tests: add test for pgsql probe bug 6080 1506/head 1513/head
authorJuliana Fajardini <jufajardini@oisf.net>
Tue, 28 Nov 2023 21:19:48 +0000 (18:19 -0300)
committerJuliana Fajardini <jufajardini@oisf.net>
Mon, 4 Dec 2023 22:48:58 +0000 (19:48 -0300)
Add test for pgsql probing function bug 6080.
Crafted pcap.

Related to
Bug #6080

tests/pgsql-bug-6080-probe-test-01/README.md [new file with mode: 0644]
tests/pgsql-bug-6080-probe-test-01/input.pcap [new file with mode: 0644]
tests/pgsql-bug-6080-probe-test-01/suricata.yaml [new file with mode: 0644]
tests/pgsql-bug-6080-probe-test-01/test.yaml [new file with mode: 0644]
tests/pgsql-bug-6080-probe-test-01/writepcap.py [new file with mode: 0644]

diff --git a/tests/pgsql-bug-6080-probe-test-01/README.md b/tests/pgsql-bug-6080-probe-test-01/README.md
new file mode 100644 (file)
index 0000000..3cd2295
--- /dev/null
@@ -0,0 +1,15 @@
+# Test Description
+
+The probing function for PGSQL, in some scenarios, could identify any TCP message
+sent to the standard PGSQL port - 5432 - as PGSQL traffic, leading to false
+positives.
+
+## PCAP
+
+This pcap was created using the Scapy script included in the test directory,
+to reproduce a non-shareable traffic capture.
+
+## Related issues
+
+Bug report on Redmine:
+https://redmine.openinfosecfoundation.org/issues/6080
diff --git a/tests/pgsql-bug-6080-probe-test-01/input.pcap b/tests/pgsql-bug-6080-probe-test-01/input.pcap
new file mode 100644 (file)
index 0000000..0238838
Binary files /dev/null and b/tests/pgsql-bug-6080-probe-test-01/input.pcap differ
diff --git a/tests/pgsql-bug-6080-probe-test-01/suricata.yaml b/tests/pgsql-bug-6080-probe-test-01/suricata.yaml
new file mode 100644 (file)
index 0000000..b2aea26
--- /dev/null
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql
+        - flow
+
diff --git a/tests/pgsql-bug-6080-probe-test-01/test.yaml b/tests/pgsql-bug-6080-probe-test-01/test.yaml
new file mode 100644 (file)
index 0000000..7360858
--- /dev/null
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      dest_port: 5432
+      event_type: pgsql
+      proto: TCP
+- filter:
+    count: 0
+    match:
+      app_proto: pgsql
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: flow
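Review bot: The first check pins `dest_port: 5432` and `proto: TCP` next to `event_type: pgsql`, so a pgsql record logged with any other tuple would slip past the `count: 0` assertion. For a false-positive regression test the negative check is strongest when it is as broad as possible; matching only `event_type: pgsql` with `count: 0` covers everything the narrower filter does. A short comment above the final `event_type: flow` check, saying that the pcap is expected to produce exactly one flow, would also make the intent of `count: 1` clear.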
diff --git a/tests/pgsql-bug-6080-probe-test-01/writepcap.py b/tests/pgsql-bug-6080-probe-test-01/writepcap.py
new file mode 100644 (file)
index 0000000..b52a0ea
--- /dev/null
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+'''packet 1'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='S', window=65535, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 2'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432,
+                flags='S''A', ack=1, window=5840, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 3'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=1, window=65535, seq=1)
+'''packet 4'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1, window=65535, seq=98080856)
+'''packet 5'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='A', ack=37, window=5840, seq=1)
+'''packet 6'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=1)/":"
+'''packet 7'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=37, window=65534, seq=2)
+'''packet 8'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=2)/"p1r473.server.org\x01\n"
+'''packet 9'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1363, window=64173, seq=37)
+'''packet 10'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='F''P''A', ack=1363, window=64173, seq=53)
+'''packet 11'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=200, window=6432, seq=1363)/":"
+'''packet 12'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='R''A', ack=1364, window=0, seq=200)
+
+wrpcap('input.pcap', pkts)
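Review bot: The sequence and acknowledgement numbers do not line up with the payloads the script writes, and nothing says whether that is deliberate: packet 4 carries `seq=98080856` with no data, packet 5 acknowledges 37, and packet 9 acknowledges 1363 although the server side has sent only a few bytes. Since the README says the pcap reproduces a capture that cannot be shared, a header comment should state that the payloads were stripped or replaced and which packets the probing function must see. That would stop a later edit from "correcting" the numbers and silently no longer exercising bug 6080. As style, the `'''packet N'''` string statements would read better as `# packet N` comments, `flags='P''A'` as `flags='PA'`, and the wildcard import as `from scapy.all import IP, TCP, wrpcap`.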