protocol: Add StreamEvent analyzer

This analyzer can be used to transport raw stream data for a given
connection to the script layer. For example, adding this analyzer into
the HTTP::upgrade_analyzer or using it to configure a child WebSocket
analyzer allows to get access to the raw stream data in script land
when no more appropriate protocol analyzer is available.

NEWS

@@ -86,6 +86,20 @@ New Functionality
 
   redef LogSQLite::journal_mode=LogSQLite::SQLITE_JOURNAL_MODE_WAL;
 
+* A pseudo protocol analyzer StreamEvent has been added. Attaching this analyzer
+  to TCP connections allows processing the connection's stream data in the
+  scripting layer. One example use-case is interactive terminal sessions over
+  HTTP connections upgraded to TCP.
+
+	redef HTTP::upgrade_analyzers += {
+		["tcp"] = Analyzer::ANALYZER_STREAM_EVENT,
+	};
+
+	event stream_deliver(c: connection, is_orig: bool, data: string);
+
+  This comes with performance caveats: For use-cases with high-data rates
+  a native protocol analyzer with dedicated events will be far more efficient.
+
 Changed Functionality
 ---------------------
 

src/analyzer/protocol/CMakeLists.txt

@@ -41,6 +41,7 @@ add_subdirectory(snmp)
 add_subdirectory(socks)
 add_subdirectory(ssh)
 add_subdirectory(ssl)
+add_subdirectory(stream_event)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(websocket)

src/analyzer/protocol/stream_event/CMakeLists.txt

@@ -0,0 +1,8 @@
+zeek_add_plugin(
+    Zeek
+    StreamEvent
+    SOURCES
+    StreamEvent.cc
+    Plugin.cc
+    BIFS
+    events.bif)

src/analyzer/protocol/stream_event/Plugin.cc

@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/analyzer/Component.h"
+#include "zeek/analyzer/protocol/stream_event/StreamEvent.h"
+
+namespace zeek::plugin::detail::Zeek_StreamEvent {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+    zeek::plugin::Configuration Configure() override {
+        AddComponent(new zeek::analyzer::Component("STREAM_EVENT",
+                                                   zeek::analyzer::stream_event::StreamEvent_Analyzer::Instantiate));
+
+        zeek::plugin::Configuration config;
+        config.name = "Zeek::StreamEvent";
+        config.description = "Delivers stream data as events";
+        return config;
+    }
+} plugin;
+
+} // namespace zeek::plugin::detail::Zeek_StreamEvent

src/analyzer/protocol/stream_event/README

@@ -0,0 +1,9 @@
+TCP application analyzer for handing raw stream data to script-land.
+
+This analyzer can be added as an upgrade analyzer, registered via the
+well-known ports mechanism, or even DPD. It allows script-layer access
+to the stream data when no more specific analyzer is available.
+
+This is similar to the tcp_contents event, but more flexible in that it
+can be added to an existing connection, or disabled over the lifetime
+of a connection.

src/analyzer/protocol/stream_event/StreamEvent.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/analyzer/protocol/stream_event/StreamEvent.h"
+
+#include "zeek/analyzer/protocol/stream_event/events.bif.h"
+
+namespace zeek::analyzer::stream_event {
+
+StreamEvent_Analyzer::StreamEvent_Analyzer(Connection* conn)
+    : analyzer::tcp::TCP_ApplicationAnalyzer("STREAM_EVENT", conn) {}
+
+
+void StreamEvent_Analyzer::DeliverStream(int len, const u_char* data, bool orig) {
+    analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+    auto s = len > 0 ? zeek::make_intrusive<StringVal>(len, reinterpret_cast<const char*>(data)) :
+                       zeek::val_mgr->EmptyString();
+
+    BifEvent::enqueue_stream_deliver(this, Conn(), orig, std::move(s));
+}
+void StreamEvent_Analyzer::Undelivered(uint64_t seq, int len, bool orig) {
+    analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+
+    BifEvent::enqueue_stream_undelivered(this, Conn(), orig, seq, len);
+}
+
+} // namespace zeek::analyzer::stream_event

src/analyzer/protocol/stream_event/StreamEvent.h

@@ -0,0 +1,19 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/analyzer/protocol/tcp/TCP.h"
+
+namespace zeek::analyzer::stream_event {
+
+class StreamEvent_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer {
+public:
+    explicit StreamEvent_Analyzer(Connection* conn);
+
+    void DeliverStream(int len, const u_char* data, bool orig) override;
+    void Undelivered(uint64_t seq, int len, bool orig) override;
+
+    static analyzer::Analyzer* Instantiate(Connection* conn) { return new StreamEvent_Analyzer(conn); }
+};
+
+} // namespace zeek::analyzer::stream_event

src/analyzer/protocol/stream_event/events.bif

@@ -0,0 +1,33 @@
+## Generated for each chunk of reassembled TCP payload.
+##
+## This is a low-level event to inspect stream data from the originator
+## and responder endpoints. This can be useful for debugging purposes, or
+## for logging of plain-text interactive sessions when no more appropriate
+## analyzer is available.
+##
+## Note that this event is potentially expensive if connections that have
+## the stream event analyzer attached carry significant amounts of data.
+## Generally, a native protocol parser will have much less overhead than
+## passing the complete stream data to the scripting layer.
+##
+## c: The connection.
+##
+## is_orig: T if stream data is from the originator-side, else F.
+##
+## data: The raw payload.
+##
+## .. zeek:see:: stream_undelivered tcp_contents
+event stream_deliver%(c: connection, is_orig: bool, data: string%);
+
+## Generated when Zeek detects a gap in a reassembled TCP payload stream.
+##
+## c: The connection.
+##
+## is_orig: T if the gap is in the originator-side input, else F.
+##
+## seq: The sequence number of the first byte of the gap.
+##
+## len: The length of the gap.
+##
+## .. zeek:see:: stream_deliver content_gap
+event stream_undelivered%(c: connection, is_orig: bool, seq: count, len: count%);

testing/btest/Baseline/core.analyzer-stream-event-disable/out

@@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CHhAvVGS1DHFjwGM9, new_connection
+CHhAvVGS1DHFjwGM9, T, 136, GET /download/CHANGES.bro-aux.tx
+CHhAvVGS1DHFjwGM9, F, 1448, HTTP/1.1 200 OK\x0d\x0aDate: Thu, 07 M
+CHhAvVGS1DHFjwGM9, connection_state_remove

testing/btest/Baseline/core.analyzer-stream-event/out

@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CHhAvVGS1DHFjwGM9, T, 136, GET /download/CHANGES.bro-aux.tx
+CHhAvVGS1DHFjwGM9, F, 1448, HTTP/1.1 200 OK\x0d\x0aDate: Thu, 07 M
+CHhAvVGS1DHFjwGM9, F, 1448,    rather than all. (Robin Somme
+CHhAvVGS1DHFjwGM9, F, 1448, s/check-release to run before ma
+CHhAvVGS1DHFjwGM9, F, 663,  thread library when necessary (

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -249,6 +249,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -249,6 +249,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -441,6 +441,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1
@@ -744,6 +745,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, <no content>)
@@ -1379,6 +1381,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
@@ -1682,6 +1685,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_StreamEvent.events.bif.zeek, <...>/Zeek_StreamEvent.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
@@ -2316,6 +2320,7 @@
 0.000000 | HookLoadFile  ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_StreamEvent.events.bif.zeek <...>/Zeek_StreamEvent.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
@@ -2619,6 +2624,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_StreamEvent.events.bif.zeek <...>/Zeek_StreamEvent.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek

testing/btest/Baseline/scripts.base.files.x509.files/files.log

@@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string
-XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	CHhAvVGS1DHFjwGM9	192.168.4.149	60623	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
-XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	F	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	ClEkJM2Vm5giqnMf4h	192.168.4.149	60624	74.125.239.129	443	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	F	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/core/analyzer-stream-event-disable.zeek

@@ -0,0 +1,30 @@
+# @TEST-DOC: Show-case disable_analyzer() for ANALYZER_STREAM_EVENT after receiving a few events.
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_STREAM_EVENT, 80/tcp);
+	}
+
+
+event new_connection(c: connection)
+	{
+	print c$uid, "new_connection";
+	}
+
+global deliveries = 0;
+
+event stream_deliver(c: connection, is_orig: bool, data: string)
+	{
+	++deliveries;
+	print c$uid, is_orig, |data|, data[:32];
+
+	if ( deliveries == 2 )
+		disable_analyzer(c$id, current_analyzer());
+	}
+
+event connection_state_remove(c: connection)
+	{
+	print c$uid, "connection_state_remove";
+	}

testing/btest/core/analyzer-stream-event.zeek

@@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_STREAM_EVENT, 80/tcp);
+	}
+
+event stream_deliver(c: connection, is_orig: bool, data: string)
+	{
+	print c$uid, is_orig, |data|, data[:32];
+	}