postgresql: Initial parser implementation

This adds a protocol parser for the PostgreSQL protocol and a new
postgresql.log similar to the existing mysql.log.

This should be considered preliminary and hopefully during 7.1 and 7.2
with feedback from the community, we can improve on the events and logs.
Even if most PostgreSQL communication is encrypted in the real-world, this
will minimally allow monitoring of the SSLRequest and hand off further
analysis to the SSL analyzer.

This originates from github.com/awelzel/spicy-postgresql, with lots of
polishing happening in the past two days.

testing/btest/scripts/base/protocols/postgresql/availability.zeek

@@ -0,0 +1,4 @@
+# @TEST-DOC: Check that the PostgreSQL analyzer is available.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -NN | grep -qi 'ANALYZER_POSTGRESQL'

testing/btest/scripts/base/protocols/postgresql/bad-backend-message.zeek

@@ -0,0 +1,13 @@
+# @TEST-DOC: Startup message triggering integer overflow
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-backend-message-1.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
+# @TEST-EXEC: test ! -f reporter.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/bad-startup-message.zeek

@@ -0,0 +1,11 @@
+# @TEST-DOC: Startup message triggering integer overflow
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-startup-message-1.pcap ${PACKAGE} %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: test ! -f reporter.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/dump-events.zeek

@@ -0,0 +1,17 @@
+# @TEST-DOC: Test that misc/dump events works.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >>output
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >>output
+#
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/postgresql/spicy-events.zeek
+@load misc/dump-events
+
+redef DumpEvents::dump_all_events = T;
+redef DumpEvents::include=/^(PostgreSQL|analyzer_)/;
+
+event zeek_init() {
+	Analyzer::register_for_port(Analyzer::ANALYZER_POSTGRESQL, 5432/tcp);
+}

testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek

@@ -0,0 +1,13 @@
+# @TEST-DOC: Test rejecting wrong protocol.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
+# @TEST-EXEC: test ! -f postgresql.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek

@@ -0,0 +1,13 @@
+# @TEST-DOC: Test rejecting wrong protocol.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
+# @TEST-EXEC: test ! -f postgresql.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test the parameter status event.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+#
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/postgresql
+
+event PostgreSQL::parameter_status(c: connection, name: string, value: string) {
+	print "parameter_status", c$uid, name, value;
+}

testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek

@@ -0,0 +1,20 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
+#
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/postgresql
+
+event PostgreSQL::authentication_request(c: connection, identifier: count, data: string) {
+	print "authentication_request", c$uid, identifier, data;
+}
+
+event PostgreSQL::authentication_response(c: connection, data: string) {
+	print "authentication_response", c$uid, data;
+}
+
+event PostgreSQL::authentication_ok(c: connection) {
+	print "authentication_ok", c$uid;
+}

testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test that the dpd.sig picks up a plaintext connection on a non-standard port.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek

@@ -0,0 +1,14 @@
+# @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+# @TEST-EXEC: test ! -f ssl.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql
+@load base/protocols/ssl

testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek

@@ -0,0 +1,15 @@
+# @TEST-DOC: Test that the dpd.sig picks up the SSLRequest and server response on a non-standard port.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff ssl.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql
+@load base/protocols/ssl

testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek

@@ -0,0 +1,15 @@
+# @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff ssl.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql
+@load base/protocols/ssl

testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Trace with CREATE TABLE, INSERT, SELECT DELETE and DROP.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-create-insert-select-delete-drop.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap ${PACKAGE} %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-fail.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: The client does not start with SSLRequest. This pcap has two connections, attempting without password.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Event for name, value pairs in the startup message.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+#
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/postgresql
+
+event PostgreSQL::startup_parameter(c: connection, name: string, value: string) {
+	print "startup_parameter", c$uid, name, value;
+}