From: Juliana Fajardini Date: Thu, 23 Nov 2023 11:14:24 +0000 (-0300) Subject: pgsql: fix probing functions X-Git-Tag: suricata-8.0.0-beta1~1978 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f85d061926e870a48aeaf13bdbb4666ad7fc07e;p=thirdparty%2Fsuricata.git pgsql: fix probing functions Some non-pgsql traffic seen by Suricata is mistankenly identified as pgsql, as the probing function is too generic. Now, if the parser sees an unknown message type, even if it looks like pgsql, it will fail. Bug #6080 --- diff --git a/rust/src/pgsql/pgsql.rs b/rust/src/pgsql/pgsql.rs index fa19785ff9..94e26d8481 100644 --- a/rust/src/pgsql/pgsql.rs +++ b/rust/src/pgsql/pgsql.rs @@ -151,7 +151,7 @@ impl Default for PgsqlState { Self::new() } } - + impl PgsqlState { pub fn new() -> Self { Self { @@ -563,8 +563,20 @@ pub unsafe extern "C" fn rs_pgsql_probing_parser_ts( if input_len >= 1 && !input.is_null() { let slice: &[u8] = build_slice!(input, input_len as usize); - if probe_ts(slice) { - return ALPROTO_PGSQL; + + match parser::parse_request(slice) { + Ok((_, request)) => { + if let PgsqlFEMessage::UnknownMessageType(_) = request { + return ALPROTO_FAILED; + } + return ALPROTO_PGSQL; + } + Err(Err::Incomplete(_)) => { + return ALPROTO_UNKNOWN; + } + Err(_e) => { + return ALPROTO_FAILED; + } } } return ALPROTO_UNKNOWN; @@ -584,7 +596,10 @@ pub unsafe extern "C" fn rs_pgsql_probing_parser_tc( } match parser::pgsql_parse_response(slice) { - Ok((_, _response)) => { + Ok((_, response)) => { + if let PgsqlBEMessage::UnknownMessageType(_) = response { + return ALPROTO_FAILED; + } return ALPROTO_PGSQL; } Err(Err::Incomplete(_)) => {
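Review bot: In rs_pgsql_probing_parser_ts the new `match` returns ALPROTO_FAILED for every hard parse error and every unknown message type in the buffer it probes, and nothing in the hunk records that this trade-off is deliberate. The commit message gives the benefit (less non-pgsql traffic identified as pgsql); the cost, assuming ALPROTO_FAILED ends probing for this direction, is that a real pgsql flow whose probed buffer does not begin on a message boundary (midstream pickup, for example) would get no pgsql logging or rules. A comment above the `match` would make that explicit, for instance `// Probe result: unknown message type or hard parse error => FAILED; Incomplete => UNKNOWN (wait for more data).`, and unit tests for the three outcomes (valid request, truncated request, non-pgsql bytes) are not visible in this diff. The same applies to the check added to rs_pgsql_probing_parser_tc in the next hunk. `probe_ts` loses this caller and may now be dead code if nothing else uses it; the function's signature lies outside the hunk.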
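Review bot: The unknown-type check in the `Ok` arm of rs_pgsql_probing_parser_tc reads more directly as a match pattern than as an `if let` followed by a second `return`: `Ok((_, PgsqlBEMessage::UnknownMessageType(_))) => return ALPROTO_FAILED,` then `Ok(_) => return ALPROTO_PGSQL,`. The same shape fits the `Ok` arm added to rs_pgsql_probing_parser_ts in the previous hunk, where `Err(_e)` can also be written `Err(_)` because the error value is never used. Neither edit changes behaviour; the function starts before this hunk and continues past it.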