Project

General

Profile

Actions

Feature #4986

open

Feature #4174: tracking: app-layer frame inspection support

Task #4871: tracking: implement frames for all parsers

postgresql: support frames

Added by Victor Julien about 2 years ago. Updated over 1 year ago.

Status:
In Progress
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #4241: Protocol support: PostgreSQL (pgsql)ClosedJuliana Fajardini ReichowActions
Actions #1

Updated by Juliana Fajardini Reichow about 2 years ago

  • Related to Feature #4241: Protocol support: PostgreSQL (pgsql) added
Actions #2

Updated by Juliana Fajardini Reichow about 2 years ago

  • Status changed from Assigned to In Progress
Actions #3

Updated by Victor Julien about 2 years ago

  • Tracker changed from Task to Feature
Actions #4

Updated by Juliana Fajardini Reichow about 2 years ago

A proposal for pgsql frame rule keywords:

Introduction: postgreqsl app-layer protocol "header", when it is present, is basically a char (byte) to identify the message (sometimes its meaning is dependent of further message contents and/or state) and a length field to inform message length. With that in mind, we propose the following frame keywords for pgsql:

From the client:
- request: any message from the client
- startup: specific for when the client tries to connect to the server
- query: specific for query commands
- copy_data: specific for COPY subprotocol*

From the server:
- response: any message from the server
- data_row: specific for results of SELECT queries
- copy_data: specific for COPY subprotocol*

Usage: these work with keywords that go with sticky buffer. Example:

alert pgsql $EXTERNAL_NET any -> any any (msg: "pgsql: external select attempt"; frame:pgsql.query; content:"select"; sid:1; rev:1); 

The query, data_row and copy_data keywords could be used to identify specific contents at risk of data breaches, as an example.

(*) Reference: https://www.postgresql.org/docs/14/protocol-flow.html#PROTOCOL-COPY

Actions #5

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Actions

Also available in: Atom PDF