From 21888a145a86bbc04d227261cfbcf12b04dba85c Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 3 May 2023 11:16:14 +0100
Subject: [PATCH 1/2] SSL: do not try to disable failed analyzer

Currently, if a TLS/DTLS analyzer fails with a protocol violation, we
will still try to remove the analyzer later, which results in the
following error message:

error: connection does not have analyzer specified to disable

Now, instead we don't try removing the analyzer anymore, after a
violation occurred.
---
 scripts/base/protocols/ssl/main.zeek             |   9 +++++++++
 .../.stderr                                      |   1 +
 .../Traces/tls/tls1.2-protocol-violation.pcap    | Bin 0 -> 8601 bytes
 .../protocols/ssl/tls-protocol-violation.test    |   5 +++++
 4 files changed, 15 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
 create mode 100644 testing/btest/Traces/tls/tls1.2-protocol-violation.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test

diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index 3e74950951..f4c2eb4e18 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -499,6 +499,15 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
 		}
 	}
 
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
+	{
+	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+		{
+		# analyzer errored out; prevent us from trying to remove it later
+		delete info$c$ssl$analyzer_id;
+		}
+	}
+
 event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
 	{
 	set_session(c);
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap b/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..76a51c00c9c8622b9e52bd02094b8da16f185076
GIT binary patch
literal 8601
zcmd6sc{o+w+sF4Aam@3O;baV98>14(kRh2x<S~oP$1zrN6cL3&GL;Z1r6O}qDwOFU
zk`l>d%utbN@b1l{U-bN*-+R4(yzhIiYhCtUd+qPNhWq~9YcJ0q-OWV;Xkh)fvH}1I
z=!PmkX1cSJ1~7)M;nD{>>pv;4{CtOt)rS_)1pv*ZP)$G+Td<4+08^a_BZdKWM9qQe
zYBN}=6uGj(Wdi_6G^PxJLZJ}|S{$hA`T>51My{y`IMV)9U(;Q)v8JBa4FDgpahG9b
z*aD(vKpo$I)C96%UdqNi_Z?D!)J-9E09L2ra}R|rtg9<H(E?hKHMsoNccmx?xbFh^
zO?@|qESN^J;5DTepjlY$vl}O@49~_gq<9LN8n|p$L<Enr!itsBf2+uY*Ce0VsK|vv
zAk+~6LJfs79h0Z3Qmr&U6#E#ITj<h9<qzfPeHsv&3A<+3`U0H<09Pm=WjkdXMU=up
z!BK=MTY)^_GT;Rq0n`9hAQm`HQJ~0Dq$uJPW(o$#2Gjv%;1q?8LQCPNYyr3cb_yc}
z1>h)h6lsbCMTEjmp`!><1c9qS4saOI1QY=UAOpArEvpVio+3k$q=-?NC}<!H*bT@5
zX#fGBp|DbDC=3)NfPtKa6JP`A01ki^parl13RpoxbK(ck188V5kN^%)f&`fWMt~Qp
zV*q%d#yF@O+^fxLpcgqI5ey{44*41q5?}^cATbeWtr!7e0FOmrkysQ4fk9#*-$5hM
zC=>#PM4^xfBoYZt9Mm3xfY&4hNe9GWfYq|uhcKb-v9J#vyt~PVOb<-gq(rhX&xypX
ztqHWkxuB{WCl};PW{_X)N1@Cg&d(Mi=Ox53_QzaK?lUfBQrY_;yoM>Po;lk8<XId1
z@;3GRipEP9cYVnyPTn1Aq;Ap^o~rL!aO;Z{qIjI90}d(73beogq{{S(9=ZUS-UFEH
zU=*eRj6$EivN{@8;L>stD%|+)^6aUpKdgExn?Xh_om7l|%pxNKfx!SEIZmD)q{E`D
z&{%e)o|gO;kQct8WoOePx;c^Di1__ZzAheafzYKq3&;dNq+zGAaPoHdBf84-fjn>x
zj-6H8WWR}y30|9kH}drHB)PfD%YicRGZee{U(fVC4|~WE0t17Hkfa;l!p$X!2>&4l
zLuRxIpddG+ygaB3DuJs%Tj*8=+yN>nC@QNdtJ#9&wqN>cWg*W5GQb8{*)eKL$||bs
z4{6zv+5~xKXr!xs#p(n(dwcrIvw<vd1syw`MG(|KJY+>)5aeI0<5ZGY0`Y4t@mhXC
z-fqE8(D2wnR`@xN9cSs}?dFF!@O6=uX8>_<B|SUJ+Ra&B1l+oI$EWS*<LBy!Hzm6H
zcn0}cSQz20J-uCBU>y#S4Q_<upqG**!Ai2eZX_@YA^hudATR(b3c(CO^*Ce{<c5>S
zkuz!E>dsB?v-A^ZWlf7N?88M=`3lz`5osT*_Ih|2SxtDJ-uHRt3rSj1&s=~pGi^|>
zLC27q5$x~6<zKVQ>|BdGt~^U6{&LBqk@ha$m-P}UCwg<92k_2ltBs^<o5=FyzlgAL
z&U?0t<&U5xiIv{`o<3c}07mblwQWP?m1Mt3`&-A4lAQRBzHBpMjFM8fta}h7VpW{N
zRMM0+p|_2Rw9{55GvsS5%bdrxk5*N=MFU)jGvKt8ZIElfbI*lc(Og?vJ4^-aq7kDt
zsC^p6G68W1OkzR~sxyL;!=gfeE(X(XKYsw%W&S<GAZ54V-4C>0?`ZU8^~|J2{hmOv
z2q5yJ5EN)eYC$1r1_eaWJRnyjhel61wO1$1)Q~$bGr{n6WvQ^M7bpNXU_x`DIj#oN
z;fplC=iY3dP_AOV=CqQqlDF!*0?Y`+3L1?<Vy>+EjsQD+j|73Wm&MRrAP1IK8ViL6
z4GQt|3JLCowee^TP#xTbWq=x>5qISgNCXNEN`sQ?4Uq^g0S^+%KX9j<T;QsA%et&O
z1^h=&+tdOyfpvt?`ruwr=Ze-9&6quKd#Je!(fhBqE>3H$SL118$gD-oTEJ)%WTAIJ
za^$*k1OiP0iJ;;7J&628ob*2sCxN0rwGc5pe|6N)CD4C^*sA{vu%aOpME&aCQFQ<E
z^o`Jgyc_{YU#jgc-gVW3?VWLqxKyMg{qD!)k+b^di(W}H;&1P?2WuzPSap28#DvHi
zN=uD$&lerd)>wq8Ohx|_m8qF9m8~~r_Q;fVDv#-Gr1Fo5dJ(C@!OzY2rp9X2iBd9|
zGQA}3A~zpLhUpJh&%>;{nWOkw{ydeF*ljU3p;q6ddqgxjO@`p>Qn&Y$cKJb`r-~Ki
z=fy#M?#mvY^Ig_Q#Qert6)OFsu?GjW%XmaJ&atas@{2Ik`=jhp&)AU;=d1Br1Hy#Y
zep8<;_Hx(r3J5%UY*Y^3x09?+h^W!#P!gGLJi?@u>;HX^3S~ZZ=~%xF`8DkkIz7JO
zXHnZfxum#p(q(X|3q?+oBdw4p>RH~9S>~SB%H|z|QXWM9Z(tN^WR3nTTuF~4?}uV(
z%!DwdO8R?Sex(fzf4_BPLhQHDU8fX|ou1(8YDo+VB;g5K^5T#itm01KXRU51lns2H
zyz!Qnrg&pFQivbXOI{en!|hP)yuY`DvVysvA8D2FAgBakeVy<MAgHVe%7aR(imDLd
z{~u+e|3v4p)BTi?k(!;$M?{+=2{*gA*g4gg7r#gazb=wdqixqWe87Bs?oD-#UQeCO
zi!C>p@njKN;vEWWD&y$n_0ua&zJez13e^_1m}36z472-p=y|a)yn1paJ;LVIj^0}n
z*t!=*Zl88kHTkrMG>H$rAPHSd=c-}wYJLzxowX^Hyi!%^iBV~}+i#OcA5@|qFC2y6
z;~#U0zsjT|B%g*)#HCa9z^V83iBF8@dD1fZ#xJ}-dz&*$bk26yICE8zEu#A_zvI&^
zbM(OZ!XFGbhjq`QoNB{{LS#=9cH20#EIbMMXw$rZ8#QD3Qy`tF2dNfs)VIB~c>JZY
z&&LGO?hE$G>vRr*=p49#&Lwr};YwxVi_4G2EoV`6L!vE~e8157Z{ZDZEPm1%fnCj)
zYjmasu@I!8E#PV{h9Hasp(-pI;xPc~tnn10GN^WC#}(xm#b0<D6zE1I!EU??)OD|1
zcV2A*?2>B`y|)fJ2%_X`AUO}zSg(OF`Y%nA?0-wse}@aG_KSeb&rbb20V_*m3q9>s
zrjtOipRXcfcz?z22IHH8c@?Vc(L&~tJWnkaf5`IPZhc9=yP-Q8!o#++Rhkjoa}s-1
zVsJ(rGQAhI&l7le>`Tj;x(<f1rQSoTSWin=38eGo@!&Kv)#BT74J3`^mZ+%-&HGcU
zi?llwi^ZgDnTjQz8hhOt4HUXZLO=RsG+Z=wxWc}Y7Q+Wq`3Q#YAHIl^Q1JH)^RbQJ
zFEuIn{^-6)7NHw>-=E(vd*J;ttayl)4q%0L-*EYD_l=@oggMV&wQ=_y-M7kl9_Bgz
zuNygkAj48JdO^}Sa#t$#s6`s<frrTM$-5_>C1&{>a-6lT;&Ke?ZIck>YO_;37pB><
zO@Hil0GBZ-IjBl1;e-E8@d0#|W<&HF{tKGaR^LaN#j}oXgO0*;wgur=<wpDiXLdgq
zm-e7}hz}o6x7~B}GBVzo5>1YDRE{VRVCc#kbk=2j^=-%31u<a&y%WN;3WRCFHB2KA
zo0jtbgv$_+{{>=h#*JM5Ur!YO3BDDJe2SwV0kn+Tkg?sgP^~v}Tluoc{q{GRtcn-&
zC5?_>xLjvgdtn;I_b##HPajj;-iwkcwvnX<;jd&<zgIr1-=QiaxF?xV;(wrN&O~Ee
zA&2y=ImvRO(SbQMJ416f(@m%1KR6O|PUjvmef=WC_%`O=wSbhYfP1EnxF+^&Rhk%N
z(L|A_I8V|Iqf!%*8#_%-^$oUPe(UL1^Fr%|m(EC2$&3%dfoK~*yW?J%TmHc-DLWPc
zImU+b#D1zO@fAmr?qhqY;}vDSk7sVSvFlVkl^)Or#Fm|^JdfCjuvQc*CLRbnxX>o~
zVs8ab+U<U~mLKQc%A;RrC+sbHlx!u|;7fiDl3)Hp*1rWW{VG}EO)rF1X82}x(~AM2
zFWnW8d<m`*L6eg~^0`Qkzf;H!%n$fqcS&fAxG5@D0auzi6fM@!D>BTShCQE6NY8qC
zDvbP6(2j#fM8z$!v@fLQCc#_J@uXSll7jl!x6k72O_5v$^|s$mcZ7z;ZOs@qqQS)|
z*M59s_P8sp;&p`ajQ@9jwJ8Rq8HdcdI<BFIgL{L<L`&Y!Yn4S`@Mk$(osCsC<mr|U
zZ#C1(4R`4rt;u~N-JtS-opH3zB_ix-AswUUjUxkzXC8h2oWQ4rF?+7NaJkTVs|P1u
zd-tWWV|Ai^*OR#eV>J$Jkyqs@3t-M@Yi7zhC%ffsLi))TA^8tFMvdq|gJ4JIrZ08e
zkzTSBtwv0?8DY$LoNP~yi@2cG`INpWZrh{O+NMO~7&Lr_fM$XYGGIV{fB*>}K*446
zkrANe?+GJUj_Y^io+*Todv8nHPvmN>Be#Qr4hTg6t7Wqy;z)=+tSJ8eZxwm)Kz!9t
zMNL={>MR1w0v*{P0KBv;O6%gcC)afL33u7{y*=xzT;wHj_65<sVWg9nJX*W&8`(@Y
zPshtbR7UaWP|SjSv}AhsD~q#cK~F}ymDB_f_r5Qx2@U!`U!V%hRu!N*m(vQ3WbSnO
zRPK$gkz(}k31Q_^dSq5`II(HFeAxrsY_7H&?bs6Oay_nkAtAKkLdATwIcrk3T+Bot
zokzc8C`qGhsUuE{?+jlF?)}HFxu;}HW|JbC?)zN4RwMUghA~(wc{Y`vRJ3O{J6XWT
zFWHeQmKqW|NE?1avMBHK0m~N}rk7skD3m6}dobtjdM?ALRCw-X=tB0ZJUOd&myD{k
zWbGKvzLagQ#I8958;;d;M0oY^&xCf409vMo#aiRELU%tmtCpEI+z#JIkIB6tcVHpE
z5MJ4{*>r#pw5o8~ocaKV9ZhiRTS(ZL`py&{n67;m$;0Mhnf){MJ%bLOG=DMvwW}!W
z>V)XG4DR&lQJ_TYa79;3VSWGoschBTPE^HK*f>MZKe<)8HS7eF5*wYM_8GqaOc&%<
z-+BKs4jFcZoZwkEq{!Mw3%El=fy-vM0&K1Y!-`)<{#FrkD{FAwt^8lYirmmF3f&C2
zcfKIF^BnqauFYPTtvLU;0s-fQBQr=(Q%}9gwu7yXPT+oq$8VFUBsc|6B2&tyN$i3q
zaVC<5ErHo{eG-YipsN2%Sg~{x2SCTptL3+G7_NxI<G7-;X&f`FGXssoWpsTU0gg0$
z#9nwDtPAE#ssv2@K8IoP@h7abRo1Yb{nhmUaPBxT3HRJ^^;8_TwRU!W2I_eo8e0CV
z{(sFE4PPJ~s2bo1*}+ua?EAi*W3r-o%v2}b>|VB{%|qni163Q+fo(wy`mtJ0#M3V<
zS#+%u626w##yu_UQ0-jFZL%|1ZursI&Js7-nJ(L^&MsOpZ||Y&<VyJL%yPFk{0qN%
zp$2YCimjsKS((pqB-iJn_I$_L7w=EL{LCDkH{X}M6d6h^c=$Gh&8W+uGXZC7m&lQu
zF3^mB%yZ2)VS1Xrw-oOmfJmEtbLXb_;BeX_j5U?!L-q09x4Mx%irCSr&R)uO@GNo2
zu{d1tqtLiV-;j^tds}j+QfR(JmsoFoP=bx$B!<_36f41v3?BMY6aRoS%GJih%Uh2y
z>0*bt_~TGK%jM_+UF=*x<{Jy(RZNU`>JLl19DObB!t*#VlRKk~aBbSI^>y>q*1kwt
zds(aC&)q0p(-IcW+N~IZJ5}*ijEN2i7~2u@)#KgY)s_jI(?54-duyx74lZ9XO;LT>
zsQ&XktGP3AI;GUaEmsBIXP;H8_kLdLrXwip3Gdg+PT>SiSjBiOIJji&?T+>C;ny5L
z*~W1^CE-H;M9jbkF*66Sro^tO$}_DoI<$y*m{v@1F|_BNgllMkHcq%?l55J$Idh8A
za%(s~%MBHqB+OLKp+d!`KlQ8)H!(ggM*U_EWc8O=Oj7x_?!L&NxKl2)Fk1Dn!SMkb
zwWx97At#ive?f=T7m;2=e39vusZvqng<(Xkh>DXvFL~wFWgf8xBOut6Ul^NFD%8yg
zHk^AUJ_t}RJ|Ftiz_~W)sm#KtfO^$TcYK_v)U(GY!SL8O#&_h{tPCG{1t`Csu_NK=
zE;72Nh>ppN3mEIpFYz~5q<`A}xv|khvJ|0aY!ilcY<+C{njFn{{Iae?5m_YnSS-TB
zXxwe0cK+(0RtL{KxiMkQEX#uu&vqt08K8c6aggT|Dk968i{Ij5)#%H}tqHMMoY+v_
zF||)Y1q#95#UpId#G2c7>@j){e;o2N)04_8cdpK-)Be&zR~~%Dz$PK-4DZsb!In>&
z`-UW|Y+j|gJ|-AWaV2M7qKa#8JLJ$U-fy1iAQLu~DiRuf`rS6mD>#inrkuTAD<$vs
z17dN0zB7k|dafN=Jk)BbuRz>(-9V}^+^NQi@vHmZ3hW(|uMXmFO)b|`CnJ~D51rLf
zNIjAL@^sY69CC@>yIT(rEeNU22=aASUFC19b|Bau!%L7w;yJmgwGI}uqq~wTa(35h
z6>!ac?+kA99drL9h_~`uJLN@f#(vPTDx7@ubZ?97qh>Mwa*-I>l~B*1vNxTXZ)M`<
zdb4xHRjC&)9+^xlH_O>>P|x)4SqttJk}l;^nicEZ{r!|Ahk!h6H`(jv(^A2<sixBC
z?5KC#_iiTNOO0CT{xRMb#p}|_+<ts1@-~XBA{Ikrx-VNfZYEVEdCR2lPSMp9-<F6o
z-SzRUmHy%1@`cZ#jlzbWS`8Z7yYI7(O`j&R_8#1Jg&iY0Ir=_gDGV%HTKJk0(faY`
z*Do%eI0Pd`sb*(}j9H)?9o~5W(dV}`RE6g;W`DBOJ71dg=E9@eav~uwB}nLdyvBG{
zi@-a@lHr{-XUvD5GzyfSxZ37+YNYH(Qu(V_Z{EhF9q(SrOi4==FBOUyDqFZbG36R}
z|Fdp6kQw5?u<so0Ckct5K|$(G#kWFtVp`M=Z&A^9!z@Gujx0q|3PP=>2zXo<T8~y?
zw;b?@_o<HRldzpzl2WHwhjIR1m)l92xpTIt+b2Z6pS@%}dI_J+o4@x~<*?dIb*i13
z3Ochxd)(728S6{0-=}|ze4KLKK%x_-ayLZff4|*wqlf9gleCfkb!dEl5*Pf1`whw)
zYya~LNQKD^D_*Oi2Ut+RYT2BjP{`1BnDcjrH)g0Lu2s(SvR!2=UC&T!oNrX(tKXtB
ztyR#LNba*dx+uz5n=Z4gaG>?_VnogNk@q3=c247-#}@fKPq$UsckC&6kR0JUH{!5z
zBl+n2ab*^JUF0#*V_4N@3R~|sG@eJHm-U3JwKzhZuiPUcHK<j#x)NdUXu)J2J0I+q
z$9I_bD0bk^41Z?`lwgpiTsy}fL?+caGrk#gY%yte|3jMeaC^DSm;QrP;_?!X?z<ZA
z^;AEH*fTo2pIMx6oHFAfG)XtvKDC$;{z3Hve&B5ewC*XebXy;*>2w?~WZB;QZXB=S
zj(b;2$+9zDjy~vLS9`-^ho4aGOiUinkww4I06Ftd%#5IT<F0acDe{<im$-l((0r=f
zh}GP?Vz4`Z=#pSj<8#!DMwNMcTajjY9nmzo#mqyr<KK09ckOiGKHq*rl%?y0d<|XY
z^s?WN=gTIs4;c@Y2|Pj45@H{#T(~64o{!)1NBvu7H+G=IsnKk^z+Bm~(EQV|i&KfX
zm}2iOe6LT<L}cJJ7*loe$zFMHF9_$9>KGf5)p$?a-Y`6=<x%Z3aImq*H{jMz7P94g
zF9JoA?cfDwr5hiG8$!N*rMtVeAh~}2O-hE-N1O+(dY}adMe5r`hWjp~m4coh-Wcl!
zo{=lzz(6;a<|JX~?pb{XX|$`}3!A3J{)sxHy{d=5#qaR**{6h)5Ut-D+;F$LK^A0;
zG`}OX_kGfEi$EE#vRvasoN8R2p8A<v51YNmxb;qTbXg}L<xf4dK}iJ>`bNfM@AA{R
zo@t!WNU5klHQu9m^ZwwVFW#x}<<Yp=<JOZLT*P)WiGe0n8?$#2a}IR#<i_D^$xcTP
zX1cPy9d#ZXR~Oa#%KOHxt3WDxe`VI0jxCSmb(pdqwp+Dj+!Q*K!N2Rh!9^+Amn982
zeu)f!Y|k4eq^P8q@ze5grLD+gyiX2uh<3#@-L7wqn`^2{ToC-`9ZXiGqsGAT!CCuH
z5jT#8Bd#L+_lP_HClqnrOLV_S9CsZ(a1e?_xcs(*+czr<E0(JLts=C8JIK0GkrUd%
zvB@Q#{NAE*vI1XYkoMTMWcisU+;twv(7%U8p#yB_i_j)RTk!o**IDtvm&Y3o!HV2w
n3_le&!vau>dkDiKuWlnO&i@I)f*;z>R$)ed!a^R}6sG<cDKn(@

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test b/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
new file mode 100644
index 0000000000..0d68f8495d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
@@ -0,0 +1,5 @@
+# This tests that no error messages are output when a protocol violation occurs
+
+# @TEST-EXEC: zeek -C -r $TRACES/tls/tls1.2-protocol-violation.pcap %INPUT
+# @TEST-EXEC: test -f dpd.log
+# @TEST-EXEC: btest-diff .stderr

From 9a47e201f846ece3cbde7d845e786c25a7c0a564 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 3 May 2023 13:41:36 +0100
Subject: [PATCH 2/2] SSL: failing analyzer handling - address review feedback

Fold the two analyzer_violation_info events into one. See GH-3012
---
 scripts/base/protocols/ssl/main.zeek | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index f4c2eb4e18..1389b711db 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -501,11 +501,6 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
 
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
 	{
-	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
-		{
-		# analyzer errored out; prevent us from trying to remove it later
-		delete info$c$ssl$analyzer_id;
-		}
 	}
 
 event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
@@ -523,5 +518,9 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 	{
 	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
 		if ( info$c?$ssl )
+			{
+			# analyzer errored out; prevent us from trying to remove it later
+			delete info$c$ssl$analyzer_id;
 			finish(info$c, T);
+			}
 	}