postgresql: add initial support (WIP) - checkpoint #6281
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rust/src/applayerpgsql/parser.rs: - add nom parsers for decoding most messages involved in Startup Phase - add more unittests src/Makefile.am fix formatting issue rust/src/applayerpgsql/pgsql.rs: - fix unused documentation comments warning output-json-pgsql.c: - update CreateEveHeader call.
pgsql: adapt decoder for multi-message transaction style (WIP)
- midway WIP, deciding if should keep this style or rollback
make sure PostgreSQL isn't enabled by default.
pgsql: Add directions to re-write parse_request and parse_response tests/fuzz: add PostgreSQL to confyaml.c pgsql: rewrite parse_request pgsql: rewrite parse_request (WIP) PostgreSQL: add debug to probe fn
PostgreSQL: parse SimpleQuery subprotocol (WIP) - parse Query request - WIP parse RowDescription message (nom parser) parser/pgsql: parse RowDescription messages (compiles) pgsql/pgsql: adjust unittest for probe_response probe_tc must check for ssl_responses, otherwise suricata misses some messages in case of gap. But that rendered some of the unittests bonky. parser/pgsql: add RowData nom parser (WIP) Pgsql: parse more Simple Query messages Pgsql: integrate new nom parsers (WIP) PostgreSQL: parse Simple Query (WIP)
rust/pgsql: - add PgsqlTransaction to cbindgen context - add postgresql messages to logger, with filterable fields - make fields and structs public so logger can access those src/output-json-pgsql: - convert logger to jsonbuilder
3 tasks
Codecov Report
@@ Coverage Diff @@
## master #6281 +/- ##
==========================================
- Coverage 76.97% 76.88% -0.10%
==========================================
Files 611 613 +2
Lines 186249 186330 +81
==========================================
- Hits 143368 143262 -106
- Misses 42881 43068 +187
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
the commit-check fail is, as far as I could understand, from a commit when the logger hadn't been converted into JsonBuilder yet... |
|
ERROR: QA failed on generic_collect. Pipeline 3639 |
| PgsqlErrorNoticeFieldType::TerminatorToken => { | ||
| // do nothing, as that's the terminator token ? | ||
| }, | ||
| PgsqlErrorNoticeFieldType::UnknownFieldType => { |
There was a problem hiding this comment.
is this unknown to suri, or unknown in the pgsql protocol spec?
There was a problem hiding this comment.
The specification lists existing field types, but states that more types can be added in the future - therefore, frontends should silently ignore unrecognized field types.
| } | ||
|
|
||
| impl PgsqlFEMessage { | ||
| pub fn get_message_type(&self) -> &str { |
There was a problem hiding this comment.
this method turns a type into a string, so its name should reflect that
| } | ||
| } | ||
|
|
||
| impl From<u8> for PgsqlErrorNoticeFieldType { |
There was a problem hiding this comment.
can these 2 funcs somehow be merged, or use a common util func?
There was a problem hiding this comment.
Checking this properly, now, those two cannot, as this From<u8> is for the ErrorMessages and NoticeMessages types, not the front end messages.
The From functions are also used by the nom parsers, in the cases where that makes sense, and return types compatible with said parsers. Whereas the get_message_type is used by the app-layer parsing the requests and responses and the logger. So I'm guessing that some documentation is needed here, to explain that (plus proper naming the get_message_typeone)...
| } | ||
| } | ||
| #[derive(Debug, PartialEq)] | ||
| pub enum PgsqlStateProgress { |
There was a problem hiding this comment.
this looks quite similar to PgsqlTransactionState, is there a need for both to exist?
There was a problem hiding this comment.
They're indeed similar, and I'm still trying to figure that out, to be honest. First, we thought that progress would be tracked per transaction, then, due to how postgresql protocol transactions work, we thought that maybe tracking it just in state would be enough. Currently, basically only PgsqlStateProgress is being used. But I would say I must investigate the logs a bit more, to understand if Suri can interpret the traffic correctly with StateProgress only.
| self.transactions.push(tx); | ||
| } | ||
| // If we don't have to create a new transaction, just return the current one | ||
| return self.transactions.last_mut().unwrap(); |
There was a problem hiding this comment.
is it possible that there is no tx yet, so this unwrap would fail?
| PgsqlStateProgress::CommandCompletedReceived => { | ||
| match parser::parse_request(start) { | ||
| // TODO Question should I also add "&& self.transactions.is_empty()" | ||
| Ok((rem, request)) => { |
There was a problem hiding this comment.
think it would be good to move this block into a util func to keep the main loop more readable
|
@jasonish can you have a look at the EVE output and see if that is what we'd want vs how verbose it is? |
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
- answer object - top level rrname and rrtype - header level details in answers Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
If multiple queries exist in a DNS request, Suricata would log a discrete DNS event for each request. However, in an alert on a DNS request, the DNS object would contain an array of query objects. This brings the "dns" object into alignment with respect to DNS requests in alerts and "dns" records. This introduces a new function for logging DNS messages that is common for requests and responses which should reduce code, but for this commit is only used for requests, so doesn't cover responses yet. As this is a breaking change, rename the "query" array in alerts to "queries" to be more in alignment with how we log "answers" and "authorities". Note that this is a breaking change. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
By using the same function for logging DNS requests and responses we can better ensure that the format stays consistent between. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
- answer object - top level rrname and rrtype - header level details in answers Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
By using the same function for logging DNS requests and responses we can better ensure that the format stays consistent between. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 21, 2024
- answer object - top level rrname and rrtype - header level details in answers Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 27, 2024
If multiple queries exist in a DNS request, Suricata would log a discrete DNS event for each request. However, in an alert on a DNS request, the DNS object would contain an array of query objects. This brings the "dns" object into alignment with respect to DNS requests in alerts and "dns" records. This introduces a new function for logging DNS messages that is common for requests and responses which should reduce code, but for this commit is only used for requests, so doesn't cover responses yet. As this is a breaking change, rename the "query" array in alerts to "queries" to be more in alignment with how we log "answers" and "authorities". Note that this is a breaking change. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 27, 2024
By using the same function for logging DNS requests and responses we can better ensure that the format stays consistent between. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 27, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 27, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 27, 2024
- answer object - top level rrname and rrtype - header level details in answers Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jun 27, 2024
V3 style DNS logging fixes the discrepancies between request and response logging better dns records and alert records. The main change is that queries and answers are always logged as arrays, and header fields are not logged in array items. For alerts this means that answers are now logged as arrays, queries already were. DNS records will get this new format as well, but with a configuration parameter. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
V3 style DNS logging fixes the discrepancies between request and response logging better dns records and alert records. The main change is that queries and answers are always logged as arrays, and header fields are not logged in array items. For alerts this means that answers are now logged as arrays, queries already were. DNS records will get this new format as well, but with a configuration parameter. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
DNS v3 logging fixes the discrepancies between request and response logging with the main difference being queries always being placed in an array. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
DNS v3 logging fixes the discrepancies between request and response logging with the main difference being queries always being placed in an array. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
V3 style DNS logging fixes the discrepancies between request and response logging better dns records and alert records. The main change is that queries and answers are always logged as arrays, and header fields are not logged in array items. For alerts this means that answers are now logged as arrays, queries already were. DNS records will get this new format as well, but with a configuration parameter. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
DNS v3 logging fixes the discrepancies between request and response logging with the main difference being queries always being placed in an array. Bug: OISF#6281
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
jasonish
added a commit
to jasonish/suricata
that referenced
this pull request
Jul 5, 2024
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Jul 9, 2024
V3 style DNS logging fixes the discrepancies between request and response logging better dns records and alert records. The main change is that queries and answers are always logged as arrays, and header fields are not logged in array items. For alerts this means that answers are now logged as arrays, queries already were. DNS records will get this new format as well, but with a configuration parameter. Bug: OISF#6281
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Jul 9, 2024
DNS v3 logging fixes the discrepancies between request and response logging with the main difference being queries always being placed in an array. Bug: OISF#6281
victorjulien
pushed a commit
to victorjulien/suricata
that referenced
this pull request
Jul 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/4241
Previous PR: #6062
Describe changes:
This version covers most of the messages related to startup phase and simple query, except for
NegotiateProtocolVersion- must understand how this happens, still.The logger has filterable fields (eve.json), but might be too verbose at this point.
Considerations:
TLS(STARTTLS) yet.Mostly tested with the pcaps available here:
https://drive.google.com/drive/folders/1BPJICt_ybkofDUPrMdGglvfQeefFCQF_?usp=sharing