Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pgsql: add tests with alert metadata - v6 #2039

Closed
wants to merge 2 commits into from
Closed

pgsql: add tests with alert metadata - v6 #2039

wants to merge 2 commits into from

Conversation

jufajardini
Copy link
Contributor

@jufajardini jufajardini commented Sep 13, 2024
edited
Loading

Check for transaction metadata in PGSQL alerts.
Add engine-analysis tests for the used rules, as well, to better describe them and compare with expected behavior.

Related to
Task #7000

Suricata PR: OISF/suricata#11776

Previous PR: #2025

Updates:

  • Rebase
  • add a disclaimer to the pgsql rules, as they're not good real-life rule examples
  • Update pgsql-bug-6983-ips test as one of the checks would now fail due to better transaction completion tracking (the per-direction factor means that when we log the first alert, in ips, now, we don't have the response part of the transaction available)

Expectation:

  • all tests should pass with master, except pgsql-bug-6983-ips. The other tests pass because, as far as I understand, tracking tx completion per direction results in a similar behavior to what we used to see with where we were previously triggering raw stream reassembly.

Ticket

If your pull request is related to a Suricata ticket, please provide
the full URL to the ticket here so this pull request can monitor
changes to the ticket status:

Redmine ticket:

jufajardini and others added 2 commits September 13, 2024 12:47
@jufajardini
pgsql: add tests with alert metadata
eddd563 
Check for transaction metadata in PGSQL alerts.
Add `engine-analysis` tests for the used rules, as well, to better
describe them and compare with expected behavior.

Related to
Task #7000
@jufajardini
pgsql: update bug 6983 test
e88fdb5 
With the tracking of transaction completion per-direction, in IPS mode,
the engine will match on the rule before it sees the response message,
so it won't log the full transaction with the alert.

Related to
Bug #7113
This was referenced Sep 13, 2024
Closed
Closed
catenacyber
catenacyber reviewed Sep 15, 2024
View reviewed changes
tests/pgsql/pgsql-bug-6983-ips/test.yaml
match:
event_type: alert
alert.signature_id: 1
pgsql.request.simple_query: "select * from rules where sid = 2021701;"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I propose we keep simply this check without pgsql.response.field_count for all versions

@catenacyber catenacyber added the prerequisite prerequisite before Suricata PR label Sep 15, 2024
@jufajardini jufajardini mentioned this pull request Sep 19, 2024
Closed
@jufajardini
Copy link
Contributor Author

followed by: #2048

@jufajardini jufajardini deleted the sv-pgsql-7113/v6 branch September 20, 2024 22:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@catenacyber catenacyber catenacyber left review comments

Assignees
No one assigned
Labels
prerequisite prerequisite before Suricata PR
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jufajardini @catenacyber