Move UnknownProtocol options to init-bare.zeek

Otherwise the `unknown_protocol` event cannot be used independently
from `policy/mic/unknown-protocols.zeek`.

scripts/base/init-bare.zeek

@@ -5367,6 +5367,28 @@ export {
 	option sampling_duration = 10min;
 }
 
+module UnknownProtocol;
+export {
+	## How many reports for an analyzer/protocol pair will be allowed to
+	## raise events before becoming rate-limited.
+	const sampling_threshold : count = 3 &redef;
+
+	## The rate-limiting sampling rate. One out of every of this number of
+	## rate-limited pairs of a given type will be allowed to raise events
+	## for further script-layer handling. Setting the sampling rate to 0
+	## will disable all output of rate-limited pairs.
+	const sampling_rate : count = 100000 &redef;
+
+	## How long an analyzer/protocol pair is allowed to keep state/counters in
+	## in memory. Once the threshold has been hit, this is the amount of time
+	## before the rate-limiting for a pair expires and is reset.
+	const sampling_duration = 1hr &redef;
+
+	## The number of bytes to extract from the next header and log in the
+	## first bytes field.
+	const first_bytes_count = 10 &redef;
+}
+
 module BinPAC;
 export {
 	## Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to

scripts/policy/misc/unknown-protocols.zeek

@@ -26,25 +26,6 @@ export {
 		## header.
 		first_bytes:  string   &log;
 	};
-
-	## How many reports for an analyzer/protocol pair will be allowed to
-	## raise events before becoming rate-limited.
-	const sampling_threshold : count = 3 &redef;
-
-	## The rate-limiting sampling rate. One out of every of this number of
-	## rate-limited pairs of a given type will be allowed to raise events
-	## for further script-layer handling. Setting the sampling rate to 0
-	## will disable all output of rate-limited pairs.
-	const sampling_rate : count = 100000 &redef;
-
-	## How long an analyzer/protocol pair is allowed to keep state/counters in
-	## in memory. Once the threshold has been hit, this is the amount of time
-	## before the rate-limiting for a pair expires and is reset.
-	const sampling_duration = 1hr &redef;
-
-	## The number of bytes to extract from the next header and log in the
-	## first bytes field.
-	const first_bytes_count = 10 &redef;
 }
 
 event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)

src/packet_analysis/Manager.cc

@@ -44,14 +44,11 @@ void Manager::InitPostScript()
 		                                          detail::pkt_profile_freq,
 		                                          pkt_profile_file->AsFile());
 
-	if ( unknown_protocol )
-		{
 	unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount();
 	unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
 	unknown_sampling_duration = id::find_val("UnknownProtocol::sampling_duration")->AsInterval();
 	unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
 	}
-	}
 
 void Manager::Done()
 	{

testing/btest/Baseline/core.unknown-protocol-event/out

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ETHERNET, 35020, 02070400222d81db1004

testing/btest/core/unknown-protocol-event.zeek

@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -b -r $TRACES/lldp.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
+	{ print analyzer_name, protocol, bytestring_to_hexstr(first_bytes); }
+