From: Juliana Fajardini
Date: Tue, 27 Aug 2024 17:53:16 +0000 (-0300)
Subject: pgsql: update bug-6983 tests
X-Git-Tag: suricata-7.0.7~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2027%2Fhead;p=thirdparty%2Fsuricata-verify.git
pgsql: update bug-6983 tests
Add app-layer fields to pgsql alerts. Related to Bug #7066
---
diff --git a/tests/pgsql/pgsql-bug-6983-ids/README.md b/tests/pgsql/pgsql-bug-6983-ids/README.md
index f626417ec..69a119f0d 100644
--- a/tests/pgsql/pgsql-bug-6983-ids/README.md
+++ b/tests/pgsql/pgsql-bug-6983-ids/README.md
@@ -1,6 +1,7 @@
 # Description
-Tests that alerts for the pgsql app-proto will include pgsql app-proto metadata.
+Tests that alerts for the pgsql app-proto will not include pgsql app-proto metadata
+if this setting is disabled in the configuration file.
 ## PCAP
diff --git a/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml b/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml
index b1049819c..0103a7bd7 100755
--- a/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml
+++ b/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml
@@ -10,7 +10,9 @@ outputs:
 - pgsql:
 enabled: yes
 passwords: yes
- - alert
+ - alert:
+ enabled: yes
+ metadata: no
 app-layer:
 protocols:
diff --git a/tests/pgsql/pgsql-bug-6983-ids/test.yaml b/tests/pgsql/pgsql-bug-6983-ids/test.yaml
index f1c6c43d5..f9e8ddde0 100644
--- a/tests/pgsql/pgsql-bug-6983-ids/test.yaml
+++ b/tests/pgsql/pgsql-bug-6983-ids/test.yaml
@@ -16,10 +16,5 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
-- filter:
- min-version: 8
- count: 1
- match:
- event_type: alert
- flow.pkts_toserver: 10
- flow.pkts_toclient: 10
+ not-has-key: flow
+ not-has-key: pgsql
diff --git a/tests/pgsql/pgsql-bug-6983-ips/test.yaml b/tests/pgsql/pgsql-bug-6983-ips/test.yaml
index fd9277cc5..e7f22f068 100644
--- a/tests/pgsql/pgsql-bug-6983-ips/test.yaml
+++ b/tests/pgsql/pgsql-bug-6983-ips/test.yaml
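Review bot: The two `not-has-key` lines added to the match block in tests/pgsql/pgsql-bug-6983-ids/test.yaml are duplicate keys in a single YAML mapping, so a loader like PyYAML keeps only the last one and the `flow` check is silently never evaluated, while the README in this same commit says the test exists to prove app-layer metadata is absent. Unless the runner is known to accept a list for this key, in which case `not-has-key: [flow, pgsql]` would keep both, the flow assertion needs its own `- filter:` entry with its own `match:` block. Worth checking the harness's match handling before merging, since the test will pass either way and never report the dropped key. The `checks:` list this hunk edits begins above the hunk.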
@@ -13,7 +13,15 @@ checks:
 match:
 event_type: pgsql
 - filter:
+ # in ips mode, as this rule inspects the stream only (no pgsql keywords), we end up getting two alerts instead of one
 count: 2
 match:
 event_type: alert
 alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pgsql.request.simple_query: "select * from rules where sid = 2021701;"
+ pgsql.response.field_count: 10