
pgsql: add events to handle parser errors - v1

Open jufajardini opened this issue 1 year ago • 3 comments

Link to redmine tickets:
https://redmine.openinfosecfoundation.org/issues/5524
https://redmine.openinfosecfoundation.org/issues/5566

Describe changes:

  • Add events to pgsql so that, when there's a recoverable error, the parser can offer insight into what's wrong and still parse any following pgsql messages

Sharing as a draft as I'm not sure I fully grasp how applayer events work, so not sure I'm doing the right thing here. So far, I wasn't able to create SV tests that will showcase if InvalidLength and MalformedData work, but the SV shows a simple case for TruncatedData with DataRow messages.

TODOs:

  • decide whether TruncatedMessage is actually needed - going with it, for now
  • add more SV tests (InvalidLength and MalformedMessage)
  • document
  • Add descriptions of each event to the commit message
  • clean up commit message

Provide values to any of the below to override the defaults.

SV_BRANCH=https://github.com/OISF/suricata-verify/pull/1356

jufajardini, Aug 22 '23 06:08
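The behaviour the PR description asks for, reporting a recoverable problem as an event and then continuing with the next message, as an added example. This is not the PR's code nor Suricata's own pgsql parser: it is a stand-alone Rust parser for PostgreSQL v3 backend messages (1 type byte, Int32 length that counts itself, body; DataRow bodies carry an Int16 column count and per-column Int32 lengths, -1 meaning NULL) built around the three event names discussed in the thread. The resync rule after an invalid length (skip the five header bytes) and the constructed byte stream are assumptions.

```rust
// Added example: a minimal PostgreSQL v3 backend-message parser that raises
// recoverable events and keeps parsing. Not Suricata's pgsql parser.

pub const HEADER_LEN: usize = 5;     // 1 type byte + 4-byte big-endian length
pub const MIN_DECLARED_LEN: u32 = 4; // the length field counts itself

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PgsqlEvent {
    InvalidLength, // declared length below the protocol minimum
    MalformedData, // body does not match the declared layout (DataRow here)
    TruncatedData, // message promises more bytes than are available yet
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Outcome {
    Message(u8),       // message type byte, parsed cleanly
    Event(PgsqlEvent), // recoverable error; parsing continued afterwards
}

pub struct ParseResult {
    pub outcomes: Vec<Outcome>,
    pub consumed: usize, // bytes fully handled; the caller buffers the rest
}

/// DataRow body: Int16 column count, then per column an Int32 length
/// (-1 = NULL) followed by that many bytes. Returns false if the body does
/// not fit that layout exactly.
fn data_row_is_well_formed(body: &[u8]) -> bool {
    if body.len() < 2 {
        return false;
    }
    let ncols = u16::from_be_bytes([body[0], body[1]]) as usize;
    let mut rest = &body[2..];
    for _ in 0..ncols {
        if rest.len() < 4 {
            return false;
        }
        let col_len = i32::from_be_bytes([rest[0], rest[1], rest[2], rest[3]]);
        rest = &rest[4..];
        if col_len == -1 {
            continue; // NULL column, no payload
        }
        if col_len < -1 {
            return false;
        }
        let n = col_len as usize;
        if rest.len() < n {
            return false; // column claims more bytes than the body holds
        }
        rest = &rest[n..];
    }
    rest.is_empty() // trailing garbage is also malformed
}

pub fn parse_backend(buf: &[u8]) -> ParseResult {
    let mut outcomes = Vec::new();
    let mut pos = 0;
    while pos < buf.len() {
        let rem = &buf[pos..];
        if rem.len() < HEADER_LEN {
            // Not even a full header yet: wait for more data.
            outcomes.push(Outcome::Event(PgsqlEvent::TruncatedData));
            break;
        }
        let msg_type = rem[0];
        let declared = u32::from_be_bytes([rem[1], rem[2], rem[3], rem[4]]);
        if declared < MIN_DECLARED_LEN {
            outcomes.push(Outcome::Event(PgsqlEvent::InvalidLength));
            pos += HEADER_LEN; // assumption: resync right after the bad header
            continue;
        }
        let total = (declared as usize).saturating_add(1); // + type byte
        if rem.len() < total {
            outcomes.push(Outcome::Event(PgsqlEvent::TruncatedData));
            break;
        }
        let body = &rem[HEADER_LEN..total];
        if msg_type == b'D' && !data_row_is_well_formed(body) {
            outcomes.push(Outcome::Event(PgsqlEvent::MalformedData));
        } else {
            outcomes.push(Outcome::Message(msg_type));
        }
        pos += total; // either way, move on to the next message
    }
    ParseResult { outcomes, consumed: pos }
}

/// Builds one backend message with a correct length field.
fn msg(ty: u8, body: &[u8]) -> Vec<u8> {
    let mut v = vec![ty];
    v.extend_from_slice(&((body.len() as u32) + 4).to_be_bytes());
    v.extend_from_slice(body);
    v
}

/// Constructed sample stream (not captured traffic): one message per case.
pub fn sample_stream() -> Vec<u8> {
    let mut s = Vec::new();
    s.extend(msg(b'D', &[0, 2, 0, 0, 0, 2, b'a', b'b', 0xff, 0xff, 0xff, 0xff])); // good DataRow: "ab", NULL
    s.extend([b'Z', 0, 0, 0, 1]);                                                   // length 1 < 4
    s.extend(msg(b'Z', b"I"));                                                       // ReadyForQuery, idle
    s.extend(msg(b'D', &[0, 1, 0, 0, 0, 9, b'x']));                                  // column claims 9 bytes, has 1
    s.extend([b'D', 0, 0, 0, 20, 0, 1]);                                            // 21 bytes promised, 7 present
    s
}

fn main() {
    let r = parse_backend(&sample_stream());
    for o in &r.outcomes {
        println!("{:?}", o);
    }
    println!("consumed {} bytes", r.consumed);
}
```

The point of `consumed` is that TruncatedData is not a failure: the caller keeps the unconsumed tail and calls again when the next segment arrives, while InvalidLength and MalformedData are logged and skipped so a single bad message does not blind the parser to the rest of the flow.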

WARNING:

field                          baseline   test   %
SURI_TLPR1_stats_chk
.app_layer.flow.pgsql                 0     55   -
.app_layer.tx.pgsql                  55    106   192.73%
.app_layer.error.pgsql.parser        55      0   -

Pipeline 15679

suricata-qa, Aug 22 '23 09:08

> Sharing as a draft as I'm not sure I fully grasp how applayer events work, so not sure I'm doing the right thing here. So far, I wasn't able to create SV tests that will showcase if InvalidLength and MalformedData work, but the SV shows a simple case for TruncatedData with DataRow messages.

If you have one SV test with a triggering rule with an app-layer event, it looks good :-) It is just that you do not have a pcap that triggers the other events...

To complete this, I think you should also add a file rules/pgsql.rules (and reserve a sid space in the redmine wiki), as is done for other protocols.

catenacyber, Aug 30 '23 07:08
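What a rules/pgsql.rules file of the kind suggested above could look like, as an added example and not a file from this PR or from Suricata's rules directory. The event names are assumptions, derived from the names used in this thread by applying Suricata's usual lower-case app-layer-event convention, and the sids are placeholders to be replaced by values from the range reserved in the redmine wiki; it also assumes `pgsql` is accepted as the protocol in the rule header.

```suricata
# Example only: event names and sids are placeholders, not the PR's values.
alert pgsql any any -> any any (msg:"SURICATA PgSQL invalid length"; app-layer-event:pgsql.invalid_length; classtype:protocol-command-decode; sid:1000001; rev:1;)
alert pgsql any any -> any any (msg:"SURICATA PgSQL malformed data"; app-layer-event:pgsql.malformed_data; classtype:protocol-command-decode; sid:1000002; rev:1;)
alert pgsql any any -> any any (msg:"SURICATA PgSQL truncated data"; app-layer-event:pgsql.truncated_data; classtype:protocol-command-decode; sid:1000003; rev:1;)
```

Each SV test then only needs to load this file and a pcap that trips one of the events, and check for the matching alert in eve.json; that is the "triggering rule with an app-layer event" referred to above.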

WARNING:

field                          baseline   test   %
SURI_TLPR1_stats_chk
.app_layer.flow.pgsql                 0     55   -
.app_layer.tx.pgsql                  55    106   192.73%
.app_layer.error.pgsql.parser        55      0   -

Pipeline 15679

suricata-qa, Feb 15 '24 11:02

This got stale due to higher priority things, but will get back to it soon, with a new PR.

jufajardini, Apr 17 '24 17:04