Merge remote-tracking branch 'origin/topic/awelzel/add-postgresql-parser'

* origin/topic/awelzel/add-postgresql-parser:
  postgresql: Simplify SSL buffering and forwarding
  postgresql: Initial parser implementation
Arne Welzel 2024-09-06 17:47:36 +02:00
commit b9ca50c6bb
84 changed files with 1821 additions and 11 deletions

21
CHANGES

@ -1,3 +1,24 @@
7.1.0-dev.250 | 2024-09-06 17:47:36 +0200
* postgresql: Simplify SSL buffering and forwarding (Arne Welzel, Corelight)
The ssl_sink can only be connected form the backend side, so don't
overcomplicate it.
* postgresql: Initial parser implementation (Arne Welzel, Corelight)
This adds a protocol parser for the PostgreSQL protocol and a new
postgresql.log similar to the existing mysql.log.
This should be considered preliminary and hopefully during 7.1 and 7.2
with feedback from the community, we can improve on the events and logs.
Even if most PostgreSQL communication is encrypted in the real-world, this
will minimally allow monitoring of the SSLRequest and hand off further
analysis to the SSL analyzer.
This originates from github.com/awelzel/spicy-postgresql, with lots of
polishing happening in the past two days.
7.1.0-dev.247 | 2024-09-05 19:19:31 +0200 7.1.0-dev.247 | 2024-09-05 19:19:31 +0200
* testing/external: Update private baselines (Arne Welzel, Corelight) * testing/external: Update private baselines (Arne Welzel, Corelight)

16
NEWS

@ -28,6 +28,22 @@ Breaking Changes
New Functionality New Functionality
----------------- -----------------
- Zeek now includes a PostgreSQL protocol analyzer. This analyzer is enabled
by default. The analyzer's events and its ``postgresql.log`` should be
considered preliminary and experimental until the arrival of Zeek's next
long-term-stable release (8.0).
If you observe unusually high CPU consumption or other issues due to this
analyzer being enabled by default, the easiest way to disable it is via the
``Analyzer::disabled_analyzers`` const as follows:
redef Analyzer::disabled_analyzers += {
Analyzer::ANALYZER_POSTGRESQL,
};
If you observe PostgreSQL traffic in your environment, please provide feedback
about the analyzer and structure of the new log.
* The LDAP analyzer now supports handling of non-sealed GSS-API WRAP tokens. * The LDAP analyzer now supports handling of non-sealed GSS-API WRAP tokens.
* StartTLS support was added to the LDAP analyzer. The SSL analyzer is enabled * StartTLS support was added to the LDAP analyzer. The SSL analyzer is enabled


@ -1 +1 @@
7.1.0-dev.247 7.1.0-dev.250


@ -67,6 +67,7 @@
@load base/protocols/ntlm @load base/protocols/ntlm
@load base/protocols/ntp @load base/protocols/ntp
@load base/protocols/pop3 @load base/protocols/pop3
@load base/protocols/postgresql
@load base/protocols/quic @load base/protocols/quic
@load base/protocols/radius @load base/protocols/radius
@load base/protocols/rdp @load base/protocols/rdp


@ -0,0 +1,6 @@
@if ( have_spicy_analyzers() )
@load ./consts
@load ./spicy-events
@load ./main
@load-sigs ./dpd
@endif


@ -0,0 +1,37 @@
module PostgreSQL;
export {
# https://www.postgresql.org/docs/current/protocol-error-fields.html
global error_ids: table[string] of string = {
["S"] = "SeverityLocalized",
["V"] = "Severity", # non-localized
["C"] = "Code",
["M"] = "Message",
["D"] = "Detail",
["H"] = "Hint",
["P"] = "Position",
["p"] = "InternalPosition",
["q"] = "InternalQuery",
["W"] = "Where",
["s"] = "Schema",
["t"] = "Table",
["c"] = "Column",
["d"] = "Data",
["n"] = "Constraint",
["F"] = "File",
["L"] = "Line",
["R"] = "Routine",
} &default=function(c: string): string { return fmt("UnknownErrorId%s", c); } &redef;
global auth_ids: table[count] of string = {
[2] = "KerberosV5",
[3] = "CleartextPassword",
[5] = "MD5Password",
[7] = "GSSAPI",
[8] = "GSSAPIContinue",
[9] = "SSPI",
[10] = "SASL",
[11] = "SASLContinue",
[12] = "SASLFinal",
} &default=function(id: count): string { return fmt("UnknownAuthId%s", id); } &redef;
}


@ -0,0 +1,29 @@
# Enable the analyzer if we see the SSLRequest message and a S|N reply from the server.
signature dpd_postgresql_client_sslrequest {
ip-proto == tcp
payload /^\x00\x00\x00\x08\x04\xd2\x16\x2f/
}
signature dpd_postgresql_server_ssl_confirm {
requires-reverse-signature dpd_postgresql_client_sslrequest
payload /^[SN]/
enable "PostgreSQL"
}
signature dpd_postgresql_client_startup_3_x {
ip-proto == tcp
# 4 byte length, then protocol version major, minor (16bit each),
# then expect the "user\x00" parameter to follow. Not sure about
# other versions, but we likely wouldn't properly parse them anyway.
payload /^....\x00\x03\x00.{0,256}user\x00/
}
signature dpd_postgresql_server_any_response {
requires-reverse-signature dpd_postgresql_client_startup_3_x
# One byte printable message type 4 bytes length. Assumes the first
# server message is not larger 64k(2^16) so match on \x00\x00 after
# the first byte.
payload /^[a-zA-Z0-9]\x00\x00../
enable "PostgreSQL"
}


@ -0,0 +1,245 @@
##! Implements base functionality for PostgreSQL analysis.
@load ./consts
@load ./spicy-events
@load base/protocols/conn/removal-hooks
module PostgreSQL;
export {
## Log stream identifier.
redef enum Log::ID += { LOG };
type Version: record {
major: count;
minor: count;
};
## Record type containing the column fields of the PostgreSQL log.
type Info: record {
## Timestamp for when the activity happened.
ts: time &log;
## Unique ID for the connection.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## The user as found in the StartupMessage.
user: string &optional &log;
## The database as found in the StartupMessage.
database: string &optional &log;
## The application name as found in the StartupMessage.
application_name: string &optional &log;
# The command or message from the frontend.
frontend: string &optional &log;
# Arguments for the command.
frontend_arg: string &optional &log;
# The reply from the backend.
backend: string &optional &log;
# Arguments for the reply from the backend.
backend_arg: string &optional &log;
# Whether the login/query was successful.
success: bool &optional &log;
# The number of rows returned or affectd.
rows: count &optional &log;
};
type State: record {
version: Version &optional;
user: string &optional;
database: string &optional;
application_name: string &optional;
rows: count &default=0;
errors: vector of string;
};
## Default hook into PostgreSQL logging.
global log_postgresql: event(rec: Info);
global finalize_postgresql: Conn::RemovalHook;
global ports: set[port] = { 5432/tcp } &redef;
}
redef record connection += {
postgresql: Info &optional;
postgresql_state: State &optional;
};
redef likely_server_ports += { ports };
event zeek_init() {
Analyzer::register_for_ports(Analyzer::ANALYZER_POSTGRESQL, ports);
Log::create_stream(PostgreSQL::LOG, [$columns=Info, $ev=log_postgresql, $path="postgresql"]);
}
hook set_session(c: connection) {
if ( ! c?$postgresql )
c$postgresql = Info($ts=network_time(), $uid=c$uid, $id=c$id);
if ( ! c?$postgresql_state ) {
c$postgresql_state = State();
Conn::register_removal_hook(c, finalize_postgresql);
}
}
function emit_log(c: connection) {
if ( ! c?$postgresql )
return;
if ( c$postgresql_state?$user )
c$postgresql$user = c$postgresql_state$user;
if ( c$postgresql_state?$database )
c$postgresql$database = c$postgresql_state$database;
if ( c$postgresql_state?$application_name )
c$postgresql$application_name = c$postgresql_state$application_name;
Log::write(PostgreSQL::LOG, c$postgresql);
delete c$postgresql;
}
event PostgreSQL::ssl_request(c: connection) {
hook set_session(c);
c$postgresql$frontend = "ssl_request";
}
event PostgreSQL::ssl_reply(c: connection, b: string) {
hook set_session(c);
c$postgresql$backend = "ssl_reply";
c$postgresql$backend_arg = b;
c$postgresql$success = b == "S";
emit_log(c);
}
event PostgreSQL::startup_parameter(c: connection, name: string, value: string) {
hook set_session(c);
if ( name == "user" ) {
c$postgresql_state$user = value;
} else if ( name == "database" ) {
c$postgresql_state$database = value;
} else if ( name== "application_name" ) {
c$postgresql_state$application_name = value;
}
}
event PostgreSQL::startup_message(c: connection, major: count, minor: count) {
hook set_session(c);
c$postgresql_state$version = Version($major=major, $minor=minor);
c$postgresql$frontend = "startup";
}
event PostgreSQL::error_response_identified_field(c: connection, code: string, value: string) {
hook set_session(c);
local errors = c$postgresql_state$errors;
errors += fmt("%s=%s", error_ids[code], value);
}
event PostgreSQL::notice_response_identified_field(c: connection, code: string, value: string) {
hook set_session(c);
local notice = fmt("%s=%s", error_ids[code], value);
if ( c$postgresql?$backend_arg )
c$postgresql$backend_arg += "," + notice;
else
c$postgresql$backend_arg = notice;
}
event PostgreSQL::error_response(c: connection) {
hook set_session(c);
if ( c$postgresql?$backend )
c$postgresql$backend += ",error";
else
c$postgresql$backend = "error";
local errors = join_string_vec(c$postgresql_state$errors, ",");
c$postgresql_state$errors = vector();
if ( c$postgresql?$backend_arg )
c$postgresql$backend_arg += "," + errors;
else
c$postgresql$backend_arg = errors;
c$postgresql$success = F;
emit_log(c);
}
event PostgreSQL::authentication_request(c: connection, identifier: count, data: string) {
hook set_session(c);
if ( c$postgresql?$backend && ! ends_with(c$postgresql$backend, "auth") )
c$postgresql$backend += ",auth_request";
else
c$postgresql$backend = "auth_request";
if ( c$postgresql?$backend_arg )
c$postgresql$backend_arg += "," + auth_ids[identifier];
else
c$postgresql$backend_arg = auth_ids[identifier];
}
event PostgreSQL::authentication_ok(c: connection) {
hook set_session(c);
c$postgresql$backend = "auth_ok";
c$postgresql$success = T;
emit_log(c);
}
event PostgreSQL::terminate(c: connection) {
if ( c?$postgresql )
emit_log(c);
hook set_session(c);
c$postgresql$frontend = "terminate";
emit_log(c);
}
event PostgreSQL::simple_query(c: connection, query: string) {
if ( c?$postgresql )
emit_log(c);
hook set_session(c);
c$postgresql$frontend = "simple_query";
c$postgresql$frontend_arg = query;
c$postgresql_state$rows = 0;
}
event PostgreSQL::data_row(c: connection, column_values: count) {
hook set_session(c);
++c$postgresql_state$rows;
}
event PostgreSQL::ready_for_query(c: connection, transaction_status: string) {
# Log a query (if there was one).
if ( ! c?$postgresql )
return;
# If no one said otherwise, the last action was successful.
if ( ! c$postgresql?$success )
c$postgresql$success = transaction_status == "I" || transaction_status == "T";
c$postgresql$rows = c$postgresql_state$rows;
emit_log(c);
}
hook finalize_postgresql(c: connection) &priority=-5 {
emit_log(c);
}
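Review bot: The `simple_query` handler copies the whole statement into the logged `frontend_arg` field (`c$postgresql$frontend_arg = query;`) with no length cap, so postgresql.log can end up holding arbitrarily long peer-chosen strings as well as credentials embedded in SQL such as `ALTER ROLE ... PASSWORD '...'`. Consider a redef-able limit in the export block and truncating before the assignment, e.g. `const max_query_len = 1024 &redef;` and `c$postgresql$frontend_arg = sub_bytes(query, 1, max_query_len);`. `backend_arg` grows by concatenation in the notice and error handlers and would benefit from the same bound. Separately, the `Info` fields from `frontend` through `rows` are commented with `#` rather than `##`, so they will presumably be missing from the generated log documentation.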


@ -0,0 +1,147 @@
##! Events generated by the PostgreSQL analyzer.
## Event generated for frontend SSLRequest messages.
##
## c: The connection.
global PostgreSQL::ssl_request: event(c: connection);
## Event generated for backend SSL reply.
##
## c: The connection.
##
## data: The server's reply: S for secure, N for unencrypted.
global PostgreSQL::ssl_reply: event(c: connection, data: string);
## Event generated for backend authentication requests.
##
## c: The connection.
##
## identifier: The identifier in the request.
##
## data: The request data, if any.
##
## .. zeek:see:: PostgreSQL::authentication_response
## .. zeek:see:: PostgreSQL::authentication_ok
global PostgreSQL::authentication_request: event(c: connection, identifier: count, data: string);
## Event generated for backend authentication requests indicating successful
## authentication.
##
## c: The connection.
##
## .. zeek:see:: PostgreSQL::authentication_request
## .. zeek:see:: PostgreSQL::authentication_response
global PostgreSQL::authentication_ok: event(c: connection);
## Event generated for frontend authentication responses.
##
## c: The connection.
##
## data: The response data, if any.
##
## .. zeek:see:: PostgreSQL::authentication_request
## .. zeek:see:: PostgreSQL::authentication_ok
global PostgreSQL::authentication_response: event(c: connection, data: string);
## Event generated for every parameter in a StartupMessage.
##
## c: The connection.
##
## name: The name of the parameter.
##
## value: The value of the parameter.
global PostgreSQL::startup_parameter: event(c: connection, name: string, value: string);
## Event generated for a StartupMessage.
##
## c: The connection.
##
## major: The major protocol version.
##
## minor: The minor protocol version.
global PostgreSQL::startup_message: event(c: connection, major: count, minor: count);
## Event generated for every backed ReadyForQuery message.
##
## c: The connection.
##
## transaction_status: I (idle), T (in transaction block), E (error).
global PostgreSQL::ready_for_query: event(c: connection, transaction_status: string);
## Event generated for every frontend SimpleQuery message.
##
## c: The connection.
##
## query: The query string.
global PostgreSQL::simple_query: event(c: connection, query: string);
## Event generated for identified field within an ErrorResponse.
##
## c: The connection.
##
## code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
##
## value: The field value.
##
## .. zeek:see:: PostgreSQL::error_response
global PostgreSQL::error_response_identified_field: event(c: connection, code: string, value: string);
## Event generated for a ErrorResponse.
##
## c: The connection.
##
## .. zeek:see:: PostgreSQL::error_response_identified_field
global PostgreSQL::error_response: event(c: connection);
## Event generated for identified field within a NoticeResponse.
##
## c: The connection.
##
## code: The code (https://www.postgresql.org/docs/current/protocol-error-fields.html)
##
## value: The field value.
##
## .. zeek:see:: PostgreSQL::notice_response
global PostgreSQL::notice_response_identified_field: event(c: connection, code: string, value: string);
## Event generated for a NoticeResponse.
##
## c: The connection.
##
## .. zeek:see:: PostgreSQL::notice_response_identified_field
global PostgreSQL::notice_response: event(c: connection);
## Event generated for every backend DataRow message.
##
## c: The connection.
##
## column_values: The number of columns in this row.
global PostgreSQL::data_row: event(c: connection, column_values: count);
## Event generated for backend runtime parameter status reports.
##
## c: The connection.
##
## name: The name of the runtime parameter.
##
## value: The current value of the parameter.
##
global PostgreSQL::parameter_status: event(c: connection, name: string, value: string);
## Generated for a BackendKeyData message for cancellation.
##
## c: The connection.
##
## process_id: The process ID of the backend.
##
## secret_key: The secret key of the backend.
global PostgreSQL::backend_key_data: event(c: connection, process_id: count, secret_key: count);
## Event generated For a frontend Terminate message.
##
## c: The connection.
global PostgreSQL::terminate: event(c: connection);
## Event generated for not implemented messages.
global PostgreSQL::not_implemented: event(c: connection, is_orig: bool, typ: string, chunk: string);
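Review bot: The doc comment for `data` on `PostgreSQL::authentication_response` ("The response data, if any.") does not say that this is the raw frontend authentication payload, which for the `CleartextPassword` and `MD5Password` methods listed in `auth_ids` would be the password or its hash. I would extend it to something like `## data: The raw response payload (PasswordMessage, SASL response, ...). May contain credentials; avoid logging it as-is.` The `secret_key` parameter of `backend_key_data` deserves a similar remark, since the comment above it ties the message to cancellation. `not_implemented` has no parameter documentation at all.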


@ -28,6 +28,7 @@ add_subdirectory(ntlm)
add_subdirectory(ntp) add_subdirectory(ntp)
add_subdirectory(pia) add_subdirectory(pia)
add_subdirectory(pop3) add_subdirectory(pop3)
add_subdirectory(postgresql)
add_subdirectory(quic) add_subdirectory(quic)
add_subdirectory(radius) add_subdirectory(radius)
add_subdirectory(rdp) add_subdirectory(rdp)


@ -0,0 +1,5 @@
spicy_add_analyzer(
NAME PostgreSQL
PACKAGE_NAME spicy-postgresql
SOURCES postgresql.spicy postgresql.evt postgresql_zeek.spicy
MODULES PostgreSQL PostgreSQL_Zeek)


@ -0,0 +1,42 @@
import PostgreSQL;
import PostgreSQL_Zeek;
protocol analyzer PostgreSQL over TCP:
parse originator with PostgreSQL::FrontendMessages,
parse responder with PostgreSQL::BackendMessages;
on PostgreSQL::NotImplemented -> event PostgreSQL::not_implemented($conn, $is_orig, ("%c" % typ), self.chunk);
on PostgreSQL::AuthenticationRequest if ( self.identifier != 0 )-> event PostgreSQL::authentication_request($conn, self.identifier, self.data);
on PostgreSQL::AuthenticationRequest if ( self.identifier == 0 ) -> event PostgreSQL::authentication_ok($conn);
on PostgreSQL::AuthenticationResponse -> event PostgreSQL::authentication_response($conn, self.data);
on PostgreSQL::FrontendMessages::ssl_request -> event PostgreSQL::ssl_request($conn);
on PostgreSQL::MaybeBackendSSL::ssl_byte -> event PostgreSQL::ssl_reply($conn, ("%c" % self.ssl_byte));
on PostgreSQL::StartupParameter -> event PostgreSQL::startup_parameter($conn, self.name, self.value);
on PostgreSQL::StartupMessage -> event PostgreSQL::startup_message($conn, self.version.major, self.version.minor);
on PostgreSQL::ErrorIdentifiedField -> event PostgreSQL::error_response_identified_field($conn, ("%c" % self.code), self.value);
on PostgreSQL::ErrorResponse -> event PostgreSQL::error_response($conn);
on PostgreSQL::SimpleQuery -> event PostgreSQL::simple_query($conn, self.query);
on PostgreSQL::ReadyForQuery -> event PostgreSQL::ready_for_query($conn, "%c" % self.transaction_status);
on PostgreSQL::NoticeIdentifiedField -> event PostgreSQL::notice_response_identified_field($conn, ("%c" % self.code), self.value);
on PostgreSQL::NoticeResponse -> event PostgreSQL::notice_response($conn);
on PostgreSQL::Terminate -> event PostgreSQL::terminate($conn);
on PostgreSQL::DataRow -> event PostgreSQL::data_row($conn, self.column_values);
on PostgreSQL::ParameterStatus -> event PostgreSQL::parameter_status($conn, self.name, self.value);
on PostgreSQL::BackendKeyData -> event PostgreSQL::backend_key_data($conn, self.process_id, self.secret_key);


@ -0,0 +1,333 @@
# A PostgreSQL analyzer.
#
# https://www.postgresql.org/docs/current/protocol.html
#
# Protocol version 3.0
module PostgreSQL;
import spicy;
type SSLFrontendState = enum {
Requested,
NotRequested,
};
type SSLBackendState = enum {
S,
N,
};
# How many chunks to buffer initially when seeing a backend message
# before a frontend or vice versa.
const MAX_BUFFERED = 4;
# When a connection switches to SSL, this consumes all the SSL chunks.
# In zeek_postgres.spicy, SSLSink%init calls zeek::protocol_begin() and
# then zeek::protocol_data_in()
#
# There's a single SSLSink shared between backend and frontend.
type SSLSink = unit {
chunk: bytes &chunked &eod;
};
# Used as context for synchronization between frontend/backend.
type Context = struct {
ssl_frontend_state: SSLFrontendState;
ssl_backend_state: SSLBackendState;
ssl_sink: sink&;
ssl_sink_connected: bool;
};
type ProtocolVersion = unit {
major: uint16;
minor: uint16;
};
type StartupParameter = unit {
name: /[-_\/A-Za-z0-9]+/ &requires=(|$$| > 0);
: uint8 &requires=($$ == 0);
value: /[\x20-\x7e]+/ &requires=(|$$| > 0);
: uint8 &requires=($$ == 0);
};
type StartupMessage = unit {
length: uint32 &requires=(self.length >= 9);
version: ProtocolVersion &requires=($$.major == 3);
parameters: StartupParameter[] &size=self.length - 9;
: skip b"\x00";
};
# Top-level entry for the client.
public type FrontendMessages = unit {
%context = Context;
on %init {
# Until the first FrontendMessages are initialized, ssl_sink in the
# context is a Null reference. Also, we want to use a single sink
# for both, frontend and backend by calling begin_protocol() within
# the SSLSink's %init hook (see postgresql_zeek.spicy).
self.context().ssl_sink = self.s1;
}
var buffered: vector<bytes>;
var s1_connected: bool;
var ssl_requested: bool;
sink s1;
# Peek at the client data.
length: uint32 &requires=(self.length >= 8);
version_or_magic: uint32 {
self.ssl_requested = self.length == 8 && $$ == 80877103;
if (self.ssl_requested) {
self.context().ssl_frontend_state = SSLFrontendState::Requested;
} else {
self.context().ssl_frontend_state = SSLFrontendState::NotRequested;
self.context().ssl_backend_state = SSLBackendState::N;
# Pre-check the supported major version here.
local major = $$ >> 16;
if (major != 3)
throw "unsupported PostgreSQL major version %s" % major;
# Put length and version back into the buffer so PlainFrontendMessages
# can re-parse it.
#
# This explicitly avoids using random access functionality like
# `self.input()` and `self.set_input()` which would disable automatic
# trimming in this unit (which is top-level unit parsing unbounded
# amounts of data).
self.buffered.push_back(pack(self.length, spicy::ByteOrder::Network));
self.buffered.push_back(pack(self.version_or_magic, spicy::ByteOrder::Network));
}
}
# void field for raising an event.
ssl_request: void if(self.ssl_requested == True);
# print "frontend ssl", self.context();
# If the client requested SSL, we do not know how to continue parsing
# until the server confirmed SSL usage via 'S' or 'N' responses. As long
# as it hasn't responded, stall the parsing here and buffer bytes until
# the context() is populated.
#
# In normal operations, Zeek should see the server's response before
# attempting to parse more data, but Robin was concerned that in some
# circumstances (out-of-order packets, reassembly artifacts) we may
# see the client's data before the server's.
#
# In the future, barrier: https://github.com/zeek/spicy/pull/1373
: bytes &chunked &eod {
if (!self.context().ssl_backend_state) {
self.buffered.push_back($$);
if (|self.buffered| > MAX_BUFFERED)
throw "too many frontend messages buffered";
} else {
# print "frontend ssl_state backend set!", self.context();
if (!self.s1_connected) {
if (self.context().ssl_backend_state == SSLBackendState::N) {
self.s1.connect(new PlainFrontendMessages());
} else {
assert (self.context().ssl_sink_connected);
assert (self.context().ssl_backend_state == SSLBackendState::S);
}
self.s1_connected = True;
if (|self.buffered| > 0) {
for (b in self.buffered)
self.s1.write(b);
}
self.buffered.resize(0);
}
self.s1.write($$);
}
}
};
type PlainFrontendMessages = unit {
startup_message: StartupMessage;
: FrontendMessage[];
};
type FrontendMessage = unit {
typ: uint8;
length: uint32 &requires=(self.length >= 4);
switch (self.typ) {
'p' -> : AuthenticationResponse;
'X' -> : Terminate;
'Q' -> : SimpleQuery;
* -> not_implemented: NotImplemented(self.typ);
} &size=self.length - 4;
};
type AuthenticationResponse = unit {
# This is PasswordMessage, SASLInitialMessage, etc. based on context.
# For now, just thread it through.
data: bytes &eod;
};
type Terminate = unit {};
type SimpleQuery = unit {
query: bytes &until=b"\x00";
};
# The client has requested SSL, the server either confirms (S) or
# denies (N). Depending on the result, the ssl_sink in the context
# is connected with a SSLUnit and used, or a sink connected with the
# PlainBackendMessages unit.
#
type MaybeBackendSSL = unit(ctx: Context&) {
# Connected to SSLSink or plaintext messages.
sink s1;
ssl_byte: uint8 &requires=($$ == 'S' || $$ == 'N') {
# print "backend ssl_byte", $$;
if ($$ == 'S') {
ctx.ssl_backend_state = SSLBackendState::S;
ctx.ssl_sink.connect(new SSLSink());
ctx.ssl_sink_connected = True;
# Share the SSL sink with the frontend.
self.s1 = ctx.ssl_sink;
} else {
ctx.ssl_backend_state = SSLBackendState::N;
self.s1.connect(new PlainBackendMessages());
}
}
# Now that s1 is connected, forward the rest of the connection to it.
: bytes &chunked &eod -> self.s1;
};
# Top-level entry for the server.
public type BackendMessages = unit {
%context = Context;
var buffered: vector<bytes>;
var s1_connected: bool;
sink s1;
# Buffer until the SSL frontend state was populated.
: bytes &chunked &eod {
if (!self.context().ssl_frontend_state) {
# print "backend buffering ", |$$|;
self.buffered.push_back($$);
if (|self.buffered| > MAX_BUFFERED)
throw "too many backend messages buffered";
} else {
# The ssl_frontend_state has been set. If The client requested SSL,
# connect to an SSLMaybe instance. If it did not, connect
# directly to PlainBackendMessages.
# print "backend", self.context(), |self.buffered|, self.s1, self.s1_connected;
if (!self.s1_connected) {
if (self.context().ssl_frontend_state == SSLFrontendState::Requested) {
self.s1.connect(new MaybeBackendSSL(self.context()));
} else {
self.s1.connect(new PlainBackendMessages());
}
self.s1_connected = True;
if (|self.buffered| > 0) {
for (b in self.buffered)
self.s1.write(b);
}
self.buffered.resize(0);
}
# print "backend writing to sink", $$, |self.s1|;
self.s1.write($$);
}
}
};
type PlainBackendMessages = unit {
: BackendMessage[];
};
type BackendMessage = unit {
typ: uint8;
length: uint32 &requires=(self.length >= 4);
switch (self.typ) {
'K' -> backend_key_data: BackendKeyData;
'E' -> error: ErrorResponse;
'R' -> auth: AuthenticationRequest(self.length - 4);
'S' -> parameter_status: ParameterStatus;
'D' -> data_row: DataRow;
'Z' -> ready_for_query: ReadyForQuery;
'N' -> notice: NoticeResponse;
* -> not_implemented: NotImplemented(self.typ);
} &size=self.length - 4;
};
type ParameterStatus = unit {
name: /[-_\/A-Za-z0-9]+/ &requires=(|$$| > 0);
: uint8 &requires=($$ == 0);
value: /[\x20-\x7e]+/ &requires=(|$$| > 0);
: uint8 &requires=($$ == 0);
};
# Possible values are 'I' if idle (not in a transaction block);
# 'T' if in a transaction block; or 'E' if in a failed transaction block
# (queries will be rejected until block is ended).
type ReadyForQuery = unit {
transaction_status: uint8 &requires=($$ == 'I' || $$ == 'T' || $$ == 'E');
};
type NoticeIdentifiedField = unit {
code: uint8;
value: bytes &until=b"\x00";
};
type NoticeResponse = unit {
: NoticeIdentifiedField[];
: skip b"\x00";
};
# Just for counting right now.
type DataRow = unit {
column_values: uint16;
: skip bytes &eod;
};
# Fields with a 1 byte field as documented here:
# https://www.postgresql.org/docs/current/protocol-error-fields.html
type ErrorIdentifiedField = unit {
code: uint8;
value: bytes &until=b"\x00";
};
type ErrorResponse = unit {
: ErrorIdentifiedField[];
: skip b"\x00";
};
type AuthenticationRequest = unit(length: uint32) {
identifier: uint32 &requires=($$ <= 12) {
if (self.identifier == 0 && length != 4)
throw "AuthenticationOK with wrong length: %s" % length;
}
# There's more structure (GSS-API, SASL, cleartext), but for now
# just thread through the raw data.
data: bytes &eod;
};
type BackendKeyData = unit {
process_id: uint32;
secret_key: uint32;
};
type NotImplemented = unit(typ: uint8) {
chunk: bytes &eod;
};
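Review bot: `FrontendMessage` and `BackendMessage` only check `self.length >= 4` before applying `&size=self.length - 4`, so the peer chooses the unit size up to the uint32 maximum, and `NotImplemented.chunk`, `AuthenticationResponse.data` and `AuthenticationRequest.data` are `bytes &eod` fields that keep the whole body in memory until the message ends. `DataRow` already avoids this with `skip bytes &eod`. For an analyzer that is enabled by default on untrusted traffic I would bound what gets retained, for example `chunk: bytes &eod &max-size=MAX_CHUNK_SIZE;` with a new constant next to `MAX_BUFFERED` (this turns an oversized message into a parse error), or skip the remainder once a cap is reached. `StartupMessage.length` has the same missing upper bound.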


@ -0,0 +1,43 @@
# Set up protocol confirmation/rejection for analyzers, as well as any further
# Zeek-specific analysis.
module PostgreSQL_Zeek;
import PostgreSQL;
import zeek;
# If we see a client StartupMessage, that's pretty good.
on PostgreSQL::StartupMessage::%done {
zeek::confirm_protocol();
}
# If the server replied with an ssl_byte and we let it through,
# that's also pretty good.
on PostgreSQL::MaybeBackendSSL::ssl_byte {
zeek::confirm_protocol();
}
on PostgreSQL::SSLSink::%init {
zeek::protocol_begin("SSL");
}
on PostgreSQL::SSLSink::%done {
zeek::protocol_end();
}
on PostgreSQL::SSLSink::chunk {
# print "ssl_chunk", zeek::is_orig(), self;
zeek::protocol_data_in(zeek::is_orig(), self.chunk);
}
on PostgreSQL::StartupMessage::%error(msg: string) {
zeek::reject_protocol("error while parsing PostgreSQL StartupMessage: %s" % msg);
}
on PostgreSQL::FrontendMessage::%error(msg: string) {
zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg);
}
on PostgreSQL::BackendMessage::%error(msg: string) {
zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg);
}
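Review bot: `%error` hooks that call `zeek::reject_protocol()` exist for `StartupMessage`, `FrontendMessage` and `BackendMessage`, but not for `MaybeBackendSSL`, which is also attached through a sink and fails when `ssl_byte` is neither 'S' nor 'N'. If errors in sink-connected units are not reported to Zeek on their own (which the three existing hooks suggest), that failure leaves the analyzer attached without a violation being raised. Adding `on PostgreSQL::MaybeBackendSSL::%error(msg: string) { zeek::reject_protocol("error while parsing PostgreSQL SSL reply: %s" % msg); }` would close the gap.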


@ -38,6 +38,7 @@
2 53 2 53
1 5353 1 5353
1 5355 1 5355
1 5432
1 563 1 563
1 585 1 585
1 587 1 587
@ -65,8 +66,8 @@
1 992 1 992
1 993 1 993
1 995 1 995
74 and 75 and
73 or 74 or
74 port 75 port
46 tcp 47 tcp
28 udp 28 udp


@ -435,6 +435,10 @@ scripts/base/init-default.zeek
scripts/base/protocols/ntp/main.zeek scripts/base/protocols/ntp/main.zeek
scripts/base/protocols/ntp/consts.zeek scripts/base/protocols/ntp/consts.zeek
scripts/base/protocols/pop3/__load__.zeek scripts/base/protocols/pop3/__load__.zeek
scripts/base/protocols/postgresql/__load__.zeek
scripts/base/protocols/postgresql/consts.zeek
scripts/base/protocols/postgresql/spicy-events.zeek
scripts/base/protocols/postgresql/main.zeek
scripts/base/protocols/quic/__load__.zeek scripts/base/protocols/quic/__load__.zeek
scripts/base/protocols/quic/spicy-events.zeek scripts/base/protocols/quic/spicy-events.zeek
scripts/base/protocols/quic/consts.zeek scripts/base/protocols/quic/consts.zeek


@ -41,6 +41,7 @@ ocsp
openflow openflow
packet_filter packet_filter
pe pe
postgresql
print_log_path print_log_path
quic quic
radius radius


@ -509,6 +509,35 @@ connection {
* size: count, log=F, optional=F * size: count, log=F, optional=F
* state: count, log=F, optional=F * state: count, log=F, optional=F
} }
* postgresql: record PostgreSQL::Info, log=F, optional=T
PostgreSQL::Info {
* application_name: string, log=T, optional=T
* backend: string, log=T, optional=T
* backend_arg: string, log=T, optional=T
* database: string, log=T, optional=T
* frontend: string, log=T, optional=T
* frontend_arg: string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* rows: count, log=T, optional=T
* success: bool, log=T, optional=T
* ts: time, log=T, optional=F
* uid: string, log=T, optional=F
* user: string, log=T, optional=T
}
* postgresql_state: record PostgreSQL::State, log=F, optional=T
PostgreSQL::State {
* application_name: string, log=F, optional=T
* database: string, log=F, optional=T
* errors: vector of string, log=F, optional=F
* rows: count, log=F, optional=T
* user: string, log=F, optional=T
* version: record PostgreSQL::Version, log=F, optional=T
PostgreSQL::Version {
* major: count, log=F, optional=F
* minor: count, log=F, optional=F
}
}
* quic: record QUIC::Info, log=F, optional=T * quic: record QUIC::Info, log=F, optional=T
QUIC::Info { QUIC::Info {
* client_initial_dcid: string, log=T, optional=T * client_initial_dcid: string, log=T, optional=T


@ -7,10 +7,10 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string
XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
1673270800.189652 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54958 127.0.0.1 5432 -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 54906 127.0.0.1 5432 -


@ -0,0 +1,483 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
XXXXXXXXXX.XXXXXX PostgreSQL::ssl_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 613.140106 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX analyzer_confirmation_info
[0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_POSTGRESQL
[1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=3, num_bytes_ip=172, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 382.205963 usecs, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}], f=<uninitialized>, aid=3]
XXXXXXXXXX.XXXXXX PostgreSQL::ssl_reply
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=8, state=4, num_pkts=3, num_bytes_ip=172, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 382.205963 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = N
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = user
[2] value: string = zeek
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = database
[2] value: string = zeek
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = application_name
[2] value: string = psql
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = client_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::startup_message
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=4, num_bytes_ip=224, flow_label=0, l2_addr=<uninitialized>], resp=[size=1, state=4, num_pkts=3, num_bytes_ip=165, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 510.23674 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] major: count = 3
[2] minor: count = 0
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=5, num_bytes_ip=352, flow_label=0, l2_addr=<uninitialized>], resp=[size=25, state=4, num_pkts=4, num_bytes_ip=217, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=5.0 msecs 738.019943 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 10
[2] data: string = SCRAM-SHA-256\x00\x00
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=6, num_bytes_ip=404, flow_label=0, l2_addr=<uninitialized>], resp=[size=25, state=4, num_pkts=5, num_bytes_ip=293, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 98.031998 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=7, num_bytes_ip=511, flow_label=0, l2_addr=<uninitialized>], resp=[size=118, state=4, num_pkts=6, num_bytes_ip=345, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 646.156311 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 11
[2] data: string = r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,s=+CteaSWwgyiphFuGGX5BiA==,i=4096
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=8, num_bytes_ip=563, flow_label=0, l2_addr=<uninitialized>], resp=[size=118, state=4, num_pkts=7, num_bytes_ip=490, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 935.058594 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = c=biws,r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,p=dyDbm15UroGE6wwsbEqiKmSYJNRf50RC/KK2ULYhR4M=
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 12
[2] data: string = v=0jpq9fPJQZCGXFdlCjQTGro71zmbxS/ENeTsnR2nWp4=
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_ok
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = application_name
[2] value: string = psql
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = client_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = DateStyle
[2] value: string = ISO, MDY
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = default_transaction_read_only
[2] value: string = off
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = in_hot_standby
[2] value: string = off
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = integer_datetimes
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = IntervalStyle
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = is_superuser
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = server_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = server_version
[2] value: string = 14.5 (Debian 14.5-1.pgdg110+1)
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = session_authorization
[2] value: string = zeek
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = standard_conforming_strings
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = TimeZone
[2] value: string = Etc/UTC
XXXXXXXXXX.XXXXXX PostgreSQL::backend_key_data
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] process_id: count = 96
[2] secret_key: count = 590994220
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=9, num_bytes_ip=724, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=8, num_bytes_ip=542, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=24.0 msecs 738.073349 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=10, num_bytes_ip=776, flow_label=0, l2_addr=<uninitialized>], resp=[size=583, state=4, num_pkts=9, num_bytes_ip=1059, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=25.0 msecs 581.121445 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = select now()
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = T
[3] chunk: string = \x00\x01now\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\xa0\x00\x08\xff\xff\xff\xff\x00\x00
XXXXXXXXXX.XXXXXX PostgreSQL::data_row
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] column_values: count = 1
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = C
[3] chunk: string = SELECT 1\x00
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=266, state=4, num_pkts=11, num_bytes_ip=846, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=10, num_bytes_ip=1111, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 796.102524 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::terminate
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=35336/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=271, state=4, num_pkts=12, num_bytes_ip=898, flow_label=0, l2_addr=<uninitialized>], resp=[size=672, state=4, num_pkts=11, num_bytes_ip=1252, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=27.0 msecs 49.064636 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = user
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = database
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = application_name
[2] value: string = psql
XXXXXXXXXX.XXXXXX PostgreSQL::startup_parameter
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = client_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX analyzer_confirmation_info
[0] atype: AllAnalyzers::Tag = Analyzer::ANALYZER_POSTGRESQL
[1] info: AnalyzerConfirmationInfo = [c=[id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0a\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}], f=<uninitialized>, aid=3]
XXXXXXXXXX.XXXXXX PostgreSQL::startup_message
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=294.923782 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] major: count = 3
[2] minor: count = 0
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=84, state=4, num_pkts=3, num_bytes_ip=248, flow_label=0, l2_addr=<uninitialized>], resp=[size=24, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=1.0 msec 885.890961 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 10
[2] data: string = SCRAM-SHA-256\x00\x00
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=4, num_bytes_ip=300, flow_label=0, l2_addr=<uninitialized>], resp=[size=24, state=4, num_pkts=3, num_bytes_ip=188, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=2.0 msecs 925.872803 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=TwGbAdrgxcvfe7FNe0iWJfSf
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=139, state=4, num_pkts=5, num_bytes_ip=407, flow_label=0, l2_addr=<uninitialized>], resp=[size=117, state=4, num_pkts=3, num_bytes_ip=188, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=3.0 msecs 165.006638 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 11
[2] data: string = r=TwGbAdrgxcvfe7FNe0iWJfSf3mBBWw9W0eciRd2Pkg2/HIB1,s=iKUi26lwqA6spIkddhe7hw==,i=4096
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=5, num_bytes_ip=407, flow_label=0, l2_addr=<uninitialized>], resp=[size=117, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=5.0 msecs 603.790283 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] data: string = c=biws,r=TwGbAdrgxcvfe7FNe0iWJfSf3mBBWw9W0eciRd2Pkg2/HIB1,p=Y0VuiVVs4GDpPeMPkQcE0ADRvkq3Njc1mpCIrK1m/1Q=
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_request
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] identifier: count = 12
[2] data: string = v=na9OnyjI3MkvsAm3C8I8BoeiU4I6QL3HPaMCcLTOgfA=
XXXXXXXXXX.XXXXXX PostgreSQL::authentication_ok
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = in_hot_standby
[2] value: string = off
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = integer_datetimes
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = TimeZone
[2] value: string = Etc/UTC
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = IntervalStyle
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = is_superuser
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = application_name
[2] value: string = psql
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = default_transaction_read_only
[2] value: string = off
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = scram_iterations
[2] value: string = 4096
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = DateStyle
[2] value: string = ISO, MDY
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = standard_conforming_strings
[2] value: string = on
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = session_authorization
[2] value: string = postgres
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = client_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = server_version
[2] value: string = 16.4 (Debian 16.4-1.pgdg120+1)
XXXXXXXXXX.XXXXXX PostgreSQL::parameter_status
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] name: string = server_encoding
[2] value: string = UTF8
XXXXXXXXXX.XXXXXX PostgreSQL::backend_key_data
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] process_id: count = 876
[2] secret_key: count = 4268530428
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=248, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=4, num_bytes_ip=333, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 734.848022 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=6, num_bytes_ip=568, flow_label=0, l2_addr=<uninitialized>], resp=[size=613, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=6.0 msecs 889.820099 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = DROP TABLE IF EXISTS t;
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = S
[2] value: string = NOTICE
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = V
[2] value: string = NOTICE
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = C
[2] value: string = 00000
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = M
[2] value: string = table "t" does not exist, skipping
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = F
[2] value: string = tablecmds.c
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = L
[2] value: string = 1300
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = R
[2] value: string = DropErrorMsgNonExistent
XXXXXXXXXX.XXXXXX PostgreSQL::notice_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = C
[3] chunk: string = DROP TABLE\x00
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=277, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=5, num_bytes_ip=881, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 133.00705 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=7, num_bytes_ip=649, flow_label=0, l2_addr=<uninitialized>], resp=[size=744, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=7.0 msecs 164.001465 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time);
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 630.836487 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = C
[3] chunk: string = CREATE TABLE\x00
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=339, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=6, num_bytes_ip=1064, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 630.836487 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=8, num_bytes_ip=763, flow_label=0, l2_addr=<uninitialized>], resp=[size=768, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 734.786987 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = INSERT INTO t VALUES (now(), now(), now());
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = S
[2] value: string = ERROR
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = V
[2] value: string = ERROR
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = C
[2] value: string = 42804
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = M
[2] value: string = column "i" is of type integer but expression is of type timestamp with time zone
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = H
[2] value: string = You will need to rewrite or cast the expression.
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = P
[2] value: string = 23
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = F
[2] value: string = parse_target.c
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = L
[2] value: string = 586
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = R
[2] value: string = transformAssignedExpr
XXXXXXXXXX.XXXXXX PostgreSQL::error_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=388, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=7, num_bytes_ip=1140, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=20.0 msecs 999.908447 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=9, num_bytes_ip=864, flow_label=0, l2_addr=<uninitialized>], resp=[size=981, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=21.0 msecs 95.991135 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = DROP TABLE t;
XXXXXXXXXX.XXXXXX PostgreSQL::not_implemented
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 515.939713 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] is_orig: bool = F
[2] typ: string = C
[3] chunk: string = DROP TABLE\x00
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=407, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=8, num_bytes_ip=1405, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 515.939713 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::simple_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=10, num_bytes_ip=935, flow_label=0, l2_addr=<uninitialized>], resp=[size=1003, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 620.843887 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] query: string = DROP TABLE t;
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = S
[2] value: string = ERROR
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = V
[2] value: string = ERROR
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = C
[2] value: string = 42P01
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = M
[2] value: string = table "t" does not exist
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = F
[2] value: string = tablecmds.c
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = L
[2] value: string = 1294
XXXXXXXXXX.XXXXXX PostgreSQL::error_response_identified_field
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] code: string = R
[2] value: string = DropErrorMsgNonExistent
XXXXXXXXXX.XXXXXX PostgreSQL::error_response
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1100, state=4, num_pkts=9, num_bytes_ip=1479, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 715.9729 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
XXXXXXXXXX.XXXXXX PostgreSQL::ready_for_query
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=426, state=4, num_pkts=11, num_bytes_ip=1006, flow_label=0, l2_addr=<uninitialized>], resp=[size=1106, state=4, num_pkts=10, num_bytes_ip=1628, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 727.893829 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]
[1] transaction_status: string = I
XXXXXXXXXX.XXXXXX PostgreSQL::terminate
[0] c: connection = [id=[orig_h=127.0.0.1, orig_p=56698/tcp, resp_h=127.0.0.1, resp_p=5432/tcp], orig=[size=431, state=4, num_pkts=12, num_bytes_ip=1058, flow_label=0, l2_addr=<uninitialized>], resp=[size=1106, state=4, num_pkts=11, num_bytes_ip=1686, flow_label=0, l2_addr=<uninitialized>], start_time=XXXXXXXXXX.XXXXXX, duration=23.0 msecs 757.93457 usecs, service={\x0aPOSTGRESQL\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, service_violation={\x0a\x0a}]


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
1362692526.939527 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 141.142.228.5 59856 192.150.187.43 5432 unsupported PostgreSQL major version 12132 (...) GET /download/CHANGES.bro-aux.txt HTTP/1


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 5432 ShADadFf -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
1723562242.888659 violation protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 43330 127.0.0.1 5432 unsupported PostgreSQL major version 3490 (...) \xf4\x00\x00\x01\x0d\xa2\x1b\x18\x00\x00\x00@\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 43330 127.0.0.1 5432 ShAdDaFf -


@ -0,0 +1,14 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
parameter_status, ClEkJM2Vm5giqnMf4h, application_name, psql
parameter_status, ClEkJM2Vm5giqnMf4h, client_encoding, UTF8
parameter_status, ClEkJM2Vm5giqnMf4h, DateStyle, ISO, MDY
parameter_status, ClEkJM2Vm5giqnMf4h, default_transaction_read_only, off
parameter_status, ClEkJM2Vm5giqnMf4h, in_hot_standby, off
parameter_status, ClEkJM2Vm5giqnMf4h, integer_datetimes, on
parameter_status, ClEkJM2Vm5giqnMf4h, IntervalStyle, postgres
parameter_status, ClEkJM2Vm5giqnMf4h, is_superuser, on
parameter_status, ClEkJM2Vm5giqnMf4h, server_encoding, UTF8
parameter_status, ClEkJM2Vm5giqnMf4h, server_version, 14.5 (Debian 14.5-1.pgdg110+1)
parameter_status, ClEkJM2Vm5giqnMf4h, session_authorization, zeek
parameter_status, ClEkJM2Vm5giqnMf4h, standard_conforming_strings, on
parameter_status, ClEkJM2Vm5giqnMf4h, TimeZone, Etc/UTC


@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
authentication_request, CHhAvVGS1DHFjwGM9, 10, SCRAM-SHA-256\x00\x00
authentication_response, CHhAvVGS1DHFjwGM9, SCRAM-SHA-256\x00\x00\x00\x00 n,,n=,r=RDNGxQAy+XBG1FTcB1V4APAi
authentication_request, CHhAvVGS1DHFjwGM9, 11, r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,s=+CteaSWwgyiphFuGGX5BiA==,i=4096
authentication_response, CHhAvVGS1DHFjwGM9, c=biws,r=RDNGxQAy+XBG1FTcB1V4APAiQKfUt9glP8g5pxy9DbOPP7XP,p=dyDbm15UroGE6wwsbEqiKmSYJNRf50RC/KK2ULYhR4M=
authentication_request, CHhAvVGS1DHFjwGM9, 12, v=0jpq9fPJQZCGXFdlCjQTGro71zmbxS/ENeTsnR2nWp4=
authentication_ok, CHhAvVGS1DHFjwGM9


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 postgresql


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql startup - auth_ok MD5Password T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql simple_query select now() - - T 1
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 15432 zeek zeek psql terminate - - - - -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 postgresql


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql startup - auth_ok MD5Password T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql simple_query select now() - - T 1
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36060 52.200.36.167 5432 zeek zeek psql terminate - - - - -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 ssl,postgresql


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 - - - ssl_request - ssl_reply S T -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 15432 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 database-1.cyx4x7yvdoay.us-east-1.rds.amazonaws.com


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 ssl,postgresql


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 - - - ssl_request - ssl_reply S T -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.123.132 36934 52.200.36.167 5432 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 database-1.cyx4x7yvdoay.us-east-1.rds.amazonaws.com


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgresql


@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql startup - auth_ok SASL,SASLContinue,SASLFinal T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE IF EXISTS t; - SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,Line=1300,Routine=DropErrorMsgNonExistent T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time); - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (42, 'forty-two', now()); - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (86, 'eighty-six', now()); - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query SELECT * from t; - - T 2
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DELETE FROM t; - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 40190 127.0.0.1 5432 postgres postgres psql terminate - - - - -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgresql


@ -0,0 +1,9 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql startup - auth_ok SASL,SASLContinue,SASLFinal T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE IF EXISTS t; - SeverityLocalized=NOTICE,Severity=NOTICE,Code=00000,Message=table "t" does not exist, skipping,File=tablecmds.c,Line=1300,Routine=DropErrorMsgNonExistent T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query CREATE TABLE IF NOT EXISTS t (i int, s varchar, t time); - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query INSERT INTO t VALUES (now(), now(), now()); error SeverityLocalized=ERROR,Severity=ERROR,Code=42804,Message=column "i" is of type integer but expression is of type timestamp with time zone,Hint=You will need to rewrite or cast the expression.,Position=23,File=parse_target.c,Line=586,Routine=transformAssignedExpr F -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; - - T 0
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql simple_query DROP TABLE t; error SeverityLocalized=ERROR,Severity=ERROR,Code=42P01,Message=table "t" does not exist,File=tablecmds.c,Line=1294,Routine=DropErrorMsgNonExistent F -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 56698 127.0.0.1 5432 postgres postgres psql terminate - - - - -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51732 127.0.0.1 5432 postgresql


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51732 127.0.0.1 5432 postgres postgres psql startup - auth_request,auth_request,error SASL,SASLContinue,SeverityLocalized=FATAL,Severity=FATAL,Code=28P01,Message=password authentication failed for user "postgres",File=auth.c,Line=323,Routine=auth_failed F -


@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 37268 127.0.0.1 5432 postgresql
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 postgresql


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 zeek zeek psql startup - auth_ok SASL,SASLContinue,SASLFinal T -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 37272 127.0.0.1 5432 zeek zeek psql terminate - - - - -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 37268 127.0.0.1 5432 zeek zeek psql startup - auth_request SASL - -


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 postgresql


@ -0,0 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p user database application_name frontend frontend_arg backend backend_arg success rows
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 - - - ssl_request - ssl_reply N F -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql startup - auth_ok SASL,SASLContinue,SASLFinal T -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql simple_query select now() - - T 1
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 35336 127.0.0.1 5432 zeek zeek psql terminate - - - - -


@ -0,0 +1,9 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
startup_parameter, CHhAvVGS1DHFjwGM9, user, zeek
startup_parameter, CHhAvVGS1DHFjwGM9, database, zeek
startup_parameter, CHhAvVGS1DHFjwGM9, application_name, psql
startup_parameter, CHhAvVGS1DHFjwGM9, client_encoding, UTF8
startup_parameter, ClEkJM2Vm5giqnMf4h, user, zeek
startup_parameter, ClEkJM2Vm5giqnMf4h, database, zeek
startup_parameter, ClEkJM2Vm5giqnMf4h, application_name, psql
startup_parameter, ClEkJM2Vm5giqnMf4h, client_encoding, UTF8

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,4 @@
# @TEST-DOC: Check that the PostgreSQL analyzer is available.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -NN | grep -qi 'ANALYZER_POSTGRESQL'


@ -0,0 +1,13 @@
# @TEST-DOC: Startup message triggering integer overflow
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-backend-message-1.pcap %INPUT
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
# @TEST-EXEC: test ! -f reporter.log
@load base/protocols/conn
@load base/protocols/postgresql
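Review bot: The `@TEST-DOC` line reads "Startup message triggering integer overflow", but the trace replayed here is `bad-backend-message-1.pcap`, and the next section (the `bad-startup-message-1.pcap` test) carries the identical description. The two parser-robustness regression tests cannot be told apart from their docs. Something like `# @TEST-DOC: Malformed backend message; expect an analyzer violation and no reporter.log` would match what the `btest-diff analyzer.cut` and `test ! -f reporter.log` lines check. The exact malformation inside the pcap is not visible from this page, so the wording should be adjusted to the real trigger.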


@ -0,0 +1,11 @@
# @TEST-DOC: Startup message triggering integer overflow
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/bad-startup-message-1.pcap ${PACKAGE} %INPUT
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: test ! -f reporter.log
@load base/protocols/conn
@load base/protocols/postgresql
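Review bot: The `zeek -b -Cr ... ${PACKAGE} %INPUT` command line still passes `${PACKAGE}`, which looks like a leftover from the standalone spicy-postgresql package this code originates from; the same token appears in the `psql-insert-fail-drop-fail.pcap` test further down. If the in-tree btest configuration does not define `PACKAGE`, it silently expands to nothing, so the line should read `zeek -b -Cr ${TRACES}/postgresql/bad-startup-message-1.pcap %INPUT`. Unlike the backend-message test above, this one also produces no `analyzer.cut`, so the expected violation for the malformed startup message is not pinned by a baseline. Adding `# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut` plus a `btest-diff analyzer.cut` with the same canonifier as the sibling test would cover it, assuming the parser reports a violation for this trace.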


@ -0,0 +1,17 @@
# @TEST-DOC: Test that misc/dump events works.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >>output
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >>output
#
# @TEST-EXEC: btest-diff output
@load base/protocols/postgresql/spicy-events.zeek
@load misc/dump-events
redef DumpEvents::dump_all_events = T;
redef DumpEvents::include=/^(PostgreSQL|analyzer_)/;
event zeek_init() {
Analyzer::register_for_port(Analyzer::ANALYZER_POSTGRESQL, 5432/tcp);
}


@ -0,0 +1,13 @@
# @TEST-DOC: Test rejecting wrong protocol.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/http-on-port-5432.pcap %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
# @TEST-EXEC: test ! -f postgresql.log
@load base/protocols/conn
@load base/protocols/postgresql
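Review bot: This wrong-protocol test, like the `mysql-on-port-5432.pcap` test in the next section, does not assert `test ! -f reporter.log`, although the two `bad-*` tests above do. Feeding non-PostgreSQL bytes to the parser is exactly the case where a runtime error, rather than a clean analyzer violation, would show up in reporter.log. Adding `# @TEST-EXEC: test ! -f reporter.log` to both tests would keep the rejection path covered. The `>output` redirect is never diffed in either test and could be dropped.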


@ -0,0 +1,13 @@
# @TEST-DOC: Test rejecting wrong protocol.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/mysql-on-port-5432.pcap %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p history service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < analyzer.log > analyzer.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -r 's,(.*) \(/[^\)]+\),\1 (...),'" btest-diff analyzer.cut
# @TEST-EXEC: test ! -f postgresql.log
@load base/protocols/conn
@load base/protocols/postgresql


@ -0,0 +1,12 @@
# @TEST-DOC: Test the parameter status event.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
#
# @TEST-EXEC: btest-diff output
@load base/protocols/postgresql
event PostgreSQL::parameter_status(c: connection, name: string, value: string) {
print "parameter_status", c$uid, name, value;
}


@ -0,0 +1,20 @@
# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
#
# @TEST-EXEC: btest-diff output
@load base/protocols/postgresql
event PostgreSQL::authentication_request(c: connection, identifier: count, data: string) {
print "authentication_request", c$uid, identifier, data;
}
event PostgreSQL::authentication_response(c: connection, data: string) {
print "authentication_response", c$uid, data;
}
event PostgreSQL::authentication_ok(c: connection) {
print "authentication_ok", c$uid;
}
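Review bot: The `authentication_request` and `authentication_response` handlers print `data` verbatim, and the baseline for this test shows that this is the complete SCRAM-SHA-256 exchange (nonces, salt, iteration count, client proof and server signature) together with unparsed framing bytes. That is fine for a baseline, but handlers in tests tend to be copied into site scripts, and persisting this material lets anyone with log access test password guesses offline. I would add a comment above the handlers such as `# Raw SASL payloads are printed for the baseline only; do not write data to logs in production scripts.` The `postgresql.log` baselines on this page record only the auth step names in `backend_arg`, which suggests the shipped logging already avoids this.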


@ -0,0 +1,12 @@
# @TEST-DOC: Test that the dpd.sig picks up a plaintext connection on a non-standard port.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable-15432.pcap %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff postgresql.cut
@load base/protocols/conn
@load base/protocols/postgresql


@ -0,0 +1,14 @@
# @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-disable.pcap %INPUT
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff postgresql.cut
# @TEST-EXEC: test ! -f ssl.log
@load base/protocols/conn
@load base/protocols/postgresql
@load base/protocols/ssl
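Review bot: The `@TEST-DOC` text "Test that SSLRequest is recognized and ssl.log exists" contradicts this test, which replays `psql-aws-ssl-disable.pcap` and asserts `test ! -f ssl.log`. It appears to have been copied from the `psql-aws-ssl-require.pcap` test. A description such as `# @TEST-DOC: Test that a plaintext session (no SSLRequest) is parsed and no ssl.log is written` would match the assertions. That the trace contains no SSLRequest is inferred from the pcap name and should be confirmed.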


@ -0,0 +1,15 @@
# @TEST-DOC: Test that the dpd.sig picks up the SSLRequest and server response on a non-standard port.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require-15432.pcap %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff ssl.cut
# @TEST-EXEC: btest-diff postgresql.cut
@load base/protocols/conn
@load base/protocols/postgresql
@load base/protocols/ssl


@ -0,0 +1,15 @@
# @TEST-DOC: Test that SSLRequest is recognized and ssl.log exists
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-aws-ssl-require.pcap %INPUT
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name < ssl.log > ssl.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff ssl.cut
# @TEST-EXEC: btest-diff postgresql.cut
@load base/protocols/conn
@load base/protocols/postgresql
@load base/protocols/ssl


@ -0,0 +1,12 @@
# @TEST-DOC: Trace with CREATE TABLE, INSERT, SELECT DELETE and DROP.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-create-insert-select-delete-drop.pcap %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff postgresql.cut
@load base/protocols/conn
@load base/protocols/postgresql


@ -0,0 +1,12 @@
# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap ${PACKAGE} %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff postgresql.cut
@load base/protocols/conn
@load base/protocols/postgresql
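Review bot: The zeek command line passes `${PACKAGE}` before `%INPUT`, which none of the other PostgreSQL tests do. It is presumably a leftover from the standalone spicy-postgresql package this code originates from. If the variable is unset in Zeek's btest environment it expands to nothing, and if it is ever set the test would load something the in-tree analyzer does not need. The line should read `# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-insert-fail-drop-fail.pcap %INPUT >output`.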


@ -0,0 +1,12 @@
# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-fail.pcap %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff postgresql.cut
@load base/protocols/conn
@load base/protocols/postgresql
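Review bot: The `@TEST-DOC` text "Test Zeek parsing a trace file through the PostgreSQL analyzer." does not say what this test covers, and the same sentence is reused verbatim in the psql-insert-fail-drop-fail and psql-select-now tests. Going by the trace name, something like `# @TEST-DOC: Test the postgresql.log entries for a failed login attempt.` would tell a maintainer what a baseline change here means. The other two tests should get equally specific descriptions.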


@ -0,0 +1,12 @@
# @TEST-DOC: The client does not start with SSLRequest. This pcap has two connections, attempting without password.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff postgresql.cut
@load base/protocols/conn
@load base/protocols/postgresql


@ -0,0 +1,12 @@
# @TEST-DOC: Test Zeek parsing a trace file through the PostgreSQL analyzer.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-select-now.pcap %INPUT >output
# @TEST-EXEC: zeek-cut -m ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log > conn.cut
# @TEST-EXEC: zeek-cut -m < postgresql.log > postgresql.cut
#
# @TEST-EXEC: btest-diff conn.cut
# @TEST-EXEC: btest-diff postgresql.cut
@load base/protocols/conn
@load base/protocols/postgresql


@ -0,0 +1,12 @@
# @TEST-DOC: Event for name, value pairs in the startup message.
#
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-EXEC: zeek -b -Cr ${TRACES}/postgresql/psql-login-no-sslrequest.pcap %INPUT >output
#
# @TEST-EXEC: btest-diff output
@load base/protocols/postgresql
event PostgreSQL::startup_parameter(c: connection, name: string, value: string) {
print "startup_parameter", c$uid, name, value;
}