dpd: Replace negated service fmt() magic with dedicated field

...the only known cases where the `-` for `connection$service` was
handled is to skip/ignore these analyzers.

Slight suspicion that join_string_set() should maybe become a bif
now determine_service() runs once for each connection.

Closes #2388

scripts/base/frameworks/analyzer/dpd.zeek

@@ -46,6 +46,9 @@ export {
 redef record connection += {
 	dpd: Info &optional;
 	dpd_state: State &optional;
+	## The set of services (analyzers) for which Zeek has observed a
+	## violation after the same service had previously been confirmed.
+	service_violation: set[AllAnalyzers::Tag] &default=set();
 };
 
 event zeek_init() &priority=5
@@ -56,10 +59,6 @@ event zeek_init() &priority=5
 event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10
 	{
 	local analyzer = Analyzer::name(atype);
-
-	if ( fmt("-%s",analyzer) in c$service )
-		delete c$service[fmt("-%s", analyzer)];
-
 	add c$service[analyzer];
 	}
 
@@ -73,7 +72,7 @@ event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
 		return;
 
 	delete c$service[analyzer];
-	add c$service[fmt("-%s", analyzer)];
+	add c$service_violation[atype];
 
 	local info: Info;
 	info$ts=network_time();

scripts/base/protocols/conn/main.zeek

@@ -6,6 +6,7 @@
 ##! the destination port being the ICMP message code.
 
 @load base/utils/site
+@load base/utils/strings
 
 module Conn;
 
@@ -225,14 +226,7 @@ function conn_state(c: connection, trans: transport_proto): string
 
 function determine_service(c: connection): string
 	{
-	local service = "";
-	for ( s in c$service )
-		{
-		if ( sub_bytes(s, 0, 1) != "-" )
-			service = service == "" ? s : cat(service, ",", s);
-		}
-
-	return to_lower(service);
+	return to_lower(join_string_set(c$service, ","));
 	}
 
 ## Fill out the c$conn record for logging