Refactored detection logic to include ports and a confidence score

2025-10-09 11:54:43 +02:00
parent 2081d684ed
commit 2ab59437fa
17 changed files with 795 additions and 129 deletions


@@ -9,15 +9,19 @@ func init() {
Register(Server, "\x0a", detectMySQL)
}
func detectMySQL(dir Direction, data []byte) *Protocol {
func detectMySQL(dir Direction, data []byte, srcPort, dstPort int) (proto *Protocol, confidence float64) {
if len(data) < 7 {
return nil
return nil, 0
}
// The first byte of the handshake packet is the protocol version.
// For MySQL, this is 10 (0x0A).
if data[0] != 0x0A {
return nil
return nil, 0
}
if srcPort == 3306 {
confidence = .1
}
// After the protocol version, there is a null-terminated server version string.
@@ -26,7 +30,7 @@ func detectMySQL(dir Direction, data []byte) *Protocol {
// If no null byte is found, it's not a valid banner.
if nullIndex == -1 {
return nil
return nil, 0
}
// The position of the null byte is relative to the start of the whole slice.
@@ -38,7 +42,7 @@ func detectMySQL(dir Direction, data []byte) *Protocol {
// We'll check for the 4-byte connection ID as a minimum requirement.
const connectionIDLength = 4
if len(data) < serverVersionEndPos+1+connectionIDLength {
return nil
return nil, 0
}
var version Version
@@ -47,5 +51,5 @@ func detectMySQL(dir Direction, data []byte) *Protocol {
return &Protocol{
Name: ProtocolMySQL,
Version: version,
}
}, confidence + .75
}
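Review bot: The port bonus in the first hunk (`confidence = .1` when `srcPort == 3306`) and the final `confidence + .75` are bare literals with no stated scale, so a reader cannot tell what range callers should threshold on or why a match on an arbitrary port already scores 0.75. The checks visible in these hunks require only a 0x0A first byte, a NUL terminator and four further bytes, all chosen by the remote peer, so that base score looks generous unless the version parsing outside the hunks is stricter; the body between the hunks is not shown, so this needs confirming. I would name the values, e.g. `const mysqlPort, mysqlPortBonus, mysqlBannerScore = 3306, 0.1, 0.75`, and add a doc comment on detectMySQL stating that the score is in [0, 1], what each component contributes, and that the banner is untrusted input. The named result `proto` is never assigned in the visible lines and `confidence` is used as a scratch variable; a plain local (`var bonus float64`) with unnamed results would read more clearly.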