From: Juliana Fajardini Date: Wed, 7 Sep 2022 19:38:12 +0000 (-0300) Subject: tests: add test for pgsql out of order params bug X-Git-Tag: suricata-6.0.9~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20ac8b95770bccff45c8b1dc1730544f57c398a5;p=thirdparty%2Fsuricata-verify.git tests: add test for pgsql out of order params bug StartupMessages for pgsql have a series of parameters that may show up in any order, so let's make sure we can indeed parse them if, for instance, user, which is a mandatory parameter, isn't the first to be seen in the list. Related to Bug #5524
---
diff --git a/tests/pgsql/pgsql-bug-5579/README.md b/tests/pgsql/pgsql-bug-5579/README.md
new file mode 100644
index 000000000..0244426da
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-5579/README.md
@@ -0,0 +1,21 @@
+Test
+====
+
+This shows a postgresql traffic where the StartupMessage does not show the
+'user' as the first parameter seen. This should be accepted, as while this is a
+mandatory field, parameters may be sent in any order.
+
+Related to bug 5524 - postgresql appproto should not error out in such a case of
+parsing error.
+
+Expected behavior
+-----------------
+
+The parser should be able to parse the StartupMessage with all its parameters.
+Moreover, if it receives a complete message but sees an unkown parameter, it
+should still be able to parse the following PDU.
+
+Pcap
+----
+
+Pcap was shared by Philippe Antoine.
diff --git a/tests/pgsql/pgsql-bug-5579/input.pcap b/tests/pgsql/pgsql-bug-5579/input.pcap
new file mode 100644
index 000000000..ac98ac2f4
Binary files /dev/null and b/tests/pgsql/pgsql-bug-5579/input.pcap differ
diff --git a/tests/pgsql/pgsql-bug-5579/suricata.yaml b/tests/pgsql/pgsql-bug-5579/suricata.yaml
new file mode 100644
index 000000000..6c4f45627
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-5579/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
+ stream-depth: 0
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql
+ - anomaly
+
diff --git a/tests/pgsql/pgsql-bug-5579/test.yaml b/tests/pgsql/pgsql-bug-5579/test.yaml
new file mode 100644
index 000000000..ab30848d5
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-5579/test.yaml
@@ -0,0 +1,60 @@
+requires:
+# Pgsql was released on version 7.0
+ min-version: 7.0
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 5432
+ event_type: pgsql
+ pcap_cnt: 8
+ pgsql.request.protocol_version: '3.0'
+ pgsql.request.startup_parameters.optional_parameters[0].datestyle: ISO, MDY
+ pgsql.request.startup_parameters.optional_parameters[1].extra_float_digits: '2'
+ pgsql.request.startup_parameters.optional_parameters[2].client_encoding: UTF8
+ pgsql.request.startup_parameters.optional_parameters[3].database: ctfbase
+ pgsql.request.startup_parameters.user: ctfpost
+ pgsql.response.message: authentication_ok
+ pgsql.response.parameter_status[0].application_name: ''
+ pgsql.response.parameter_status[10].session_authorization: ctfpost
+ pgsql.response.parameter_status[11].standard_conforming_strings: 'on'
+ pgsql.response.parameter_status[12].time_zone: Europe/Paris
+ pgsql.response.parameter_status[1].client_encoding: UTF8
+ pgsql.response.parameter_status[2].date_style: ISO, MDY
+ pgsql.response.parameter_status[3].default_transaction_read_only: 'off'
+ pgsql.response.parameter_status[4].in_hot_standby: 'off'
+ pgsql.response.parameter_status[5].integer_datetimes: 'on'
+ pgsql.response.parameter_status[6].interval_style: postgres
+ pgsql.response.parameter_status[7].is_superuser: 'off'
+ pgsql.response.parameter_status[8].server_encoding: UTF8
+ pgsql.response.parameter_status[9].server_version: '14.5'
+ pgsql.response.process_id: 2957
+ pgsql.response.secret_key: 3478107855
+ pgsql.tx_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 55824
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 5432
+ event_type: pgsql
+ pcap_cnt: 12
+ pgsql.request.simple_query: SELECT password FROM accounts WHERE username = 'test'
+ OR 1 = '1' UNION SELECT username FROM accounts
+ pgsql.response.command_completed: SELECT 4
+ pgsql.response.data_rows: 4
+ pgsql.response.data_size: 73
+ pgsql.response.field_count: 1
+ pgsql.tx_id: 2
+ pkt_src: wire/pcap
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 55824
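Review bot: Neither filter under `checks:` asserts anything about anomaly events, although the suricata.yaml added in this commit enables `anomaly` in the eve-log types and the README says the parser should not error out on this StartupMessage. A third entry such as `- filter: {count: 0, match: {event_type: anomaly}}` would pin that, provided the pcap yields no unrelated anomaly events, which cannot be confirmed from this page. Separately, the test directory is named `pgsql-bug-5579` while the commit message and README cite bug 5524; a sentence in the README saying how the two tickets relate would make the test easier to trace.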