mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 18:18:19 +00:00
85ca59484b
This adds a protocol parser for the PostgreSQL protocol and a new postgresql.log similar to the existing mysql.log. This should be considered preliminary and hopefully during 7.1 and 7.2 with feedback from the community, we can improve on the events and logs. Even if most PostgreSQL communication is encrypted in the real-world, this will minimally allow monitoring of the SSLRequest and hand off further analysis to the SSL analyzer. This originates from github.com/awelzel/spicy-postgresql, with lots of polishing happening in the past two days.
43 lines
1.1 KiB
Text
43 lines
1.1 KiB
Text
# Set up protocol confirmation/rejection for analyzers, as well as any further
|
|
# Zeek-specific analysis.
|
|
|
|
module PostgreSQL_Zeek;
|
|
|
|
import PostgreSQL;
|
|
import zeek;
|
|
|
|
# If we see a client StartupMessage, that's pretty good.
|
|
on PostgreSQL::StartupMessage::%done {
|
|
zeek::confirm_protocol();
|
|
}
|
|
|
|
# If the server replied with an ssl_byte and we let it through,
|
|
# that's also pretty good.
|
|
on PostgreSQL::MaybeBackendSSL::ssl_byte {
|
|
zeek::confirm_protocol();
|
|
}
|
|
|
|
on PostgreSQL::SSLSink::%init {
|
|
zeek::protocol_begin("SSL");
|
|
}
|
|
|
|
on PostgreSQL::SSLSink::%done {
|
|
zeek::protocol_end();
|
|
}
|
|
|
|
on PostgreSQL::SSLSink::chunk {
|
|
# print "ssl_chunk", zeek::is_orig(), self;
|
|
zeek::protocol_data_in(zeek::is_orig(), self.chunk);
|
|
}
|
|
|
|
on PostgreSQL::StartupMessage::%error(msg: string) {
|
|
zeek::reject_protocol("error while parsing PostgreSQL StartupMessage: %s" % msg);
|
|
}
|
|
|
|
on PostgreSQL::FrontendMessage::%error(msg: string) {
|
|
zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg);
|
|
}
|
|
|
|
on PostgreSQL::BackendMessage::%error(msg: string) {
|
|
zeek::reject_protocol("error while parsing PostgreSQL: %s" % msg);
|
|
}
|