doc/userguide/rules/pgsql-keywords.rst
PGSQL Keywords ##############
.. role:: example-rule-emphasis
pgsql.query
This keyword is a sticky buffer that allows matching on the contents of
PostgreSQL's query request messages parsed by the engine. Note that this
buffer inspects only the string portion of the PostgreSQL message, skipping
other fields such as identifier and length, and focusing on the query itself.
Currently, it exposes the contents of the pgsql.request.simple_query field
from EVE output.
pgsql.query can be used as a fast_pattern
(see :ref:rules-keyword-fast_pattern).
Use nocase with this keyword to avoid case sensitivity for the matches.
.. container:: example-rule
alert pgsql any any -> any any (msg:"Simple SELECT rule";
:example-rule-emphasis:`pgsql.query; content:"SELECT \*";` sid:1;)
.. container:: example-rule
alert pgsql any any -> any any (msg:"Simple delete rule";
:example-rule-emphasis:`pgsql.query; content:"delete"; nocase` sid:2;)