Move dpd.log to policy script

This is the first phase of moving from the current dpd log to a more
modern logfile, without some of the weirdnesses that the current dpd log
contains.

Tests will not pass in the current state; this is just splitting out
functionality.

scripts/base/frameworks/analyzer/dpd.zeek

@@ -1,31 +1,8 @@
-##! Activates port-independent protocol detection and selectively disables
+##! Disables analyzers if protocol violations occur.
-##! analyzers if protocol violations occur.
 
 module DPD;
 
 export {
-	## Add the DPD logging stream identifier.
-	redef enum Log::ID += { LOG };
-
-	## A default logging policy hook for the stream.
-	global log_policy: Log::PolicyHook;
-
-	## The record type defining the columns to log in the DPD logging stream.
-	type Info: record {
-		## Timestamp for when protocol analysis failed.
-		ts:             time            &log;
-		## Connection unique ID.
-		uid:            string          &log;
-		## Connection ID containing the 4-tuple which identifies endpoints.
-		id:             conn_id         &log;
-		## Transport protocol for the violation.
-		proto:          transport_proto &log;
-		## The analyzer that generated the violation.
-		analyzer:       string          &log;
-		## The textual reason for the analysis failure.
-		failure_reason: string          &log;
-	};
-
 	## Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
 	option max_violations: table[Analyzer::Tag] of count = table() &deprecated="Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200" &default = 5;
 
@@ -45,17 +22,11 @@ export {
 }
 
 redef record connection += {
-	dpd: Info &optional;
 	## The set of services (analyzers) for which Zeek has observed a
 	## violation after the same service had previously been confirmed.
 	service_violation: set[string] &default=set() &ordered;
 };
 
-event zeek_init() &priority=5
-	{
-	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
-	}
-
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
 	{
 	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
@@ -94,28 +65,9 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 		return;
 
 	add c$service_violation[analyzer];
-
-	local dpd: Info;
-	dpd$ts = network_time();
-	dpd$uid = c$uid;
-	dpd$id = c$id;
-	dpd$proto = get_port_transport_proto(c$id$orig_p);
-	dpd$analyzer = analyzer;
-
-	# Encode data into the reason if there's any as done for the old
-	# analyzer_violation event, previously.
-	local reason = info$reason;
-	if ( info?$data )
-		{
-		local ellipsis = |info$data| > 40 ? "..." : "";
-		local data = info$data[0:40];
-		reason = fmt("%s [%s%s]", reason, data, ellipsis);
-		}
-
-	dpd$failure_reason = reason;
-	c$dpd = dpd;
 	}
 
+
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=5
 	{
 	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
@@ -145,17 +97,3 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 
 	}
 
-event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
-	{
-	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
-		return;
-
-	if ( ! info?$c )
-		return;
-
-	if ( info$c?$dpd )
-		{
-		Log::write(DPD::LOG, info$c$dpd);
-		delete info$c$dpd;
-		}
-	}

scripts/policy/frameworks/analyzer/dpd-log.zeek

@@ -0,0 +1,92 @@
+##! Creates the now deprecated dpd.logfile.
+# Remove in v8.1
+
+@deprecated("dpd.log is deprecated; remove in 8.1")
+
+module DPD;
+
+export {
+	## Add the DPD logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## A default logging policy hook for the stream.
+	global log_policy: Log::PolicyHook;
+
+	## The record type defining the columns to log in the DPD logging stream.
+	type Info: record {
+		## Timestamp for when protocol analysis failed.
+		ts:             time            &log;
+		## Connection unique ID.
+		uid:            string          &log;
+		## Connection ID containing the 4-tuple which identifies endpoints.
+		id:             conn_id         &log;
+		## Transport protocol for the violation.
+		proto:          transport_proto &log;
+		## The analyzer that generated the violation.
+		analyzer:       string          &log;
+		## The textual reason for the analysis failure.
+		failure_reason: string          &log;
+	};
+}
+
+redef record connection += {
+	dpd: Info &optional;
+};
+
+event zeek_init() &priority=5
+	{
+	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
+	}
+
+# Runs before the same event handler in base/frameworks/analyzer/dpd.zeek
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=15
+	{
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
+		return;
+
+	if ( ! info?$c )
+		return;
+
+	local c = info$c;
+	local analyzer = Analyzer::name(atype);
+	# If the service hasn't been confirmed yet, or already failed,
+	# don't generate a log message for the protocol violation.
+	if ( analyzer !in c$service || analyzer in c$service_violation )
+		return;
+
+	local dpd: Info;
+	dpd$ts = network_time();
+	dpd$uid = c$uid;
+	dpd$id = c$id;
+	dpd$proto = get_port_transport_proto(c$id$orig_p);
+	dpd$analyzer = analyzer;
+
+	# Encode data into the reason if there's any as done for the old
+	# analyzer_violation event, previously.
+	local reason = info$reason;
+	if ( info?$data )
+		{
+		local ellipsis = |info$data| > 40 ? "..." : "";
+		local data = info$data[0:40];
+		reason = fmt("%s [%s%s]", reason, data, ellipsis);
+		}
+
+	dpd$failure_reason = reason;
+	c$dpd = dpd;
+	}
+
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5
+	{
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
+		return;
+
+	if ( ! info?$c )
+		return;
+
+	if ( info$c?$dpd )
+		{
+		Log::write(DPD::LOG, info$c$dpd);
+		delete info$c$dpd;
+		}
+	}
+