btest/spicy: Remove most port usages

testing/btest/Baseline/spicy.event-args-mismatch/output

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-XXXXXXXXXX.XXXXXX analyzer error in <...>/test.evt, line 6: Event parameter mismatch, cannot convert Spicy value of type 'string' to Zeek value of type 'count'
+XXXXXXXXXX.XXXXXX analyzer error in <...>/test.evt, line 5: Event parameter mismatch, cannot convert Spicy value of type 'string' to Zeek value of type 'count'

testing/btest/Baseline/spicy.port-fail/output

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[error] <...>/port-fail.evt:7: port outside of valid range
+[error] <...>/port-fail.evt:9: port outside of valid range
 [error] error loading EVT file "<...>/port-fail.evt"

testing/btest/spicy/conn-id.spicy

@@ -1,8 +1,8 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d -o test.hlto %INPUT test.evt
-# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy test.hlto Spicy::enable_print=T >>output
-# @TEST-EXEC: zeek -b -r ${TRACES}/ftp/ipv6.trace Zeek::Spicy test.hlto Spicy::enable_print=T >>output
+# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy test.hlto test.zeek Spicy::enable_print=T >>output
+# @TEST-EXEC: zeek -b -r ${TRACES}/ftp/ipv6.trace Zeek::Spicy test.hlto test.zeek Spicy::enable_print=T >>output
 # @TEST-EXEC: btest-diff output
 
 module Test;
@@ -16,6 +16,12 @@ public type Foo = unit {
 
 # @TEST-START-FILE test.evt
 protocol analyzer spicy::Test over TCP:
-    port 21/tcp-22/tcp,
     parse originator with Test::Foo;
 # @TEST-END-FILE
+
+# @TEST-START-FILE test.zeek
+event zeek_init()
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_TEST, set(21/tcp, 22/tcp));
+	}
+# @TEST-END-FILE

testing/btest/spicy/context.spicy

@@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d -o x.hlto %INPUT ./ssh.evt
-# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy x.hlto Spicy::enable_print=T >output
+# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/single-conn.trace Zeek::Spicy x.hlto ssh.zeek Spicy::enable_print=T >output
 # @TEST-EXEC: btest-diff output
 #
 # @TEST-DOC: Check that the Zeek plugin passes a (and the same) %context object to both sides of a connection.
@@ -44,7 +44,13 @@ public type Responder = unit {
 
 # @TEST-START-FILE ssh.evt
 protocol analyzer spicy::SSH over TCP:
-    port 22/tcp,
     parse originator with SSH::Originator,
     parse responder with SSH::Responder;
 # @TEST-END-FILE
+
+
+# @TEST-START-FILE ssh.zeek
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+# @TEST-END-FILE

testing/btest/spicy/decline_input.spicy

@@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d -o foo.hlto foo.spicy foo.evt %INPUT
-# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap foo.hlto
+# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap foo.hlto foo.zeek
 # @TEST-EXEC: cat analyzer.log | zeek-cut analyzer_name failure_reason failure_data > analyzer.log2 && mv analyzer.log2 analyzer.log
 # @TEST-EXEC: btest-diff analyzer.log
 #
@@ -17,8 +17,13 @@ public type X = unit {
 
 # @TEST-START-FILE foo.evt
 protocol analyzer spicy::foo over UDP:
-    parse with foo::X,
-    ports { 12345/udp, 31337/udp };
+    parse with foo::X;
+# @TEST-END-FILE
+
+# @TEST-START-FILE foo.zeek
+event zeek_init() {
+    Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_FOO, set(12345/udp, 31337/udp));
+}
 # @TEST-END-FILE
 
 module zeek_foo;

testing/btest/spicy/double-event.zeek

@@ -9,6 +9,11 @@ event ssh::banner(i: int, software: string)
 	print i, software;
 	}
 
+event zeek_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+	}
+
 # @TEST-START-FILE ssh.spicy
 module SSH;
 
@@ -24,7 +29,6 @@ public type Banner = unit {
 
 protocol analyzer spicy::SSH over TCP:
     parse with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 on SSH::Banner -> event ssh::banner(1, self.software);

testing/btest/spicy/double-types.zeek

@@ -21,11 +21,14 @@ event dtest_result_tuple(r: R) {
     print "dtest_result_tuple", r$x, r$y;
 }
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_DTEST, 22/tcp);
+}
+
 # @TEST-START-FILE dtest.evt
 
 protocol analyzer spicy::dtest over TCP:
-    parse originator with dtest::Message,
-    port 22/tcp;
+    parse originator with dtest::Message;
 
 on dtest::Message -> event dtest_message(self.func);
 
@@ -57,7 +60,7 @@ public type SubMessage = unit {
 };
 
 public function bro_result(entry: Message) : tuple<FUNCS, RESULT>  {
-	return (entry.func, entry.sub.result);
+  return (entry.func, entry.sub.result);
 }
 
 # @TEST-END-FILE

testing/btest/spicy/event-args-mismatch.zeek

@@ -8,6 +8,10 @@
 
 event Banner::error(i: count) { }
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE test.spicy
 module SSH;
 
@@ -22,8 +26,7 @@ public type Banner = unit {
 # @TEST-START-FILE test.evt
 
 protocol analyzer spicy::SSH over TCP:
-    parse originator with SSH::Banner,
-    port 22/tcp;
+    parse originator with SSH::Banner;
 
 on SSH::Banner::magic -> event Banner::error(self.magic); # Error: string -> count
 

testing/btest/spicy/event-args.zeek

@@ -10,6 +10,10 @@ event Banner::error(msg: string) {
     print fmt("Error message: %s", msg);
 }
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE test.spicy
 module SSH;
 
@@ -24,8 +28,7 @@ public type Banner = unit {
 # @TEST-START-FILE test.evt
 
 protocol analyzer spicy::SSH over TCP:
-    parse originator with SSH::Banner,
-    port 22/tcp;
+    parse originator with SSH::Banner;
 
 on SSH::Banner::%error(msg: string) -> event Banner::error(msg);
 on SSH::Banner::%error() -> event Banner::error("n/a");

testing/btest/spicy/event-cond.zeek

@@ -29,6 +29,11 @@ event ssh::banner5(c: connection, is_orig: bool, version: string, software: stri
 	print "5", software;
 	}
 
+event zeek_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+	}
+
 # @TEST-START-FILE ssh.spicy
 module SSH;
 
@@ -46,7 +51,6 @@ import zeek;
 
 protocol analyzer spicy::SSH over TCP:
     parse with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 on SSH::Banner if ( True ) -> event ssh::banner1($conn, $is_orig, self.version, self.software);

testing/btest/spicy/export-bitfield.zeek

@@ -7,6 +7,10 @@
 #
 # @TEST-DOC: Tests that named and anonymous bitfields are exported as expected.
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_FOO, 80/tcp);
+}
+
 # @TEST-START-FILE export.spicy
 module foo;
 
@@ -33,8 +37,7 @@ public type X = unit {
 import foo;
 
 protocol analyzer FOO over TCP:
-    parse originator with foo::X,
-    port 80/tcp;
+    parse originator with foo::X;
 
 export foo::X;
 

testing/btest/spicy/export-switch.zeek

@@ -9,6 +9,9 @@
 event TEST_ZEEK::MessageEvt(message: TEST::Message)
 	{ print message; }
 
+event zeek_init()
+	{ Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_TEST, 31337/udp); }
+
 # @TEST-START-FILE test.spicy
 module TEST;
 
@@ -22,7 +25,6 @@ public type Message = unit {
 # @TEST-START-FILE test.evt
 import TEST;
 protocol analyzer spicy::Test over UDP:
-    port 0/udp - 42000/udp,
     parse with TEST::Message;
 
 export TEST::Message;

testing/btest/spicy/export-type-e2e.zeek

@@ -7,6 +7,10 @@
 #
 # @TEST-DOC: Test type export end-to-end, with access from the Zeek side. Regression test for #3083.
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_FOO, 80/tcp);
+}
+
 # @TEST-START-FILE export.spicy
 module foo;
 
@@ -19,8 +23,7 @@ public type X = unit {
 import foo;
 
 protocol analyzer FOO over TCP:
-    parse with foo::X,
-    port 80/tcp;
+    parse with foo::X;
 
 export foo::X;
 

testing/btest/spicy/export-type-with-fields.zeek

@@ -21,8 +21,7 @@ public type X = unit {
 import foo;
 
 protocol analyzer FOO over TCP:
-    parse with foo::X,
-    port 80/tcp;
+    parse with foo::X;
 
 export foo::X with { x };
 export foo::X as foo::X1;

testing/btest/spicy/file-analysis-data-in-concurrent.zeek

@@ -4,6 +4,10 @@
 # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T >output
 # @TEST-EXEC: btest-diff output
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE ssh.spicy
 module SSH;
 
@@ -51,7 +55,6 @@ import zeek;
 
 protocol analyzer spicy::SSH over TCP:
     parse originator with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 file analyzer spicy::Text:

testing/btest/spicy/file-analysis-data-in.zeek

@@ -20,6 +20,10 @@
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output-1
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output-2
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE ssh.spicy
 module SSH;
 
@@ -70,7 +74,6 @@ import zeek;
 
 protocol analyzer spicy::SSH over TCP:
     parse with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 on SSH::Banner::software -> event have_filename($file, self.file_name);

testing/btest/spicy/file-data-in-at-offset.zeek

@@ -7,6 +7,10 @@
 # @TEST-EXEC: btest-diff x509.log
 # @TEST-EXEC: btest-diff output
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE ssh.spicy
 module SSH;
 
@@ -41,7 +45,6 @@ import zeek;
 
 protocol analyzer spicy::SSH over TCP:
     parse with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 # @TEST-END-FILE

testing/btest/spicy/gap-recovery.zeek

@@ -1,16 +1,19 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d -o analyzer.hlto analyzer.spicy analyzer.evt
-# @TEST-EXEC: zeek -Cr ${TRACES}/spicy/gap-recovery.pcap analyzer.hlto Spicy::enable_print=T >output 2>&1
+# @TEST-EXEC: zeek -Cr ${TRACES}/spicy/gap-recovery.pcap analyzer.hlto %INPUT Spicy::enable_print=T >output 2>&1
 # @TEST-EXEC: if spicy-version 10503; then btest-diff output; else OUT=output-before-spicy-issue-1303; mv output "$OUT"; btest-diff "$OUT"; fi
 #
 # @TEST-DOC: Tests that parsers can resynchronize on gaps.
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 9000/tcp);
+}
+
 # @TEST-START-FILE analyzer.evt
 protocol analyzer spicy::HTTP over TCP:
     parse originator with test::Requests,
     parse responder with test::Responses,
-    port 9000/tcp,
     replaces HTTP;
 # @TEST-END-FILE
 

testing/btest/spicy/list-conversion.zeek

@@ -4,6 +4,10 @@
 # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT >output
 # @TEST-EXEC: btest-diff output
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_LISTCONV, 22/tcp);
+}
+
 @TEST-START-FILE listconv.spicy
 
 module listconv;
@@ -23,8 +27,7 @@ public type Test = unit {
 @TEST-START-FILE listconv.evt
 
 protocol analyzer listconv over TCP:
-    parse originator with listconv::Test,
-    port 22/tcp;
+    parse originator with listconv::Test;
 
 on listconv::Test -> event listconv::test($conn,
                                   $is_orig,

testing/btest/spicy/multiple-enum.zeek

@@ -12,11 +12,14 @@ event dtest_two(x: dtest::RESULT) {
     print "two", x;
 }
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_DTEST, 22/tcp);
+}
+
 # @TEST-START-FILE dtest.evt
 
 protocol analyzer spicy::dtest over TCP:
-    parse originator with dtest::Message,
-    port 22/tcp;
+    parse originator with dtest::Message;
 
 on dtest::Message if ( self.sswitch == 83 )
   -> event dtest_one(self.result);

testing/btest/spicy/network-time.spicy

@@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d -o test.hlto %INPUT ./udp-test.evt
-# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap test.hlto Spicy::enable_print=T >output
+# @TEST-EXEC: zeek -Cr ${TRACES}/udp-packet.pcap test.hlto network-time.zeek Spicy::enable_print=T >output
 # @TEST-EXEC: btest-diff output
 
 module Test;
@@ -20,7 +20,13 @@ public type Message = unit {
 
 # @TEST-START-FILE udp-test.evt
 protocol analyzer spicy::TEST over UDP:
-    parse with Test::Message,
-    port 11337/udp-11340/udp,
-    ports {31337/udp-31340/udp};
+    parse with Test::Message;
+# @TEST-END-FILE
+
+
+# @TEST-START-FILE network-time.zeek
+event zeek_init() {
+    Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_TEST, set(11337/udp, 11338/udp, 11339/udp, 11340/udp));
+    Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_TEST, set(31337/udp, 31338/udp, 31339/udp, 31340/udp));
+}
 # @TEST-END-FILE

testing/btest/spicy/optional.zeek

@@ -12,11 +12,14 @@ event foo_result_tuple(r: R) {
     print(r);
 }
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_FOO, 22/tcp);
+}
+
 # @TEST-START-FILE foo.evt
 
 protocol analyzer spicy::foo over TCP:
-    parse originator with Foo::Message,
-    port 22/tcp;
+    parse originator with Foo::Message;
 
 on Foo::Message -> event foo_result_tuple(Foo::bro_result(self));
 

testing/btest/spicy/parse-error.zeek

@@ -8,6 +8,10 @@
 #
 # @TEST-DOC: Trigger parse error after confirmation, should be recorded in dpd.log
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE test.spicy
 module SSH;
 
@@ -24,9 +28,7 @@ public type Banner = unit {
 # @TEST-START-FILE test.evt
 
 protocol analyzer spicy::SSH over TCP:
-    parse originator with SSH::Banner,
-    port 22/tcp
-
+    parse originator with SSH::Banner
     # With Zeek < 5.0, DPD tracking doesn't work correctly for replaced
     # analyzers because the ProtocolViolation() doesn't take a tag.
     #

testing/btest/spicy/port-fail.evt

@@ -2,6 +2,8 @@
 #
 # @TEST-EXEC-FAIL: spicyz %INPUT -d -o x.hlto >output 2>&1
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
+#
+# @TEST-DOC: Remove with v7.1
 
 protocol analyzer spicy::SSH over TCP:
     port 123456/udp;

testing/btest/spicy/port-range-one-port.zeek

@@ -5,7 +5,7 @@
 # @TEST-EXEC: grep -e 'Scheduling analyzer' -e 'error during parsing' < out > out.filtered
 # @TEST-EXEC: btest-diff out.filtered
 
-# @TEST-DOC: Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278.
+# @TEST-DOC: Remove with v7.1. Expect a single 'Scheduling analyzer ...' message in the debug output and no parsing errors. There was a bug that 'port 31336/udp' would be wrongly interpreted as a 31336/udp-31337/udp port range. Regression test for #3278.
 
 # @TEST-START-FILE udp-test.spicy
 module UDPTest;

testing/btest/spicy/profiling.zeek

@@ -13,6 +13,11 @@ event ssh::banner(c: connection, is_orig: bool, version: string, software: strin
 	print "SSH banner", c$id, is_orig, version, software;
 	}
 
+event zeek_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+	}
+
 # @TEST-START-FILE ssh.spicy
 module SSH;
 
@@ -28,9 +33,7 @@ public type Banner = unit {
 
 # @TEST-START-FILE ssh.evt
 protocol analyzer spicy::SSH over TCP:
-    # no port, we're using the signature
     parse with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software);

testing/btest/spicy/protocol-analyzer-data-in.zeek

@@ -4,6 +4,10 @@
 # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT
 # @TEST-EXEC: btest-diff http.log
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE ssh.spicy
 module SSH;
 
@@ -51,7 +55,6 @@ import zeek;
 
 protocol analyzer spicy::SSH over TCP:
     parse originator with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 # @TEST-END-FILE

testing/btest/spicy/protocol-analyzer-explicit-forwarding.zeek

@@ -4,6 +4,10 @@
 # @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace foo.hlto %INPUT Spicy::enable_print=T >output
 # @TEST-EXEC: btest-diff output
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_X, 22/tcp);
+}
+
 # @TEST-START-FILE foo.spicy
 module foo;
 import zeek;
@@ -37,7 +41,6 @@ public type Z = unit {
 # Analyzer instantiated from Zeek based on the traffic.
 protocol analyzer spicy::X over TCP:
     parse originator with foo::X,
-    port 22/tcp,
     replaces SSH;
 
 # Analyzers which will only be instantiated explicitly by us.

testing/btest/spicy/protocol-analyzer-tcp-over-udp.spicy

@@ -1,7 +1,7 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d -o test.hlto %INPUT ./foo.evt
-# @TEST-EXEC: zeek -Cr ${TRACES}/ssh/ssh-over-udp.pcap test.hlto
+# @TEST-EXEC: zeek -Cr ${TRACES}/ssh/ssh-over-udp.pcap test.hlto test.zeek
 # @TEST-EXEC: btest-diff ssh.log
 #
 # @TEST-DOC: Pass data from inside a UDP analyzer to a Zeek analyzers that works on top of TCP. Regression tests for #92 and also #91.
@@ -22,7 +22,12 @@ public type Bar = unit {
 import zeek;
 
 protocol analyzer spicy::Foo over UDP:
-    parse with Foo::Bar,
-    port 1234/udp;
+    parse with Foo::Bar;
 
 # @TEST-END-FILE
+
+# @TEST-START-FILE test.zeek
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_FOO, 1234/udp);
+}
+# @TEST-END-FILE

testing/btest/spicy/replaces-mismatch.zeek

@@ -19,7 +19,6 @@ public type Banner = unit {
 
 protocol analyzer spicy::SSH over TCP:
     parse with SSH::Banner,
-    port 22/tcp,
     replaces Ethernet; # fail
 
 # @TEST-END-FILE

testing/btest/spicy/replaces.zeek

@@ -8,6 +8,23 @@
 # We use the module search path for loading here as a regression test for #137.
 # Note that this that problem only showed up when the Spicy plugin was built
 # into Zeek.
+#
+# XXX: Replaces is kin of borked. "replaces" probably should inherit/use
+#      ports previously registered through Analyzer::register_for_port() for
+#      the analyzer that is being replaced, but that doesn't seem to be
+#      happening. Having ports previosly in .evt "worked around it" mostly.
+#
+#      This seems pretty much #3573.
+#
+event zeek_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+
+	# The following should maybe "do the right thing" when using replaces
+	# if we fiddle with the underlying enum value?
+	#
+	# Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 22/tcp);
+	}
 
 event ssh::banner(c: connection, is_orig: bool, version: string, software: string)
 	{
@@ -15,9 +32,9 @@ event ssh::banner(c: connection, is_orig: bool, version: string, software: strin
 	}
 
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
-    {
-    print atype, info$aid;
-    }
+	{
+	print atype, info$aid;
+	}
 
 # @TEST-START-FILE ssh.spicy
 module SSH;
@@ -38,7 +55,6 @@ public type Banner = unit {
 
 protocol analyzer spicy::SSH over TCP:
     parse with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software);

testing/btest/spicy/resource-usage.zeek

@@ -1,11 +1,15 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -d -o test.hlto test.evt test.spicy
-# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto Zeek/Spicy/misc/resource-usage | sed 's/=[^ ]*/=XXX/g' >output
+# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Zeek/Spicy/misc/resource-usage | sed 's/=[^ ]*/=XXX/g' >output
 # @TEST-EXEC: btest-diff output
 #
 # @TEST-DOC: Exercise the misc/resource-usage.zeek script.
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE test.spicy
 module SSH;
 
@@ -20,7 +24,6 @@ public type Banner = unit {
 # @TEST-START-FILE test.evt
 
 protocol analyzer spicy::SSH over TCP:
-    parse originator with SSH::Banner,
-    port 22/tcp;
+    parse originator with SSH::Banner;
 
 # @TEST-END-FILE

testing/btest/spicy/skip-input-file.zeek

@@ -6,6 +6,10 @@
 #
 # @TEST-DOC: Validate that `skip_input` works for file analyzers.
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+}
+
 # @TEST-START-FILE ssh.spicy
 module SSH;
 
@@ -51,7 +55,6 @@ import zeek;
 
 protocol analyzer spicy::SSH over TCP:
     parse originator with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 file analyzer spicy::Text:

testing/btest/spicy/skip-input-protocol.zeek

@@ -11,6 +11,10 @@ redef udp_inactivity_timeout = 24hrs; # avoid long gaps to trigger removal
 
 event Test::foo() { print "event"; }
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_TEST, 53/udp);
+}
+
 # @TEST-START-FILE test.spicy
 module Test;
 
@@ -37,7 +41,6 @@ public type Foo = unit {
 
 # @TEST-START-FILE test.evt
 protocol analyzer spicy::Test over UDP:
-    port 53/udp,
     parse with Test::Foo;
 
 on Test::Foo -> event Test::foo();

testing/btest/spicy/spicyz.test

@@ -2,7 +2,7 @@
 #
 # @TEST-EXEC: spicyz test.spicy test.evt -d -o test.hlto
 # @TEST-EXEC: zeek -NN test.hlto | grep -q ANALYZER_SPICY_TEST
-# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace test.zeek test.hlto "Spicy::enable_print = T;" >>output 2>&1
+# @TEST-EXEC: zeek -r ${TRACES}/http/post.trace test.hlto test.zeek "Spicy::enable_print = T;" >>output 2>&1
 # @TEST-EXEC: btest-diff output
 #
 # @TEST-DOC: Smoke test for a custom ahead-of-time compiled Spicy analyzer hooked into Zeek.
@@ -22,8 +22,7 @@ public type Dummy = unit {
 
 # @TEST-START-FILE test.evt
 protocol analyzer spicy::Test over TCP:
-    parse with test::Dummy,
-    port 80/tcp;
+    parse with test::Dummy;
 
 on test::Dummy -> event test::dummy(self.data);
 # @TEST-END-FILE
@@ -35,4 +34,9 @@ event test::dummy(data: vector of string)
 {
 	print "Event:", data;
 }
+
+event zeek_init()
+{
+	Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_TEST, 80/tcp);
+}
 # @TEST-END-FILE

testing/btest/spicy/terminate-session.zeek

@@ -12,6 +12,10 @@
 redef likely_server_ports += { 53/udp }; # avoid flipping direction after termination
 redef udp_inactivity_timeout = 24hrs; # avoid long gaps to trigger removal
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_TEST, 53/udp);
+}
+
 # @TEST-START-FILE test.spicy
 module Test;
 
@@ -36,6 +40,5 @@ type Counter = tuple<counter:int64>;
 
 # @TEST-START-FILE test.evt
 protocol analyzer spicy::Test over UDP:
-    port 53/udp,
     parse originator with Test::Foo;
 # @TEST-END-FILE

testing/btest/spicy/toggle-protocol-analyzer.zeek

@@ -13,6 +13,8 @@
 const ENABLE = T &redef;
 
 event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+
     if ( ENABLE )
         Spicy::enable_protocol_analyzer(Analyzer::ANALYZER_SPICY_SSH);
     else
@@ -39,7 +41,6 @@ public type Banner = unit {
 
 # @TEST-START-FILE ssh.evt
 protocol analyzer spicy::SSH over TCP:
-    port 22/tcp,
     parse originator with SSH::Banner;
 
 on SSH::Banner -> event ssh::banner($conn, $is_orig, self.version, self.software);

testing/btest/spicy/tuple-arg.zeek

@@ -15,6 +15,11 @@ event ssh::banner(f: Foo)
 	print f;
 	}
 
+event zeek_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_SPICY_SSH, 22/tcp);
+	}
+
 # @TEST-START-FILE ssh.spicy
 
 module SSH;
@@ -37,7 +42,6 @@ public type Banner = unit {
 
 protocol analyzer spicy::SSH over TCP:
     parse originator with SSH::Banner,
-    port 22/tcp,
     replaces SSH;
 
 on SSH::Banner -> event ssh::banner((1, self.software));

testing/btest/spicy/tuple-enum.zeek

@@ -13,12 +13,14 @@ event enum_message(f: Foo) {
 	print f;
 }
 
+event zeek_init() {
+	Analyzer::register_for_port(Analyzer::ANALYZER_TUPLEENUM, 22/tcp);
+}
+
 # @TEST-START-FILE tupleenum.evt
 
 protocol analyzer TupleEnum over TCP:
-    parse with TupleEnum::Message,
-    port 22/tcp,
-    replaces SSH;
+    parse with TupleEnum::Message;
 
 on TupleEnum::Message -> event enum_message( (self.a, cast<uint64>(self.b)) );
 

testing/btest/spicy/type-converter.zeek

@@ -1,9 +1,13 @@
 # @TEST-REQUIRES: have-spicy
 #
 # @TEST-EXEC: spicyz -o test.hlto conv.spicy ./conv.evt
-# @TEST-EXEC: ASAN_OPTIONS=detect_leaks=0 zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T >output
+# @TEST-EXEC: ASAN_OPTIONS='detect_odr_violation=0 detect_leaks=0' zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T >output
 # @TEST-EXEC: btest-diff output
 
+event zeek_init() {
+    Analyzer::register_for_port(Analyzer::ANALYZER_CONV, 22/tcp);
+}
+
 @TEST-START-FILE conv.spicy
 
 module Conv;
@@ -41,8 +45,7 @@ type MyStruct = struct {
 @TEST-START-FILE conv.evt
 
 protocol analyzer Conv over TCP:
-    parse originator with Conv::Test,
-    port 22/tcp;
+    parse originator with Conv::Test;
 
 on Conv::Test -> event conv::test($conn,
                                   $is_orig,

testing/btest/spicy/udp.zeek

@@ -15,6 +15,12 @@ event udp_test::message(c: connection, is_orig: bool, data: string)
 	print "UDP packet", c$id, is_orig, data;
 	}
 
+event zeek_init()
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_UDP_TEST, set(11337/udp, 11338/udp, 11339/udp, 11340/udp));
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SPICY_UDP_TEST, set(31337/udp, 31338/udp, 31339/udp, 31340/udp));
+	}
+
 # @TEST-START-FILE udp-test.spicy
 module UDPTest;
 
@@ -25,9 +31,7 @@ public type Message = unit {
 
 # @TEST-START-FILE udp-test.evt
 protocol analyzer spicy::UDP_TEST over UDP:
-    parse with UDPTest::Message,
-    port 11337/udp-11340/udp,
-    ports {31337/udp-31340/udp};
+    parse with UDPTest::Message;
 
 on UDPTest::Message -> event udp_test::message($conn, $is_orig, self.data);
 # @TEST-END-FILE

testing/btest/spicy/zeekygen-enum-zeek-side.zeek

@@ -66,9 +66,7 @@ public type Banner = unit {
 %doc-description = "Just a \"test\" analyzer.h";
 
 protocol analyzer spicy::MySSH over TCP:
-    parse originator with MySSH::Banner,
-    port 22/tcp,
-    replaces SSH;
+    parse originator with MySSH::Banner;
 
 export MySSH::Compression;  # This one also exists on the Zeek side
 

testing/btest/spicy/zeekygen.zeek

@@ -41,9 +41,7 @@ public type Banner = unit {
 %doc-description = "Just a \"test\" analyzer.h";
 
 protocol analyzer spicy::SSH over TCP:
-    parse originator with SSH::Banner,
-    port 22/tcp,
-    replaces SSH;
+    parse originator with SSH::Banner;
 
 on SSH::Banner -> event ssh::banner((1, self.software));