From: Juliana Fajardini
Date: Tue, 28 Nov 2023 21:19:48 +0000 (-0300)
Subject: tests: add test for pgsql probe bug 6080
X-Git-Tag: suricata-6.0.16~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a31d52710b51e4ba26734305d6eb2b643e7c2bc;p=thirdparty%2Fsuricata-verify.git

tests: add test for pgsql probe bug 6080

Add test for pgsql probing function bug 6080.
Crafted pcap.

Related to Bug #6080
---
diff --git a/tests/pgsql-bug-6080-probe-test-01/README.md b/tests/pgsql-bug-6080-probe-test-01/README.md
new file mode 100644
index 000000000..3cd229550
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/README.md
@@ -0,0 +1,15 @@
+# Test Description
+
+The probing function for PGSQL, in some scenarios, could identify any TCP message
+sent to the standard PGSQL port - 5432 - as PGSQL traffic, leading to false
+positives.
+
+## PCAP
+
+This pcap was created using the Scapy script included in the test directory,
+to reproduce a non-shareable traffic capture.
+
+## Related issues
+
+Bug report on Redmine:
+https://redmine.openinfosecfoundation.org/issues/6080
diff --git a/tests/pgsql-bug-6080-probe-test-01/input.pcap b/tests/pgsql-bug-6080-probe-test-01/input.pcap
new file mode 100644
index 000000000..0238838f6
Binary files /dev/null and b/tests/pgsql-bug-6080-probe-test-01/input.pcap differ
diff --git a/tests/pgsql-bug-6080-probe-test-01/suricata.yaml b/tests/pgsql-bug-6080-probe-test-01/suricata.yaml
new file mode 100644
index 000000000..b2aea2623
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
+ stream-depth: 0
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql
+ - flow
+
diff --git a/tests/pgsql-bug-6080-probe-test-01/test.yaml b/tests/pgsql-bug-6080-probe-test-01/test.yaml
new file mode 100644
index 000000000..73608589c
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ dest_port: 5432
+ event_type: pgsql
+ proto: TCP
+- filter:
+ count: 0
+ match:
+ app_proto: pgsql
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/pgsql-bug-6080-probe-test-01/writepcap.py b/tests/pgsql-bug-6080-probe-test-01/writepcap.py
new file mode 100644
index 000000000..b52a0ead5
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/writepcap.py
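Review bot: The first check's `match` adds `dest_port: 5432` and `proto: TCP` to a `count: 0` filter, which only weakens the assertion: a pgsql event whose fields differ from those keys would still let the check pass. Since the intent of the test is that no pgsql event is produced at all for this capture, `match:` with just `event_type: pgsql` is the stronger form, and the second check already pins the flow's `app_proto`. A one-line comment above `checks:` would also make the purpose of the three filters clear to the next reader, e.g. `# Bug 6080: plain TCP traffic to port 5432 must not be classified as pgsql`. The `min-version: 8` requirement presumably tracks where the fix landed; if the fix is backported, this value will need lowering or the test will be skipped there.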
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+'''packet 1'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='S', window=65535, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 2'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432,
+ flags='S''A', ack=1, window=5840, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 3'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=1, window=65535, seq=1)
+'''packet 4'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1, window=65535, seq=98080856)
+'''packet 5'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='A', ack=37, window=5840, seq=1)
+'''packet 6'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=1)/":"
+'''packet 7'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=37, window=65534, seq=2)
+'''packet 8'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=2)/"p1r473.server.org\x01\n"
+'''packet 9'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1363, window=64173, seq=37)
+'''packet 10'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='F''P''A', ack=1363, window=64173, seq=53)
+'''packet 11'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=200, window=6432, seq=1363)/":"
+'''packet 12'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='R''A', ack=1364, window=0, seq=200)
+
+wrpcap('input.pcap', pkts)
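Review bot: The `'''packet 1'''` … `'''packet 12'''` lines are bare string-literal expression statements rather than comments, so they are evaluated and discarded and linters will flag them; `# packet 1` and so on is what is meant. `pkts += IP(...)/TCP(...)` also depends on `list.__iadd__` iterating a scapy packet, which reads like concatenation of unrelated types, whereas `pkts.append(IP(...)/TCP(...))` states the intent directly, and `flags='S''A'` via implicit string concatenation is clearer as `flags='SA'`. The shebang `#!/usr/bin/env python` may resolve to Python 2 on some systems; `#!/usr/bin/env python3` avoids that. A short module docstring saying that the script builds a deliberately non-PGSQL exchange on port 5432 (including the odd sequence/ack jumps, which look intentional) would spare a reader from wondering whether those values are mistakes.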