File: pgsql-keywords.rst

Source: Debian package suricata 1:8.0.1-3
PGSQL Keywords
##############

.. role:: example-rule-emphasis

pgsql.query
***********

This keyword is a sticky buffer that allows matching on the query text of
PostgreSQL simple ``Query`` request messages parsed by the engine. The buffer
holds only the ``string`` portion of the message: the message type identifier
and the length field that precede it on the wire are not part of the buffer, so
a ``content`` match never sees them and is applied to the query text alone.

Currently, it exposes the same data that EVE output logs in the
``pgsql.request.simple_query`` field. Because it is backed by the simple query
message, statements sent through the extended query protocol are not exposed by
this buffer at present. The buffer is only populated when the pgsql
application-layer parser is enabled in ``suricata.yaml``.

``pgsql.query`` can be used as a ``fast_pattern``
(see :ref:`rules-keyword-fast_pattern`).

Matching is case sensitive by default. Use ``nocase`` on the ``content`` match
for case-insensitive matching, for example to catch ``DELETE``, ``delete`` and
``Delete`` with a single rule.

Examples
========

.. container:: example-rule

    alert pgsql any any -> any any (msg:"Simple SELECT rule";
    :example-rule-emphasis:`pgsql.query; content:"SELECT \*";` sid:1;)

.. container:: example-rule

    alert pgsql any any -> any any (msg:"Simple delete rule";
    :example-rule-emphasis:`pgsql.query; content:"delete"; nocase;` sid:2;)