postgresql: Initial parser implementation

This adds a protocol parser for the PostgreSQL protocol and a new
postgresql.log similar to the existing mysql.log.

This should be considered preliminary and hopefully during 7.1 and 7.2
with feedback from the community, we can improve on the events and logs.
Even if most PostgreSQL communication is encrypted in the real-world, this
will minimally allow monitoring of the SSLRequest and hand off further
analysis to the SSL analyzer.

This originates from github.com/awelzel/spicy-postgresql, with lots of
polishing happening in the past two days.

NEWS

@@ -28,6 +28,22 @@ Breaking Changes
 New Functionality
 -----------------
 
+- Zeek now includes a PostgreSQL protocol analyzer. This analyzer is enabled
+  by default. The analyzer's events and its ``postgresql.log`` should be
+  considered preliminary and experimental until the arrival of Zeek's next
+  long-term-stable release (8.0).
+
+  If you observe unusually high CPU consumption or other issues due to this
+  analyzer being enabled by default, the easiest way to disable it is via the
+  ``Analyzer::disabled_analyzers`` const as follows:
+
+	redef Analyzer::disabled_analyzers += {
+		Analyzer::ANALYZER_POSTGRESQL,
+	};
+
+  If you observe PostgreSQL traffic in your environment, please provide feedback
+  about the analyzer and structure of the new log.
+
 * The LDAP analyzer now supports handling of non-sealed GSS-API WRAP tokens.
 
 * StartTLS support was added to the LDAP analyzer. The SSL analyzer is enabled

scripts/base/init-default.zeek

@@ -67,6 +67,7 @@
 @load base/protocols/ntlm
 @load base/protocols/ntp
 @load base/protocols/pop3
+@load base/protocols/postgresql
 @load base/protocols/quic
 @load base/protocols/radius
 @load base/protocols/rdp

scripts/base/protocols/postgresql/__load__.zeek

@@ -0,0 +1,6 @@
+@if ( have_spicy_analyzers() )
+@load ./consts
+@load ./spicy-events
+@load ./main
+@load-sigs ./dpd
+@endif

scripts/base/protocols/postgresql/consts.zeek

@@ -0,0 +1,37 @@
+module PostgreSQL;
+
+export {
+	# https://www.postgresql.org/docs/current/protocol-error-fields.html
+	global error_ids: table[string] of string = {
+		["S"] = "SeverityLocalized",
+		["V"] = "Severity",  # non-localized
+		["C"] = "Code",
+		["M"] = "Message",
+		["D"] = "Detail",
+		["H"] = "Hint",
+		["P"] = "Position",
+		["p"] = "InternalPosition",
+		["q"] = "InternalQuery",
+		["W"] = "Where",
+		["s"] = "Schema",
+		["t"] = "Table",
+		["c"] = "Column",
+		["d"] = "Data",
+		["n"] = "Constraint",
+		["F"] = "File",
+		["L"] = "Line",
+		["R"] = "Routine",
+	} &default=function(c: string): string { return fmt("UnknownErrorId%s", c); } &redef;
+
+	global auth_ids: table[count] of string = {
+		[2] = "KerberosV5",
+		[3] = "CleartextPassword",
+		[5] = "MD5Password",
+		[7] = "GSSAPI",
+		[8] = "GSSAPIContinue",
+		[9] = "SSPI",
+		[10] = "SASL",
+		[11] = "SASLContinue",
+		[12] = "SASLFinal",
+	} &default=function(id: count): string { return fmt("UnknownAuthId%s", id); } &redef;
+}

scripts/base/protocols/postgresql/dpd.sig

@@ -0,0 +1,29 @@
+# Enable the analyzer if we see the SSLRequest message and a S|N reply from the server.
+signature dpd_postgresql_client_sslrequest {
+  ip-proto == tcp
+  payload /^\x00\x00\x00\x08\x04\xd2\x16\x2f/
+}
+
+signature dpd_postgresql_server_ssl_confirm {
+  requires-reverse-signature dpd_postgresql_client_sslrequest
+  payload /^[SN]/
+  enable "PostgreSQL"
+}
+
+signature dpd_postgresql_client_startup_3_x {
+  ip-proto == tcp
+  # 4 byte length, then protocol version major, minor (16bit each),
+  # then expect the "user\x00" parameter to follow. Not sure about
+  # other versions, but we likely wouldn't properly parse them anyway.
+  payload /^....\x00\x03\x00.{0,256}user\x00/
+}
+
+signature dpd_postgresql_server_any_response {
+  requires-reverse-signature dpd_postgresql_client_startup_3_x
+
+  # One byte printable message type 4 bytes length. Assumes the first
+  # server message is not larger 64k(2^16) so match on \x00\x00 after
+  # the first byte.
+  payload /^[a-zA-Z0-9]\x00\x00../
+  enable "PostgreSQL"
+}

scripts/base/protocols/postgresql/main.zeek

@@ -0,0 +1,245 @@
+##! Implements base functionality for PostgreSQL analysis.
+
+@load ./consts
+@load ./spicy-events
+
+@load base/protocols/conn/removal-hooks
+
+module PostgreSQL;
+
+export {
+	## Log stream identifier.
+	redef enum Log::ID += { LOG };
+
+	type Version: record {
+		major: count;
+		minor: count;
+	};
+
+	## Record type containing the column fields of the PostgreSQL log.
+	type Info: record {
+		## Timestamp for when the activity happened.
+		ts: time &log;
+		## Unique ID for the connection.
+		uid: string &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id: conn_id &log;
+
+		## The user as found in the StartupMessage.
+		user: string &optional &log;
+		## The database as found in the StartupMessage.
+		database: string &optional &log;
+		## The application name as found in the StartupMessage.
+		application_name: string &optional &log;
+
+		# The command or message from the frontend.
+		frontend: string &optional &log;
+		# Arguments for the command.
+		frontend_arg: string &optional &log;
+		# The reply from the backend.
+		backend: string &optional &log;
+		# Arguments for the reply from the backend.
+		backend_arg: string &optional &log;
+
+		# Whether the login/query was successful.
+		success: bool &optional &log;
+
+		# The number of rows returned or affectd.
+		rows: count &optional &log;
+	};
+
+	type State: record {
+		version: Version &optional;
+		user: string &optional;
+		database: string &optional;
+		application_name: string &optional;
+		rows: count &default=0;
+		errors: vector of string;
+	};
+
+	## Default hook into PostgreSQL logging.
+	global log_postgresql: event(rec: Info);
+
+	global finalize_postgresql: Conn::RemovalHook;
+
+	global ports: set[port] = { 5432/tcp } &redef;
+}
+
+redef record connection += {
+	postgresql: Info &optional;
+	postgresql_state: State &optional;
+};
+
+redef likely_server_ports += { ports };
+
+event zeek_init() {
+	Analyzer::register_for_ports(Analyzer::ANALYZER_POSTGRESQL, ports);
+
+	Log::create_stream(PostgreSQL::LOG, [$columns=Info, $ev=log_postgresql, $path="postgresql"]);
+}
+
+hook set_session(c: connection) {
+	if ( ! c?$postgresql )
+		c$postgresql = Info($ts=network_time(), $uid=c$uid, $id=c$id);
+
+	if ( ! c?$postgresql_state ) {
+		c$postgresql_state = State();
+		Conn::register_removal_hook(c, finalize_postgresql);
+	}
+}
+
+function emit_log(c: connection) {
+	if ( ! c?$postgresql )
+		return;
+
+	if ( c$postgresql_state?$user )
+		c$postgresql$user = c$postgresql_state$user;
+
+	if ( c$postgresql_state?$database )
+		c$postgresql$database = c$postgresql_state$database;
+
+	if ( c$postgresql_state?$application_name )
+		c$postgresql$application_name = c$postgresql_state$application_name;
+
+	Log::write(PostgreSQL::LOG, c$postgresql);
+	delete c$postgresql;
+}
+
+event PostgreSQL::ssl_request(c: connection) {
+	hook set_session(c);
+
+	c$postgresql$frontend = "ssl_request";
+}
+
+event PostgreSQL::ssl_reply(c: connection, b: string) {
+	hook set_session(c);
+
+	c$postgresql$backend = "ssl_reply";
+	c$postgresql$backend_arg = b;
+	c$postgresql$success = b == "S";
+
+	emit_log(c);
+}
+
+event PostgreSQL::startup_parameter(c: connection, name: string, value: string) {
+	hook set_session(c);
+
+	if ( name == "user" ) {
+		c$postgresql_state$user = value;
+	} else if ( name == "database" ) {
+		c$postgresql_state$database = value;
+	} else if ( name== "application_name" ) {
+		c$postgresql_state$application_name = value;
+	}
+}
+
+event PostgreSQL::startup_message(c: connection, major: count, minor: count) {
+	hook set_session(c);
+
+	c$postgresql_state$version = Version($major=major, $minor=minor);
+	c$postgresql$frontend = "startup";
+}
+
+event PostgreSQL::error_response_identified_field(c: connection, code: string, value: string) {
+	hook set_session(c);
+
+	local errors = c$postgresql_state$errors;
+	errors += fmt("%s=%s", error_ids[code], value);
+}
+
+event PostgreSQL::notice_response_identified_field(c: connection, code: string, value: string) {
+	hook set_session(c);
+
+	local notice = fmt("%s=%s", error_ids[code], value);
+	if ( c$postgresql?$backend_arg )
+		c$postgresql$backend_arg += "," + notice;
+	else
+		c$postgresql$backend_arg = notice;
+}
+
+event PostgreSQL::error_response(c: connection) {
+	hook set_session(c);
+
+	if ( c$postgresql?$backend )
+		c$postgresql$backend += ",error";
+	else
+		c$postgresql$backend = "error";
+
+	local errors = join_string_vec(c$postgresql_state$errors, ",");
+	c$postgresql_state$errors = vector();
+
+	if ( c$postgresql?$backend_arg )
+		c$postgresql$backend_arg += "," + errors;
+	else
+		c$postgresql$backend_arg = errors;
+
+	c$postgresql$success = F;
+
+	emit_log(c);
+}
+
+event PostgreSQL::authentication_request(c: connection, identifier: count, data: string) {
+	hook set_session(c);
+
+	if ( c$postgresql?$backend && ! ends_with(c$postgresql$backend, "auth") )
+		c$postgresql$backend += ",auth_request";
+	else
+		c$postgresql$backend = "auth_request";
+
+	if ( c$postgresql?$backend_arg )
+		c$postgresql$backend_arg += "," + auth_ids[identifier];
+	else
+		c$postgresql$backend_arg = auth_ids[identifier];
+}
+
+event PostgreSQL::authentication_ok(c: connection) {
+	hook set_session(c);
+
+	c$postgresql$backend = "auth_ok";
+	c$postgresql$success = T;
+
+	emit_log(c);
+}
+
+event PostgreSQL::terminate(c: connection) {
+	if ( c?$postgresql )
+		emit_log(c);
+
+	hook set_session(c);
+	c$postgresql$frontend = "terminate";
+	emit_log(c);
+}
+
+event PostgreSQL::simple_query(c: connection, query: string) {
+	if ( c?$postgresql )
+		emit_log(c);
+
+	hook set_session(c);
+
+	c$postgresql$frontend = "simple_query";
+	c$postgresql$frontend_arg = query;
+	c$postgresql_state$rows = 0;
+}
+
+event PostgreSQL::data_row(c: connection, column_values: count) {
+	hook set_session(c);
+
+	++c$postgresql_state$rows;
+}
+
+event PostgreSQL::ready_for_query(c: connection, transaction_status: string) {
+	# Log a query (if there was one).
+	if ( ! c?$postgresql )
+		return;
+
+	# If no one said otherwise, the last action was successful.
+	if ( ! c$postgresql?$success )
+		c$postgresql$success = transaction_status == "I" || transaction_status == "T";
+
+	c$postgresql$rows = c$postgresql_state$rows;
+	emit_log(c);
+}
+
+hook finalize_postgresql(c: connection) &priority=-5 {
+	emit_log(c);
+}

scripts/base/protocols/postgresql/spicy-events.zeek

@@ -0,0 +1,147 @@
+##! Events generated by the PostgreSQL analyzer.
+
+## Event generated for frontend SSLRequest messages.
+##
+## c: The connection.
+global PostgreSQL::ssl_request: event(c: connection);
+
+## Event generated for backend SSL reply.
+##
+## c: The connection.
+##
+## data: The server's reply: S for secure, N for unencrypted.
+global PostgreSQL::ssl_reply: event(c: connection, data: string);
+
+## Event generated for backend authentication requests.
+##
+## c: The connection.
+##
+## identifier: The identifier in the request.
+##
+## data: The request data, if any.
+##
+## .. zeek:see:: PostgreSQL::authentication_response
+## .. zeek:see:: PostgreSQL::authentication_ok
+global PostgreSQL::authentication_request: event(c: connection, identifier: count, data: string);
+
+## Event generated for backend authentication requests indicating successful
+## authentication.
+##
+## c: The connection.
+##
+## .. zeek:see:: PostgreSQL::authentication_request
+## .. zeek:see:: PostgreSQL::authentication_response
+global PostgreSQL::authentication_ok: event(c: connection);
+
+## Event generated for frontend authentication responses.
+##
+## c: The connection.
+##
+## data: The response data, if any.
+##
+## .. zeek:see:: PostgreSQL::authentication_request
+## .. zeek:see:: PostgreSQL::authentication_ok
+global PostgreSQL::authentication_response: event(c: connection, data: string);
+
+
+## Event generated for every parameter in a StartupMessage.
+##
+## c: The connection.
+##
+## name: The name of the parameter.
+##
+## value: The value of the parameter.
+global PostgreSQL::startup_parameter: event(c: connection, name: string, value: string);
+
+## Event generated for a StartupMessage.
+##
+## c: The connection.
+##
+## major: The major protocol version.
+##
+## minor: The minor protocol version.
+global PostgreSQL::startup_message: event(c: connection, major: count, minor: count);
+
+## Event generated for every backed ReadyForQuery message.
+##
+## c: The connection.
+##
+## transaction_status: I (idle), T (in transaction block), E (error).
+global PostgreSQL::ready_for_query: event(c: connection, transaction_status: string);
+
+## Event generated for every frontend SimpleQuery message.
+##
+## c: The connection.
+##
+## query: The query string.
+global PostgreSQL::simple_query: event(c: connection, query: string);
+
+## Event generated for identified field within an ErrorResponse.
+##
+## c: The connection.
+##
+## code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
+##
+## value: The field value.
+##
+## .. zeek:see:: PostgreSQL::error_response
+global PostgreSQL::error_response_identified_field: event(c: connection, code: string, value: string);
+
+## Event generated for a ErrorResponse.
+##
+## c: The connection.
+##
+## .. zeek:see:: PostgreSQL::error_response_identified_field
+global PostgreSQL::error_response: event(c: connection);
+
+## Event generated for identified field within a NoticeResponse.
+##
+## c: The connection.
+##
+## code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
+##
+## value: The field value.
+##
+## .. zeek:see:: PostgreSQL::notice_response
+global PostgreSQL::notice_response_identified_field: event(c: connection, code: string, value: string);
+
+## Event generated for a NoticeResponse.
+##
+## c: The connection.
+##
+## .. zeek:see:: PostgreSQL::notice_response_identified_field
+global PostgreSQL::notice_response: event(c: connection);
+
+## Event generated for every backend DataRow message.
+##
+## c: The connection.
+##
+## column_values: The number of columns in this row.
+global PostgreSQL::data_row: event(c: connection, column_values: count);
+
+## Event generated for backend runtime parameter status reports.
+##
+## c: The connection.
+##
+## name: The name of the runtime parameter.
+##
+## value: The current value of the parameter.
+##
+global PostgreSQL::parameter_status: event(c: connection, name: string, value: string);
+
+## Generated for a BackendKeyData message for cancellation.
+##
+## c: The connection.
+##
+## process_id: The process ID of the backend.
+##
+## secret_key: The secret key of the backend.
+global PostgreSQL::backend_key_data: event(c: connection, process_id: count, secret_key: count);
+
+## Event generated For a frontend Terminate message.
+##
+## c: The connection.
+global PostgreSQL::terminate: event(c: connection);
+
+## Event generated for not implemented messages.
+global PostgreSQL::not_implemented: event(c: connection, is_orig: bool, typ: string, chunk: string);

src/analyzer/protocol/CMakeLists.txt

@@ -28,6 +28,7 @@ add_subdirectory(ntlm)
 add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
+add_subdirectory(postgresql)
 add_subdirectory(quic)
 add_subdirectory(radius)
 add_subdirectory(rdp)

src/analyzer/protocol/postgresql/CMakeLists.txt

@@ -0,0 +1,5 @@
+spicy_add_analyzer(
+    NAME PostgreSQL
+    PACKAGE_NAME spicy-postgresql
+    SOURCES postgresql.spicy postgresql.evt postgresql_zeek.spicy
+    MODULES PostgreSQL PostgreSQL_Zeek)

src/analyzer/protocol/postgresql/postgresql.evt

@@ -0,0 +1,42 @@
+import PostgreSQL;
+import PostgreSQL_Zeek;
+
+protocol analyzer PostgreSQL over TCP:
+    parse originator with PostgreSQL::FrontendMessages,
+    parse responder with PostgreSQL::BackendMessages;
+
+on PostgreSQL::NotImplemented -> event PostgreSQL::not_implemented($conn, $is_orig, ("%c" % typ), self.chunk);
+
+on PostgreSQL::AuthenticationRequest if ( self.identifier != 0 )-> event PostgreSQL::authentication_request($conn, self.identifier, self.data);
+
+on PostgreSQL::AuthenticationRequest if ( self.identifier == 0 ) -> event PostgreSQL::authentication_ok($conn);
+
+on PostgreSQL::AuthenticationResponse -> event PostgreSQL::authentication_response($conn, self.data);
+
+on PostgreSQL::FrontendMessages::ssl_request -> event PostgreSQL::ssl_request($conn);
+
+on PostgreSQL::MaybeBackendSSL::ssl_byte -> event PostgreSQL::ssl_reply($conn, ("%c" % self.ssl_byte));
+
+on PostgreSQL::StartupParameter -> event PostgreSQL::startup_parameter($conn, self.name, self.value);
+
+on PostgreSQL::StartupMessage -> event PostgreSQL::startup_message($conn, self.version.major, self.version.minor);
+
+on PostgreSQL::ErrorIdentifiedField -> event PostgreSQL::error_response_identified_field($conn, ("%c" % self.code), self.value);
+
+on PostgreSQL::ErrorResponse -> event PostgreSQL::error_response($conn);
+
+on PostgreSQL::SimpleQuery -> event PostgreSQL::simple_query($conn, self.query);
+
+on PostgreSQL::ReadyForQuery -> event PostgreSQL::ready_for_query($conn, "%c" % self.transaction_status);
+
+on PostgreSQL::NoticeIdentifiedField -> event PostgreSQL::notice_response_identified_field($conn, ("%c" % self.code), self.value);
+
+on PostgreSQL::NoticeResponse -> event PostgreSQL::notice_response($conn);
+
+on PostgreSQL::Terminate -> event PostgreSQL::terminate($conn);
+
+on PostgreSQL::DataRow -> event PostgreSQL::data_row($conn, self.column_values);
+
+on PostgreSQL::ParameterStatus -> event PostgreSQL::parameter_status($conn, self.name, self.value);
+
+on PostgreSQL::BackendKeyData -> event PostgreSQL::backend_key_data($conn, self.process_id, self.secret_key);

src/analyzer/protocol/postgresql/postgresql.spicy

@@ -0,0 +1,337 @@
+# A PostgreSQL analyzer.
+#
+# https://www.postgresql.org/docs/current/protocol.html
+#
+# Protocol version 3.0
+
+module PostgreSQL;
+
+import spicy;
+
+type SSLFrontendState = enum {
+    Requested,
+    NotRequested,
+};
+
+type SSLBackendState = enum {
+    S,
+    N,
+};
+
+# How many chunks to buffer initially when seeing a backend message
+# before a frontend or vice versa.
+const MAX_BUFFERED = 4;
+
+# When a connection switches to SSL, this consumes all the SSL chunks.
+# In zeek_postgres.spicy, SSLSink%init calls zeek::protocol_begin() and
+# then zeek::protocol_data_in()
+#
+# There's a single SSLSink shared between backend and frontend.
+type SSLSink = unit {
+    chunk: bytes &chunked &eod;
+};
+
+# Used as context for synchronization between frontend/backend.
+type Context = struct {
+    ssl_frontend_state: SSLFrontendState;
+    ssl_backend_state: SSLBackendState;
+    ssl_sink: sink&;
+    ssl_sink_connected: bool;
+};
+
+type ProtocolVersion = unit {
+    major: uint16;
+    minor: uint16;
+};
+
+type StartupParameter = unit {
+    name: /[-_\/A-Za-z0-9]+/ &requires=(|$$| > 0);
+    : uint8 &requires=($$ == 0);
+    value: /[\x20-\x7e]+/ &requires=(|$$| > 0);
+    : uint8 &requires=($$ == 0);
+};
+
+type StartupMessage = unit {
+    length: uint32 &requires=(self.length >= 9);
+    version: ProtocolVersion &requires=($$.major == 3);
+    parameters: StartupParameter[] &size=self.length - 9;
+    : skip b"\x00";
+};
+
+# Top-level entry for the client.
+public type FrontendMessages = unit {
+    %context = Context;
+    on %init {
+        # Until the first FrontendMessages are initialized, ssl_sink in the
+        # context is a Null reference. Also, we want to use a single sink
+        # for both, frontend and backend by calling beg
+        self.context().ssl_sink = self.s1;
+    }
+
+    var buffered: vector<bytes>;
+    var s1_connected: bool;
+    var ssl_requested: bool;
+    sink s1;
+
+    # Peek at the client data.
+    length: uint32 &requires=(self.length >= 8);
+    version_or_magic: uint32 {
+        self.ssl_requested = self.length == 8 && $$ == 80877103;
+
+        if (self.ssl_requested) {
+            self.context().ssl_frontend_state = SSLFrontendState::Requested;
+        } else {
+            self.context().ssl_frontend_state = SSLFrontendState::NotRequested;
+            self.context().ssl_backend_state = SSLBackendState::N;
+
+            # Pre-check the supported major version here.
+            local major = $$ >> 16;
+            if (major != 3)
+                throw "unsupported PostgreSQL major version %s" % major;
+
+            # Put length and version back into the buffer so PlainFrontendMessages
+            # can re-parse it.
+            #
+            # This explicitly avoids using random access functionality like
+            # `self.input()` and `self.set_input()` which would disable automatic
+            # trimming in this unit (which is top-level unit parsing unbounded
+            # amounts of data).
+            self.buffered.push_back(pack(self.length, spicy::ByteOrder::Network));
+            self.buffered.push_back(pack(self.version_or_magic, spicy::ByteOrder::Network));
+        }
+    }
+
+    # void field for raising an event.
+    ssl_request: void if(self.ssl_requested == True);
+
+    # print "frontend ssl", self.context();
+
+    # If the client requested SSL, we do not know how to continue parsing
+    # until the server confirmed SSL usage via 'S' or 'N' responses. As long
+    # as it hasn't responded, stall the parsing here and buffer bytes until
+    # the context() is populated.
+    #
+    # In normal operations, Zeek should see the server's response before
+    # attempting to parse more data, but Robin was concerned it that in
+    # some circumstances (out-of-order packets, reassembly artifacts) we
+    # may see the client's data before the server's.
+    #
+    # In the future, barrier: https://github.com/zeek/spicy/pull/1373
+    : bytes &chunked &eod {
+        if (!self.context().ssl_backend_state) {
+            self.buffered.push_back($$);
+
+            if (|self.buffered| > MAX_BUFFERED)
+                throw "too many frontend messages buffered";
+        } else {
+            # print "frontend ssl_state backend set!", self.context();
+            if (!self.s1_connected) {
+                if (self.context().ssl_backend_state == SSLBackendState::S) {
+                    if (!self.context().ssl_sink_connected) {
+                        self.context().ssl_sink.connect(new SSLSink());
+                        self.context().ssl_sink_connected = True;
+                    }
+                } else {
+                    # print "connecting plain frontend messages";
+                    self.s1.connect(new PlainFrontendMessages());
+                }
+
+                self.s1_connected = True;
+
+                if (|self.buffered| > 0) {
+                    for (b in self.buffered)
+                        self.s1.write(b);
+                }
+
+                self.buffered.resize(0);
+            }
+
+            self.s1.write($$);
+        }
+    }
+};
+
+type PlainFrontendMessages = unit {
+    startup_message: StartupMessage;
+    : FrontendMessage[];
+};
+
+type FrontendMessage = unit {
+    typ: uint8;
+    length: uint32 &requires=(self.length >= 4);
+
+    switch (self.typ) {
+        'p' -> : AuthenticationResponse;
+        'X' -> : Terminate;
+        'Q' -> : SimpleQuery;
+        * -> not_implemented: NotImplemented(self.typ);
+    } &size=self.length - 4;
+};
+
+type AuthenticationResponse = unit {
+    # This is PasswordMessage, SASLInitialMessage, etc. based on context.
+    # For now, just thread it through.
+    data: bytes &eod;
+};
+
+type Terminate = unit {};
+
+type SimpleQuery = unit {
+    query: bytes &until=b"\x00";
+};
+
+# The client has requested SSL, the server either confirms (S) or
+# stays in plaintext (N) mode. Depending on the result, we connect
+# our sink to the SSL sink, or to a PlainBackendMessages unit.
+#
+type MaybeBackendSSL = unit(ctx: Context&) {
+
+    # Connected SSL, or plaintext.
+    sink s1;
+
+    ssl_byte: uint8 &requires=($$ == 'S' || $$ == 'N') {
+        # print "backend ssl_byte", $$;
+        if ($$ == 'S') {
+            ctx.ssl_backend_state = SSLBackendState::S;
+            if (!ctx.ssl_sink_connected) {
+                ctx.ssl_sink.connect(new SSLSink());
+                ctx.ssl_sink_connected = True;
+            }
+
+            # Share the SSL sink with the frontend.
+            self.s1 = ctx.ssl_sink;
+        } else {
+            ctx.ssl_backend_state = SSLBackendState::N;
+            self.s1.connect(new PlainBackendMessages());
+        }
+    }
+
+    # Now that s1 is connected, forward the rest of the connection to it.
+    : bytes &chunked &eod -> self.s1;
+};
+
+# Top-level entry for the server.
+public type BackendMessages = unit {
+    %context = Context;
+
+    var buffered: vector<bytes>;
+    var s1_connected: bool;
+    sink s1;
+
+    # Buffer until the SSL frontend state was populated.
+    : bytes &chunked &eod {
+        if (!self.context().ssl_frontend_state) {
+            # print "backend buffering ", |$$|;
+            self.buffered.push_back($$);
+
+            if (|self.buffered| > MAX_BUFFERED)
+                throw "too many backend messages buffered";
+        } else {
+            # The ssl_frontend_state has been set. If The client requested SSL,
+            # connect to an SSLMaybe instance. If it did not, connect
+            # directly to PlainBackendMessages.
+            # print "backend", self.context(), |self.buffered|, self.s1, self.s1_connected;
+            if (!self.s1_connected) {
+
+                if (self.context().ssl_frontend_state == SSLFrontendState::Requested) {
+                    self.s1.connect(new MaybeBackendSSL(self.context()));
+                } else {
+                    self.s1.connect(new PlainBackendMessages());
+                }
+
+                self.s1_connected = True;
+
+                if (|self.buffered| > 0) {
+                    for (b in self.buffered)
+                        self.s1.write(b);
+                }
+                self.buffered.resize(0);
+            }
+
+            # print "backend writing to sink", $$, |self.s1|;
+            self.s1.write($$);
+        }
+    }
+};
+
+type PlainBackendMessages = unit {
+    : BackendMessage[];
+};
+
+type BackendMessage = unit {
+    typ: uint8;
+    length: uint32 &requires=(self.length >= 4);
+
+    switch (self.typ) {
+        'K' -> backend_key_data: BackendKeyData;
+        'E' -> error: ErrorResponse;
+        'R' -> auth: AuthenticationRequest(self.length - 4);
+        'S' -> parameter_status: ParameterStatus;
+        'D' -> data_row: DataRow;
+        'Z' -> ready_for_query: ReadyForQuery;
+        'N' -> notice: NoticeResponse;
+        * -> not_implemented: NotImplemented(self.typ);
+    } &size=self.length - 4;
+};
+
+type ParameterStatus = unit {
+    name: /[-_\/A-Za-z0-9]+/ &requires=(|$$| > 0);
+    : uint8 &requires=($$ == 0);
+    value: /[\x20-\x7e]+/ &requires=(|$$| > 0);
+    : uint8 &requires=($$ == 0);
+};
+
+# Possible values are 'I' if idle (not in a transaction block);
+# 'T' if in a transaction block; or 'E' if in a failed transaction block
+# (queries will be rejected until block is ended).
+type ReadyForQuery = unit {
+    transaction_status: uint8 &requires=($$ == 'I' || $$ == 'T' || $$ == 'E');
+};
+
+type NoticeIdentifiedField = unit {
+    code: uint8;
+    value: bytes &until=b"\x00";
+};
+
+type NoticeResponse = unit {
+    : NoticeIdentifiedField[];
+    : skip b"\x00";
+};
+
+# Just for counting right now.
+type DataRow = unit {
+    column_values: uint16;
+    : skip bytes &eod;
+};
+
+# Fields with a 1 byte field as documented here:
+# https://www.postgresql.org/docs/current/protocol-error-fields.html
+type ErrorIdentifiedField = unit {
+    code: uint8;
+    value: bytes &until=b"\x00";
+};
+
+type ErrorResponse = unit {
+    : ErrorIdentifiedField[];
+    : skip b"\x00";
+};
+
+type AuthenticationRequest = unit(length: uint32) {
+    identifier: uint32 &requires=($$ <= 12) {
+        if (self.identifier == 0 && length != 4)
+            throw "AuthenticationOK with wrong length: %s" % length;
+    }
+
+    # There's more structure (GSS-API, SASL, cleartext), but for now
+    # just thread through the raw data.
+    data: bytes &eod;
+};
+
+type BackendKeyData = unit {
+    process_id: uint32;
+    secret_key: uint32;
+};
+
+type NotImplemented = unit(typ: uint8) {
+    chunk: bytes &eod;
+};

src/analyzer/protocol/postgresql/postgresql_zeek.spicy

@@ -0,0 +1,43 @@
+# Set up protocol confirmation/rejection for analyzers, as well as any further
+# Zeek-specific analysis.
+
+module PostgreSQL_Zeek;
+
+import PostgreSQL;
+import zeek;
+
+# If we see a client StartupMessage, that's pretty good.
+on PostgreSQL::StartupMessage::%done {
+    zeek::confirm_protocol();
+}
+
+# If the server replied with an ssl_byte and we let it through,
+# that's also pretty good.
+on PostgreSQL::MaybeBackendSSL::ssl_byte {
+    zeek::confirm_protocol();
+}
+
+on PostgreSQL::SSLSink::%init {
+    zeek::protocol_begin("SSL");
+}
+
+on PostgreSQL::SSLSink::%done {
+    zeek::protocol_end();
+}
+
+on PostgreSQL::SSLSink::chunk {
+    # print "ssl_chunk", zeek::is_orig(), self;
+    zeek::protocol_data_in(zeek::is_orig(), self.chunk);
+}
+
+on PostgreSQL::StartupMessage::%error(msg: string) {
+    zeek::reject_protocol("error while parsing PostgreSQL StartupMessage: %s" % msg);
+}
+
+on PostgreSQL::FrontendMessage::%error(msg: string) {
+    zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg);
+}
+
+on PostgreSQL::BackendMessage::%error(msg: string) {
+    zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg);
+}

testing/btest/Baseline/core.print-bpf-filters/output2

@@ -38,6 +38,7 @@
 2 53
 1 5353
 1 5355
+1 5432
 1 563
 1 585
 1 587
@@ -65,8 +66,8 @@
 1 992
 1 993
 1 995
-74 and
-73 or
-74 port
-46 tcp
+75 and
+74 or
+75 port
+47 tcp
 28 udp

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -435,6 +435,10 @@ scripts/base/init-default.zeek
     scripts/base/protocols/ntp/main.zeek
     scripts/base/protocols/ntp/consts.zeek
   scripts/base/protocols/pop3/__load__.zeek
+  scripts/base/protocols/postgresql/__load__.zeek
+    scripts/base/protocols/postgresql/consts.zeek
+    scripts/base/protocols/postgresql/spicy-events.zeek
+    scripts/base/protocols/postgresql/main.zeek
   scripts/base/protocols/quic/__load__.zeek
     scripts/base/protocols/quic/spicy-events.zeek
     scripts/base/protocols/quic/consts.zeek

testing/btest/Baseline/coverage.find-bro-logs/out

@@ -41,6 +41,7 @@ ocsp
 openflow
 packet_filter
 pe
+postgresql
 print_log_path
 quic
 radius

testing/btest/Baseline/coverage.record-fields/out.default

@@ -509,6 +509,35 @@ connection {
         * size: count, log=F, optional=F
         * state: count, log=F, optional=F
        }
+  * postgresql: record PostgreSQL::Info, log=F, optional=T
+      PostgreSQL::Info {
+        * application_name: string, log=T, optional=T
+        * backend: string, log=T, optional=T
+        * backend_arg: string, log=T, optional=T
+        * database: string, log=T, optional=T
+        * frontend: string, log=T, optional=T
+        * frontend_arg: string, log=T, optional=T
+        * id: record conn_id, log=T, optional=F
+            conn_id { ... }
+        * rows: count, log=T, optional=T
+        * success: bool, log=T, optional=T
+        * ts: time, log=T, optional=F
+        * uid: string, log=T, optional=F
+        * user: string, log=T, optional=T
+       }
+  * postgresql_state: record PostgreSQL::State, log=F, optional=T
+      PostgreSQL::State {
+        * application_name: string, log=F, optional=T
+        * database: string, log=F, optional=T
+        * errors: vector of string, log=F, optional=F
+        * rows: count, log=F, optional=T
+        * user: string, log=F, optional=T
+        * version: record PostgreSQL::Version, log=F, optional=T
+            PostgreSQL::Version {
+              * major: count, log=F, optional=F
+              * minor: count, log=F, optional=F
+             }
+       }
   * quic: record QUIC::Info, log=F, optional=T
       QUIC::Info {
         * client_initial_dcid: string, log=T, optional=T

testing/btest/Baseline/scripts.base.files.x509.files/files.log

@@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string
-XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
-XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	cause	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+1673270800.189652	violation	protocol	POSTGRESQL	CHhAvVGS1DHFjwGM9	-	127.0.0.1	54958	127.0.0.1	5432	error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...)	-

testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	54958	127.0.0.1	5432	-

testing/btest/Baseline/scripts.base.protocols.postgresql.bad-startup-message/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	54906	127.0.0.1	5432	-

testing/btest/Baseline/scripts.base.protocols.postgresql.dump-events/output

@@ -0,0 +1,483 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+XXXXXXXXXX.XXXXXX PostgreSQL::ssl_request
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 613.140106 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+
+XXXXXXXXXX.XXXXXX analyzer_confirmation_info
+                  [0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_POSTGRESQL
+                  [1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=3, num_bytes_ip=172, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 382.205963 usecs, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}], f=<uninitialized>, aid=3]
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ssl_reply
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=3, num_bytes_ip=172, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 382.205963 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] data: string       = N
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = user
+                  [2] value: string      = zeek
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = database
+                  [2] value: string      = zeek
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = application_name
+                  [2] value: string      = psql
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = client_encoding
+                  [2] value: string      = UTF8
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_message
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] major: count       = 3
+                  [2] minor: count       = 0
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=5, num_bytes_ip=352, flow_label=0, l2_addr=<uninitialized>], resp=[size=25, state=4, num_pkts=4, num_bytes_ip=217, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=5.0 msecs 738.019943 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] identifier: count  = 10
+                  [2] data: string       = SCRAM-SHA-256\x00\x00
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=6, num_bytes_ip=404, flow_label=0, l2_addr=<uninitialized>], resp=[size=25, state=4, num_pkts=5, num_bytes_ip=293, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 98.031998 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] data: string       = SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=7, num_bytes_ip=511, flow_label=0, l2_addr=<uninitialized>], resp=[size=118, state=4, num_pkts=6, num_bytes_ip=345, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 646.156311 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] identifier: count  = 11
+                  [2] data: string       = r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,s=+CteaSWwgyiphFuGGX5BiA==,i=4096
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=8, num_bytes_ip=563, flow_label=0, l2_addr=<uninitialized>], resp=[size=118, state=4, num_pkts=7, num_bytes_ip=490, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 935.058594 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] data: string       = c=biws,r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,p=dyDbm15UroGE6wwsbEqiKmSYJNRf50RC/KK2ULYhR4M=
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] identifier: count  = 12
+                  [2] data: string       = v=0jpq9fPJQZCGXFdlCjQTGro71zmbxS/ENeTsnR2nWp4=
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_ok
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = application_name
+                  [2] value: string      = psql
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = client_encoding
+                  [2] value: string      = UTF8
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = DateStyle
+                  [2] value: string      = ISO, MDY
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = default_transaction_read_only
+                  [2] value: string      = off
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = in_hot_standby
+                  [2] value: string      = off
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = integer_datetimes
+                  [2] value: string      = on
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = IntervalStyle
+                  [2] value: string      = postgres
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = is_superuser
+                  [2] value: string      = on
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = server_encoding
+                  [2] value: string      = UTF8
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = server_version
+                  [2] value: string      = 14.5 (Debian 14.5-1.pgdg110+1)
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = session_authorization
+                  [2] value: string      = zeek
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = standard_conforming_strings
+                  [2] value: string      = on
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = TimeZone
+                  [2] value: string      = Etc/UTC
+
+XXXXXXXXXX.XXXXXX PostgreSQL::backend_key_data
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] process_id: count  = 96
+                  [2] secret_key: count  = 590994220
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] transaction_status: string = I
+
+XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=10, num_bytes_ip=776, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=9, num_bytes_ip=1059, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=25.0 msecs 581.121445 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] query: string      = select now()
+
+XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] is_orig: bool      = F
+                  [2] typ: string        = T
+                  [3] chunk: string      = \x00\x01now\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\xa0\x00\x08\xff\xff\xff\xff\x00\x00
+
+XXXXXXXXXX.XXXXXX PostgreSQL::data_row
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] column_values: count = 1
+
+XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] is_orig: bool      = F
+                  [2] typ: string        = C
+                  [3] chunk: string      = SELECT 1\x00
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] transaction_status: string = I
+
+XXXXXXXXXX.XXXXXX PostgreSQL::terminate
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=271, state=4, num_pkts=12, num_bytes_ip=898, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=11, num_bytes_ip=1252, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=27.0 msecs 49.064636 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = user
+                  [2] value: string      = postgres
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = database
+                  [2] value: string      = postgres
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = application_name
+                  [2] value: string      = psql
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = client_encoding
+                  [2] value: string      = UTF8
+
+XXXXXXXXXX.XXXXXX analyzer_confirmation_info
+                  [0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_POSTGRESQL
+                  [1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}], f=<uninitialized>, aid=3]
+
+XXXXXXXXXX.XXXXXX PostgreSQL::startup_message
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] major: count       = 3
+                  [2] minor: count       = 0
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=3, num_bytes_ip=248, flow_label=0, l2_addr=<uninitialized>], resp=[size=24, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 885.890961 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] identifier: count  = 10
+                  [2] data: string       = SCRAM-SHA-256\x00\x00
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=4, num_bytes_ip=300, flow_label=0, l2_addr=<uninitialized>], resp=[size=24, state=4, num_pkts=3, num_bytes_ip=188, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 msecs 925.872803 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] data: string       = SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=TwGbAdrgxcvfe7FNe0iWJfSf
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=5, num_bytes_ip=407, flow_label=0, l2_addr=<uninitialized>], resp=[size=117, state=4, num_pkts=3, num_bytes_ip=188, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 165.006638 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] identifier: count  = 11
+                  [2] data: string       = r=TwGbAdrgxcvfe7FNe0iWJfSf3mBBWw9W0eciRd2Pkg2/HIB1,s=iKUi26lwqA6spIkddhe7hw==,i=4096
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=5, num_bytes_ip=407, flow_label=0, l2_addr=<uninitialized>], resp=[size=117, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=5.0 msecs 603.790283 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] data: string       = c=biws,r=TwGbAdrgxcvfe7FNe0iWJfSf3mBBWw9W0eciRd2Pkg2/HIB1,p=Y0VuiVVs4GDpPeMPkQcE0ADRvkq3Njc1mpCIrK1m/1Q=
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] identifier: count  = 12
+                  [2] data: string       = v=na9OnyjI3MkvsAm3C8I8BoeiU4I6QL3HPaMCcLTOgfA=
+
+XXXXXXXXXX.XXXXXX PostgreSQL::authentication_ok
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = in_hot_standby
+                  [2] value: string      = off
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = integer_datetimes
+                  [2] value: string      = on
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = TimeZone
+                  [2] value: string      = Etc/UTC
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = IntervalStyle
+                  [2] value: string      = postgres
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = is_superuser
+                  [2] value: string      = on
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = application_name
+                  [2] value: string      = psql
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = default_transaction_read_only
+                  [2] value: string      = off
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = scram_iterations
+                  [2] value: string      = 4096
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = DateStyle
+                  [2] value: string      = ISO, MDY
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = standard_conforming_strings
+                  [2] value: string      = on
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = session_authorization
+                  [2] value: string      = postgres
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = client_encoding
+                  [2] value: string      = UTF8
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = server_version
+                  [2] value: string      = 16.4 (Debian 16.4-1.pgdg120+1)
+
+XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] name: string       = server_encoding
+                  [2] value: string      = UTF8
+
+XXXXXXXXXX.XXXXXX PostgreSQL::backend_key_data
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] process_id: count  = 876
+                  [2] secret_key: count  = 4268530428
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] transaction_status: string = I
+
+XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 889.820099 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] query: string      = DROP TABLE IF EXISTS t;
+
+XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = S
+                  [2] value: string      = NOTICE
+
+XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = V
+                  [2] value: string      = NOTICE
+
+XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = C
+                  [2] value: string      = 00000
+
+XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = M
+                  [2] value: string      = table "t" does not exist, skipping
+
+XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = F
+                  [2] value: string      = tablecmds.c
+
+XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = L
+                  [2] value: string      = 1300
+
+XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = R
+                  [2] value: string      = DropErrorMsgNonExistent
+
+XXXXXXXXXX.XXXXXX PostgreSQL::notice_response
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+
+XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] is_orig: bool      = F
+                  [2] typ: string        = C
+                  [3] chunk: string      = DROP TABLE\x00
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] transaction_status: string = I
+
+XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 164.001465 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] query: string      = CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time);
+
+XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 630.836487 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] is_orig: bool      = F
+                  [2] typ: string        = C
+                  [3] chunk: string      = CREATE TABLE\x00
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 630.836487 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] transaction_status: string = I
+
+XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 734.786987 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] query: string      = INSERT INTO t VALUES (now(), now(), now());
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = S
+                  [2] value: string      = ERROR
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = V
+                  [2] value: string      = ERROR
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = C
+                  [2] value: string      = 42804
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = M
+                  [2] value: string      = column "i" is of type integer but expression is of type timestamp with time zone
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = H
+                  [2] value: string      = You will need to rewrite or cast the expression.
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = P
+                  [2] value: string      = 23
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = F
+                  [2] value: string      = parse_target.c
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = L
+                  [2] value: string      = 586
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = R
+                  [2] value: string      = transformAssignedExpr
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] transaction_status: string = I
+
+XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=21.0 msecs 95.991135 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] query: string      = DROP TABLE t;
+
+XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 515.939713 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] is_orig: bool      = F
+                  [2] typ: string        = C
+                  [3] chunk: string      = DROP TABLE\x00
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 515.939713 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] transaction_status: string = I
+
+XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 620.843887 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] query: string      = DROP TABLE t;
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = S
+                  [2] value: string      = ERROR
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = V
+                  [2] value: string      = ERROR
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = C
+                  [2] value: string      = 42P01
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = M
+                  [2] value: string      = table "t" does not exist
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = F
+                  [2] value: string      = tablecmds.c
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = L
+                  [2] value: string      = 1294
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] code: string       = R
+                  [2] value: string      = DropErrorMsgNonExistent
+
+XXXXXXXXXX.XXXXXX PostgreSQL::error_response
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+
+XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1106, state=4, num_pkts=10, num_bytes_ip=1628, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 727.893829 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+                  [1] transaction_status: string = I
+
+XXXXXXXXXX.XXXXXX PostgreSQL::terminate
+                  [0] c: connection      = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=431, state=4, num_pkts=12, num_bytes_ip=1058, flow_label=0, l2_addr=<uninitialized>], resp=[size=1106, state=4, num_pkts=11, num_bytes_ip=1686, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 757.93457 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
+

testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/analyzer.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	cause	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+1362692526.939527	violation	protocol	POSTGRESQL	CHhAvVGS1DHFjwGM9	-	141.142.228.5	59856	192.150.187.43	5432	unsupported PostgreSQL major version 12132 (...)	GET /download/CHANGES.bro-aux.txt HTTP/1

testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	history	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	5432	ShADadFf	-

testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/analyzer.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	cause	analyzer_kind	analyzer_name	uid	fuid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	failure_reason	failure_data
+1723562242.888659	violation	protocol	POSTGRESQL	CHhAvVGS1DHFjwGM9	-	127.0.0.1	43330	127.0.0.1	5432	unsupported PostgreSQL major version 3490 (...)	\xf4\x00\x00\x01\x0d\xa2\x1b\x18\x00\x00\x00@\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root

testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	history	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	43330	127.0.0.1	5432	ShAdDaFf	-

testing/btest/Baseline/scripts.base.protocols.postgresql.parameter-status/output

@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+parameter_status, ClEkJM2Vm5giqnMf4h, application_name, psql
+parameter_status, ClEkJM2Vm5giqnMf4h, client_encoding, UTF8
+parameter_status, ClEkJM2Vm5giqnMf4h, DateStyle, ISO, MDY
+parameter_status, ClEkJM2Vm5giqnMf4h, default_transaction_read_only, off
+parameter_status, ClEkJM2Vm5giqnMf4h, in_hot_standby, off
+parameter_status, ClEkJM2Vm5giqnMf4h, integer_datetimes, on
+parameter_status, ClEkJM2Vm5giqnMf4h, IntervalStyle, postgres
+parameter_status, ClEkJM2Vm5giqnMf4h, is_superuser, on
+parameter_status, ClEkJM2Vm5giqnMf4h, server_encoding, UTF8
+parameter_status, ClEkJM2Vm5giqnMf4h, server_version, 14.5 (Debian 14.5-1.pgdg110+1)
+parameter_status, ClEkJM2Vm5giqnMf4h, session_authorization, zeek
+parameter_status, ClEkJM2Vm5giqnMf4h, standard_conforming_strings, on
+parameter_status, ClEkJM2Vm5giqnMf4h, TimeZone, Etc/UTC

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-auth/output

@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+authentication_request, CHhAvVGS1DHFjwGM9, 10, SCRAM-SHA-256\x00\x00
+authentication_response, CHhAvVGS1DHFjwGM9, SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi
+authentication_request, CHhAvVGS1DHFjwGM9, 11, r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,s=+CteaSWwgyiphFuGGX5BiA==,i=4096
+authentication_response, CHhAvVGS1DHFjwGM9, c=biws,r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,p=dyDbm15UroGE6wwsbEqiKmSYJNRf50RC/KK2ULYhR4M=
+authentication_request, CHhAvVGS1DHFjwGM9, 12, v=0jpq9fPJQZCGXFdlCjQTGro71zmbxS/ENeTsnR2nWp4=
+authentication_ok, CHhAvVGS1DHFjwGM9

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36060	52.200.36.167	15432	postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/postgresql.cut

@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36060	52.200.36.167	15432	zeek	zeek	psql	startup	-	auth_ok	MD5Password	T	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36060	52.200.36.167	15432	zeek	zeek	psql	simple_query	select now()	-	-	T	1
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36060	52.200.36.167	15432	zeek	zeek	psql	terminate	-	-	-	-	-

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36060	52.200.36.167	5432	postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/postgresql.cut

@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36060	52.200.36.167	5432	zeek	zeek	psql	startup	-	auth_ok	MD5Password	T	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36060	52.200.36.167	5432	zeek	zeek	psql	simple_query	select now()	-	-	T	1
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36060	52.200.36.167	5432	zeek	zeek	psql	terminate	-	-	-	-	-

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36934	52.200.36.167	15432	ssl,postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/postgresql.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36934	52.200.36.167	15432	-	-	-	ssl_request	-	ssl_reply	S	T	-

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/ssl.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36934	52.200.36.167	15432	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	database-1.cyx4x7yvdoay.us-east-1.rds.amazonaws.com

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36934	52.200.36.167	5432	ssl,postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/postgresql.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36934	52.200.36.167	5432	-	-	-	ssl_request	-	ssl_reply	S	T	-

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/ssl.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.123.132	36934	52.200.36.167	5432	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	database-1.cyx4x7yvdoay.us-east-1.rds.amazonaws.com

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/postgresql.cut

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	startup	-	auth_ok	SASL,SASLContinue,SASLFinal	T	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	simple_query	DROP TABLE IF EXISTS t;	-	SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,Line=1300,Routine=DropErrorMsgNonExistent	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	simple_query	CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time);	-	-	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	simple_query	INSERT INTO t VALUES (42, 'forty-two', now());	-	-	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	simple_query	INSERT INTO t VALUES (86, 'eighty-six', now());	-	-	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	simple_query	SELECT * from t;	-	-	T	2
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	simple_query	DELETE FROM t;	-	-	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	simple_query	DROP TABLE t;	-	-	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	40190	127.0.0.1	5432	postgres	postgres	psql	terminate	-	-	-	-	-

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	56698	127.0.0.1	5432	postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/postgresql.cut

@@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	56698	127.0.0.1	5432	postgres	postgres	psql	startup	-	auth_ok	SASL,SASLContinue,SASLFinal	T	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	56698	127.0.0.1	5432	postgres	postgres	psql	simple_query	DROP TABLE IF EXISTS t;	-	SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,Line=1300,Routine=DropErrorMsgNonExistent	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	56698	127.0.0.1	5432	postgres	postgres	psql	simple_query	CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time);	-	-	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	56698	127.0.0.1	5432	postgres	postgres	psql	simple_query	INSERT INTO t VALUES (now(), now(), now());	error	SeverityLocalized=ERROR,Severity=ERROR,Code=42804,Message=column "i" is of type integer but expression is of type timestamp with time zone,Hint=You will need to rewrite or cast the expression.,Position=23,File=parse_target.c,Line=586,Routine=transformAssignedExpr	F	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	56698	127.0.0.1	5432	postgres	postgres	psql	simple_query	DROP TABLE t;	-	-	T	0
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	56698	127.0.0.1	5432	postgres	postgres	psql	simple_query	DROP TABLE t;	error	SeverityLocalized=ERROR,Severity=ERROR,Code=42P01,Message=table "t" does not exist,File=tablecmds.c,Line=1294,Routine=DropErrorMsgNonExistent	F	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	56698	127.0.0.1	5432	postgres	postgres	psql	terminate	-	-	-	-	-

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51732	127.0.0.1	5432	postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/postgresql.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51732	127.0.0.1	5432	postgres	postgres	psql	startup	-	auth_request,auth_request,error	SASL,SASLContinue,SeverityLocalized=FATAL,Severity=FATAL,Code=28P01,Message=password authentication failed for user "postgres",File=auth.c,Line=323,Routine=auth_failed	F	-

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/conn.cut

@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	37268	127.0.0.1	5432	postgresql
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	37272	127.0.0.1	5432	postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/postgresql.cut

@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	37272	127.0.0.1	5432	zeek	zeek	psql	startup	-	auth_ok	SASL,SASLContinue,SASLFinal	T	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	127.0.0.1	37272	127.0.0.1	5432	zeek	zeek	psql	terminate	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	37268	127.0.0.1	5432	zeek	zeek	psql	startup	-	auth_request	SASL	-	-

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/conn.cut

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	35336	127.0.0.1	5432	postgresql

testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/postgresql.cut

@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	database	application_name	frontend	frontend_arg	backend	backend_arg	success	rows
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	35336	127.0.0.1	5432	-	-	-	ssl_request	-	ssl_reply	N	F	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	35336	127.0.0.1	5432	zeek	zeek	psql	startup	-	auth_ok	SASL,SASLContinue,SASLFinal	T	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	35336	127.0.0.1	5432	zeek	zeek	psql	simple_query	select now()	-	-	T	1
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	35336	127.0.0.1	5432	zeek	zeek	psql	terminate	-	-	-	-	-

testing/btest/Baseline/scripts.base.protocols.postgresql.startup-parameter/output

@@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+startup_parameter, CHhAvVGS1DHFjwGM9, user, zeek
+startup_parameter, CHhAvVGS1DHFjwGM9, database, zeek
+startup_parameter, CHhAvVGS1DHFjwGM9, application_name, psql
+startup_parameter, CHhAvVGS1DHFjwGM9, client_encoding, UTF8
+startup_parameter, ClEkJM2Vm5giqnMf4h, user, zeek
+startup_parameter, ClEkJM2Vm5giqnMf4h, database, zeek
+startup_parameter, ClEkJM2Vm5giqnMf4h, application_name, psql
+startup_parameter, ClEkJM2Vm5giqnMf4h, client_encoding, UTF8

testing/btest/scripts/base/protocols/postgresql/availability.zeek

@@ -0,0 +1,4 @@
+# @TEST-DOC: Check that the PostgreSQL analyzer is available.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -NN | grep -qi 'ANALYZER_POSTGRESQL'

testing/btest/scripts/base/protocols/postgresql/bad-backend-message.zeek

@@ -0,0 +1,13 @@
+# @TEST-DOC: Startup message triggering integer overflow
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-backend-message-1.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
+# @TEST-EXEC: test ! -f reporter.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/bad-startup-message.zeek

@@ -0,0 +1,11 @@
+# @TEST-DOC: Startup message triggering integer overflow
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-startup-message-1.pcap ${PACKAGE} %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: test ! -f reporter.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/dump-events.zeek

@@ -0,0 +1,17 @@
+# @TEST-DOC: Test that misc/dump events works.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >>output
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >>output
+#
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/postgresql/spicy-events.zeek
+@load misc/dump-events
+
+redef DumpEvents::dump_all_events = T;
+redef DumpEvents::include=/^(PostgreSQL|analyzer_)/;
+
+event zeek_init() {
+	Analyzer::register_for_port(Analyzer::ANALYZER_POSTGRESQL, 5432/tcp);
+}

testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek

@@ -0,0 +1,13 @@
+# @TEST-DOC: Test rejecting wrong protocol.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
+# @TEST-EXEC: test ! -f postgresql.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek

@@ -0,0 +1,13 @@
+# @TEST-DOC: Test rejecting wrong protocol.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
+# @TEST-EXEC: test ! -f postgresql.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test the parameter status event.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+#
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/postgresql
+
+event PostgreSQL::parameter_status(c: connection, name: string, value: string) {
+	print "parameter_status", c$uid, name, value;
+}

testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek

@@ -0,0 +1,20 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
+#
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/postgresql
+
+event PostgreSQL::authentication_request(c: connection, identifier: count, data: string) {
+	print "authentication_request", c$uid, identifier, data;
+}
+
+event PostgreSQL::authentication_response(c: connection, data: string) {
+	print "authentication_response", c$uid, data;
+}
+
+event PostgreSQL::authentication_ok(c: connection) {
+	print "authentication_ok", c$uid;
+}

testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test that the dpd.sig picks up a plaintext connection on a non-standard port.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek

@@ -0,0 +1,14 @@
+# @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+# @TEST-EXEC: test ! -f ssl.log
+
+@load base/protocols/conn
+@load base/protocols/postgresql
+@load base/protocols/ssl

testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek

@@ -0,0 +1,15 @@
+# @TEST-DOC: Test that the dpd.sig picks up the SSLRequest and server response on a non-standard port.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff ssl.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql
+@load base/protocols/ssl

testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek

@@ -0,0 +1,15 @@
+# @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require.pcap %INPUT
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff ssl.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql
+@load base/protocols/ssl

testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Trace with CREATE TABLE, INSERT, SELECT DELETE and DROP.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-create-insert-select-delete-drop.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap ${PACKAGE} %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-fail.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: The client does not start with SSLRequest. This pcap has two connections, attempting without password.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
+# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service  < conn.log > conn.cut
+# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
+#
+# @TEST-EXEC: btest-diff conn.cut
+# @TEST-EXEC: btest-diff postgresql.cut
+
+@load base/protocols/conn
+@load base/protocols/postgresql

testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek

@@ -0,0 +1,12 @@
+# @TEST-DOC: Event for name, value pairs in the startup message.
+#
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
+#
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/postgresql
+
+event PostgreSQL::startup_parameter(c: connection, name: string, value: string) {
+	print "startup_parameter", c$uid, name, value;
+}