Feature #4986
Feature #4174: tracking: app-layer frame inspection support
Task #4871: tracking: implement frames for all parsers
pgsql: support frames
Updated by Juliana Fajardini Reichow almost 3 years ago
- Related to Feature #4241: Protocol support: PostgreSQL (pgsql) added
Updated by Juliana Fajardini Reichow almost 3 years ago
- Status changed from Assigned to In Progress
Updated by Victor Julien almost 3 years ago
- Tracker changed from Task to Feature
Updated by Juliana Fajardini Reichow almost 3 years ago
A proposal for pgsql frame rule keywords:
Introduction: the postgresql app-layer protocol "header", when it is present, is basically a char (byte) to identify the message (sometimes its meaning is dependent on further message contents and/or state) and a length field to inform the message length. With that in mind, we propose the following frame keywords for pgsql:
From the client:
- request: any message from the client
- startup: specific for when the client tries to connect to the server
- query: specific for query commands
- copy_data: specific for COPY subprotocol*
From the server:
- response: any message from the server
- data_row: specific for results of SELECT queries
- copy_data: specific for COPY subprotocol*
Usage: these work with keywords that go with sticky buffers. Example:
alert pgsql $EXTERNAL_NET any -> any any (msg: "pgsql: external select attempt"; frame:pgsql.query; content:"select"; sid:1; rev:1);
The query, data_row and copy_data keywords could be used to identify specific contents at risk of data breaches, as an example.
(*) Reference: https://www.postgresql.org/docs/14/protocol-flow.html#PROTOCOL-COPY
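Added example (editor's code, not part of this issue and not Suricata's pgsql parser): the script below walks a constructed client stream and a constructed server stream, splits them into the frames named in the proposal above using the v3 wire layout (startup message = self-inclusive Int32 length with no type byte; every later message = one type byte + Int32 length that counts itself but not the type byte), and then emulates the `frame:pgsql.query; content:"select";` rule over the resulting frames. The frame names, the CLIENT_SPECIFIC/SERVER_SPECIFIC tables and the sample messages are assumptions made for the example; the trailing-bytes handling shows what a frame parser has to do when a message is only partly received.

```python
import struct

# Assumed mapping from message-type byte to the proposal's specific frame names.
# Every client message also gets a "request" frame, every server message a
# "response" frame; only these types get a second, more specific frame.
CLIENT_SPECIFIC = {b"Q": "query", b"d": "copy_data"}
SERVER_SPECIFIC = {b"D": "data_row", b"d": "copy_data"}


def parse_frames(data, from_client, expect_startup=True):
    """Split a raw pgsql byte stream into (frame_name, offset, length) tuples.

    Returns (frames, consumed). Bytes at or after `consumed` belong to a
    message whose header or body has not fully arrived yet, so the caller
    re-parses from there once more data is available. A length field below 4
    (it must at least cover itself) is treated as a protocol error.
    """
    frames = []
    off = 0
    in_startup = from_client and expect_startup
    while off < len(data):
        hdr = 4 if in_startup else 5
        if off + hdr > len(data):
            break  # not even a complete header yet
        if in_startup:
            (mlen,) = struct.unpack("!I", data[off:off + 4])
            total = mlen                # length counts itself, no type byte
        else:
            (mlen,) = struct.unpack("!I", data[off + 1:off + 5])
            total = 1 + mlen            # type byte is outside the length
        if mlen < 4:
            raise ValueError("pgsql length field %d below minimum" % mlen)
        if off + total > len(data):
            break  # body not fully received
        if in_startup:
            frames.append(("request", off, total))
            frames.append(("startup", off, total))
            in_startup = False
        else:
            frames.append(("request" if from_client else "response", off, total))
            table = CLIENT_SPECIFIC if from_client else SERVER_SPECIFIC
            specific = table.get(data[off:off + 1])
            if specific:
                frames.append((specific, off, total))
        off += total
    return frames, off


def frame_content(data, frames, frame_name, needle):
    """Emulate `frame:pgsql.<frame_name>; content:"<needle>";`: offsets of the
    frames of that name whose bytes contain needle. The match is case-sensitive,
    as a Suricata content match is without the nocase modifier."""
    return [off for name, off, ln in frames
            if name == frame_name and needle in data[off:off + ln]]


# --- constructed sample traffic (built here, not a real capture) ------------
def msg(mtype, payload):
    """Typed message: type byte + self-inclusive Int32 length + payload."""
    return mtype + struct.pack("!I", 4 + len(payload)) + payload


def startup(params):
    """v3.0 StartupMessage: Int32 length, protocol 196608, NUL-terminated
    key/value pairs, final NUL."""
    body = struct.pack("!I", 196608)
    for key, val in params.items():
        body += key + b"\x00" + val + b"\x00"
    body += b"\x00"
    return struct.pack("!I", 4 + len(body)) + body


CLIENT_STREAM = (startup({b"user": b"app", b"database": b"prod"})
                 + msg(b"Q", b"select 1\x00")   # simple Query
                 + msg(b"X", b""))               # Terminate
SERVER_STREAM = (msg(b"D", struct.pack("!H", 1) + struct.pack("!I", 1) + b"1")  # DataRow, one column "1"
                 + msg(b"C", b"SELECT 1\x00")   # CommandComplete
                 + msg(b"Z", b"I"))             # ReadyForQuery, idle


if __name__ == "__main__":
    for label, stream, client in (("client", CLIENT_STREAM, True),
                                  ("server", SERVER_STREAM, False)):
        frames, used = parse_frames(stream, client)
        print(label, "consumed", used, "of", len(stream), "bytes")
        for name, off, ln in frames:
            print("  pgsql.%-9s off=%2d len=%2d %r" % (name, off, ln, stream[off:off + ln]))
    cf, _ = parse_frames(CLIENT_STREAM, True)
    print("query frames containing b'select':", frame_content(CLIENT_STREAM, cf, "query", b"select"))
```

Note that the rule in the proposal uses `content:"select"` without `nocase`, so an uppercase `SELECT` in the query frame would not match it; the example's `frame_content` behaves the same way.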
Updated by Victor Julien over 2 years ago
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Updated by Victor Julien 6 months ago
- Subject changed from postgresql: support frames to pgsql: support frames