diff --git a/tests/pgsql/pgsql-cancel-request/README.md b/tests/pgsql/pgsql-cancel-request/README.md
new file mode 100644
index 000000000..b68ca556d
--- /dev/null
+++ b/tests/pgsql/pgsql-cancel-request/README.md
@@ -0,0 +1,19 @@
+# Test Description
+
+Showcase Suricata output and behavior when it inspects PostgreSQL traffic where
+a `CancelRequest` message is sent.
+
+A CancelRequest message is sent by the FrontEnd (client) when it wants to cancel
+a Query. It is sent to a new port, so this creates a new transaction. No direct
+message is sent to confirm that the CancelRequest was processed, but if it is,
+the transaction/process waiting for the Query will receive an Error Message
+indicating that the Query was canceled (cf
+https://www.postgresql.org/docs/16/protocol-flow.html#PROTOCOL-FLOW-CANCELING-REQUESTS).
+
+## PCAP
+
+Shared by Jason Ish, sample of a local query to a sample local database.
+
+## Related issues
+
+Task for adding pgsql message: https://redmine.openinfosecfoundation.org/issues/6577
diff --git a/tests/pgsql/pgsql-cancel-request/input.pcap b/tests/pgsql/pgsql-cancel-request/input.pcap
new file mode 100644
index 000000000..d00c7e5db
Binary files /dev/null and b/tests/pgsql/pgsql-cancel-request/input.pcap differ
diff --git a/tests/pgsql/pgsql-cancel-request/suricata.yaml b/tests/pgsql/pgsql-cancel-request/suricata.yaml
new file mode 100644
index 000000000..ea8c9fa78
--- /dev/null
+++ b/tests/pgsql/pgsql-cancel-request/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - pgsql
+ - flow
+
+app-layer:
+ protocols:
+ pgsql:
+ enabled: yes
+
diff --git a/tests/pgsql/pgsql-cancel-request/test.yaml b/tests/pgsql/pgsql-cancel-request/test.yaml
new file mode 100644
index 000000000..91e283a29
--- /dev/null
+++ b/tests/pgsql/pgsql-cancel-request/test.yaml
@@ -0,0 +1,91 @@
+requires:
+ min-version: 8
+args:
+- -k none
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 100.96.199.113
+ dest_port: 5432
+ event_type: pgsql
+ pgsql.request.message: SSL Request
+ pgsql.response.ssl_accepted: false
+ pgsql.tx_id: 1
+ src_ip: 100.88.2.140
+ src_port: 39704
+- filter:
+ count: 1
+ match:
+ dest_ip: 100.96.199.113
+ dest_port: 5432
+ event_type: pgsql
+ pgsql.request.protocol_version: '3.0'
+ pgsql.request.startup_parameters.optional_parameters[0].database: rules
+ pgsql.request.startup_parameters.optional_parameters[1].application_name: psql
+ pgsql.request.startup_parameters.optional_parameters[2].client_encoding: UTF8
+ pgsql.request.startup_parameters.user: rules
+ pgsql.tx_id: 2
+ src_ip: 100.88.2.140
+ src_port: 39704
+- filter:
+ count: 1
+ match:
+ dest_ip: 100.96.199.113
+ dest_port: 5432
+ event_type: pgsql
+ pgsql.response.message: authentication_ok
+ pgsql.response.parameter_status[0].application_name: psql
+ pgsql.response.process_id: 28954
+ pgsql.response.secret_key: 889887985
+ pgsql.tx_id: 3
+ src_ip: 100.88.2.140
+ src_port: 39704
+- filter:
+ count: 1
+ match:
+ dest_ip: 100.96.199.113
+ dest_port: 5432
+ event_type: pgsql
+ pcap_cnt: 23
+ pgsql.request.simple_query: select pg_sleep(9)
+ pgsql.response.code: '57014'
+ pgsql.response.field_count: 1
+ pgsql.response.file: postgres.c
+ pgsql.response.line: '3211'
+ pgsql.response.message: canceling statement due to user request
+ pgsql.response.routine: ProcessInterrupts
+ pgsql.response.severity_localizable: ERROR
+ pgsql.response.severity_non_localizable: ERROR
+ pgsql.tx_id: 4
+ src_ip: 100.88.2.140
+ src_port: 39704
+- filter:
+ count: 1
+ match:
+ dest_ip: 100.96.199.113
+ dest_port: 5432
+ event_type: pgsql
+ pgsql.request.message: termination_message
+ pgsql.tx_id: 5
+ src_ip: 100.88.2.140
+ src_port: 39704
+- filter:
+ count: 1
+ match:
+ dest_ip: 100.96.199.113
+ dest_port: 5432
+ event_type: pgsql
+ pgsql.request.secret_key: 889887985
+ pgsql.request.message: cancel_request
+ pgsql.request.process_id: 28954
+ pgsql.tx_id: 1
+ src_ip: 100.88.2.140
+ src_port: 39706
+- filter:
+ count: 2
+ match:
+ app_proto: pgsql
+ event_type: flow
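Review bot: The `cancel_request` check near the end of the hunk is the point of this test, but nothing in test.yaml says why `pgsql.request.process_id: 28954` and `pgsql.request.secret_key: 889887985` are asserted on a flow with `src_port: 39706` while every earlier check uses `src_port: 39704`; a reader has to compare the values by hand against the `authentication_ok` check for `pgsql.tx_id: 3`. A comment above that filter would make the correlation explicit, e.g. `# CancelRequest arrives on a separate connection (src_port 39706); its process_id/secret_key must equal the values Suricata logged with authentication_ok (tx_id 3) on the query connection, which is what lets an analyst tie the two flows together.` The `pgsql.tx_id: 1` on that check presumably holds because transaction ids are counted per flow, and the same comment could say so to stop a future reader from "fixing" it. The closing `flow` check with `count: 2` is what pins the two-connection shape of the pcap and deserves a one-line comment as well.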