From be095e1c4d4192c975462ddcd7e8bfdc2c79476b Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Tue, 23 Apr 2024 21:43:58 -0300
Subject: [PATCH] tests/pgsql: add test for bug 6983

Related to Bug #6983
---
 tests/pgsql/pgsql-bug-6983-ids/README.md | 12 ++++++++++
 tests/pgsql/pgsql-bug-6983-ids/suricata.yaml | 18 ++++++++++++++
 tests/pgsql/pgsql-bug-6983-ids/test.rules | 1 +
 tests/pgsql/pgsql-bug-6983-ids/test.yaml | 25 ++++++++++++++++++++
 tests/pgsql/pgsql-bug-6983-ips/README.md | 16 +++++++++++++
 tests/pgsql/pgsql-bug-6983-ips/suricata.yaml | 18 ++++++++++++++
 tests/pgsql/pgsql-bug-6983-ips/test.rules | 1 +
 tests/pgsql/pgsql-bug-6983-ips/test.yaml | 19 +++++++++++++++
 8 files changed, 110 insertions(+)
 create mode 100644 tests/pgsql/pgsql-bug-6983-ids/README.md
 create mode 100755 tests/pgsql/pgsql-bug-6983-ids/suricata.yaml
 create mode 100644 tests/pgsql/pgsql-bug-6983-ids/test.rules
 create mode 100644 tests/pgsql/pgsql-bug-6983-ids/test.yaml
 create mode 100644 tests/pgsql/pgsql-bug-6983-ips/README.md
 create mode 100755 tests/pgsql/pgsql-bug-6983-ips/suricata.yaml
 create mode 100644 tests/pgsql/pgsql-bug-6983-ips/test.rules
 create mode 100644 tests/pgsql/pgsql-bug-6983-ips/test.yaml

diff --git a/tests/pgsql/pgsql-bug-6983-ids/README.md b/tests/pgsql/pgsql-bug-6983-ids/README.md
new file mode 100644
index 000000000..f626417ec
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6983-ids/README.md
@@ -0,0 +1,12 @@
+# Description
+
+Tests that alerts for the pgsql app-proto will include pgsql app-proto metadata.
+
+## PCAP
+
+Pcap file reused from pgsql-ssl-rejected-md5-auth-simple-query
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/6983
+https://redmine.openinfosecfoundation.org/issues/7000
diff --git a/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml b/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml
new file mode 100755
index 000000000..b1049819c
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql:
+ enabled: yes
+ passwords: yes
+ - alert
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
diff --git a/tests/pgsql/pgsql-bug-6983-ids/test.rules b/tests/pgsql/pgsql-bug-6983-ids/test.rules
new file mode 100644
index 000000000..a90b15835
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6983-ids/test.rules
@@ -0,0 +1 @@
+alert pgsql any any -> any any (msg:"PGSQL Test Rule"; content:"select * from"; sid:1; rev:1;)
diff --git a/tests/pgsql/pgsql-bug-6983-ids/test.yaml b/tests/pgsql/pgsql-bug-6983-ids/test.yaml
new file mode 100644
index 000000000..f1c6c43d5
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6983-ids/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ min-version: 7.0
+
+pcap: ../pgsql-ssl-rejected-md5-auth-simple-query/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 7
+ match:
+ event_type: pgsql
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: alert
+ flow.pkts_toserver: 10
+ flow.pkts_toclient: 10
diff --git a/tests/pgsql/pgsql-bug-6983-ips/README.md b/tests/pgsql/pgsql-bug-6983-ips/README.md
new file mode 100644
index 000000000..458515da7
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6983-ips/README.md
@@ -0,0 +1,16 @@
+# Description
+
+Tests that alerts for the pgsql app-proto will include pgsql app-proto metadata,
+in IPS mode.
+
+As this test uses a stream rule, in IPS mode the engine generating two alerts is
+expected.
+
+## PCAP
+
+Pcap file reused from pgsql-ssl-rejected-md5-auth-simple-query
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/6983
+https://redmine.openinfosecfoundation.org/issues/7000
diff --git a/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml b/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml
new file mode 100755
index 000000000..b1049819c
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml
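Review bot: `passwords: yes` under the pgsql eve-log type in this suricata.yaml hunk turns on logging of the authentication material from the md5-auth pcap, but no check in either test.yaml consults a password field, so the option widens what lands in eve.json without being exercised by the test. Unless the alert metadata under test is expected to carry it, dropping that line or annotating it, e.g. `# needed because the alert metadata under test embeds the auth field`, keeps the config minimal and the intent explicit. The same config is duplicated byte-for-byte (index b1049819c) in the ips suricata.yaml hunk, so whichever way it is resolved applies to both.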
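Review bot: The alert filter in the ids test.yaml hunk matches only on `event_type: alert` and `alert.signature_id: 1`, so it would still pass if the alert were emitted without the pgsql app-proto metadata that the README states this test exists to verify. Pinning the metadata in the match, e.g. adding `app_proto: pgsql` to that filter together with the pgsql key the alert is expected to carry (presumably `pgsql`, to be confirmed against the eve output), makes the check actually guard against a regression of bug 6983. The same gap is in the ips test.yaml hunk, where the count: 2 alert filter also matches on signature_id alone.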
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql:
+ enabled: yes
+ passwords: yes
+ - alert
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
diff --git a/tests/pgsql/pgsql-bug-6983-ips/test.rules b/tests/pgsql/pgsql-bug-6983-ips/test.rules
new file mode 100644
index 000000000..a90b15835
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6983-ips/test.rules
@@ -0,0 +1 @@
+alert pgsql any any -> any any (msg:"PGSQL Test Rule"; content:"select * from"; sid:1; rev:1;)
diff --git a/tests/pgsql/pgsql-bug-6983-ips/test.yaml b/tests/pgsql/pgsql-bug-6983-ips/test.yaml
new file mode 100644
index 000000000..fd9277cc5
--- /dev/null
+++ b/tests/pgsql/pgsql-bug-6983-ips/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ min-version: 7.0
+
+pcap: ../pgsql-ssl-rejected-md5-auth-simple-query/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 7
+ match:
+ event_type: pgsql
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
--
2.47.2