Query filter - MSSQL

A Query filter is invoked for requests of type SQLBatch. It is convenient if you're only interested in SQL queries.

Note that this does not cover SQL statements executed with stored procedures like sp_executesql. For those, you'll want to use an RPC filter.

Parameters

None of the parameters are required.

The parameters that can take multiple values can be separated by commas or by newlines.

Query patterns

A list of strings or regular expressions that should match the SQL request. These can be comma-separated, or separated by new lines.

Client IPs

A list of IP addresses (IP4 and/or IP6) and/or regular expressions for IP addresses. If specified, only requests from matching IP addresses will cause execution of this filter.

Example:

12.34.56.78
1234:5678:90ab::01
regex:98\.76\..*
regex:9876:5432:.*

Users

A list of user names and/or regular expressions for user names. If specified, only queries executed by these users will cause execution of the filter.

Example

When connecting, it's not unusual for a database client to issue a command like select serverproperty('ProductVersion') ProductVersion. We could force it to a different value with the following filter defined for SQLBatch packets with a parameter set to catch this specific SQL command:

log.info("Faking SQL Server version");
context.packet.sql = "select '14.0.1887.2' ProductVersion";