8.55. PGSQL Keywords

8.55.1. pgsql.query

This keyword is a sticky buffer that allows matching on the contents of PostgreSQL's query request messages parsed by the engine. Note that this buffer inspects only the string portion of the PostgreSQL message, skipping other fields such as identifier and length, and focusing on the query itself.

Currently, it exposes the contents of the pgsql.request.simple_query field from EVE output.

pgsql.query can be used as a fast_pattern (see fast_pattern).

Use nocase with this keyword to avoid case sensitivity for the matches.

8.55.1.1. Examples

alert pgsql any any -> any any (msg:"Simple SELECT rule"; pgsql.query; content:"SELECT *"; sid:1;)

alert pgsql any any -> any any (msg:"Simple delete rule"; pgsql.query; content:"delete"; nocase sid:2;)