Feature #8335

open

pgsql: add keywords for better detection and coverage

Added by Peter Manev about 10 hours ago. Updated about 8 hours ago.

Status: Assigned
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

We have PostgreSQL/pgsql protocol logging - it is great to have it in the SIEM and do visualizations with it.
While I was doing that, a few things made an impression on me: we could add keywords in order to trigger an alert (not just have it as protocol data being logged).

We could use some keywords for the below:

pgsql.request.protocol_version
pgsql.response.parameter_status.is_superuser
pgsql.request.startup_parameters.user
pgsql.request.startup_parameters.optional_parameters.database
pgsql.response.authentication_md5_password 

The idea is to highlight weak or clear text passwords and misconfiguration, and also to match on a field - if it exists or if it has specific content.
This is very valuable, especially if the communication is North/South.
The attached screenshot is a simple list from Kibana for reference.

Would be great if this can be done in Suricata 8, not just 9.
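The checks the ticket asks for (match on a field if it exists, or if it has specific content, over the five pgsql EVE fields listed above) can be prototyped against eve.json before any rule keyword exists. The script below is an added example, not part of the ticket or of Suricata: the sample records are constructed, the nesting under "pgsql" is assumed from the dotted field names, and the 10.0.0.0/8 "internal" range, the "prod" database watchlist and the "postgres" login name are illustrative assumptions.

```python
import ipaddress
import json

# Constructed sample EVE pgsql records (not real captures). The nesting under
# "pgsql" is assumed from the dotted field names listed in the ticket.
SAMPLE_EVE = r"""
{"event_type":"pgsql","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","pgsql":{"tx_id":1,"request":{"protocol_version":"3.0","startup_parameters":{"user":"postgres","optional_parameters":{"database":"prod"}}},"response":{"authentication_md5_password":"constructed-salt"}}}
{"event_type":"pgsql","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","pgsql":{"tx_id":2,"response":{"parameter_status":{"server_version":"15.4","is_superuser":"on"}}}}
{"event_type":"pgsql","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","pgsql":{"tx_id":1,"request":{"protocol_version":"3.0","startup_parameters":{"user":"app_ro","optional_parameters":{"database":"reporting"}}},"response":{"authentication_sasl":["SCRAM-SHA-256"]}}}
"""
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site range

# Each rule: (name, dotted EVE field, predicate over the value or None).
# Existence checks test `v is not None`; content checks compare the value.
RULES = [
    ("md5 password auth in use", "pgsql.response.authentication_md5_password",
     lambda v: v is not None),
    ("non-3.0 protocol version", "pgsql.request.protocol_version",
     lambda v: v is not None and v != "3.0"),
    ("superuser session", "pgsql.response.parameter_status.is_superuser",
     lambda v: v == "on"),
    ("default admin login", "pgsql.request.startup_parameters.user",
     lambda v: v == "postgres"),
    ("watched database", "pgsql.request.startup_parameters.optional_parameters.database",
     lambda v: v in {"prod"}),  # constructed watchlist
]

def get_path(record, dotted):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def scan(eve_text):
    """Return one finding per (record, matching rule), in rule order."""
    findings = []
    for line in eve_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "pgsql":
            continue
        inside = lambda ip: ipaddress.ip_address(rec[ip]) in INTERNAL_NET
        for name, path, match in RULES:
            if match(get_path(rec, path)):
                findings.append({"rule": name, "field": path, "src_ip": rec["src_ip"],
                                 "tx_id": rec["pgsql"].get("tx_id"),
                                 "north_south": inside("src_ip") != inside("dest_ip")})
    return findings
```

The `north_south` flag marks sessions that cross the assumed internal boundary, so the same finding can be weighted differently for internal-only versus edge-crossing traffic.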


Files

pqsql-kibana.png (142 KB), Peter Manev, 02/27/2026 10:24 AM

#1

Updated by Juliana Fajardini Reichow about 8 hours ago

  • Subject changed from add keywords for better pgsql detection and coverage to pgsql: add keywords for better detection and coverage
  • Status changed from New to Assigned
  • Assignee set to Juliana Fajardini Reichow
  • Target version changed from TBD to 9.0.0-beta1