SSL: do not try to disable failed analyzer

Currently, if a TLS/DTLS analyzer fails with a protocol violation, we will still try to remove the analyzer later, which results in the following error message: error: connection does not have analyzer specified to disable Now, instead we don't try removing the analyzer anymore, after a violation occurred.
2025-10-02 14:48:21 +00:00 · 2023-05-03 11:16:14 +01:00 · 2023-05-03 11:16:14 +01:00 · 21888a145a
commit 21888a145a
parent cc25129b2f
4 changed files with 15 additions and 0 deletions
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -499,6 +499,15 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
 		}
 	}

+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
+	{
+	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+		{
+		# analyzer errored out; prevent us from trying to remove it later
+		delete info$c$ssl$analyzer_id;
+		}
+	}
+
 event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
 	{
 	set_session(c);