A proposal for pgsql frame rule keywords:
Introduction: the PostgreSQL application-layer protocol "header", when it is present, is basically one byte (a char) that identifies the message type (sometimes its meaning depends on further message contents and/or on connection state) followed by an Int32 length field that gives the message length (the length counts itself but not the type byte). The startup message is the exception: it carries only the length field and no type byte. With that in mind, we propose the following frame keywords for pgsql:
From the client:
- request: any message from the client
- startup: specific to the startup message, sent when the client tries to connect to the server
- query: specific to query commands (simple-query messages)
- copy_data: specific to the COPY subprotocol (*)
From the server:
- response: any message from the server
- data_row: specific to result rows of SELECT queries
- copy_data: specific to the COPY subprotocol (*)
Usage: a frame keyword works like a sticky buffer: the content matches that follow it are applied to the selected frame only. Example:
alert pgsql $EXTERNAL_NET any -> any any (msg: "pgsql: external select attempt"; frame:pgsql.query; content:"select"; sid:1; rev:1);
(SQL keywords are case-insensitive, so a real rule would add nocase to the content match.)
The query, data_row and copy_data keywords could be used, for example, to identify specific contents at risk of data breaches: a sensitive query being issued, or sensitive values leaving the server in result rows or in COPY data.
(*) Reference: https://www.postgresql.org/docs/14/protocol-flow.html#PROTOCOL-COPY
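As an added illustration (not Suricata's pgsql code, and not part of the original proposal), the following Python framer splits one direction of a protocol v3 byte stream into messages using exactly the header layout described above, tags each message with the proposed keywords, and emulates a `frame:pgsql.<keyword>; content:"..."` match. Sample messages are constructed in the block itself. Assumptions: the first client message is treated as the startup message (SSL/GSS negotiation, where the server answers with a single byte and no length field, is not modelled), and a specific frame covers the message body after the length field.

```python
"""Toy pgsql v3 framer that tags messages with the proposed frame keywords.

Added example, not Suricata's implementation: it models only the framing
described in the proposal (type byte + Int32 length; startup has no type byte).
"""
import struct
from dataclasses import dataclass

PROTOCOL_V3 = 196608  # 3.0 encoded as major << 16 | minor

# message-type byte -> specific frame keyword, per direction (from the proposal)
CLIENT_SPECIFIC = {b"Q": "query", b"d": "copy_data"}
SERVER_SPECIFIC = {b"D": "data_row", b"d": "copy_data"}


@dataclass
class Frame:
    keywords: set   # e.g. {"request", "query"}
    raw: bytes      # whole message including its header
    body: bytes     # payload after the length field


def parse_stream(data: bytes, from_client: bool) -> list:
    """Split one direction of a pgsql stream into frames.

    Assumption: a client stream starts with a startup-style message (no type
    byte; Int32 length that includes itself). Truncated or impossible lengths
    raise ValueError instead of looping or reading past the buffer.
    """
    generic = "request" if from_client else "response"
    specific = CLIENT_SPECIFIC if from_client else SERVER_SPECIFIC
    frames, off, startup_pending = [], 0, from_client
    while off < len(data):
        if startup_pending:
            if len(data) - off < 4:
                raise ValueError("truncated startup header")
            (length,) = struct.unpack(">I", data[off:off + 4])
            # length counts itself, so below 8 there is no room for a version
            if length < 8 or off + length > len(data):
                raise ValueError("bad startup length %d" % length)
            raw = data[off:off + length]
            frames.append(Frame({generic, "startup"}, raw, raw[4:]))
            off += length
            startup_pending = False
            continue
        if len(data) - off < 5:
            raise ValueError("truncated message header")
        mtype = data[off:off + 1]
        (length,) = struct.unpack(">I", data[off + 1:off + 5])
        # length excludes the type byte but includes itself: minimum is 4
        if length < 4 or off + 1 + length > len(data):
            raise ValueError("bad length %d for type %r" % (length, mtype))
        raw = data[off:off + 1 + length]
        kws = {generic}
        if mtype in specific:
            kws.add(specific[mtype])
        frames.append(Frame(kws, raw, raw[5:]))
        off += 1 + length
    return frames


def match(frames, keyword: str, content: bytes) -> list:
    """Emulate `frame:pgsql.<keyword>; content:"..."` (case-sensitive, like a
    content match without nocase): frames tagged with keyword whose body
    contains content."""
    return [f for f in frames if keyword in f.keywords and content in f.body]


def rejects(data: bytes, from_client: bool) -> bool:
    """True if parse_stream refuses the stream (used to check error handling)."""
    try:
        parse_stream(data, from_client)
    except ValueError:
        return True
    return False


# --- builders for constructed sample traffic (standard v3 encodings) ---------
def startup_message(params: dict) -> bytes:
    body = struct.pack(">I", PROTOCOL_V3)
    for key, value in params.items():
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"
    return struct.pack(">I", 4 + len(body)) + body


def typed_message(mtype: bytes, body: bytes) -> bytes:
    return mtype + struct.pack(">I", 4 + len(body)) + body


def data_row(columns) -> bytes:
    body = struct.pack(">h", len(columns))
    for col in columns:  # None encodes as a -1 length (SQL NULL)
        body += b"\xff\xff\xff\xff" if col is None else struct.pack(">i", len(col)) + col
    return typed_message(b"D", body)


# Constructed sample streams: a startup, two simple queries and a COPY FROM
# STDIN payload from the client; a SELECT result row, COPY TO STDOUT data and
# a ReadyForQuery from the server.
CLIENT_STREAM = (
    startup_message({"user": "app", "database": "shop"})
    + typed_message(b"Q", b"select card_number from payments\0")
    + typed_message(b"Q", b"copy payments from stdin\0")
    + typed_message(b"d", b"4111111111111111,2027-01\n")
)
SERVER_STREAM = (
    data_row([b"4111111111111111", None])
    + typed_message(b"d", b"4111111111111111,2027-01\n")
    + typed_message(b"Z", b"I")  # ReadyForQuery: generic "response" only
)

if __name__ == "__main__":
    for f in match(parse_stream(CLIENT_STREAM, True), "query", b"select"):
        print("query frame matched:", f.body)
    for f in match(parse_stream(SERVER_STREAM, False), "data_row", b"4111"):
        print("data_row frame matched:", f.body)
```

Run as a script it prints the one query frame containing "select" and the one DataRow carrying the card number; the startup frame, the COPY data and the ReadyForQuery message are not matched even though a generic `request`/`response` match over the same content would hit the COPY data too, which is the reason for having the specific keywords.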