RPC filter - MSSQL

This type of filter is invoked when the client invokes a stored procedure using an RPC packet.

The call can be filtered by the usual means, and also by the name of the stored procedure being called, as well as the value of the parameters being passed to the stored procedure.

Parameters

None of the parameters are required. If no parameter is specified, this filter will be invoked for every call to a stored procedure.

The parameters that can take multiple values can be separated by commas or by newlines.


Stored procedure name

The name(s) or regular expression(s) determining for which stored procedure calls to invoke this filter. They can be separated by commas or newlines.

Examples:

sp_executesql

sp_dosomething, regex:finance_.*, regex:payments_delete.+


Parameter patterns

Zero or more name=regular expression entries specifying for which values of which parameters this filter should get invoked. In addition to all the usual regular expression syntax, if a regular expression contains equal signs, they must be escaped with a backslash (e.g. \=).


Client IPs

A list of IP addresses (IP4 and/or IP6) and/or regular expressions for IP addresses.

Example:

12.34.56.78
1234:5678:90ab::01
regex:98\.76\..*
regex:9876:5432:.*


Users

A list of user names and/or regular expressions for user names. If specified, only calls from these users will cause execution of the filter.


Example

We can change the SQL being executed by a call to sp_executesql with:

context.packet.parameters[0].value =
"select * from gallium_demo.products where status is null or status <> 'discontinued'";