scripts/analyzer: Introduce Analyzer::requested_analyzers

In certain deployment scenarios, all analyzers are disabled by default.
However, conditionally/optionally loaded scripts may rely on analyzers
functioning and declare a request for them.

Add a global set set to the Analyzer module where external scripts can record
their requirement/request for a certain analyzer. Analyzers found in this
set are enabled at zeek_init() time.

NEWS

@@ -150,6 +150,11 @@ New Functionality
   ``ssh2_gh_gex_init``, ``ssh2_gss_init``, ssh2_rsa_secret``) to detect
   when SSH client and server roles are reversed.
 
+- Analyzers found in the new ``Analyzer::requested_analyzers`` set will be
+  enabled at ``zeek_init()`` time. The set can be populated via :zeek:see:`redef`.
+  This change only has an effect in settings where ``Analyzer::disable_all``
+  is changed to ``T``. By default, all analyzers continue to be enabled.
+
 Changed Functionality
 ---------------------
 

scripts/base/frameworks/analyzer/main.zeek

@@ -149,6 +149,16 @@ export {
 	## Analyzer::register_for_port(s) and packet analyzers can add to this
 	## using PacketAnalyzer::register_for_port(s).
 	global ports: table[AllAnalyzers::Tag] of set[port];
+
+	## A set of protocol, packet or file analyzer tags requested to
+	## be enabled during startup.
+	##
+	## By default, all analyzers in Zeek are enabled. When all analyzers
+	## are disabled through :zeek:see:`Analyzer::disable_all`, this set
+	## set allows to record analyzers to be enabled during Zeek startup.
+	##
+	## This set can be added to via :zeek:see:`redef`.
+	global requested_analyzers: set[AllAnalyzers::Tag] = {} &redef;
 }
 
 @load base/bif/analyzer.bif
@@ -164,6 +174,12 @@ event zeek_init() &priority=5
 		disable_analyzer(a);
 	}
 
+event zeek_init() &priority=-5
+	{
+	for ( a in requested_analyzers )
+		Analyzer::enable_analyzer(a);
+	}
+
 function enable_analyzer(tag: AllAnalyzers::Tag) : bool
 	{
 	if ( is_packet_analyzer(tag) )

testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/conn.log

@@ -0,0 +1,34 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	141.142.220.118	32902	141.142.2.2	53	udp	-	0.000317	38	89	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	141.142.220.118	37676	141.142.2.2	53	udp	-	0.000420	52	99	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C9rXSW3KSpTYvPrlI1	141.142.220.118	38911	141.142.2.2	53	udp	-	0.000335	52	99	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	141.142.220.118	40526	141.142.2.2	53	udp	-	0.000392	38	183	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	141.142.220.118	43927	141.142.2.2	53	udp	-	0.000435	38	89	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C7fIlMZDuRiqjpYbb	141.142.220.118	45000	141.142.2.2	53	udp	-	0.000384	38	89	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CtxTCR2Yer0FR1tIBg	141.142.220.118	48128	141.142.2.2	53	udp	-	0.000423	38	183	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CykQaM33ztNt0csB9a	141.142.220.118	48479	141.142.2.2	53	udp	-	0.000317	52	99	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CqlVyW1YwZ15RhTBc4	141.142.220.118	55092	141.142.2.2	53	udp	-	0.000374	36	198	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C1Xkzz2MaGtLrc1Tla	141.142.220.118	56056	141.142.2.2	53	udp	-	0.000402	36	131	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CFLRIC3zaTU1loLGxh	141.142.220.118	58206	141.142.2.2	53	udp	-	0.000339	38	89	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CwjjYJ2WqgTbAqiHl6	141.142.220.118	59714	141.142.2.2	53	udp	-	0.000375	38	183	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	Ck51lg1bScffFj34Ri	141.142.220.118	59746	141.142.2.2	53	udp	-	0.000421	38	183	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	141.142.220.118	59816	141.142.2.2	53	udp	-	0.000343	52	99	SF	-	-	0	Dd	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	141.142.220.118	35634	208.80.152.2	80	tcp	-	0.061329	463	350	OTH	-	-	0	DdA	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CLNN1k2QMum1aexUK7	141.142.220.118	35642	208.80.152.2	80	tcp	http	0.120041	534	412	S1	-	-	0	ShADad	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	141.142.220.118	49996	208.80.152.3	80	tcp	http	0.218501	1171	733	S1	-	-	0	ShADad	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	141.142.220.118	49997	208.80.152.3	80	tcp	http	0.219720	1125	734	S1	-	-	0	ShADad	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	141.142.220.118	49998	208.80.152.3	80	tcp	http	0.215893	1130	734	S1	-	-	0	ShADad	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C9mvWx3ezztgzcexV7	141.142.220.118	49999	208.80.152.3	80	tcp	http	0.220961	1137	733	S1	-	-	0	ShADad	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CNnMIj2QSd84NKf7U3	141.142.220.118	50000	208.80.152.3	80	tcp	http	0.229603	1148	734	S1	-	-	0	ShADad	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CpmdRlaUoJLN3uIRa	141.142.220.118	50001	208.80.152.3	80	tcp	http	0.227284	1178	734	S1	-	-	0	ShADad	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	141.142.220.118	48649	208.80.152.118	80	tcp	http	0.119905	525	232	S1	-	-	0	ShADad	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CBA8792iHmnhPLksKa	141.142.220.235	6705	173.192.163.128	80	tcp	-	-	-	-	OTH	-	-	0	^h	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.frameworks.analyzer.request-analyzer/http.log

@@ -0,0 +1,24 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	141.142.220.118	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	1.1	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	141.142.220.118	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	141.142.220.118	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	141.142.220.118	49998	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/b/bd/Bookshelf-40x201_6.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CNnMIj2QSd84NKf7U3	141.142.220.118	50000	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C9mvWx3ezztgzcexV7	141.142.220.118	49999	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CpmdRlaUoJLN3uIRa	141.142.220.118	50001	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CLNN1k2QMum1aexUK7	141.142.220.118	35642	208.80.152.2	80	1	GET	meta.wikimedia.org	/images/wikimedia-button.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	141.142.220.118	49997	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	141.142.220.118	49996	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	141.142.220.118	49998	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CNnMIj2QSd84NKf7U3	141.142.220.118	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C9mvWx3ezztgzcexV7	141.142.220.118	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CpmdRlaUoJLN3uIRa	141.142.220.118	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	1.0	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	-	0	0	304	Not Modified	-	-	(empty)	-	-	-	-	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/scripts/base/frameworks/analyzer/request-analyzer.zeek

@@ -0,0 +1,16 @@
+# @TEST-DOC: Ensure only the HTTP analyzer is enabled (filter out some noise from the trace)
+# @TEST-EXEC: zeek -b -f 'port 53 or port 80'  -r ${TRACES}/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: test ! -f dns.log
+
+@load base/protocols/conn
+@load base/protocols/dns
+@load base/protocols/http
+
+# Turn all analyzers off.
+redef Analyzer::disable_all = T;
+
+redef Analyzer::requested_analyzers += {
+	Analyzer::ANALYZER_HTTP,
+};