From 85ca59484bef3de04c74c619665009f056b2b327 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 4 Sep 2024 16:59:30 +0200 Subject: [PATCH 1/2] postgresql: Initial parser implementation This adds a protocol parser for the PostgreSQL protocol and a new postgresql.log similar to the existing mysql.log. This should be considered preliminary and hopefully during 7.1 and 7.2 with feedback from the community, we can improve on the events and logs. Even if most PostgreSQL communication is encrypted in the real-world, this will minimally allow monitoring of the SSLRequest and hand off further analysis to the SSL analyzer. This originates from github.com/awelzel/spicy-postgresql, with lots of polishing happening in the past two days. --- NEWS | 16 + scripts/base/init-default.zeek | 1 + .../base/protocols/postgresql/__load__.zeek | 6 + scripts/base/protocols/postgresql/consts.zeek | 37 ++ scripts/base/protocols/postgresql/dpd.sig | 29 ++ scripts/base/protocols/postgresql/main.zeek | 245 +++++++++ .../protocols/postgresql/spicy-events.zeek | 147 ++++++ src/analyzer/protocol/CMakeLists.txt | 1 + .../protocol/postgresql/CMakeLists.txt | 5 + .../protocol/postgresql/postgresql.evt | 42 ++ .../protocol/postgresql/postgresql.spicy | 337 ++++++++++++ .../protocol/postgresql/postgresql_zeek.spicy | 43 ++ .../Baseline/core.print-bpf-filters/output2 | 9 +- .../canonified_loaded_scripts.log | 4 + .../btest/Baseline/coverage.find-bro-logs/out | 1 + .../coverage.record-fields/out.default | 29 ++ .../scripts.base.files.x509.files/files.log | 12 +- .../analyzer.cut | 3 + .../conn.cut | 3 + .../conn.cut | 3 + .../output | 483 ++++++++++++++++++ .../analyzer.cut | 3 + .../conn.cut | 3 + .../analyzer.cut | 3 + .../conn.cut | 3 + .../output | 14 + .../output | 7 + .../conn.cut | 3 + .../postgresql.cut | 5 + .../conn.cut | 3 + .../postgresql.cut | 5 + .../conn.cut | 3 + .../postgresql.cut | 3 + .../ssl.cut | 3 + .../conn.cut | 3 + .../postgresql.cut | 3 + .../ssl.cut | 3 + .../conn.cut | 3 + .../postgresql.cut | 11 + .../conn.cut | 3 + .../postgresql.cut | 9 + .../conn.cut | 3 + .../postgresql.cut | 3 + .../conn.cut | 4 + .../postgresql.cut | 5 + .../conn.cut | 3 + .../postgresql.cut | 6 + .../output | 9 + .../postgresql/bad-backend-message-1.pcap | Bin 0 -> 722 bytes .../postgresql/bad-startup-message-1.pcap | Bin 0 -> 739 bytes .../Traces/postgresql/http-on-port-5432.pcap | Bin 0 -> 6335 bytes .../Traces/postgresql/mysql-on-port-5432.pcap | Bin 0 -> 3034 bytes .../psql-aws-ssl-disable-15432.pcap | Bin 0 -> 1994 bytes .../postgresql/psql-aws-ssl-disable.pcap | Bin 0 -> 1994 bytes .../postgresql/psql-aws-ssl-preferred.pcap | Bin 0 -> 7676 bytes .../psql-aws-ssl-require-15432.pcap | Bin 0 -> 7804 bytes .../postgresql/psql-aws-ssl-require.pcap | Bin 0 -> 7804 bytes ...psql-create-insert-select-delete-drop.pcap | Bin 0 -> 3959 bytes .../psql-insert-fail-drop-fail.pcap | Bin 0 -> 3791 bytes .../Traces/postgresql/psql-login-fail.pcap | Bin 0 -> 1658 bytes .../postgresql/psql-login-no-sslrequest.pcap | Bin 0 -> 3443 bytes .../Traces/postgresql/psql-login-wrong.pcap | Bin 0 -> 2311 bytes .../btest/Traces/postgresql/psql-login.pcap | Bin 0 -> 2429 bytes .../Traces/postgresql/psql-select-now.pcap | Bin 0 -> 3197 bytes .../protocols/postgresql/availability.zeek | 4 + .../postgresql/bad-backend-message.zeek | 13 + .../postgresql/bad-startup-message.zeek | 11 + .../protocols/postgresql/dump-events.zeek | 17 + .../postgresql/http-on-port-5432.zeek | 13 + .../postgresql/mysql-on-port-5432.zeek | 13 + .../postgresql/parameter-status.zeek | 12 + .../base/protocols/postgresql/psql-auth.zeek | 20 + .../psql-aws-ssl-disable-15432.zeek | 12 + .../postgresql/psql-aws-ssl-disable.zeek | 14 + .../psql-aws-ssl-require-15432.zeek | 15 + .../postgresql/psql-aws-ssl-require.zeek | 15 + .../postgresql/psql-create-insert-select.zeek | 12 + .../psql-insert-fail-drop-fail.zeek | 12 + .../protocols/postgresql/psql-login-fail.zeek | 12 + .../postgresql/psql-login-no-sslrequest.zeek | 12 + .../protocols/postgresql/psql-select-now.zeek | 12 + .../postgresql/startup-parameter.zeek | 12 + 82 files changed, 1803 insertions(+), 10 deletions(-) create mode 100644 scripts/base/protocols/postgresql/__load__.zeek create mode 100644 scripts/base/protocols/postgresql/consts.zeek create mode 100644 scripts/base/protocols/postgresql/dpd.sig create mode 100644 scripts/base/protocols/postgresql/main.zeek create mode 100644 scripts/base/protocols/postgresql/spicy-events.zeek create mode 100644 src/analyzer/protocol/postgresql/CMakeLists.txt create mode 100644 src/analyzer/protocol/postgresql/postgresql.evt create mode 100644 src/analyzer/protocol/postgresql/postgresql.spicy create mode 100644 src/analyzer/protocol/postgresql/postgresql_zeek.spicy create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.bad-startup-message/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.dump-events/output create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/analyzer.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/analyzer.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.parameter-status/output create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-auth/output create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/ssl.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/ssl.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/conn.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/postgresql.cut create mode 100644 testing/btest/Baseline/scripts.base.protocols.postgresql.startup-parameter/output create mode 100644 testing/btest/Traces/postgresql/bad-backend-message-1.pcap create mode 100644 testing/btest/Traces/postgresql/bad-startup-message-1.pcap create mode 100644 testing/btest/Traces/postgresql/http-on-port-5432.pcap create mode 100644 testing/btest/Traces/postgresql/mysql-on-port-5432.pcap create mode 100644 testing/btest/Traces/postgresql/psql-aws-ssl-disable-15432.pcap create mode 100644 testing/btest/Traces/postgresql/psql-aws-ssl-disable.pcap create mode 100644 testing/btest/Traces/postgresql/psql-aws-ssl-preferred.pcap create mode 100644 testing/btest/Traces/postgresql/psql-aws-ssl-require-15432.pcap create mode 100644 testing/btest/Traces/postgresql/psql-aws-ssl-require.pcap create mode 100644 testing/btest/Traces/postgresql/psql-create-insert-select-delete-drop.pcap create mode 100644 testing/btest/Traces/postgresql/psql-insert-fail-drop-fail.pcap create mode 100644 testing/btest/Traces/postgresql/psql-login-fail.pcap create mode 100644 testing/btest/Traces/postgresql/psql-login-no-sslrequest.pcap create mode 100644 testing/btest/Traces/postgresql/psql-login-wrong.pcap create mode 100644 testing/btest/Traces/postgresql/psql-login.pcap create mode 100644 testing/btest/Traces/postgresql/psql-select-now.pcap create mode 100644 testing/btest/scripts/base/protocols/postgresql/availability.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/bad-backend-message.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/bad-startup-message.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/dump-events.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek create mode 100644 testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek diff --git a/NEWS b/NEWS index 497138927b..d9e7e2cd0d 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,22 @@ Breaking Changes New Functionality ----------------- +- Zeek now includes a PostgreSQL protocol analyzer. This analyzer is enabled + by default. The analyzer's events and its ``postgresql.log`` should be + considered preliminary and experimental until the arrival of Zeek's next + long-term-stable release (8.0). + + If you observe unusually high CPU consumption or other issues due to this + analyzer being enabled by default, the easiest way to disable it is via the + ``Analyzer::disabled_analyzers`` const as follows: + + redef Analyzer::disabled_analyzers += { + Analyzer::ANALYZER_POSTGRESQL, + }; + + If you observe PostgreSQL traffic in your environment, please provide feedback + about the analyzer and structure of the new log. + * The LDAP analyzer now supports handling of non-sealed GSS-API WRAP tokens. * StartTLS support was added to the LDAP analyzer. The SSL analyzer is enabled diff --git a/scripts/base/init-default.zeek b/scripts/base/init-default.zeek index 3c65158182..35c75875d2 100644 --- a/scripts/base/init-default.zeek +++ b/scripts/base/init-default.zeek @@ -67,6 +67,7 @@ @load base/protocols/ntlm @load base/protocols/ntp @load base/protocols/pop3 +@load base/protocols/postgresql @load base/protocols/quic @load base/protocols/radius @load base/protocols/rdp diff --git a/scripts/base/protocols/postgresql/__load__.zeek b/scripts/base/protocols/postgresql/__load__.zeek new file mode 100644 index 0000000000..06f9a2e4b5 --- /dev/null +++ b/scripts/base/protocols/postgresql/__load__.zeek @@ -0,0 +1,6 @@ +@if ( have_spicy_analyzers() ) +@load ./consts +@load ./spicy-events +@load ./main +@load-sigs ./dpd +@endif diff --git a/scripts/base/protocols/postgresql/consts.zeek b/scripts/base/protocols/postgresql/consts.zeek new file mode 100644 index 0000000000..03a8b23030 --- /dev/null +++ b/scripts/base/protocols/postgresql/consts.zeek @@ -0,0 +1,37 @@ +module PostgreSQL; + +export { + # https://www.postgresql.org/docs/current/protocol-error-fields.html + global error_ids: table[string] of string = { + ["S"] = "SeverityLocalized", + ["V"] = "Severity", # non-localized + ["C"] = "Code", + ["M"] = "Message", + ["D"] = "Detail", + ["H"] = "Hint", + ["P"] = "Position", + ["p"] = "InternalPosition", + ["q"] = "InternalQuery", + ["W"] = "Where", + ["s"] = "Schema", + ["t"] = "Table", + ["c"] = "Column", + ["d"] = "Data", + ["n"] = "Constraint", + ["F"] = "File", + ["L"] = "Line", + ["R"] = "Routine", + } &default=function(c: string): string { return fmt("UnknownErrorId%s", c); } &redef; + + global auth_ids: table[count] of string = { + [2] = "KerberosV5", + [3] = "CleartextPassword", + [5] = "MD5Password", + [7] = "GSSAPI", + [8] = "GSSAPIContinue", + [9] = "SSPI", + [10] = "SASL", + [11] = "SASLContinue", + [12] = "SASLFinal", + } &default=function(id: count): string { return fmt("UnknownAuthId%s", id); } &redef; +} diff --git a/scripts/base/protocols/postgresql/dpd.sig b/scripts/base/protocols/postgresql/dpd.sig new file mode 100644 index 0000000000..1bae4b0b6b --- /dev/null +++ b/scripts/base/protocols/postgresql/dpd.sig @@ -0,0 +1,29 @@ +# Enable the analyzer if we see the SSLRequest message and a S|N reply from the server. +signature dpd_postgresql_client_sslrequest { + ip-proto == tcp + payload /^\x00\x00\x00\x08\x04\xd2\x16\x2f/ +} + +signature dpd_postgresql_server_ssl_confirm { + requires-reverse-signature dpd_postgresql_client_sslrequest + payload /^[SN]/ + enable "PostgreSQL" +} + +signature dpd_postgresql_client_startup_3_x { + ip-proto == tcp + # 4 byte length, then protocol version major, minor (16bit each), + # then expect the "user\x00" parameter to follow. Not sure about + # other versions, but we likely wouldn't properly parse them anyway. + payload /^....\x00\x03\x00.{0,256}user\x00/ +} + +signature dpd_postgresql_server_any_response { + requires-reverse-signature dpd_postgresql_client_startup_3_x + + # One byte printable message type 4 bytes length. Assumes the first + # server message is not larger 64k(2^16) so match on \x00\x00 after + # the first byte. + payload /^[a-zA-Z0-9]\x00\x00../ + enable "PostgreSQL" +} diff --git a/scripts/base/protocols/postgresql/main.zeek b/scripts/base/protocols/postgresql/main.zeek new file mode 100644 index 0000000000..d7cc1cc45f --- /dev/null +++ b/scripts/base/protocols/postgresql/main.zeek @@ -0,0 +1,245 @@ +##! Implements base functionality for PostgreSQL analysis. + +@load ./consts +@load ./spicy-events + +@load base/protocols/conn/removal-hooks + +module PostgreSQL; + +export { + ## Log stream identifier. + redef enum Log::ID += { LOG }; + + type Version: record { + major: count; + minor: count; + }; + + ## Record type containing the column fields of the PostgreSQL log. + type Info: record { + ## Timestamp for when the activity happened. + ts: time &log; + ## Unique ID for the connection. + uid: string &log; + ## The connection's 4-tuple of endpoint addresses/ports. + id: conn_id &log; + + ## The user as found in the StartupMessage. + user: string &optional &log; + ## The database as found in the StartupMessage. + database: string &optional &log; + ## The application name as found in the StartupMessage. + application_name: string &optional &log; + + # The command or message from the frontend. + frontend: string &optional &log; + # Arguments for the command. + frontend_arg: string &optional &log; + # The reply from the backend. + backend: string &optional &log; + # Arguments for the reply from the backend. + backend_arg: string &optional &log; + + # Whether the login/query was successful. + success: bool &optional &log; + + # The number of rows returned or affectd. + rows: count &optional &log; + }; + + type State: record { + version: Version &optional; + user: string &optional; + database: string &optional; + application_name: string &optional; + rows: count &default=0; + errors: vector of string; + }; + + ## Default hook into PostgreSQL logging. + global log_postgresql: event(rec: Info); + + global finalize_postgresql: Conn::RemovalHook; + + global ports: set[port] = { 5432/tcp } &redef; +} + +redef record connection += { + postgresql: Info &optional; + postgresql_state: State &optional; +}; + +redef likely_server_ports += { ports }; + +event zeek_init() { + Analyzer::register_for_ports(Analyzer::ANALYZER_POSTGRESQL, ports); + + Log::create_stream(PostgreSQL::LOG, [$columns=Info, $ev=log_postgresql, $path="postgresql"]); +} + +hook set_session(c: connection) { + if ( ! c?$postgresql ) + c$postgresql = Info($ts=network_time(), $uid=c$uid, $id=c$id); + + if ( ! c?$postgresql_state ) { + c$postgresql_state = State(); + Conn::register_removal_hook(c, finalize_postgresql); + } +} + +function emit_log(c: connection) { + if ( ! c?$postgresql ) + return; + + if ( c$postgresql_state?$user ) + c$postgresql$user = c$postgresql_state$user; + + if ( c$postgresql_state?$database ) + c$postgresql$database = c$postgresql_state$database; + + if ( c$postgresql_state?$application_name ) + c$postgresql$application_name = c$postgresql_state$application_name; + + Log::write(PostgreSQL::LOG, c$postgresql); + delete c$postgresql; +} + +event PostgreSQL::ssl_request(c: connection) { + hook set_session(c); + + c$postgresql$frontend = "ssl_request"; +} + +event PostgreSQL::ssl_reply(c: connection, b: string) { + hook set_session(c); + + c$postgresql$backend = "ssl_reply"; + c$postgresql$backend_arg = b; + c$postgresql$success = b == "S"; + + emit_log(c); +} + +event PostgreSQL::startup_parameter(c: connection, name: string, value: string) { + hook set_session(c); + + if ( name == "user" ) { + c$postgresql_state$user = value; + } else if ( name == "database" ) { + c$postgresql_state$database = value; + } else if ( name== "application_name" ) { + c$postgresql_state$application_name = value; + } +} + +event PostgreSQL::startup_message(c: connection, major: count, minor: count) { + hook set_session(c); + + c$postgresql_state$version = Version($major=major, $minor=minor); + c$postgresql$frontend = "startup"; +} + +event PostgreSQL::error_response_identified_field(c: connection, code: string, value: string) { + hook set_session(c); + + local errors = c$postgresql_state$errors; + errors += fmt("%s=%s", error_ids[code], value); +} + +event PostgreSQL::notice_response_identified_field(c: connection, code: string, value: string) { + hook set_session(c); + + local notice = fmt("%s=%s", error_ids[code], value); + if ( c$postgresql?$backend_arg ) + c$postgresql$backend_arg += "," + notice; + else + c$postgresql$backend_arg = notice; +} + +event PostgreSQL::error_response(c: connection) { + hook set_session(c); + + if ( c$postgresql?$backend ) + c$postgresql$backend += ",error"; + else + c$postgresql$backend = "error"; + + local errors = join_string_vec(c$postgresql_state$errors, ","); + c$postgresql_state$errors = vector(); + + if ( c$postgresql?$backend_arg ) + c$postgresql$backend_arg += "," + errors; + else + c$postgresql$backend_arg = errors; + + c$postgresql$success = F; + + emit_log(c); +} + +event PostgreSQL::authentication_request(c: connection, identifier: count, data: string) { + hook set_session(c); + + if ( c$postgresql?$backend && ! ends_with(c$postgresql$backend, "auth") ) + c$postgresql$backend += ",auth_request"; + else + c$postgresql$backend = "auth_request"; + + if ( c$postgresql?$backend_arg ) + c$postgresql$backend_arg += "," + auth_ids[identifier]; + else + c$postgresql$backend_arg = auth_ids[identifier]; +} + +event PostgreSQL::authentication_ok(c: connection) { + hook set_session(c); + + c$postgresql$backend = "auth_ok"; + c$postgresql$success = T; + + emit_log(c); +} + +event PostgreSQL::terminate(c: connection) { + if ( c?$postgresql ) + emit_log(c); + + hook set_session(c); + c$postgresql$frontend = "terminate"; + emit_log(c); +} + +event PostgreSQL::simple_query(c: connection, query: string) { + if ( c?$postgresql ) + emit_log(c); + + hook set_session(c); + + c$postgresql$frontend = "simple_query"; + c$postgresql$frontend_arg = query; + c$postgresql_state$rows = 0; +} + +event PostgreSQL::data_row(c: connection, column_values: count) { + hook set_session(c); + + ++c$postgresql_state$rows; +} + +event PostgreSQL::ready_for_query(c: connection, transaction_status: string) { + # Log a query (if there was one). + if ( ! c?$postgresql ) + return; + + # If no one said otherwise, the last action was successful. + if ( ! c$postgresql?$success ) + c$postgresql$success = transaction_status == "I" || transaction_status == "T"; + + c$postgresql$rows = c$postgresql_state$rows; + emit_log(c); +} + +hook finalize_postgresql(c: connection) &priority=-5 { + emit_log(c); +} diff --git a/scripts/base/protocols/postgresql/spicy-events.zeek b/scripts/base/protocols/postgresql/spicy-events.zeek new file mode 100644 index 0000000000..0c48c2bfe2 --- /dev/null +++ b/scripts/base/protocols/postgresql/spicy-events.zeek @@ -0,0 +1,147 @@ +##! Events generated by the PostgreSQL analyzer. + +## Event generated for frontend SSLRequest messages. +## +## c: The connection. +global PostgreSQL::ssl_request: event(c: connection); + +## Event generated for backend SSL reply. +## +## c: The connection. +## +## data: The server's reply: S for secure, N for unencrypted. +global PostgreSQL::ssl_reply: event(c: connection, data: string); + +## Event generated for backend authentication requests. +## +## c: The connection. +## +## identifier: The identifier in the request. +## +## data: The request data, if any. +## +## .. zeek:see:: PostgreSQL::authentication_response +## .. zeek:see:: PostgreSQL::authentication_ok +global PostgreSQL::authentication_request: event(c: connection, identifier: count, data: string); + +## Event generated for backend authentication requests indicating successful +## authentication. +## +## c: The connection. +## +## .. zeek:see:: PostgreSQL::authentication_request +## .. zeek:see:: PostgreSQL::authentication_response +global PostgreSQL::authentication_ok: event(c: connection); + +## Event generated for frontend authentication responses. +## +## c: The connection. +## +## data: The response data, if any. +## +## .. zeek:see:: PostgreSQL::authentication_request +## .. zeek:see:: PostgreSQL::authentication_ok +global PostgreSQL::authentication_response: event(c: connection, data: string); + + +## Event generated for every parameter in a StartupMessage. +## +## c: The connection. +## +## name: The name of the parameter. +## +## value: The value of the parameter. +global PostgreSQL::startup_parameter: event(c: connection, name: string, value: string); + +## Event generated for a StartupMessage. +## +## c: The connection. +## +## major: The major protocol version. +## +## minor: The minor protocol version. +global PostgreSQL::startup_message: event(c: connection, major: count, minor: count); + +## Event generated for every backed ReadyForQuery message. +## +## c: The connection. +## +## transaction_status: I (idle), T (in transaction block), E (error). +global PostgreSQL::ready_for_query: event(c: connection, transaction_status: string); + +## Event generated for every frontend SimpleQuery message. +## +## c: The connection. +## +## query: The query string. +global PostgreSQL::simple_query: event(c: connection, query: string); + +## Event generated for identified field within an ErrorResponse. +## +## c: The connection. +## +## code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html) +## +## value: The field value. +## +## .. zeek:see:: PostgreSQL::error_response +global PostgreSQL::error_response_identified_field: event(c: connection, code: string, value: string); + +## Event generated for a ErrorResponse. +## +## c: The connection. +## +## .. zeek:see:: PostgreSQL::error_response_identified_field +global PostgreSQL::error_response: event(c: connection); + +## Event generated for identified field within a NoticeResponse. +## +## c: The connection. +## +## code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html) +## +## value: The field value. +## +## .. zeek:see:: PostgreSQL::notice_response +global PostgreSQL::notice_response_identified_field: event(c: connection, code: string, value: string); + +## Event generated for a NoticeResponse. +## +## c: The connection. +## +## .. zeek:see:: PostgreSQL::notice_response_identified_field +global PostgreSQL::notice_response: event(c: connection); + +## Event generated for every backend DataRow message. +## +## c: The connection. +## +## column_values: The number of columns in this row. +global PostgreSQL::data_row: event(c: connection, column_values: count); + +## Event generated for backend runtime parameter status reports. +## +## c: The connection. +## +## name: The name of the runtime parameter. +## +## value: The current value of the parameter. +## +global PostgreSQL::parameter_status: event(c: connection, name: string, value: string); + +## Generated for a BackendKeyData message for cancellation. +## +## c: The connection. +## +## process_id: The process ID of the backend. +## +## secret_key: The secret key of the backend. +global PostgreSQL::backend_key_data: event(c: connection, process_id: count, secret_key: count); + +## Event generated For a frontend Terminate message. +## +## c: The connection. +global PostgreSQL::terminate: event(c: connection); + +## Event generated for not implemented messages. +global PostgreSQL::not_implemented: event(c: connection, is_orig: bool, typ: string, chunk: string); diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index 896c53b4e6..654b1bab03 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -28,6 +28,7 @@ add_subdirectory(ntlm) add_subdirectory(ntp) add_subdirectory(pia) add_subdirectory(pop3) +add_subdirectory(postgresql) add_subdirectory(quic) add_subdirectory(radius) add_subdirectory(rdp) diff --git a/src/analyzer/protocol/postgresql/CMakeLists.txt b/src/analyzer/protocol/postgresql/CMakeLists.txt new file mode 100644 index 0000000000..5b638e765f --- /dev/null +++ b/src/analyzer/protocol/postgresql/CMakeLists.txt @@ -0,0 +1,5 @@ +spicy_add_analyzer( + NAME PostgreSQL + PACKAGE_NAME spicy-postgresql + SOURCES postgresql.spicy postgresql.evt postgresql_zeek.spicy + MODULES PostgreSQL PostgreSQL_Zeek) diff --git a/src/analyzer/protocol/postgresql/postgresql.evt b/src/analyzer/protocol/postgresql/postgresql.evt new file mode 100644 index 0000000000..c01e6262e8 --- /dev/null +++ b/src/analyzer/protocol/postgresql/postgresql.evt @@ -0,0 +1,42 @@ +import PostgreSQL; +import PostgreSQL_Zeek; + +protocol analyzer PostgreSQL over TCP: + parse originator with PostgreSQL::FrontendMessages, + parse responder with PostgreSQL::BackendMessages; + +on PostgreSQL::NotImplemented -> event PostgreSQL::not_implemented($conn, $is_orig, ("%c" % typ), self.chunk); + +on PostgreSQL::AuthenticationRequest if ( self.identifier != 0 )-> event PostgreSQL::authentication_request($conn, self.identifier, self.data); + +on PostgreSQL::AuthenticationRequest if ( self.identifier == 0 ) -> event PostgreSQL::authentication_ok($conn); + +on PostgreSQL::AuthenticationResponse -> event PostgreSQL::authentication_response($conn, self.data); + +on PostgreSQL::FrontendMessages::ssl_request -> event PostgreSQL::ssl_request($conn); + +on PostgreSQL::MaybeBackendSSL::ssl_byte -> event PostgreSQL::ssl_reply($conn, ("%c" % self.ssl_byte)); + +on PostgreSQL::StartupParameter -> event PostgreSQL::startup_parameter($conn, self.name, self.value); + +on PostgreSQL::StartupMessage -> event PostgreSQL::startup_message($conn, self.version.major, self.version.minor); + +on PostgreSQL::ErrorIdentifiedField -> event PostgreSQL::error_response_identified_field($conn, ("%c" % self.code), self.value); + +on PostgreSQL::ErrorResponse -> event PostgreSQL::error_response($conn); + +on PostgreSQL::SimpleQuery -> event PostgreSQL::simple_query($conn, self.query); + +on PostgreSQL::ReadyForQuery -> event PostgreSQL::ready_for_query($conn, "%c" % self.transaction_status); + +on PostgreSQL::NoticeIdentifiedField -> event PostgreSQL::notice_response_identified_field($conn, ("%c" % self.code), self.value); + +on PostgreSQL::NoticeResponse -> event PostgreSQL::notice_response($conn); + +on PostgreSQL::Terminate -> event PostgreSQL::terminate($conn); + +on PostgreSQL::DataRow -> event PostgreSQL::data_row($conn, self.column_values); + +on PostgreSQL::ParameterStatus -> event PostgreSQL::parameter_status($conn, self.name, self.value); + +on PostgreSQL::BackendKeyData -> event PostgreSQL::backend_key_data($conn, self.process_id, self.secret_key); diff --git a/src/analyzer/protocol/postgresql/postgresql.spicy b/src/analyzer/protocol/postgresql/postgresql.spicy new file mode 100644 index 0000000000..897723b7aa --- /dev/null +++ b/src/analyzer/protocol/postgresql/postgresql.spicy @@ -0,0 +1,337 @@ +# A PostgreSQL analyzer. +# +# https://www.postgresql.org/docs/current/protocol.html +# +# Protocol version 3.0 + +module PostgreSQL; + +import spicy; + +type SSLFrontendState = enum { + Requested, + NotRequested, +}; + +type SSLBackendState = enum { + S, + N, +}; + +# How many chunks to buffer initially when seeing a backend message +# before a frontend or vice versa. +const MAX_BUFFERED = 4; + +# When a connection switches to SSL, this consumes all the SSL chunks. +# In zeek_postgres.spicy, SSLSink%init calls zeek::protocol_begin() and +# then zeek::protocol_data_in() +# +# There's a single SSLSink shared between backend and frontend. +type SSLSink = unit { + chunk: bytes &chunked &eod; +}; + +# Used as context for synchronization between frontend/backend. +type Context = struct { + ssl_frontend_state: SSLFrontendState; + ssl_backend_state: SSLBackendState; + ssl_sink: sink&; + ssl_sink_connected: bool; +}; + +type ProtocolVersion = unit { + major: uint16; + minor: uint16; +}; + +type StartupParameter = unit { + name: /[-_\/A-Za-z0-9]+/ &requires=(|$$| > 0); + : uint8 &requires=($$ == 0); + value: /[\x20-\x7e]+/ &requires=(|$$| > 0); + : uint8 &requires=($$ == 0); +}; + +type StartupMessage = unit { + length: uint32 &requires=(self.length >= 9); + version: ProtocolVersion &requires=($$.major == 3); + parameters: StartupParameter[] &size=self.length - 9; + : skip b"\x00"; +}; + +# Top-level entry for the client. +public type FrontendMessages = unit { + %context = Context; + on %init { + # Until the first FrontendMessages are initialized, ssl_sink in the + # context is a Null reference. Also, we want to use a single sink + # for both, frontend and backend by calling beg + self.context().ssl_sink = self.s1; + } + + var buffered: vector; + var s1_connected: bool; + var ssl_requested: bool; + sink s1; + + # Peek at the client data. + length: uint32 &requires=(self.length >= 8); + version_or_magic: uint32 { + self.ssl_requested = self.length == 8 && $$ == 80877103; + + if (self.ssl_requested) { + self.context().ssl_frontend_state = SSLFrontendState::Requested; + } else { + self.context().ssl_frontend_state = SSLFrontendState::NotRequested; + self.context().ssl_backend_state = SSLBackendState::N; + + # Pre-check the supported major version here. + local major = $$ >> 16; + if (major != 3) + throw "unsupported PostgreSQL major version %s" % major; + + # Put length and version back into the buffer so PlainFrontendMessages + # can re-parse it. + # + # This explicitly avoids using random access functionality like + # `self.input()` and `self.set_input()` which would disable automatic + # trimming in this unit (which is top-level unit parsing unbounded + # amounts of data). + self.buffered.push_back(pack(self.length, spicy::ByteOrder::Network)); + self.buffered.push_back(pack(self.version_or_magic, spicy::ByteOrder::Network)); + } + } + + # void field for raising an event. + ssl_request: void if(self.ssl_requested == True); + + # print "frontend ssl", self.context(); + + # If the client requested SSL, we do not know how to continue parsing + # until the server confirmed SSL usage via 'S' or 'N' responses. As long + # as it hasn't responded, stall the parsing here and buffer bytes until + # the context() is populated. + # + # In normal operations, Zeek should see the server's response before + # attempting to parse more data, but Robin was concerned it that in + # some circumstances (out-of-order packets, reassembly artifacts) we + # may see the client's data before the server's. + # + # In the future, barrier: https://github.com/zeek/spicy/pull/1373 + : bytes &chunked &eod { + if (!self.context().ssl_backend_state) { + self.buffered.push_back($$); + + if (|self.buffered| > MAX_BUFFERED) + throw "too many frontend messages buffered"; + } else { + # print "frontend ssl_state backend set!", self.context(); + if (!self.s1_connected) { + if (self.context().ssl_backend_state == SSLBackendState::S) { + if (!self.context().ssl_sink_connected) { + self.context().ssl_sink.connect(new SSLSink()); + self.context().ssl_sink_connected = True; + } + } else { + # print "connecting plain frontend messages"; + self.s1.connect(new PlainFrontendMessages()); + } + + self.s1_connected = True; + + if (|self.buffered| > 0) { + for (b in self.buffered) + self.s1.write(b); + } + + self.buffered.resize(0); + } + + self.s1.write($$); + } + } +}; + +type PlainFrontendMessages = unit { + startup_message: StartupMessage; + : FrontendMessage[]; +}; + +type FrontendMessage = unit { + typ: uint8; + length: uint32 &requires=(self.length >= 4); + + switch (self.typ) { + 'p' -> : AuthenticationResponse; + 'X' -> : Terminate; + 'Q' -> : SimpleQuery; + * -> not_implemented: NotImplemented(self.typ); + } &size=self.length - 4; +}; + +type AuthenticationResponse = unit { + # This is PasswordMessage, SASLInitialMessage, etc. based on context. + # For now, just thread it through. + data: bytes &eod; +}; + +type Terminate = unit {}; + +type SimpleQuery = unit { + query: bytes &until=b"\x00"; +}; + +# The client has requested SSL, the server either confirms (S) or +# stays in plaintext (N) mode. Depending on the result, we connect +# our sink to the SSL sink, or to a PlainBackendMessages unit. +# +type MaybeBackendSSL = unit(ctx: Context&) { + + # Connected SSL, or plaintext. + sink s1; + + ssl_byte: uint8 &requires=($$ == 'S' || $$ == 'N') { + # print "backend ssl_byte", $$; + if ($$ == 'S') { + ctx.ssl_backend_state = SSLBackendState::S; + if (!ctx.ssl_sink_connected) { + ctx.ssl_sink.connect(new SSLSink()); + ctx.ssl_sink_connected = True; + } + + # Share the SSL sink with the frontend. + self.s1 = ctx.ssl_sink; + } else { + ctx.ssl_backend_state = SSLBackendState::N; + self.s1.connect(new PlainBackendMessages()); + } + } + + # Now that s1 is connected, forward the rest of the connection to it. + : bytes &chunked &eod -> self.s1; +}; + +# Top-level entry for the server. +public type BackendMessages = unit { + %context = Context; + + var buffered: vector; + var s1_connected: bool; + sink s1; + + # Buffer until the SSL frontend state was populated. + : bytes &chunked &eod { + if (!self.context().ssl_frontend_state) { + # print "backend buffering ", |$$|; + self.buffered.push_back($$); + + if (|self.buffered| > MAX_BUFFERED) + throw "too many backend messages buffered"; + } else { + # The ssl_frontend_state has been set. If The client requested SSL, + # connect to an SSLMaybe instance. If it did not, connect + # directly to PlainBackendMessages. + # print "backend", self.context(), |self.buffered|, self.s1, self.s1_connected; + if (!self.s1_connected) { + + if (self.context().ssl_frontend_state == SSLFrontendState::Requested) { + self.s1.connect(new MaybeBackendSSL(self.context())); + } else { + self.s1.connect(new PlainBackendMessages()); + } + + self.s1_connected = True; + + if (|self.buffered| > 0) { + for (b in self.buffered) + self.s1.write(b); + } + self.buffered.resize(0); + } + + # print "backend writing to sink", $$, |self.s1|; + self.s1.write($$); + } + } +}; + +type PlainBackendMessages = unit { + : BackendMessage[]; +}; + +type BackendMessage = unit { + typ: uint8; + length: uint32 &requires=(self.length >= 4); + + switch (self.typ) { + 'K' -> backend_key_data: BackendKeyData; + 'E' -> error: ErrorResponse; + 'R' -> auth: AuthenticationRequest(self.length - 4); + 'S' -> parameter_status: ParameterStatus; + 'D' -> data_row: DataRow; + 'Z' -> ready_for_query: ReadyForQuery; + 'N' -> notice: NoticeResponse; + * -> not_implemented: NotImplemented(self.typ); + } &size=self.length - 4; +}; + +type ParameterStatus = unit { + name: /[-_\/A-Za-z0-9]+/ &requires=(|$$| > 0); + : uint8 &requires=($$ == 0); + value: /[\x20-\x7e]+/ &requires=(|$$| > 0); + : uint8 &requires=($$ == 0); +}; + +# Possible values are 'I' if idle (not in a transaction block); +# 'T' if in a transaction block; or 'E' if in a failed transaction block +# (queries will be rejected until block is ended). +type ReadyForQuery = unit { + transaction_status: uint8 &requires=($$ == 'I' || $$ == 'T' || $$ == 'E'); +}; + +type NoticeIdentifiedField = unit { + code: uint8; + value: bytes &until=b"\x00"; +}; + +type NoticeResponse = unit { + : NoticeIdentifiedField[]; + : skip b"\x00"; +}; + +# Just for counting right now. +type DataRow = unit { + column_values: uint16; + : skip bytes &eod; +}; + +# Fields with a 1 byte field as documented here: +# https://www.postgresql.org/docs/current/protocol-error-fields.html +type ErrorIdentifiedField = unit { + code: uint8; + value: bytes &until=b"\x00"; +}; + +type ErrorResponse = unit { + : ErrorIdentifiedField[]; + : skip b"\x00"; +}; + +type AuthenticationRequest = unit(length: uint32) { + identifier: uint32 &requires=($$ <= 12) { + if (self.identifier == 0 && length != 4) + throw "AuthenticationOK with wrong length: %s" % length; + } + + # There's more structure (GSS-API, SASL, cleartext), but for now + # just thread through the raw data. + data: bytes &eod; +}; + +type BackendKeyData = unit { + process_id: uint32; + secret_key: uint32; +}; + +type NotImplemented = unit(typ: uint8) { + chunk: bytes &eod; +}; diff --git a/src/analyzer/protocol/postgresql/postgresql_zeek.spicy b/src/analyzer/protocol/postgresql/postgresql_zeek.spicy new file mode 100644 index 0000000000..d6cb4425af --- /dev/null +++ b/src/analyzer/protocol/postgresql/postgresql_zeek.spicy @@ -0,0 +1,43 @@ +# Set up protocol confirmation/rejection for analyzers, as well as any further +# Zeek-specific analysis. + +module PostgreSQL_Zeek; + +import PostgreSQL; +import zeek; + +# If we see a client StartupMessage, that's pretty good. +on PostgreSQL::StartupMessage::%done { + zeek::confirm_protocol(); +} + +# If the server replied with an ssl_byte and we let it through, +# that's also pretty good. +on PostgreSQL::MaybeBackendSSL::ssl_byte { + zeek::confirm_protocol(); +} + +on PostgreSQL::SSLSink::%init { + zeek::protocol_begin("SSL"); +} + +on PostgreSQL::SSLSink::%done { + zeek::protocol_end(); +} + +on PostgreSQL::SSLSink::chunk { + # print "ssl_chunk", zeek::is_orig(), self; + zeek::protocol_data_in(zeek::is_orig(), self.chunk); +} + +on PostgreSQL::StartupMessage::%error(msg: string) { + zeek::reject_protocol("error while parsing PostgreSQL StartupMessage: %s" % msg); +} + +on PostgreSQL::FrontendMessage::%error(msg: string) { + zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg); +} + +on PostgreSQL::BackendMessage::%error(msg: string) { + zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg); +} diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 008e033114..aa3b0f8410 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -38,6 +38,7 @@ 2 53 1 5353 1 5355 +1 5432 1 563 1 585 1 587 @@ -65,8 +66,8 @@ 1 992 1 993 1 995 -74 and -73 or -74 port -46 tcp +75 and +74 or +75 port +47 tcp 28 udp diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 07dc32da6d..01b7a84395 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -435,6 +435,10 @@ scripts/base/init-default.zeek scripts/base/protocols/ntp/main.zeek scripts/base/protocols/ntp/consts.zeek scripts/base/protocols/pop3/__load__.zeek + scripts/base/protocols/postgresql/__load__.zeek + scripts/base/protocols/postgresql/consts.zeek + scripts/base/protocols/postgresql/spicy-events.zeek + scripts/base/protocols/postgresql/main.zeek scripts/base/protocols/quic/__load__.zeek scripts/base/protocols/quic/spicy-events.zeek scripts/base/protocols/quic/consts.zeek diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out index ad46a67218..942ef6e082 100644 --- a/testing/btest/Baseline/coverage.find-bro-logs/out +++ b/testing/btest/Baseline/coverage.find-bro-logs/out @@ -41,6 +41,7 @@ ocsp openflow packet_filter pe +postgresql print_log_path quic radius diff --git a/testing/btest/Baseline/coverage.record-fields/out.default b/testing/btest/Baseline/coverage.record-fields/out.default index 25aec2b3c8..21b8fde5b3 100644 --- a/testing/btest/Baseline/coverage.record-fields/out.default +++ b/testing/btest/Baseline/coverage.record-fields/out.default @@ -509,6 +509,35 @@ connection { * size: count, log=F, optional=F * state: count, log=F, optional=F } + * postgresql: record PostgreSQL::Info, log=F, optional=T + PostgreSQL::Info { + * application_name: string, log=T, optional=T + * backend: string, log=T, optional=T + * backend_arg: string, log=T, optional=T + * database: string, log=T, optional=T + * frontend: string, log=T, optional=T + * frontend_arg: string, log=T, optional=T + * id: record conn_id, log=T, optional=F + conn_id { ... } + * rows: count, log=T, optional=T + * success: bool, log=T, optional=T + * ts: time, log=T, optional=F + * uid: string, log=T, optional=F + * user: string, log=T, optional=T + } + * postgresql_state: record PostgreSQL::State, log=F, optional=T + PostgreSQL::State { + * application_name: string, log=F, optional=T + * database: string, log=F, optional=T + * errors: vector of string, log=F, optional=F + * rows: count, log=F, optional=T + * user: string, log=F, optional=T + * version: record PostgreSQL::Version, log=F, optional=T + PostgreSQL::Version { + * major: count, log=F, optional=F + * minor: count, log=F, optional=F + } + } * quic: record QUIC::Info, log=F, optional=T QUIC::Info { * client_initial_dcid: string, log=T, optional=T diff --git a/testing/btest/Baseline/scripts.base.files.x509.files/files.log b/testing/btest/Baseline/scripts.base.files.x509.files/files.log index ce19924fa1..e64dfc52c0 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.files/files.log +++ b/testing/btest/Baseline/scripts.base.files.x509.files/files.log @@ -7,10 +7,10 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string -XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 -XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d -XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 -XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 -XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d -XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 +XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 +XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d +XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 +XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 +XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d +XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut new file mode 100644 index 0000000000..2abd20b8b3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data +1673270800.189652 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/conn.cut new file mode 100644 index 0000000000..fb9e1bb702 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54958 127.0.0.1 5432 - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-startup-message/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-startup-message/conn.cut new file mode 100644 index 0000000000..d9e7067ced --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.bad-startup-message/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54906 127.0.0.1 5432 - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.dump-events/output b/testing/btest/Baseline/scripts.base.protocols.postgresql.dump-events/output new file mode 100644 index 0000000000..aa8bd9f268 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.dump-events/output @@ -0,0 +1,483 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +XXXXXXXXXX.XXXXXX PostgreSQL::ssl_request + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 613.140106 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + +XXXXXXXXXX.XXXXXX analyzer_confirmation_info + [0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_POSTGRESQL + [1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=3, num_bytes_ip=172, flow_label=0, l2_addr=], resp=[size=1, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 382.205963 usecs, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}], f=, aid=3] + +XXXXXXXXXX.XXXXXX PostgreSQL::ssl_reply + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=3, num_bytes_ip=172, flow_label=0, l2_addr=], resp=[size=1, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 382.205963 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] data: string = N + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = user + [2] value: string = zeek + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = database + [2] value: string = zeek + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = application_name + [2] value: string = psql + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = client_encoding + [2] value: string = UTF8 + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_message + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] major: count = 3 + [2] minor: count = 0 + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=5, num_bytes_ip=352, flow_label=0, l2_addr=], resp=[size=25, state=4, num_pkts=4, num_bytes_ip=217, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=5.0 msecs 738.019943 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] identifier: count = 10 + [2] data: string = SCRAM-SHA-256\x00\x00 + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=6, num_bytes_ip=404, flow_label=0, l2_addr=], resp=[size=25, state=4, num_pkts=5, num_bytes_ip=293, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 98.031998 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] data: string = SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=7, num_bytes_ip=511, flow_label=0, l2_addr=], resp=[size=118, state=4, num_pkts=6, num_bytes_ip=345, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 646.156311 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] identifier: count = 11 + [2] data: string = r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,s=+CteaSWwgyiphFuGGX5BiA==,i=4096 + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=8, num_bytes_ip=563, flow_label=0, l2_addr=], resp=[size=118, state=4, num_pkts=7, num_bytes_ip=490, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 935.058594 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] data: string = c=biws,r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,p=dyDbm15UroGE6wwsbEqiKmSYJNRf50RC/KK2ULYhR4M= + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] identifier: count = 12 + [2] data: string = v=0jpq9fPJQZCGXFdlCjQTGro71zmbxS/ENeTsnR2nWp4= + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_ok + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = application_name + [2] value: string = psql + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = client_encoding + [2] value: string = UTF8 + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = DateStyle + [2] value: string = ISO, MDY + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = default_transaction_read_only + [2] value: string = off + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = in_hot_standby + [2] value: string = off + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = integer_datetimes + [2] value: string = on + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = IntervalStyle + [2] value: string = postgres + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = is_superuser + [2] value: string = on + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = server_encoding + [2] value: string = UTF8 + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = server_version + [2] value: string = 14.5 (Debian 14.5-1.pgdg110+1) + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = session_authorization + [2] value: string = zeek + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = standard_conforming_strings + [2] value: string = on + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = TimeZone + [2] value: string = Etc/UTC + +XXXXXXXXXX.XXXXXX PostgreSQL::backend_key_data + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] process_id: count = 96 + [2] secret_key: count = 590994220 + +XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] transaction_status: string = I + +XXXXXXXXXX.XXXXXX PostgreSQL::simple_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=10, num_bytes_ip=776, flow_label=0, l2_addr=], resp=[size=583, state=4, num_pkts=9, num_bytes_ip=1059, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=25.0 msecs 581.121445 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] query: string = select now() + +XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] is_orig: bool = F + [2] typ: string = T + [3] chunk: string = \x00\x01now\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\xa0\x00\x08\xff\xff\xff\xff\x00\x00 + +XXXXXXXXXX.XXXXXX PostgreSQL::data_row + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] column_values: count = 1 + +XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] is_orig: bool = F + [2] typ: string = C + [3] chunk: string = SELECT 1\x00 + +XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] transaction_status: string = I + +XXXXXXXXXX.XXXXXX PostgreSQL::terminate + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=271, state=4, num_pkts=12, num_bytes_ip=898, flow_label=0, l2_addr=], resp=[size=672, state=4, num_pkts=11, num_bytes_ip=1252, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=27.0 msecs 49.064636 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = user + [2] value: string = postgres + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = database + [2] value: string = postgres + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = application_name + [2] value: string = psql + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = client_encoding + [2] value: string = UTF8 + +XXXXXXXXXX.XXXXXX analyzer_confirmation_info + [0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_POSTGRESQL + [1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}], f=, aid=3] + +XXXXXXXXXX.XXXXXX PostgreSQL::startup_message + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] major: count = 3 + [2] minor: count = 0 + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=3, num_bytes_ip=248, flow_label=0, l2_addr=], resp=[size=24, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 885.890961 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] identifier: count = 10 + [2] data: string = SCRAM-SHA-256\x00\x00 + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=4, num_bytes_ip=300, flow_label=0, l2_addr=], resp=[size=24, state=4, num_pkts=3, num_bytes_ip=188, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 msecs 925.872803 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] data: string = SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=TwGbAdrgxcvfe7FNe0iWJfSf + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=5, num_bytes_ip=407, flow_label=0, l2_addr=], resp=[size=117, state=4, num_pkts=3, num_bytes_ip=188, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 165.006638 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] identifier: count = 11 + [2] data: string = r=TwGbAdrgxcvfe7FNe0iWJfSf3mBBWw9W0eciRd2Pkg2/HIB1,s=iKUi26lwqA6spIkddhe7hw==,i=4096 + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=5, num_bytes_ip=407, flow_label=0, l2_addr=], resp=[size=117, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=5.0 msecs 603.790283 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] data: string = c=biws,r=TwGbAdrgxcvfe7FNe0iWJfSf3mBBWw9W0eciRd2Pkg2/HIB1,p=Y0VuiVVs4GDpPeMPkQcE0ADRvkq3Njc1mpCIrK1m/1Q= + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] identifier: count = 12 + [2] data: string = v=na9OnyjI3MkvsAm3C8I8BoeiU4I6QL3HPaMCcLTOgfA= + +XXXXXXXXXX.XXXXXX PostgreSQL::authentication_ok + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = in_hot_standby + [2] value: string = off + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = integer_datetimes + [2] value: string = on + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = TimeZone + [2] value: string = Etc/UTC + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = IntervalStyle + [2] value: string = postgres + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = is_superuser + [2] value: string = on + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = application_name + [2] value: string = psql + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = default_transaction_read_only + [2] value: string = off + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = scram_iterations + [2] value: string = 4096 + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = DateStyle + [2] value: string = ISO, MDY + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = standard_conforming_strings + [2] value: string = on + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = session_authorization + [2] value: string = postgres + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = client_encoding + [2] value: string = UTF8 + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = server_version + [2] value: string = 16.4 (Debian 16.4-1.pgdg120+1) + +XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] name: string = server_encoding + [2] value: string = UTF8 + +XXXXXXXXXX.XXXXXX PostgreSQL::backend_key_data + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] process_id: count = 876 + [2] secret_key: count = 4268530428 + +XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] transaction_status: string = I + +XXXXXXXXXX.XXXXXX PostgreSQL::simple_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=], resp=[size=613, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 889.820099 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] query: string = DROP TABLE IF EXISTS t; + +XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = S + [2] value: string = NOTICE + +XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = V + [2] value: string = NOTICE + +XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = C + [2] value: string = 00000 + +XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = M + [2] value: string = table "t" does not exist, skipping + +XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = F + [2] value: string = tablecmds.c + +XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = L + [2] value: string = 1300 + +XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = R + [2] value: string = DropErrorMsgNonExistent + +XXXXXXXXXX.XXXXXX PostgreSQL::notice_response + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + +XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] is_orig: bool = F + [2] typ: string = C + [3] chunk: string = DROP TABLE\x00 + +XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] transaction_status: string = I + +XXXXXXXXXX.XXXXXX PostgreSQL::simple_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=], resp=[size=744, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 164.001465 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] query: string = CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time); + +XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=], resp=[size=768, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 630.836487 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] is_orig: bool = F + [2] typ: string = C + [3] chunk: string = CREATE TABLE\x00 + +XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=], resp=[size=768, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 630.836487 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] transaction_status: string = I + +XXXXXXXXXX.XXXXXX PostgreSQL::simple_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=], resp=[size=768, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 734.786987 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] query: string = INSERT INTO t VALUES (now(), now(), now()); + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = S + [2] value: string = ERROR + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = V + [2] value: string = ERROR + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = C + [2] value: string = 42804 + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = M + [2] value: string = column "i" is of type integer but expression is of type timestamp with time zone + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = H + [2] value: string = You will need to rewrite or cast the expression. + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = P + [2] value: string = 23 + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = F + [2] value: string = parse_target.c + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = L + [2] value: string = 586 + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = R + [2] value: string = transformAssignedExpr + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + +XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] transaction_status: string = I + +XXXXXXXXXX.XXXXXX PostgreSQL::simple_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=], resp=[size=981, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=21.0 msecs 95.991135 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] query: string = DROP TABLE t; + +XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=], resp=[size=1003, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 515.939713 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] is_orig: bool = F + [2] typ: string = C + [3] chunk: string = DROP TABLE\x00 + +XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=], resp=[size=1003, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 515.939713 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] transaction_status: string = I + +XXXXXXXXXX.XXXXXX PostgreSQL::simple_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=], resp=[size=1003, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 620.843887 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] query: string = DROP TABLE t; + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = S + [2] value: string = ERROR + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = V + [2] value: string = ERROR + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = C + [2] value: string = 42P01 + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = M + [2] value: string = table "t" does not exist + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = F + [2] value: string = tablecmds.c + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = L + [2] value: string = 1294 + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] code: string = R + [2] value: string = DropErrorMsgNonExistent + +XXXXXXXXXX.XXXXXX PostgreSQL::error_response + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + +XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=], resp=[size=1106, state=4, num_pkts=10, num_bytes_ip=1628, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 727.893829 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + [1] transaction_status: string = I + +XXXXXXXXXX.XXXXXX PostgreSQL::terminate + [0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=431, state=4, num_pkts=12, num_bytes_ip=1058, flow_label=0, l2_addr=], resp=[size=1106, state=4, num_pkts=11, num_bytes_ip=1686, flow_label=0, l2_addr=], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 757.93457 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, dpd_state=, service_violation={\x0a\x0a}] + diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/analyzer.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/analyzer.cut new file mode 100644 index 0000000000..da70449a97 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/analyzer.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data +1362692526.939527 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 141.142.228.5 59856 192.150.187.43 5432 unsupported PostgreSQL major version 12132 (...) GET /download/CHANGES.bro-aux.txt HTTP/1 diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/conn.cut new file mode 100644 index 0000000000..98dfde72b4 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.http-on-port-5432/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 5432 ShADadFf - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/analyzer.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/analyzer.cut new file mode 100644 index 0000000000..25786b3609 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/analyzer.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data +1723562242.888659 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 43330 127.0.0.1 5432 unsupported PostgreSQL major version 3490 (...) \xf4\x00\x00\x01\x0d\xa2\x1b\x18\x00\x00\x00@\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/conn.cut new file mode 100644 index 0000000000..20f05381c4 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.mysql-on-port-5432/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 43330 127.0.0.1 5432 ShAdDaFf - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.parameter-status/output b/testing/btest/Baseline/scripts.base.protocols.postgresql.parameter-status/output new file mode 100644 index 0000000000..e7f454e9e5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.parameter-status/output @@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +parameter_status, ClEkJM2Vm5giqnMf4h, application_name, psql +parameter_status, ClEkJM2Vm5giqnMf4h, client_encoding, UTF8 +parameter_status, ClEkJM2Vm5giqnMf4h, DateStyle, ISO, MDY +parameter_status, ClEkJM2Vm5giqnMf4h, default_transaction_read_only, off +parameter_status, ClEkJM2Vm5giqnMf4h, in_hot_standby, off +parameter_status, ClEkJM2Vm5giqnMf4h, integer_datetimes, on +parameter_status, ClEkJM2Vm5giqnMf4h, IntervalStyle, postgres +parameter_status, ClEkJM2Vm5giqnMf4h, is_superuser, on +parameter_status, ClEkJM2Vm5giqnMf4h, server_encoding, UTF8 +parameter_status, ClEkJM2Vm5giqnMf4h, server_version, 14.5 (Debian 14.5-1.pgdg110+1) +parameter_status, ClEkJM2Vm5giqnMf4h, session_authorization, zeek +parameter_status, ClEkJM2Vm5giqnMf4h, standard_conforming_strings, on +parameter_status, ClEkJM2Vm5giqnMf4h, TimeZone, Etc/UTC diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-auth/output b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-auth/output new file mode 100644 index 0000000000..610f2d5306 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-auth/output @@ -0,0 +1,7 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +authentication_request, CHhAvVGS1DHFjwGM9, 10, SCRAM-SHA-256\x00\x00 +authentication_response, CHhAvVGS1DHFjwGM9, SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi +authentication_request, CHhAvVGS1DHFjwGM9, 11, r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,s=+CteaSWwgyiphFuGGX5BiA==,i=4096 +authentication_response, CHhAvVGS1DHFjwGM9, c=biws,r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,p=dyDbm15UroGE6wwsbEqiKmSYJNRf50RC/KK2ULYhR4M= +authentication_request, CHhAvVGS1DHFjwGM9, 12, v=0jpq9fPJQZCGXFdlCjQTGro71zmbxS/ENeTsnR2nWp4= +authentication_ok, CHhAvVGS1DHFjwGM9 diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/conn.cut new file mode 100644 index 0000000000..4e4c694aea --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/postgresql.cut new file mode 100644 index 0000000000..597c86e52b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable-15432/postgresql.cut @@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql startup - auth_ok MD5Password T - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql simple_query select now() - - T 1 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql terminate - - - - - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/conn.cut new file mode 100644 index 0000000000..2e73ad317b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/postgresql.cut new file mode 100644 index 0000000000..f042198d3e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-disable/postgresql.cut @@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql startup - auth_ok MD5Password T - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql simple_query select now() - - T 1 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql terminate - - - - - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut new file mode 100644 index 0000000000..62a51c0bf1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 ssl,postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/postgresql.cut new file mode 100644 index 0000000000..82db165636 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/postgresql.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 - - - ssl_request - ssl_reply S T - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/ssl.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/ssl.cut new file mode 100644 index 0000000000..3f0f7aaa8d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require-15432/ssl.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 database-1.cyx4x7yvdoay.us-east-1.rds.amazonaws.com diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut new file mode 100644 index 0000000000..d5b92b5fe9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 ssl,postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/postgresql.cut new file mode 100644 index 0000000000..016bae386b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/postgresql.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 - - - ssl_request - ssl_reply S T - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/ssl.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/ssl.cut new file mode 100644 index 0000000000..03afaeae6f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-aws-ssl-require/ssl.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 database-1.cyx4x7yvdoay.us-east-1.rds.amazonaws.com diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/conn.cut new file mode 100644 index 0000000000..3f0dca0291 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/postgresql.cut new file mode 100644 index 0000000000..2dd0f35f01 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-create-insert-select/postgresql.cut @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql startup - auth_ok SASL,SASLContinue,SASLFinal T - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE IF EXISTS t; - SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,Line=1300,Routine=DropErrorMsgNonExistent T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time); - - T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (42, 'forty-two', now()); - - T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (86, 'eighty-six', now()); - - T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query SELECT * from t; - - T 2 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DELETE FROM t; - - T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; - - T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql terminate - - - - - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/conn.cut new file mode 100644 index 0000000000..ac1fcb70a9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/postgresql.cut new file mode 100644 index 0000000000..2655631373 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-insert-fail-drop-fail/postgresql.cut @@ -0,0 +1,9 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql startup - auth_ok SASL,SASLContinue,SASLFinal T - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE IF EXISTS t; - SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,Line=1300,Routine=DropErrorMsgNonExistent T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time); - - T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (now(), now(), now()); error SeverityLocalized=ERROR,Severity=ERROR,Code=42804,Message=column "i" is of type integer but expression is of type timestamp with time zone,Hint=You will need to rewrite or cast the expression.,Position=23,File=parse_target.c,Line=586,Routine=transformAssignedExpr F - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; - - T 0 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; error SeverityLocalized=ERROR,Severity=ERROR,Code=42P01,Message=table "t" does not exist,File=tablecmds.c,Line=1294,Routine=DropErrorMsgNonExistent F - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql terminate - - - - - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/conn.cut new file mode 100644 index 0000000000..d665ddf487 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51732 127.0.0.1 5432 postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/postgresql.cut new file mode 100644 index 0000000000..a53fd4fec6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-fail/postgresql.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51732 127.0.0.1 5432 postgres postgres psql startup - auth_request,auth_request,error SASL,SASLContinue,SeverityLocalized=FATAL,Severity=FATAL,Code=28P01,Message=password authentication failed for user "postgres",File=auth.c,Line=323,Routine=auth_failed F - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/conn.cut new file mode 100644 index 0000000000..785a35936e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/conn.cut @@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 37268 127.0.0.1 5432 postgresql +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/postgresql.cut new file mode 100644 index 0000000000..5f03cd4e59 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-login-no-sslrequest/postgresql.cut @@ -0,0 +1,5 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 zeek zeek psql startup - auth_ok SASL,SASLContinue,SASLFinal T - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 zeek zeek psql terminate - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 37268 127.0.0.1 5432 zeek zeek psql startup - auth_request SASL - - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/conn.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/conn.cut new file mode 100644 index 0000000000..670096f2e5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/conn.cut @@ -0,0 +1,3 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p service +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 postgresql diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/postgresql.cut b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/postgresql.cut new file mode 100644 index 0000000000..377f2a534b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.psql-select-now/postgresql.cut @@ -0,0 +1,6 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 - - - ssl_request - ssl_reply N F - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql startup - auth_ok SASL,SASLContinue,SASLFinal T - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql simple_query select now() - - T 1 +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql terminate - - - - - diff --git a/testing/btest/Baseline/scripts.base.protocols.postgresql.startup-parameter/output b/testing/btest/Baseline/scripts.base.protocols.postgresql.startup-parameter/output new file mode 100644 index 0000000000..308a07c4d1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.postgresql.startup-parameter/output @@ -0,0 +1,9 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +startup_parameter, CHhAvVGS1DHFjwGM9, user, zeek +startup_parameter, CHhAvVGS1DHFjwGM9, database, zeek +startup_parameter, CHhAvVGS1DHFjwGM9, application_name, psql +startup_parameter, CHhAvVGS1DHFjwGM9, client_encoding, UTF8 +startup_parameter, ClEkJM2Vm5giqnMf4h, user, zeek +startup_parameter, ClEkJM2Vm5giqnMf4h, database, zeek +startup_parameter, ClEkJM2Vm5giqnMf4h, application_name, psql +startup_parameter, ClEkJM2Vm5giqnMf4h, client_encoding, UTF8 diff --git a/testing/btest/Traces/postgresql/bad-backend-message-1.pcap b/testing/btest/Traces/postgresql/bad-backend-message-1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1303a99d88f84b0536bbf4d3ee78fa0fee905ee5 GIT binary patch literal 722 zcmca|c+)~A1{MYcU}0bca`?pdB#SI&V(*wk=4FgUOsSXa-$zzD+E z)`?nVHD9v@sa(MH|N1`z1_maU|JPZVIJh31VZQ|uXJlq(2brvf*JK6;kjXZ?U?z)N zTw7Ps&)Wes-EM)<|I_FugG`5+YydRb31|}tBLlFTO=@_+Zr%zr8R}*`py{0r0!$45 zG=Oeogt!-EssPZf$xoOVLV-qsFfss}=w8DMHgO?V6D5EqTEk4_-wh1~VFqRfhSK8H zB8IBe)NBR@kR@e6OK>}T{~eGeHBVudKm()`7$AYD&IVb+zZ+!Y6`+ZpK=*<$G5|Z< zdjDOpiFdJ@2y(VQva|VjM*)ohCJT_kckw#4h7TMbn_&h+LpTr^!V|DLRS0O}t3Vz+ Vp0D8to45(9i6Y2xCixZQc>o^Drh@5mr({XdOvGRSn8$t6IOoq#rhFfstU+2kV|*v-3PCPUr)7-;%~1_369 ze;PnHGD6%7GW8G8t?E-57(#(YfiN-vo9O;t~bdqN4mFh}-$6;dA>(4sZbN sgxLfQ@^8Q(|AFRqkWDQAfNrTNb&bh(dXRTlXi9>)Ai=+UrTvX5+v7*pBh8Tk%4BJ#%;W*0VFi zomsCpLTVmC3T-bDh;^;>|eE;*e zUVrPk_g}a@v6M)h`uOQniBq>WKKSv||2Xoy=YIR(XYbxs{Lei(lV1MS*o_+xe3(d# z9X|4#L$};=_|T!-lV3mgH%5OuJQi7Bt=y3~hwt=6cB4JC^@p%QB7N)ks$`jVxU2Zt zyH~DWdl);Mc;TzXXTMpGtREh`J(>Q|>F<(t>~tIXt+wt+oQ73;hWyUI{XF@7>Dqwb zCt&@NOGnv*Pn3Z`jM_Rm_J^1-g`z@|4Ran~g zTCU@9JH2qGw7#-bPHijC;LW{MxEHcBmC8mso63$Sw*sMzQcbv_$sVhTkbcdxNt>&d zbhEisE|obxo-A3G@bSh}dTKm*#tZNf=2D)jjVBj8*A-SMJ=bLCh477%BX`Akay)qz zCp&phgcD&k6ovfd7bptv{b?Wyk01(fTsoS#_|$B4GT`()B2XoZllLbQ|2z^sgBFkc z_412k@$LH#viRZ4{T4e&uv{j?E}S1vF7i;AtWs}Iv&f0CbGHNtdX~hbD5b!k`h!mWjMljY|! zh4JJ*_$CWwLwL>bWMP^$_}guOfojbmgSywYpm(p0MmdK@_w4N>e8w+ z%WFC|^QE=J!n$BB<>6HeJ}A#&Rq2Qno80uarOV1*qaoDsKAS5WD=d&Tm+S|Yl72Y+ zI-D%@IGM?^?2K6`nE6>aS?F<+wynxqQ;FCX3q2IjF=15l{4+Ivpn9l=1QdeHHR@bH&;|`?&3}MHTt$;eL-8);DOHmRqX0T1s z@OCv7yoO*a>svBtu&VMJjJI~W83DTNFP`Zx#?PRL=aX1#q)8?ibizlZk#Jj;1=@Fi z?QC&yZS-z**g*JP@et_7CXMC(<@x#U@>mi&FIpy`aoQ}PQ`7~wh0@>z00-a^H1Mp{jq$;{4~d5CMF*Mk_&ID?M`tVwFcV%5@V z%vG(~K+TK=4H37Ij3aiWke_bW=rsR7RJ3RSRmyPGDGzz5(_e-GLt(L{jsF7SREH1S zVH?yJodR|z=@>A3P|c&Y9R;JUxzplp?C7F)IgXaz`+OyEtTdI@?KXQtb2)zDi2ctuhX86 zs0CMqyDQOZXb$XhCHXd%p5DCh_`+7@@ygk?rRB8>vmgX$cr@^_SsrK;EdhOqI+0$O zn=X_K5W6->IVAyAfqh|&q-_*HQ;_mFIU`XFm{Cs~XPEIYGpw|+Fs*rOdz8LfCefq| z$PlwoLEWYgZ;&0m$$@%4Zx+z%%=IQmr*()5pN^XnXz(mD-03_b@Q8Dq0DyI$v`zP6 z`uu&p*n;lpSmaO$p;n$3GE1nCEw00eEiFW>hbWuN3%OijMq47$b0oSHY9|JZ@H*On z&_g3=3xv<0kEHzfKXB8Y|7ETG6aC76{h5yP@BE@)`GYh%Bx|QDQq-0-krM(QLpAsg zArmXu0sRN%$G(d}dLT(jLQx{?c*Wt18&5<{ z?CBT=qz*xI`$R6tS zX$e$sDoYGAquik8D5OS`wj=TC1`u&0wpmzSlcAxFj@TMyf|e4NXr5zb4LYqTb36}? zDPWZfLx4c{t2M$G3UyRBgrj@W|G@=PW0*$!OKx&@EN0d*hKdJ&bP%O2Fo{&#T122H zBu;T|Mmlh8TZH_WHbFW=-#Rahq-d;FivU{5?WXSdI>Is7%ff>xMwu5Cmp)?m;SBIB zB{0)Rt=^2fm=|*Mk#i!K#?beRO=Ca@;Yex9HQia%>AU!>~f* z;ljpNRQ-?|bgM!Nfm$J5!XwZU4MurYZ7ZH_I`;eX5#zPu7D$R~lMdiS5nFJSY0RB$ zDpk9vd$kcm97U=kU7(|9Yn^yeOAb142hGJo35_(ei-spnmvVVkr?qxXzk}N7x$v$m z0LB@>6pz?3k`r-HK(|E`ASvcb#I1KM$mOtlP`VGGTK6?w&PERQuD!8P+R%D{o(ze? zYq)+0LQ?)Tl>hoz^bFqijQ#QQE2RAI<}l33;8?4U z84b5rG~VLtq)62wCT}c1zIk?i1+64r^)2onA3pHesJCM1r_fKJ;OR>PuwrwgR5>&J z{$rln;h6SlsDu(MDT$28hE=$Sc^Eb8lmAA>_$(M#Lesb;7(QkdR`q{9><%(>syBe1+2cy|?<)`;%)(?>8^qnYg%fS2w*s#mQfzQ?EX> jZ*dsM($C1pFaKr0$2YHB{p1~7&L_^F@A~)!eEjskNKEbc literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/mysql-on-port-5432.pcap b/testing/btest/Traces/postgresql/mysql-on-port-5432.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5d44e55f2dd63f3ecaeb6ae920bd59ad9e3437e0 GIT binary patch literal 3034 zcmdUxZA@Eb6vv;oKqsRP$S}-hOIM>zTx;p-Qj{rRSR?WpwnQ-I+BfKR^j_$_#WjAg zxcG*=Y-%)UmP}ou@WDhsZ0ZbtAc{CO(bP=G67-WBo8ZRFW{h6XdALuxw;4D3(I+{{ z)63;|{{Qow^R(&758pDA9Kx2O5MqK4=H%(l@j)A@hdqXNZ6I}oR5>nJlj^)J-#!ih zfH78E;tQvnAHg?|o0YRQLqN$<&gPgmYYSU6f;p~ zOV%p9;S!15#$*do~MS>OrFMY8#P?4 zmxqSiMr`C>=m8AvLc^wAjs+x^&fJg)hCf}@6PMtl?d`3lK&n=>IL$sTiZZb`-F9r? z@dDSw{nzd|UH8=Y<*Adw_wUags(I{<)m}5*V7%4 zJH>b`?~rc~x5rz+Nn#=%if~a;lC3f?984anDBwcfd_<5rArOn)5=%2bL;&-)^Ai5G?3N|)Q^ws4|Ua3Giv1Xb-BG* z$w#4*>z|GPIjrRJeXNpd>$HW_Ev>0SlX7LNzLH4%4v2B69ENt$W(@nEr^Ngl65(vl zeV`}qf;sw|x`#r@d|za(wOC{7x)2r29I=rONR6RgR6&E|cT}(?GrFt&*3t?Cb{NOu zSb0Xl3=Y_4LM$a08=n{&z5DvMcL!o8K0dO2$LIE3%v5pIMj9anhIY|R5BOi8UR_yU z4@32M%yjXTF4K&a&|A(7B!rIv+z)#U?V|8X#}#VhYX(AwfRP(qV3!3R&40MD?U$&9$@Bl-*P_wDfaTVdEOAM}R7C`eT!Y|<; zR_`_}{mhSmD8k9}{EN|3{(r+a1=TVbl>vGbR#q+bC`QBS)_SbgPrdqT!Kj%2>!{3u z0)tUmq&;?uDOf$P)_ORvX;kp$CA|U|74v$dQud1BsJukI-o-MhUZ=rp5Hnp!>N7#x zS)e)CsMG=+-k_1)cI2RAiQ0Ib!BrbUu#raiH=tYFcDn&#A*Qyv{r0As#=16pSwimg z#e&{4`-9C54K@4gGEX>nrQ6K~crL`3VgHXCyBwr0%b5_>Wg1-4{=ZPE7m_txQvmM* zZ5Y}`FNAi-GIjYLgR3q_!R0KvJOMv%v@Ul5LUmbPEkz{!qHqNgvKSI$F@l=Uz2sJ?rzr+kJxze8IfVa= zG|h#9w+_AJLdKehspg#wt7@JD&69}z^-n!EOLLF0=4({*7Ywdyo&?Ry2*13NfuF}q z4mF#w6n%hQ|Et(>onpVr!hT7yMP@SpmmZ76enX;vgjT`Bh-wv<+6$Y08+;9-~a#s literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-aws-ssl-disable-15432.pcap b/testing/btest/Traces/postgresql/psql-aws-ssl-disable-15432.pcap new file mode 100644 index 0000000000000000000000000000000000000000..051c542acd3c3d0fe3f8b4ffe451a63c2b535baf GIT binary patch literal 1994 zcmaKtZ)h8J7{{MWlQfI5w2rZKTWsbAcAZ=P^!g{IFJk}9#Z^kz6f{HPCHW;DOYgF~ zYsHEq4&MmdsAcU7i_pE=sQN~x73&K{!HHEW6%?5;27BQIoiDc8x>29!cWc&MLJywg z?tb_C{J!^nzIXTY*B@WBfgLus^>qLN55DzHrN8;h1<&I?)$us&xN!-8e=@GSpdX++ z&=`fNbG-J;%Wu3bUfqA`?6vNr?Vz;^6a%|_DbY7^bsU`A1 z7u=i4$TayT86XOOI@g+rO7!ldXRn=EzVAT#wz(%x`F+1WBG2|T-zGYe-9)aRc0&)Y zL{*_#4D8~X>nxhLA>CQ57w#@H)F^Phe-N37H)q^%9%)n+#A0AK5y!r&O7seMC+?Mq zw}^<40jL2O)0qYnjGcsxWJoDVXXcSqDCFg|WXP(LRHRV`1^rYW(s`LFMv^IMH6trI z7>OV0G<%dh=GlC|g~=U9RCyTbdhf##9Mv(u5NbW#!KXCo zOs6wRY0P+4)#M4DZ!_>Tai4BTN=DK$$+W6uRc#bAp41Hu|4Kp|;wU?zDh$Kl3&(I4 z#%gdXDum_}c;JXp6sEBsTZHRL9xk^f3a8I3KN!Mr-C4L^3fB@wVTFjr$Lb)Ce5#6Y z9SJn?aNVm)^a^)szb_|Z!=XWEd6qW(iuzjf0l125EQ|xp;s}*BMQ|?nAEoHsmGTrl z7{U}yQi|ZWjTE&+F-1$HbPouK#~pLC&w*ZzPe?+NU80_Z;yDWB0qQUcI@Tc!>*wNTE z+tU&y;v&j?4p*b9FgOy}%ZawCL^L>YuAKNHQtX6XLhKeopW;}j1v|}!HlWZ8znpIe=i=ibZH*DG*fH<-@?Q10N(Z$Io8-k#GB>B^6#q{*vBL zQgPyl!#BblU9o*r22}==%HE8DFXjt}f)mPCsqgIkQyFLlo#3XeoAr5qw`R>H^x#SE z?svb>eee5xe|O)0apglR*kEH@Uk9+@!B^hN^q0Ro;YHl1I+lRuQ;fyrr(Lp2&ZG z;Mz<^rolJJ05SN@vDQjdqBn=nE}dC;U`P74*{4qW`hIy#p6O}3OLQc=h}<~kf*!mR zRh4GJzmscjFlpX~bVsSta(}sq8ZBJ!uS6!|ooN@GLmE{TvE<)H#NzduM33eENA+dm z3K0=90CfOGjj3>ou@jIHbulGs%s3JYg}js&bxDzvvN*<|pq7P&dM|Q<= zL>(9N#;k&(={XgLX;!nOCADIKsXVMoHfyjjx#Nhc3?p6dc{GBf8s-;*9qrwGN~^{+ zI+GNO`s<1+o#Od60#6h7YPu+AL^YF4D{@v*$1vkbO;_=+EVL?NeUGctSpA-PjKU%jOHVXF0{K)` z;X2}P<>C6fCedTL*Zy54aR@0*8q2e^?vs@_+77@CyvL{G05dp3Wlj;ipZk|mbbhfi zMGuECMH7^w{VN+OIvB$g&6CpIU_m_Y7@KVtoa?v&^x=v9`~~j~1wx_2!O-DA*ca@M zhJmpd>JV=!pjT%28 NGnYOqYrIU<{{gbRbOrzb literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-aws-ssl-preferred.pcap b/testing/btest/Traces/postgresql/psql-aws-ssl-preferred.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3521c1b7b49601a0182116dfc694a065330f973b GIT binary patch literal 7676 zcmd5>2{cvf`~LQs9LJE%Gf`5)KBmr*IZ>voOp(k)GLv~MltQUAP^LI3MRO{pl1M2- z#En#vG?BXutz zNV&MN{%l_-S;OgfC*Z=_! z5FDTYe!vUFfB+B&LO>8M4?%DU9w7i}h|dp000swG3SQEyOyt4@+A z^)b#mV)zb(tP*nw3KcZOVJ)MLvj7)p5?IXE6~R)o9MjcBvzfZmvNWlqRm2Gb@vi=# zx`NlL7=Mv}XFh+hcFo&@4MN?P*6k*}lUeIisMe0pyx0qM6%ytrE*x2ERkQziem3ht z)uyIvCb>$ZcEs;1{-9WchmYFRzr~+Msy3DjaHPb4<@xjbpe1MPidf;y;n+KyajLwm z20`j!1$|qhsnsz6594Gs@UEpSDhQBD%xN^Bm2 zOcDrq9700pVaGh!F%gB@nncC06PyHo0&kF`)6?s9_(Nah1XL8%?24QwuS=j3*ndkC z1X2FD-+zFE#JV(Tb<$T31Ysird;%ojpY*}4=f1`x{cRdO7hOk(lFQC1p3GKf@2S~+ z_e92F7uHu~)xB2tL%Rs4B$`e9eLtH%jJMgqa7hYNVE3~^$6VU`Vgs9bme+X<``=$7 zuW_ZtGjC8-)gVB2!9vR-zmbHI+z4@Rxu^&>zs}xT<-(9IHhC&%#_ey4_>L;=A<4Fn z{7AsZfOD!Uq~>_@K1NqV$aq@@iBc-tWc&QfxJ~0g^akPq>w1UIl=D{ETN@=jRv!QJ zP=n;gfv2Ma#Tz?2qiS0=oTd&&o?AnIE|tD8j*;G-^2sv#z!{T%SP==-Lm4 zuCRuD+FriB$*uD1Kqni=eXc-s=N;eq-}s?0P1ymm1`h;u32Q=LHA=JXKgfBwG;klC zRNor>Dt23sI}7U$p1@nutIx=xW`bG1g2HSM8;~%LTYiUdw2cd70h ztsS{iyTUqQe^AJu{cIE7AACyrh;4O8YtO`NB1+TJn$lWx#}|CA;(vLtPAA%y&yr`g z;ohU?i?)l+pBSldm9H{6>CXFMgtu&=gU7|g7c+wl)581k!|ALqg!Eb+k8-;PNbmNu z$`rnpdj&EI?r{Kc6OZ6@fH(;u;YfHQLc|gA1cZQt*FAIsJQO$%hr@%z;2;{mpUQ@^ zLh%wvJUA;0Di1mzJ0P=DY@CBUy?i$X`}tD2n3o5Eg`LI1-8ndTi#t^cmBc4ayNjfSd*D_tSNEW0l52cj6@Eamu~Vi$vrgZFx(JoVzKCZR{p+OUPcxKMLaB7g zmAahJ*D%MSL&xbO0%pv19O5(0%b4SwubJsM$^@q4Z~^hX#WNiTV~36dKoyVITG%-5 zpMNi4_maMTq4~&?C2{GV?F%|uX{Etp`pF@O0JMI<0j(UG`LrFwZ*$CJ103*|3exS-WmI;Qf_* zap)~bXJ6-g_3e$rt@t(YR9_zOs={cB0NKU^6V9qyYyet6a#zwEt-P~PPR z>7*svsY1^V`h3VW^@vg{x?WO6d)3sorS7V6wf5xU26wIMQNelvYR+c|qxQmWNf$Kc zcf9kHhe%rL zh@{a;bCz_ej@HZC)k0^d23rE62pN$><11hf;B<<=h{m6b;~mS(^RPc{t$En&L;2gi z`a+MTG+p!J4;+urK;zSA+QHl_|F^yQ$95ozicg74;1@es=jRvv!wC{_i>%NkSoxd; zDT3sY(gM(JObv?faEjZK{JN^p&n(l&gWO_tO}mK?wctUuu#e6sEJsxn{)t|H71fV1 z{UAmt?mW$3C6Mgs9xBkOYxA*e7fV5mjl=e=2bU&xFSt4xUuW^m-^(D>^r;Vv^stB( zjo`vcOiCp^SKG7vsQ-t@$!;kpj!54&d0Mi6=cl^!A~IzO^yO7|mhCF9I&tBs)a93j zq5da6y=JS53~{+DJKAe4x~KLVL9=#jtxPHLoQCsD@9*vR)KhlZI3#)*97OL_(`+hlKgv0tjr->{!qQ+@~qC!&)-i-u_M9V9xIho!<;j0W4;34}cCsiMio;J9B$LtH3rK zWpKlB%ID|y0Pf%vgb;*C$+XpiJ3PH$3_axU(UqC#y>roNB@n&8&}IgD>TGl_g#33? z>k4yf-J3bJXeB?U*4D=}r`G>rsQ%Zh2=jR=9i>z0R2o%HRe7$@|4-fq{8yWQ_;SMZ z%-j1})K>CpH^1b!Hxx~dtWM!{SmC8&M2>kZRj4YMTVpI0Qhfke;dd?A`sZ`#kBGaKJYQO-V+RT^NC>P_eFkXRwBlM-ueCNuh)(O150?6s6ZYibKO{b-dG zK1#OBXZ%ojGuKIVv*zaHcVZL9SG{lDPq07&DQAL}G#ek96}<#@-kF8zlY{d~ZShk! z?}56_*}rgOKFHj^kWqMNJc&cVFI$-3O@M#2g^76ZvTZbhgS&n>@kNcDMcY7qrt2NN zMVG@H4wDh?OBo0GwlAV+?7NbE_icRfcE`$^odwq-ycKeAK~%Z+3h9O%zE+cb(MH9t zW`mcU^rw!kQQdSL&$@O*r-*fr)vnf>NZsMmXA7jn734j1UfHo{XUC#%Pjp1>j;8Pj z7G>~TEREhrYdr7CGQLstysu62j*t?yBWnjjoIVJou#5zFjBny2uF`8!yfT(s$>m?%6OwztEsy;cRUSjkfhj? zyA!EA8sz*=fiqFktGWa#N4cwIWyitz4WTjg9w1PlHBIX8d*rm6oc75}%}zSH4%znR_ClQ@1Y%-mEeU5S@#|58u8(V9!5t-ZG| zGcqrP2OiFIk#@dgDpH8bsE0+bdfmtB^(N5MH}>@UC*KB|4BKPzR#&}@3E7sWyNX^; zeBJf*u>s+GlKN5=517$nEIywS>`A_-?bqmVSk3&;a%`@ML+AgS z=Z-4OxiUC+uIL5B$7BPsl0WCl4mh=#&mHSn$lw8-fmqC$gEtteOhnJ$A_^iy*=#=% zQ!qqq2gCx;;UOCKw*eP?MygAwb$*}DUif9XF-PlF$MjMK_Fzq8gPSsgZL9j$W;C!G zrbRybl9sP6oE@{aV1?@VxonpmWyDRmGlvG}J0-T~Tk%3D1i=7h!wcC|2KxiU@9aLT zoBAZ*)KK}Bv{@P0tczPKP$3k5{q-J|P+s!eT8ym+H(5altOSeMyF0K+^D6T>rTWY{ zsTXWgM>mAelO {xK&N5%@eQ<(DEZkiB;7xYD}tWZ?XJo-K|m+1qMZ_aoLZ-q$~I zU08o}NsObyAGoG+=9A4aSj6A7OpQtKz)XVahVVv$0b4c{9sZNxu`F#x1Y1^GB`Y`u zmxRTfmK|j*XCfy577=Ti;ZMYI3{e2G>Nd@4g!OsuDsjpw+FHnm`-`)_6gTVUB(%;|`O<~3$V^k#L00XtHLb>w)>&yM)P zj*MfaFPiSfB40z9Pu}IHazfYE9iU~O-v8apDJ`6l=Go5m+>7}(pdaSm0rO%phqed? zjY(VaEZWLoBO2l$Z5{CS#MCo;aZgB_AC_Bpnzl$={B9oGW!~yLJx{$$biL@nUh(4d z*}G2;W}kb1NSo)>iuW%j@4mU6+?z0}VXP9Bw2NDFftYvo2;jyz*(uHej>5+PSj^@G zN!PrNadL%g7AFmmlVOaLbmO0#ba)wvd&0U9>uFA8YPs%Q>u<`|<4Y72WDM5{+l4=m zPZ>87PtHeWSDeuoACq6D7wM)o;i+nNXX7>VD*@W=hs;=l@@);ZFIA(Nkq!LzlKZyj z9a^~|T}3CT5dV0RR!lvRxv$S7Gp#JX(ZRH<>V?*lctP#HAu^A?I9gqbc0~^u7(7Zk zzkb;t^1-QAfm#HoZ2Qzv^SHX2FsD|jM3*elty@Oc+$9$5EKaFig5RiIwW`H3&+7Za zOnq$!-=He~z7K*2!_I`Oe;sYSo3~h`P+QdU>@)ox&$gMi9ojecLP0|;Yxw!LOurqM zvQOW07RpKNNj)mDH)FsqG^SuOG+&{5Fj=cA@<<^&Nu(g-{_(Poo5FWf)kSP8#rK$= zO&%_=jrR1t9cREHVY#H3jZ9M2Pf*`9L>ZO!>nrAIo%GCYl8|t<^_lNntoI>8BP__O z?}nS6jfm`#2&`F|5*#1^3J8liB64NWnIgJ5OGLw&w))F35$%J!jcE}*g(B*}M6`5T zL{V=T2Mqf+uHoPGlFa+uO}BW!hWt@)wTvxoa%;h4TTHc94OW0|Eho4FlVdSkE#RbP z1ye0wW~xPhnMs}cB1|oh_Ww`|Y7Eu#6e}QLS}ltcrNVYvNGa>fc?b0_RgHX97+xY+ zJ3$nso2{(kaU(zJdql_W@6;_~D=StPRFiWJ!7gbb-c;h|BTc@Bdpg$d z?7s8ZZj5?g%fVW+lcTtJT`FngPLjw({eZcDJH0qH-wRvE=mSpR2G@Ya93rh5>P#Z* zW)i8s2ojl(5jmdqgGdR3EN#>nTZh;*kId|n99iqa|%!AjM3BF>zdTd)nX*9SDN(k zSmvu{B1~9qjr^K$=Bqag%^OU+Gn&<`eAui_ShKw0`%g?QaDlh5q|AiV&64G#u68_D z(sTQ0NrC%kCuu7r4@>w8CWLQ=m@#LCvH)N!EL54b!cFiCz#P7Fc`*n8h7z#>`E_K? dEL%nMCbMkMS!Lg1mdy(!!XeUh*|)K>{{sU-obmtw literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-aws-ssl-require-15432.pcap b/testing/btest/Traces/postgresql/psql-aws-ssl-require-15432.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ad7dcab4e09e6048b35bdbf079460a8af0c8d47d GIT binary patch literal 7804 zcmd5>2{@Gd+y1??8DmLyS)=3-X6$Pyku_mjM6yPf$yP)dN1Ujr6Ouh;=~NskT9j%? zW65?>isY2gMrBvN-#gL?UFZK@=R4nZ{av0e^EPuo_j5n@Jilk&X}?>RhXFV+_cJpC z00JNQiywEhbHxL5_%|B1_CTPw5dPZ|+(QKG0nlTn8UjN?=b`GN@L09F6@|$rdK-qE zH6>7_T+HN9jtT%69KIZfA(FgJuf0L9BUmgOicFJX`yLr$&f?D^17HYV6DB25R1{rr zL$ZmidG=9=E}6?4AT{m(7jlMSgC~j(kx3|W0YqL4Goi7Fvl=sv#W{HaXGw^j6wQN- zrjJ052+H@mGm4BNE?GH`>p~SyvJm5ch$xJVMn3t5xD!Q$w1~J?L1h#fydZwhb-oH} z3~y8g^_vS+NP;S?isk|08TPZt5VZsH-H9TG^%KE5m;#O2UVW#lI%78r@x~7kg@O16 z*l4tRi1-Lav_m235b|#XO=p#VbV2#6prFYtK?&c=Z$n{G#8n@NARl@RjfE{jQkbVu z#K)_DhzJE8JM<0lA&Mx7MG!{>AX~B6*A`O3x*P^GF-H#a8Pgf#nUQwCzs#1DzkDvo zxFe+~NlMh7zol667uL7}L$wV>I%)fUox>E4%gk+8^QDGXS{hvCEWA=Rs^$snhp zxS^=wT(v^AGRUr8Q7s32s%5HIfnC+4YJQ+y&0ft1R6!QV1o}V^r~_p%0}E<_%4-1) z094&wf?Zr)f;=-4ui)KFhBv|aabG{3lsqcK_GQmumYx#I=HMSD92W%Jv^XK zJtVRqZ}LE2^b^ZkqwxT2Y=qSfU9@HD)g&;82dr4=EBsT259%v2{{mkn4>@c70-Y*B z37Yd&qb>B+LqSMF8v}qk7E9gus{iPqBB*6F4HuV}N;}1`F-`BQkv+~`F% zPBuFam*8Mu4~jHd3cW(&6ft5oOlpgVtCXEb;9hSxkD%33X8vwUb5IMq~*gE)^Au3R#PyMpjkVaDWfh$Xf7{CRt0J>_Dcc zQ1r+;vq=BMSrkq(34JvOCl+P(wQABFRn&YxsQQQEd@mn429f?=VFVAbF~|}Cuaht_ z&}Bz$zmS82o0jPx94UBX-{SXF%A-j@+0lk}`;T1t53W^J#cRwf3{LIn&rjmC^}jZ7 zGra@**wwQCPJ|*g&<|UV>~nl6rLfVhu&T>r_q(@G+v%&{c#7mzw8+H$WN<{}X`0{L zTr1BAje;BJ8Crj~J@&1?W>IS}liuR7rglQONr;m3VTXC=*`MRe^_Jv(5%p&mZF^1` z)6(-IkmR=*iwvAJzMV;vc=IP0ZTs$3*ga!2R3gR4^G;2zLhhz*Jj*V0a9$JWD>h%* z?8l>Lq1c?V+9DviuvX~V5JrUGirQXe>tZ3-#$d;tdwr(+y{G8WBjZx$=WN)Lq`NvQ z3~EJw$6%p#^J5TYsE7iYUIlv~E`y_ACezEJ`6u)8JRL7=)=#&7dv)NLu}HJDzFQtW zg=xpC4ssZ%BS;DrSx zh~Bj`+Bg0s<1EcO)z6do(EPeVn*iC4kGuwb>QbC0Sv}^T`1N~J!M80m6#^O}MWQch z?NJLPI(zIB>NeW)t~8M?KXS{C*o=lNUk)$7Hbbwsd%DNlWS`X|KQ@_BQK}Zsl^q{< zgz!uwSu<Q;UpC5F`)&=J#&}2AkxNSUlw~uTw7(OB->zrv@ zb=s!HeCs~U)7LTqn3$_~6=a&M#D;u|ZpEmry;9saS$#a5qoj$AGsZ#kUcW@tCxGLC z!;Xy{gLywY?9i4h9B==oZ_vrF0VlsJTo2J$IQen*3_o=8Q%=pF{KY-2$uA5fsuJc; z{(?Q-rv-xz>IU++i@dPk+-ccAld&~{vf25mH|JR+rI@7$SB%S3>rR|Goynf2-qv>A zGFN570smQdBWW{ee9)ORO}~IJoURISCD6zCo_zjj&)uOLwJdcs>h5lgIzPKfkWOg+ zpzi@nZRAKz+Q;f+jpE9NJrA#Dh(#aK)A*?KY1^pT>|4@}?7|xI;!6-@28V-(2Z6i< z^(-Iy7*B><#SB?|*6)Hi{vhX_k8adsPkvGmQd81!DA+l3Ly|0s{^3nHUs|SoE>nlIukLV7(eZRw_CJa0$EeJGJ-FW_+b#F_ zf3Rw#Z`oex8W*a>Nu!b{T{{P(0^9jC>pe&JFm)C6Dj#~~eH2qS36NX9!oGku9y6Z1 zU&2QrVm}A1yZ^rG*^nL%MGE)vJJZV8E{4H~)Z=%8NWi;*GIcdVJKbimu%{(t>hW;` zsYI@A+p|woTUv(?Y{#c;ZrahEaEY3^w^h<}-I*sRTcn(ZA591qJ9T$Q+<&7*6Wg-I_G-rFBYxoA0rG-%x7S{3w3+n`~jl0D>o?A6#d_v*3XZVoOcPayfw zUH_%i@bpHkI00gY1wux+wq;=_sQQx`UycHWr>&RPI!W_ZTv=`<>yg>~@u1bd)cTYw zk}s)juJU+YZ(|$Ub2CW;r&XHFijdz-rge0qZxi5H(C5Ov9FIKoL6E)15;q}3|V6Dd>MDmJ_AF6YwH_Lk1mewVQ#*2g`eV0yY^hfhm> zc7AEEP{?iD4RMjJPp0a_<4bc^n}ux+7_TCfN9sszp-&&45c7LBWt{5XYpal__+faB z*ohI-U&|{y{R0q#Qj2%52Bg~DPU%Zt?meRXh@BFj_N*y={7LK(=hdImnDr&~mu*$< zF0rpsbnlIQL0UWUo}zGIU8P_1i$?a+(9_HB%a@q7UX4Syse4=i+`=LlLm)vw2p9qu zkKi$QEDph8;Km1cKrCxJ!eBu0col^_oTX-^}Sz}DK1}SZ5EZC zSsyhs`MOy)L(bQ!TJBXt$wtF*KEoLvqi2u0@2!vg^RsrK!?eM(_SDwb(xl%X$f*po zN%tr5c1h~W874$oSj$elEF8T0^W;lula3<~d9||`(%1;O9>1xRVeLHUbgbLk<6nz^ zvAE`Qn;Bz=1d=WWtLV2jS{L*J2cOilNi!dp5+2iMPXbS}`=XP8_uEN8B*PgqgF(P| zhry5bwtsXO>~H9OJQ2gi+cbLcd7XpZxwM3mqNm}X4xE{pQRIQ5u86}2NP>X{#|7==5B#dtddZ7z%1P{!|Cab) zLe6WP+B6)p^Q}+<+jxNI)Gh)1`n3<$ndi69?0-SM!e|@kJ{|9ITkO2eA4l1u**_fy zNsn9Ep#zLW_^!P^#pIN zoZJ+cx+yYAz6Wq5xX}>cM)PiVqhSa4)OKkcx49Vd|GL=xi$meB&uEK2vi+N@*uTQ~ zKh1*+VKvj%x7JFYxgKg`C7qOWQCR9VZwp+ey;WjC@0YQ}N6jX<&kX~6B!Z#fT zj~SZR^A1~UMcRG%O}H=qo&l|ON4kd1ldI_DcZR#>-`r}-VBKmuJpaa!)-ST=XSCq0 zrjcVDb2o-=SY{YD+M;cwA*?;`C)}S6pO`*eSN>nr{qJFjt2dp9K2(cIQ}8 z2@xj)Jj=En#Mba$(`Gl9IMGdZ@_L^A8OLbA^Ft^EK>_9BXX1@4yoW4gnPX#by*}ph zDZi?UGj33;YmWPwG?Jp5ne9t)91S%?Ys;?T1|g6M8Vf&3fL#oK^jueun}4of1Vhf+ zywSoyveRO=Hdt4!x9JV*??{N7y|%IN{bWsFv*L_INczjEyF&CWH;k#wvaJOZiP<@I zO+9xvZws45Nwh)|e`B#6R?B{wFR(T*Y`7|Fv4f;JfvfCMA}FFyEjRcLmW0NlmSr(> zS%?xpM1(EV5ucAJ1XXqas;Xs{rek$mp}=ulQ%2#Xv>xsB<<^e7WDE`V?UpYw&AS<2 zBq_Z--d!OkOyM5K+G8wOnOl5veY|Y?ytIcBG_w9;{WEk$z0_GLL61$h56FN4t zHKEE;ZbGz8lm@Af8zR6L(ne!ZM|Lo1td1OA&=FPGk#MvlYZ~V|($wH>T4j$?U-`8c z8&^a>=vl&kaLvG`96cVT`v*TRxh}KU#t3(Nw{>eRntQ7e0)Byc(O4wger6s^Hp2z7 zg~LWTMMK$?c72nrHp8%~0nKgnRW_@oYYvIDm-#8r7+!F`zW-pqtDW2>;?ZeR_A$R( z%q+ra&*QGw>MCJ`o%}_q4R?0utgTq%zbTvHAC2-_KZ*fa@Ma?#3pGKK7<*7n)EpOR z;siChjcPK;H>b%1J*Y`7 zX<1pAa?s56J)Esk5%Lw2`Ca8~d(Noed$-(bjWCmV@jdUr5$8A|a8}H0N;oM)dIN*z zif_flXua}Wk?@;kRobpi&!$wjO?I!$56+7lQ}Lk4$wgh@7hSguYe?8~vnoq6^>XDX zUp3k+$8ih@fCfTik%`=xr&%W2yud`aWz9<}Q4WJ6%Hwh+V;fN|+ptg>C`o7y+zzkl}o{ zlvF~u454lj?EL1I5^vL+8YqE)uWs42D)p1Aj(czM#s;6dKC2O9u0sCX0>500;wq@V zbH08*H8jZ7Q6Fz-E9xsn54o^Wz`-(5o`3emmzmb5}(FW^qhc%$FNXX61e3p=|3xph!H7`{{ zh19P8CS(y5vIMO|{Hu@~)h|4rQ0{+{cEY-{J+L(KzO{cv&qg$-a0L#yz}yUN&kMfCwwZQ){`_a-wZNv7L3}=%&}7ppq>9j@vEUP^P-?b8R~e*n0W;h+Ej literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-aws-ssl-require.pcap b/testing/btest/Traces/postgresql/psql-aws-ssl-require.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4e2dd5b214b05d1dac0aac7a78ac47064033e930 GIT binary patch literal 7804 zcmd5>2{@GN+kf8KjImVqokrmhX6$PyC2PX8i0mTEWIGXIBu*;S5s56x)~PsBv?$e( zhGaX@LUKxIqs>~r=N;;VuJiw{^PTUy{w|NpyfgE=fA{bHz4vp^Gaa`o@-YAhzWz*4 z1AxE>fs#i&?A`Ie0{)LKI|m@xR}BBQhV~M{8UPGf>BhjA@Nj=^No2f6!?NPkwSqds zF4|HkQXXbvxPBD?7#zM5har-D%`U$}uOnD22Z~IW<@g>MV$R^tAOm0wUJ@pxQB)LN zP$zY*oJCGDM3>Iv3zCtI`3pJAxXBwuhsY!pxdXVF+~1)apB3HJLluh*y7zC;}wu zj^7ZwP(*tak^v$AM$k-l`pNUsmxqF;qJq{6eM`R`6750}<=+uO0rVKU=9dUL$~ulB zK3MTXL@21#@o$LtQA8muf;b@n*^I@$w3HFi=Q5g(JG77Al))U!j<)~(d5*N=h10pF zokvSjWW*f=T3gifmj^f+6^oN?gv{Tpuq5+m`kvQEBBE1eFkmG=h9Aq1)UK$dfZV3i zrjn-9wMw`8ZvPzeiB_Hqjeg_napLsZ-X+;-Cg-FAhjc+dj? z7roJ10l zi-;rQi3A*iM+oqqz#>=-4ui)KFhB|5aabG{3zPu{K_GQGundNf*(cT;l53~d5gF94 z85UiXKe4Aj_K{V+$yg9JKFa#4K3X!(S`rw7_XfJ=`wIV<>4*A?A~4TaslzThzd)x- zZQlFUS9k58ukH&$61o@wG_hFP`WFMqL&~6@**sEOSx$CNT)9@v4*Q4xonF(x;(kv6 z3juhbuu$4rap1do7I6U{_)7%1Axa#spAv^{&ck953}!L-y~{v0V6`hh&CL6?h5KO& z4}nuLVO_!~4}x&v0fmu9<)UyBurwTjA49XJ@>7QARzJc3A>4DV66khZq z2RDbkms@D4zZaEEkwLGJxJ6Ca1(Vt2 zms4cXH)6RZ{<puN6soSwY7>f-FpruVRgI!U)u5dhNpYkw zj#3RMdNWA>#935s3JHBT7dIAVHJdf*D^=8dKgjxr;(RY3B@Q8fuP}lK*f?YnfY(Ww zIOwuuyDyZ`&}K2ieIJWnIkW~mmhoy9RCThY-}oa>@tu23P3cODDx>4u1`1NR?E)_k zUd!ynK5(}hxEZBP3l6|mBDN$GkKH*sO(RnMyl>XkE9Gt2vRLeFC--H+{!)wO zEdh%SER|c1uCNSBEv^@SGK>)wu%>mC*tuCMv@}LJboz~go(R!OG&obT4LC*Te{Py;5`UdU%TCnrG!|@PZ^E*Gzff;~ye(LeLoxik~-T6g;)U(;m zI?H&b^B3*xIVlus)G%1ERrHy|#)nn|(^;F7s2g1#`*IhWsKhPVw`@$2){u7UWHx7p zW_$Y;t30)FNBn2~^`wp9?!AX8Q;f3+)A^DxPZDF4|Iz374!oWEF=FYTVs7ogXbNzy z4bclP81mmkt&jd#m+`*#@Lfq&;8EC!N`>^Gc`OGcpL2+X@dC5fxGL6H* z&4WN$gnE`AeT=8TsbZQUIpcRBoIr?+YuD9A?6D6@!Wt@CjzzB1SEVV^=+m+|5sFak zk6$piIBXN|B)s1;jj{)U5fB}X#dIsYVT9;UH&_2Pb$ z?y%Y!_|Ez+W7F1R_k?g2ZaR%J;r?(aCb)xNyV3j8PL{s1LG^u~{Pz-?Yl9S)E^{cN zkHwAU?UwRWirURZ?-{tGUKrNPrA*~La&t-*+s!okDD&Wr5EAqzs6tbN(7~`BD(-C! zn|yGDKq^yc-}2V2{~n1Y;nr7q_+-xj-Im`Mw+y)^T>yM&^2oMSj`#sHvUq4yJzj_NDmhe zYjH4T|E<6!Q*if2thoVVjs?OdxOTCKG@9W=)|X_U^tkQ(DrYiZ)y1XOa$eaj@Ap~n zN^d-RQTjQJ!(9=t?`vvHe`+pmE1h6TZyTMW9J7}9PCGierD~(cj!GUKU0-s(?whP-@qV63MN?Cq z+x%J!atg}(gu`ywtxJe*do>RV~^s8xi9^c!D=jP zykMtxYmq~pvS(lXGt#Q@w^XG)tE&TAp55gv4?nr|j$)a4+oc3_n!3#cz;!HwF$Piu zgn%Jn@dzG+$Knti22Ol%2E?+bBMcT~f{g#t8Hg87v|l^U-^`l+>{*k4ZpS$VKY7l~ znnhf5XU+e`i1r`%K6E;x>QZ#6x>OyimZti`>FmFAsQgdE+1~@S@OQ3Nc+ph0-gu1PczUtPldhiIYoh=BtQ+h&W%Q&Yz3nBL z^!q&pwGj^TKnh>Cw7!CIQjDdI-1zh2p-X!wo|D&h9=gw`dxA;EMk(|LOdgBqSbSQ~ zrlTYArQ{dO%YHXlarQ_s>0GFqVcT7sqCVj0mtL4M{eB7I0b^z-@TPb!*a`T)?F2*$ z>@m|A1bnv{{Ah0bN1MU!roIQ`aXfs@pY}a%aI}9g(wy#b3v1uI?FEn37~jPs8G`Z4 zNd~`GXV(ofO58}=7m+3ly2iwU7BJ*<&!%@yplIw{en+S{?Vk5{+Lr8DZ8E{5Ok zA!1y_nMym**$`>+sqFDmvXqLlxAC8j+}YVNl);kjsDpb*Lcv8xgzOdf{HoJ--iKq- zS>k-)ro>;u&S)LqFcRkaS~!VgEXaFuyC8nes{5L(Gh3&3Kcih_wvX|iO!T@TamMzK zWR6(Q4+lZY16&H9Uy1Q5u@@Ja3TC3^0#WO<^t?K{yMkL~NKV9O`>6Z|#FIV3=b~iS z^a|IG^VKUTOoGX4q7#(c07rro4FOIxZ)PSMPHE%evjN z7B8g8>4ooE^L&WY_eHQzV9eRge@u~!d(k}a2;<6pA4;1x%89mU|vKIF_%KA+s zE22!~n&Z%6V~a+<5gVOo`***I^e5gnqPK0!)Utha3GMtYaMt{rqoyqOQPaV>2SYl) z$XT4yfk#artHr+_3|+NC=S>um4iRnOzJjj#M@_((mCZ(s`4M6{MC?wUi-;h2lAJ|p zubjm>_D&W0_k2&V(UTUUp97HZ%X7|i(NVtP4J6P6xuRk54y$ zL$pB^KqmtZxF2F68v6g*#qeCz1XoXQr<;zcxgMChVB?O9u9G;<@l^Yj(NWB$Vde+H z0sbAi)-*!Yu^{h?E&H%_e3x}OEu_+VD9%1lb3WskO?Uwag&-)PLgI9yiKXwbr5tN? z^tI3XJbu*|H3_Co8VxN8dr2RU>SyQpQ=LAAo1?kq)bWBa$OK*UKS_Y?%s_Ns*G!nZ zub%_MF1mcNB0w5(n#m33Rqtzd)#f`AlIAaME&V^(Fjg)*B^8$WeDansW7Abr8mnS+ z(fEO!+=k}fTN}4TOrRv%Ac?=RST4I{zswa_mk$keESa0~Tts20s^_e#RwuNbYTJtikJySivraoR3xY_w~K zVwqX~wZsx>^3p_4rML`D5v#2ZH3utXea^8|1+=ksLtCvkO8DNfFD;Q}dd3P`RE0|I zSbAFc@bu=S8YhKu@pf@Kq&{Yh0DnjuT?;C*jY(%$Bzay%)L}&;(TaF=f2~M!ldoBg z14@1QY%SI=i@n#oh;!e{!40_vi&gIId%x(4?9a9)xEnic+Un8Rn@te#3yh1d1+wjC z<+Eioo+n!*EQE6`l#RCQn{4%2#?4J=Y?E2pte33ZFWONNpgL`Q*5%6XeFN_H3g?N* zQ>2{30oPe42%mZ%bidS8iy*iPl%zM^+>yJgYGvSt9A;oF%4^Lh3^)M~8__ji6C{PX z6V*h+X`Uv|P?H;|CQFum)#RQ5)TAErLN?B7V*5yFd4=tC+UUt{U(SNj>SK{xJf5b8 z98#xQrOKOCC-U~k-f*mtdKa5|AfTt=m9e_GAV+wgqQ>1xR!U;~evXHe5vPt>M!wR$ z$+=$1HSb7D_=&fM%YS-1N$XV@Dio_+8oOp-Rn)7Zf=siCFO|yU%Z}YrL!NI5*L^J3 z`bsh?@r>i11l14Yt4^2x9_M#GKJnUhh1KLK1#8bzpRvFpyOGFxE6%h+TDgI?XCG11 zEjcLR#kx9Nn>=EsEaJJhe1nHv5`;mag!!aM zN)~w?lkSdh!^G*l@Lrbmn^jH5_6<)a)wfLaEH4PnPZ(A6qADoFoD~pXErvBFY`Ru+ zLOT6I^(X#Xv{+7K7!U*vgsuf9@?f20n`q-a6Wx%rD62+IWRUmOMAx*kjPDtsCQ_U= zk&TPVJ*fj9P2DRE+=|y(`mU4aOlFw5>;J0ZR^`KUT-?R^GD<+=A`Vo;;OLs~7I2yw z#J+=!=enh=8oFf|b&KK9H@B4enqAXE2?Wi$WrKYB2X{TszS8wgehvNBA5D3R1#Srb zaxR9asP^WW#@)2=5Hlx3yuF>czYHVn?0P{*t6;VJrA=g?tX=P`s)~szmje&?k9kj~uz0gyzu>^MGF`vDX42H?j)YLb}fr za#+ryTm=={)e}ib$|Z+=iSS}%}0mu z1!zF??S$_G&i%U0o*B$8R{Gpxm8%T9=&?7T$+WM_hjjPZZx153<$poVy^`mDgc0HSg0{SL-+<@3s2iD8~{L32tkDJx2(CeHJBl6 z+LiNYTeE2|0n)|t-)PIAv{6JJi1>f!r4T&_WiBsvcJMn~^?AHhzGjzW4Z!~Z7_Qr< literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-create-insert-select-delete-drop.pcap b/testing/btest/Traces/postgresql/psql-create-insert-select-delete-drop.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7ebe574c09d71d807336b9cf357661d94c9b725d GIT binary patch literal 3959 zcmaJ^ZEO?g9e;3Apu~*wk|i`D9H9eJ9Pl}gy0J-9TOjuHyOyf=3zizS$fVw zR&tdq@P&Hd+<1>IjE3}g||@1$w!6|eOd0nvOHP>A;s-gLOQUBKY?sopS1UIICWH- z^-ccRp6kgC_j_ZxpOWxS-Z4)4GcD9%Ukv z4bRR6rz3rH{Sjq0kmVxIp2@(-qL>&OPdoZvJ~JHF7Ke@sst4si*lr~b3!%AIzU76& z1(ZMLHRPA7y|+zSZ5c%Q#}1U`?+5w&u-dRgiFMwih%Dzm(aR2cr}~^j3lpP#V-77H z42-#lH93=Vxn_gzsbJVUEpQ%uY%{XQAX`K!nU%Gqs_|0#)M+A5P0{h)qNE8KK}o{N z7c_AOdVnm^JI!&pnv^Aha9ZkUBJQK3Z6TPi%=5XJb~g=s+;Bs0JB2A@$s)u%wmgs zCWJfa!VW7*!WE`D=m9v%{(&BVr^XH{9e|d>b5Hg);ST!8YSj+fe-a?t{n61eChi>! zb4)0}a1)_eJjQ6p=o|JwJFVm%Ou{q=rTbmsB5e=X4Z6~X-PZ&gHi>j?@oKsefXKy0 zM<LN5=I}pB;ll;02Qtm`<&eNy~!DNV3KVi=wL87YcFvc%yd@CqWt2V~nS-so$hRKwf5tYiu9Vw!`RQrJJz8s0Tb=`~D3 z4bP*g8*p~?CW5Ds*3jdNa^5&ssUmnQSCTm-GH{x}2Q$wrsVuM97>&U*)m19;jZtg8 z7unBIPqf9*qZj!+6!{A38Q4?S(}Q}@_ja=$lk@g5E18G;nC76)v+SR!^N$TC-T4)8 zzJg4_=_;lk+&w*^kr)?^Gog|AD7YH;h7(+jIplQMn1gV@wA0<%f_%^h%eioB!bU1wc|oncLG8xvNt00fxkpgbab zm%9C{!K1tV9NgYU9&54e7I~cL)>+%F+XZd~F_Q(ms<^nu?!ZJ{yKmQA-rLG*>qeBZ z@>y9%FUnZo?)|zv?4POKe^%RV-3WHSKpyg86;ChPZH{qa&KGB1WTq5(#^?znlU4$K zgy#R1^=aXk$aC_n!J{wV7vQHIc^+P>=7AOgzpWZX_&6SpX4Fo9_f z>LtkDuj$1OUM?fc@CQ{aF5EUdDqYvG(wMG$1};-8yNrUB_Dttxu;N3K{IxQP8?4Y} zsomQ1z!L-snC75n`q>B6%)bpDePMiH<~s8De^kZe#s<}hZ{4#1I|vt;=Af`n_AeCn zziVKJDC~9%S+-TfBBFb`9%A8Fv>;suqF#{eP>|3PB6gJ#2cRHsL>#J%$UdYRzcmnb R>mkti8~i6_`Ct{|!1u#~ty2I1 literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-insert-fail-drop-fail.pcap b/testing/btest/Traces/postgresql/psql-insert-fail-drop-fail.pcap new file mode 100644 index 0000000000000000000000000000000000000000..215b56d1485cb218635800c4a9e73744f9e66219 GIT binary patch literal 3791 zcmaJ^Yi!$86ux}`;UQpyX$+7sqeGj>vb;!JAY*Cjw&|KalC;|pD7cQ3dP!{0cG`8) zposB?351vw9)i(LYx#pT1Op_5Cd3ckuntNE6M{cHHW2(^Fa=T0xwccgv^mmI>eqL^ z@4M$7yC>f}da#}}5-aBC38{mFukV`8?tk7zy5Vn3d$eXRrZ4`+J721wpFMjWA@z;(vyJtxi#osm!HehX8X7J@wr(IiCacGZUBB6a5w7SZDA> zROI^l3odd1pfK%05g)F6L=j(J67i~f()O4W5fD%9J*Ns9$#6P1%xS{H z8BS3OBG2ifETtu`2v@XS1;Q6ZLDJKL#LF2`%8|iTM~ksmZvo5Yb(il)mXn(;mZqa; z@=Yh=6PMS`>)V_xQTLfi7r6uIV%mf1?kVr1i0hU_1l@<)tB8JdG64{)Aumcs6Os7F zWLIRP|K^av{VY^ko_pnE>hPadC1cG_#OFMR8|j+e;;7_D?*ANdk#VSoX%EUhU-^V0 zzOy7EaBtXIMGOFUzXA}UMZ5`NB)3}%yVY=NtaCV$QFFWb(X7zi(JOexZQa>q7Kxmm za*-F|aZGzqB2SecKq4=HXAv=$IakwXnE#Q1piiW4j_DO^M|*nGvCRWGozZi{YTRHH384qb~9)6u`6x zrF*dQDfR6^i>|p6`(PzFr2GASRk|VYEr7li`0%herq!@%S;k6uhj*wX4h?C+&UU3= zi1+6Qc-9+fPmJbw1$uY#zM>M1sat);O}>FJ(m(Zvi}>pa&BgTVo5~L&{exRA`lj0) zxcvvxZ~Cc9zZvL<&~4~Ya>-~|;#&Kp@tv_iJU^;Mih*cLtffsB#KB-JG|&_1>gVE7 zz9-d}%SOWZmTf@IG)ZJRp2sdSt=}0yjtT`u9y~~E*(P}!7edWwF7H|Ni5mtX5#HT==mF{OisNLS&fs_zC(&@`NCTuC31RdEjmUl@GIaLtl)4zKuOY>t9$kO)G2Ay1H5 z-!2S`oW$V4MxRH?WpX~h_a@&4N@|Vyh;wLe1+Ys9X(;?#c=jJ0ap%RbgLWTtku)4( z+JkO@fy!re1AJ+9khuZ=nDZPNzz&)YI6A0#03fbyPxSROsYqK7%fvbuc6%(DN;3Mb z^bMPT(?#Bgn=tJ`%N;8}M90H1tDMoWM+WjuGnZnypPzP?>jj8HvbQf4i?U?M{Ed1s zNE}`;1%X+suVpf_pfQrHGs13B)7^}g7ZnBHCLQ!1zL?QGJn8WT;ITxzDl4q2%4%H8 z^~w^9kH9O4kSG+pY(X1+O&A_N3Zf?9DyBWCD7ErA_3$-Il;PpbrQqR76t%a@DGEId zM-yx$#V)uA+Nw@6>qQ236X;+@Ih7ybR5znDxTiK4Ca?Ro=8NoM;r)(EEGqZLdXsD- z#l(73eV}S6(lf{=ne~!9wtj;f7IERn6no$|7g-G-aG3T$3UwEjAE6z^TNF&O@EtI- z7b*NwbW≥!_}y=u40x<0l&Qw|Ijj&dY^TQDWALYZ*~v0D7^#zcLDt`oBd$6ePBxdi751x6Bt45Q18DvYTxei&J0cus>g9T9Ax z9@6g*kPd}YH6g8YYEICxZEtP~kp!J=IDjHhKPL$p7PuInGDeS{1)Byz9Hu?!N_AFF z(3SeuvdLVjy>p(a<7m?w*=ZB5)XIguVD0Xmf4j(bxP)mBTBN)D=u(Y0bsW~>Ni1^v zNVP~8G#U1q5#(&O5CP4+JJ*b#x%8${;s!m3u zv8HB0%p?|BvBFsd8|&`>HCDgZxBQ@5Jf8fm!5ZTUhxulp4AX?>|0v&5ew_Nh$@0aZ zJPrTD7?dyD=%l>xlIR888sDoYso%d^xMuTA&UvOcDGEUyylLRnIpQb7wm1ra>Qg zkwkE~2`NJ}$ZljJ^fwZlpqx6-e0Sdfs>EtSxj8JZxt>=lA^H|GRgquO2UJ zp%Bzcr2sT|v3+iB%mNH_;d|2A#lR_mR^8h+Xe&DW<1#)#dZnzqd2Z&|cXH>FHnmp$ z8bDi^S}W8t#kQ}uyX13CLBT#kK9iRWK*+66RdRXrN?D=pO9j%mmJX%fy!e(&CUlkT zL2^4zBAs2-*`#|%oqwxj#d!n<^BTodu8x#d8 zIwDBkkWZBS;Bi}<(|hGc%e~i~tRNz#dk3hZK6httwi<2r4rF*cgh?jfACx4Z5GO?X?Kl-@J8 z4fo7I_soOQXfNQs%>R}K-~Z(Pq17tnn^j0p38-Td)K!6WvZvb+2CL#BPshGzVi77PB1g9QXMG zLQ^2dae9$68CuLl_i6E2^%NTMTz%mgo+yXLJ`aw*``0(94aA zF*#36dm4v1dxK@D$72{U1_lhHjylt{A>!~(+dBq@zLREiyUEqbw*)*!hivcUi2i{i z3_QT0q_d0a-%Hlhw2!O$O4_rS_6E@pZ)NlosK1DRau9G?EpCe)`qM8R#^zo_J@kZm zS&oGwK9--12Jl2GCzT!J#h~D0$3hX79B{TuJ>gYgCAZdk!QNnO04KQ^N#C751CLNW z&l&hklmDfvE6HzQ@;mW^T3COXqn;pPbhG)0Nh1y8rb<-8*ugM1De-xRxP)O);&5J~ XZk0OzREdh?COZBh=XCv94sq!(XSt-YuJ~@MiXO{=s3C*!KSt@QB|8Y&=C*Dp+gJTO zbpRf~m_1n6v#ELb5Z;+H6JvCu>L$WMY&qn(waLM=7zoED`d3`QIY35gqgZVm-uaugzl}YV|s; zt)1pBMSBu<(%0^`Q)i!7cPiBCCe-RU)++eBW~WBf{!(S)4oZBkEb$>A{&qic^h_m< zw~tXbHmJmczsJGfTQf-fwMc9NH>k#RMWVZ(YLr!CA?sU^^$D8w9SyN*39=sjQJK;5 zb1I)i;(0owNS!@Y*R!29 zrnO{`yxgvmF92D;_VR~Rb8XQDMe{YFyU~SFv+BZfJ5o_=*G*+c%g?EN3W?`VmnA~q zZvM1LG$Ij9_}}If)x|)ae!jUFs(Ul2s)Ig4C*4bnZOu5R+)o;HMkKaD|Lf0bE>4No zvP8&t{_7&q1o;~E<`j2w!A|y~Tcl+9T6!Ikq(N8VMQ4{^DkV0AFP?r5Pwb!&lka+e_LJor-YF8zXcm@bKg0w2Y1kti7Y-O510$VT_fULbDrlO{_$M7LqGgLsVj1u7WNeyC z$NMK74!^mNvsx@IoW*49?LxWVgIs+BK4#kYN-w)>&BOVof4ja)Ml-`iS6-UZ1R zrHdMHME;1@c1|@wLj(i*FBXY*Fu;tpO++kVZc?mJN?i}q7T4~$jh}F3oKA;ze2+EL zIq2Ie2!6@QPZ{mTo;}@}>}3DwcwpEWv!MLXK)${qxiQ)iYX9kB!*aS08HAJfRU zBeCJ>D)O*_(74wS!^&I&i3=~3C4wOrHx!8uFvN}>0l%MQO~#VWX8j)4=VZ1T&Bmb3 zDRuYQ2LstLXJByLmD(~mmJIObSg_AMJY>PgYH@cjL__&g241Q!d(^-y>+OuhdZpv~vd^CLb z`+AO-*cdB>;2gwCT#^+@ilM6&ilq3Fl#qmT86+pbpJE1eKFBAS;#smoinQEw^;6dKePDa_2J>vO$x@ayo;$XA*caUikYy_z_Hk5Rhl z6!yyJ=oJ24mIzH(3uC9eVQeTrs7CCwfYle8OVa7^saRz?dgov|F5`5BHt&MWTG3rcP91A@$2NbvR&!o9`$75UHqw literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-login-wrong.pcap b/testing/btest/Traces/postgresql/psql-login-wrong.pcap new file mode 100644 index 0000000000000000000000000000000000000000..aa16d73bdff6f6821599d9488c20880165040fb2 GIT binary patch literal 2311 zcmaKtOKcl;5QisD1koZS9%_r=fEymAiCwSbcyXW>wj;a5azfro15&hEZ<}o#+wlXF z3PGAvno!!Lpf+tF&7tB_sZtM3)srQTTq=a9P=f$f>II1cmtHEFnb}>-TkIWalx(#5 z_M6}Qz5eO@8`}Uo-AJLe<;T4qBHu@HW7qN_B7b_`BpWI0ULROJxpAyOGMZEOI4zai2a0IL1be|c#X&3GLc50M={V_EV*1ox)JFj;$tL!iFVYr z#gdEgIunQL5>fJ>m#su3B%m3fm{)UfQdMUmDHr5vIj`zhayFaN6uF>f(o<=9PK9iK zJ_SljQ`3bhHLYZlTKYJQj>H1`q2IS=H*Z<28{sWn%2l5CU5lNY=KbZ80F$UmU0XbF zqU>ejC+57ynsp-1E8_>pIFcSr&^?5Reb~Zq&rrC}J^X&y-RYNf_g604xx*Wr>^J6< zj9p#DUEN{#S1nKCBf7RJzydyvy0+MT7T#o{T9=6KH)Bb;qpBxzTj7$9!(}Didz^pPyAznw3#>cSS$swLKMT`*d;97QRH1UB&L?q(B z-wLpWLe#azqpg*FO!U?z;%I;VY$eiKKEi&c@fd|-W=@+^=12Q_$7e>;5m}iZ_heJ5 zD*MaxQK_Rl6%CSp1odrBL>KSxjH$1mh>&|- zTI!`hJdZ8nAKsL&LCLX9u#6ZsNREc2>B!u6QkQ|PMN5Tmh(|`1I z1_neg^kwCIzLd!&opP}-gYO~Z{p36*YbiD9JeJ8h>2>C8qxV@G#OSs|3M70!KMc{u zlzylFsekr&yCC2o?{UM_)=$P#FP@Bb4&rNzc9??L|A#HHorzC; wj#!pB+EvrhSk^i&E51m?vsGdgqh&|OLpvgLu;T@jXiOc)sn7G&s}^GPKlT|a?*IS* literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-login.pcap b/testing/btest/Traces/postgresql/psql-login.pcap new file mode 100644 index 0000000000000000000000000000000000000000..17f01a363527f575d70f19bc1f01b2a1f6ed2aa6 GIT binary patch literal 2429 zcmaKtUrZZy9Ke4RrW6;msK}5InwU71GFoU$Np{KjH)sXfS_&&Asn_e#9y{)?cUNf1 zjJzqL%*AK3VHO{7iHYIK2bXMW7G)1&8S2AyZ*y79d6oxr(z$RCa0gd?|u&+z*u?E z=-=3T@+IDR)poG!WC*d<9qiWG>Ko2IT5ZPfYietsMY8vY!^ngn`P4TixzWG!fZW)Q z0R8&a7Y=^9*lHys-6YQdxgU1IC|}gs6I-Fqev@oCUkCc+@-Z9v{5No{Df%K6T?<=> zxyC-E#LkMu<2LgCw6C&NssdqCnp6dMIsYt{KZ4R3U<}=4gONGgi{-P`-J9u(Q1eJw%)Uo zY0$(dUo_v*V1W{M%zTYD7m1MX_FReB22E)V0ip?_Av_T38|w&<^mTN3eMNU4>{Q)7 z_A%|1$K0vdt9=5!lBxSUmYv$red7;1$-{0K<%_ysh^^6HJ*h|p_toD^Lv_^+z=>)Td1@_IUESu2J2CBDX=LdTPNPTEs`Dh*3lt+R{T) zJ7E!V(A4hR$rTX7C|@+S%fY*pxK@z}sXc$!O2oFzKs;AHjf_6bM|-E0@$qnes6X11 zTTD;8ymOjUW7-FFo()eert*T4K9e0DKJV=p`WVJ3FdkR04|Q*XZuJ7hF45k0nYu=A zd!V;lSb+5(t-44YbTp8!KpCTa(E_Z;KB2w+t|Ac%P*W%oUC>(x_EzMWgs`X`(#one zP?+J7?!0Wl(0YqTKn>tsxN)OR8A-8UP^i#9^z>4Mmf1b;>1HP>_e0O2lp?;)#Iw zk{n%N#$;ji+}z{{$MtLMd2OkE@a$4bi*Ww&v88!-Kw9jIWahNa^mv+M@UeQ_Jq+`f&nk$YlywWtt>U>zwi#!R0$DNL`!6=2jmgHyItfqa#t}*<@Un#5|E_ zXX$NCf)r27dR)_4DVg~H`({DX`4q3lVZQRZFwbj5mgo~L0l1qpHx!Gl-uoU zcfUb*Xw!HN?~SurJuR!k5}ozM;g85yX(FtejB~OyE35M`?;$xA{**FkoPd0$Wr-(4 zI@cMQ7$9%KlSd(DHnS)0;p9FNz$5Z09FgjWE_Ru|g)Z}m7;oVS GbpHpt@RJz; literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/postgresql/psql-select-now.pcap b/testing/btest/Traces/postgresql/psql-select-now.pcap new file mode 100644 index 0000000000000000000000000000000000000000..991fc2f9e7af4709cfb477fc0d4da9e0bdeac063 GIT binary patch literal 3197 zcmaKuUu;u#6vuzN6ln%dri`r{NMVYMb*#6v+e&DlYr6v7#@2SS5wza6x7~&Iw!8Ok zqr5nS4@RR2#;0mz8{?0F(HJ92oFNE_mc$1!4#ERQ@Daj`Z8`W&h)ltotHL|MN0Q3h_YZ3B>qRPR zy#)7{sls|nJX4m~z>uod1>!Ze3VPk|>)Vn17mzD!&CViuc9TX{tMCA-u$gLYEFoW` zb**QJ3(`g}Hk!RHdxjD>mL-DL-)aiP>!9^oKO(;dWMz@LdYb-44XGA%GZge86)KC z{U3-_S$ocak)#V+B(+yb=+#rI{mYU_H&DBI3qvvx4ZYZ?_G7t5N=%m}f_B@jQeqkq z9ZPf*ViZj#(P5Gtes{n3_@Fb>I^6ALdxDW}_I0asz$u`ReITTAYT0wNh)tRhwTMrl zEps%riBcg*48FpU(;x`F*l22}vgeUFGhdbnsSV>oep1|ow%owB906ZlIgLSIY)G-k z69ZjwTl#p$?hYRu80Z`xFv*Tqm%?*_LzD50kRI(B_j-qI-GbBMFbNK;+1`P2$3Sl7 z0_2)#C(dbd)!xq4%s(EX1%NG6B=;r~Up>N*uRt<-vC#s|Z**V8dMDTh5{f-e~uIneKq+01@dyU%AC>Kz&N zTl*X+-wyIC7bJUu?g)b>Kffa$kL>BbQi}y?gz2Le1m)jGB00v8ml#5QX+fBk*)Nbd z?JY}$f_&>N5Eqb$I|9xnSu^1{U54*g>J<){g=wQ$*r8?OY$?)+&yQiNI z%A(&Q9!gss_?jN02f!Q4PcK|DlpSHXQt##zKA>b0JlP*OXfpP>M<{G-l#g-a2_>XR zoG5b5JRIWB_u1H7!5zWZxBRZaiLmKLKQ9pPz@}Rm1VpXO zC-{hB6jPJiTIh$|7{sWoI(v~Gm3l2k{-`|J4o9UKk4nQ#NsK$Fx>{z)rw|Lh*r@6c zvzL&#ba<*nP(9LDAl?PlcQE%2qzVKVSh{JVUj!q>4fkH7-=rHYW{ahbwX~Uc8rjZW zX3H*X#}3wJw|26vW;1^CJRk7%dR##xOMh(hE!zrGD<_}ZL<>BtC9k%u8CrIdCf`#c z^)4pAN@0i>qM;WXP2Qd}QsQT2iIDt{@S&kj9!&o3Fd%e@-38cXgl?wT=_S~0RA?=9 zX>TbOi7&jj95H(tiL-SYQSJLl=zGf)672=zeH4mB+p@&m7OL^IMpTR00vg|?#oSp! Gy#GHoq5GWx literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/postgresql/availability.zeek b/testing/btest/scripts/base/protocols/postgresql/availability.zeek new file mode 100644 index 0000000000..ed16b1e891 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/availability.zeek @@ -0,0 +1,4 @@ +# @TEST-DOC: Check that the PostgreSQL analyzer is available. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -NN | grep -qi 'ANALYZER_POSTGRESQL' diff --git a/testing/btest/scripts/base/protocols/postgresql/bad-backend-message.zeek b/testing/btest/scripts/base/protocols/postgresql/bad-backend-message.zeek new file mode 100644 index 0000000000..574025bbe9 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/bad-backend-message.zeek @@ -0,0 +1,13 @@ +# @TEST-DOC: Startup message triggering integer overflow + +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-backend-message-1.pcap %INPUT +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut +# @TEST-EXEC: test ! -f reporter.log + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/bad-startup-message.zeek b/testing/btest/scripts/base/protocols/postgresql/bad-startup-message.zeek new file mode 100644 index 0000000000..118552b65f --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/bad-startup-message.zeek @@ -0,0 +1,11 @@ +# @TEST-DOC: Startup message triggering integer overflow + +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-startup-message-1.pcap ${PACKAGE} %INPUT +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: test ! -f reporter.log + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/dump-events.zeek b/testing/btest/scripts/base/protocols/postgresql/dump-events.zeek new file mode 100644 index 0000000000..07f07a951b --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/dump-events.zeek @@ -0,0 +1,17 @@ +# @TEST-DOC: Test that misc/dump events works. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >>output +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >>output +# +# @TEST-EXEC: btest-diff output + +@load base/protocols/postgresql/spicy-events.zeek +@load misc/dump-events + +redef DumpEvents::dump_all_events = T; +redef DumpEvents::include=/^(PostgreSQL|analyzer_)/; + +event zeek_init() { + Analyzer::register_for_port(Analyzer::ANALYZER_POSTGRESQL, 5432/tcp); +} diff --git a/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek b/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek new file mode 100644 index 0000000000..1e19888bf0 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/http-on-port-5432.zeek @@ -0,0 +1,13 @@ +# @TEST-DOC: Test rejecting wrong protocol. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut +# @TEST-EXEC: test ! -f postgresql.log + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek b/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek new file mode 100644 index 0000000000..9f7bc52f33 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/mysql-on-port-5432.zeek @@ -0,0 +1,13 @@ +# @TEST-DOC: Test rejecting wrong protocol. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut +# @TEST-EXEC: test ! -f postgresql.log + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek b/testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek new file mode 100644 index 0000000000..fffb9c63b8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/parameter-status.zeek @@ -0,0 +1,12 @@ +# @TEST-DOC: Test the parameter status event. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output +# +# @TEST-EXEC: btest-diff output + +@load base/protocols/postgresql + +event PostgreSQL::parameter_status(c: connection, name: string, value: string) { + print "parameter_status", c$uid, name, value; +} diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek new file mode 100644 index 0000000000..d40d9bcc82 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-auth.zeek @@ -0,0 +1,20 @@ +# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output +# +# @TEST-EXEC: btest-diff output + +@load base/protocols/postgresql + +event PostgreSQL::authentication_request(c: connection, identifier: count, data: string) { + print "authentication_request", c$uid, identifier, data; +} + +event PostgreSQL::authentication_response(c: connection, data: string) { + print "authentication_response", c$uid, data; +} + +event PostgreSQL::authentication_ok(c: connection) { + print "authentication_ok", c$uid; +} diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek new file mode 100644 index 0000000000..ca28dd3654 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable-15432.zeek @@ -0,0 +1,12 @@ +# @TEST-DOC: Test that the dpd.sig picks up a plaintext connection on a non-standard port. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable-15432.pcap %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff postgresql.cut + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek new file mode 100644 index 0000000000..c057c521b9 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-disable.zeek @@ -0,0 +1,14 @@ +# @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable.pcap %INPUT +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff postgresql.cut +# @TEST-EXEC: test ! -f ssl.log + +@load base/protocols/conn +@load base/protocols/postgresql +@load base/protocols/ssl diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek new file mode 100644 index 0000000000..9bba902072 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require-15432.zeek @@ -0,0 +1,15 @@ +# @TEST-DOC: Test that the dpd.sig picks up the SSLRequest and server response on a non-standard port. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff ssl.cut +# @TEST-EXEC: btest-diff postgresql.cut + +@load base/protocols/conn +@load base/protocols/postgresql +@load base/protocols/ssl diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek new file mode 100644 index 0000000000..ec2e4bda50 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-aws-ssl-require.zeek @@ -0,0 +1,15 @@ +# @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require.pcap %INPUT +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff ssl.cut +# @TEST-EXEC: btest-diff postgresql.cut + +@load base/protocols/conn +@load base/protocols/postgresql +@load base/protocols/ssl diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek new file mode 100644 index 0000000000..13bf673800 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-create-insert-select.zeek @@ -0,0 +1,12 @@ +# @TEST-DOC: Trace with CREATE TABLE, INSERT, SELECT DELETE and DROP. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-create-insert-select-delete-drop.pcap %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff postgresql.cut + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek new file mode 100644 index 0000000000..b037213bc5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-insert-fail-drop-fail.zeek @@ -0,0 +1,12 @@ +# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap ${PACKAGE} %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff postgresql.cut + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek new file mode 100644 index 0000000000..1ad7bf05a9 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-login-fail.zeek @@ -0,0 +1,12 @@ +# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-fail.pcap %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff postgresql.cut + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek new file mode 100644 index 0000000000..7814304611 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-login-no-sslrequest.zeek @@ -0,0 +1,12 @@ +# @TEST-DOC: The client does not start with SSLRequest. This pcap has two connections, attempting without password. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff postgresql.cut + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek b/testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek new file mode 100644 index 0000000000..ce631c9825 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/psql-select-now.zeek @@ -0,0 +1,12 @@ +# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output +# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut +# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut +# +# @TEST-EXEC: btest-diff conn.cut +# @TEST-EXEC: btest-diff postgresql.cut + +@load base/protocols/conn +@load base/protocols/postgresql diff --git a/testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek b/testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek new file mode 100644 index 0000000000..77b23b45b7 --- /dev/null +++ b/testing/btest/scripts/base/protocols/postgresql/startup-parameter.zeek @@ -0,0 +1,12 @@ +# @TEST-DOC: Event for name, value pairs in the startup message. +# +# @TEST-REQUIRES: ${SCRIPTS}/have-spicy +# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output +# +# @TEST-EXEC: btest-diff output + +@load base/protocols/postgresql + +event PostgreSQL::startup_parameter(c: connection, name: string, value: string) { + print "startup_parameter", c$uid, name, value; +} From d0da13413b3188ec02831865e66a2f17bf3862b8 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Fri, 6 Sep 2024 15:49:42 +0200 Subject: [PATCH 2/2] postgresql: Simplify SSL buffering and forwarding The ssl_sink can only be connected form the backend side, so don't overcomplicate it. --- .../protocol/postgresql/postgresql.spicy | 34 ++++++++----------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/src/analyzer/protocol/postgresql/postgresql.spicy b/src/analyzer/protocol/postgresql/postgresql.spicy index 897723b7aa..e3127fe6c8 100644 --- a/src/analyzer/protocol/postgresql/postgresql.spicy +++ b/src/analyzer/protocol/postgresql/postgresql.spicy @@ -64,7 +64,8 @@ public type FrontendMessages = unit { on %init { # Until the first FrontendMessages are initialized, ssl_sink in the # context is a Null reference. Also, we want to use a single sink - # for both, frontend and backend by calling beg + # for both, frontend and backend by calling begin_protocol() within + # the SSLSink's %init hook (see postgresql_zeek.spicy). self.context().ssl_sink = self.s1; } @@ -112,9 +113,9 @@ public type FrontendMessages = unit { # the context() is populated. # # In normal operations, Zeek should see the server's response before - # attempting to parse more data, but Robin was concerned it that in - # some circumstances (out-of-order packets, reassembly artifacts) we - # may see the client's data before the server's. + # attempting to parse more data, but Robin was concerned that in some + # circumstances (out-of-order packets, reassembly artifacts) we may + # see the client's data before the server's. # # In the future, barrier: https://github.com/zeek/spicy/pull/1373 : bytes &chunked &eod { @@ -126,14 +127,11 @@ public type FrontendMessages = unit { } else { # print "frontend ssl_state backend set!", self.context(); if (!self.s1_connected) { - if (self.context().ssl_backend_state == SSLBackendState::S) { - if (!self.context().ssl_sink_connected) { - self.context().ssl_sink.connect(new SSLSink()); - self.context().ssl_sink_connected = True; - } - } else { - # print "connecting plain frontend messages"; + if (self.context().ssl_backend_state == SSLBackendState::N) { self.s1.connect(new PlainFrontendMessages()); + } else { + assert (self.context().ssl_sink_connected); + assert (self.context().ssl_backend_state == SSLBackendState::S); } self.s1_connected = True; @@ -181,22 +179,20 @@ type SimpleQuery = unit { }; # The client has requested SSL, the server either confirms (S) or -# stays in plaintext (N) mode. Depending on the result, we connect -# our sink to the SSL sink, or to a PlainBackendMessages unit. +# denies (N). Depending on the result, the ssl_sink in the context +# is connected with a SSLUnit and used, or a sink connected with the +# PlainBackendMessages unit. # type MaybeBackendSSL = unit(ctx: Context&) { - - # Connected SSL, or plaintext. + # Connected to SSLSink or plaintext messages. sink s1; ssl_byte: uint8 &requires=($$ == 'S' || $$ == 'N') { # print "backend ssl_byte", $$; if ($$ == 'S') { ctx.ssl_backend_state = SSLBackendState::S; - if (!ctx.ssl_sink_connected) { - ctx.ssl_sink.connect(new SSLSink()); - ctx.ssl_sink_connected = True; - } + ctx.ssl_sink.connect(new SSLSink()); + ctx.ssl_sink_connected = True; # Share the SSL sink with the frontend. self.s1 = ctx.ssl_sink;