Call ProtocolConfirmed on modbus

After a PDU is successfully parsed from both sides of a
modbus connection we're now declaring the protocol confirmed.

A small extension to the modbus/events test was added to verify
that "modbus" was identified in the service field in conn.log.

src/analyzer/protocol/modbus/modbus-analyzer.pac

@@ -47,6 +47,42 @@
 
 	%}
 
+refine connection ModbusTCP_Conn += {
+	%member{
+		// Fields used to determine if the protocol has been confirmed or not.
+		bool confirmed;
+		bool orig_pdu;
+		bool resp_pdu;
+		%}
+
+	%init{
+		confirmed = false;
+		orig_pdu = false;
+		resp_pdu = false;
+		%}
+
+	function SetPDU(is_orig: bool): bool
+		%{
+		if ( is_orig )
+			orig_pdu = true;
+		else
+			resp_pdu = true;
+
+		return true;
+		%}
+
+	function SetConfirmed(): bool
+		%{
+		confirmed = true;
+		return true;
+		%}
+
+	function IsConfirmed(): bool
+		%{
+		return confirmed && orig_pdu && resp_pdu;
+		%}
+};
+
 refine flow ModbusTCP_Flow += {
 
 	function deliver_message(header: ModbusTCP_TransportHeader): bool
@@ -62,6 +98,21 @@ refine flow ModbusTCP_Flow += {
 		return true;
 		%}
 
+	function deliver_ModbusTCP_PDU(message: ModbusTCP_PDU): bool
+		%{
+		// We will assume that if an entire PDU from both sides
+		// is successfully parsed then this is definitely modbus.
+		connection()->SetPDU(${message.is_orig});
+
+		if ( ! connection()->IsConfirmed() )
+			{
+			connection()->SetConfirmed();
+			connection()->bro_analyzer()->ProtocolConfirmation();
+			}
+
+		return true;
+		%}
+
 	# EXCEPTION
 	function deliver_Exception(header: ModbusTCP_TransportHeader, message: Exception): bool
 		%{

src/analyzer/protocol/modbus/modbus-protocol.pac

@@ -64,6 +64,8 @@ type ModbusTCP_PDU(is_orig: bool) = record {
 		true  -> request:  ModbusTCP_Request(header);
 		false -> response: ModbusTCP_Response(header);
 	};
+} &let {
+	deliver: bool = $context.flow.deliver_ModbusTCP_PDU(this);
 } &length=header.len+6, &byteorder=bigendian;
 
 type ModbusTCP_TransportHeader = record {

testing/btest/scripts/base/protocols/modbus/events.bro

@@ -5,6 +5,8 @@
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
 # @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
 # @TEST-EXEC: btest-diff coverage
+# @TEST-EXEC: btest-diff conn.log
+
 
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
 {