From: Juliana Fajardini Date: Sun, 25 May 2025 20:23:00 +0000 (-0300) Subject: pgsql: add tests for `query` keyword X-Git-Tag: suricata-7.0.11~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2526%2Fhead;p=thirdparty%2Fsuricata-verify.git pgsql: add tests for `query` keyword Related to Task #6259
---
diff --git a/tests/pgsql/pgsql-query-keyword-01/README.md b/tests/pgsql/pgsql-query-keyword-01/README.md
new file mode 100644
index 000000000..bf757dbc5
--- /dev/null
+++ b/tests/pgsql/pgsql-query-keyword-01/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Test `pgsql` `query` rule keyword, with content checks for `SELECT` and `LISTEN`.
+
+## Pcap
+
+Shared by Jason Ish.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/6259
diff --git a/tests/pgsql/pgsql-query-keyword-01/input.pcap b/tests/pgsql/pgsql-query-keyword-01/input.pcap
new file mode 100644
index 000000000..f75451164
Binary files /dev/null and b/tests/pgsql/pgsql-query-keyword-01/input.pcap differ
diff --git a/tests/pgsql/pgsql-query-keyword-01/suricata.yaml b/tests/pgsql/pgsql-query-keyword-01/suricata.yaml
new file mode 100644
index 000000000..8bbe08685
--- /dev/null
+++ b/tests/pgsql/pgsql-query-keyword-01/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - pgsql:
+ passwords: false
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
+ stream-depth: 0
+
diff --git a/tests/pgsql/pgsql-query-keyword-01/test.rules b/tests/pgsql/pgsql-query-keyword-01/test.rules
new file mode 100644
index 000000000..207a427ae
--- /dev/null
+++ b/tests/pgsql/pgsql-query-keyword-01/test.rules
@@ -0,0 +1,2 @@
+alert pgsql any any -> any any (msg:"Query keyword check - SELECT"; pgsql.query; content:"SELECT"; sid: 1;)
+alert pgsql any any -> any any (msg: "Query keyword check - listen"; pgsql.query; content:"listen"; fast_pattern; nocase; sid: 2;)
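Review bot: `stream-depth: 0` under `app-layer.protocols.pgsql` removes the per-protocol reassembly depth cap (0 is, as far as I recall the YAML reference, "unlimited" for app-layer stream-depth), which is what a keyword test needs so every query in the pcap is inspected, but it is also the kind of value that gets copied into production configs, where unbounded pgsql reassembly means unbounded per-flow memory. A one-line comment next to it, `# 0 = no depth limit; needed so every query in the pcap is inspected — not a production setting`, would make the intent explicit. `passwords: false` on the eve pgsql logger is the safe choice and worth keeping in these fixtures so the expected-output checks never depend on credential material appearing in eve.json.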
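Review bot: sid 1 matches `SELECT` case-sensitively while sid 2 adds `nocase` and `fast_pattern`, so the two rules exercise different matcher paths on the `pgsql.query` buffer, but nothing in the file says the asymmetry is intentional; a header comment such as `# sid 1: case-sensitive content on pgsql.query; sid 2: nocase + fast_pattern on the same buffer` would keep a later cleanup from "fixing" it. The two lines also differ in formatting (`msg:"..."` vs `msg: "..."`, `sid: 1` with a space) and neither carries a `rev:`, which is conventional even in fixtures. Both rules are written `any any -> any any`; if `pgsql.query` is a request-side buffer, as the `direction: to_server` and `pgsql.request.simple_query` assertions in the test.yaml suggest, adding `flow:to_server;` would document that in the rule itself.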
diff --git a/tests/pgsql/pgsql-query-keyword-01/test.yaml b/tests/pgsql/pgsql-query-keyword-01/test.yaml
new file mode 100644
index 000000000..c1e76908c
--- /dev/null
+++ b/tests/pgsql/pgsql-query-keyword-01/test.yaml
@@ -0,0 +1,32 @@
+requires:
+ min-version: 8.0
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_server
+ alert.signature: Query keyword check - listen
+ alert.signature_id: 2
+ app_proto: pgsql
+ pcap_cnt: 18
+ pgsql.request.simple_query: LISTEN rules;
+ pgsql.response.command_completed: LISTEN
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_server
+ alert.signature: Query keyword check - SELECT
+ alert.signature_id: 1
+ app_proto: pgsql
+ pcap_cnt: 24
+ pgsql.request.simple_query: SELECT 1;
+ pgsql.response.command_completed: SELECT 1
+ pgsql.response.data_rows: 1
+ pgsql.response.data_size: 1
+ pgsql.response.field_count: 1
+ pgsql.tx_id: 5
diff --git a/tests/pgsql/pgsql-query-keyword-02/README.md b/tests/pgsql/pgsql-query-keyword-02/README.md
new file mode 100644
index 000000000..fcb7b331f
--- /dev/null
+++ b/tests/pgsql/pgsql-query-keyword-02/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Test `pgsql` `query` rule keyword, with content checks for `SELECT` and `delete`.
+
+## Pcap
+
+Reused from test `pgsql-simple-query-rollback`.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/6259
diff --git a/tests/pgsql/pgsql-query-keyword-02/suricata.yaml b/tests/pgsql/pgsql-query-keyword-02/suricata.yaml
new file mode 100644
index 000000000..8bbe08685
--- /dev/null
+++ b/tests/pgsql/pgsql-query-keyword-02/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - pgsql:
+ passwords: false
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
+ stream-depth: 0
+
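Review bot: both filters pin `count: 1` together with `alert.signature_id` and a specific `pcap_cnt`, so an unexpected extra alert for the same signature on a different packet (a match on response-side data, or a second `SELECT` elsewhere in the pcap) would not fail the test. Adding one filter that counts alerts overall, in the file's block style with `count: 2` and a `match` of just `event_type: alert`, turns the test into a both-ways check that the `pgsql.query` buffer fires exactly where expected and nowhere else. The `LISTEN` filter also omits `pgsql.tx_id` while the `SELECT` one asserts `pgsql.tx_id: 5`; asserting it in both would catch transaction-pairing regressions the same way.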
diff --git a/tests/pgsql/pgsql-query-keyword-02/test.rules b/tests/pgsql/pgsql-query-keyword-02/test.rules
new file mode 100644
index 000000000..f753580d0
--- /dev/null
+++ b/tests/pgsql/pgsql-query-keyword-02/test.rules
@@ -0,0 +1,2 @@
+alert pgsql any any -> any any (msg:"Query keyword check - select"; pgsql.query; content:"select *"; nocase; sid: 1;)
+alert pgsql any any -> any any (msg:"Query keyword check - delete"; pgsql.query; content:"delete"; nocase; sid: 2;)
diff --git a/tests/pgsql/pgsql-query-keyword-02/test.yaml b/tests/pgsql/pgsql-query-keyword-02/test.yaml
new file mode 100644
index 000000000..be743db43
--- /dev/null
+++ b/tests/pgsql/pgsql-query-keyword-02/test.yaml
@@ -0,0 +1,91 @@
+requires:
+ min-version: 8.0
+args:
+- -k none
+
+pcap: ../pgsql-simple-query-rollback/input.pcap
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: pgsql
+ direction: to_server
+ alert.signature: Query keyword check - delete
+ alert.signature_id: 2
+ pcap_cnt: 21
+ pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Remus';
+ pgsql.response.command_completed: DELETE 1
+ pgsql.tx_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_server
+ alert.signature: Query keyword check - delete
+ alert.signature_id: 2
+ app_proto: pgsql
+ pcap_cnt: 24
+ pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Londubat';
+ pgsql.response.command_completed: DELETE 1
+ pgsql.tx_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: Query keyword check - delete
+ alert.signature_id: 2
+ app_proto: pgsql
+ direction: to_server
+ pcap_cnt: 26
+ pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Hermione';
+ pgsql.response.command_completed: DELETE 1
+ pgsql.tx_id: 8
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_server
+ alert.action: allowed
+ alert.signature: Query keyword check - delete
+ alert.signature_id: 2
+ app_proto: pgsql
+ pcap_cnt: 28
+ pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Maugre';
+ pgsql.response.command_completed: DELETE 1
+ pgsql.tx_id: 9
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ direction: to_server
+ alert.signature: Query keyword check - select
+ alert.signature_id: 1
+ app_proto: pgsql
+ pcap_cnt: 57
+ pgsql.request.simple_query: SELECT * FROM new_table;
+ pgsql.response.code: 25P02
+ pgsql.response.file: "d:\\pginstaller_13.auto\\postgres.windows-x64\\src\\backend\\tcop\\postgres.c"
+ pgsql.response.line: '1105'
+ pgsql.response.message: "current transaction is aborted, commands ignored until
+ end of transaction block"
+ pgsql.response.routine: exec_simple_query
+ pgsql.response.severity_localizable: ERROR
+ pgsql.response.severity_non_localizable: ERROR
+ pgsql.tx_id: 17
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: Query keyword check - select
+ alert.signature_id: 1
+ app_proto: pgsql
+ direction: to_server
+ pcap_cnt: 84
+ pgsql.request.simple_query: SELECT * FROM new_table;
+ pgsql.response.command_completed: SELECT 8
+ pgsql.response.data_rows: 8
+ pgsql.response.data_size: 236
+ pgsql.response.field_count: 2
+ pgsql.tx_id: 26
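Review bot: the fifth filter (`pcap_cnt: 57`) is the most valuable check in the file — the server answers `25P02` and never executes the `SELECT`, yet the alert must still fire because `pgsql.query` inspects the request, which is exactly the behaviour a detection engineer wants against failed injection attempts — but nothing marks it as deliberate; a comment above that filter, `# server rejects this query (25P02, aborted transaction); the keyword must still match on the request`, would keep it from being dropped later as a "broken" case. As in the sibling test, every filter uses `count: 1` scoped to one `pcap_cnt`, so additional alerts on other packets go unnoticed; a final filter matching only `event_type: alert` with `count: 6` would pin the total. Only the fourth filter asserts `alert.action: allowed`; either drop it or add it to all six so the filters stay uniform, and the `pcap:` reference to `../pgsql-simple-query-rollback/input.pcap` means a change to that test's capture silently changes this one, which the README already notes but a comment next to the `pcap:` line would make visible in the file itself.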