From: Juliana Fajardini Date: Mon, 15 Apr 2024 23:19:54 +0000 (-0300) Subject: tests/pgsql: add checks and test for bug 6092 X-Git-Tag: suricata-6.0.19~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1771%2Fhead;p=thirdparty%2Fsuricata-verify.git tests/pgsql: add checks and test for bug 6092 Ensure that pgsql metadata flags (for now, just setting whether passwords should be logged or not) are properly processed by Suri and logging functions. Related to Bug #6092
---
diff --git a/tests/pgsql/pgsql-5000-query-results/suricata.yaml b/tests/pgsql/pgsql-5000-query-results/suricata.yaml
index 8434a4ffa..bade98943 100644
--- a/tests/pgsql/pgsql-5000-query-results/suricata.yaml
+++ b/tests/pgsql/pgsql-5000-query-results/suricata.yaml
@@ -7,7 +7,8 @@ outputs:
 filetype: regular
 filename: eve.json
 types:
- - pgsql
+ - pgsql:
+ passwords: false

 app-layer:
 protocols:
diff --git a/tests/pgsql/pgsql-5000-query-results/test.yaml b/tests/pgsql/pgsql-5000-query-results/test.yaml
index eac5cbc3b..4b8ecd7c0 100644
--- a/tests/pgsql/pgsql-5000-query-results/test.yaml
+++ b/tests/pgsql/pgsql-5000-query-results/test.yaml
@@ -64,6 +64,7 @@ checks:
 dest_port: 5432
 event_type: pgsql
 pcap_cnt: 29
+ not-has-key: pgsql.request.password
 pgsql.response.message: authentication_ok
 pgsql.response.parameter_status[0].application_name: psql
 pgsql.response.parameter_status[10].time_zone: Etc/UTC
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/README.md b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/README.md
new file mode 100644
index 000000000..7b5412e4a
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/README.md
@@ -0,0 +1,12 @@
+# Description
+
+Tests that when PostgreSQL (pgsql) EVE log config is set to not log out password
+messages, it doesn't.
+
+## PCAP
+
+Pcap file reused from pgsql-ssl-rejected-md5-auth-simple-query
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/6092
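Review bot: The added `not-has-key: pgsql.request.password` in pgsql-5000-query-results/test.yaml only constrains the single event this filter selects (the `pcap_cnt: 29` / `authentication_ok` match), so a password logged in any other pgsql event of the capture would still pass. The same per-event pattern is used in pgsql-bug-6092-log-flags-and-metadata-01/test.yaml, pgsql-cancel-request/test.yaml and pgsql-pwd-output-disabled/test.yaml. Where password output is meant to be off, a separate filter expecting zero events that carry the key would pin the guarantee for the whole capture. The enclosing `filter` entry starts and ends outside this hunk, so the sketch below is a standalone entry to append under `checks:`.

```yaml
# no pgsql event in the capture may carry the request password
- filter:
    count: 0
    match:
      event_type: pgsql
      has-key: pgsql.request.password
```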
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/suricata.yaml b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/suricata.yaml
new file mode 100755
index 000000000..7db5f7016
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql:
+ enabled: yes
+ #passwords: no # enable output of passwords Default is false
+ - flow
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/test.yaml b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/test.yaml
new file mode 100644
index 000000000..1e1070068
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-01/test.yaml
@@ -0,0 +1,39 @@
+requires:
+# Pgsql was released on version 7.0
+ min-version: 7.0
+
+pcap: ../pgsql-ssl-rejected-md5-auth-simple-query/input.pcap
+
+args:
+- -k none
+
+checks:
+# subtest 1
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.11
+ dest_port: 5432
+ event_type: pgsql
+ pcap_cnt: 25
+ proto: TCP
+ src_ip: 10.16.1.10
+ src_port: 40816
+ pgsql.tx_id: 2
+ pgsql.request.protocol_version: '3.0'
+ pgsql.request.startup_parameters.optional_parameters[0].database: indexer
+ pgsql.request.startup_parameters.user: indexer
+ pgsql.response.authentication_md5_password: "\\x9fi\x1A\\x8e"
+# subtest 2
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.11
+ dest_port: 5432
+ event_type: pgsql
+ pcap_cnt: 29
+ pgsql.tx_id: 3
+ not-has-key: pgsql.request.password
+ pgsql.response.message: authentication_ok
+ pgsql.response.process_id: 61
+ pgsql.response.secret_key: 3152142766
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/README.md b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/README.md
new file mode 100644
index 000000000..d9e83f7fb
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/README.md
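Review bot: The `passwords` key is commented out in pgsql-bug-6092-log-flags-and-metadata-01/suricata.yaml, so this test exercises the default rather than an explicit opt-out, while the test's README describes the config as "set to not log" passwords. The trailing comment also reads as if `no` enabled output. Either uncomment it as `passwords: no`, or keep it unset and state the intent, e.g. `# passwords intentionally unset: the default must not log passwords`. Pinning the default is arguably the more valuable check for credential logging, but the config and README should agree on which case is being tested.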
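Review bot: The expected value `"\\x9fi\x1A\\x8e"` in subtest 1 of pgsql-bug-6092-log-flags-and-metadata-01/test.yaml mixes two escape forms in one double-quoted scalar: `\\x9f` and `\\x8e` are literal four-character text, while `\x1A` is a single control byte. That is presumably how the MD5 salt is rendered in eve.json, but it reads like a typo and is easy to "fix" into a broken test. A comment above the line would help, e.g. `# literal "\x9f" / "\x8e" text plus a raw 0x1A byte (confirm against eve.json)`. The `# subtest 1` / `# subtest 2` markers could likewise say what each one asserts: the salt in the MD5 auth response, and the absence of the request password.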
@@ -0,0 +1,12 @@
+# Description
+
+Tests that when PostgreSQL (pgsql) EVE log config is set to log password
+messages, it does.
+
+## PCAP
+
+Pcap file reused from pgsql-ssl-rejected-md5-auth-simple-query
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/6092
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/suricata.yaml b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/suricata.yaml
new file mode 100755
index 000000000..ea7b027ae
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql:
+ enabled: yes
+ passwords: yes
+ - flow
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
diff --git a/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/test.yaml b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/test.yaml
new file mode 100644
index 000000000..87865103d
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6092-log-flags-and-metadata-02/test.yaml
@@ -0,0 +1,19 @@
+requires:
+# Pgsql was released on version 7.0
+ min-version: 7.0
+
+pcap: ../pgsql-ssl-rejected-md5-auth-simple-query/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.11
+ dest_port: 5432
+ event_type: pgsql
+ pcap_cnt: 29
+ has-key: pgsql.request.password
+ pgsql.response.message: authentication_ok
diff --git a/tests/pgsql/pgsql-cancel-request/test.yaml b/tests/pgsql/pgsql-cancel-request/test.yaml
index 040178b1d..9485dd365 100644
--- a/tests/pgsql/pgsql-cancel-request/test.yaml
+++ b/tests/pgsql/pgsql-cancel-request/test.yaml
@@ -36,6 +36,7 @@ checks:
 dest_ip: 100.96.199.113
 dest_port: 5432
 event_type: pgsql
+ not-has-key: pgsql.request.password
 pgsql.response.message: authentication_ok
 pgsql.response.parameter_status[0].application_name: psql
 pgsql.response.process_id: 28954
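Review bot: `has-key: pgsql.request.password` in pgsql-bug-6092-log-flags-and-metadata-02/test.yaml proves only that the key exists, so an event that logged an empty or wrong value would still satisfy this check. Because the pcap is a fixed capture reused from pgsql-ssl-rejected-md5-auth-simple-query, the expected value is stable and can be matched directly, e.g. `pgsql.request.password: "<value taken from a reference eve.json>"` (placeholder, the value is not visible in this diff). Matching the value would also confirm that the field holds the password message from the capture rather than some other data.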
diff --git a/tests/pgsql/pgsql-pwd-output-disabled/test.yaml b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml
index 3a4d57c7f..11f3442c6 100644
--- a/tests/pgsql/pgsql-pwd-output-disabled/test.yaml
+++ b/tests/pgsql/pgsql-pwd-output-disabled/test.yaml
@@ -44,6 +44,7 @@ checks:
 event_type: pgsql
 pcap_cnt: 12
 pgsql.response.message: authentication_ok
+ not-has-key: pgsql.request.password
 pgsql.response.parameter_status[0].application_name: psql
 pgsql.response.parameter_status[10].time_zone: Europe/London
 pgsql.response.parameter_status[1].client_encoding: UTF8