From 9a47e201f846ece3cbde7d845e786c25a7c0a564 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 3 May 2023 13:41:36 +0100
Subject: [PATCH] SSL: failing analyzer handling - address review feedback

Fold the two analyzer_violation_info events into one. See GH-3012
---
 scripts/base/protocols/ssl/main.zeek | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index f4c2eb4e18..1389b711db 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -501,11 +501,6 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
 
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
 {
- if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
- {
- # analyzer errored out; prevent us from trying to remove it later
- delete info$c$ssl$analyzer_id;
- }
 }
 
 event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
@@ -523,5 +518,9 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 {
 if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
 if ( info$c?$ssl )
+ {
+ # analyzer errored out; prevent us from trying to remove it later
+ delete info$c$ssl$analyzer_id;
 finish(info$c, T);
+ }
 }
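Review bot: In the second hunk, `finish(info$c, T);` now runs immediately after `delete info$c$ssl$analyzer_id;`, so the `T` argument reads as contradicting the comment about not removing the analyzer later. `finish` is defined outside the hunk; if its second argument requests analyzer removal and it keys on `analyzer_id`, that removal can no longer happen on this path, and a comment such as `# analyzer_id is cleared above, so finish() will not try to disable the analyzer` would make the intent explicit. Separately, the first hunk leaves the earlier `analyzer_violation_info` handler with an empty body between `{` and `}`; removing that handler entirely would avoid a no-op event registration that a later reader may mistake for unfinished work.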