tests: add pgsql tests
authorJuliana Fajardini <jufajardini@gmail.com>
Tue, 21 Sep 2021 10:51:42 +0000 (11:51 +0100)
committerJuliana Fajardini <jufajardini@gmail.com>
Thu, 20 Jan 2022 15:40:30 +0000 (15:40 +0000)
These tests cover an assortment of pgsql authentication methods,
simple queries, error response messages, as well as SSL requests,
both rejected and accepted (the accepted case upgrades the connection
to TLS, STARTTLS-style). Non-verbose log style is enabled.

Related to task #4241

20 files changed:
tests/pgsql/pgsql-5000-query-results/README.md [new file with mode: 0644]
tests/pgsql/pgsql-5000-query-results/input.pcap [new file with mode: 0644]
tests/pgsql/pgsql-5000-query-results/suricata.yaml [new file with mode: 0644]
tests/pgsql/pgsql-5000-query-results/test.yaml [new file with mode: 0644]
tests/pgsql/pgsql-pwd-output-disabled/README.md [new file with mode: 0644]
tests/pgsql/pgsql-pwd-output-disabled/input.pcap [new file with mode: 0644]
tests/pgsql/pgsql-pwd-output-disabled/suricata.yaml [new file with mode: 0755]
tests/pgsql/pgsql-pwd-output-disabled/test.yaml [new file with mode: 0644]
tests/pgsql/pgsql-simple-query-rollback/README.md [new file with mode: 0644]
tests/pgsql/pgsql-simple-query-rollback/input.pcap [new file with mode: 0644]
tests/pgsql/pgsql-simple-query-rollback/suricata.yaml [new file with mode: 0644]
tests/pgsql/pgsql-simple-query-rollback/test.yaml [new file with mode: 0644]
tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/README.md [new file with mode: 0644]
tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/input.pcap [new file with mode: 0644]
tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/suricata.yaml [new file with mode: 0755]
tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/test.yaml [new file with mode: 0644]
tests/pgsql/pgsql-upgrade-tls/README.md [new file with mode: 0644]
tests/pgsql/pgsql-upgrade-tls/input.pcap [new file with mode: 0644]
tests/pgsql/pgsql-upgrade-tls/suricata.yaml [new file with mode: 0755]
tests/pgsql/pgsql-upgrade-tls/test.yaml [new file with mode: 0644]

diff --git a/tests/pgsql/pgsql-5000-query-results/README.md b/tests/pgsql/pgsql-5000-query-results/README.md
new file mode 100644 (file)
index 0000000..c5bf16d
--- /dev/null
@@ -0,0 +1,9 @@
+Tests PostgreSQL (pgsql) output for Frontend/Backend conversation with:
+
+- SSL Handshake (denied)
+- Startup phase with MD5 authentication (ok)
+- Simple Query
+- Row description, 5000 Data Row, Command Completed, Ready for Query 
+- Termination Message 
+
+pcap by Juliana Fajardini, with local dummy setup
diff --git a/tests/pgsql/pgsql-5000-query-results/input.pcap b/tests/pgsql/pgsql-5000-query-results/input.pcap
new file mode 100644 (file)
index 0000000..fdbe4b9
Binary files /dev/null and b/tests/pgsql/pgsql-5000-query-results/input.pcap differ
diff --git a/tests/pgsql/pgsql-5000-query-results/suricata.yaml b/tests/pgsql/pgsql-5000-query-results/suricata.yaml
new file mode 100644 (file)
index 0000000..8434a4f
--- /dev/null
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
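Review bot: `stream-depth: 0` in the pgsql app-layer section is left unexplained, so a reader cannot tell whether it is required for this fixture or incidental. Subtest 5 of the companion test.yaml asserts `pgsql.response.data_size: 3035751`, so presumably 0 lifts the reassembly depth limit so the whole ~3 MB result set reaches the parser; a comment such as `stream-depth: 0  # no depth limit: the fixture's SELECT returns ~3 MB of rows that must all reach the parser` would make that explicit. The `passwords` output option is also left at its default even though the test relies on the redacted placeholder; spelling out `passwords: no` under a `- pgsql:` mapping in `types:` would pin that intent rather than depend on the default.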
diff --git a/tests/pgsql/pgsql-5000-query-results/test.yaml b/tests/pgsql/pgsql-5000-query-results/test.yaml
new file mode 100644 (file)
index 0000000..65cdb9a
--- /dev/null
@@ -0,0 +1,115 @@
+requires:
+# Pgsql was released on version 7.0
+  min-version: 7.0 
+
+args:
+- -k none
+
+checks:
+# subtest 1
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.18.0.2
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 21
+      pgsql.request.message: SSL Request
+      pgsql.response.ssl_accepted: false
+      pgsql.tx_id: 1
+      proto: TCP
+      src_ip: 172.18.0.1
+      src_port: 54408
+# subtest 2
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.18.0.2
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 25
+      pgsql.request.protocol_version: '3.0'
+      pgsql.request.startup_parameters.database: rules
+      pgsql.request.startup_parameters.optional_parameters[0].application_name: psql
+      pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8
+      pgsql.request.startup_parameters.user: rules
+      pgsql.response.authentication_md5_password: Z\xdc\xfdf
+      pgsql.tx_id: 2
+      proto: TCP
+      src_ip: 172.18.0.1
+      src_port: 54408
+# subtest 3
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.18.0.2
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 11
+      pgsql.request.protocol_version: '3.0'
+      pgsql.request.startup_parameters.database: rules
+      pgsql.request.startup_parameters.optional_parameters[0].application_name: psql
+      pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8
+      pgsql.request.startup_parameters.user: rules
+      pgsql.response.authentication_md5_password: "\\xcaT\r'"
+      pgsql.tx_id: 2
+      proto: TCP
+      src_ip: 172.18.0.1
+      src_port: 54406
+# subtest 4
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.18.0.2
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 29
+      pgsql.request.password_message: password log disabled
+      pgsql.response.message: authentication_ok
+      pgsql.response.parameter_status[0].application_name: psql
+      pgsql.response.parameter_status[10].time_zone: Etc/UTC
+      pgsql.response.parameter_status[1].client_encoding: UTF8
+      pgsql.response.parameter_status[2].date_style: ISO, MDY
+      pgsql.response.parameter_status[3].integer_datetimes: 'on'
+      pgsql.response.parameter_status[4].interval_style: postgres
+      pgsql.response.parameter_status[5].is_superuser: 'on'
+      pgsql.response.parameter_status[6].server_encoding: UTF8
+      pgsql.response.parameter_status[7].server_version: 13.4 (Debian 13.4-1.pgdg100+1)
+      pgsql.response.parameter_status[8].session_authorization: rules
+      pgsql.response.parameter_status[9].standard_conforming_strings: 'on'
+      pgsql.response.process_id: 781
+      pgsql.response.secret_key: 2527955820
+      pgsql.tx_id: 3
+      proto: TCP
+      src_ip: 172.18.0.1
+      src_port: 54408
+# subtest 5
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.18.0.2
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 780
+      pgsql.request.simple_query: select * from rule limit 5000;
+      pgsql.response.command_completed: SELECT 5000
+      pgsql.response.data_rows: 5000
+      pgsql.response.data_size: 3035751
+      pgsql.response.field_count: 7
+      pgsql.tx_id: 4
+      proto: TCP
+      src_ip: 172.18.0.1
+      src_port: 54408
+# subtest 6
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.18.0.1
+      dest_port: 54408
+      event_type: pgsql
+      pcap_cnt: 782
+      pgsql.request.message: termination_message
+      pgsql.tx_id: 5
+      proto: TCP
+      src_ip: 172.18.0.2
+      src_port: 5432
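Review bot: Subtest 3 (the filter at `pcap_cnt: 11`, `src_port: 54406`) asserts a second pgsql flow that the README for this test does not mention; the README describes a single conversation, so either it or a comment on that check should say the pcap carries an earlier, separate connection. None of the filters bound the total number of pgsql events, so duplicated or spurious transactions would not fail this test; a closing `- filter: count: N match: event_type: pgsql` (with N derived from the pcap) would catch that. Minor: the `# Pgsql was released on version 7.0` comment sits at column 0 between `requires:` and its child key, and `min-version: 7.0 ` carries trailing whitespace.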
diff --git a/tests/pgsql/pgsql-pwd-output-disabled/README.md b/tests/pgsql/pgsql-pwd-output-disabled/README.md
new file mode 100644 (file)
index 0000000..f11e0f6
--- /dev/null
@@ -0,0 +1,9 @@
+# Description
+
+Tests PostgreSQL (pgsql) output for Frontend/Backend conversation with:
+- SSL Handshake (denied)
+- Startup phase with cleartext password, password log disabled, and
+authentication (ok)
+- Termination message
+
+pcap by Juliana Fajardini, with local dummy setup
diff --git a/tests/pgsql/pgsql-pwd-output-disabled/input.pcap b/tests/pgsql/pgsql-pwd-output-disabled/input.pcap
new file mode 100644 (file)
index 0000000..9a513b1
Binary files /dev/null and b/tests/pgsql/pgsql-pwd-output-disabled/input.pcap differ
diff --git a/tests/pgsql/pgsql-pwd-output-disabled/suricata.yaml b/tests/pgsql/pgsql-pwd-output-disabled/suricata.yaml
new file mode 100755 (executable)
index 0000000..9c40cc9
--- /dev/null
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql:
+            enabled: yes
+            #passwords: no         #disabled by default
+        - flow
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
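Review bot: This suricata.yaml is added with mode 0755 (`new file mode 100755 (executable)`), which a config file should not carry; 0644 matches the 5000-query-results and simple-query-rollback configs in the same commit. The password redaction this test exists to verify is only asserted implicitly: `#passwords: no` is commented out, so the test passes on the default rather than on a pinned setting, and a future change of that default would not be noticed here. Making it `passwords: no  # explicit: this test pins the redacted "password log disabled" placeholder` keeps the fixture self-describing.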
diff --git a/tests/pgsql/pgsql-pwd-output-disabled/test.yaml b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml
new file mode 100644 (file)
index 0000000..6c1e526
--- /dev/null
@@ -0,0 +1,103 @@
+requires:
+# Pgsql was released on version 7.0
+  min-version: 7.0 
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 6
+      pgsql.request.message: SSL Request
+      pgsql.response.ssl_accepted: false
+      pgsql.tx_id: 1
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 41662
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 9
+      pgsql.request.protocol_version: '3.0'
+      pgsql.request.startup_parameters.database: Test
+      pgsql.request.startup_parameters.optional_parameters[0].application_name: psql
+      pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8
+      pgsql.request.startup_parameters.user: ju-Test
+      pgsql.response.message: authentication_cleartext_password
+      pgsql.tx_id: 2
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 41662
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 12
+      pgsql.request.password_message: password log disabled
+      pgsql.response.message: authentication_ok
+      pgsql.response.parameter_status[0].application_name: psql
+      pgsql.response.parameter_status[10].time_zone: Europe/London
+      pgsql.response.parameter_status[1].client_encoding: UTF8
+      pgsql.response.parameter_status[2].date_style: ISO, DMY
+      pgsql.response.parameter_status[3].integer_datetimes: 'on'
+      pgsql.response.parameter_status[4].interval_style: postgres
+      pgsql.response.parameter_status[5].is_superuser: 'on'
+      pgsql.response.parameter_status[6].server_encoding: UTF8
+      pgsql.response.parameter_status[7].server_version: '13.4'
+      pgsql.response.parameter_status[8].session_authorization: ju-Test
+      pgsql.response.parameter_status[9].standard_conforming_strings: 'on'
+      pgsql.response.process_id: 11828
+      pgsql.response.secret_key: 3666668912
+      pgsql.tx_id: 3
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 41662
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.102
+      dest_port: 41662
+      event_type: pgsql
+      pcap_cnt: 15
+      pgsql.request.message: termination_message
+      pgsql.tx_id: 4
+      proto: TCP
+      src_ip: 192.168.1.74
+      src_port: 5432
+- filter:
+    count: 1
+    match:
+      app_proto: pgsql
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: flow
+      flow.age: 24
+      flow.alerted: false
+      flow.bytes_toclient: 693
+      flow.bytes_toserver: 668
+      flow.pkts_toclient: 6
+      flow.pkts_toserver: 10
+      flow.reason: shutdown
+      flow.state: closed
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 41662
+      tcp.ack: true
+      tcp.fin: true
+      tcp.psh: true
+      tcp.rst: true
+      tcp.state: closed
+      tcp.syn: true
+      tcp.tcp_flags: 1f
+      tcp.tcp_flags_tc: 1e
+      tcp.tcp_flags_ts: 1b
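Review bot: The check at `pcap_cnt: 12` only asserts the placeholder `pgsql.request.password_message: password log disabled`; nothing asserts that the cleartext password does not appear elsewhere in eve.json, so a regression that emitted a `pgsql.request.password` field alongside the placeholder would still pass. A negative filter, `- filter: count: 0 match: event_type: pgsql pgsql.request.password: <the dummy password>`, would close that gap (the dummy value is known from the capture setup; substitute it in). If the runner supports key-existence matching, asserting that no pgsql event carries `pgsql.request.password` at all is the stronger form.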
diff --git a/tests/pgsql/pgsql-simple-query-rollback/README.md b/tests/pgsql/pgsql-simple-query-rollback/README.md
new file mode 100644 (file)
index 0000000..dddc4c6
--- /dev/null
@@ -0,0 +1,21 @@
+Tests pgsql output for a Frontend/Backend conversation in Simple Query PostgreSQL subprotocol where the simple query is split into several commands and where a rollback is issued by the backed.
+
+SimpleQuery messages shown:
+
+BEGIN;
+DELETE FROM new_table WHERE NAME='Remus';
+DELETE FROM new_table WHERE NAME='Londubat';
+DELETE FROM new_table WHERE NAME='Hermione';
+DELETE FROM new_table WHERE NAME='Maugre';
+COMMIT;
+
+BEGIN;
+INSERT INTO new_table VALUES('Hermione', 'prof_gramger@gmail.com');
+INSERT INTO new_table VALUES('Remus', 'prof_lupin@gmail.com');
+SELECT 1/0;
+INSERT INTO new_table VALUES('Maugre', 'prof_folloy@gmail.com');
+INSERT INTO new_table VALUES('Londubat', 'prof_londubat@gmail.com');
+SELECT * FROM new_table;
+COMMIT;
+
+pcap by Juliana Fajardini, with local dummy setup.
diff --git a/tests/pgsql/pgsql-simple-query-rollback/input.pcap b/tests/pgsql/pgsql-simple-query-rollback/input.pcap
new file mode 100644 (file)
index 0000000..aaffcc9
Binary files /dev/null and b/tests/pgsql/pgsql-simple-query-rollback/input.pcap differ
diff --git a/tests/pgsql/pgsql-simple-query-rollback/suricata.yaml b/tests/pgsql/pgsql-simple-query-rollback/suricata.yaml
new file mode 100644 (file)
index 0000000..bcf29fd
--- /dev/null
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql
+        - flow
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
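Review bot: `stream-depth: 0` here is unexplained and inconsistent with the three other suricata.yaml files in this commit that omit it; since the largest result in this fixture is 8 rows / 236 bytes (the `SELECT 8` check in the companion test.yaml), it is not obvious whether the setting is needed or a leftover. A comment stating which it is, e.g. `stream-depth: 0  # intentionally unlimited; not required for this small fixture`, or dropping the key if it is not required, would make the fixture self-explanatory.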
diff --git a/tests/pgsql/pgsql-simple-query-rollback/test.yaml b/tests/pgsql/pgsql-simple-query-rollback/test.yaml
new file mode 100644 (file)
index 0000000..e6069e8
--- /dev/null
@@ -0,0 +1,440 @@
+requires:
+# Pgsql was released on version 7.0
+  min-version: 7.0 
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 6
+      pgsql.request.message: SSL Request
+      pgsql.response.ssl_accepted: false
+      pgsql.tx_id: 1
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 9
+      pgsql.request.protocol_version: '3.0'
+      pgsql.request.startup_parameters.database: Test
+      pgsql.request.startup_parameters.optional_parameters[0].application_name: psql
+      pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8
+      pgsql.request.startup_parameters.user: ju-Test
+      pgsql.response.message: authentication_sasl
+      pgsql.tx_id: 2
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 12
+      pgsql.request.sasl_authentication_mechanism: scram_SHA256
+      pgsql.request.sasl_param: n,,n=,r=ROtF8e2Fme8+eORLNHTwkZaK
+      pgsql.response.message: authentication_sasl_continue
+      pgsql.tx_id: 3
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 15
+      pgsql.request.sasl_response: c=biws,r=ROtF8e2Fme8+eORLNHTwkZaKtpbEaXYJOnd3qt6QNCsAv0wj,p=I4V0zdtQqrxum6B+QzprHHC0nBD+mVtBWpc+arfXa+c=
+      pgsql.response.authentication_sasl_final: v=axxpTzISTb0T/QA08F6tEsu25y8Ka0QVR/FOgvF5l78=
+      pgsql.response.message: authentication_ok
+      pgsql.response.parameter_status[0].application_name: psql
+      pgsql.response.parameter_status[10].time_zone: Europe/London
+      pgsql.response.parameter_status[1].client_encoding: UTF8
+      pgsql.response.parameter_status[2].date_style: ISO, DMY
+      pgsql.response.parameter_status[3].integer_datetimes: 'on'
+      pgsql.response.parameter_status[4].interval_style: postgres
+      pgsql.response.parameter_status[5].is_superuser: 'on'
+      pgsql.response.parameter_status[6].server_encoding: UTF8
+      pgsql.response.parameter_status[7].server_version: '13.4'
+      pgsql.response.parameter_status[8].session_authorization: ju-Test
+      pgsql.response.parameter_status[9].standard_conforming_strings: 'on'
+      pgsql.response.process_id: 5008
+      pgsql.response.secret_key: 2050730518
+      pgsql.tx_id: 4
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 18
+      pgsql.request.simple_query: BEGIN;
+      pgsql.response.command_completed: BEGIN
+      pgsql.tx_id: 5
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 21
+      pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Remus';
+      pgsql.response.command_completed: DELETE 1
+      pgsql.tx_id: 6
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 24
+      pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Londubat';
+      pgsql.response.command_completed: DELETE 1
+      pgsql.tx_id: 7
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 26
+      pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Hermione';
+      pgsql.response.command_completed: DELETE 1
+      pgsql.tx_id: 8
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 28
+      pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Maugre';
+      pgsql.response.command_completed: DELETE 1
+      pgsql.tx_id: 9
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 30
+      pgsql.request.simple_query: COMMIT;
+      pgsql.response.command_completed: COMMIT
+      pgsql.tx_id: 10
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 33
+      pgsql.request.simple_query: BEGIN;
+      pgsql.response.command_completed: BEGIN
+      pgsql.tx_id: 11
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 36
+      pgsql.request.simple_query: INSERT INTO new_table VALUES('Hermione', 'prof_gramger@gmail.com');
+      pgsql.response.command_completed: INSERT 0 1
+      pgsql.tx_id: 12
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 39
+      pgsql.request.simple_query: INSERT INTO new_table VALUES('Remus', 'prof_lupin@gmail.com');
+      pgsql.response.command_completed: INSERT 0 1
+      pgsql.tx_id: 13
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 44
+      pgsql.request.simple_query: SELECT 1/0;
+      pgsql.response.code: '22012'
+      pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\utils\adt\int.c
+      pgsql.response.line: '824'
+      pgsql.response.message: division by zero
+      pgsql.response.routine: int4div
+      pgsql.response.severity_localizable: ERROR
+      pgsql.response.severity_non_localizable: ERROR
+      pgsql.tx_id: 14
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 49
+      pgsql.request.simple_query: INSERT INTO new_table VALUES('Maugre', 'prof_folloy@gmail.com');
+      pgsql.response.code: 25P02
+      pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\tcop\postgres.c
+      pgsql.response.line: '1105'
+      pgsql.response.message: current transaction is aborted, commands ignored until
+        end of transaction block
+      pgsql.response.routine: exec_simple_query
+      pgsql.response.severity_localizable: ERROR
+      pgsql.response.severity_non_localizable: ERROR
+      pgsql.tx_id: 15
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 53
+      pgsql.request.simple_query: INSERT INTO new_table VALUES('Londubat', 'prof_londubat@gmail.com');
+      pgsql.response.code: 25P02
+      pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\tcop\postgres.c
+      pgsql.response.line: '1105'
+      pgsql.response.message: current transaction is aborted, commands ignored until
+        end of transaction block
+      pgsql.response.routine: exec_simple_query
+      pgsql.response.severity_localizable: ERROR
+      pgsql.response.severity_non_localizable: ERROR
+      pgsql.tx_id: 16
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 57
+      pgsql.request.simple_query: SELECT * FROM new_table;
+      pgsql.response.code: 25P02
+      pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\tcop\postgres.c
+      pgsql.response.line: '1105'
+      pgsql.response.message: current transaction is aborted, commands ignored until
+        end of transaction block
+      pgsql.response.routine: exec_simple_query
+      pgsql.response.severity_localizable: ERROR
+      pgsql.response.severity_non_localizable: ERROR
+      pgsql.tx_id: 17
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 60
+      pgsql.request.simple_query: COMMIT;
+      pgsql.response.command_completed: ROLLBACK
+      pgsql.tx_id: 18
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 63
+      pgsql.request.simple_query: BEGIN;
+      pgsql.response.command_completed: BEGIN
+      pgsql.tx_id: 19
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 66
+      pgsql.request.simple_query: INSERT INTO new_table VALUES('Hermione', 'prof_gramger@gmail.com');
+      pgsql.response.command_completed: INSERT 0 1
+      pgsql.tx_id: 20
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 69
+      pgsql.request.simple_query: COMMIT;
+      pgsql.response.command_completed: COMMIT
+      pgsql.tx_id: 21
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 72
+      pgsql.request.simple_query: INSERT INTO new_table VALUES('Remus', 'prof_lupin@gmail.com');
+      pgsql.response.command_completed: INSERT 0 1
+      pgsql.tx_id: 22
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 77
+      pgsql.request.simple_query: SELECT 1/0;
+      pgsql.response.code: '22012'
+      pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\utils\adt\int.c
+      pgsql.response.line: '824'
+      pgsql.response.message: division by zero
+      pgsql.response.routine: int4div
+      pgsql.response.severity_localizable: ERROR
+      pgsql.response.severity_non_localizable: ERROR
+      pgsql.tx_id: 23
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 80
+      pgsql.request.simple_query: INSERT INTO new_table VALUES('Maugre', 'prof_folloy@gmail.com');
+      pgsql.response.command_completed: INSERT 0 1
+      pgsql.tx_id: 24
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 82
+      pgsql.request.simple_query: INSERT INTO new_table VALUES('Londubat', 'prof_londubat@gmail.com');
+      pgsql.response.command_completed: INSERT 0 1
+      pgsql.tx_id: 25
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 84
+      pgsql.request.simple_query: SELECT * FROM new_table;
+      pgsql.response.command_completed: SELECT 8
+      pgsql.response.data_rows: 8
+      pgsql.response.data_size: 236
+      pgsql.response.field_count: 2
+      pgsql.tx_id: 26
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.1.102
+      dest_port: 44848
+      event_type: pgsql
+      pcap_cnt: 87
+      pgsql.request.message: termination_message
+      pgsql.tx_id: 27
+      proto: TCP
+      src_ip: 192.168.1.74
+      src_port: 5432
+- filter:
+    count: 1
+    match:
+      app_proto: pgsql
+      dest_ip: 192.168.1.74
+      dest_port: 5432
+      event_type: flow
+      flow.age: 93
+      flow.alerted: false
+      flow.bytes_toclient: 4029
+      flow.bytes_toserver: 4126
+      flow.pkts_toclient: 34
+      flow.pkts_toserver: 54
+      flow.reason: shutdown
+      flow.state: closed
+      proto: TCP
+      src_ip: 192.168.1.102
+      src_port: 44848
+      tcp.ack: true
+      tcp.fin: true
+      tcp.psh: true
+      tcp.rst: true
+      tcp.state: closed
+      tcp.syn: true
+      tcp.tcp_flags: 1f
+      tcp.tcp_flags_tc: 1e
+      tcp.tcp_flags_ts: 1b
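Review bot: The SCRAM exchange is logged in full here — `pgsql.request.sasl_param` (client-first with nonce), `pgsql.request.sasl_response` (client-final including the `p=` proof) and `pgsql.response.authentication_sasl_final` (server signature) — while this test's suricata.yaml enables the plain `- pgsql` output without `passwords: yes`, so these fields appear not to be gated by the password-output switch. A captured SCRAM client proof together with the server-first message (salt, iteration count, nonce; its content is not asserted in this test, so whether it is logged too is unconfirmed) is enough for an offline dictionary attack on the password, so it deserves the same gating as the MD5 `pgsql.request.password` field that the commit does gate. That is a parser/output concern rather than something this test can fix, but a comment on the `pcap_cnt: 15` check noting that the proof is emitted unconditionally would flag it for whoever maintains the output code. The fixture also pins `pgsql.response.secret_key: 2050730518`, the cancel-request key from BackendKeyData, which is similarly sensitive in a live deployment.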
diff --git a/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/README.md b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/README.md
new file mode 100644 (file)
index 0000000..d74d90a
--- /dev/null
@@ -0,0 +1,14 @@
+# Description
+
+Tests PostgreSQL (pgsql) output for Frontend/Backend conversation with:
+1st flow:
+- SSL Handshake (denied)
+- Startup Message with MD5 Authenticaion (ok)
+2nd 
+- SSL Handshake (denied)
+- Startup Message with MD5 Authenticaion (ok)
+- Simple Query
+- Row Description w/ 10 fields, 3 Data rows, Command Completed, Ready for Query
+- Termination Message
+
+pcap provided by Jason Ish
diff --git a/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/input.pcap b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/input.pcap
new file mode 100644 (file)
index 0000000..e9d9eca
Binary files /dev/null and b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/input.pcap differ
diff --git a/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/suricata.yaml b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/suricata.yaml
new file mode 100755 (executable)
index 0000000..91d300d
--- /dev/null
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql:
+            enabled: yes
+            passwords: yes          # enable output of passwords
+        - flow
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
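Review bot: `passwords: yes` writes credential material into eve.json, and the inline comment says only "enable output of passwords"; a practitioner copying this snippet should be told what is emitted. For this fixture's MD5 flow the companion test pins `pgsql.request.password: md5e4cfa9552468cae5d48ca2822ca36e22` next to the server salt, which, per the PostgreSQL MD5 scheme, is exactly what an offline brute-force of the password needs, so a comment such as `passwords: yes  # logs the client PasswordMessage (MD5 hash or cleartext) - test fixture only, never in production` is warranted. The file is also added with mode 0755; a config file should be 0644 like the 5000-query-results and simple-query-rollback configs in this commit.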
diff --git a/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/test.yaml b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/test.yaml
new file mode 100644 (file)
index 0000000..2ee6eea
--- /dev/null
@@ -0,0 +1,183 @@
+requires:
+# Pgsql was released on version 7.0
+  min-version: 7.0 
+
+args:
+- -k none
+
+checks:
+# subtest 1
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 7
+      pgsql.request.message: SSL Request
+      pgsql.response.ssl_accepted: false
+      pgsql.tx_id: 1
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40784
+# subtest 2
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 11
+      pgsql.request.protocol_version: '3.0'
+      pgsql.request.startup_parameters.database: indexer
+      pgsql.request.startup_parameters.optional_parameters[0].application_name: psql
+      pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8
+      pgsql.request.startup_parameters.user: indexer
+      pgsql.response.authentication_md5_password: \x88'N5
+      pgsql.tx_id: 2
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40784
+# subtest 3
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 21
+      pgsql.request.message: SSL Request
+      pgsql.response.ssl_accepted: false
+      pgsql.tx_id: 1
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40816
+# subtest 4
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 25
+      pgsql.request.protocol_version: '3.0'
+      pgsql.request.startup_parameters.database: indexer
+      pgsql.request.startup_parameters.optional_parameters[0].application_name: psql
+      pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8
+      pgsql.request.startup_parameters.user: indexer
+      pgsql.response.authentication_md5_password: "\\x9fi\x1A\\x8e"
+      pgsql.tx_id: 2
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40816
+# subtest 5
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 29
+      pgsql.request.password: md5e4cfa9552468cae5d48ca2822ca36e22 
+      pgsql.response.message: authentication_ok
+      pgsql.response.parameter_status[0].application_name: psql
+      pgsql.response.parameter_status[10].time_zone: Etc/UTC
+      pgsql.response.parameter_status[1].client_encoding: UTF8
+      pgsql.response.parameter_status[2].date_style: ISO, MDY
+      pgsql.response.parameter_status[3].integer_datetimes: 'on'
+      pgsql.response.parameter_status[4].interval_style: postgres
+      pgsql.response.parameter_status[5].is_superuser: 'on'
+      pgsql.response.parameter_status[6].server_encoding: UTF8
+      pgsql.response.parameter_status[7].server_version: 13.0 (Debian 13.0-1.pgdg100+1)
+      pgsql.response.parameter_status[8].session_authorization: indexer
+      pgsql.response.parameter_status[9].standard_conforming_strings: 'on'
+      pgsql.response.process_id: 61
+      pgsql.response.secret_key: 3152142766
+      pgsql.tx_id: 3
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40816
+# subtest 6
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 35
+      pgsql.request.simple_query: select * from rules where sid = 2021701;
+      pgsql.response.command_completed: SELECT 3
+      pgsql.response.data_rows: 3
+      pgsql.response.data_size: 1104
+      pgsql.response.field_count: 10
+      pgsql.tx_id: 4
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40816
+# subtest 7
+- filter:
+    count: 1
+    match:
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: pgsql
+      pcap_cnt: 41
+      pgsql.request.message: termination_message
+      pgsql.tx_id: 5
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40816
+# subtest 8
+- filter:
+    count: 1
+    match:
+      app_proto: pgsql
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: flow
+      flow.age: 9
+      flow.alerted: false
+      flow.bytes_toclient: 2717
+      flow.bytes_toserver: 1180
+      flow.pkts_toclient: 12
+      flow.pkts_toserver: 15
+      flow.reason: shutdown
+      flow.state: closed
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40816
+      tcp.ack: true
+      tcp.fin: true
+      tcp.psh: true
+      tcp.state: closed
+      tcp.syn: true
+      tcp.tcp_flags: 1b
+      tcp.tcp_flags_tc: 1b
+      tcp.tcp_flags_ts: 1b
+# subtest 9
+- filter:
+    count: 1
+    match:
+      app_proto: pgsql
+      dest_ip: 10.16.1.11
+      dest_port: 5432
+      event_type: flow
+      flow.age: 0
+      flow.alerted: false
+      flow.bytes_toclient: 418
+      flow.bytes_toserver: 626
+      flow.pkts_toclient: 6
+      flow.pkts_toserver: 8
+      flow.reason: shutdown
+      flow.state: closed
+      proto: TCP
+      src_ip: 10.16.1.10
+      src_port: 40784
+      tcp.ack: true
+      tcp.fin: true
+      tcp.psh: true
+      tcp.state: closed
+      tcp.syn: true
+      tcp.tcp_flags: 1b
+      tcp.tcp_flags_tc: 1b
+      tcp.tcp_flags_ts: 1b
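Review bot: Subtest 5 pins the client's `md5...` PasswordMessage and subtests 2/4 pin the 4-byte server salts, so this fixture commits in plaintext everything needed to brute-force the dummy account's password offline; a comment on the `pcap_cnt: 29` check stating that the password is a throwaway value from the test setup would stop the next reader from wondering. The two salts are also encoded in different YAML styles — plain `\x88'N5` at the first startup check and double-quoted `"\\x9fi\x1A\\x8e"` at the second, where `\\x` and `\x1A` are interpreted differently by the YAML parser — which makes these expectations fragile to hand-edit; a comment noting that the value must match Suricata's escaped-string rendering byte for byte would help. Minor: `md5e4cfa9552468cae5d48ca2822ca36e22 ` carries trailing whitespace, which a plain scalar drops but a future quoted edit would keep.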
diff --git a/tests/pgsql/pgsql-upgrade-tls/README.md b/tests/pgsql/pgsql-upgrade-tls/README.md
new file mode 100644 (file)
index 0000000..94d5950
--- /dev/null
@@ -0,0 +1,9 @@
+# Description
+
+Tests PostgreSQL (pgsql) output for Frontend/Backend conversation with:
+- SSL Handshake (accepted)
+- TLS Handshake
+- Startup phase
+- Error Message (Fatal)
+
+pcap extracted from capture found at https://www.researchgate.net/post/How_to_find_decode_PostgreSQL_query_from_Wireshark_File
diff --git a/tests/pgsql/pgsql-upgrade-tls/input.pcap b/tests/pgsql/pgsql-upgrade-tls/input.pcap
new file mode 100644 (file)
index 0000000..692647c
Binary files /dev/null and b/tests/pgsql/pgsql-upgrade-tls/input.pcap differ
diff --git a/tests/pgsql/pgsql-upgrade-tls/suricata.yaml b/tests/pgsql/pgsql-upgrade-tls/suricata.yaml
new file mode 100755 (executable)
index 0000000..e62ddce
--- /dev/null
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - tls:
+            extended: yes 
+        - pgsql
+        - flow
+
+app-layer:
+  protocols:
+    tls:
+      enabled: yes
+    pgsql:
+      enabled: yes
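Review bot: `extended: yes ` on the tls output line carries trailing whitespace, and the file is added with mode 100755 (executable) although it is a configuration file that Suricata reads rather than runs; both are harmless at runtime but trip yamllint and look like copy-paste artifacts. I would strip the trailing space (`extended: yes`) and add the file with mode 100644, matching the test.yaml and README.md in the same directory. The `yes` booleans follow Suricata's own config convention, so those can stay as written.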
diff --git a/tests/pgsql/pgsql-upgrade-tls/test.yaml b/tests/pgsql/pgsql-upgrade-tls/test.yaml
new file mode 100644 (file)
index 0000000..4afe516
--- /dev/null
@@ -0,0 +1,112 @@
+requires:
+# Pgsql was released on version 7.0
+  min-version: 7.0 
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.50.11
+      dest_port: 60358
+      event_type: pgsql
+      pgsql.request.message: SSL Request
+      pgsql.response.ssl_accepted: true
+      pgsql.tx_id: 1
+      proto: TCP
+      src_ip: 192.168.50.12
+      src_port: 5432
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.50.12
+      dest_port: 5432
+      event_type: tls
+      pcap_cnt: 10
+      proto: TCP
+      src_ip: 192.168.50.11
+      src_port: 60358
+      tls.fingerprint: e4:9d:12:c5:f9:f3:40:41:06:c7:14:42:2c:d8:82:41:e9:6b:94:cd
+      tls.from_proto: pgsql
+      tls.issuerdn: CN=ubuntu
+      tls.notafter: '2027-02-21T05:13:52'
+      tls.notbefore: '2017-02-23T05:13:52'
+      tls.serial: 00:82:64:66:C3:07:A1:8F:80
+      tls.subject: CN=ubuntu
+      tls.version: TLS 1.2
+- filter:
+    count: 1
+    match:
+      app_proto: tls
+      app_proto_orig: pgsql
+      dest_ip: 192.168.50.12
+      dest_port: 5432
+      event_type: flow
+      flow.age: 0
+      flow.alerted: false
+      flow.bytes_toclient: 2220
+      flow.bytes_toserver: 1250
+      flow.pkts_toclient: 7
+      flow.pkts_toserver: 9
+      flow.reason: shutdown
+      flow.state: closed
+      proto: TCP
+      src_ip: 192.168.50.11
+      src_port: 60358
+      tcp.ack: true
+      tcp.psh: true
+      tcp.rst: true
+      tcp.state: closed
+      tcp.syn: true
+      tcp.tcp_flags: 1e
+      tcp.tcp_flags_tc: 1a
+      tcp.tcp_flags_ts: 1e
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.50.11
+      dest_port: 60359
+      event_type: pgsql
+      pgsql.request.protocol_version: '3.0'
+      pgsql.request.startup_parameters.database: replication
+      pgsql.request.startup_parameters.optional_parameters[0].replication: 'true'
+      pgsql.request.startup_parameters.optional_parameters[1].application_name: walreceiver
+      pgsql.request.startup_parameters.user: rep
+      pgsql.response.code: '28000'
+      pgsql.response.file: auth.c
+      pgsql.response.line: '481'
+      pgsql.response.message: no pg_hba.conf entry for replication connection from
+        host "192.168.50.11", user "rep", SSL off
+      pgsql.response.routine: ClientAuthentication
+      pgsql.response.severity_localizable: FATAL
+      pgsql.tx_id: 1
+      proto: TCP
+      src_ip: 192.168.50.12
+      src_port: 5432
+- filter:
+    count: 1
+    match:
+      app_proto: pgsql
+      dest_ip: 192.168.50.12
+      dest_port: 5432
+      event_type: flow
+      flow.age: 0
+      flow.alerted: false
+      flow.bytes_toclient: 357
+      flow.bytes_toserver: 291
+      flow.pkts_toclient: 3
+      flow.pkts_toserver: 3
+      flow.reason: shutdown
+      flow.state: established
+      proto: TCP
+      src_ip: 192.168.50.11
+      src_port: 60359
+      tcp.ack: true
+      tcp.psh: true
+      tcp.state: established
+      tcp.syn: true
+      tcp.tcp_flags: 1a
+      tcp.tcp_flags_tc: 1a
+      tcp.tcp_flags_ts: 1a
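Review bot: The checks pin the SSL Request, the TLS record and the flow's `app_proto: tls` / `app_proto_orig: pgsql` switch, but nothing asserts that no further pgsql events are logged for the upgraded flow (client port 60358) once the payload is encrypted, so a parser that kept emitting pgsql records from ciphertext would still pass this test. Since, as far as the filters show, this pcap yields exactly one pgsql event per flow, a file-wide count would close that gap cheaply: `- filter: { count: 2, match: { event_type: pgsql } }` (or the same in block style). Two smaller points: `min-version: 7.0 ` has trailing whitespace and the `# Pgsql was released on version 7.0` comment sits at column 0 inside the indented `requires:` mapping, which yamllint flags; and the first check omits `pcap_cnt` while every later one pins it, so adding it there would keep the assertion tied to the specific packet.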