If a password message was seen while logging passwords was disabled
for pgsql, this would lead to an empty request being logged.
Instead of simply not logging anything when there is a password message
and this is disabled, however, log instead that said password is
redacted.
Bug #7647
* "startup_message": message sent to start a new PostgreSQL connection
* "password_message": if password output for PGSQL is enabled in suricata.yaml,
carries the password sent during Authentication phase
+* "password_redacted": set to true in case there is a password message, but its
+ logging is disabled
* "simple_query": issued SQL command during simple query subprotocol. PostgreSQL
identifies specific sets of commands that change the set of expected messages
to be exchanged as subprotocols.
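Review bot: the new "password_redacted" entry says "its logging is disabled" without naming the setting, while the "password_message" entry just above it points the reader to the password output option in suricata.yaml. Suggest naming the same option here, and stating that the field is simply absent when no password message was seen or when password logging is enabled, so readers do not expect a false value.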
"password_message": {
"type": "string"
},
+ "password_redacted": {
+ "type": "boolean",
+ "description": "indicates if a password message was received but not logged due to Suricata settings"
+ },
"process_id": {
"type": "integer"
},
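Review bot: the description on "password_redacted" reads "indicates if a password message was received but not logged", which suggests the field can carry either value, but the logger change in this commit only ever writes true. Suggest wording it as present and true only when a password message was received and not logged, so consumers validating against the schema treat absence, not false, as the other case.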
}) => {
if flags & PGSQL_LOG_PASSWORDS != 0 {
js.set_string_from_bytes("password", payload)?;
+ } else {
+ js.set_bool("password_redacted", true)?;
}
}
PgsqlFEMessage::SASLResponse(RegularPacket {
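Review bot: nothing in the visible changes exercises the new else branch that calls js.set_bool("password_redacted", true). A test that feeds a password message with PGSQL_LOG_PASSWORDS unset and asserts that the request carries "password_redacted": true and no "password" key would pin down the behaviour the commit message describes (no more empty request object) and guard against the two branches ever both firing.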
- pgsql:
enabled: no
# passwords: yes # enable output of passwords. Disabled by default
+ # If a password message is seen but this setting
+ # is disabled, "password_redacted": true is logged
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
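Review bot: in the added comment, "this setting is disabled" is ambiguous, because the line it annotates is itself commented out and sits directly under "enabled: no" for the pgsql logger. Suggest naming the option explicitly, for example saying that when passwords is not set to yes, "password_redacted": true is logged for any password message seen.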