pgsql: update bug 6983 test
With the tracking of transaction completion per-direction, in IPS mode,
the engine will match on the rule before it sees the response message,
so it won't log the full transaction with the alert.

Update the checks for the alert to keep it simpler and thus compatible
with both Suri-7 and Suri-8.

Related to
Bug #7113
jufajardini authored and victorjulien committed Sep 20, 2024
1 parent 6eab6f9 commit 8b65014
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions tests/pgsql/pgsql-bug-6983-ips/test.yaml
Expand Up @@ -13,7 +13,8 @@ checks:
match:
event_type: pgsql
- filter:
# in ips mode, as this rule inspects the stream only (no pgsql keywords), we end up getting two alerts instead of one
# in ips mode, as this rule inspects the stream only (no pgsql keywords),
# we end up getting two alerts instead of one
count: 2
match:
event_type: alert
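Review bot: the comment above `count: 2` is only re-wrapped and still does not say which two alerts are expected in IPS mode, so a reader cannot tell from the test whether the second alert is intended behaviour or a tolerated side effect. Consider naming the two alerts (for example, which direction or message each one fires on) or pointing to the bug ticket the test directory is named after, so a later change in the count can be judged against that.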
Expand All @@ -24,4 +25,3 @@ checks:
event_type: alert
alert.signature_id: 1
pgsql.request.simple_query: "select * from rules where sid = 2021701;"
pgsql.response.field_count: 10
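Review bot: dropping `pgsql.response.field_count: 10` from the `alert.signature_id: 1` check leaves that check with no assertion on response-side data, so the test now passes even if the response is never parsed or logged. The commit message explains why the alert can no longer carry the full transaction in IPS mode; to keep the coverage, consider asserting the field count in the `event_type: pgsql` check earlier in the file, which should still see the complete transaction, rather than removing the assertion outright.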
