From 218af4c1a548ada869b7af8187980858a2f00235 Mon Sep 17 00:00:00 2001 From: Juliana Fajardini Date: Tue, 27 Aug 2024 14:53:16 -0300 Subject: [PATCH] pgsql: update bug-6983 tests Add app-layer fields to pgsql alerts. Related to Bug #7066 --- tests/pgsql/pgsql-bug-6983-ids/README.md | 3 ++- tests/pgsql/pgsql-bug-6983-ids/suricata.yaml | 4 +++- tests/pgsql/pgsql-bug-6983-ids/test.yaml | 9 ++------- tests/pgsql/pgsql-bug-6983-ips/test.yaml | 8 ++++++++ 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/tests/pgsql/pgsql-bug-6983-ids/README.md b/tests/pgsql/pgsql-bug-6983-ids/README.md index f626417ec..69a119f0d 100644 --- a/tests/pgsql/pgsql-bug-6983-ids/README.md +++ b/tests/pgsql/pgsql-bug-6983-ids/README.md @@ -1,6 +1,7 @@ # Description -Tests that alerts for the pgsql app-proto will include pgsql app-proto metadata. +Tests that alerts for the pgsql app-proto will not include pgsql app-proto metadata +if this setting is disabled in the configuration file. ## PCAP diff --git a/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml b/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml index b1049819c..0103a7bd7 100755 --- a/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml +++ b/tests/pgsql/pgsql-bug-6983-ids/suricata.yaml @@ -10,7 +10,9 @@ outputs: - pgsql: enabled: yes passwords: yes - - alert + - alert: + enabled: yes + metadata: no app-layer: protocols: diff --git a/tests/pgsql/pgsql-bug-6983-ids/test.yaml b/tests/pgsql/pgsql-bug-6983-ids/test.yaml index f1c6c43d5..f9e8ddde0 100644 --- a/tests/pgsql/pgsql-bug-6983-ids/test.yaml +++ b/tests/pgsql/pgsql-bug-6983-ids/test.yaml @@ -16,10 +16,5 @@ checks: match: event_type: alert alert.signature_id: 1 -- filter: - min-version: 8 - count: 1 - match: - event_type: alert - flow.pkts_toserver: 10 - flow.pkts_toclient: 10 + not-has-key: flow + not-has-key: pgsql diff --git a/tests/pgsql/pgsql-bug-6983-ips/test.yaml b/tests/pgsql/pgsql-bug-6983-ips/test.yaml index fd9277cc5..e7f22f068 100644 
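Review bot: The `metadata: no` line under the new `- alert:` block is the one setting this test exists to exercise, yet nothing in suricata.yaml says so, and a later cleanup could easily restore the default and silently change what the test proves. Add a comment above it, `# metadata deliberately disabled: the test asserts alerts carry no pgsql or flow keys`, so the intent lives in the file that controls it rather than only in the README. The `outputs:` block this hunk sits in begins before the hunk.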
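Review bot: The two added lines use the same mapping key, `not-has-key: flow` followed by `not-has-key: pgsql`; if, as their placement right after `alert.signature_id: 1` suggests, both sit in the same `match:` mapping, a YAML loader that tolerates duplicate keys keeps only the last one, so the absence of `flow` is never asserted and the test still passes if flow metadata leaks back into alerts. Splitting the check into two filter blocks, one per key, keeps both assertions using only syntax the file already relies on; the indentation below is reconstructed, since the hunk's whitespace is collapsed in this view. The filter this hunk modifies begins before the hunk, at its `- filter:` and `count:` lines.
```yaml
# … unchanged: first filter block through alert.signature_id: 1 …
      not-has-key: flow
- filter:
    count: 1
    match:
      event_type: alert
      alert.signature_id: 1
      not-has-key: pgsql
```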
--- a/tests/pgsql/pgsql-bug-6983-ips/test.yaml +++ b/tests/pgsql/pgsql-bug-6983-ips/test.yaml @@ -13,7 +13,15 @@ checks: match: event_type: pgsql - filter: + # in ips mode, as this rule inspects the stream only (no pgsql keywords), we end up getting two alerts instead of one count: 2 match: event_type: alert alert.signature_id: 1 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pgsql.request.simple_query: "select * from rules where sid = 2021701;" + pgsql.response.field_count: 10 -- 2.47.2
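Review bot: The new `- filter:` block asserts `pgsql.request.simple_query` and `pgsql.response.field_count` on the alert without a `min-version:` guard, while the check the ids test drops in this same series carried `min-version: 8`; unless the file declares a minimum version outside this hunk, this assertion will fail on releases that do not add app-layer fields to alerts. If the guard is needed, `min-version: 8` placed between `- filter:` and `count: 1` matches the form the removed ids check used. A one-line comment above the new block explaining why only one of the two sid-1 alerts counted just above is expected to carry both request and response fields would also save the next reader from re-deriving that from the pcap.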