pgsql: clearly indicate redacted password message

If a password message was seen while logging passwords was disabled
for pgsql, this would lead to an empty request being logged.
Instead of simply not logging anything when there is a password message
and this is disabled, however, log instead that said password is
redacted.

Bug #7647
pull/13211/head
Juliana Fajardini 2 months ago committed by Victor Julien
parent 11cef2980b
commit 6f81caf8d4

@ -2528,6 +2528,8 @@ flow. Some of the possible request messages are:
* "startup_message": message sent to start a new PostgreSQL connection
* "password_message": if password output for PGSQL is enabled in suricata.yaml,
carries the password sent during Authentication phase
* "password_redacted": set to true in case there is a password message, but its
logging is disabled
* "simple_query": issued SQL command during simple query subprotocol. PostgreSQL
identifies specific sets of commands that change the set of expected messages
to be exchanged as subprotocols.
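
Review bot: the new "password_redacted" bullet is added to the list of "possible request messages", but it is a boolean flag rather than a message type, and the entry does not say so. Suggest wording it as a field, for example: "password_redacted": boolean, set to true when a password message was seen but password output for PGSQL is disabled in suricata.yaml. It would also help to state that it is logged in place of the password, so readers see the two entries as alternatives.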

@ -3663,6 +3663,10 @@
"password_message": {
"type": "string"
},
"password_redacted": {
"type": "boolean",
"description": "indicates if a password message was received but not logged due to Suricata settings"
},
"process_id": {
"type": "integer"
},
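
Review bot: the description for "password_redacted" reads as if the field could also be false, but the logger change in this commit only ever writes it as true, in the branch where password logging is off. Suggest stating that in the description, for example "present and set to true when a password message was received but not logged because password output is disabled", and naming the option (passwords, under the pgsql output) instead of the vaguer "Suricata settings".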

@ -81,6 +81,8 @@ fn log_request(req: &PgsqlFEMessage, flags: u32) -> Result<JsonBuilder, JsonErro
}) => {
if flags & PGSQL_LOG_PASSWORDS != 0 {
js.set_string_from_bytes("password", payload)?;
} else {
js.set_bool("password_redacted", true)?;
}
}
PgsqlFEMessage::SASLResponse(RegularPacket {
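
Review bot: the new else branch is the path users get by default, since the suricata.yaml hunk shows password output as disabled by default, yet none of the hunks shown here adds a test for it. Suggest a test that feeds a password message with PGSQL_LOG_PASSWORDS unset and checks that the request carries "password_redacted": true and no "password" key. It is also worth confirming that "password" is the intended key in the if branch, since the documentation and schema context lines name "password_message".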

@ -360,6 +360,8 @@ outputs:
- pgsql:
enabled: no
# passwords: yes # enable output of passwords. Disabled by default
# If a password message is seen but this setting
# is disabled, "password_redacted": true is logged
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
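
Review bot: the two added comment lines continue the trailing comment on the commented-out "passwords: yes" line, so they only read correctly while the column alignment is preserved, and "this setting is disabled" could be taken to refer to "enabled: no" just above. Suggest naming the option explicitly, for example "If a password message is seen while passwords is not enabled, ...", or moving the explanation to a full-line comment above the option.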
