tests: add pgsql cancel request tests 1552/head
authorJuliana Fajardini <jufajardini@oisf.net>
Fri, 8 Dec 2023 20:47:19 +0000 (17:47 -0300)
committerVictor Julien <victor@inliniac.net>
Fri, 15 Dec 2023 05:08:22 +0000 (06:08 +0100)
Showcase CancelRequest postgresql message output.

Related to
Task #6577

tests/pgsql/pgsql-cancel-request/README.md [new file with mode: 0644]
tests/pgsql/pgsql-cancel-request/input.pcap [new file with mode: 0644]
tests/pgsql/pgsql-cancel-request/suricata.yaml [new file with mode: 0644]
tests/pgsql/pgsql-cancel-request/test.yaml [new file with mode: 0644]

diff --git a/tests/pgsql/pgsql-cancel-request/README.md b/tests/pgsql/pgsql-cancel-request/README.md
new file mode 100644 (file)
index 0000000..b68ca55
--- /dev/null
@@ -0,0 +1,19 @@
+# Test Description
+
+Showcase Suricata output and behavior when it inspects PostgreSQL traffic where
+a `CancelRequest` message is sent.
+
+A CancelRequest message is sent by the FrontEnd (client) when it wants to cancel
+a Query. It is sent to a new port, so this creates a new transaction. No direct
+message is sent to confirm that the CancelRequest was processed, but if it is,
+the transaction/process waiting for the Query will receive an Error Message
+indicating that the Query was canceled (cf
+https://www.postgresql.org/docs/16/protocol-flow.html#PROTOCOL-FLOW-CANCELING-REQUESTS).
+
+## PCAP
+
+Shared by Jason Ish, sample of a local query to a sample local database.
+
+## Related issues
+
+Task for adding pgsql message: https://redmine.openinfosecfoundation.org/issues/6577
diff --git a/tests/pgsql/pgsql-cancel-request/input.pcap b/tests/pgsql/pgsql-cancel-request/input.pcap
new file mode 100644 (file)
index 0000000..d00c7e5
Binary files /dev/null and b/tests/pgsql/pgsql-cancel-request/input.pcap differ
diff --git a/tests/pgsql/pgsql-cancel-request/suricata.yaml b/tests/pgsql/pgsql-cancel-request/suricata.yaml
new file mode 100644 (file)
index 0000000..ea8c9fa
--- /dev/null
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql
+        - flow
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+
diff --git a/tests/pgsql/pgsql-cancel-request/test.yaml b/tests/pgsql/pgsql-cancel-request/test.yaml
new file mode 100644 (file)
index 0000000..91e283a
--- /dev/null
@@ -0,0 +1,91 @@
+requires:
+   min-version: 8
+args:
+- -k none
+- --set stream.midstream=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 100.96.199.113
+      dest_port: 5432
+      event_type: pgsql
+      pgsql.request.message: SSL Request
+      pgsql.response.ssl_accepted: false
+      pgsql.tx_id: 1
+      src_ip: 100.88.2.140
+      src_port: 39704
+- filter:
+    count: 1
+    match:
+      dest_ip: 100.96.199.113
+      dest_port: 5432
+      event_type: pgsql
+      pgsql.request.protocol_version: '3.0'
+      pgsql.request.startup_parameters.optional_parameters[0].database: rules
+      pgsql.request.startup_parameters.optional_parameters[1].application_name: psql
+      pgsql.request.startup_parameters.optional_parameters[2].client_encoding: UTF8
+      pgsql.request.startup_parameters.user: rules
+      pgsql.tx_id: 2
+      src_ip: 100.88.2.140
+      src_port: 39704
+- filter:
+    count: 1
+    match:
+      dest_ip: 100.96.199.113
+      dest_port: 5432
+      event_type: pgsql
+      pgsql.response.message: authentication_ok
+      pgsql.response.parameter_status[0].application_name: psql
+      pgsql.response.process_id: 28954
+      pgsql.response.secret_key: 889887985
+      pgsql.tx_id: 3
+      src_ip: 100.88.2.140
+      src_port: 39704
+- filter:
+    count: 1
+    match:
+      dest_ip: 100.96.199.113
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 23
+      pgsql.request.simple_query: select pg_sleep(9)
+      pgsql.response.code: '57014'
+      pgsql.response.field_count: 1
+      pgsql.response.file: postgres.c
+      pgsql.response.line: '3211'
+      pgsql.response.message: canceling statement due to user request
+      pgsql.response.routine: ProcessInterrupts
+      pgsql.response.severity_localizable: ERROR
+      pgsql.response.severity_non_localizable: ERROR
+      pgsql.tx_id: 4
+      src_ip: 100.88.2.140
+      src_port: 39704
+- filter:
+    count: 1
+    match:
+      dest_ip: 100.96.199.113
+      dest_port: 5432
+      event_type: pgsql
+      pgsql.request.message: termination_message
+      pgsql.tx_id: 5
+      src_ip: 100.88.2.140
+      src_port: 39704
+- filter:
+    count: 1
+    match:
+      dest_ip: 100.96.199.113
+      dest_port: 5432
+      event_type: pgsql
+      pgsql.request.secret_key: 889887985
+      pgsql.request.message: cancel_request
+      pgsql.request.process_id: 28954
+      pgsql.tx_id: 1
+      src_ip: 100.88.2.140
+      src_port: 39706
+- filter:
+    count: 2
+    match:
+      app_proto: pgsql
+      event_type: flow
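Review bot: The `min-version` line under `requires:` (second line of the hunk) is indented three spaces while every other nested key in the file uses two, so yamllint's indentation rule will flag it; `  min-version: 8` keeps the file consistent. The cancel-request filter near the end of the hunk is the check this test exists for, yet nothing records that its `process_id`/`secret_key` are expected to equal the values logged in the `authentication_ok` response of tx 3 on the first flow, which is what ties the cancel to the session; a comment above that filter such as `# cancel_request arrives on a new flow (src_port 39706) and must carry the process_id/secret_key the authentication_ok response of tx 3 logged on the original flow` would make that intent explicit. In that same filter the keys are not in the sorted order the other filters use (`secret_key` precedes `message`), which is cosmetic only.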