pgsql: add tests for `query` keyword 2526/head
authorJuliana Fajardini <jufajardini@oisf.net>
Sun, 25 May 2025 20:23:00 +0000 (17:23 -0300)
committerVictor Julien <victor@inliniac.net>
Wed, 28 May 2025 17:08:07 +0000 (19:08 +0200)
Related to
Task #6259

tests/pgsql/pgsql-query-keyword-01/README.md [new file with mode: 0644]
tests/pgsql/pgsql-query-keyword-01/input.pcap [new file with mode: 0644]
tests/pgsql/pgsql-query-keyword-01/suricata.yaml [new file with mode: 0644]
tests/pgsql/pgsql-query-keyword-01/test.rules [new file with mode: 0644]
tests/pgsql/pgsql-query-keyword-01/test.yaml [new file with mode: 0644]
tests/pgsql/pgsql-query-keyword-02/README.md [new file with mode: 0644]
tests/pgsql/pgsql-query-keyword-02/suricata.yaml [new file with mode: 0644]
tests/pgsql/pgsql-query-keyword-02/test.rules [new file with mode: 0644]
tests/pgsql/pgsql-query-keyword-02/test.yaml [new file with mode: 0644]

diff --git a/tests/pgsql/pgsql-query-keyword-01/README.md b/tests/pgsql/pgsql-query-keyword-01/README.md
new file mode 100644 (file)
index 0000000..bf757db
--- /dev/null
@@ -0,0 +1,11 @@
+# Test
+
+Test `pgsql` `query` rule keyword, with content checks for `SELECT` and `LISTEN`.
+
+## Pcap
+
+Shared by Jason Ish.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/6259
diff --git a/tests/pgsql/pgsql-query-keyword-01/input.pcap b/tests/pgsql/pgsql-query-keyword-01/input.pcap
new file mode 100644 (file)
index 0000000..f754511
Binary files /dev/null and b/tests/pgsql/pgsql-query-keyword-01/input.pcap differ
diff --git a/tests/pgsql/pgsql-query-keyword-01/suricata.yaml b/tests/pgsql/pgsql-query-keyword-01/suricata.yaml
new file mode 100644 (file)
index 0000000..8bbe086
--- /dev/null
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - pgsql:
+            passwords: false
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
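Review bot: `stream-depth: 0` under `app-layer.protocols.pgsql` removes the per-stream inspection-depth cap for the parser, and nothing in the file records that this is a deliberate choice for the test rather than a value carried over from a production config. A comment above it, `# 0 = no stream-depth limit: inspect the whole session so every query reaches the parser`, would make the intent explicit. Likewise `passwords: false` in the eve-log `pgsql` section presumably keeps authentication passwords out of eve.json; `# never write pgsql passwords to eve.json` would say so for the next reader.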
diff --git a/tests/pgsql/pgsql-query-keyword-01/test.rules b/tests/pgsql/pgsql-query-keyword-01/test.rules
new file mode 100644 (file)
index 0000000..207a427
--- /dev/null
@@ -0,0 +1,2 @@
+alert pgsql any any -> any any (msg:"Query keyword check - SELECT"; pgsql.query; content:"SELECT"; sid: 1;)
+alert pgsql any any -> any any (msg: "Query keyword check - listen"; pgsql.query; content:"listen"; fast_pattern; nocase; sid: 2;)
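Review bot: The two rules are written in different styles on the same two lines: sid 1 has `msg:"..."` with no space while sid 2 has `msg: "..."`, and both use `sid: 1;` / `sid: 2;` with a space after the colon, which Suricata accepts but which departs from the usual `sid:1;` form. Neither rule carries a `rev`, which is normally present even in test rules. I would normalise them to `alert pgsql any any -> any any (msg:"Query keyword check - SELECT"; pgsql.query; content:"SELECT"; sid:1; rev:1;)` and `alert pgsql any any -> any any (msg:"Query keyword check - listen"; pgsql.query; content:"listen"; fast_pattern; nocase; sid:2; rev:1;)`.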
diff --git a/tests/pgsql/pgsql-query-keyword-01/test.yaml b/tests/pgsql/pgsql-query-keyword-01/test.yaml
new file mode 100644 (file)
index 0000000..c1e7690
--- /dev/null
@@ -0,0 +1,32 @@
+requires:
+   min-version: 8.0
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      direction: to_server
+      alert.signature: Query keyword check - listen
+      alert.signature_id: 2
+      app_proto: pgsql
+      pcap_cnt: 18
+      pgsql.request.simple_query: LISTEN rules;
+      pgsql.response.command_completed: LISTEN
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      direction: to_server
+      alert.signature: Query keyword check - SELECT
+      alert.signature_id: 1
+      app_proto: pgsql
+      pcap_cnt: 24
+      pgsql.request.simple_query: SELECT 1;
+      pgsql.response.command_completed: SELECT 1
+      pgsql.response.data_rows: 1
+      pgsql.response.data_size: 1
+      pgsql.response.field_count: 1
+      pgsql.tx_id: 5
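Review bot: The checks only assert that each expected alert occurs exactly once; nothing pins the total, so a `pgsql.query` buffer that matched `SELECT` or `listen` on additional packets in the pcap would still pass. A third filter, `- filter: {count: 2, match: {event_type: alert}}`, would catch over-matching (adjust the number if the pcap genuinely produces more hits). Two smaller things: `min-version: 8.0` is a bare float to a YAML parser, which suricata-verify apparently tolerates, but it becomes `8.1` for a future `8.10` and a three-part `8.0.0` or a quoted string avoids that trap; and `min-version` is indented three spaces under `requires` while the rest of the file uses two.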
diff --git a/tests/pgsql/pgsql-query-keyword-02/README.md b/tests/pgsql/pgsql-query-keyword-02/README.md
new file mode 100644 (file)
index 0000000..fcb7b33
--- /dev/null
@@ -0,0 +1,11 @@
+# Test
+
+Test `pgsql` `query` rule keyword, with content checks for `SELECT` and `delete`.
+
+## Pcap
+
+Reused from test `pgsql-simple-query-rollback`.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/6259
diff --git a/tests/pgsql/pgsql-query-keyword-02/suricata.yaml b/tests/pgsql/pgsql-query-keyword-02/suricata.yaml
new file mode 100644 (file)
index 0000000..8bbe086
--- /dev/null
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - pgsql:
+            passwords: false
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
diff --git a/tests/pgsql/pgsql-query-keyword-02/test.rules b/tests/pgsql/pgsql-query-keyword-02/test.rules
new file mode 100644 (file)
index 0000000..f753580
--- /dev/null
@@ -0,0 +1,2 @@
+alert pgsql any any -> any any (msg:"Query keyword check - select"; pgsql.query; content:"select *"; nocase; sid: 1;)
+alert pgsql any any -> any any (msg:"Query keyword check - delete"; pgsql.query; content:"delete"; nocase; sid: 2;)
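Review bot: Both rules match their content anywhere in the `pgsql.query` buffer, so the test passes whether or not the buffer starts at the statement text; a rule like `alert pgsql any any -> any any (msg:"Query keyword check - delete"; pgsql.query; content:"delete"; startswith; nocase; sid:2; rev:1;)` (or `depth:6`) would additionally show that the buffer begins with the query verb, which is what an operator writing a `DELETE`-detection rule relies on. This is a coverage suggestion, not a defect in the rules as written. The same `sid: 1;` spacing and missing `rev` as in the companion test apply here.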
diff --git a/tests/pgsql/pgsql-query-keyword-02/test.yaml b/tests/pgsql/pgsql-query-keyword-02/test.yaml
new file mode 100644 (file)
index 0000000..be743db
--- /dev/null
@@ -0,0 +1,91 @@
+requires:
+   min-version: 8.0
+args:
+- -k none
+
+pcap: ../pgsql-simple-query-rollback/input.pcap
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      app_proto: pgsql
+      direction: to_server
+      alert.signature: Query keyword check - delete
+      alert.signature_id: 2
+      pcap_cnt: 21
+      pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Remus';
+      pgsql.response.command_completed: DELETE 1
+      pgsql.tx_id: 6
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      direction: to_server
+      alert.signature: Query keyword check - delete
+      alert.signature_id: 2
+      app_proto: pgsql
+      pcap_cnt: 24
+      pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Londubat';
+      pgsql.response.command_completed: DELETE 1
+      pgsql.tx_id: 7
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature: Query keyword check - delete
+      alert.signature_id: 2
+      app_proto: pgsql
+      direction: to_server
+      pcap_cnt: 26
+      pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Hermione';
+      pgsql.response.command_completed: DELETE 1
+      pgsql.tx_id: 8
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      direction: to_server
+      alert.action: allowed
+      alert.signature: Query keyword check - delete
+      alert.signature_id: 2
+      app_proto: pgsql
+      pcap_cnt: 28
+      pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Maugre';
+      pgsql.response.command_completed: DELETE 1
+      pgsql.tx_id: 9
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      direction: to_server
+      alert.signature: Query keyword check - select
+      alert.signature_id: 1
+      app_proto: pgsql
+      pcap_cnt: 57
+      pgsql.request.simple_query: SELECT * FROM new_table;
+      pgsql.response.code: 25P02
+      pgsql.response.file: "d:\\pginstaller_13.auto\\postgres.windows-x64\\src\\backend\\tcop\\postgres.c"
+      pgsql.response.line: '1105'
+      pgsql.response.message: "current transaction is aborted, commands ignored until
+        end of transaction block"
+      pgsql.response.routine: exec_simple_query
+      pgsql.response.severity_localizable: ERROR
+      pgsql.response.severity_non_localizable: ERROR
+      pgsql.tx_id: 17
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature: Query keyword check - select
+      alert.signature_id: 1
+      app_proto: pgsql
+      direction: to_server
+      pcap_cnt: 84
+      pgsql.request.simple_query: SELECT * FROM new_table;
+      pgsql.response.command_completed: SELECT 8
+      pgsql.response.data_rows: 8
+      pgsql.response.data_size: 236
+      pgsql.response.field_count: 2
+      pgsql.tx_id: 26
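Review bot: The fourth filter (pcap_cnt 28) is the only one that asserts `alert.action: allowed`; either every alert filter should carry it, or it should be dropped there, otherwise a reader will assume that event is special. As in the companion test, no filter pins the total number of alerts, so a rule that also fired on some other statement in the reused rollback pcap would go unnoticed; `- filter: {count: 6, match: {event_type: alert}}` closes that gap (adjust if the pcap produces more hits). The key order inside `match` also varies from filter to filter (`app_proto` and `direction` move around); keeping one order makes the six blocks diffable against each other.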