Bug #6092 (Closed)
eve/alert: missing pgsql metadata
Added by Philippe Antoine almost 3 years ago. Updated about 2 years ago.
#1 - Updated by Philippe Antoine almost 3 years ago
- Copied from Bug #5977: eve/alert: missing KRB5 metadata added
#2 - Updated by Philippe Antoine over 2 years ago
- Related to Optimization #3827: output: clean up logging initialization code added
#3 - Updated by Juliana Fajardini Reichow about 2 years ago
- Status changed from New to In Progress
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
- Target version changed from TBD to 8.0.0-beta1
#4 - Updated by Juliana Fajardini Reichow about 2 years ago
- Status changed from In Progress to In Review
PR for review: https://github.com/OISF/suricata/pull/10830
#5 - Updated by Juliana Fajardini Reichow about 2 years ago
- Status changed from In Review to Closed
Merged with PR https://github.com/OISF/suricata/pull/10856
#6 - Updated by Philippe Antoine about 2 years ago
@Juliana Fajardini Reichow I do not see an SV test with an alert event and pgsql metadata.
Is there one?
#7 - Updated by Juliana Fajardini Reichow about 2 years ago
Philippe Antoine wrote in #note-6:
> @Juliana Fajardini Reichow I do not see an SV test with an alert event and pgsql metadata.
> Is there one?
No, I haven't finished work on PGSQL events yet. I only followed the approach as seen for MQTT, for proposing a solution for this ticket. Should I reopen this ticket?
#8 - Updated by Philippe Antoine about 2 years ago
Juliana Fajardini Reichow wrote in #note-7:
> No, I haven't finished work on PGSQL events yet. I only followed the approach as seen for MQTT, for proposing a solution for this ticket. Should I reopen this ticket?
I think you do not need events for this.
You can see for instance commit 4d2bd8cc38bb8d78cb8c473e831cb41140e3a80c in SV, about test output-eve-tftp-01 adding a check for an alert event with some tftp details
#9 - Updated by Juliana Fajardini Reichow about 2 years ago
Philippe Antoine wrote in #note-8:
> Juliana Fajardini Reichow wrote in #note-7:
> > No, I haven't finished work on PGSQL events yet. I only followed the approach as seen for MQTT, for proposing a solution for this ticket. Should I reopen this ticket?
> I think you do not need events for this.
> You can see for instance commit 4d2bd8cc38bb8d78cb8c473e831cb41140e3a80c in SV, about test output-eve-tftp-01 adding a check for an alert event with some tftp details
But would that work without detection capabilities for pgsql? :/
#10 - Updated by Philippe Antoine about 2 years ago
I guess so: there is no tftp keyword.
#11 - Updated by Juliana Fajardini Reichow about 2 years ago
Philippe Antoine wrote in #note-10:
> I guess so: there is no tftp keyword.
Thanks, I was trying and my tests were failing, but it turns out that I (once again) had forgotten to add alert event types to my EVE logs ;_;
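The check discussed in #note-8 and the failure mode hit in #note-11, as an added example that is not part of this ticket or of suricata-verify: a small Python checker that reads EVE JSON lines and reports whether alert events on pgsql flows carry a `pgsql` object. The sample EVE lines and the field names inside the `pgsql` object are constructed for the example; the real SV test expresses the same condition in its test.yaml rather than in Python. The verdict distinguishes "no alert events at all" (the eve-log `alert` type not enabled, as in #note-11) from "alert events present but without the app-layer object" (the bug this ticket is about).

```python
import json
from typing import Iterable

# Constructed sample EVE output (not real Suricata output). Line 1 is an
# alert on a pgsql flow that carries the pgsql object; line 2 is a pgsql
# transaction record (not an alert); line 3 is an alert on a pgsql flow
# that lacks the pgsql object, i.e. the behaviour this ticket reports.
SAMPLE_EVE = """\
{"event_type":"alert","app_proto":"pgsql","alert":{"signature_id":1},"pgsql":{"tx_id":0,"request":{"simple_query":"select 1"}}}
{"event_type":"pgsql","app_proto":"pgsql","pgsql":{"tx_id":1}}
{"event_type":"alert","app_proto":"pgsql","alert":{"signature_id":2}}
"""


def parse_eve(text: str) -> list:
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_alert_metadata(events: Iterable[dict], app_proto: str = "pgsql") -> dict:
    """Count alert events on app_proto flows and how many of them carry
    the app-layer object stored under the key named after the protocol
    (for pgsql: ev["pgsql"]). Signature ids of alerts lacking the object
    are collected so a failing test can say which rule fired without it."""
    seen = 0
    with_meta = 0
    missing_sids = []
    for ev in events:
        if ev.get("event_type") != "alert" or ev.get("app_proto") != app_proto:
            continue
        seen += 1
        if isinstance(ev.get(app_proto), dict):
            with_meta += 1
        else:
            missing_sids.append(ev.get("alert", {}).get("signature_id"))
    return {"alerts": seen, "with_metadata": with_meta, "missing": missing_sids}


def verdict(result: dict, app_proto: str = "pgsql") -> str:
    """Turn the counts into the message a test runner would print."""
    if result["alerts"] == 0:
        # No alerts at all usually means the 'alert' type is not enabled
        # in eve-log, not that the metadata is missing.
        return "no alert events: is the 'alert' type enabled in eve-log?"
    if result["missing"]:
        return "alert events without %s metadata: sids %s" % (
            app_proto, result["missing"])
    return "ok"


if __name__ == "__main__":
    summary = check_alert_metadata(parse_eve(SAMPLE_EVE))
    print(summary)
    print(verdict(summary))
```

Run against a real eve.json by replacing `SAMPLE_EVE` with the file contents; the same three-way verdict is what a test.yaml `checks` filter on `event_type: alert` plus a `pgsql` key encodes for suricata-verify.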
#12 - Updated by Juliana Fajardini Reichow about 2 years ago
- Related to Bug #6983: eve/alert/metadata: no pgsql object encapsulation added
#13 - Updated by Juliana Fajardini Reichow about 2 years ago
Philippe Antoine wrote in #note-10:
> I guess so: there is no tftp keyword.
Philippe Antoine wrote in #note-6:
> @Juliana Fajardini Reichow I do not see an SV test with an alert event and pgsql metadata.
> Is there one?
Does this work? https://github.com/OISF/suricata-verify/pull/1796
#14 - Updated by Philippe Antoine about 2 years ago
Looking good, will review it there