tests: add test for pgsql probe bug 6080

Add test for pgsql probing function bug 6080. Crafted pcap. Related to Bug #6080
OISF · Dec 4, 2023 · 0a31d52 · 0a31d52
1 parent 4de2a8c
commit 0a31d52
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 0 deletions.
diff --git a/tests/pgsql-bug-6080-probe-test-01/README.md b/tests/pgsql-bug-6080-probe-test-01/README.md
@@ -0,0 +1,15 @@
+# Test Description
+
+The probing function for PGSQL, in some scenarios, could identify any TCP message
+sent to the standard PGSQL port - 5432 - as PGSQL traffic, leading to false
+positives.
+
+## PCAP
+
+This pcap was created using the Scapy script included in the test directory,
+to reproduce a non-shareable traffic capture.
+
+## Related issues
+
+Bug report on Redmine:
+https://redmine.openinfosecfoundation.org/issues/6080
diff --git a/tests/pgsql-bug-6080-probe-test-01/input.pcap b/tests/pgsql-bug-6080-probe-test-01/input.pcap
diff --git a/tests/pgsql-bug-6080-probe-test-01/suricata.yaml b/tests/pgsql-bug-6080-probe-test-01/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql
+        - flow
+
diff --git a/tests/pgsql-bug-6080-probe-test-01/test.yaml b/tests/pgsql-bug-6080-probe-test-01/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      dest_port: 5432
+      event_type: pgsql
+      proto: TCP
+- filter:
+    count: 0
+    match:
+      app_proto: pgsql
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: flow
diff --git a/tests/pgsql-bug-6080-probe-test-01/writepcap.py b/tests/pgsql-bug-6080-probe-test-01/writepcap.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+'''packet 1'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='S', window=65535, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 2'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432,
+                flags='S''A', ack=1, window=5840, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 3'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=1, window=65535, seq=1)
+'''packet 4'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1, window=65535, seq=98080856)
+'''packet 5'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='A', ack=37, window=5840, seq=1)
+'''packet 6'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=1)/":"
+'''packet 7'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=37, window=65534, seq=2)
+'''packet 8'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=2)/"p1r473.server.org\x01\n"
+'''packet 9'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1363, window=64173, seq=37)
+'''packet 10'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='F''P''A', ack=1363, window=64173, seq=53)
+'''packet 11'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=200, window=6432, seq=1363)/":"
+'''packet 12'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='R''A', ack=1364, window=0, seq=200)
+
+wrpcap('input.pcap', pkts)