postgresql: Initial parser implementation

This adds a protocol parser for the PostgreSQL protocol and a new postgresql.log similar to the existing mysql.log. This should be considered preliminary and hopefully during 7.1 and 7.2 with feedback from the community, we can improve on the events and logs. Even if most PostgreSQL communication is encrypted in the real-world, this will minimally allow monitoring of the SSLRequest and hand off further analysis to the SSL analyzer. This originates from github.com/awelzel/spicy-postgresql, with lots of polishing happening in the past two days.
2025-10-02 14:48:21 +00:00 · 2024-09-04 16:59:30 +02:00 · 2024-09-04 16:59:30 +02:00 · 85ca59484b
commit 85ca59484b
parent 2907d9feee
82 changed files with 1803 additions and 10 deletions
--- a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek
+++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek
@ -0,0 +1,15 @@
+# @TEST-DOC: Test that the dpd.sig picks up the SSLRequest and server response on a non-standard port.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff ssl.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql
+@load base/protocols/ssl