postgresql: Initial parser implementation

This adds a protocol parser for the PostgreSQL protocol and a new
postgresql.log similar to the existing mysql.log.

This should be considered preliminary and hopefully during 7.1 and 7.2
with feedback from the community, we can improve on the events and logs.
Even if most PostgreSQL communication is encrypted in the real-world, this
will minimally allow monitoring of the SSLRequest and hand off further
analysis to the SSL analyzer.

This originates from github.com/awelzel/spicy-postgresql, with lots of
polishing happening in the past two days.

scripts/base/protocols/postgresql/dpd.sig

@@ -0,0 +1,29 @@
+# Enable the analyzer if we see the SSLRequest message and a S|N reply from the server.
+signature dpd_postgresql_client_sslrequest {
+  ip-proto == tcp
+  payload /^\x00\x00\x00\x08\x04\xd2\x16\x2f/
+}
+
+signature dpd_postgresql_server_ssl_confirm {
+  requires-reverse-signature dpd_postgresql_client_sslrequest
+  payload /^[SN]/
+  enable "PostgreSQL"
+}
+
+signature dpd_postgresql_client_startup_3_x {
+  ip-proto == tcp
+  # 4 byte length, then protocol version major, minor (16bit each),
+  # then expect the "user\x00" parameter to follow. Not sure about
+  # other versions, but we likely wouldn't properly parse them anyway.
+  payload /^....\x00\x03\x00.{0,256}user\x00/
+}
+
+signature dpd_postgresql_server_any_response {
+  requires-reverse-signature dpd_postgresql_client_startup_3_x
+
+  # One byte printable message type 4 bytes length. Assumes the first
+  # server message is not larger 64k(2^16) so match on \x00\x00 after
+  # the first byte.
+  payload /^[a-zA-Z0-9]\x00\x00../
+  enable "PostgreSQL"
+}