DPD: change policy script for service violation logging; add NEWS

This commit renames the `service_violation` column that can be added via
a policy script to `failed_service`. This expresses the intent of it
better - the column contains services that failed and were removed after
confirmation.

Furthermore, the script is fixed so it actually does this - before it
would sometimes add services to the list that were not actually removed.
In the course of this, the type of the column was changed from a vector
to an ordered set.

Due to the column rename, the policy script itself is also renamed.

Also adds a NEWS entry for the DPD changes.

scripts/policy/protocols/conn/failed-service-logging.zeek

@@ -0,0 +1,38 @@
+##! This script adds the new column ``failed_service`` to the connection log.
+##! The column contains the list of protocols in a connection that raised protocol
+##! violations causing the analyzer to be removed. Protocols are listed in order
+##! that they were removed.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Conn::Info += {
+	## List of analyzers in a connection that raised violations
+	## causing their removal.
+	## Analyzers are listed in order that they were removed.
+	failed_service: set[string] &log &optional &ordered;
+};
+
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-1000
+	{
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
+		return;
+
+
+	# Only add if previously confirmed
+	if ( Analyzer::name(atype) !in c$service )
+		return;
+
+	set_conn(c, F);
+
+	local aname = to_lower(Analyzer::name(atype));
+	# No duplicate logging
+	if ( c$conn?$failed_service && aname in c$conn$failed_service )
+		return;
+
+	if ( ! c$conn?$failed_service )
+		c$conn$failed_service = set();
+
+	add c$conn$failed_service[aname];
+	}