From: Juliana Fajardini Date: Tue, 21 Sep 2021 10:51:42 +0000 (+0100) Subject: tests: add pgsql tests X-Git-Tag: suricata-6.0.5~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ffc015ab257c14024048e5611a303bb8c733fb91;p=thirdparty%2Fsuricata-verify.git tests: add pgsql tests These tests cover an assortment of pgsql authentication methods, simple queries, error response messages, as well as SSL handshakes, both rejected and accepted (w/ start tls enabled). Non-verbose log style is enabled. Related to task #4241
---
diff --git a/tests/pgsql/pgsql-5000-query-results/README.md b/tests/pgsql/pgsql-5000-query-results/README.md
new file mode 100644
index 000000000..c5bf16d4e
--- /dev/null
+++ b/tests/pgsql/pgsql-5000-query-results/README.md
@@ -0,0 +1,9 @@
+Tests PostgreSQL (pgsql) output for Frontend/Backend conversation with:
+
+- SSL Handshake (denied)
+- Startup phase with MD5 authentication (ok)
+- Simple Query
+- Row description, 5000 Data Row, Command Completed, Ready for Query
+- Termination Message
+
+pcap by Juliana Fajardini, with local dummy setup
diff --git a/tests/pgsql/pgsql-5000-query-results/input.pcap b/tests/pgsql/pgsql-5000-query-results/input.pcap
new file mode 100644
index 000000000..fdbe4b98b
Binary files /dev/null and b/tests/pgsql/pgsql-5000-query-results/input.pcap differ
diff --git a/tests/pgsql/pgsql-5000-query-results/suricata.yaml b/tests/pgsql/pgsql-5000-query-results/suricata.yaml
new file mode 100644
index 000000000..8434a4ffa
--- /dev/null
+++ b/tests/pgsql/pgsql-5000-query-results/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
+ stream-depth: 0
+
diff --git a/tests/pgsql/pgsql-5000-query-results/test.yaml b/tests/pgsql/pgsql-5000-query-results/test.yaml
new file mode 100644
index 000000000..65cdb9ae1
--- /dev/null
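Review bot: `stream-depth: 0` in the pgsql app-layer section of tests/pgsql/pgsql-5000-query-results/suricata.yaml is set with no comment explaining why the default depth is lifted, and the same unexplained setting appears in tests/pgsql/pgsql-simple-query-rollback/suricata.yaml. For this test the reason is visible in its test.yaml (subtest 5 expects `pgsql.response.data_size: 3035751` for the 5000-row result), so presumably the unlimited depth is what lets the parser see the whole response; that is worth stating, because an unlimited stream depth is a resource trade-off that should not be copied into a production config by accident. Suggested: `stream-depth: 0 # unlimited: the 5000-row result (~3 MB) must be parsed in full for the data_size/data_rows checks`.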
+++ b/tests/pgsql/pgsql-5000-query-results/test.yaml 
@@ -0,0 +1,115 @@ +requires: +# Pgsql was released on version 7.0 + min-version: 7.0 + +args: +- -k none + +checks: +# subtest 1 +- filter: + count: 1 + match: + dest_ip: 172.18.0.2 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 21 + pgsql.request.message: SSL Request + pgsql.response.ssl_accepted: false + pgsql.tx_id: 1 + proto: TCP + src_ip: 172.18.0.1 + src_port: 54408 +# subtest 2 +- filter: + count: 1 + match: + dest_ip: 172.18.0.2 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 25 + pgsql.request.protocol_version: '3.0' + pgsql.request.startup_parameters.database: rules + pgsql.request.startup_parameters.optional_parameters[0].application_name: psql + pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8 + pgsql.request.startup_parameters.user: rules + pgsql.response.authentication_md5_password: Z\xdc\xfdf + pgsql.tx_id: 2 + proto: TCP + src_ip: 172.18.0.1 + src_port: 54408 +# subtest 3 +- filter: + count: 1 + match: + dest_ip: 172.18.0.2 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 11 + pgsql.request.protocol_version: '3.0' + pgsql.request.startup_parameters.database: rules + pgsql.request.startup_parameters.optional_parameters[0].application_name: psql + pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8 + pgsql.request.startup_parameters.user: rules + pgsql.response.authentication_md5_password: "\\xcaT\r'" + pgsql.tx_id: 2 + proto: TCP + src_ip: 172.18.0.1 + src_port: 54406 +# subtest 4 +- filter: + count: 1 + match: + dest_ip: 172.18.0.2 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 29 + pgsql.request.password_message: password log disabled + pgsql.response.message: authentication_ok + pgsql.response.parameter_status[0].application_name: psql + pgsql.response.parameter_status[10].time_zone: Etc/UTC + pgsql.response.parameter_status[1].client_encoding: UTF8 + pgsql.response.parameter_status[2].date_style: ISO, MDY + pgsql.response.parameter_status[3].integer_datetimes: 'on' + 
pgsql.response.parameter_status[4].interval_style: postgres + pgsql.response.parameter_status[5].is_superuser: 'on' + pgsql.response.parameter_status[6].server_encoding: UTF8 + pgsql.response.parameter_status[7].server_version: 13.4 (Debian 13.4-1.pgdg100+1) + pgsql.response.parameter_status[8].session_authorization: rules + pgsql.response.parameter_status[9].standard_conforming_strings: 'on' + pgsql.response.process_id: 781 + pgsql.response.secret_key: 2527955820 + pgsql.tx_id: 3 + proto: TCP + src_ip: 172.18.0.1 + src_port: 54408 +# subtest 5 +- filter: + count: 1 + match: + dest_ip: 172.18.0.2 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 780 + pgsql.request.simple_query: select * from rule limit 5000; + pgsql.response.command_completed: SELECT 5000 + pgsql.response.data_rows: 5000 + pgsql.response.data_size: 3035751 + pgsql.response.field_count: 7 + pgsql.tx_id: 4 + proto: TCP + src_ip: 172.18.0.1 + src_port: 54408 +# subtest 6 +- filter: + count: 1 + match: + dest_ip: 172.18.0.1 + dest_port: 54408 + event_type: pgsql + pcap_cnt: 782 + pgsql.request.message: termination_message + pgsql.tx_id: 5 + proto: TCP + src_ip: 172.18.0.2 + src_port: 5432 diff --git a/tests/pgsql/pgsql-pwd-output-disabled/README.md b/tests/pgsql/pgsql-pwd-output-disabled/README.md new file mode 100644 index 000000000..f11e0f6f7 --- /dev/null +++ b/tests/pgsql/pgsql-pwd-output-disabled/README.md @@ -0,0 +1,9 @@ +# Description + +Tests PostgreSQL (pgsql) output for Frontend/Backend conversation with: +- SSL Handshake (denied) +- Startup phase with cleartext password, password log disabled, and +authentication (ok) +- Termination message + +pcap by Juliana Fajardini, with local dummy setup diff --git a/tests/pgsql/pgsql-pwd-output-disabled/input.pcap b/tests/pgsql/pgsql-pwd-output-disabled/input.pcap new file mode 100644 index 000000000..9a513b1df Binary files /dev/null and b/tests/pgsql/pgsql-pwd-output-disabled/input.pcap differ 
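Review bot: Subtests 2 and 3 of tests/pgsql/pgsql-5000-query-results/test.yaml express `pgsql.response.authentication_md5_password` in two different YAML styles (`Z\xdc\xfdf` as a plain scalar, `"\\xcaT\r'"` double-quoted) with nothing explaining why; in a plain scalar the backslashes are literal, while in the quoted form `\\x` is a literal `\x` but `\r` becomes a real CR, so the two lines are not interchangeable and a reader cannot tell whether the difference is deliberate. It looks like the 4-byte salt is rendered with `\xNN` text for non-ASCII bytes and with the raw byte for ASCII control characters — worth confirming against eve.json and recording above subtest 2, e.g. `# md5 salt: non-ASCII bytes are logged as literal \xNN text, control chars as the byte itself, hence the quoting`. Separately, subtest 3 (pcap_cnt 11, src_port 54406) belongs to a second flow and sits between two checks of the 54408 flow; a label such as `# subtest 3: second flow (src_port 54406), only its startup/MD5 challenge is checked` would stop it reading as a misordered duplicate of subtest 2.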
diff --git a/tests/pgsql/pgsql-pwd-output-disabled/suricata.yaml b/tests/pgsql/pgsql-pwd-output-disabled/suricata.yaml
new file mode 100755
index 000000000..9c40cc984
--- /dev/null
+++ b/tests/pgsql/pgsql-pwd-output-disabled/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql:
+ enabled: yes
+ #passwords: no #disabled by default
+ - flow
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
diff --git a/tests/pgsql/pgsql-pwd-output-disabled/test.yaml b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml
new file mode 100644
index 000000000..6c1e52603
--- /dev/null
+++ b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml
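Review bot: The line `#passwords: no #disabled by default` is the behaviour this whole test exists to pin, yet it is commented out and the comment does not say that relying on the default is intentional, so a later reader may "fix" it by enabling the option or assume the test forgot it. Make the intent explicit, e.g. `# passwords is deliberately left unset: this test asserts the default (off), so pgsql.request.password must not appear in eve.json`. Also, this file is added with mode 100755, as are tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/suricata.yaml and tests/pgsql/pgsql-upgrade-tls/suricata.yaml; configuration files should be 100644 like the other files in this commit.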
@@ -0,0 +1,103 @@ +requires: +# Pgsql was released on version 7.0 + min-version: 7.0 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 6 + pgsql.request.message: SSL Request + pgsql.response.ssl_accepted: false + pgsql.tx_id: 1 + proto: TCP + src_ip: 192.168.1.102 + src_port: 41662 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 9 + pgsql.request.protocol_version: '3.0' + pgsql.request.startup_parameters.database: Test + pgsql.request.startup_parameters.optional_parameters[0].application_name: psql + pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8 + pgsql.request.startup_parameters.user: ju-Test + pgsql.response.message: authentication_cleartext_password + pgsql.tx_id: 2 + proto: TCP + src_ip: 192.168.1.102 + src_port: 41662 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 12 + pgsql.request.password_message: password log disabled + pgsql.response.message: authentication_ok + pgsql.response.parameter_status[0].application_name: psql + pgsql.response.parameter_status[10].time_zone: Europe/London + pgsql.response.parameter_status[1].client_encoding: UTF8 + pgsql.response.parameter_status[2].date_style: ISO, DMY + pgsql.response.parameter_status[3].integer_datetimes: 'on' + pgsql.response.parameter_status[4].interval_style: postgres + pgsql.response.parameter_status[5].is_superuser: 'on' + pgsql.response.parameter_status[6].server_encoding: UTF8 + pgsql.response.parameter_status[7].server_version: '13.4' + pgsql.response.parameter_status[8].session_authorization: ju-Test + pgsql.response.parameter_status[9].standard_conforming_strings: 'on' + pgsql.response.process_id: 11828 + pgsql.response.secret_key: 3666668912 + pgsql.tx_id: 3 + proto: TCP + src_ip: 192.168.1.102 + src_port: 41662 +- filter: + count: 1 + match: + dest_ip: 192.168.1.102 + 
dest_port: 41662 + event_type: pgsql + pcap_cnt: 15 + pgsql.request.message: termination_message + pgsql.tx_id: 4 + proto: TCP + src_ip: 192.168.1.74 + src_port: 5432 +- filter: + count: 1 + match: + app_proto: pgsql + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: flow + flow.age: 24 + flow.alerted: false + flow.bytes_toclient: 693 + flow.bytes_toserver: 668 + flow.pkts_toclient: 6 + flow.pkts_toserver: 10 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 192.168.1.102 + src_port: 41662 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.rst: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1f + tcp.tcp_flags_tc: 1e + tcp.tcp_flags_ts: 1b diff --git a/tests/pgsql/pgsql-simple-query-rollback/README.md b/tests/pgsql/pgsql-simple-query-rollback/README.md new file mode 100644 index 000000000..dddc4c6bc --- /dev/null +++ b/tests/pgsql/pgsql-simple-query-rollback/README.md @@ -0,0 +1,21 @@ +Tests pgsql output for a Frontend/Backend conversation in Simple Query PostgreSQL subprotocol where the simple query is split into several commands and where a rollback is issued by the backed. + +SimpleQuery messages shown: + +BEGIN; +DELETE FROM new_table WHERE NAME='Remus'; +DELETE FROM new_table WHERE NAME='Londubat'; +DELETE FROM new_table WHERE NAME='Hermione'; +DELETE FROM new_table WHERE NAME='Maugre'; +COMMIT; + +BEGIN; +INSERT INTO new_table VALUES('Hermione', 'prof_gramger@gmail.com'); +INSERT INTO new_table VALUES('Remus', 'prof_lupin@gmail.com'); +SELECT 1/0; +INSERT INTO new_table VALUES('Maugre', 'prof_folloy@gmail.com'); +INSERT INTO new_table VALUES('Londubat', 'prof_londubat@gmail.com'); +SELECT * FROM new_table; +COMMIT; + +pcap by Juliana Fajardini, with local dummy setup. diff --git a/tests/pgsql/pgsql-simple-query-rollback/input.pcap b/tests/pgsql/pgsql-simple-query-rollback/input.pcap new file mode 100644 index 000000000..aaffcc99d Binary files /dev/null and b/tests/pgsql/pgsql-simple-query-rollback/input.pcap differ 
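Review bot: The check at pcap_cnt 12 in tests/pgsql/pgsql-pwd-output-disabled/test.yaml only asserts the placeholder `pgsql.request.password_message: password log disabled`; it never asserts that the real credential key is absent, so the test would still pass if a logger change emitted `pgsql.request.password` next to the placeholder. Since the point of this test is that no password reaches eve.json, add a negative check for that event — suricata-verify's `not-has-key` filter (`not-has-key: pgsql.request.password` beside the `match` for pcap_cnt 12) expresses it directly, if the suricata-verify version this targets supports it. This file also lacks the `# subtest N` labels that pgsql-5000-query-results and pgsql-ssl-rejected-md5-auth-simple-query use.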
diff --git a/tests/pgsql/pgsql-simple-query-rollback/suricata.yaml b/tests/pgsql/pgsql-simple-query-rollback/suricata.yaml
new file mode 100644
index 000000000..bcf29fdb2
--- /dev/null
+++ b/tests/pgsql/pgsql-simple-query-rollback/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql
+ - flow
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
+ stream-depth: 0
+
diff --git a/tests/pgsql/pgsql-simple-query-rollback/test.yaml b/tests/pgsql/pgsql-simple-query-rollback/test.yaml
new file mode 100644
index 000000000..e6069e8e6
--- /dev/null
+++ b/tests/pgsql/pgsql-simple-query-rollback/test.yaml
@@ -0,0 +1,440 @@ +requires: +# Pgsql was released on version 7.0 + min-version: 7.0 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 6 + pgsql.request.message: SSL Request + pgsql.response.ssl_accepted: false + pgsql.tx_id: 1 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 9 + pgsql.request.protocol_version: '3.0' + pgsql.request.startup_parameters.database: Test + pgsql.request.startup_parameters.optional_parameters[0].application_name: psql + pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8 + pgsql.request.startup_parameters.user: ju-Test + pgsql.response.message: authentication_sasl + pgsql.tx_id: 2 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 12 + pgsql.request.sasl_authentication_mechanism: scram_SHA256 + pgsql.request.sasl_param: n,,n=,r=ROtF8e2Fme8+eORLNHTwkZaK + pgsql.response.message: authentication_sasl_continue + pgsql.tx_id: 3 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 15 + pgsql.request.sasl_response: c=biws,r=ROtF8e2Fme8+eORLNHTwkZaKtpbEaXYJOnd3qt6QNCsAv0wj,p=I4V0zdtQqrxum6B+QzprHHC0nBD+mVtBWpc+arfXa+c= + pgsql.response.authentication_sasl_final: v=axxpTzISTb0T/QA08F6tEsu25y8Ka0QVR/FOgvF5l78= + pgsql.response.message: authentication_ok + pgsql.response.parameter_status[0].application_name: psql + pgsql.response.parameter_status[10].time_zone: Europe/London + pgsql.response.parameter_status[1].client_encoding: UTF8 + pgsql.response.parameter_status[2].date_style: ISO, DMY + pgsql.response.parameter_status[3].integer_datetimes: 'on' + pgsql.response.parameter_status[4].interval_style: postgres + 
pgsql.response.parameter_status[5].is_superuser: 'on' + pgsql.response.parameter_status[6].server_encoding: UTF8 + pgsql.response.parameter_status[7].server_version: '13.4' + pgsql.response.parameter_status[8].session_authorization: ju-Test + pgsql.response.parameter_status[9].standard_conforming_strings: 'on' + pgsql.response.process_id: 5008 + pgsql.response.secret_key: 2050730518 + pgsql.tx_id: 4 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 18 + pgsql.request.simple_query: BEGIN; + pgsql.response.command_completed: BEGIN + pgsql.tx_id: 5 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 21 + pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Remus'; + pgsql.response.command_completed: DELETE 1 + pgsql.tx_id: 6 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 24 + pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Londubat'; + pgsql.response.command_completed: DELETE 1 + pgsql.tx_id: 7 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 26 + pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Hermione'; + pgsql.response.command_completed: DELETE 1 + pgsql.tx_id: 8 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 28 + pgsql.request.simple_query: DELETE FROM new_table WHERE NAME='Maugre'; + pgsql.response.command_completed: DELETE 1 + pgsql.tx_id: 9 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: 
pgsql + pcap_cnt: 30 + pgsql.request.simple_query: COMMIT; + pgsql.response.command_completed: COMMIT + pgsql.tx_id: 10 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 33 + pgsql.request.simple_query: BEGIN; + pgsql.response.command_completed: BEGIN + pgsql.tx_id: 11 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 36 + pgsql.request.simple_query: INSERT INTO new_table VALUES('Hermione', 'prof_gramger@gmail.com'); + pgsql.response.command_completed: INSERT 0 1 + pgsql.tx_id: 12 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 39 + pgsql.request.simple_query: INSERT INTO new_table VALUES('Remus', 'prof_lupin@gmail.com'); + pgsql.response.command_completed: INSERT 0 1 + pgsql.tx_id: 13 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 44 + pgsql.request.simple_query: SELECT 1/0; + pgsql.response.code: '22012' + pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\utils\adt\int.c + pgsql.response.line: '824' + pgsql.response.message: division by zero + pgsql.response.routine: int4div + pgsql.response.severity_localizable: ERROR + pgsql.response.severity_non_localizable: ERROR + pgsql.tx_id: 14 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 49 + pgsql.request.simple_query: INSERT INTO new_table VALUES('Maugre', 'prof_folloy@gmail.com'); + pgsql.response.code: 25P02 + pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\tcop\postgres.c + pgsql.response.line: '1105' + 
pgsql.response.message: current transaction is aborted, commands ignored until + end of transaction block + pgsql.response.routine: exec_simple_query + pgsql.response.severity_localizable: ERROR + pgsql.response.severity_non_localizable: ERROR + pgsql.tx_id: 15 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 53 + pgsql.request.simple_query: INSERT INTO new_table VALUES('Londubat', 'prof_londubat@gmail.com'); + pgsql.response.code: 25P02 + pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\tcop\postgres.c + pgsql.response.line: '1105' + pgsql.response.message: current transaction is aborted, commands ignored until + end of transaction block + pgsql.response.routine: exec_simple_query + pgsql.response.severity_localizable: ERROR + pgsql.response.severity_non_localizable: ERROR + pgsql.tx_id: 16 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 57 + pgsql.request.simple_query: SELECT * FROM new_table; + pgsql.response.code: 25P02 + pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\tcop\postgres.c + pgsql.response.line: '1105' + pgsql.response.message: current transaction is aborted, commands ignored until + end of transaction block + pgsql.response.routine: exec_simple_query + pgsql.response.severity_localizable: ERROR + pgsql.response.severity_non_localizable: ERROR + pgsql.tx_id: 17 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 60 + pgsql.request.simple_query: COMMIT; + pgsql.response.command_completed: ROLLBACK + pgsql.tx_id: 18 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + 
pcap_cnt: 63 + pgsql.request.simple_query: BEGIN; + pgsql.response.command_completed: BEGIN + pgsql.tx_id: 19 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 66 + pgsql.request.simple_query: INSERT INTO new_table VALUES('Hermione', 'prof_gramger@gmail.com'); + pgsql.response.command_completed: INSERT 0 1 + pgsql.tx_id: 20 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 69 + pgsql.request.simple_query: COMMIT; + pgsql.response.command_completed: COMMIT + pgsql.tx_id: 21 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 72 + pgsql.request.simple_query: INSERT INTO new_table VALUES('Remus', 'prof_lupin@gmail.com'); + pgsql.response.command_completed: INSERT 0 1 + pgsql.tx_id: 22 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 77 + pgsql.request.simple_query: SELECT 1/0; + pgsql.response.code: '22012' + pgsql.response.file: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\utils\adt\int.c + pgsql.response.line: '824' + pgsql.response.message: division by zero + pgsql.response.routine: int4div + pgsql.response.severity_localizable: ERROR + pgsql.response.severity_non_localizable: ERROR + pgsql.tx_id: 23 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 80 + pgsql.request.simple_query: INSERT INTO new_table VALUES('Maugre', 'prof_folloy@gmail.com'); + pgsql.response.command_completed: INSERT 0 1 + pgsql.tx_id: 24 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 
192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 82 + pgsql.request.simple_query: INSERT INTO new_table VALUES('Londubat', 'prof_londubat@gmail.com'); + pgsql.response.command_completed: INSERT 0 1 + pgsql.tx_id: 25 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 84 + pgsql.request.simple_query: SELECT * FROM new_table; + pgsql.response.command_completed: SELECT 8 + pgsql.response.data_rows: 8 + pgsql.response.data_size: 236 + pgsql.response.field_count: 2 + pgsql.tx_id: 26 + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 +- filter: + count: 1 + match: + dest_ip: 192.168.1.102 + dest_port: 44848 + event_type: pgsql + pcap_cnt: 87 + pgsql.request.message: termination_message + pgsql.tx_id: 27 + proto: TCP + src_ip: 192.168.1.74 + src_port: 5432 +- filter: + count: 1 + match: + app_proto: pgsql + dest_ip: 192.168.1.74 + dest_port: 5432 + event_type: flow + flow.age: 93 + flow.alerted: false + flow.bytes_toclient: 4029 + flow.bytes_toserver: 4126 + flow.pkts_toclient: 34 + flow.pkts_toserver: 54 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 192.168.1.102 + src_port: 44848 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.rst: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1f + tcp.tcp_flags_tc: 1e + tcp.tcp_flags_ts: 1b diff --git a/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/README.md b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/README.md new file mode 100644 index 000000000..d74d90a0a --- /dev/null +++ b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/README.md 
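Review bot: The SCRAM checks at pcap_cnt 12 and 15 in tests/pgsql/pgsql-simple-query-rollback/test.yaml pin the raw `pgsql.request.sasl_param`, `pgsql.request.sasl_response` and `pgsql.response.authentication_sasl_final` strings with no indication of what they are, which makes the expected values look like opaque noise to whoever maintains the test. A short comment above the pcap_cnt 12 check would help, e.g. `# SCRAM-SHA-256 exchange: sasl_param is client-first (nonce), sasl_response is client-final (nonce + proof), authentication_sasl_final is the server signature`; these are per-session values rather than the password, which is presumably why they are logged although password output is not enabled in this test's suricata.yaml. This file also has no `# subtest N` labels, unlike pgsql-5000-query-results and pgsql-ssl-rejected-md5-auth-simple-query, which makes referring to one of its 28 checks awkward.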
@@ -0,0 +1,14 @@
+# Description
+
+Tests PostgreSQL (pgsql) output for Frontend/Backend conversation with:
+1st flow:
+- SSL Handshake (denied)
+- Startup Message with MD5 Authenticaion (ok)
+2nd
+- SSL Handshake (denied)
+- Startup Message with MD5 Authenticaion (ok)
+- Simple Query
+- Row Description w/ 10 fields, 3 Data rows, Command Completed, Ready for Query
+- Termination Message
+
+pcap provided by Jason Ish
diff --git a/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/input.pcap b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/input.pcap
new file mode 100644
index 000000000..e9d9eca75
Binary files /dev/null and b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/input.pcap differ
diff --git a/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/suricata.yaml b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/suricata.yaml
new file mode 100755
index 000000000..91d300d7e
--- /dev/null
+++ b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql:
+ enabled: yes
+ passwords: yes # enable output of passwords
+ - flow
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
diff --git a/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/test.yaml b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/test.yaml
new file mode 100644
index 000000000..2ee6eea61
--- /dev/null
+++ b/tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/test.yaml
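Review bot: `passwords: yes # enable output of passwords` in tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/suricata.yaml turns on credential logging, but neither this comment nor the test's README says that the resulting eve.json will carry the client's MD5 password response (test.yaml subtest 5 matches the `pgsql.request.password` value), so the reason for enabling it here is not obvious. Expand the comment, e.g. `passwords: yes # exercise the password-logging path: test.yaml subtest 5 expects the client's md5 response in eve.json`, so a reader knows this is the one pgsql test that deliberately exposes the credential field while pgsql-pwd-output-disabled covers the default.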
@@ -0,0 +1,183 @@ +requires: +# Pgsql was released on version 7.0 + min-version: 7.0 + +args: +- -k none + +checks: +# subtest 1 +- filter: + count: 1 + match: + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 7 + pgsql.request.message: SSL Request + pgsql.response.ssl_accepted: false + pgsql.tx_id: 1 + proto: TCP + src_ip: 10.16.1.10 + src_port: 40784 +# subtest 2 +- filter: + count: 1 + match: + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 11 + pgsql.request.protocol_version: '3.0' + pgsql.request.startup_parameters.database: indexer + pgsql.request.startup_parameters.optional_parameters[0].application_name: psql + pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8 + pgsql.request.startup_parameters.user: indexer + pgsql.response.authentication_md5_password: \x88'N5 + pgsql.tx_id: 2 + proto: TCP + src_ip: 10.16.1.10 + src_port: 40784 +# subtest 3 +- filter: + count: 1 + match: + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 21 + pgsql.request.message: SSL Request + pgsql.response.ssl_accepted: false + pgsql.tx_id: 1 + proto: TCP + src_ip: 10.16.1.10 + src_port: 40816 +# subtest 4 +- filter: + count: 1 + match: + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 25 + pgsql.request.protocol_version: '3.0' + pgsql.request.startup_parameters.database: indexer + pgsql.request.startup_parameters.optional_parameters[0].application_name: psql + pgsql.request.startup_parameters.optional_parameters[1].client_encoding: UTF8 + pgsql.request.startup_parameters.user: indexer + pgsql.response.authentication_md5_password: "\\x9fi\x1A\\x8e" + pgsql.tx_id: 2 + proto: TCP + src_ip: 10.16.1.10 + src_port: 40816 +# subtest 5 +- filter: + count: 1 + match: + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 29 + pgsql.request.password: md5e4cfa9552468cae5d48ca2822ca36e22 + pgsql.response.message: authentication_ok + 
pgsql.response.parameter_status[0].application_name: psql + pgsql.response.parameter_status[10].time_zone: Etc/UTC + pgsql.response.parameter_status[1].client_encoding: UTF8 + pgsql.response.parameter_status[2].date_style: ISO, MDY + pgsql.response.parameter_status[3].integer_datetimes: 'on' + pgsql.response.parameter_status[4].interval_style: postgres + pgsql.response.parameter_status[5].is_superuser: 'on' + pgsql.response.parameter_status[6].server_encoding: UTF8 + pgsql.response.parameter_status[7].server_version: 13.0 (Debian 13.0-1.pgdg100+1) + pgsql.response.parameter_status[8].session_authorization: indexer + pgsql.response.parameter_status[9].standard_conforming_strings: 'on' + pgsql.response.process_id: 61 + pgsql.response.secret_key: 3152142766 + pgsql.tx_id: 3 + proto: TCP + src_ip: 10.16.1.10 + src_port: 40816 +# subtest 6 +- filter: + count: 1 + match: + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 35 + pgsql.request.simple_query: select * from rules where sid = 2021701; + pgsql.response.command_completed: SELECT 3 + pgsql.response.data_rows: 3 + pgsql.response.data_size: 1104 + pgsql.response.field_count: 10 + pgsql.tx_id: 4 + proto: TCP + src_ip: 10.16.1.10 + src_port: 40816 +# subtest 7 +- filter: + count: 1 + match: + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: pgsql + pcap_cnt: 41 + pgsql.request.message: termination_message + pgsql.tx_id: 5 + proto: TCP + src_ip: 10.16.1.10 + src_port: 40816 +# subtest 8 +- filter: + count: 1 + match: + app_proto: pgsql + dest_ip: 10.16.1.11 + dest_port: 5432 + event_type: flow + flow.age: 9 + flow.alerted: false + flow.bytes_toclient: 2717 + flow.bytes_toserver: 1180 + flow.pkts_toclient: 12 + flow.pkts_toserver: 15 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 10.16.1.10 + src_port: 40816 + tcp.ack: true + tcp.fin: true + tcp.psh: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1b + tcp.tcp_flags_tc: 1b + tcp.tcp_flags_ts: 1b +# subtest 9 +- 
filter:
+ count: 1
+ match:
+ app_proto: pgsql
+ dest_ip: 10.16.1.11
+ dest_port: 5432
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 418
+ flow.bytes_toserver: 626
+ flow.pkts_toclient: 6
+ flow.pkts_toserver: 8
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 10.16.1.10
+ src_port: 40784
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
diff --git a/tests/pgsql/pgsql-upgrade-tls/README.md b/tests/pgsql/pgsql-upgrade-tls/README.md
new file mode 100644
index 000000000..94d595052
--- /dev/null
+++ b/tests/pgsql/pgsql-upgrade-tls/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Tests PostgreSQL (pgsql) output for Frontend/Backend conversation with:
+- SSL Handshake (accepted)
+- TLS Handshake
+- Startup phase
+- Error Message (Fatal)
+
+pcap extracted from capture found at https://www.researchgate.net/post/How_to_find_decode_PostgreSQL_query_from_Wireshark_File
diff --git a/tests/pgsql/pgsql-upgrade-tls/input.pcap b/tests/pgsql/pgsql-upgrade-tls/input.pcap
new file mode 100644
index 000000000..692647caf
Binary files /dev/null and b/tests/pgsql/pgsql-upgrade-tls/input.pcap differ
diff --git a/tests/pgsql/pgsql-upgrade-tls/suricata.yaml b/tests/pgsql/pgsql-upgrade-tls/suricata.yaml
new file mode 100755
index 000000000..e62ddcece
--- /dev/null
+++ b/tests/pgsql/pgsql-upgrade-tls/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - tls:
+ extended: yes
+ - pgsql
+ - flow
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ pgsql:
+ enabled: yes
diff --git a/tests/pgsql/pgsql-upgrade-tls/test.yaml b/tests/pgsql/pgsql-upgrade-tls/test.yaml
new file mode 100644
index 000000000..4afe51655
--- /dev/null
+++ b/tests/pgsql/pgsql-upgrade-tls/test.yaml
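Review bot: In tests/pgsql/pgsql-ssl-rejected-md5-auth-simple-query/test.yaml, subtests 1–2 (src_port 40784) and 3–4 (src_port 40816) carry the same `pgsql.tx_id` values 1 and 2 because tx ids restart per flow, and only the src_port keeps the checks apart; nothing in the file says the checks span two flows, and the flow events are then listed in the opposite order (subtest 8 is the 40816 flow, subtest 9 the earlier 40784 flow). A comment at subtest 1 such as `# flow 1 (src_port 40784): SSL denied + MD5 challenge only` and at subtest 3 `# flow 2 (src_port 40816): full session incl. password, query and termination` would make the layout clear. Subtest 5 pins the client's MD5 challenge response under `pgsql.request.password`; noting there that it appears only because `passwords: yes` is set in this test's suricata.yaml would tie the two files together.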
@@ -0,0 +1,112 @@ +requires: +# Pgsql was released on version 7.0 + min-version: 7.0 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + dest_ip: 192.168.50.11 + dest_port: 60358 + event_type: pgsql + pgsql.request.message: SSL Request + pgsql.response.ssl_accepted: true + pgsql.tx_id: 1 + proto: TCP + src_ip: 192.168.50.12 + src_port: 5432 +- filter: + count: 1 + match: + dest_ip: 192.168.50.12 + dest_port: 5432 + event_type: tls + pcap_cnt: 10 + proto: TCP + src_ip: 192.168.50.11 + src_port: 60358 + tls.fingerprint: e4:9d:12:c5:f9:f3:40:41:06:c7:14:42:2c:d8:82:41:e9:6b:94:cd + tls.from_proto: pgsql + tls.issuerdn: CN=ubuntu + tls.notafter: '2027-02-21T05:13:52' + tls.notbefore: '2017-02-23T05:13:52' + tls.serial: 00:82:64:66:C3:07:A1:8F:80 + tls.subject: CN=ubuntu + tls.version: TLS 1.2 +- filter: + count: 1 + match: + app_proto: tls + app_proto_orig: pgsql + dest_ip: 192.168.50.12 + dest_port: 5432 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 2220 + flow.bytes_toserver: 1250 + flow.pkts_toclient: 7 + flow.pkts_toserver: 9 + flow.reason: shutdown + flow.state: closed + proto: TCP + src_ip: 192.168.50.11 + src_port: 60358 + tcp.ack: true + tcp.psh: true + tcp.rst: true + tcp.state: closed + tcp.syn: true + tcp.tcp_flags: 1e + tcp.tcp_flags_tc: 1a + tcp.tcp_flags_ts: 1e +- filter: + count: 1 + match: + dest_ip: 192.168.50.11 + dest_port: 60359 + event_type: pgsql + pgsql.request.protocol_version: '3.0' + pgsql.request.startup_parameters.database: replication + pgsql.request.startup_parameters.optional_parameters[0].replication: 'true' + pgsql.request.startup_parameters.optional_parameters[1].application_name: walreceiver + pgsql.request.startup_parameters.user: rep + pgsql.response.code: '28000' + pgsql.response.file: auth.c + pgsql.response.line: '481' + pgsql.response.message: no pg_hba.conf entry for replication connection from + host "192.168.50.11", user "rep", SSL off + pgsql.response.routine: ClientAuthentication 
+ pgsql.response.severity_localizable: FATAL + pgsql.tx_id: 1 + proto: TCP + src_ip: 192.168.50.12 + src_port: 5432 +- filter: + count: 1 + match: + app_proto: pgsql + dest_ip: 192.168.50.12 + dest_port: 5432 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 357 + flow.bytes_toserver: 291 + flow.pkts_toclient: 3 + flow.pkts_toserver: 3 + flow.reason: shutdown + flow.state: established + proto: TCP + src_ip: 192.168.50.11 + src_port: 60359 + tcp.ack: true + tcp.psh: true + tcp.state: established + tcp.syn: true + tcp.tcp_flags: 1a + tcp.tcp_flags_tc: 1a + tcp.tcp_flags_ts: 1a
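Review bot: The two pgsql checks in tests/pgsql/pgsql-upgrade-tls/test.yaml (the SSL Request on port 60358 and the startup/FATAL on port 60359) are the only checks in this commit without a `pcap_cnt`, so they are anchored less tightly than every other check; if the packet numbers are known, add them, otherwise say in a comment why they are omitted. The file also covers two separate flows without marking them: 60358 is the SSL-accepted connection that continues as TLS (`tls.from_proto: pgsql`, `app_proto_orig: pgsql`), while 60359 is a plaintext replication startup rejected by pg_hba with code 28000 ("SSL off"), which the README describes as a single conversation. Suggested labels: `# flow 1 (60358): SSL request accepted, session continues as TLS` and `# flow 2 (60359): plaintext startup, FATAL 28000 no pg_hba.conf entry`. The SSL Request check is also logged with the server as `src_ip` (192.168.50.12:5432), the reverse of the same check in the sibling tests; presumably the tx is emitted on the response direction here, which is worth a comment so the orientation is not taken for a mistake.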