From 0a31d52710b51e4ba26734305d6eb2b643e7c2bc Mon Sep 17 00:00:00 2001
From: Juliana Fajardini <jufajardini@oisf.net>
Date: Tue, 28 Nov 2023 18:19:48 -0300
Subject: [PATCH] tests: add test for pgsql probe bug 6080

Add test for pgsql probing function bug 6080.
Crafted pcap.

Related to
Bug #6080
---
 tests/pgsql-bug-6080-probe-test-01/README.md  |  15 +++++++++
 tests/pgsql-bug-6080-probe-test-01/input.pcap | Bin 0 -> 733 bytes
 .../suricata.yaml                             |  18 ++++++++++
 tests/pgsql-bug-6080-probe-test-01/test.yaml  |  22 +++++++++++++
 .../pgsql-bug-6080-probe-test-01/writepcap.py |  31 ++++++++++++++++++
 5 files changed, 86 insertions(+)
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/README.md
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/input.pcap
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/suricata.yaml
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/test.yaml
 create mode 100644 tests/pgsql-bug-6080-probe-test-01/writepcap.py

diff --git a/tests/pgsql-bug-6080-probe-test-01/README.md b/tests/pgsql-bug-6080-probe-test-01/README.md
new file mode 100644
index 000000000..3cd229550
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/README.md
@@ -0,0 +1,15 @@
+# Test Description
+
+The probing function for PGSQL, in some scenarios, could identify any TCP message
+sent to the standard PGSQL port - 5432 - as PGSQL traffic, leading to false
+positives.
+
+## PCAP
+
+This pcap was created using the Scapy script included in the test directory,
+to reproduce a non-shareable traffic capture.
+
+## Related issues
+
+Bug report on Redmine:
+https://redmine.openinfosecfoundation.org/issues/6080
diff --git a/tests/pgsql-bug-6080-probe-test-01/input.pcap b/tests/pgsql-bug-6080-probe-test-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0238838f6a5f5eae8c7317d39448b1885c897436
GIT binary patch
literal 733
zcmca|c+)~A1{MYw`2U}Q;R%rQBqA+UeF_VM0gw&Ct{{q$fx&@IcJdklM#eP)EW#{O
zq82cH1x)|{^Uh*mU}9n2!omd6?=lUSeimVn8KM>}Qc(Sj1wvvMzU@HO|6n=`g9cCm
z2m|fcfZ9JB&3>S(7#ITt{{Of1f!I5JCSiT7H)ceD^-28yKU)N%@91n?`cT{pvQITY
zK<t7N&;(F8dCz5G&;$yCFwmWvP<PG(g%OfJA^If5F1+w#V6XydESZnXLX-do1}DhE
z|Nkt3Apz3&YXJ*`HBb<QffiarE$l$E5TXxg;p<|cg~mC?#wB{isYPX}MSA%~>5N<;
zqXHHa<pfm*2G-yJiC=3i6(CNyyo4xyreJ-NKz;lWeSXV`2`koMpwCVONJuI?;Dm<N
UtQACAcmil)NB}TGjrAB90ADqOp#T5?

literal 0
HcmV?d00001

diff --git a/tests/pgsql-bug-6080-probe-test-01/suricata.yaml b/tests/pgsql-bug-6080-probe-test-01/suricata.yaml
new file mode 100644
index 000000000..b2aea2623
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+app-layer:
+  protocols:
+    pgsql:
+      enabled: yes
+      stream-depth: 0
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - pgsql
+        - flow
+
diff --git a/tests/pgsql-bug-6080-probe-test-01/test.yaml b/tests/pgsql-bug-6080-probe-test-01/test.yaml
new file mode 100644
index 000000000..73608589c
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      dest_port: 5432
+      event_type: pgsql
+      proto: TCP
+- filter:
+    count: 0
+    match:
+      app_proto: pgsql
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: flow
diff --git a/tests/pgsql-bug-6080-probe-test-01/writepcap.py b/tests/pgsql-bug-6080-probe-test-01/writepcap.py
new file mode 100644
index 000000000..b52a0ead5
--- /dev/null
+++ b/tests/pgsql-bug-6080-probe-test-01/writepcap.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+'''packet 1'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='S', window=65535, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 2'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432,
+                flags='S''A', ack=1, window=5840, seq=0, options=[('MSS', 1460), ('SAckOK', '')])
+'''packet 3'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=1, window=65535, seq=1)
+'''packet 4'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1, window=65535, seq=98080856)
+'''packet 5'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='A', ack=37, window=5840, seq=1)
+'''packet 6'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=1)/":"
+'''packet 7'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='A', ack=37, window=65534, seq=2)
+'''packet 8'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=37, window=5840, seq=2)/"p1r473.server.org\x01\n"
+'''packet 9'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='P''A', ack=1363, window=64173, seq=37)
+'''packet 10'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='F''P''A', ack=1363, window=64173, seq=53)
+'''packet 11'''
+pkts += IP(src='172.16.4.19', dst='172.16.1.1')/TCP(dport=1050, sport=5432, flags='P''A', ack=200, window=6432, seq=1363)/":"
+'''packet 12'''
+pkts += IP(dst='172.16.4.19', src='172.16.1.1')/TCP(sport=1050, dport=5432, flags='R''A', ack=1364, window=0, seq=200)
+
+wrpcap('input.pcap', pkts)