pgsql: fix probing functions

Some non-pgsql traffic seen by Suricata is mistankenly identified as pgsql, as the probing function is too generic. Now, if the parser sees an unknown message type, even if it looks like pgsql, it will fail. Bug #6080
2 years ago · 4f85d06192
parent 1ac5d97259
commit 4f85d06192
1 changed files with 19 additions and 4 deletions
--- a/rust/src/pgsql/pgsql.rs
+++ b/rust/src/pgsql/pgsql.rs
@ -151,7 +151,7 @@ impl Default for PgsqlState {
        Self::new()
    }
 }
-    
+
 impl PgsqlState {
    pub fn new() -> Self {
        Self {
@ -563,8 +563,20 @@ pub unsafe extern "C" fn rs_pgsql_probing_parser_ts(
    if input_len >= 1 && !input.is_null() {

        let slice: &[u8] = build_slice!(input, input_len as usize);
-        if probe_ts(slice) {
-            return ALPROTO_PGSQL;
+
+        match parser::parse_request(slice) {
+            Ok((_, request)) => {
+                if let PgsqlFEMessage::UnknownMessageType(_) = request {
+                    return ALPROTO_FAILED;
+                }
+                return ALPROTO_PGSQL;
+            }
+            Err(Err::Incomplete(_)) => {
+                return ALPROTO_UNKNOWN;
+            }
+            Err(_e) => {
+                return ALPROTO_FAILED;
+            }
        }
    }
    return ALPROTO_UNKNOWN;
@ -584,7 +596,10 @@ pub unsafe extern "C" fn rs_pgsql_probing_parser_tc(
        }

        match parser::pgsql_parse_response(slice) {
-            Ok((_, _response)) => {
+            Ok((_, response)) => {
+                if let PgsqlBEMessage::UnknownMessageType(_) = response {
+                    return ALPROTO_FAILED;
+                }
                return ALPROTO_PGSQL;
            }
            Err(Err::Incomplete(_)) => {