From 0a31d52710b51e4ba26734305d6eb2b643e7c2bc Mon Sep 17 00:00:00 2001
From: Juliana Fajardini <jufajardini@oisf.net>
Date: Tue, 28 Nov 2023 18:19:48 -0300
Subject: [PATCH] tests: add test for pgsql probe bug 6080

Add test for pgsql probing function bug 6080.
Crafted pcap.

Related to
Bug #6080
---
 tests/pgsql-bug-6080-probe-test-01/README.md  |  15 +++++++++
 tests/pgsql-bug-6080-probe-test-01/input.pcap | Bin 0 -> 733 bytes
 .../suricata.yaml                             |  18 ++++++++++
 tests/pgsql-bug-6080-probe-test-01/test.yaml  |  22 +++++++++++++
 .../pgsql-bug-6080-probe-test-01/writepcap.py |  31 ++++++++++++++++++
 5 files changed, 86 insertions(+)
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/README.md
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/input.pcap
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/suricata.yaml
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/test.yaml
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/writepcap.py

diff --git a/tests/pgsql-bug-6080-probe-test-01/README.md b/tests/pgsql-bug-6080-probe-test-01/README.md
new file mode 100644
index 000000000..3cd229550
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/README.md
@@ -0,0 +1,15 @@
+# Test Description
+
+The probing function for PGSQL, in some scenarios, could identify any TCP message
+sent to the standard PGSQL port - 5432 - as PGSQL traffic, leading to false
+positives.
+
+## PCAP
+
+This pcap was created using the Scapy script included in the test directory,
+to reproduce a non-shareable traffic capture.
+
+## Related issues
+
+Bug report on Redmine:
+https://redmine.openinfosecfoundation.org/issues/6080
diff --git a/tests/pgsql-bug-6080-probe-test-01/input.pcap b/tests/pgsql-bug-6080-probe-test-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0238838f6a5f5eae8c7317d39448b1885c897436
GIT binary patch
literal 733
zc-p&ic+)~A1{MYw`2U}Q;R%p_5|NgwK81zB0LTVmR}jU>z~I0pJ9&)&BjXwY7GV}C
zQ45&90;d1}d1o;&FtM<1VPS&kcbSGuKZ`KP3{eXfDX4bF0wJ*r-*%wte=wbeK?5kM
z0nx7k)ju1}ent=u5cvP!(g&h%`b@(5SZ~aT0PB<Z|9`d!MBmZbxb&g87i6DmfPmNq
zr3i>V@3|}tnm|EKh(1lIzFAoHNr+u|;m5#W1=3hDpC}J9K`i|L&r$<o;jaZO4AwwF
zYluE;sJ;#~3z=XRzAgq@Xq;ngT%uQ;T2z)=q?ccm&d3EaDqt~DPEciFU=0qC__fwj
z0pf(qONi2E3f3nH)W;9e=eLZQuwo4cN}mXjkW_fU2@R`RD~Pi21W<EG05C$0^%xic
DUp0fF

literal 0
Hc-jL100001

diff --git a/tests/pgsql-bug-6080-probe-test-01/suricata.yaml b/tests/pgsql-bug-6080-probe-test-01/suricata.yaml
new file mode 100644
index 000000000..b2aea2623
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql
+        - flow
+
diff --git a/tests/pgsql-bug-6080-probe-test-01/test.yaml b/tests/pgsql-bug-6080-probe-test-01/test.yaml
new file mode 100644
index 000000000..73608589c
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      dest_port: 5432
+      event_type: pgsql
+      proto: TCP
+- filter:
+    count: 0
+    match:
+      app_proto: pgsql
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: flow
diff --git a/tests/pgsql-bug-6080-probe-test-01/writepcap.py b/tests/pgsql-bug-6080-probe-test-01/writepcap.py
new file mode 100644
index 000000000..b52a0ead5
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/writepcap.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+'''packet 1'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='S', window=65535, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 2'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432,
+                flags='S''A', ack=1, window=5840, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 3'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=1, window=65535, seq=1)
+'''packet 4'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1, window=65535, seq=98080856)
+'''packet 5'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='A', ack=37, window=5840, seq=1)
+'''packet 6'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=1)/":"
+'''packet 7'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=37, window=65534, seq=2)
+'''packet 8'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=2)/"p1r473.server.org\x01\n"
+'''packet 9'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1363, window=64173, seq=37)
+'''packet 10'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='F''P''A', ack=1363, window=64173, seq=53)
+'''packet 11'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=200, window=6432, seq=1363)/":"
+'''packet 12'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='R''A', ack=1364, window=0, seq=200)
+
+wrpcap('input.pcap', pkts)
-- 
2.47.2