Open
Description
Currently, SQL Server packets that contain NTEXTTYPE parameters failed to be parsed, causing their contents to be audit logged as db.session.malformed_packet instead of proper db.session.query or db.session.sqlserver.rpc_request. This is mainly due to the go-mssql parsing expecting a different data format (tablename and ROW).
Here is an example of an RPC call (SP_ExecuteSql) from Azure Data Studio that has its SQL parameter as NTEXTTYPE:
03 04 10 00 00 00 01 00 // Packet headers
16 00 00 00 12 00 00 00 02 00 00 00 00 00 00 00 00 00 01 00 00 00 // ALL_HEADERS
ff ff // Proc length
0a 00 // ProcID (SP_ExecuteSql)
02 00 // Option flags
00 // Parameter name (empty)
00 // Status flags
63 // NTEXTTYPE type
66 23 00 00 // NTEXTTYPE length (LONGLEN)
09 04 d0 00 00 // Parameter collation
66 23 00 00 // NTEXTTYPE length
// NTEXT contents start...
53 00 45 00 4c 00 45 00 43 00 54 00 // "SELECT"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment