SBM Labs

Cyber Security Collaboration Project

MySQL Network Traffic Analysis
09 Mar 2017

How do you analyse MySQL network traffic for malicious activity?

Let's look at the tshark tool and its usage. More information about tshark can be found in its manual (man tshark).

1. Start tshark. The capture below is taken on the loopback interface because client and server run on the same host; on a real server, capture on the interface the clients connect through. Note that the MySQL dissector can only decode user names, queries and error messages of connections that are not protected by TLS.

sudo tshark -i lo -f "port 3306" -E separator=";" -T fields -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.stream -e mysql.user -e mysql.query -e mysql.error_code -e mysql.error.message -e mysql.command

2. Start Wireshark.

This step is only needed to visualise the captured activity; tshark alone records it.

3. Perform some MySQL activity.

Failed root logon attempt.

Successful root logon.

MySQL query.

Incorrect MySQL query.

User root quits.

4. Check the tshark output. The fields appear in the order given to -e: time, source IP and port, destination IP and port, TCP stream number, MySQL user (present only in the client's login packet), query text, server error code and message, and the MySQL command byte (3 is COM_QUERY, 1 is COM_QUIT). The stream number is what ties a server error back to the login packet that carried the user name.

...
Mar 6, 2017 10:29:05.758240514 +03;127.0.0.1;45742;127.0.0.1;3306;0;root;;;;
Mar 6, 2017 10:29:05.758248412 +03;127.0.0.1;3306;127.0.0.1;45742;0;;;;;
Mar 6, 2017 10:29:05.759151083 +03;127.0.0.1;3306;127.0.0.1;45742;0;;;1045;Access denied for user 'root'@'localhost' (using password: YES);
...
Mar 6, 2017 10:29:10.840620341 +03;127.0.0.1;45744;127.0.0.1;3306;1;root;;;;
Mar 6, 2017 10:29:10.840627437 +03;127.0.0.1;3306;127.0.0.1;45744;1;;;;;
Mar 6, 2017 10:29:10.840714507 +03;127.0.0.1;3306;127.0.0.1;45744;1;;;;;
Mar 6, 2017 10:29:10.841027922 +03;127.0.0.1;45744;127.0.0.1;3306;1;;select @@version_comment limit 1;;;3
...
Mar 6, 2017 10:29:15.856755861 +03;127.0.0.1;45744;127.0.0.1;3306;1;;select user,host, authentication_string from mysql.user;;;3
...
Mar 6, 2017 10:29:25.056755861 +03;127.0.0.1;45744;127.0.0.1;3306;1;;select user,host1, authentication_string from mysql.user;;;3
Mar 6, 2017 10:29:25.097680116 +03;127.0.0.1;3306;127.0.0.1;45744;1;;;1054;Unknown column 'host1' in 'field list';
...
Mar 6, 2017 10:29:28.964743691 +03;127.0.0.1;45744;127.0.0.1;3306;1;;;;;1
Mar 6, 2017 10:29:28.964789643 +03;127.0.0.1;45744;127.0.0.1;3306;1;;;;;
...
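The three things in that output an analyst would want flagged are repeated 1045 (access denied) responses to one source, which is the signature of password guessing; reads of mysql.user, which is where the password hashes live; and server-side SQL errors such as 1054 from a session that should only run known application queries, which points at a typo at best and at injection or schema probing at worst. The following script, an added example that is not part of the original post, parses the semicolon-separated tshark output into per-stream sessions and applies those three rules. It assumes the exact -e field order of the tshark command in step 1; the rule names and the failed-login threshold of 3 are illustrative choices, and the sample lines for streams 2 and 3 (ports 45746 and 45748) are constructed to trip that threshold, while the rest are taken from the capture above.

```python
"""Triage rules over tshark -T fields output in the format produced by step 1.

Added example, not code from the original SBM Labs post. Assumes the -e field
order of the tshark command above; rule names and the threshold are illustrative.
"""
import csv
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Must match the -e options of the tshark command in step 1, in order.
FIELDS = ["time", "src", "sport", "dst", "dport", "stream", "user",
          "query", "error_code", "error_message", "command"]

COM_QUIT = 1               # mysql.command value of a COM_QUIT packet
ER_ACCESS_DENIED = 1045    # server error code for a failed logon
SENSITIVE_TABLES = re.compile(r"\bmysql\.user\b", re.IGNORECASE)

# Streams 0 and 1 are copied from the capture above; streams 2 and 3 are
# CONSTRUCTED extra failed logons so the brute-force rule has something to hit.
SAMPLE_OUTPUT = """\
Mar 6, 2017 10:29:05.758240514 +03;127.0.0.1;45742;127.0.0.1;3306;0;root;;;;
Mar 6, 2017 10:29:05.758248412 +03;127.0.0.1;3306;127.0.0.1;45742;0;;;;;
Mar 6, 2017 10:29:05.759151083 +03;127.0.0.1;3306;127.0.0.1;45742;0;;;1045;Access denied for user 'root'@'localhost' (using password: YES);
...
Mar 6, 2017 10:29:07.100000000 +03;127.0.0.1;45746;127.0.0.1;3306;2;root;;;;
Mar 6, 2017 10:29:07.101000000 +03;127.0.0.1;3306;127.0.0.1;45746;2;;;1045;Access denied for user 'root'@'localhost' (using password: YES);
Mar 6, 2017 10:29:08.200000000 +03;127.0.0.1;45748;127.0.0.1;3306;3;root;;;;
Mar 6, 2017 10:29:08.201000000 +03;127.0.0.1;3306;127.0.0.1;45748;3;;;1045;Access denied for user 'root'@'localhost' (using password: YES);
Mar 6, 2017 10:29:10.840620341 +03;127.0.0.1;45744;127.0.0.1;3306;1;root;;;;
Mar 6, 2017 10:29:10.841027922 +03;127.0.0.1;45744;127.0.0.1;3306;1;;select @@version_comment limit 1;;;3
Mar 6, 2017 10:29:15.856755861 +03;127.0.0.1;45744;127.0.0.1;3306;1;;select user,host, authentication_string from mysql.user;;;3
Mar 6, 2017 10:29:25.056755861 +03;127.0.0.1;45744;127.0.0.1;3306;1;;select user,host1, authentication_string from mysql.user;;;3
Mar 6, 2017 10:29:25.097680116 +03;127.0.0.1;3306;127.0.0.1;45744;1;;;1054;Unknown column 'host1' in 'field list';
Mar 6, 2017 10:29:28.964743691 +03;127.0.0.1;45744;127.0.0.1;3306;1;;;;;1
"""

Alert = namedtuple("Alert", "rule where user detail")


@dataclass
class Session:
    """One TCP stream: who logged in, what they ran, what the server answered."""
    stream: str
    client: str = ""                              # ip:port of the client side
    user: str = ""
    queries: list = field(default_factory=list)
    errors: list = field(default_factory=list)    # (code, message) pairs
    quit: bool = False


def parse_records(text):
    """Split tshark output into dicts; '...' and other short lines are skipped.

    Using csv with quotechar '"' also copes with output made with -E quote=d,
    which is needed as soon as a query or error message can itself contain ';'.
    """
    rows = csv.reader(text.splitlines(), delimiter=";", quotechar='"')
    return [dict(zip(FIELDS, row)) for row in rows if len(row) == len(FIELDS)]


def build_sessions(records):
    """Group packets by tcp.stream so a server error inherits the user name
    that only appears in the client's login packet."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["stream"], Session(stream=r["stream"]))
        if r["user"]:                              # client -> server login
            s.user = r["user"]
            s.client = f"{r['src']}:{r['sport']}"
        if r["query"]:                             # client -> server COM_QUERY
            s.queries.append(r["query"])
            s.client = s.client or f"{r['src']}:{r['sport']}"
        if r["error_code"]:                        # server -> client ERR packet
            s.errors.append((int(r["error_code"]), r["error_message"]))
            s.client = s.client or f"{r['dst']}:{r['dport']}"
        if r["command"] == str(COM_QUIT):
            s.quit = True
    return sessions


def detect(sessions, failed_login_threshold=3):
    """Apply the three triage rules and return the alerts they raise."""
    alerts = []
    denied_per_host = defaultdict(int)
    for s in sessions.values():
        host = s.client.split(":")[0]
        for code, message in s.errors:
            if code == ER_ACCESS_DENIED:
                denied_per_host[host] += 1         # counted across all streams
            else:                                  # bad SQL: typo or probing
                alerts.append(Alert("query_error", s.stream, s.user,
                                    f"{code}: {message}"))
        for query in s.queries:
            if SENSITIVE_TABLES.search(query):     # reading the hash table
                alerts.append(Alert("credential_table_read", s.stream,
                                    s.user, query))
    for host, count in denied_per_host.items():
        if count >= failed_login_threshold:
            alerts.append(Alert("failed_logins", host, "",
                                f"{count} access-denied responses"))
    return alerts


def analyze(text, failed_login_threshold=3):
    return detect(build_sessions(parse_records(text)), failed_login_threshold)


if __name__ == "__main__":
    for a in analyze(SAMPLE_OUTPUT):
        print(f"{a.rule:22} {a.where:18} {a.user:5} {a.detail}")
```

In a live setup the script would read the tshark output piped into it instead of SAMPLE_OUTPUT. Two points matter in practice: the error packets travel server to client, so the per-stream correlation is what lets the 1045 and 1054 lines be attributed to a user and a client port; and the default `;` separator is unsafe on its own, since a multi-statement query or a 1064 syntax-error message can contain semicolons, so add `-E quote=d` to the tshark command when the output is meant to be parsed rather than read.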

P.S. The Wireshark wiki page on the MySQL protocol documents the dissector and the mysql.* field names used above.
