pgsql: clearly indicate redacted password message

If a password message was seen while logging passwords was disabled
for pgsql, this would lead to an empty request being logged.
Instead of simply not logging anything when there is a password message
and this is disabled, however, log instead that said password is
redacted.

Bug #7647
pull/13211/head
Juliana Fajardini 3 months ago committed by Victor Julien
parent 11cef2980b
commit 6f81caf8d4

@ -2528,6 +2528,8 @@ flow. Some of the possible request messages are:
* "startup_message": message sent to start a new PostgreSQL connection * "startup_message": message sent to start a new PostgreSQL connection
* "password_message": if password output for PGSQL is enabled in suricata.yaml, * "password_message": if password output for PGSQL is enabled in suricata.yaml,
carries the password sent during Authentication phase carries the password sent during Authentication phase
* "password_redacted": set to true in case there is a password message, but its
logging is disabled
* "simple_query": issued SQL command during simple query subprotocol. PostgreSQL * "simple_query": issued SQL command during simple query subprotocol. PostgreSQL
identifies specific sets of commands that change the set of expected messages identifies specific sets of commands that change the set of expected messages
to be exchanged as subprotocols. to be exchanged as subprotocols.
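
Review bot: the added "password_redacted" bullet sits in the list of possible request messages, but by its own description it is a boolean marker, not a message type. Suggest wording that says it is logged in place of the password when a password message is seen and password logging is disabled, so readers do not expect a message payload under that key.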

@ -3663,6 +3663,10 @@
"password_message": { "password_message": {
"type": "string" "type": "string"
}, },
"password_redacted": {
"type": "boolean",
"description": "indicates if a password message was received but not logged due to Suricata settings"
},
"process_id": { "process_id": {
"type": "integer" "type": "integer"
}, },
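
Review bot: the description on "password_redacted" says "due to Suricata settings" without naming the setting. Consider naming the pgsql output's passwords option, as the suricata.yaml comment in this commit does, so someone reading the schema can find the switch. As shown, the schema also allows "password_message" and "password_redacted" in the same object; if they are meant to be mutually exclusive, the description is a good place to say so.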

@ -81,6 +81,8 @@ fn log_request(req: &PgsqlFEMessage, flags: u32) -> Result<JsonBuilder, JsonErro
}) => { }) => {
if flags & PGSQL_LOG_PASSWORDS != 0 { if flags & PGSQL_LOG_PASSWORDS != 0 {
js.set_string_from_bytes("password", payload)?; js.set_string_from_bytes("password", payload)?;
} else {
js.set_bool("password_redacted", true)?;
} }
} }
PgsqlFEMessage::SASLResponse(RegularPacket { PgsqlFEMessage::SASLResponse(RegularPacket {
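
Review bot: in the PasswordMessage arm, the enabled branch writes the key "password", while the documentation and schema hunks in this commit place "password_redacted" next to "password_message"; please confirm which key name consumers should expect alongside the new flag. The following arm in the context, SASLResponse, falls outside this hunk, so it is not visible here whether it needs the same redaction marker; worth checking. A test asserting that "password_redacted": true is emitted when PGSQL_LOG_PASSWORDS is unset would pin the new behaviour.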

@ -360,6 +360,8 @@ outputs:
- pgsql: - pgsql:
enabled: no enabled: no
# passwords: yes # enable output of passwords. Disabled by default # passwords: yes # enable output of passwords. Disabled by default
# If a password message is seen but this setting
# is disabled, "password_redacted": true is logged
- stats: - stats:
totals: yes # stats for all threads merged together totals: yes # stats for all threads merged together
threads: no # per thread stats threads: no # per thread stats
