Merge remote-tracking branch 'origin/master' into topic/johanna/spicy-tls

* origin/master: (27 commits)
  Update doc submodule [nomail] [skip ci]
  btest/ldap: Add regression test for #3919
  postgresql: Simplify SSL buffering and forwarding
  postgresql: Initial parser implementation
  testing/external: Update private baselines
  analyzer/syslog: Reformat with spicy-format
  analyzer/finger: Reformat with spicy-format
  scripts/spicy: Reformat with spicy-format
  pre-commit: Add spicy-format
  Check for netbios to avoid reporting extra bad DNS opcodes
  Add weird for unhandled opcodes in DNS analyzer
  Bump zeek-aux for zeek/zeek-aux#57
  Remove pre-commit exclusions for clang-format
  Bump clang-format
  Bump auxil/spicy to latest development snapshot
  RunState: Drop broker_mgr->Active() usage
  script_opt/ZAM/IterInfo.h: Add missing Dict.h dependency
  script_opt/ZAM: ZBody.h / Support.h: Cleanup includes, use forward declarations
  script_opt/ZAM/Profile: Remove Zeek header includes
  script_opt: Extend Support.h to break include dependencies
  ...
This commit is contained in:
Johanna Amann 2024-09-11 14:13:19 +02:00
commit 94f93d0704
138 changed files with 2653 additions and 405 deletions

@ -3,7 +3,7 @@
#
repos:
- repo: https://github.com/pre-commit/mirrors-clang-format
rev: 'v17.0.3'
rev: 'v18.1.8'
hooks:
- id: clang-format
types_or:
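Review bot: `rev: 'v18.1.8'` pins the mirrors-clang-format hook by tag, as the rest of this file does; pre-commit also accepts a full commit SHA in `rev`, which cannot be moved the way a tag can, so for hooks that run on every contributor checkout a SHA pin (with the tag kept in a trailing comment) is the more robust supply-chain choice. If that is adopted it should be done for all hooks at once rather than only for this bump.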
@ -26,10 +26,16 @@ repos:
rev: v0.6.13
hooks:
- id: cmake-format
exclude: '^auxil/.*$'
- repo: https://github.com/crate-ci/typos
rev: v1.16.21
hooks:
- id: typos
exclude: '^(.typos.toml|src/SmithWaterman.cc|testing/.*|auxil/.*|scripts/base/frameworks/files/magic/.*|CHANGES)$'
- repo: https://github.com/bbannier/spicy-format
rev: v0.15.0
hooks:
- id: spicy-format
# TODO: Reformat existing large analyzers just before 8.0.
exclude: '(^testing/.*)|(protocol/ldap/.*)|(protocol/quic/.*)|(protocol/websocket/.*)'
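Review bot: the new spicy-format `exclude` mixes one anchored alternative (`^testing/.*`) with three unanchored ones (`protocol/ldap/.*`, `protocol/quic/.*`, `protocol/websocket/.*`). It behaves as intended because pre-commit applies these patterns with a search rather than a full match, but it reads inconsistently next to the fully anchored `^(...)$` form the `typos` hook uses a few lines above. One anchored group, e.g. `^(testing/.*|.*protocol/(ldap|quic|websocket)/.*)$`, keeps the same semantics and makes the three-analyzer exception the `# TODO` refers to easier to delete in one step before 8.0.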

CHANGES

@ -1,3 +1,158 @@
7.1.0-dev.259 | 2024-09-09 13:24:45 +0200
* script_opt/ZAM/IterInfo.h: Add missing Dict.h dependency (Arne Welzel, Corelight)
Triggered when trying to remove some other includes elsewhere.
* script_opt/ZAM: ZBody.h / Support.h: Cleanup includes, use forward declarations (Arne Welzel, Corelight)
Not sure the IsAny() convenience functions were really worth the
include zeek/Expr.h.
* script_opt/ZAM/Profile: Remove Zeek header includes (Arne Welzel, Corelight)
This can stand by itself.
* script_opt: Extend Support.h to break include dependencies (Arne Welzel, Corelight)
Rebuilding ZBody.cc is annoyingly slow with UBSAN or ASAN enabled. A rebuild
is currently triggered when touching Manager.h files like logging/Manager.h,
broker/Manager.h or file_analysis/Manager.h and various other headers that are
included from there or directly in ZBody.h.
Add tiny wrapper functions to Support.h that encapsulate the actual Zeek
functionality and move the includes to Support.cc instead. This will
cause frequent Support.cc rebuilds, but that is decently fast.
This comes at the expense of one indirect function call for some ops, but
its overhead should be negligible in comparison to a lookup for a
connection or component or a log_mgr->Write() call.
* script_opt: Do not include ZBody.h in ZAM/Validate.cc (Arne Welzel, Corelight)
Touching broker/Manager.h or logging/Manager.h or anything that's
included in ZBody.h results in a rebuild of a bunch of files in ZAM.
Particularly, ZAM/Validate.cc takes much too long to recompile for
me (45+ seconds) and apparently that's mostly by accident.
Clean up the ZAM/Validate.cc includes to prevent this.
7.1.0-dev.252 | 2024-09-06 19:17:29 +0200
* btest/ldap: Add regression test for #3919 (Arne Welzel, Corelight)
This works as expected in master, it's just that we forgot to backport
PR #3845 to 7.0.1. Add the PCAP from Martin anyhow.
Closes #3919.
7.1.0-dev.250 | 2024-09-06 17:47:36 +0200
* postgresql: Simplify SSL buffering and forwarding (Arne Welzel, Corelight)
The ssl_sink can only be connected form the backend side, so don't
overcomplicate it.
* postgresql: Initial parser implementation (Arne Welzel, Corelight)
This adds a protocol parser for the PostgreSQL protocol and a new
postgresql.log similar to the existing mysql.log.
This should be considered preliminary and hopefully during 7.1 and 7.2
with feedback from the community, we can improve on the events and logs.
Even if most PostgreSQL communication is encrypted in the real-world, this
will minimally allow monitoring of the SSLRequest and hand off further
analysis to the SSL analyzer.
This originates from github.com/awelzel/spicy-postgresql, with lots of
polishing happening in the past two days.
7.1.0-dev.247 | 2024-09-05 19:19:31 +0200
* testing/external: Update private baselines (Arne Welzel, Corelight)
* analyzer/syslog: Reformat with spicy-format (Arne Welzel, Corelight)
* analyzer/finger: Reformat with spicy-format (Arne Welzel, Corelight)
* scripts/spicy: Reformat with spicy-format (Arne Welzel, Corelight)
* pre-commit: Add spicy-format (Arne Welzel, Corelight)
This excludes the larger protocol analyzers. These should be formatted
during the 7.2 cycle, shortly before 8.0.
7.1.0-dev.241 | 2024-09-04 14:53:19 -0700
* Check for netbios to avoid reporting extra bad DNS opcodes (Tim Wojtulewicz, Corelight)
* Add weird for unhandled opcodes in DNS analyzer (Tim Wojtulewicz, Corelight)
7.1.0-dev.238 | 2024-09-03 09:03:24 -0700
* Bump auxil/spicy to latest development snapshot (Benjamin Bannier, Corelight)
7.1.0-dev.236 | 2024-09-03 10:18:32 +0200
* Remove pre-commit exclusions for clang-format (Benjamin Bannier, Corelight)
We previously would ignore any files under `auxil/`. Since pre-commit
only formats files tracked in this repo, and `auxil/` today contains
only submodules this exclusion did not exclude anything; if however we
ever end up adding C++ files under `auxil/` we would like them to be
formatted consistently.
* Bump clang-format (Benjamin Bannier, Corelight)
This patch contains a bump of the configured clang-format version from
17.0.3 to 18.1.8 and automatically generated C++ source updates. The
main difference we are seeing from this is fixes for previously
incomplete reformats.
7.1.0-dev.233 | 2024-09-03 10:02:59 +0200
* Bump zeek-aux for zeek/zeek-aux#57 (Arne Welzel, Corelight)
7.1.0-dev.232 | 2024-08-30 18:56:24 +0200
* http: fix password capture when enabled (Pierre Lalet)
The current implementation would only log, if the password contains a
colon, the part before the first colon (e.g., the password
`password:password` would be logged as `password`).
A test has been added to confirm the expected behaviour.
7.1.0-dev.230 | 2024-08-30 15:38:52 +0200
* RunState: Drop broker_mgr->Active() usage (Arne Welzel, Corelight)
...and deprecate it. The communication_enabled flag doesn't really
make a difference in how the IO loop works.
* logging/WriterFrontend: No need for explicit CleanupWriteBuffer() (Arne Welzel, Corelight)
Any pending records will be cleaned in the destructor of WriterFrontend
and WriteBuffer, no need to do this explicitly.
* logging: Switch index-assignment of raw pointers to emplace_back() (Arne Welzel, Corelight)
* broker/logging: Change threading::Value** usage std::vector instead (Arne Welzel, Corelight)
This allows to leverage automatic memory management, less allocations
and using move semantics for expressing ownership.
This breaks the existing logging and broker API, but keeps the plugin
DoWrite() and HookLogWrite() methods functioning.
It further changes ValToLogVal to return a threading::Value rather than
a threading::Value*. The vector_val and set_val fields unfortunately
use the same pointer-to-array-of-pointers approach. this can'tbe changed
as it'd break backwards compatibility for plugin provided input readers
and log writers.
* threading/Value: Support move and copy constructors (Arne Welzel, Corelight)
7.1.0-dev.222 | 2024-08-27 13:29:12 +0100
* Fix parsing of version field in SSLv2 client hello (Johanna Amann, Corelight)
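Review bot: two typos in the new CHANGES entries: in `7.1.0-dev.250` "The ssl_sink can only be connected form the backend side" should read "from", and in `7.1.0-dev.230` "this can'tbe changed" needs a space ("this can't be changed"). Both entries are otherwise clear about the why of each change, which is what this file is for.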

NEWS

@ -16,9 +16,34 @@ Breaking Changes
new ``OpaqueVal::DoSerializeData`` and ``OpaqueVal::DoUnserializeData``
methods.
* Certain internal methods on the broker and logging classes have been changed to
accept std::vector<threading::Value> parameters instead of threading::Value**
to leverage automatic memory management, reduce the number of allocations
and use move semantics to express ownership.
The DoWrite() and HookLogWrite() methods which can be provided by plugins
are not affected by this change, so we keep backwards compatibility with
existing log writers.
New Functionality
-----------------
- Zeek now includes a PostgreSQL protocol analyzer. This analyzer is enabled
by default. The analyzer's events and its ``postgresql.log`` should be
considered preliminary and experimental until the arrival of Zeek's next
long-term-stable release (8.0).
If you observe unusually high CPU consumption or other issues due to this
analyzer being enabled by default, the easiest way to disable it is via the
``Analyzer::disabled_analyzers`` const as follows:
redef Analyzer::disabled_analyzers += {
Analyzer::ANALYZER_POSTGRESQL,
};
If you observe PostgreSQL traffic in your environment, please provide feedback
about the analyzer and structure of the new log.
* The LDAP analyzer now supports handling of non-sealed GSS-API WRAP tokens.
* StartTLS support was added to the LDAP analyzer. The SSL analyzer is enabled
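Review bot: bullet markers in this NEWS hunk are inconsistent: the Breaking Changes item and the two LDAP items use `*`, the new PostgreSQL item uses `-`. The literal markup is inconsistent too: ``OpaqueVal::DoSerializeData`` is wrapped in double backticks a few lines up, while `std::vector<threading::Value>`, `threading::Value**`, `DoWrite()` and `HookLogWrite()` in the new text are not. Finally, "via the ``Analyzer::disabled_analyzers`` const as follows:" ends, as it appears here, with a single colon, so the `redef Analyzer::disabled_analyzers += { ... }` snippet will not render as a literal block; use `::` or an explicit `.. code-block:: zeek`.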

@ -1 +1 @@
7.1.0-dev.222
7.1.0-dev.259

@ -1 +1 @@
Subproject commit 7cddc357ff83175984e19037f1f8062a69cf2030
Subproject commit 64c0000c2a9385020e7f357711c0da3de4b03517

@ -1 +1 @@
Subproject commit 8a66cd60fb29a1237b5070854cb194f43a3f7a30
Subproject commit e850412ab5dea10ee2ebb98e42527d80fcf9a7ed

doc

@ -1 +1 @@
Subproject commit fc15fea160a40c88ca9868a21203097b3a2b9b71
Subproject commit dd08d097c0a5763ad7231f64b71915e15c2e2a25

@ -67,6 +67,7 @@
@load base/protocols/ntlm
@load base/protocols/ntp
@load base/protocols/pop3
@load base/protocols/postgresql
@load base/protocols/quic
@load base/protocols/radius
@load base/protocols/rdp

@ -338,8 +338,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
if ( /^[bB][aA][sS][iI][cC] / in value )
{
local userpass = decode_base64_conn(c$id, sub(value, /[bB][aA][sS][iI][cC][[:blank:]]+/, ""));
local up = split_string(userpass, /:/);
if ( |up| >= 2 )
local up = split_string1(userpass, /:/);
if ( |up| == 2 )
{
c$http$username = up[0];
if ( c$http$capture_password )
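Review bot: the move to `split_string1` is the right fix: it splits at the first colon only, so `up[0]` is the user ID and `up[1]` keeps the whole password including any further colons, and `|up| == 2` still skips a credential without a colon exactly as the old `>= 2` did. One gap visible in the context lines: the guard `/^[bB][aA][sS][iI][cC] / in value` requires a single literal space after `Basic`, while the `sub()` two lines later strips `[[:blank:]]+`; a header with a tab or several blanks never enters this branch and is silently not logged. Aligning the guard to `/^[bB][aA][sS][iI][cC][[:blank:]]+/` would make the two patterns agree.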

@ -0,0 +1,6 @@
@if ( have_spicy_analyzers() )
@load ./consts
@load ./spicy-events
@load ./main
@load-sigs ./dpd
@endif

@ -0,0 +1,37 @@
module PostgreSQL;
export {
# https://www.postgresql.org/docs/current/protocol-error-fields.html
global error_ids: table[string] of string = {
["S"] = "SeverityLocalized",
["V"] = "Severity", # non-localized
["C"] = "Code",
["M"] = "Message",
["D"] = "Detail",
["H"] = "Hint",
["P"] = "Position",
["p"] = "InternalPosition",
["q"] = "InternalQuery",
["W"] = "Where",
["s"] = "Schema",
["t"] = "Table",
["c"] = "Column",
["d"] = "Data",
["n"] = "Constraint",
["F"] = "File",
["L"] = "Line",
["R"] = "Routine",
} &default=function(c: string): string { return fmt("UnknownErrorId%s", c); } &redef;
global auth_ids: table[count] of string = {
[2] = "KerberosV5",
[3] = "CleartextPassword",
[5] = "MD5Password",
[7] = "GSSAPI",
[8] = "GSSAPIContinue",
[9] = "SSPI",
[10] = "SASL",
[11] = "SASLContinue",
[12] = "SASLFinal",
} &default=function(id: count): string { return fmt("UnknownAuthId%s", id); } &redef;
}

@ -0,0 +1,29 @@
# Enable the analyzer if we see the SSLRequest message and a S|N reply from the server.
signature dpd_postgresql_client_sslrequest {
ip-proto == tcp
payload /^\x00\x00\x00\x08\x04\xd2\x16\x2f/
}
signature dpd_postgresql_server_ssl_confirm {
requires-reverse-signature dpd_postgresql_client_sslrequest
payload /^[SN]/
enable "PostgreSQL"
}
signature dpd_postgresql_client_startup_3_x {
ip-proto == tcp
# 4 byte length, then protocol version major, minor (16bit each),
# then expect the "user\x00" parameter to follow. Not sure about
# other versions, but we likely wouldn't properly parse them anyway.
payload /^....\x00\x03\x00.{0,256}user\x00/
}
signature dpd_postgresql_server_any_response {
requires-reverse-signature dpd_postgresql_client_startup_3_x
# One byte printable message type 4 bytes length. Assumes the first
# server message is not larger 64k(2^16) so match on \x00\x00 after
# the first byte.
payload /^[a-zA-Z0-9]\x00\x00../
enable "PostgreSQL"
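Review bot: comment wording in `dpd_postgresql_server_any_response`: "One byte printable message type 4 bytes length" needs punctuation ("One byte printable message type, 4 bytes length"), and "not larger 64k(2^16)" should read "not larger than 64k (2^16)". On the matching itself the pairing looks sound: `/^[a-zA-Z0-9]\x00\x00../` only fires after the originator matched `dpd_postgresql_client_startup_3_x` because of `requires-reverse-signature`, so a stray alphanumeric byte on another TCP service cannot enable the analyzer on its own, and `\x04\xd2\x16\x2f` in the SSLRequest signature is 80877103, the same code the parser checks in `version_or_magic`. Adding `tcp-state responder` to the two reply signatures would make the intended direction explicit rather than implied.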
}

@ -0,0 +1,245 @@
##! Implements base functionality for PostgreSQL analysis.
@load ./consts
@load ./spicy-events
@load base/protocols/conn/removal-hooks
module PostgreSQL;
export {
## Log stream identifier.
redef enum Log::ID += { LOG };
type Version: record {
major: count;
minor: count;
};
## Record type containing the column fields of the PostgreSQL log.
type Info: record {
## Timestamp for when the activity happened.
ts: time &log;
## Unique ID for the connection.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## The user as found in the StartupMessage.
user: string &optional &log;
## The database as found in the StartupMessage.
database: string &optional &log;
## The application name as found in the StartupMessage.
application_name: string &optional &log;
# The command or message from the frontend.
frontend: string &optional &log;
# Arguments for the command.
frontend_arg: string &optional &log;
# The reply from the backend.
backend: string &optional &log;
# Arguments for the reply from the backend.
backend_arg: string &optional &log;
# Whether the login/query was successful.
success: bool &optional &log;
# The number of rows returned or affectd.
rows: count &optional &log;
};
type State: record {
version: Version &optional;
user: string &optional;
database: string &optional;
application_name: string &optional;
rows: count &default=0;
errors: vector of string;
};
## Default hook into PostgreSQL logging.
global log_postgresql: event(rec: Info);
global finalize_postgresql: Conn::RemovalHook;
global ports: set[port] = { 5432/tcp } &redef;
}
redef record connection += {
postgresql: Info &optional;
postgresql_state: State &optional;
};
redef likely_server_ports += { ports };
event zeek_init() {
Analyzer::register_for_ports(Analyzer::ANALYZER_POSTGRESQL, ports);
Log::create_stream(PostgreSQL::LOG, [$columns=Info, $ev=log_postgresql, $path="postgresql"]);
}
hook set_session(c: connection) {
if ( ! c?$postgresql )
c$postgresql = Info($ts=network_time(), $uid=c$uid, $id=c$id);
if ( ! c?$postgresql_state ) {
c$postgresql_state = State();
Conn::register_removal_hook(c, finalize_postgresql);
}
}
function emit_log(c: connection) {
if ( ! c?$postgresql )
return;
if ( c$postgresql_state?$user )
c$postgresql$user = c$postgresql_state$user;
if ( c$postgresql_state?$database )
c$postgresql$database = c$postgresql_state$database;
if ( c$postgresql_state?$application_name )
c$postgresql$application_name = c$postgresql_state$application_name;
Log::write(PostgreSQL::LOG, c$postgresql);
delete c$postgresql;
}
event PostgreSQL::ssl_request(c: connection) {
hook set_session(c);
c$postgresql$frontend = "ssl_request";
}
event PostgreSQL::ssl_reply(c: connection, b: string) {
hook set_session(c);
c$postgresql$backend = "ssl_reply";
c$postgresql$backend_arg = b;
c$postgresql$success = b == "S";
emit_log(c);
}
event PostgreSQL::startup_parameter(c: connection, name: string, value: string) {
hook set_session(c);
if ( name == "user" ) {
c$postgresql_state$user = value;
} else if ( name == "database" ) {
c$postgresql_state$database = value;
} else if ( name== "application_name" ) {
c$postgresql_state$application_name = value;
}
}
event PostgreSQL::startup_message(c: connection, major: count, minor: count) {
hook set_session(c);
c$postgresql_state$version = Version($major=major, $minor=minor);
c$postgresql$frontend = "startup";
}
event PostgreSQL::error_response_identified_field(c: connection, code: string, value: string) {
hook set_session(c);
local errors = c$postgresql_state$errors;
errors += fmt("%s=%s", error_ids[code], value);
}
event PostgreSQL::notice_response_identified_field(c: connection, code: string, value: string) {
hook set_session(c);
local notice = fmt("%s=%s", error_ids[code], value);
if ( c$postgresql?$backend_arg )
c$postgresql$backend_arg += "," + notice;
else
c$postgresql$backend_arg = notice;
}
event PostgreSQL::error_response(c: connection) {
hook set_session(c);
if ( c$postgresql?$backend )
c$postgresql$backend += ",error";
else
c$postgresql$backend = "error";
local errors = join_string_vec(c$postgresql_state$errors, ",");
c$postgresql_state$errors = vector();
if ( c$postgresql?$backend_arg )
c$postgresql$backend_arg += "," + errors;
else
c$postgresql$backend_arg = errors;
c$postgresql$success = F;
emit_log(c);
}
event PostgreSQL::authentication_request(c: connection, identifier: count, data: string) {
hook set_session(c);
if ( c$postgresql?$backend && ! ends_with(c$postgresql$backend, "auth") )
c$postgresql$backend += ",auth_request";
else
c$postgresql$backend = "auth_request";
if ( c$postgresql?$backend_arg )
c$postgresql$backend_arg += "," + auth_ids[identifier];
else
c$postgresql$backend_arg = auth_ids[identifier];
}
event PostgreSQL::authentication_ok(c: connection) {
hook set_session(c);
c$postgresql$backend = "auth_ok";
c$postgresql$success = T;
emit_log(c);
}
event PostgreSQL::terminate(c: connection) {
if ( c?$postgresql )
emit_log(c);
hook set_session(c);
c$postgresql$frontend = "terminate";
emit_log(c);
}
event PostgreSQL::simple_query(c: connection, query: string) {
if ( c?$postgresql )
emit_log(c);
hook set_session(c);
c$postgresql$frontend = "simple_query";
c$postgresql$frontend_arg = query;
c$postgresql_state$rows = 0;
}
event PostgreSQL::data_row(c: connection, column_values: count) {
hook set_session(c);
++c$postgresql_state$rows;
}
event PostgreSQL::ready_for_query(c: connection, transaction_status: string) {
# Log a query (if there was one).
if ( ! c?$postgresql )
return;
# If no one said otherwise, the last action was successful.
if ( ! c$postgresql?$success )
c$postgresql$success = transaction_status == "I" || transaction_status == "T";
c$postgresql$rows = c$postgresql_state$rows;
emit_log(c);
}
hook finalize_postgresql(c: connection) &priority=-5 {
emit_log(c);
}
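Review bot: in `PostgreSQL::authentication_request` the guard `! ends_with(c$postgresql$backend, "auth")` can never be false for any value this script assigns (`ssl_reply`, `error`, `auth_request`, `auth_ok` all end differently), so the `else` branch is only reached when `backend` is unset; either drop the check or use the suffix that was presumably meant (`"auth_request"`), which would also collapse the repeated `auth_request,auth_request,...` a SASL exchange produces before `auth_ok` overwrites it. Smaller points: the field comments from `frontend` through `rows` use a single `#`, so Zeekygen will not pick them up while the fields above use `##`; `affectd` should be `affected`; `name== "application_name"` needs a space; and `local errors = c$postgresql_state$errors; errors += ...` can simply be `c$postgresql_state$errors += fmt(...)`. Since `frontend_arg` records the full text of every SimpleQuery, statements such as `ALTER ROLE ... PASSWORD '...'` will land verbatim in `postgresql.log`; a redef-able option to disable or truncate query logging, in the spirit of `c$http$capture_password`, would be worth having before the log is declared stable.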

@ -0,0 +1,147 @@
##! Events generated by the PostgreSQL analyzer.
## Event generated for frontend SSLRequest messages.
##
## c: The connection.
global PostgreSQL::ssl_request: event(c: connection);
## Event generated for backend SSL reply.
##
## c: The connection.
##
## data: The server's reply: S for secure, N for unencrypted.
global PostgreSQL::ssl_reply: event(c: connection, data: string);
## Event generated for backend authentication requests.
##
## c: The connection.
##
## identifier: The identifier in the request.
##
## data: The request data, if any.
##
## .. zeek:see:: PostgreSQL::authentication_response
## .. zeek:see:: PostgreSQL::authentication_ok
global PostgreSQL::authentication_request: event(c: connection, identifier: count, data: string);
## Event generated for backend authentication requests indicating successful
## authentication.
##
## c: The connection.
##
## .. zeek:see:: PostgreSQL::authentication_request
## .. zeek:see:: PostgreSQL::authentication_response
global PostgreSQL::authentication_ok: event(c: connection);
## Event generated for frontend authentication responses.
##
## c: The connection.
##
## data: The response data, if any.
##
## .. zeek:see:: PostgreSQL::authentication_request
## .. zeek:see:: PostgreSQL::authentication_ok
global PostgreSQL::authentication_response: event(c: connection, data: string);
## Event generated for every parameter in a StartupMessage.
##
## c: The connection.
##
## name: The name of the parameter.
##
## value: The value of the parameter.
global PostgreSQL::startup_parameter: event(c: connection, name: string, value: string);
## Event generated for a StartupMessage.
##
## c: The connection.
##
## major: The major protocol version.
##
## minor: The minor protocol version.
global PostgreSQL::startup_message: event(c: connection, major: count, minor: count);
## Event generated for every backed ReadyForQuery message.
##
## c: The connection.
##
## transaction_status: I (idle), T (in transaction block), E (error).
global PostgreSQL::ready_for_query: event(c: connection, transaction_status: string);
## Event generated for every frontend SimpleQuery message.
##
## c: The connection.
##
## query: The query string.
global PostgreSQL::simple_query: event(c: connection, query: string);
## Event generated for identified field within an ErrorResponse.
##
## c: The connection.
##
## code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
##
## value: The field value.
##
## .. zeek:see:: PostgreSQL::error_response
global PostgreSQL::error_response_identified_field: event(c: connection, code: string, value: string);
## Event generated for a ErrorResponse.
##
## c: The connection.
##
## .. zeek:see:: PostgreSQL::error_response_identified_field
global PostgreSQL::error_response: event(c: connection);
## Event generated for identified field within a NoticeResponse.
##
## c: The connection.
##
## code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
##
## value: The field value.
##
## .. zeek:see:: PostgreSQL::notice_response
global PostgreSQL::notice_response_identified_field: event(c: connection, code: string, value: string);
## Event generated for a NoticeResponse.
##
## c: The connection.
##
## .. zeek:see:: PostgreSQL::notice_response_identified_field
global PostgreSQL::notice_response: event(c: connection);
## Event generated for every backend DataRow message.
##
## c: The connection.
##
## column_values: The number of columns in this row.
global PostgreSQL::data_row: event(c: connection, column_values: count);
## Event generated for backend runtime parameter status reports.
##
## c: The connection.
##
## name: The name of the runtime parameter.
##
## value: The current value of the parameter.
##
global PostgreSQL::parameter_status: event(c: connection, name: string, value: string);
## Generated for a BackendKeyData message for cancellation.
##
## c: The connection.
##
## process_id: The process ID of the backend.
##
## secret_key: The secret key of the backend.
global PostgreSQL::backend_key_data: event(c: connection, process_id: count, secret_key: count);
## Event generated For a frontend Terminate message.
##
## c: The connection.
global PostgreSQL::terminate: event(c: connection);
## Event generated for not implemented messages.
global PostgreSQL::not_implemented: event(c: connection, is_orig: bool, typ: string, chunk: string);
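Review bot: doc-comment nits in this file: "every backed ReadyForQuery message" should be "backend", "for a ErrorResponse" should be "an ErrorResponse", "Event generated For a frontend Terminate" has a stray capital, `PostgreSQL::parameter_status` carries a dangling empty `##` line before its declaration, and `PostgreSQL::not_implemented` documents none of its parameters (`is_orig`, `typ`, `chunk`). For `PostgreSQL::authentication_response`, the `data` description should state that with the CleartextPassword and MD5Password methods this is the credential material itself, so script authors know not to write it to a log.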

@ -507,4 +507,3 @@ public function vector_size(id: string): uint64 &cxxname="zeek::spicy::rt::vecto
##
## v: opaque handle to the Zeek vector, as returned by other functions
public function vector_size(v: ZeekVector): uint64 &cxxname="zeek::spicy::rt::vector_size";

@ -22,9 +22,13 @@ public type File = unit(mime_type: optional<string> = Null, size: optional<uint6
zeek::file_set_size(*size, self.fid);
}
: bytes &chunked &eod { zeek::file_data_in($$, self.fid); }
: bytes &chunked &eod {
zeek::file_data_in($$, self.fid);
}
on %finally { zeek::file_end(self.fid); }
on %finally {
zeek::file_end(self.fid);
}
## Zeek-side file ID
var fid: string;

@ -31,7 +31,6 @@ extern "C" {
#include "zeek/Reporter.h"
#include "zeek/Scope.h"
#include "zeek/Timer.h"
#include "zeek/broker/Manager.h"
#include "zeek/iosource/Manager.h"
#include "zeek/iosource/PktDumper.h"
#include "zeek/iosource/PktSrc.h"
@ -275,8 +274,6 @@ void run_loop() {
}
#endif
current_iosrc = nullptr;
auto communication_enabled = broker_mgr->Active();
if ( ! ready.empty() ) {
for ( const auto& src : ready ) {
auto* iosrc = src.src;
@ -289,8 +286,7 @@ void run_loop() {
iosrc->Process();
}
}
else if ( (have_pending_timers || communication_enabled || BifConst::exit_only_after_terminate) &&
! pseudo_realtime ) {
else if ( (have_pending_timers || BifConst::exit_only_after_terminate) && pseudo_realtime == 0.0 ) {
// Take advantage of the lull to get up to
// date on timers and events. Because we only
// have timers as sources, going to sleep here
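Review bot: the rewrite of `! pseudo_realtime` to `pseudo_realtime == 0.0` in this hunk is a style change (explicit comparison of a double, matching the `!= 0.0` form used further down in this file) that is unrelated to dropping `communication_enabled`; it is fine, but would be easier to review as its own commit, and the two now-shorter condition lines could be joined since the `&&` continuation is gone.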
@ -330,7 +326,7 @@ void run_loop() {
// Terminate if we're running pseudo_realtime and
// the interface has been closed.
if ( pseudo_realtime && communication_enabled ) {
if ( pseudo_realtime != 0.0 ) {
iosource::PktSrc* ps = iosource_mgr->GetPktSrc();
if ( ps && ! ps->IsOpen() )
iosource_mgr->Terminate();
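Review bot: this hunk widens a condition rather than only removing a dead flag: `if ( pseudo_realtime && communication_enabled )` became `if ( pseudo_realtime != 0.0 )`, so a pseudo-realtime run now calls `iosource_mgr->Terminate()` as soon as the packet source is closed regardless of Broker state, where before it only did so with Broker active. That may well be the intended behaviour, but the CHANGES text ("doesn't really make a difference in how the IO loop works") undersells it; say so explicitly there or in NEWS so anyone relying on the old behaviour in pseudo-realtime test setups can find it.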

@ -28,6 +28,7 @@ add_subdirectory(ntlm)
add_subdirectory(ntp)
add_subdirectory(pia)
add_subdirectory(pop3)
add_subdirectory(postgresql)
add_subdirectory(quic)
add_subdirectory(radius)
add_subdirectory(rdp)

@ -21,12 +21,19 @@ namespace zeek::analyzer::dns {
namespace detail {
// Used for checking whether the connection being parsed comes from NetBIOS,
// since it's similar to DNS but does some things differently.
constexpr int NETBIOS_PORT = 137;
DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer) {
analyzer = arg_analyzer;
first_message = true;
is_netbios =
ntohs(analyzer->Conn()->OrigPort()) == NETBIOS_PORT || ntohs(analyzer->Conn()->RespPort()) == NETBIOS_PORT;
}
void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
// Every packet for every opcode starts with same size header.
int hdr_len = sizeof(detail::DNS_RawMsgHdr);
if ( len < hdr_len ) {
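Review bot: `is_netbios` is derived from either endpoint being on `NETBIOS_PORT`, but the two later hunks in this file that replace the literal `137` (the NBSTAT case in `ParseAnswer` and the long-label check in `ExtractLabel`) still test only `RespPort()`. Either reuse `is_netbios` there for consistency or leave a comment explaining why those two checks are intentionally narrower. Also, now that the constructor sets three members, a member-initializer list (`: analyzer(arg_analyzer), first_message(true), is_netbios(...)`) is the idiomatic form instead of assignments in the body.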
@ -34,7 +41,21 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
return;
}
detail::DNS_MsgInfo msg((detail::DNS_RawMsgHdr*)data, is_query);
// The flags section may be different between the different opcodes, but the
// opcode is always in the same location. Parse out just that part of it here
// even though it will probably be reparsed later.
auto* hdr = (detail::DNS_RawMsgHdr*)data;
unsigned short flags = ntohs(hdr->flags);
int opcode = (flags & 0x7800) >> 11;
// NetBIOS registration and release messages look like regular DNS requests, so parse them as such
if ( opcode != DNS_OP_QUERY && ! is_netbios ) {
analyzer->Weird("DNS_unknown_opcode", util::fmt("%d", opcode));
analyzer->Conn()->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
return;
}
detail::DNS_MsgInfo msg(hdr, is_query);
if ( first_message && msg.QR && is_query == 1 ) {
is_query = msg.is_query = 0;
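Review bot: the weird name `DNS_unknown_opcode` does not describe what the check does: opcodes such as NOTIFY (4) and UPDATE (5) are well known, they are simply not handled by this analyzer, and before this hunk nothing here rejected them, so NOTIFY traffic (which shares the QUERY wire format) was parsed as a regular message. `DNS_unhandled_opcode`, which is also how the CHANGES entry phrases it, would be accurate, and the behaviour change for NOTIFY/UPDATE traffic deserves a NEWS line since it also sets the `X` history flag via `CheckHistory(HIST_UNKNOWN_PKT, 'X')` and returns before `DNS_MsgInfo` is built. The `(flags & 0x7800) >> 11` extraction is correct for the 4-bit opcode field; `auto* hdr = (detail::DNS_RawMsgHdr*)data` casts away `const` with a C-style cast, which a `reinterpret_cast<const detail::DNS_RawMsgHdr*>` would make explicit if `DNS_MsgInfo` can take a const pointer.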
@ -242,7 +263,7 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
case detail::TYPE_NBS: status = ParseRR_NBS(msg, data, len, rdlength, msg_start); break;
case detail::TYPE_SRV:
if ( ntohs(analyzer->Conn()->RespPort()) == 137 ) {
if ( ntohs(analyzer->Conn()->RespPort()) == NETBIOS_PORT ) {
// This is an NBSTAT (NetBIOS NODE STATUS) record.
// The SRV RFC reused the value that was already being
// used for this.
@ -385,7 +406,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
if ( label_len > 63 &&
// NetBIOS name service look ups can use longer labels.
ntohs(analyzer->Conn()->RespPort()) != 137 ) {
ntohs(analyzer->Conn()->RespPort()) != NETBIOS_PORT ) {
analyzer->Weird("DNS_label_too_long");
return false;
}

@ -328,7 +328,7 @@ public:
///< for forward lookups
};
class DNS_Interpreter {
class DNS_Interpreter final {
public:
explicit DNS_Interpreter(analyzer::Analyzer* analyzer);
@ -390,6 +390,7 @@ protected:
analyzer::Analyzer* analyzer;
bool first_message;
bool is_netbios;
};
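Review bot: `bool is_netbios;` is added without a default member initializer while the value is assigned in the constructor body; `bool is_netbios = false;` (and the same for `first_message`) keeps the object well-defined should another constructor path ever skip the assignment. Marking `DNS_Interpreter` `final` in the previous hunk is fine as long as no plugin subclasses it, but it also means the `protected:` section these members live in is now effectively `private:`, so the access specifier could be tightened at the same time.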
enum TCP_DNS_state {

@ -14,7 +14,9 @@ public type Request = unit {
: OptionalWhiteSpace;
switch {
-> : /\/W/ { self.whois = True; }
-> : /\/W/ {
self.whois = True;
}
-> : void;
};

@ -0,0 +1,5 @@
spicy_add_analyzer(
NAME PostgreSQL
PACKAGE_NAME spicy-postgresql
SOURCES postgresql.spicy postgresql.evt postgresql_zeek.spicy
MODULES PostgreSQL PostgreSQL_Zeek)

@ -0,0 +1,42 @@
import PostgreSQL;
import PostgreSQL_Zeek;
protocol analyzer PostgreSQL over TCP:
parse originator with PostgreSQL::FrontendMessages,
parse responder with PostgreSQL::BackendMessages;
on PostgreSQL::NotImplemented -> event PostgreSQL::not_implemented($conn, $is_orig, ("%c" % typ), self.chunk);
on PostgreSQL::AuthenticationRequest if ( self.identifier != 0 )-> event PostgreSQL::authentication_request($conn, self.identifier, self.data);
on PostgreSQL::AuthenticationRequest if ( self.identifier == 0 ) -> event PostgreSQL::authentication_ok($conn);
on PostgreSQL::AuthenticationResponse -> event PostgreSQL::authentication_response($conn, self.data);
on PostgreSQL::FrontendMessages::ssl_request -> event PostgreSQL::ssl_request($conn);
on PostgreSQL::MaybeBackendSSL::ssl_byte -> event PostgreSQL::ssl_reply($conn, ("%c" % self.ssl_byte));
on PostgreSQL::StartupParameter -> event PostgreSQL::startup_parameter($conn, self.name, self.value);
on PostgreSQL::StartupMessage -> event PostgreSQL::startup_message($conn, self.version.major, self.version.minor);
on PostgreSQL::ErrorIdentifiedField -> event PostgreSQL::error_response_identified_field($conn, ("%c" % self.code), self.value);
on PostgreSQL::ErrorResponse -> event PostgreSQL::error_response($conn);
on PostgreSQL::SimpleQuery -> event PostgreSQL::simple_query($conn, self.query);
on PostgreSQL::ReadyForQuery -> event PostgreSQL::ready_for_query($conn, "%c" % self.transaction_status);
on PostgreSQL::NoticeIdentifiedField -> event PostgreSQL::notice_response_identified_field($conn, ("%c" % self.code), self.value);
on PostgreSQL::NoticeResponse -> event PostgreSQL::notice_response($conn);
on PostgreSQL::Terminate -> event PostgreSQL::terminate($conn);
on PostgreSQL::DataRow -> event PostgreSQL::data_row($conn, self.column_values);
on PostgreSQL::ParameterStatus -> event PostgreSQL::parameter_status($conn, self.name, self.value);
on PostgreSQL::BackendKeyData -> event PostgreSQL::backend_key_data($conn, self.process_id, self.secret_key);
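Review bot: two formatting inconsistencies in the event mapping: `if ( self.identifier != 0 )-> event` is missing the space before `->` that the `== 0` line directly below has, and `"%c" % self.transaction_status` in the `ReadyForQuery` line is the only format expression not wrapped in parentheses like `("%c" % typ)` and `("%c" % self.code)`. A one-line comment above `on PostgreSQL::AuthenticationResponse` noting that `self.data` is forwarded verbatim, and is the credential itself for CleartextPassword and MD5Password requests, would help anyone writing a handler for `PostgreSQL::authentication_response`.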

@ -0,0 +1,333 @@
# A PostgreSQL analyzer.
#
# https://www.postgresql.org/docs/current/protocol.html
#
# Protocol version 3.0
module PostgreSQL;
import spicy;
type SSLFrontendState = enum {
Requested,
NotRequested,
};
type SSLBackendState = enum {
S,
N,
};
# How many chunks to buffer initially when seeing a backend message
# before a frontend or vice versa.
const MAX_BUFFERED = 4;
# When a connection switches to SSL, this consumes all the SSL chunks.
# In zeek_postgres.spicy, SSLSink%init calls zeek::protocol_begin() and
# then zeek::protocol_data_in()
#
# There's a single SSLSink shared between backend and frontend.
type SSLSink = unit {
chunk: bytes &chunked &eod;
};
# Used as context for synchronization between frontend/backend.
type Context = struct {
ssl_frontend_state: SSLFrontendState;
ssl_backend_state: SSLBackendState;
ssl_sink: sink&;
ssl_sink_connected: bool;
};
type ProtocolVersion = unit {
major: uint16;
minor: uint16;
};
type StartupParameter = unit {
name: /[-_\/A-Za-z0-9]+/ &requires=(|$$| > 0);
: uint8 &requires=($$ == 0);
value: /[\x20-\x7e]+/ &requires=(|$$| > 0);
: uint8 &requires=($$ == 0);
};
type StartupMessage = unit {
length: uint32 &requires=(self.length >= 9);
version: ProtocolVersion &requires=($$.major == 3);
parameters: StartupParameter[] &size=self.length - 9;
: skip b"\x00";
};
# Top-level entry for the client.
public type FrontendMessages = unit {
%context = Context;
on %init {
# Until the first FrontendMessages are initialized, ssl_sink in the
# context is a Null reference. Also, we want to use a single sink
# for both, frontend and backend by calling begin_protocol() within
# the SSLSink's %init hook (see postgresql_zeek.spicy).
self.context().ssl_sink = self.s1;
}
var buffered: vector<bytes>;
var s1_connected: bool;
var ssl_requested: bool;
sink s1;
# Peek at the client data.
length: uint32 &requires=(self.length >= 8);
version_or_magic: uint32 {
self.ssl_requested = self.length == 8 && $$ == 80877103;
if (self.ssl_requested) {
self.context().ssl_frontend_state = SSLFrontendState::Requested;
} else {
self.context().ssl_frontend_state = SSLFrontendState::NotRequested;
self.context().ssl_backend_state = SSLBackendState::N;
# Pre-check the supported major version here.
local major = $$ >> 16;
if (major != 3)
throw "unsupported PostgreSQL major version %s" % major;
# Put length and version back into the buffer so PlainFrontendMessages
# can re-parse it.
#
# This explicitly avoids using random access functionality like
# `self.input()` and `self.set_input()` which would disable automatic
# trimming in this unit (which is top-level unit parsing unbounded
# amounts of data).
self.buffered.push_back(pack(self.length, spicy::ByteOrder::Network));
self.buffered.push_back(pack(self.version_or_magic, spicy::ByteOrder::Network));
}
}
# void field for raising an event.
ssl_request: void if(self.ssl_requested == True);
# print "frontend ssl", self.context();
# If the client requested SSL, we do not know how to continue parsing
# until the server confirmed SSL usage via 'S' or 'N' responses. As long
# as it hasn't responded, stall the parsing here and buffer bytes until
# the context() is populated.
#
# In normal operations, Zeek should see the server's response before
# attempting to parse more data, but Robin was concerned that in some
# circumstances (out-of-order packets, reassembly artifacts) we may
# see the client's data before the server's.
#
# In the future, barrier: https://github.com/zeek/spicy/pull/1373
: bytes &chunked &eod {
if (!self.context().ssl_backend_state) {
self.buffered.push_back($$);
if (|self.buffered| > MAX_BUFFERED)
throw "too many frontend messages buffered";
} else {
# print "frontend ssl_state backend set!", self.context();
if (!self.s1_connected) {
if (self.context().ssl_backend_state == SSLBackendState::N) {
self.s1.connect(new PlainFrontendMessages());
} else {
assert (self.context().ssl_sink_connected);
assert (self.context().ssl_backend_state == SSLBackendState::S);
}
self.s1_connected = True;
if (|self.buffered| > 0) {
for (b in self.buffered)
self.s1.write(b);
}
self.buffered.resize(0);
}
self.s1.write($$);
}
}
};
type PlainFrontendMessages = unit {
startup_message: StartupMessage;
: FrontendMessage[];
};
type FrontendMessage = unit {
typ: uint8;
length: uint32 &requires=(self.length >= 4);
switch (self.typ) {
'p' -> : AuthenticationResponse;
'X' -> : Terminate;
'Q' -> : SimpleQuery;
* -> not_implemented: NotImplemented(self.typ);
} &size=self.length - 4;
};
type AuthenticationResponse = unit {
# This is PasswordMessage, SASLInitialMessage, etc. based on context.
# For now, just thread it through.
data: bytes &eod;
};
type Terminate = unit {};
type SimpleQuery = unit {
query: bytes &until=b"\x00";
};
# The client has requested SSL, the server either confirms (S) or
# denies (N). Depending on the result, the ssl_sink in the context
# is connected with a SSLUnit and used, or a sink connected with the
# PlainBackendMessages unit.
#
type MaybeBackendSSL = unit(ctx: Context&) {
# Connected to SSLSink or plaintext messages.
sink s1;
ssl_byte: uint8 &requires=($$ == 'S' || $$ == 'N') {
# print "backend ssl_byte", $$;
if ($$ == 'S') {
ctx.ssl_backend_state = SSLBackendState::S;
ctx.ssl_sink.connect(new SSLSink());
ctx.ssl_sink_connected = True;
# Share the SSL sink with the frontend.
self.s1 = ctx.ssl_sink;
} else {
ctx.ssl_backend_state = SSLBackendState::N;
self.s1.connect(new PlainBackendMessages());
}
}
# Now that s1 is connected, forward the rest of the connection to it.
: bytes &chunked &eod -> self.s1;
};
# Top-level entry for the server.
public type BackendMessages = unit {
%context = Context;
var buffered: vector<bytes>;
var s1_connected: bool;
sink s1;
# Buffer until the SSL frontend state was populated.
: bytes &chunked &eod {
if (!self.context().ssl_frontend_state) {
# print "backend buffering ", |$$|;
self.buffered.push_back($$);
if (|self.buffered| > MAX_BUFFERED)
throw "too many backend messages buffered";
} else {
# The ssl_frontend_state has been set. If The client requested SSL,
# connect to an SSLMaybe instance. If it did not, connect
# directly to PlainBackendMessages.
# print "backend", self.context(), |self.buffered|, self.s1, self.s1_connected;
if (!self.s1_connected) {
if (self.context().ssl_frontend_state == SSLFrontendState::Requested) {
self.s1.connect(new MaybeBackendSSL(self.context()));
} else {
self.s1.connect(new PlainBackendMessages());
}
self.s1_connected = True;
if (|self.buffered| > 0) {
for (b in self.buffered)
self.s1.write(b);
}
self.buffered.resize(0);
}
# print "backend writing to sink", $$, |self.s1|;
self.s1.write($$);
}
}
};
type PlainBackendMessages = unit {
: BackendMessage[];
};
type BackendMessage = unit {
typ: uint8;
length: uint32 &requires=(self.length >= 4);
switch (self.typ) {
'K' -> backend_key_data: BackendKeyData;
'E' -> error: ErrorResponse;
'R' -> auth: AuthenticationRequest(self.length - 4);
'S' -> parameter_status: ParameterStatus;
'D' -> data_row: DataRow;
'Z' -> ready_for_query: ReadyForQuery;
'N' -> notice: NoticeResponse;
* -> not_implemented: NotImplemented(self.typ);
} &size=self.length - 4;
};
type ParameterStatus = unit {
name: /[-_\/A-Za-z0-9]+/ &requires=(|$$| > 0);
: uint8 &requires=($$ == 0);
value: /[\x20-\x7e]+/ &requires=(|$$| > 0);
: uint8 &requires=($$ == 0);
};
# Possible values are 'I' if idle (not in a transaction block);
# 'T' if in a transaction block; or 'E' if in a failed transaction block
# (queries will be rejected until block is ended).
type ReadyForQuery = unit {
transaction_status: uint8 &requires=($$ == 'I' || $$ == 'T' || $$ == 'E');
};
type NoticeIdentifiedField = unit {
code: uint8;
value: bytes &until=b"\x00";
};
type NoticeResponse = unit {
: NoticeIdentifiedField[];
: skip b"\x00";
};
# Just for counting right now.
type DataRow = unit {
column_values: uint16;
: skip bytes &eod;
};
# Fields with a 1 byte field as documented here:
# https://www.postgresql.org/docs/current/protocol-error-fields.html
type ErrorIdentifiedField = unit {
code: uint8;
value: bytes &until=b"\x00";
};
type ErrorResponse = unit {
: ErrorIdentifiedField[];
: skip b"\x00";
};
type AuthenticationRequest = unit(length: uint32) {
identifier: uint32 &requires=($$ <= 12) {
if (self.identifier == 0 && length != 4)
throw "AuthenticationOK with wrong length: %s" % length;
}
# There's more structure (GSS-API, SASL, cleartext), but for now
# just thread through the raw data.
data: bytes &eod;
};
type BackendKeyData = unit {
process_id: uint32;
secret_key: uint32;
};
type NotImplemented = unit(typ: uint8) {
chunk: bytes &eod;
};
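Review bot: the major-version pre-check in `version_or_magic` (`local major = $$ >> 16; if (major != 3) throw ...`) also fires for the protocol's other magic-number startup packets: CancelRequest (80877102) and GSSENCRequest (80877104) share the high word 1234 with SSLRequest (80877103), so a client that opens a connection only to cancel a running query, or that asks for GSS encryption, is reported as "unsupported PostgreSQL major version 1234" and fails parsing instead of being recognized or skipped cleanly. Consider testing for those codes next to the SSLRequest test (`self.length == 8 && $$ == 80877103`) before applying the major-version rule. Two smaller points: `MAX_BUFFERED` bounds the number of buffered chunks, not bytes, so the memory bound depends on the chunk sizes the runtime delivers; and `ssl_request: void if(self.ssl_requested == True);` can simply be `if(self.ssl_requested)`.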

View file

@ -0,0 +1,43 @@
# Set up protocol confirmation/rejection for analyzers, as well as any further
# Zeek-specific analysis.
module PostgreSQL_Zeek;
import PostgreSQL;
import zeek;
# If we see a client StartupMessage, that's pretty good.
on PostgreSQL::StartupMessage::%done {
zeek::confirm_protocol();
}
# If the server replied with an ssl_byte and we let it through,
# that's also pretty good.
on PostgreSQL::MaybeBackendSSL::ssl_byte {
zeek::confirm_protocol();
}
on PostgreSQL::SSLSink::%init {
zeek::protocol_begin("SSL");
}
on PostgreSQL::SSLSink::%done {
zeek::protocol_end();
}
on PostgreSQL::SSLSink::chunk {
# print "ssl_chunk", zeek::is_orig(), self;
zeek::protocol_data_in(zeek::is_orig(), self.chunk);
}
on PostgreSQL::StartupMessage::%error(msg: string) {
zeek::reject_protocol("error while parsing PostgreSQL StartupMessage: %s" % msg);
}
on PostgreSQL::FrontendMessage::%error(msg: string) {
zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg);
}
on PostgreSQL::BackendMessage::%error(msg: string) {
zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg);
}
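Review bot: `%error` hooks are registered only for `StartupMessage`, `FrontendMessage` and `BackendMessage`; `MaybeBackendSSL` has none, although its `ssl_byte` field carries `&requires=($$ == 'S' || $$ == 'N')` and is the place where `confirm_protocol()` is called for the server side. A server reply other than S/N therefore fails parsing inside the sink without an explicit `zeek::reject_protocol()` carrying the reason, and the same applies to the `throw` statements in the top-level `FrontendMessages`/`BackendMessages` units (unsupported major version, too many buffered messages). Add a matching `on PostgreSQL::MaybeBackendSSL::%error(msg: string)` hook (and ones for the top-level units), or document why relying on the runtime's default error handling is intended there.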

View file

@ -680,8 +680,8 @@ bool Manager::PublishLogCreate(EnumVal* stream, EnumVal* writer, const logging::
return true;
}
bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int num_fields,
const threading::Value* const* vals) {
bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, const string& path,
const logging::detail::LogRecord& rec) {
if ( bstate->endpoint.is_shutdown() )
return true;
@ -709,16 +709,17 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int
fmt.StartWrite();
bool success = fmt.Write(num_fields, "num_fields");
// Cast to int for binary compatibility.
bool success = fmt.Write(static_cast<int>(rec.size()), "num_fields");
if ( ! success ) {
reporter->Error("Failed to remotely log stream %s: num_fields serialization failed", stream_id);
return false;
}
for ( int i = 0; i < num_fields; ++i ) {
if ( ! vals[i]->Write(&fmt) ) {
reporter->Error("Failed to remotely log stream %s: field %d serialization failed", stream_id, i);
for ( size_t i = 0; i < rec.size(); ++i ) {
if ( ! rec[i].Write(&fmt) ) {
reporter->Error("Failed to remotely log stream %s: field %zu serialization failed", stream_id, i);
return false;
}
}
@ -1375,16 +1376,10 @@ bool Manager::ProcessMessage(std::string_view, broker::zeek::LogWrite& lw) {
return false;
}
auto vals = new threading::Value*[num_fields];
logging::detail::LogRecord rec(num_fields);
for ( int i = 0; i < num_fields; ++i ) {
vals[i] = new threading::Value;
if ( ! vals[i]->Read(&fmt) ) {
for ( int j = 0; j <= i; ++j )
delete vals[j];
delete[] vals;
if ( ! rec[i].Read(&fmt) ) {
reporter->Warning("failed to unserialize remote log field %d for stream: %s", i,
c_str_safe(stream_id_name).c_str());
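Review bot: `logging::detail::LogRecord rec(num_fields);` constructs `num_fields` values straight from a peer-supplied count; the validation that ends in the `return false;` at the top of this hunk is outside the visible context, so confirm it rejects negative and implausibly large values before the vector is built, since a `bad_alloc` or `length_error` here would be triggered by remote input. The removed manual cleanup (`delete vals[j]` / `delete[] vals`) is correctly replaced by RAII provided `threading::Value`'s destructor frees the strings, sets and vectors it manages through raw pointers.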
@ -1392,7 +1387,7 @@ bool Manager::ProcessMessage(std::string_view, broker::zeek::LogWrite& lw) {
}
}
log_mgr->WriteFromRemote(stream_id->AsEnumVal(), writer_id->AsEnumVal(), path, num_fields, vals);
log_mgr->WriteFromRemote(stream_id->AsEnumVal(), writer_id->AsEnumVal(), path, std::move(rec));
fmt.EndRead();
return true;
}

View file

@ -109,7 +109,7 @@ public:
/**
* Returns true if any Broker communication is currently active.
*/
bool Active();
[[deprecated("Remove with v8.1 - unused")]] bool Active();
/**
* Advances time. Broker data store expiration is driven by this
@ -223,18 +223,16 @@ public:
const broker::endpoint_info& peer = NoPeer);
/**
* Send a log entry to any interested peers. The topic name used is
* implicitly "bro/log/<stream-name>".
* Send a log entry to any interested peers.
*
* @param stream the stream to which the log entry belongs.
* @param writer the writer to use for outputting this log entry.
* @param path the log path to output the log entry to.
* @param num_vals the number of fields to log.
* @param vals the log values to log, of size num_vals.
* See the Broker::SendFlags record type.
* @param rec the log record.
* @return true if the message is sent successfully.
*/
bool PublishLogWrite(EnumVal* stream, EnumVal* writer, std::string path, int num_vals,
const threading::Value* const* vals);
bool PublishLogWrite(EnumVal* stream, EnumVal* writer, const std::string& path,
const logging::detail::LogRecord& rec);
/**
* Automatically send an event to any interested peers whenever it is

View file

@ -1153,29 +1153,34 @@ bool Manager::WriteToFilters(const Manager::Stream* stream, zeek::RecordValPtr c
}
// Alright, can do the write now.
auto rec = RecordToLogRecord(stream, filter, columns.get());
threading::Value** vals = RecordToFilterVals(stream, filter, columns.get());
if ( zeek::plugin_mgr->HavePluginForHook(zeek::plugin::HOOK_LOG_WRITE) ) {
// The current HookLogWrite API takes a threading::Value**.
// Fabricate the pointer array on the fly. Mutation is allowed.
std::vector<threading::Value*> vals;
vals.reserve(rec.size());
for ( auto& v : rec )
vals.emplace_back(&v);
if ( ! PLUGIN_HOOK_WITH_RESULT(HOOK_LOG_WRITE,
HookLogWrite(filter->writer->GetType()->AsEnumType()->Lookup(
bool res =
zeek::plugin_mgr->HookLogWrite(filter->writer->GetType()->AsEnumType()->Lookup(
filter->writer->InternalInt()),
filter->name, *info, filter->num_fields, filter->fields, vals),
true) ) {
DeleteVals(filter->num_fields, vals);
#ifdef DEBUG
filter->name, *info, filter->num_fields, filter->fields, &vals[0]);
if ( ! res ) {
DBG_LOG(DBG_LOGGING, "Hook prevented writing to filter '%s' on stream '%s'", filter->name.c_str(),
stream->name.c_str());
#endif
return true;
}
}
assert(w != stream->writers.end());
w->second->total_writes->Inc();
// Write takes ownership of vals.
assert(writer);
writer->Write(filter->num_fields, vals);
writer->Write(std::move(rec));
#ifdef DEBUG
DBG_LOG(DBG_LOGGING, "Wrote record to filter '%s' on stream '%s'", filter->name.c_str(), stream->name.c_str());
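Review bot: `&vals[0]` in the `HookLogWrite(...)` call is undefined behaviour when `vals` is empty (a filter with zero fields); `vals.data()` is valid for an empty vector and should be used instead. Also, handing out pointers into `rec` with the comment `Mutation is allowed` means a plugin hook can alter the record that is subsequently written; that matches the previous behaviour, but it is worth stating in the HookLogWrite documentation now that the record is owned by value here.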
@ -1385,35 +1390,38 @@ bool Manager::SetMaxDelayQueueSize(const EnumValPtr& id, zeek_uint_t queue_size)
return true;
}
threading::Value* Manager::ValToLogVal(std::optional<ZVal>& val, Type* ty) {
threading::Value Manager::ValToLogVal(std::optional<ZVal>& val, Type* ty) {
if ( ! val )
return new threading::Value(ty->Tag(), false);
return {ty->Tag(), false};
threading::Value* lval = new threading::Value(ty->Tag());
threading::Value lval{ty->Tag()};
switch ( lval->type ) {
switch ( lval.type ) {
case TYPE_BOOL:
case TYPE_INT: lval->val.int_val = val->AsInt(); break;
case TYPE_INT: lval.val.int_val = val->AsInt(); break;
case TYPE_ENUM: {
const char* s = ty->AsEnumType()->Lookup(val->AsInt());
if ( s ) {
auto len = strlen(s);
lval->val.string_val.data = util::copy_string(s, len);
lval->val.string_val.length = len;
lval.val.string_val.data = util::copy_string(s, len);
lval.val.string_val.length = len;
}
else {
auto err_msg = "enum type does not contain value:" + std::to_string(val->AsInt());
ty->Error(err_msg.c_str());
lval->val.string_val.data = util::copy_string("", 0);
lval->val.string_val.length = 0;
lval.val.string_val.data = util::copy_string("", 0);
lval.val.string_val.length = 0;
}
break;
}
case TYPE_COUNT: lval->val.uint_val = val->AsCount(); break;
case TYPE_COUNT: {
lval.val.uint_val = val->AsCount();
break;
}
case TYPE_PORT: {
auto p = val->AsCount();
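Review bot: returning `threading::Value` by value (`return {ty->Tag(), false};`, `return lval;`) and wrapping results in `new threading::Value(ValToLogVal(...))` relies on `threading::Value` having proper move semantics: the comment in the WriterBackend hunk of this change notes that it manages strings, sets and vectors through raw pointers, so a compiler-generated copy would duplicate those pointers and the destructor would free them twice. Confirm the class defines a move constructor and move assignment and that copying is either deleted or deep.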
@ -1427,26 +1435,26 @@ threading::Value* Manager::ValToLogVal(std::optional<ZVal>& val, Type* ty) {
else if ( pm == ICMP_PORT_MASK )
pt = TRANSPORT_ICMP;
lval->val.port_val.port = p & ~PORT_SPACE_MASK;
lval->val.port_val.proto = pt;
lval.val.port_val.port = p & ~PORT_SPACE_MASK;
lval.val.port_val.proto = pt;
break;
}
case TYPE_SUBNET: val->AsSubNet()->Get().ConvertToThreadingValue(&lval->val.subnet_val); break;
case TYPE_SUBNET: val->AsSubNet()->Get().ConvertToThreadingValue(&lval.val.subnet_val); break;
case TYPE_ADDR: val->AsAddr()->Get().ConvertToThreadingValue(&lval->val.addr_val); break;
case TYPE_ADDR: val->AsAddr()->Get().ConvertToThreadingValue(&lval.val.addr_val); break;
case TYPE_DOUBLE:
case TYPE_TIME:
case TYPE_INTERVAL: lval->val.double_val = val->AsDouble(); break;
case TYPE_INTERVAL: lval.val.double_val = val->AsDouble(); break;
case TYPE_STRING: {
const String* s = val->AsString()->AsString();
char* buf = new char[s->Len()];
memcpy(buf, s->Bytes(), s->Len());
lval->val.string_val.data = buf;
lval->val.string_val.length = s->Len();
lval.val.string_val.data = buf;
lval.val.string_val.length = s->Len();
break;
}
@ -1454,8 +1462,8 @@ threading::Value* Manager::ValToLogVal(std::optional<ZVal>& val, Type* ty) {
const File* f = val->AsFile();
const char* s = f->Name();
auto len = strlen(s);
lval->val.string_val.data = util::copy_string(s, len);
lval->val.string_val.length = len;
lval.val.string_val.data = util::copy_string(s, len);
lval.val.string_val.length = len;
break;
}
@ -1465,8 +1473,8 @@ threading::Value* Manager::ValToLogVal(std::optional<ZVal>& val, Type* ty) {
f->Describe(&d);
const char* s = d.Description();
auto len = strlen(s);
lval->val.string_val.data = util::copy_string(s, len);
lval->val.string_val.length = len;
lval.val.string_val.data = util::copy_string(s, len);
lval.val.string_val.length = len;
break;
}
@ -1483,12 +1491,12 @@ threading::Value* Manager::ValToLogVal(std::optional<ZVal>& val, Type* ty) {
auto& set_t = tbl_t->GetIndexTypes()[0];
bool is_managed = ZVal::IsManagedType(set_t);
lval->val.set_val.size = set->Length();
lval->val.set_val.vals = new threading::Value*[lval->val.set_val.size];
lval.val.set_val.size = set->Length();
lval.val.set_val.vals = new threading::Value*[lval.val.set_val.size];
for ( zeek_int_t i = 0; i < lval->val.set_val.size; i++ ) {
for ( zeek_int_t i = 0; i < lval.val.set_val.size; i++ ) {
std::optional<ZVal> s_i = ZVal(set->Idx(i), set_t);
lval->val.set_val.vals[i] = ValToLogVal(s_i, set_t.get());
lval.val.set_val.vals[i] = new threading::Value(ValToLogVal(s_i, set_t.get()));
if ( is_managed )
ZVal::DeleteManagedType(*s_i);
}
@ -1498,26 +1506,26 @@ threading::Value* Manager::ValToLogVal(std::optional<ZVal>& val, Type* ty) {
case TYPE_VECTOR: {
VectorVal* vec = val->AsVector();
lval->val.vector_val.size = vec->Size();
lval->val.vector_val.vals = new threading::Value*[lval->val.vector_val.size];
lval.val.vector_val.size = vec->Size();
lval.val.vector_val.vals = new threading::Value*[lval.val.vector_val.size];
auto& vv = vec->RawVec();
auto& vt = vec->GetType()->Yield();
for ( zeek_int_t i = 0; i < lval->val.vector_val.size; i++ ) {
lval->val.vector_val.vals[i] = ValToLogVal(vv[i], vt.get());
for ( zeek_int_t i = 0; i < lval.val.vector_val.size; i++ ) {
lval.val.vector_val.vals[i] = new threading::Value(ValToLogVal(vv[i], vt.get()));
}
break;
}
default: reporter->InternalError("unsupported type %s for log_write", type_name(lval->type));
default: reporter->InternalError("unsupported type %s for log_write", type_name(lval.type));
}
return lval;
}
threading::Value** Manager::RecordToFilterVals(const Stream* stream, Filter* filter, RecordVal* columns) {
detail::LogRecord Manager::RecordToLogRecord(const Stream* stream, Filter* filter, RecordVal* columns) {
RecordValPtr ext_rec;
if ( filter->num_ext_fields > 0 ) {
@ -1527,7 +1535,9 @@ threading::Value** Manager::RecordToFilterVals(const Stream* stream, Filter* fil
ext_rec = {AdoptRef{}, res.release()->AsRecordVal()};
}
threading::Value** vals = new threading::Value*[filter->num_fields];
// Allocate storage for all vals.
detail::LogRecord vals;
vals.reserve(filter->num_fields);
for ( int i = 0; i < filter->num_fields; ++i ) {
std::optional<ZVal> val;
@ -1535,7 +1545,7 @@ threading::Value** Manager::RecordToFilterVals(const Stream* stream, Filter* fil
if ( i < filter->num_ext_fields ) {
if ( ! ext_rec ) {
// executing function did not return record. Send empty for all vals.
vals[i] = new threading::Value(filter->fields[i]->type, false);
vals.emplace_back(filter->fields[i]->type, false);
continue;
}
@ -1557,7 +1567,7 @@ threading::Value** Manager::RecordToFilterVals(const Stream* stream, Filter* fil
if ( ! val ) {
// Value, or any of its parents, is not set.
vals[i] = new threading::Value(filter->fields[i]->type, false);
vals.emplace_back(filter->fields[i]->type, false);
break;
}
@ -1565,7 +1575,7 @@ threading::Value** Manager::RecordToFilterVals(const Stream* stream, Filter* fil
}
if ( val )
vals[i] = ValToLogVal(val, vt);
vals.emplace_back(ValToLogVal(val, vt));
}
return vals;
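Review bot: with `vals.emplace_back(...)` replacing the indexed `vals[i] = ...` writes, a well-formed record now depends on every path through the loop pushing exactly one value per field (the `emplace_back` followed by `continue`, the `emplace_back` followed by `break`, and the `if ( val ) vals.emplace_back(...)` branch). An `assert(vals.size() == static_cast<size_t>(filter->num_fields));` before `return vals;` would make that invariant explicit; otherwise a short record is silently dropped later by the size check in `WriterFrontend::Write`.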
@ -1688,16 +1698,7 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken
return winfo->writer;
}
void Manager::DeleteVals(int num_fields, threading::Value** vals) {
// Note this code is duplicated in WriterBackend::DeleteVals().
for ( int i = 0; i < num_fields; i++ )
delete vals[i];
delete[] vals;
}
bool Manager::WriteFromRemote(EnumVal* id, EnumVal* writer, const string& path, int num_fields,
threading::Value** vals) {
bool Manager::WriteFromRemote(EnumVal* id, EnumVal* writer, const string& path, detail::LogRecord&& rec) {
Stream* stream = FindStream(id);
if ( ! stream ) {
@ -1707,12 +1708,10 @@ bool Manager::WriteFromRemote(EnumVal* id, EnumVal* writer, const string& path,
id->Describe(&desc);
DBG_LOG(DBG_LOGGING, "unknown stream %s in Manager::Write()", desc.Description());
#endif
DeleteVals(num_fields, vals);
return false;
}
if ( ! stream->enabled ) {
DeleteVals(num_fields, vals);
return true;
}
@ -1725,11 +1724,10 @@ bool Manager::WriteFromRemote(EnumVal* id, EnumVal* writer, const string& path,
id->Describe(&desc);
DBG_LOG(DBG_LOGGING, "unknown writer %s in Manager::Write()", desc.Description());
#endif
DeleteVals(num_fields, vals);
return false;
}
w->second->writer->Write(num_fields, vals);
w->second->writer->Write(std::move(rec));
DBG_LOG(DBG_LOGGING, "Wrote pre-filtered record to path '%s' on stream '%s'", path.c_str(), stream->name.c_str());

View file

@ -268,9 +268,10 @@ public:
const threading::Field* const* fields);
/**
* Writes out log entries that have already passed through all
* filters (and have raised any events). This is meant called for logs
* received already processed from remote.
* Writes out log entries received from remote nodes.
*
* The given record has passed through all policy filters and raised events
* on the sending node. It's only meant to be written out.
*
* @param stream The enum value corresponding to the log stream.
*
@ -278,13 +279,11 @@ public:
*
* @param path The path of the target log stream to write to.
*
* @param num_fields The number of log values to write.
*
* @param vals An array of log values to write, of size num_fields.
* The method takes ownership of the array.
* @param rec Representation of the log record to write.
* @return Returns true if the record was processed successfully.
*/
bool WriteFromRemote(EnumVal* stream, EnumVal* writer, const std::string& path, int num_fields,
threading::Value** vals);
bool WriteFromRemote(EnumVal* id, EnumVal* writer, const std::string& path, detail::LogRecord&& rec);
/**
* Announces all instantiated writers to a given Broker peer.
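Review bot: the declaration renames the first parameter to `id` (`bool WriteFromRemote(EnumVal* id, EnumVal* writer, const std::string& path, detail::LogRecord&& rec);`) while the doc comment above still reads `@param stream The enum value corresponding to the log stream.`; either change the doc to `@param id` or keep the parameter named `stream` in both the header and the Manager.cc definition, and add a `@param writer` line while touching it.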
@ -365,9 +364,6 @@ protected:
bool FinishedRotation(WriterFrontend* writer, const char* new_name, const char* old_name, double open, double close,
bool success, bool terminating);
// Deletes the values as passed into Write().
void DeleteVals(int num_fields, threading::Value** vals);
private:
struct Filter;
struct Stream;
@ -376,9 +372,9 @@ private:
bool TraverseRecord(Stream* stream, Filter* filter, RecordType* rt, TableVal* include, TableVal* exclude,
const std::string& path, const std::list<int>& indices);
threading::Value** RecordToFilterVals(const Stream* stream, Filter* filter, RecordVal* columns);
detail::LogRecord RecordToLogRecord(const Stream* stream, Filter* filter, RecordVal* columns);
threading::Value ValToLogVal(std::optional<ZVal>& val, Type* ty);
threading::Value* ValToLogVal(std::optional<ZVal>& val, Type* ty);
Stream* FindStream(EnumVal* id);
void RemoveDisabledWriters(Stream* stream);
void InstallRotationTimer(WriterInfo* winfo);

View file

@ -181,7 +181,7 @@ bool WriterBackend::Init(int arg_num_fields, const Field* const* arg_fields) {
return true;
}
bool WriterBackend::Write(int arg_num_fields, int num_writes, Value*** vals) {
bool WriterBackend::Write(int arg_num_fields, zeek::Span<detail::LogRecord> records) {
// Double-check that the arguments match. If we get this from remote,
// something might be mixed up.
if ( num_fields != arg_num_fields ) {
@ -191,22 +191,20 @@ bool WriterBackend::Write(int arg_num_fields, int num_writes, Value*** vals) {
Debug(DBG_LOGGING, msg);
#endif
DeleteVals(num_writes, vals);
DisableFrontend();
return false;
}
// Double-check all the types match.
for ( int j = 0; j < num_writes; j++ ) {
for ( size_t j = 0; j < records.size(); j++ ) {
for ( int i = 0; i < num_fields; ++i ) {
if ( vals[j][i]->type != fields[i]->type ) {
if ( records[j][i].type != fields[i]->type ) {
#ifdef DEBUG
const char* msg = Fmt("Field #%d type doesn't match in WriterBackend::Write() (%d vs. %d)", i,
vals[j][i]->type, fields[i]->type);
records[j][i].type, fields[i]->type);
Debug(DBG_LOGGING, msg);
#endif
DisableFrontend();
DeleteVals(num_writes, vals);
return false;
}
}
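Review bot: the type-check loop indexes `records[j][i]` for `i < num_fields` without first verifying `records[j].size() == static_cast<size_t>(num_fields)`; the comment above says these records may come from remote, so a shorter record would read past the end of the vector. Check each record's size (and `DisableFrontend()` on mismatch) before comparing field types.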
@ -215,16 +213,30 @@ bool WriterBackend::Write(int arg_num_fields, int num_writes, Value*** vals) {
bool success = true;
if ( ! Failed() ) {
for ( int j = 0; j < num_writes; j++ ) {
success = DoWrite(num_fields, fields, vals[j]);
// Populate a Value* array for backwards compat with plugin
// provided WriterBackend implementations that expect to
// receive a threading::Value**.
//
// We keep the raw pointer for this API, as threading::Value
// itself manages strings, sets and vectors using raw pointers,
// so this is more consistent than mixing.
std::vector<Value*> valps;
valps.reserve(num_fields);
for ( size_t j = 0; j < records.size(); j++ ) {
auto& write_vals = records[j];
for ( int f = 0; f < num_fields; f++ )
valps.emplace_back(&write_vals[f]);
success = DoWrite(num_fields, fields, &valps[0]);
valps.clear();
if ( ! success )
break;
}
}
DeleteVals(num_writes, vals);
if ( ! success )
DisableFrontend();
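Review bot: `&valps[0]` in `DoWrite(num_fields, fields, &valps[0])` is undefined when `num_fields == 0`; use `valps.data()`. The pointers passed to `DoWrite` reference elements of `records[j]`, which stay alive for the call and are destroyed together with the `WriteMessage`, so dropping `DeleteVals(num_writes, vals)` is correct.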

View file

@ -4,6 +4,7 @@
#pragma once
#include "zeek/Span.h"
#include "zeek/logging/Component.h"
#include "zeek/threading/MsgThread.h"
@ -13,6 +14,12 @@ class data;
namespace zeek::logging {
namespace detail {
using LogRecord = std::vector<threading::Value>;
}
class WriterFrontend;
/**
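Review bot: `using LogRecord = std::vector<threading::Value>;` needs `<vector>`; the include block above adds `zeek/Span.h` but relies on a transitive include for `std::vector`. Add `#include <vector>` explicitly next to the other includes.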
@ -137,21 +144,16 @@ public:
bool Init(int num_fields, const threading::Field* const* fields);
/**
* Writes one log entry.
* Write a batch of log records.
*
* @param num_fields: The number of log fields for this stream. The
* value must match what was passed to Init().
*
* @param An array of size \a num_fields with the log values. Their
* types must match with the field passed to Init(). The method
* takes ownership of \a vals..
*
* Returns false if an error occurred, in which case the writer must
* not be used any further.
* @param records Span of LogRecord instances to write out.
*
* @return False if an error occurred.
*/
bool Write(int num_fields, int num_writes, threading::Value*** vals);
bool Write(int arg_num_fields, zeek::Span<detail::LogRecord> records);
/**
* Sets the buffering status for the writer, assuming the writer
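Review bot: the rewritten doc comment documents `@param records` but no longer describes the first argument, now named `arg_num_fields` (the removed text explained that it must match what was passed to `Init()`). Keep a `@param arg_num_fields` line, or drop the `arg_` prefix in the header so the declaration matches `Init(int num_fields, ...)` directly above.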

View file

@ -1,6 +1,7 @@
#include "zeek/logging/WriterFrontend.h"
#include "zeek/RunState.h"
#include "zeek/Span.h"
#include "zeek/broker/Manager.h"
#include "zeek/logging/Manager.h"
#include "zeek/logging/WriterBackend.h"
@ -50,18 +51,16 @@ private:
class WriteMessage final : public threading::InputMessage<WriterBackend> {
public:
WriteMessage(WriterBackend* backend, int num_fields, int num_writes, Value*** vals)
WriteMessage(WriterBackend* backend, int num_fields, std::vector<detail::LogRecord>&& records)
: threading::InputMessage<WriterBackend>("Write", backend),
num_fields(num_fields),
num_writes(num_writes),
vals(vals) {}
records(std::move(records)) {}
bool Process() override { return Object()->Write(num_fields, num_writes, vals); }
bool Process() override { return Object()->Write(num_fields, zeek::Span{records}); }
private:
int num_fields;
int num_writes;
Value*** vals;
std::vector<detail::LogRecord> records;
};
class SetBufMessage final : public threading::InputMessage<WriterBackend> {
@ -89,7 +88,8 @@ private:
// Frontend methods.
WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVal* arg_stream, EnumVal* arg_writer,
bool arg_local, bool arg_remote) {
bool arg_local, bool arg_remote)
: write_buffer(detail::WriteBuffer(WRITER_BUFFER_SIZE)) {
stream = arg_stream;
writer = arg_writer;
Ref(stream);
@ -99,8 +99,6 @@ WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVa
buf = true;
local = arg_local;
remote = arg_remote;
write_buffer = nullptr;
write_buffer_pos = 0;
info = new WriterBackend::WriterInfo(arg_info);
num_fields = 0;
@ -134,7 +132,6 @@ WriterFrontend::~WriterFrontend() {
void WriterFrontend::Stop() {
if ( disabled ) {
CleanupWriteBuffer();
return;
}
@ -173,57 +170,42 @@ void WriterFrontend::Init(int arg_num_fields, const Field* const* arg_fields) {
}
}
void WriterFrontend::Write(int arg_num_fields, Value** vals) {
if ( disabled ) {
DeleteVals(arg_num_fields, vals);
return;
}
void WriterFrontend::Write(detail::LogRecord&& arg_vals) {
std::vector<threading::Value> vals = std::move(arg_vals);
if ( arg_num_fields != num_fields ) {
reporter->Warning("WriterFrontend %s expected %d fields in write, got %d. Skipping line.", name, num_fields,
arg_num_fields);
DeleteVals(arg_num_fields, vals);
if ( disabled )
return;
if ( vals.size() != static_cast<size_t>(num_fields) ) {
reporter->Warning("WriterFrontend %s expected %d fields in write, got %zu. Skipping line.", name, num_fields,
vals.size());
return;
}
if ( remote ) {
broker_mgr->PublishLogWrite(stream, writer, info->path, num_fields, vals);
broker_mgr->PublishLogWrite(stream, writer, info->path, vals);
}
if ( ! backend ) {
DeleteVals(arg_num_fields, vals);
if ( ! backend )
return;
}
if ( ! write_buffer ) {
// Need new buffer.
write_buffer = new Value**[WRITER_BUFFER_SIZE];
write_buffer_pos = 0;
}
write_buffer.WriteRecord(std::move(vals));
write_buffer[write_buffer_pos++] = vals;
if ( write_buffer_pos >= WRITER_BUFFER_SIZE || ! buf || run_state::terminating )
if ( write_buffer.Full() || ! buf || run_state::terminating )
// Buffer full (or no buffering desired or terminating).
FlushWriteBuffer();
}
void WriterFrontend::FlushWriteBuffer() {
if ( disabled ) {
CleanupWriteBuffer();
if ( disabled )
return;
}
if ( ! write_buffer_pos )
if ( write_buffer.Empty() )
// Nothing to do.
return;
if ( backend )
backend->SendIn(new WriteMessage(backend, num_fields, write_buffer_pos, write_buffer));
// Clear buffer (no delete, we pass ownership to child thread.)
write_buffer = nullptr;
write_buffer_pos = 0;
backend->SendIn(new WriteMessage(backend, num_fields, std::move(write_buffer).TakeRecords()));
}
void WriterFrontend::SetBuf(bool enabled) {
@ -263,24 +245,4 @@ void WriterFrontend::Rotate(const char* rotated_path, double open, double close,
log_mgr->FinishedRotation(this, nullptr, nullptr, 0, 0, false, terminating);
}
void WriterFrontend::DeleteVals(int num_fields, Value** vals) {
// Note this code is duplicated in Manager::DeleteVals().
for ( int i = 0; i < num_fields; i++ )
delete vals[i];
delete[] vals;
}
void WriterFrontend::CleanupWriteBuffer() {
if ( ! write_buffer || write_buffer_pos == 0 )
return;
for ( int j = 0; j < write_buffer_pos; j++ )
DeleteVals(num_fields, write_buffer[j]);
delete[] write_buffer;
write_buffer = nullptr;
write_buffer_pos = 0;
}
} // namespace zeek::logging

View file

@ -8,6 +8,66 @@ namespace zeek::logging {
class Manager;
namespace detail {
/**
* Implements a buffer accumulating log records in \a WriterFrontend instance
* before passing them to \a WriterBackend instances.
*
* \see WriterFrontend::Write
*/
class WriteBuffer {
public:
/**
* Constructor.
*/
explicit WriteBuffer(size_t buffer_size) : buffer_size(buffer_size) {}
/**
* Push a record to the buffer.
*
* @param record The records vals.
*/
void WriteRecord(LogRecord&& record) { records.emplace_back(std::move(record)); }
/**
* Moves the records out of the buffer and resets it.
*
* @return The currently buffered log records.
*/
std::vector<LogRecord> TakeRecords() && {
auto tmp = std::move(records);
// Re-initialize the buffer.
records.clear();
records.reserve(buffer_size);
return tmp;
}
/**
* @return The size of the buffer.
*/
size_t Size() const { return records.size(); }
/**
* @return True if buffer is empty.
*/
size_t Empty() const { return records.empty(); }
/**
* @return True if size equals or exceeds configured buffer size.
*/
bool Full() const { return records.size() >= buffer_size; }
private:
size_t buffer_size;
std::vector<LogRecord> records;
};
} // namespace detail
/**
* Bridge class between the logging::Manager and backend writer threads. The
* Manager instantiates one \a WriterFrontend for each open logging filter.
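Review bot: `size_t Empty() const { return records.empty(); }` should return `bool`, as its doc says (`@return True if buffer is empty.`). Also, `TakeRecords() &&` is rvalue-qualified yet reinitializes `records` for further use (`records.clear(); records.reserve(buffer_size);`), which is contradictory: either drop the `&&` qualifier (the caller then no longer needs `std::move(write_buffer).TakeRecords()`), or do not reuse the buffer afterwards. Finally, the constructor stores `buffer_size` but does not `reserve` it, so only batches after the first `TakeRecords()` get pre-allocated storage; a `records.reserve(buffer_size)` in the constructor makes the behaviour uniform.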
@ -84,13 +144,14 @@ public:
* FlushWriteBuffer(). The backend writer triggers this with a
* message at every heartbeat.
*
* See WriterBackend::Writer() for arguments (except that this method
* takes only a single record, not an array). The method takes
* ownership of \a vals.
* If the frontend has remote logging enabled, the record is also
* published to interested peers.
*
* @param rec Representation of the log record. Callee takes ownership.
* This method must only be called from the main thread.
*/
void Write(int num_fields, threading::Value** vals);
void Write(detail::LogRecord&& rec);
/**
* Sets the buffering state.
@ -185,8 +246,6 @@ public:
protected:
friend class Manager;
void DeleteVals(int num_fields, threading::Value** vals);
EnumVal* stream;
EnumVal* writer;
@ -204,11 +263,7 @@ protected:
// Buffer for bulk writes.
static const int WRITER_BUFFER_SIZE = 1000;
int write_buffer_pos; // Position of next write in buffer.
threading::Value*** write_buffer; // Buffer of size WRITER_BUFFER_SIZE.
private:
void CleanupWriteBuffer();
detail::WriteBuffer write_buffer; // Buffer of size WRITER_BUFFER_SIZE.
};
} // namespace zeek::logging
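Review bot: `detail::WriteBuffer` only has an `explicit WriteBuffer(size_t)` constructor and no default one, so this new member must be initialized in WriterFrontend's constructor initializer list; that constructor is not in the shown hunks, please confirm it passes `WRITER_BUFFER_SIZE`. Also `WRITER_BUFFER_SIZE` stays `static const int` while `WriteBuffer::buffer_size` is `size_t`; `static constexpr size_t WRITER_BUFFER_SIZE = 1000;` would remove the signed-to-unsigned conversion at that initialization.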

@ -4,6 +4,7 @@
#pragma once
#include "zeek/Dict.h"
#include "zeek/Val.h"
#include "zeek/ZeekString.h"
#include "zeek/script_opt/ZAM/ZInst.h"

@ -4,56 +4,33 @@ internal-op Remove-Teredo
op1-read
class V
op-types R
eval auto teredo = zeek::packet_mgr->GetAnalyzer("Teredo");
if ( teredo )
{
zeek::detail::ConnKey conn_key($1);
static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(conn_key);
}
eval ZAM::packet_mgr_remove_teredo($1);
internal-op Remove-Teredo
side-effects OP_REMOVE_TEREDO_V OP_V
class VV
op-types I R
eval auto teredo = zeek::packet_mgr->GetAnalyzer("Teredo");
if ( teredo )
{
zeek::detail::ConnKey conn_key($1);
static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(conn_key);
}
eval ZAM::packet_mgr_remove_teredo($1);
$$ = 1;
internal-op Remove-GTPv1
op1-read
class V
op-types R
eval auto gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1");
if ( gtpv1 )
{
zeek::detail::ConnKey conn_key($1);
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(conn_key);
}
eval ZAM::packet_mgr_remove_gtpv1($1);
internal-op Remove-GTPv1
side-effects OP_REMOVE_GTPV1_V OP_V
class VV
op-types I R
eval auto gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1");
if ( gtpv1 )
{
zeek::detail::ConnKey conn_key($1);
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(conn_key);
}
eval ZAM::packet_mgr_remove_gtpv1($1);
$$ = 1;
internal-op Set-File-Handle
op1-read
class V
op-types S
eval auto handle = $1;
auto bytes = reinterpret_cast<const char*>(handle->Bytes());
auto h = std::string(bytes, handle->Len());
zeek::file_mgr->SetHandle(h);
eval ZAM::file_mgr_set_handle($1);
internal-op Subnet-To-Addr
class VV
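Review bot: in the `VV` variants of Remove-Teredo and Remove-GTPv1 the bool now returned by `ZAM::packet_mgr_remove_teredo($1)` and `ZAM::packet_mgr_remove_gtpv1($1)` is discarded and `$$ = 1;` is assigned unconditionally, so the result never reflects whether the analyzer was actually present. That matches the previous inline code, so if the unconditional 1 is intended, consider making the wrappers `void` or stating in their declaration that the return value is informational; otherwise write `$$ = ZAM::packet_mgr_remove_teredo($1);` and let the script see the real outcome.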
@ -113,7 +90,7 @@ macro LogWritePre(id_val, columns_val)
auto columns = columns_val;
macro LogWriteResPost(lhs)
bool result = log_mgr->Write(id->AsEnumVal(), columns->AsRecordVal());
bool result = ZAM::log_mgr_write(id->AsEnumVal(), columns->AsRecordVal());
lhs = result;
internal-op Log-Write
@ -138,18 +115,18 @@ op1-read
classes VV CV
op-types X R
eval LogWritePre(LogEnum($1), $2)
(void) log_mgr->Write(id->AsEnumVal(), columns->AsRecordVal());
(void) ZAM::log_mgr_write(id->AsEnumVal(), columns->AsRecordVal());
internal-op Broker-Flush-Logs
side-effects OP_BROKER_FLUSH_LOGS_X OP_X
class V
op-types U
eval $$ = broker_mgr->FlushLogBuffers();
eval $$ = ZAM::broker_mgr_flush_log_buffers();
internal-op Broker-Flush-Logs
side-effects
class X
eval (void) broker_mgr->FlushLogBuffers();
eval (void) ZAM::broker_mgr_flush_log_buffers();
internal-op Get-Port-Transport-Proto
class VV
@ -167,13 +144,13 @@ eval auto mask = $1 & PORT_SPACE_MASK;
predicate-op Conn-Exists
class V
op-types R
eval session_mgr->FindConnection($1) != nullptr
eval ZAM::session_mgr_find_connection($1) != nullptr
internal-op Lookup-Conn
class VV
op-types X R
eval auto cid = $1;
Connection* conn = session_mgr->FindConnection(cid);
Connection* conn = ZAM::session_mgr_find_connection(cid);
ValPtr res;
if ( conn )
res = conn->GetVal();
@ -453,92 +430,61 @@ eval CatNPre()
internal-op Analyzer-Name
classes VV VC
op-types S X
eval auto atype = $1.ToVal(Z_TYPE);
auto val = atype->AsEnumVal();
Unref($$);
plugin::Component* component = zeek::analyzer_mgr->Lookup(val);
if ( ! component )
component = zeek::packet_mgr->Lookup(val);
if ( ! component )
component = zeek::file_mgr->Lookup(val);
if ( component )
$$ = new StringVal(component->CanonicalName());
else
$$ = new StringVal("<error>");
macro FilesAddOrRemoveAnalyzer(file_id_val, tag, args_val, METHOD)
auto file_id = file_id_val;
using zeek::BifType::Record::Files::AnalyzerArgs;
auto rv = args_val->CoerceTo(AnalyzerArgs);
bool result = zeek::file_mgr->METHOD(
file_id->CheckString(),
zeek::file_mgr->GetComponentTag(tag.ToVal(Z_TYPE).get()),
std::move(rv));
macro FilesAddAnalyzer(file_id_val, tag, args_val)
FilesAddOrRemoveAnalyzer(file_id_val, tag, args_val, AddAnalyzer)
eval Unref($$);
$$ = ZAM::analyzer_name($1.ToVal(Z_TYPE)->AsEnumVal());
internal-op Files-Add-Analyzer
op1-read
classes VVV VCV
op-types S X R
eval FilesAddAnalyzer($1, $2, $3)
eval ZAM::file_mgr_add_analyzer($1, $2.ToVal(Z_TYPE)->AsEnumVal(), $3);
internal-op Files-Add-Analyzer
class VVVV
side-effects OP_FILES_ADD_ANALYZER_VVV OP_VVV
op-types I S X R
eval FilesAddAnalyzer($1, $2, $3)
$$ = result;
eval $$ = ZAM::file_mgr_add_analyzer($1, $2.ToVal(Z_TYPE)->AsEnumVal(), $3);
internal-op Files-Add-Analyzer
class VVCV
op-types I S X R
side-effects OP_FILES_ADD_ANALYZER_VCV OP_VVC
eval FilesAddAnalyzer($1, $2, $3)
$$ = result;
macro FilesRemoveAnalyzer(file_id_val, tag, args_slot)
FilesAddOrRemoveAnalyzer(file_id_val, tag, args_slot, RemoveAnalyzer)
eval $$ = ZAM::file_mgr_add_analyzer($1, $2.ToVal(Z_TYPE)->AsEnumVal(), $3);
internal-op Files-Remove-Analyzer
op1-read
classes VVV VCV
op-types S X R
eval FilesRemoveAnalyzer($1, $2, $3)
eval ZAM::file_mgr_remove_analyzer($1, $2.ToVal(Z_TYPE)->AsEnumVal(), $3);
internal-op Files-Remove-Analyzer
class VVVV
op-types I S X R
side-effects OP_FILES_REMOVE_ANALYZER_VVV OP_VVV
eval FilesRemoveAnalyzer($1, $2, $3)
$$ = result;
eval $$ = ZAM::file_mgr_remove_analyzer($1, $2.ToVal(Z_TYPE)->AsEnumVal(), $3);
internal-op Files-Remove-Analyzer
class VVCV
op-types I S X R
side-effects OP_FILES_REMOVE_ANALYZER_VCV OP_VVC
eval FilesRemoveAnalyzer($1, $2, $3)
$$ = result;
eval $$ = ZAM::file_mgr_remove_analyzer($1, $2.ToVal(Z_TYPE)->AsEnumVal(), $3);
internal-op Analyzer-Enabled
classes VV VC
op-types I X
eval auto atype = $1.ToVal(Z_TYPE);
auto c = zeek::file_mgr->Lookup(atype->AsEnumVal());
$$ = c && c->Enabled();
eval $$ = ZAM::file_mgr_analyzer_enabled($1.ToVal(Z_TYPE)->AsEnumVal());
internal-op File-Analyzer-Name
classes VV VC
eval auto atype = $1.ToVal(Z_TYPE);
Unref($$.AsString());
$$ = ZVal(file_mgr->GetComponentNameVal({NewRef{}, atype->AsEnumVal()}));
$$ = ZVal(ZAM::file_mgr_analyzer_name(atype->AsEnumVal()));
internal-op Is-Protocol-Analyzer
classes VV VC
op-types I X
eval auto atype = $1.ToVal(Z_TYPE);
$$ = analyzer_mgr->Lookup(atype->AsEnumVal()) != nullptr;
$$ = ZAM::analyzer_mgr_lookup(atype->AsEnumVal()) != nullptr;
internal-op Clear-Table
op1-read
@ -550,47 +496,33 @@ internal-op Files-Enable-Reassembly
op1-read
class V
op-types S
eval auto f = $1->CheckString();
file_mgr->EnableReassembly(f);
eval ZAM::file_mgr_enable_reassembly($1);
internal-op Files-Set-Reassembly-Buffer
op1-read
classes VV Vi
op-types S U
eval auto f = $1->CheckString();
file_mgr->SetReassemblyBuffer(f, $2);
eval ZAM::file_mgr_set_reassembly_buffer($1, $2);
internal-op Files-Set-Reassembly-Buffer
class VVV
op-types I S U
side-effects OP_FILES_SET_REASSEMBLY_BUFFER_VV OP_VV
eval auto f = $1->CheckString();
$$ = file_mgr->SetReassemblyBuffer(f, $2);
eval $$ = ZAM::file_mgr_set_reassembly_buffer($1, $2);
internal-op Files-Set-Reassembly-Buffer
class VVi
op-types I S U
side-effects OP_FILES_SET_REASSEMBLY_BUFFER_Vi OP_VV_I2
eval auto f = $1->CheckString();
$$ = file_mgr->SetReassemblyBuffer(f, $2);
eval $$ = ZAM::file_mgr_set_reassembly_buffer($1, $2);
internal-op Get-Bytes-Thresh
classes VVV VVC
op-types U R I
eval auto a = analyzer::conn_size::GetConnsizeAnalyzer($1);
auto res = 0U;
if ( a )
res = static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, $2);
$$ = res;
eval $$ = ZAM::conn_size_get_bytes_threshold($1, $2);
macro SetBytesThresh(cid, threshold, is_orig)
bool res = false;
auto a = analyzer::conn_size::GetConnsizeAnalyzer(cid);
if ( a )
{
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
res = true;
}
bool res = ZAM::conn_size_set_bytes_threshold(threshold, cid, is_orig);
internal-op Set-Bytes-Thresh
op1-read
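Review bot: `conn_size_get_bytes_threshold($1, $2)` takes `(cid, is_orig)` while `conn_size_set_bytes_threshold(threshold, cid, is_orig)` puts the connection id second, and the `SetBytesThresh(cid, threshold, is_orig)` macro wrapping it orders them differently again. A swap would still fail to compile because `Val*` and `zeek_uint_t` differ, but the asymmetry is a readability trap; give the setter the same cid-first shape as the getter, e.g. `conn_size_set_bytes_threshold(cid, threshold, is_orig)`.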

@ -4,11 +4,14 @@
#pragma once
#include "zeek/script_opt/ProfileFunc.h"
#include "zeek/util.h"
#include <memory>
#include <set>
#include <string>
namespace zeek::detail {
class Location;
class ZAMLocInfo {
public:
// A generalization of the notion of "Location" that includes associating

@ -8,7 +8,17 @@
#include "zeek/Reporter.h"
#include "zeek/ScriptValidation.h"
#include "zeek/ZeekString.h"
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/broker/Manager.h"
#include "zeek/file_analysis/Manager.h"
#include "zeek/file_analysis/file_analysis.bif.h"
#include "zeek/logging/Manager.h"
#include "zeek/packet_analysis/Manager.h"
#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
#include "zeek/packet_analysis/protocol/teredo/Teredo.h"
#include "zeek/script_opt/ProfileFunc.h"
#include "zeek/session/Manager.h"
namespace zeek::detail {
@ -17,6 +27,113 @@ std::string curr_func;
std::shared_ptr<ZAMLocInfo> curr_loc;
TypePtr log_ID_enum_type;
TypePtr any_base_type = base_type(TYPE_ANY);
bool log_mgr_write(zeek::EnumVal* v, zeek::RecordVal* r) { return zeek::log_mgr->Write(v, r); }
size_t broker_mgr_flush_log_buffers() { return zeek::broker_mgr->FlushLogBuffers(); }
zeek::Connection* session_mgr_find_connection(zeek::Val* cid) { return zeek::session_mgr->FindConnection(cid); }
bool packet_mgr_remove_teredo(zeek::Val* cid) {
auto teredo = zeek::packet_mgr->GetAnalyzer("Teredo");
if ( teredo ) {
zeek::detail::ConnKey conn_key(cid);
static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(conn_key);
return true;
}
return false;
}
bool packet_mgr_remove_gtpv1(zeek::Val* cid) {
auto gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1");
if ( gtpv1 ) {
zeek::detail::ConnKey conn_key(cid);
static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(conn_key);
return true;
}
return false;
}
zeek::StringVal* analyzer_name(zeek::EnumVal* val) {
plugin::Component* component = zeek::analyzer_mgr->Lookup(val);
if ( ! component )
component = zeek::packet_mgr->Lookup(val);
if ( ! component )
component = zeek::file_mgr->Lookup(val);
if ( component )
return new StringVal(component->CanonicalName());
return new StringVal("<error>");
}
zeek::plugin::Component* analyzer_mgr_lookup(zeek::EnumVal* v) { return zeek::analyzer_mgr->Lookup(v); }
zeek_uint_t conn_size_get_bytes_threshold(Val* cid, bool is_orig) {
if ( auto* a = analyzer::conn_size::GetConnsizeAnalyzer(cid) )
return static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetByteAndPacketThreshold(true, is_orig);
return 0;
}
bool conn_size_set_bytes_threshold(zeek_uint_t threshold, Val* cid, bool is_orig) {
if ( auto* a = analyzer::conn_size::GetConnsizeAnalyzer(cid) ) {
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetByteAndPacketThreshold(threshold, true, is_orig);
return true;
}
return false;
}
// File analysis wrappers
void file_mgr_set_handle(StringVal* h) { zeek::file_mgr->SetHandle(h->ToStdString()); }
bool file_mgr_add_analyzer(StringVal* file_id, EnumVal* tag, RecordVal* args) {
const auto& tag_ = zeek::file_mgr->GetComponentTag(tag);
if ( ! tag_ )
return false;
using zeek::BifType::Record::Files::AnalyzerArgs;
auto rv = args->CoerceTo(AnalyzerArgs);
return zeek::file_mgr->AddAnalyzer(file_id->CheckString(), tag_, std::move(rv));
}
bool file_mgr_remove_analyzer(StringVal* file_id, EnumVal* tag, RecordVal* args) {
const auto& tag_ = zeek::file_mgr->GetComponentTag(tag);
if ( ! tag_ )
return false;
using zeek::BifType::Record::Files::AnalyzerArgs;
auto rv = args->CoerceTo(AnalyzerArgs);
return zeek::file_mgr->RemoveAnalyzer(file_id->CheckString(), tag_, std::move(rv));
}
bool file_mgr_analyzer_enabled(zeek::EnumVal* v) {
auto c = zeek::file_mgr->Lookup(v->AsEnumVal());
return c && c->Enabled();
}
zeek::StringVal* file_mgr_analyzer_name(EnumVal* v) {
// to be placed into a ZVal
return file_mgr->GetComponentNameVal({NewRef{}, v}).release();
}
bool file_mgr_enable_reassembly(StringVal* file_id) {
std::string fid = file_id->CheckString();
return zeek::file_mgr->EnableReassembly(fid);
}
bool file_mgr_disable_reassembly(StringVal* file_id) {
std::string fid = file_id->CheckString();
return zeek::file_mgr->DisableReassembly(fid);
}
bool file_mgr_set_reassembly_buffer(StringVal* file_id, uint64_t max) {
std::string fid = file_id->CheckString();
return zeek::file_mgr->SetReassemblyBuffer(fid, max);
}
} // namespace ZAM
bool ZAM_error = false;
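Review bot: `file_mgr_add_analyzer` and `file_mgr_remove_analyzer` now return `false` early when `GetComponentTag(tag)` yields an invalid tag, whereas the replaced `FilesAddOrRemoveAnalyzer` macro handed the tag straight to `AddAnalyzer`/`RemoveAnalyzer`; a sensible guard, but it is a behaviour change worth calling out in the commit message and covering with a test. Smaller points: in `file_mgr_analyzer_enabled(zeek::EnumVal* v)` the `v->AsEnumVal()` call is redundant since `v` already is an `EnumVal*`; and `analyzer_name()` returns a raw `new StringVal` the caller must `Unref`, the same convention `file_mgr_analyzer_name()` documents with its "to be placed into a ZVal" comment, so give `analyzer_name()` the same note.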

@ -1,14 +1,41 @@
// See the file "COPYING" in the main distribution directory for copyright.
// Low-level support utilities/globals for ZAM compilation.
//
// Many of the wrapper functions are here to break header dependencies
// between ZBody.cc and the rest of Zeek. This avoids rebuilding of ZBody.cc
// when working on Zeek components unrelated to script optimization.
//
#pragma once
#include "zeek/Expr.h"
#include "zeek/Stmt.h"
#include "zeek/script_opt/ZAM/Profile.h"
#include <vector>
namespace zeek::detail {
#include "zeek/IntrusivePtr.h"
#include "zeek/script_opt/ZAM/Profile.h"
#include "zeek/util.h"
namespace zeek {
class Connection;
class EnumVal;
class RecordVal;
class StringVal;
class Type;
class Val;
using ValPtr = IntrusivePtr<Val>;
using StringValPtr = IntrusivePtr<StringVal>;
using TypePtr = IntrusivePtr<Type>;
namespace plugin {
class Component;
}
namespace detail {
class Expr;
class Stmt;
using ValVec = std::vector<ValPtr>;
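Review bot: `using ValVec = std::vector<ValPtr>;` stays in this header, but `#include <vector>` is no longer among the includes listed after the rewrite (only `zeek/IntrusivePtr.h`, `zeek/script_opt/ZAM/Profile.h` and `zeek/util.h`); if it was indeed dropped, keep an explicit `#include <vector>` rather than relying on a transitive one, since the stated purpose of this change is to make the header's dependencies explicit. The re-stated aliases `ValPtr`, `StringValPtr` and `TypePtr` must remain identical to the project's primary definitions or any translation unit seeing both gets a conflicting-declaration error; a one-line comment saying they mirror those definitions would help the next editor.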
@ -28,6 +55,45 @@ extern TypePtr log_ID_enum_type;
// Needed for a slight performance gain when dealing with "any" types.
extern TypePtr any_base_type;
// log_mgr->Write()
bool log_mgr_write(EnumVal* v, RecordVal* r);
// broker_mgr->FlushLogBuffers()
size_t broker_mgr_flush_log_buffers();
// session_mgr->FindConnection()
zeek::Connection* session_mgr_find_connection(Val* cid);
// We've seen these two cause overhead even with normal script execution,
// maybe we should fix them via conn removal hooks or some such.
bool packet_mgr_remove_teredo(Val* cid);
bool packet_mgr_remove_gtpv1(Val* cid);
// Analyzer-Name op
StringVal* analyzer_name(zeek::EnumVal* v);
// Used with Is-Protocol-Analyzer op
plugin::Component* analyzer_mgr_lookup(EnumVal* v);
// Conn size analyzer accessors for byte thresholds.
//
// Note: The underlying API uses a bool parameter to distinguish between
// packet and byte thresholds. For now, only need bytes and seems less
// obfuscated to use individual functions.
zeek_uint_t conn_size_get_bytes_threshold(Val* cid, bool is_orig);
bool conn_size_set_bytes_threshold(zeek_uint_t threshold, Val* cid, bool is_orig);
// File analysis facade.
void file_mgr_set_handle(StringVal* h);
bool file_mgr_add_analyzer(StringVal* file_id, EnumVal* tag, RecordVal* args);
bool file_mgr_remove_analyzer(StringVal* file_id, EnumVal* tag, RecordVal* args);
bool file_mgr_analyzer_enabled(EnumVal* v);
zeek::StringVal* file_mgr_analyzer_name(EnumVal* v);
bool file_mgr_enable_reassembly(StringVal* file_id);
bool file_mgr_disable_reassembly(StringVal* file_id);
bool file_mgr_set_reassembly_buffer(StringVal* file_id, uint64_t max);
} // namespace ZAM
// True if a function with the given profile can be compiled to ZAM.
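Review bot: the declarations mix `zeek::EnumVal*`, `zeek::StringVal*` and `zeek::Connection*` with unqualified `EnumVal*`/`StringVal*` even though all of them sit inside `namespace zeek`; pick one form. `file_mgr_set_reassembly_buffer` takes `uint64_t max` while the conn-size accessors use `zeek_uint_t`; use the Zeek typedef consistently. The comment "For now, only need bytes and seems less obfuscated to use individual functions" is missing its subject; suggest "For now we only need the byte thresholds, and separate functions read more clearly than a bool selector." Also `file_mgr_disable_reassembly` is declared and defined, but no op in the hunks shown here calls it; if a Files-Disable-Reassembly op elsewhere uses it, fine, otherwise drop it.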
@ -40,7 +106,6 @@ extern bool IsAny(const Type* t);
// Convenience functions for getting to these.
inline bool IsAny(const TypePtr& t) { return IsAny(t.get()); }
inline bool IsAny(const Expr* e) { return IsAny(e->GetType()); }
// Run-time checking for "any" type being consistent with
// expected typed. Returns true if the type match is okay.
@ -61,4 +126,5 @@ extern StringVal* ZAM_sub_bytes(const StringVal* s, zeek_uint_t start, zeek_int_
extern StringValPtr ZAM_val_cat(const ValPtr& v);
} // namespace zeek::detail
} // namespace detail
} // namespace zeek

@ -1,8 +1,11 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include <map>
#include <regex>
#include <string>
#include "zeek/script_opt/ZAM/ZBody.h"
#include "zeek/Reporter.h"
#include "zeek/script_opt/ZAM/ZInst.h"
#include "zeek/script_opt/ZAM/ZOp.h"
using std::string;

@ -4,7 +4,9 @@
#include "zeek/Desc.h"
#include "zeek/EventHandler.h"
#include "zeek/File.h"
#include "zeek/Frame.h"
#include "zeek/OpaqueVal.h"
#include "zeek/Overflow.h"
#include "zeek/RE.h"
#include "zeek/Reporter.h"
@ -12,7 +14,15 @@
#include "zeek/Trigger.h"
#include "zeek/script_opt/ScriptOpt.h"
#include "zeek/script_opt/ZAM/Compile.h"
#include "zeek/session/Manager.h"
#include "zeek/script_opt/ZAM/Support.h"
// Forward declarations from RunState.cc
namespace zeek::run_state {
extern double network_time;
extern bool reading_traces;
extern bool reading_live;
extern bool terminating;
} // namespace zeek::run_state
namespace zeek::detail {
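Review bot: the four `extern` declarations copied here from RunState.cc duplicate what `zeek/RunState.h` already provides (the ZBody.h hunk removes exactly that include "for reading_live and reading_traces"); a later change to the type of, say, `network_time` in RunState.cc would then compile cleanly here and break at link time or silently misread the variable. If the intent is to keep `RunState.h` out of ZBody.cc's include set, say so in the comment, and consider a small header that declares only these globals so both sides share one declaration.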

@ -4,34 +4,9 @@
#pragma once
#include <vector>
#include "zeek/script_opt/ZAM/IterInfo.h"
#include "zeek/script_opt/ZAM/Profile.h"
#include "zeek/script_opt/ZAM/Support.h"
////////////////////////////////////////////////////////////////////////
// Headers needed for run-time execution:
// Needed for managing the corresponding values.
#include "zeek/File.h"
#include "zeek/Func.h"
#include "zeek/OpaqueVal.h"
// Just needed for BiFs.
#include "zeek/analyzer/Manager.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/broker/Manager.h"
#include "zeek/file_analysis/Manager.h"
#include "zeek/file_analysis/file_analysis.bif.h"
#include "zeek/logging/Manager.h"
#include "zeek/packet_analysis/Manager.h"
#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
#include "zeek/packet_analysis/protocol/teredo/Teredo.h"
#include "zeek.bif.func_h"
// For reading_live and reading_traces
#include "zeek/RunState.h"
////////////////////////////////////////////////////////////////////////
namespace zeek::detail {

@ -4,7 +4,6 @@
#pragma once
#include "zeek/Desc.h"
#include "zeek/Func.h"
#include "zeek/TraverseTypes.h"
#include "zeek/script_opt/ZAM/BuiltInSupport.h"

@ -2,7 +2,7 @@
#include "zeek/script_opt/ZAM/ZOp.h"
#include "zeek/script_opt/ZAM/Support.h"
#include "zeek/Type.h"
namespace zeek::detail {

@ -82,6 +82,57 @@ std::string Field::TypeName() const {
return n;
}
Value::Value(const Value& other) {
type = other.type;
subtype = other.subtype;
present = other.present;
switch ( other.type ) {
case TYPE_ENUM:
case TYPE_STRING:
case TYPE_FILE:
case TYPE_FUNC: {
val.string_val.data = util::copy_string(other.val.string_val.data, other.val.string_val.length);
break;
}
case TYPE_PATTERN: {
val.pattern_text_val = util::copy_string(val.pattern_text_val);
break;
}
case TYPE_TABLE: {
val.set_val.vals = new Value*[other.val.set_val.size];
for ( zeek_int_t i = 0; i < other.val.set_val.size; i++ )
val.set_val.vals[i] = new Value(*other.val.set_val.vals[i]);
break;
}
case TYPE_VECTOR: {
val.vector_val.vals = new Value*[other.val.vector_val.size];
for ( zeek_int_t i = 0; i < other.val.vector_val.size; i++ )
val.vector_val.vals[i] = new Value(*other.val.vector_val.vals[i]);
break;
}
default: {
// Deal with simple/atomic types.
val = other.val;
break;
}
};
}
Value::Value(Value&& other) noexcept {
present = other.present;
type = other.type;
subtype = other.type;
line_number = other.line_number;
val = other.val; // take ownership.
other.val = _val();
other.line_number = -1;
other.present = false;
}
Value::~Value() {
if ( ! present )
return;
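Review bot: the copy constructor has several defects. In the `TYPE_PATTERN` case `util::copy_string(val.pattern_text_val)` reads the new object's own uninitialized `val` instead of `other.val.pattern_text_val`. In the `TYPE_ENUM`/`TYPE_STRING`/`TYPE_FILE`/`TYPE_FUNC` case `val.string_val.length` is never set, and in the `TYPE_TABLE` and `TYPE_VECTOR` cases `val.set_val.size` and `val.vector_val.size` are never set, so the destructor, which presumably uses them to free the elements, sees garbage. `line_number` is copied by the move constructor but not by the copy constructor. Nothing checks `other.present`, whereas the destructor returns early for `! present`; an absent optional string would have its possibly null `data` handed to `copy_string`. The move constructor has `subtype = other.type;` where `other.subtype` is meant. Suggested shape for the copy constructor: copy `type`, `subtype`, `present` and `line_number`, return if `! present`, then in each case assign the length/size field before duplicating the payload, e.g. `val.set_val.size = other.val.set_val.size;` ahead of the `new Value*[...]` loop. The stray `;` after the `switch` block is harmless but should go.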

@ -106,7 +106,7 @@ private:
struct Value {
TypeTag type; //! The type of the value.
TypeTag subtype; //! Inner type for sets and vectors.
bool present; //! False for optional record fields that are not set.
bool present = false; //! False for optional record fields that are not set.
struct set_t {
zeek_int_t size;
@ -185,6 +185,16 @@ struct Value {
Value(TypeTag arg_type, TypeTag arg_subtype, bool arg_present = true)
: type(arg_type), subtype(arg_subtype), present(arg_present) {}
/**
* Copy constructor.
*/
Value(const Value& other);
/**
* Move constructor.
*/
Value(Value&& other) noexcept;
/**
* Destructor.
*/
@ -241,7 +251,6 @@ struct Value {
private:
friend class IPAddr;
Value(const Value& other) = delete;
// For values read by the input framework, this can represent the line number
// containing this value. Used by the Ascii reader primarily.
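Review bot: with the `= delete` on the copy constructor removed and a user-provided copy constructor in its place, the compiler still implicitly generates a copy assignment operator that does a member-wise shallow copy of the `val` union, and because a move constructor is user-declared no move assignment is generated, so `a = std::move(b)` falls back to that same shallow copy. For a string, set or vector `Value` this leaves two objects owning the same heap pointers and the destructors double-free. Either add `Value& operator=(const Value&) = delete; Value& operator=(Value&&) = delete;` next to the new constructors, or implement both with the same deep-copy and steal logic the constructors use.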

@ -1649,7 +1649,8 @@ TEST_CASE("util path ops"){
#ifdef _MSC_VER
// TODO: adapt these tests to Windows paths
#else
SUBCASE("SafeDirname"){SafeDirname d("/this/is/a/path", false);
SUBCASE("SafeDirname") {
SafeDirname d("/this/is/a/path", false);
CHECK(d.result == "/this/is/a");
SafeDirname d2("invalid", false);
@ -1671,10 +1672,7 @@ SUBCASE("SafeBasename") {
#endif
}
SafeDirname::SafeDirname(const char* path, bool error_aborts)
: SafePathOp() {
DoFunc(path ? path : "", error_aborts);
}
SafeDirname::SafeDirname(const char* path, bool error_aborts) : SafePathOp() { DoFunc(path ? path : "", error_aborts); }
SafeDirname::SafeDirname(const string& path, bool error_aborts) : SafePathOp() { DoFunc(path, error_aborts); }
@ -2303,8 +2301,7 @@ static void strerror_r_helper(char* result, char* buf, size_t buflen) {
buf[buflen - 1] = 0;
}
static void strerror_r_helper(int result, char* buf, size_t buflen) { /* XSI flavor of strerror_r, no-op. */
}
static void strerror_r_helper(int result, char* buf, size_t buflen) { /* XSI flavor of strerror_r, no-op. */ }
void zeek_strerror_r(int zeek_errno, char* buf, size_t buflen) {
#ifdef _MSC_VER

@ -38,6 +38,7 @@
2 53
1 5353
1 5355
1 5432
1 563
1 585
1 587
@ -65,8 +66,8 @@
1 992
1 993
1 995
74 and
73 or
74 port
46 tcp
75 and
74 or
75 port
47 tcp
28 udp

@ -435,6 +435,10 @@ scripts/base/init-default.zeek
scripts/base/protocols/ntp/main.zeek
scripts/base/protocols/ntp/consts.zeek
scripts/base/protocols/pop3/__load__.zeek
scripts/base/protocols/postgresql/__load__.zeek
scripts/base/protocols/postgresql/consts.zeek
scripts/base/protocols/postgresql/spicy-events.zeek
scripts/base/protocols/postgresql/main.zeek
scripts/base/protocols/quic/__load__.zeek
scripts/base/protocols/quic/spicy-events.zeek
scripts/base/protocols/quic/consts.zeek

@ -41,6 +41,7 @@ ocsp
openflow
packet_filter
pe
postgresql
print_log_path
quic
radius

@ -509,6 +509,35 @@ connection {
* size: count, log=F, optional=F
* state: count, log=F, optional=F
}
* postgresql: record PostgreSQL::Info, log=F, optional=T
PostgreSQL::Info {
* application_name: string, log=T, optional=T
* backend: string, log=T, optional=T
* backend_arg: string, log=T, optional=T
* database: string, log=T, optional=T
* frontend: string, log=T, optional=T
* frontend_arg: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* rows: count, log=T, optional=T
* success: bool, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* user: string, log=T, optional=T
}
* postgresql_state: record PostgreSQL::State, log=F, optional=T
PostgreSQL::State {
* application_name: string, log=F, optional=T
* database: string, log=F, optional=T
* errors: vector of string, log=F, optional=F
* rows: count, log=F, optional=T
* user: string, log=F, optional=T
* version: record PostgreSQL::Version, log=F, optional=T
PostgreSQL::Version {
* major: count, log=F, optional=F
* minor: count, log=F, optional=F
}
}
* quic: record QUIC::Info, log=F, optional=T
QUIC::Info {
* client_initial_dcid: string, log=T, optional=T

@ -7,10 +7,10 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string
XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
#close XXXX-XX-XX-XX-XX-XX
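Review bot: the only change in this baseline is the element order of the `analyzers` set column (X509,SHA256,SHA1,MD5 becomes SHA256,X509,SHA1,MD5); the logged set order evidently follows internal hash ordering, so this churn will recur whenever unrelated code shifts it. If the test's canonifier does not already sort set elements, adding that would keep baselines stable.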

@ -0,0 +1,12 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.105 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS
#close XXXX-XX-XX-XX-XX-XX

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 172.24.133.205 43090 172.24.133.205 8000 1 GET 172.24.133.205:8000 / - 1.0 python-requests/2.31.0 - 0 643 200 OK - - (empty) test 1:34 - - - - FM4Ls72L4REzbA61lg - text/html
#close XXXX-XX-XX-XX-XX-XX

@ -0,0 +1,35 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ldap
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
#types time string addr port addr port int int string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 65 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 66 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 83 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 84 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 101 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 102 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 119 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 120 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 137 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 138 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 155 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 156 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 173 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 174 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 191 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 192 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 209 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 210 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 227 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 228 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 245 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 246 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 263 3 bind SASL SASL bind in progress - - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 264 3 bind SASL invalid credentials 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563? - GSS-SPNEGO
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.66.141 53653 192.168.66.138 389 349 - unbind - - - -
#close XXXX-XX-XX-XX-XX-XX

View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
1673270800.189652 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) -
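Review bot: the `ts` column in this analyzer.log baseline keeps the raw timestamp `1673270800.189652`, while the neighbouring conn.log and ldap.log baselines in the same change have it masked as `XXXXXXXXXX.XXXXXX`. Unless this test deliberately runs btest-diff without the timestamp canonifier, it is worth normalising the same way so the baseline does not churn if the pcap is ever re-captured and stays consistent with its siblings.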

View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54958 127.0.0.1 5432 -

View file

@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54906 127.0.0.1 5432 -

View file

@ -0,0 +1,483 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
XXXXXXXXXX.XXXXXX PostgreSQL::ssl_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 613.140106 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX analyzer_confirmation_info
[0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_POSTGRESQL
[1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=3, num_bytes_ip=172, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 382.205963 usecs, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}], f=<uninitialized>, aid=3]
XXXXXXXXXX.XXXXXX PostgreSQL::ssl_reply
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=3, num_bytes_ip=172, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 382.205963 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = N
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = user
[2] value: string = zeek
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = database
[2] value: string = zeek
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = application_name
[2] value: string = psql
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = client_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::startup_message
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] major: count = 3
[2] minor: count = 0
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=5, num_bytes_ip=352, flow_label=0, l2_addr=<uninitialized>], resp=[size=25, state=4, num_pkts=4, num_bytes_ip=217, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=5.0 msecs 738.019943 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 10
[2] data: string = SCRAM-SHA-256\x00\x00
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=6, num_bytes_ip=404, flow_label=0, l2_addr=<uninitialized>], resp=[size=25, state=4, num_pkts=5, num_bytes_ip=293, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 98.031998 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=7, num_bytes_ip=511, flow_label=0, l2_addr=<uninitialized>], resp=[size=118, state=4, num_pkts=6, num_bytes_ip=345, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 646.156311 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 11
[2] data: string = r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,s=+CteaSWwgyiphFuGGX5BiA==,i=4096
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=8, num_bytes_ip=563, flow_label=0, l2_addr=<uninitialized>], resp=[size=118, state=4, num_pkts=7, num_bytes_ip=490, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 935.058594 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = c=biws,r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,p=dyDbm15UroGE6wwsbEqiKmSYJNRf50RC/KK2ULYhR4M=
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 12
[2] data: string = v=0jpq9fPJQZCGXFdlCjQTGro71zmbxS/ENeTsnR2nWp4=
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_ok
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = application_name
[2] value: string = psql
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = client_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = DateStyle
[2] value: string = ISO, MDY
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = default_transaction_read_only
[2] value: string = off
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = in_hot_standby
[2] value: string = off
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = integer_datetimes
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = IntervalStyle
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = is_superuser
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = server_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = server_version
[2] value: string = 14.5 (Debian 14.5-1.pgdg110+1)
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = session_authorization
[2] value: string = zeek
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = standard_conforming_strings
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = TimeZone
[2] value: string = Etc/UTC
XXXXXXXXXX.XXXXXX PostgreSQL::backend_key_data
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] process_id: count = 96
[2] secret_key: count = 590994220
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=10, num_bytes_ip=776, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=9, num_bytes_ip=1059, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=25.0 msecs 581.121445 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = select now()
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = T
[3] chunk: string = \x00\x01now\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\xa0\x00\x08\xff\xff\xff\xff\x00\x00
XXXXXXXXXX.XXXXXX PostgreSQL::data_row
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] column_values: count = 1
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = C
[3] chunk: string = SELECT 1\x00
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::terminate
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=271, state=4, num_pkts=12, num_bytes_ip=898, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=11, num_bytes_ip=1252, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=27.0 msecs 49.064636 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = user
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = database
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = application_name
[2] value: string = psql
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = client_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX analyzer_confirmation_info
[0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_POSTGRESQL
[1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}], f=<uninitialized>, aid=3]
XXXXXXXXXX.XXXXXX PostgreSQL::startup_message
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] major: count = 3
[2] minor: count = 0
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=3, num_bytes_ip=248, flow_label=0, l2_addr=<uninitialized>], resp=[size=24, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 885.890961 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 10
[2] data: string = SCRAM-SHA-256\x00\x00
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=4, num_bytes_ip=300, flow_label=0, l2_addr=<uninitialized>], resp=[size=24, state=4, num_pkts=3, num_bytes_ip=188, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 msecs 925.872803 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=TwGbAdrgxcvfe7FNe0iWJfSf
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=5, num_bytes_ip=407, flow_label=0, l2_addr=<uninitialized>], resp=[size=117, state=4, num_pkts=3, num_bytes_ip=188, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 165.006638 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 11
[2] data: string = r=TwGbAdrgxcvfe7FNe0iWJfSf3mBBWw9W0eciRd2Pkg2/HIB1,s=iKUi26lwqA6spIkddhe7hw==,i=4096
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=5, num_bytes_ip=407, flow_label=0, l2_addr=<uninitialized>], resp=[size=117, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=5.0 msecs 603.790283 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = c=biws,r=TwGbAdrgxcvfe7FNe0iWJfSf3mBBWw9W0eciRd2Pkg2/HIB1,p=Y0VuiVVs4GDpPeMPkQcE0ADRvkq3Njc1mpCIrK1m/1Q=
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 12
[2] data: string = v=na9OnyjI3MkvsAm3C8I8BoeiU4I6QL3HPaMCcLTOgfA=
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_ok
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = in_hot_standby
[2] value: string = off
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = integer_datetimes
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = TimeZone
[2] value: string = Etc/UTC
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = IntervalStyle
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = is_superuser
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = application_name
[2] value: string = psql
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = default_transaction_read_only
[2] value: string = off
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = scram_iterations
[2] value: string = 4096
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = DateStyle
[2] value: string = ISO, MDY
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = standard_conforming_strings
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = session_authorization
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = client_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = server_version
[2] value: string = 16.4 (Debian 16.4-1.pgdg120+1)
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = server_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::backend_key_data
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] process_id: count = 876
[2] secret_key: count = 4268530428
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 889.820099 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = DROP TABLE IF EXISTS t;
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = S
[2] value: string = NOTICE
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = V
[2] value: string = NOTICE
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = C
[2] value: string = 00000
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = M
[2] value: string = table "t" does not exist, skipping
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = F
[2] value: string = tablecmds.c
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = L
[2] value: string = 1300
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = R
[2] value: string = DropErrorMsgNonExistent
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = C
[3] chunk: string = DROP TABLE\x00
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 164.001465 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time);
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 630.836487 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = C
[3] chunk: string = CREATE TABLE\x00
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 630.836487 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 734.786987 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = INSERT INTO t VALUES (now(), now(), now());
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = S
[2] value: string = ERROR
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = V
[2] value: string = ERROR
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = C
[2] value: string = 42804
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = M
[2] value: string = column "i" is of type integer but expression is of type timestamp with time zone
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = H
[2] value: string = You will need to rewrite or cast the expression.
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = P
[2] value: string = 23
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = F
[2] value: string = parse_target.c
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = L
[2] value: string = 586
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = R
[2] value: string = transformAssignedExpr
XXXXXXXXXX.XXXXXX PostgreSQL::error_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=21.0 msecs 95.991135 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = DROP TABLE t;
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 515.939713 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = C
[3] chunk: string = DROP TABLE\x00
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 515.939713 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 620.843887 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = DROP TABLE t;
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = S
[2] value: string = ERROR
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = V
[2] value: string = ERROR
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = C
[2] value: string = 42P01
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = M
[2] value: string = table "t" does not exist
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = F
[2] value: string = tablecmds.c
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = L
[2] value: string = 1294
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = R
[2] value: string = DropErrorMsgNonExistent
XXXXXXXXXX.XXXXXX PostgreSQL::error_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1106, state=4, num_pkts=10, num_bytes_ip=1628, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 727.893829 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::terminate
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=431, state=4, num_pkts=12, num_bytes_ip=1058, flow_label=0, l2_addr=<uninitialized>], resp=[size=1106, state=4, num_pkts=11, num_bytes_ip=1686, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 757.93457 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
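Review bot: every event in this baseline prints the full connection record (`[0] c: connection = [id=..., orig=[size=426, ..., num_bytes_ip=1006, ...], ...]`), so any change to byte accounting or to the `connection` record fields will churn every line here even when the analyzer itself is unchanged; printing `c$uid` next to the event's own parameters would keep the baseline focused on what the test checks. Also visible here: the CommandComplete message (`typ: string = C`, `chunk: string = DROP TABLE\x00`) reaches script-land only through `PostgreSQL::not_implemented`, so the command tag is not available to a dedicated event yet.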


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
1362692526.939527 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 141.142.228.5 59856 192.150.187.43 5432 unsupported PostgreSQL major version 12132 (...) GET /download/CHANGES.bro-aux.txt HTTP/1
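Review bot: the `ts` column in this analyzer.log baseline keeps the raw timestamp (`1362692526.939527`) while the conn.log baseline for the same trace canonifies it to `XXXXXXXXXX.XXXXXX`; unless the test deliberately runs analyzer.log through a different canonifier, apply the same one so both baselines follow one convention. The row itself is a good regression check: an HTTP request (`GET /download/CHANGES.bro-aux.txt HTTP/1`) sent to port 5432 trips the major-version check (`unsupported PostgreSQL major version 12132`) and the analyzer is removed, consistent with conn.log showing service `-` for that connection.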


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 5432 ShADadFf -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
1723562242.888659 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 43330 127.0.0.1 5432 unsupported PostgreSQL major version 3490 (...) \xf4\x00\x00\x01\x0d\xa2\x1b\x18\x00\x00\x00@\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root
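Review bot: same timestamp canonification question as the previous analyzer.log baseline (`1723562242.888659` here versus `XXXXXXXXXX.XXXXXX` in the matching conn.log). Note also that `failure_data` carries the first bytes of the foreign client's message verbatim, here ending in the string `root`; that is handy for triage, but it means analyzer.log can contain client login data from whatever non-PostgreSQL protocol was spoken on port 5432, which deserves a sentence in the log documentation.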


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 43330 127.0.0.1 5432 ShAdDaFf -


@ -0,0 +1,14 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
parameter_status, ClEkJM2Vm5giqnMf4h, application_name, psql
parameter_status, ClEkJM2Vm5giqnMf4h, client_encoding, UTF8
parameter_status, ClEkJM2Vm5giqnMf4h, DateStyle, ISO, MDY
parameter_status, ClEkJM2Vm5giqnMf4h, default_transaction_read_only, off
parameter_status, ClEkJM2Vm5giqnMf4h, in_hot_standby, off
parameter_status, ClEkJM2Vm5giqnMf4h, integer_datetimes, on
parameter_status, ClEkJM2Vm5giqnMf4h, IntervalStyle, postgres
parameter_status, ClEkJM2Vm5giqnMf4h, is_superuser, on
parameter_status, ClEkJM2Vm5giqnMf4h, server_encoding, UTF8
parameter_status, ClEkJM2Vm5giqnMf4h, server_version, 14.5 (Debian 14.5-1.pgdg110+1)
parameter_status, ClEkJM2Vm5giqnMf4h, session_authorization, zeek
parameter_status, ClEkJM2Vm5giqnMf4h, standard_conforming_strings, on
parameter_status, ClEkJM2Vm5giqnMf4h, TimeZone, Etc/UTC
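Review bot: `parameter_status, ClEkJM2Vm5giqnMf4h, DateStyle, ISO, MDY` shows that the test's `, `-joined output becomes ambiguous once a server value contains a comma (`ISO, MDY` is a single DateStyle value, not two fields). It only affects readability of a baseline, but a separator that cannot occur in parameter values, a tab for instance, would make the baseline self-describing.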


@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
authentication_request, CHhAvVGS1DHFjwGM9, 10, SCRAM-SHA-256\x00\x00
authentication_response, CHhAvVGS1DHFjwGM9, SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi
authentication_request, CHhAvVGS1DHFjwGM9, 11, r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,s=+CteaSWwgyiphFuGGX5BiA==,i=4096
authentication_response, CHhAvVGS1DHFjwGM9, c=biws,r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,p=dyDbm15UroGE6wwsbEqiKmSYJNRf50RC/KK2ULYhR4M=
authentication_request, CHhAvVGS1DHFjwGM9, 12, v=0jpq9fPJQZCGXFdlCjQTGro71zmbxS/ENeTsnR2nWp4=
authentication_ok, CHhAvVGS1DHFjwGM9
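Review bot: the first `authentication_response` value is the raw SASLInitialResponse payload rather than the SCRAM message: `SCRAM-SHA-256\x00` is the NUL-terminated mechanism name, `\x00\x00\x00 ` is the int32 length 32 (0x20), and only then comes the 32-byte client-first-message `n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi`. The later `authentication_response` (`c=biws,r=...,p=...`) is passed through without such a prefix, so consumers get two different shapes from the same event; parsing SASLInitialResponse in the analyzer and handing script-land the mechanism and the client-first-message separately would make the event uniform and avoid NUL bytes in the string.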


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 postgresql


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql startup - auth_ok MD5Password T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql simple_query select now() - - T 1
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql terminate - - - - -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 postgresql


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql startup - auth_ok MD5Password T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql simple_query select now() - - T 1
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql terminate - - - - -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 ssl,postgresql


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 - - - ssl_request - ssl_reply S T -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 database-1.cyx4x7yvdoay.us-east-1.rds.amazonaws.com


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 ssl,postgresql


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 - - - ssl_request - ssl_reply S T -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 database-1.cyx4x7yvdoay.us-east-1.rds.amazonaws.com


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgresql


@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql startup - auth_ok SASL,SASLContinue,SASLFinal T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE IF EXISTS t; - SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,Line=1300,Routine=DropErrorMsgNonExistent T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time); - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (42, 'forty-two', now()); - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (86, 'eighty-six', now()); - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query SELECT * from t; - - T 2
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DELETE FROM t; - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql terminate - - - - -
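Review bot: the `backend_arg` column joins the NOTICE fields with commas (`SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,...`), but the `Message` value itself contains a comma (`does not exist, skipping`), so a consumer splitting on `,` cannot recover the fields. Either escape the separator, or log the error/notice fields as a `set[string]`/`vector of string` column so the writer handles quoting.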


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgresql


@ -0,0 +1,9 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql startup - auth_ok SASL,SASLContinue,SASLFinal T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE IF EXISTS t; - SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,Line=1300,Routine=DropErrorMsgNonExistent T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time); - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (now(), now(), now()); error SeverityLocalized=ERROR,Severity=ERROR,Code=42804,Message=column "i" is of type integer but expression is of type timestamp with time zone,Hint=You will need to rewrite or cast the expression.,Position=23,File=parse_target.c,Line=586,Routine=transformAssignedExpr F -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; error SeverityLocalized=ERROR,Severity=ERROR,Code=42P01,Message=table "t" does not exist,File=tablecmds.c,Line=1294,Routine=DropErrorMsgNonExistent F -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql terminate - - - - -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51732 127.0.0.1 5432 postgresql


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51732 127.0.0.1 5432 postgres postgres psql startup - auth_request,auth_request,error SASL,SASLContinue,SeverityLocalized=FATAL,Severity=FATAL,Code=28P01,Message=password authentication failed for user "postgres",File=auth.c,Line=323,Routine=auth_failed F -
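Review bot: with `backend` = `auth_request,auth_request,error` and `backend_arg` = `SASL,SASLContinue,SeverityLocalized=FATAL,Severity=FATAL,Code=28P01,...`, the two columns are no longer positionally aligned, because the single `error` entry expands into several comma-separated key=value pairs in `backend_arg`; a reader cannot tell where the third argument starts. Keeping one argument per `backend` entry (or a separate error column) would fix that. On the positive side, this row is exactly what a detection for password guessing needs: `success` F together with `Code=28P01` (`password authentication failed for user "postgres"`) identifies a failed login without parsing the message text.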


@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 37268 127.0.0.1 5432 postgresql
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 postgresql


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 zeek zeek psql startup - auth_ok SASL,SASLContinue,SASLFinal T -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 zeek zeek psql terminate - - - - -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 37268 127.0.0.1 5432 zeek zeek psql startup - auth_request SASL - -
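Review bot: the row for `CHhAvVGS1DHFjwGM9` (startup that only got as far as `auth_request SASL`) is written after both rows of the later connection `ClEkJM2Vm5giqnMf4h`, so the incomplete startup is evidently flushed at connection removal rather than when the exchange stalls; that is fine but should be documented, as should the fact that such a row has `success` `-` rather than `F`, since a `success != T` filter would otherwise lump never-completed and failed authentications together.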


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 postgresql


@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 - - - ssl_request - ssl_reply N F -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql startup - auth_ok SASL,SASLContinue,SASLFinal T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql simple_query select now() - - T 1
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql terminate - - - - -
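Review bot: this baseline captures the plaintext fallback case worth calling out in the documentation: the `ssl_request` row has `backend_arg` `N` and `success` F, and the same uid then continues with a cleartext `startup`, SASL authentication and `select now()`. A `ssl_request` row with `N` followed by a `startup` row on the same uid is the pattern an operator would alert on for clients that silently downgrade when the server declines TLS.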


@ -0,0 +1,9 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
startup_parameter, CHhAvVGS1DHFjwGM9, user, zeek
startup_parameter, CHhAvVGS1DHFjwGM9, database, zeek
startup_parameter, CHhAvVGS1DHFjwGM9, application_name, psql
startup_parameter, CHhAvVGS1DHFjwGM9, client_encoding, UTF8
startup_parameter, ClEkJM2Vm5giqnMf4h, user, zeek
startup_parameter, ClEkJM2Vm5giqnMf4h, database, zeek
startup_parameter, ClEkJM2Vm5giqnMf4h, application_name, psql
startup_parameter, ClEkJM2Vm5giqnMf4h, client_encoding, UTF8


@ -21,3 +21,11 @@ Trace Index/Sources:
- ldap/ctu-sme-11-win7ad-1-ldap-tcp-50041.pcap: Harvested from CTU-SME-11
(Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 389 and port 50041.
https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- ldap/ldap_invalid_credentials.pcap
Provided by Martin van Hensbergen in issue #3919.
- dns/tkey.pcap: Harvested from CTU-SME-11
(Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
- dns/dynamic-update.pcap: : Harvested from CTU-SME-11
(Experiment-VM-Microsoft-Windows7AD-1) dataset, filtering on tcp port 53.
https://zenodo.org/records/7958259 (DOI 10.5281/zenodo.7958258).
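Review bot: duplicated colon in `- dns/dynamic-update.pcap: : Harvested from CTU-SME-11`; drop one so it matches `- dns/tkey.pcap: Harvested from CTU-SME-11`. The `ldap/ldap_invalid_credentials.pcap` entry is also the only one without the `:` after the file name; adding it keeps the index consistent.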

Binary file not shown.

Binary file not shown.

Binary file not shown.
