get_response_buffer是rust中根据解析的内容,并返回缓存的函数。
其定义如下:
pub unsafe extern "C" fn rs_mysql_get_request_buffer(tx: *mut c_void, buf: *mut *const u8, len: *mut u32,
) -> u8 {let tx = cast_pointer!(tx, MysqlTransaction);if let Some(ref request) = tx.request {match request {MysqlFEMessage::SimpleQuery(quey) => {// If we have a login request, we can return the request buffer.if !quey.is_empty() {*len = quey.len() as u32;*buf = quey.as_ptr();return 1; // success}}_ => {return 0;}}}return 0;
}
此处,我们只返回了SimpleQuery对应的sql语句,正好对应了mysql.sql,对于其他关键字,可以根据实际情况进行修改,比如,检测使用超级用户(root/admin)进行远程登录,其检测规则就需要修改成mysql.login_user:root;而后增加相应的规则处理即可。
此外,在检测之前,执行了strip操作,是因为;默认sql语句前面会增加一些注释,所以执行strip先去除注释内容,而后使用startsWith函数进行检测。(更严谨的做法,可能需要对sql语句进行语法分析后再检测;待完善–)
针对pcap文件进行检测
完成以上步骤后,使用pcap文件检验规则是否能产生告警
suricata -c suricata.yaml -k none -r mysql.pcap
打开eve.json后,查看alert情况
{"time":"2025-07-09T09:32:25.481582+0000","timestamp":1752053545481,"flow_id":"2036907348195717","pcap_cnt":54,"alarm_type":"alert","src_ip":"10.1.30.200","src_port":54366,"dest_ip":"10.1.1.3","dest_port":3306,"proto":"TCP","pkt_src":"wire/pcap","event_id":"ec830925-9c01-434c-9651-5e43c836da5f","tx_id":9,"alert":{"action":"allowed","gid":1,"signature_id":10001,"classification":"","rev":1,"signature":"test mysql detect","category":"","severity":3,"attack_result":"attempt","severity":3,"sid":10001},"tx_id":10,"request":{"message":"SimpleQuery","query":"/* ApplicationName=DBeaver 24.1.3 - SQLEditor <Script-17.sql> */ truncate tb_attack_20250111"},"protocol":"mysql","direction":"to_server","flow":{"pkts_toserver":35,"pkts_toclient":19,"bytes_toserver":5220,"bytes_toclient":11003,"start":"2025-07-09T09:31:27.146574+0000","src_ip":"10.1.30.200","dest_ip":"10.1.1.3","src_port":54366,"dest_port":3306}}
总结
通过以上操作,即完成了Mysql协议一条告警规则的新增及处理