From 879f6e2f1952a9f8641c95555373fd1c23d09cb2 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Fri, 8 Dec 2023 17:47:19 -0300
Subject: [PATCH] tests: add pgsql cancel request tests

Showcase CancelRequest postgresql message output. Related to Task #6577
---
tests/pgsql/pgsql-cancel-request/README.md | 19 ++++
tests/pgsql/pgsql-cancel-request/input.pcap | Bin 0 -> 2707 bytes
.../pgsql/pgsql-cancel-request/suricata.yaml | 17 ++++
tests/pgsql/pgsql-cancel-request/test.yaml | 91 ++++++++++++++++++
4 files changed, 127 insertions(+)
create mode 100644 tests/pgsql/pgsql-cancel-request/README.md
create mode 100644 tests/pgsql/pgsql-cancel-request/input.pcap
create mode 100644 tests/pgsql/pgsql-cancel-request/suricata.yaml
create mode 100644 tests/pgsql/pgsql-cancel-request/test.yaml

diff --git a/tests/pgsql/pgsql-cancel-request/README.md b/tests/pgsql/pgsql-cancel-request/README.md
new file mode 100644
index 000000000..b68ca556d
--- /dev/null
+++ b/tests/pgsql/pgsql-cancel-request/README.md
@@ -0,0 +1,19 @@
+# Test Description
+
+Showcase Suricata output and behavior when it inspects PostgreSQL traffic where
+a `CancelRequest` message is sent.
+
+A CancelRequest message is sent by the FrontEnd (client) when it wants to cancel
+a Query. It is sent to a new port, so this creates a new transaction. No direct
+message is sent to confirm that the CancelRequest was processed, but if it is,
+the transaction/process waiting for the Query will receive an Error Message
+indicating that the Query was canceled (cf
+https://www.postgresql.org/docs/16/protocol-flow.html#PROTOCOL-FLOW-CANCELING-REQUESTS).
+
+## PCAP
+
+Shared by Jason Ish, sample of a local query to a sample local database.
+
+## Related issues
+
+Task for adding pgsql message: https://redmine.openinfosecfoundation.org/issues/6577
diff --git a/tests/pgsql/pgsql-cancel-request/input.pcap b/tests/pgsql/pgsql-cancel-request/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d00c7e5dba9a2c1120cdb7a1d677d2db7f83fef2
GIT binary patch
literal 2707
zc-n=Qe@q)?7{}j2f3YqGoH%|-YBUkH$y#WUGR+DU9FF~vA7;ama&2Ern5;Vz;P)om+fb!%c0Sg1Rmd)P5vJG z33M1x)6E}|g^Z#uwI16vV?3hE$OFb~nsFW(5N0)gfB!~gS$;RE^dxIBx62cn+<4$k z^kp0FymU-qow;@7DDsf81sHCKcPk8cvW_uM>oW2TcN`z88QT#O)(El9u%yZ~NlgGK zsy61YClG{;j5!nOhxmSl(QmtmjFD+w1{m||IyD2rwv$Xk5)u`OnBb{ILY&M6IEgOb za`8AH3375ICin#|N=aPm=1Gu`P(k)nAs7oqgfMAqZKxsy6?wBPqz14xilUmNk6H7X z#+s;bz?+ZO48NAL=I9z!)eLc~;V}Ji)jW(q<7x}(fDbwpV2AAzvnf-ZqBkF)y(~pj zI>iBm#v!gG8gf?zDjb|Mz=b#$4Fp^PPbFLiD_u@UdB7d?c$oTEimYVNK-f`F41>vf zR6omW)c3*zYf=5s)wKHE_&`)|#Yt*`qd?y~T*}uq5LedvIGMJ{FY=T$w(Qto-{#w` zL_`FchN`cOF%h0??Xwo=##D`F4FD^c;7B!@*<#3EiUV`yNVdrDpVbCbYt$Bm))<8n{QwKad> zwEiZ1yD+s0BP%>+{=ZGQ;Mn3jpDBc_hs!!@9LX+=IlBYKQbstMv*o zF2RdYNmomKbMua7@{Dq-b3f*Ay2!R5Cj==Ey=;dzmuVD++8#p-b*sb<)I)%$DZ?F3GjrZ_Xm`4=(`j3NL4
literal 0
Hc-jL100001

diff --git a/tests/pgsql/pgsql-cancel-request/suricata.yaml b/tests/pgsql/pgsql-cancel-request/suricata.yaml
new file mode 100644
index 000000000..ea8c9fa78
--- /dev/null
+++ b/tests/pgsql/pgsql-cancel-request/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+- eve-log:
+enabled: yes
+filetype: regular
+filename: eve.json
+types:
+- pgsql
+- flow
+
+app-layer:
+protocols:
+pgsql:
+enabled: yes
+
diff --git a/tests/pgsql/pgsql-cancel-request/test.yaml b/tests/pgsql/pgsql-cancel-request/test.yaml
new file mode 100644
index 000000000..91e283a29
--- /dev/null
+++ b/tests/pgsql/pgsql-cancel-request/test.yaml
@@ -0,0 +1,91 @@
+requires:
+min-version: 8
+args:
+- -k none
+- --set stream.midstream=true
+
+checks:
+- filter:
+count: 1
+match:
+dest_ip: 100.96.199.113
+dest_port: 5432
+event_type: pgsql
+pgsql.request.message: SSL Request
+pgsql.response.ssl_accepted: false
+pgsql.tx_id: 1
+src_ip: 100.88.2.140
+src_port: 39704
+- filter:
+count: 1
+match:
+dest_ip: 100.96.199.113
+dest_port: 5432
+event_type: pgsql
+pgsql.request.protocol_version: '3.0'
+pgsql.request.startup_parameters.optional_parameters[0].database: rules
+pgsql.request.startup_parameters.optional_parameters[1].application_name: psql
+pgsql.request.startup_parameters.optional_parameters[2].client_encoding: UTF8
+pgsql.request.startup_parameters.user: rules
+pgsql.tx_id: 2
+src_ip: 100.88.2.140
+src_port: 39704
+- filter:
+count: 1
+match:
+dest_ip: 100.96.199.113
+dest_port: 5432
+event_type: pgsql
+pgsql.response.message: authentication_ok
+pgsql.response.parameter_status[0].application_name: psql
+pgsql.response.process_id: 28954
+pgsql.response.secret_key: 889887985
+pgsql.tx_id: 3
+src_ip: 100.88.2.140
+src_port: 39704
+- filter:
+count: 1
+match:
+dest_ip: 100.96.199.113
+dest_port: 5432
+event_type: pgsql
+pcap_cnt: 23
+pgsql.request.simple_query: select pg_sleep(9)
+pgsql.response.code: '57014'
+pgsql.response.field_count: 1
+pgsql.response.file: postgres.c
+pgsql.response.line: '3211'
+pgsql.response.message: canceling statement due to user request
+pgsql.response.routine: ProcessInterrupts
+pgsql.response.severity_localizable: ERROR
+pgsql.response.severity_non_localizable: ERROR
+pgsql.tx_id: 4
+src_ip: 100.88.2.140
+src_port: 39704
+- filter:
+count: 1
+match:
+dest_ip: 100.96.199.113
+dest_port: 5432
+event_type: pgsql
+pgsql.request.message: termination_message
+pgsql.tx_id: 5
+src_ip: 100.88.2.140
+src_port: 39704
+- filter:
+count: 1
+match:
+dest_ip: 100.96.199.113
+dest_port: 5432
+event_type: pgsql
+pgsql.request.secret_key: 889887985
+pgsql.request.message: cancel_request
+pgsql.request.process_id: 28954
+pgsql.tx_id: 1
+src_ip: 100.88.2.140
+src_port: 39706
+- filter:
+count: 2
+match:
+app_proto: pgsql
+event_type: flow
-- 
2.47.2
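Review bot: The test.yaml checks pin each expected pgsql event on its own but never the total number of pgsql events, so an unexpected extra event (a duplicated or mis-split transaction, for instance) would still pass; a closing filter with `count: 6` and `match: {event_type: pgsql}` would catch that, assuming the pcap yields exactly the six events asserted here. The final `count: 2` flow filter already confirms the cancel request travels on its own flow (src_port 39706 rather than 39704), which matches the README's note that a CancelRequest opens a new connection. It would help a reader to state, in the README or a YAML comment above the cancel_request block, that its `process_id: 28954` and `secret_key: 889887985` are the backend key data logged in the authentication_ok event of tx 3, since that pairing is what lets an analyst tie the cancel flow back to the session it interrupts. A small style point: that cancel_request block lists `pgsql.request.secret_key` ahead of `pgsql.request.message` and `pgsql.request.process_id`, while every other block keeps its match keys in sorted order.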