Make ports for LDAP analyzers fully configurable

This moves the ports the LDAP analyzers should be triggered on from the
EVT file to the Zeek module. This gives users full control over which
ports the analyzers are registered for while previously they could only
register them for additional ports (there is no Zeek script equivalent
of `Manager::UnregisterAnalyzerForPort`).

The analyzers could still be triggered via DPD, but this is intentional.
To fully disable analyzers users can use e.g.,

```zeek
event zeek_init()
    {
    Analyzer::disable_analyzer(Analyzer::ANALYZER_LDAP_TCP);
    }
```

scripts/base/protocols/ldap/main.zeek

@@ -6,6 +6,14 @@ export {
   redef enum Log::ID += { LDAP_LOG,
                           LDAP_SEARCH_LOG };
 
+  ## TCP ports which should be considered for analysis.
+  const ports_tcp = { 389/tcp, 3268/tcp } &redef;
+
+  ## UDP ports which should be considered for analysis.
+  const ports_udp = { 389/udp } &redef;
+
+  redef likely_server_ports += { LDAP::ports_tcp, LDAP::ports_udp };
+
   ## Whether clear text passwords are captured or not.
   option default_capture_password = F;
 
@@ -260,6 +268,9 @@ redef record connection += {
 
 #############################################################################
 event zeek_init() &priority=5 {
+  Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_TCP, LDAP::ports_tcp);
+  Analyzer::register_for_ports(Analyzer::ANALYZER_LDAP_UDP, LDAP::ports_udp);
+
   Log::create_stream(LDAP::LDAP_LOG, [$columns=Message, $ev=log_ldap, $path="ldap", $policy=log_policy]);
   Log::create_stream(LDAP::LDAP_SEARCH_LOG, [$columns=Search, $ev=log_ldap_search, $path="ldap_search", $policy=log_policy_search]);
 }

src/analyzer/protocol/ldap/ldap.evt

@@ -1,12 +1,10 @@
 # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
 
 protocol analyzer LDAP_TCP over TCP:
-    parse with LDAP::Messages,
+    parse with LDAP::Messages;
-    ports { 389/tcp, 3268/tcp};
 
 protocol analyzer LDAP_UDP over UDP:
-    parse with LDAP::Messages,
+    parse with LDAP::Messages;
-    ports { 389/udp };
 
 import LDAP;
 

testing/btest/Baseline/core.print-bpf-filters/output2

@@ -18,9 +18,11 @@
 1 25
 1 2811
 1 3128
+1 3268
 1 3306
 2 3389
 1 3544
+2 389
 1 4011
 2 443
 1 445
@@ -60,8 +62,8 @@
 1 992
 1 993
 1 995
-67 and
+70 and
-66 or
+69 or
-67 port
+70 port
-44 tcp
+46 tcp
-23 udp
+24 udp

testing/btest/Baseline/spicy.port-range-one-port/out.filtered

@@ -1,5 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[zeek]   Scheduling analyzer for port 389/tcp
-[zeek]   Scheduling analyzer for port 3268/tcp
-[zeek]   Scheduling analyzer for port 389/udp
 [zeek]   Scheduling analyzer for port 31336/udp

testing/btest/core/print-bpf-filters.zeek

@@ -1,3 +1,5 @@
+# @TEST-REQUIRES: have-spicy
+#
 # @TEST-EXEC: zeek -r $TRACES/empty.trace >output
 # @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: zeek -r $TRACES/empty.trace -f "port 42" >>output
@@ -6,10 +8,9 @@
 # @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: btest-diff conn.log
-# 
+#
 # The order in the output of enable_auto_protocol_capture_filters isn't
 # stable, for reasons not clear. We canonify it first.
 # @TEST-EXEC: zeek -r $TRACES/empty.trace PacketFilter::enable_auto_protocol_capture_filters=T
 # @TEST-EXEC: cat packet_filter.log | zeek-cut filter | sed 's#[()]##g' | tr ' ' '\n' | sort | uniq -c | awk '{print $1, $2}' >output2
 # @TEST-EXEC: btest-diff output2
-

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-718bc67ea10606ec29acfdae05c463518319e8f2
+5ac67a3895edf0ea6a757ae3ea8626621f57db41