diff --git a/CHANGES b/CHANGES
index 53f28b811b..6c209a27f4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+7.0.0-dev.461 | 2024-07-10 18:45:36 +0200
+
+ * Extend btest for logging of disabled analyzers (Jan Grashoefer, Corelight)
+
+ * Add logging of disabled analyzers to analyzer.log (Jan Grashoefer, Corelight)
+
7.0.0-dev.458 | 2024-07-10 11:05:19 +0200
* testing/btest: Default to HILTI_JIT_PARALLELISM=1 (Arne Welzel, Corelight)
diff --git a/NEWS b/NEWS
index d757ddff05..e526919b09 100644
--- a/NEWS
+++ b/NEWS
@@ -112,6 +112,9 @@ New Functionality
the object-based representation of ports that ``to_json()`` generates for that
Zeek type.
+- The ``analyzer.log`` now optionally supports logging of disabled analyzers
+ through the new option ``Analyzer::logging::include_disabling``.
+
Changed Functionality
---------------------
diff --git a/VERSION b/VERSION
index 151a1023da..e7572f9d9b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.0.0-dev.458
+7.0.0-dev.461
diff --git a/scripts/base/frameworks/analyzer/logging.zeek b/scripts/base/frameworks/analyzer/logging.zeek
index dc3a611f4d..cde62315c2 100644
--- a/scripts/base/frameworks/analyzer/logging.zeek
+++ b/scripts/base/frameworks/analyzer/logging.zeek
@@ -53,6 +53,12 @@ export {
## service field.
option include_confirmations = F;
+ ## Enable tracking of analyzers getting disabled. This is mostly
+ ## interesting for troubleshooting of analyzers in DPD scenarios.
+ ## Setting this option may also generated multiple log entries per
+ ## connection.
+ option include_disabling = F;
+
## If a violation contains information about the data causing it,
## include at most this many bytes of it in the log.
option failure_data_max_size = 40;
@@ -88,11 +94,24 @@ event zeek_init() &priority=5
Option::set_change_handler("Analyzer::Logging::include_confirmations",
include_confirmations_handler);
+ local include_disabling_handler = function(id: string, new_value: bool): bool {
+ if ( new_value )
+ enable_event_group("Analyzer::Logging::include_disabling");
+ else
+ disable_event_group("Analyzer::Logging::include_disabling");
+
+ return new_value;
+ };
+ Option::set_change_handler("Analyzer::Logging::include_disabling",
+ include_disabling_handler);
+
# Call the handlers directly with the current values to avoid config
# framework interactions like creating entries in config.log.
enable_handler("Analyzer::Logging::enable", Analyzer::Logging::enable);
include_confirmations_handler("Analyzer::Logging::include_confirmations",
Analyzer::Logging::include_confirmations);
+ include_disabling_handler("Analyzer::Logging::include_disabling",
+ Analyzer::Logging::include_disabling);
}
@@ -119,7 +138,7 @@ function populate_from_file(rec: Info, f: fa_file)
{
rec$fuid = f$id;
# If the confirmation didn't have a connection, but the
- # fa_file object has has exactly one, use it.
+ # fa_file object has exactly one, use it.
if ( ! rec?$uid && f?$conns && |f$conns| == 1 )
{
for ( _, c in f$conns )
@@ -151,7 +170,7 @@ event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirm
Log::write(LOG, rec);
}
-event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=6
{
if ( atype in ignore_analyzers )
return;
@@ -180,3 +199,25 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
Log::write(LOG, rec);
}
+
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-1000 &group="Analyzer::Logging::include_disabling"
+ {
+ if ( atype in ignore_analyzers )
+ return;
+
+ local rec = Info(
+ $ts=network_time(),
+ $cause="disabled",
+ $analyzer_kind=analyzer_kind(atype),
+ $analyzer_name=Analyzer::name(atype),
+ );
+
+ populate_from_conn(rec, c);
+
+ if ( c?$dpd_state && aid in c$dpd_state$violations )
+ {
+ rec$failure_data = fmt("Disabled after %d violations", c$dpd_state$violations[aid]);
+ }
+
+ Log::write(LOG, rec);
+ }
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 297bdb3584..c3b551dc84 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -108,6 +108,8 @@
0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) ->
0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Analyzer::Logging::include_confirmations, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) ->
0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)) ->
+0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Analyzer::Logging::include_disabling, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) ->
+0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0)) ->
0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Broker::peer_counts_as_iosource, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) ->
0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) ->
0.000000 MetaHookPost CallFunction(Option::set_change_handler, , (Conn::default_extract, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)) ->
@@ -302,6 +304,7 @@
0.000000 MetaHookPost CallFunction(__init_primary_bifs, , ()) ->
0.000000 MetaHookPost CallFunction(__init_secondary_bifs, , ()) ->
0.000000 MetaHookPost CallFunction(disable_event_group, , (Analyzer::Logging::include_confirmations)) ->
+0.000000 MetaHookPost CallFunction(disable_event_group, , (Analyzer::Logging::include_disabling)) ->
0.000000 MetaHookPost CallFunction(enable_module_events, , (Analyzer::Logging)) ->
0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) ->
0.000000 MetaHookPost CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS)) ->
@@ -313,6 +316,7 @@
0.000000 MetaHookPost CallFunction(is_packet_analyzer, , (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)) ->
0.000000 MetaHookPost CallFunction(lambda_<15261139872714441626>, , (Analyzer::Logging::include_confirmations, F)) ->
0.000000 MetaHookPost CallFunction(lambda_<2645182068207650863>, , (Analyzer::Logging::enable, T)) ->
+0.000000 MetaHookPost CallFunction(lambda_<3084630089048204467>, , (Analyzer::Logging::include_disabling, F)) ->
0.000000 MetaHookPost CallFunction(port_to_count, , (2123/udp)) ->
0.000000 MetaHookPost CallFunction(port_to_count, , (2152/udp)) ->
0.000000 MetaHookPost CallFunction(port_to_count, , (3544/udp)) ->
@@ -1024,6 +1028,8 @@
0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Analyzer::Logging::include_confirmations, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0))
+0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Analyzer::Logging::include_disabling, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
+0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Broker::peer_counts_as_iosource, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
0.000000 MetaHookPre CallFunction(Option::set_change_handler, , (Conn::default_extract, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100))
@@ -1218,6 +1224,7 @@
0.000000 MetaHookPre CallFunction(__init_primary_bifs, , ())
0.000000 MetaHookPre CallFunction(__init_secondary_bifs, , ())
0.000000 MetaHookPre CallFunction(disable_event_group, , (Analyzer::Logging::include_confirmations))
+0.000000 MetaHookPre CallFunction(disable_event_group, , (Analyzer::Logging::include_disabling))
0.000000 MetaHookPre CallFunction(enable_module_events, , (Analyzer::Logging))
0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE))
0.000000 MetaHookPre CallFunction(getenv, , (ZEEK_DEFAULT_LISTEN_ADDRESS))
@@ -1229,6 +1236,7 @@
0.000000 MetaHookPre CallFunction(is_packet_analyzer, , (AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS))
0.000000 MetaHookPre CallFunction(lambda_<15261139872714441626>, , (Analyzer::Logging::include_confirmations, F))
0.000000 MetaHookPre CallFunction(lambda_<2645182068207650863>, , (Analyzer::Logging::enable, T))
+0.000000 MetaHookPre CallFunction(lambda_<3084630089048204467>, , (Analyzer::Logging::include_disabling, F))
0.000000 MetaHookPre CallFunction(port_to_count, , (2123/udp))
0.000000 MetaHookPre CallFunction(port_to_count, , (2152/udp))
0.000000 MetaHookPre CallFunction(port_to_count, , (3544/udp))
@@ -1939,6 +1947,8 @@
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::ignore_analyzers, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_confirmations, lambda_<15261139872714441626>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_confirmations)elsedisable_event_group(Analyzer::Logging::include_confirmations)return (Analyzer::Logging::new_value)}, 0)
+0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_disabling, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(Analyzer::Logging::include_disabling, lambda_<3084630089048204467>{ if (Analyzer::Logging::new_value) enable_event_group(Analyzer::Logging::include_disabling)elsedisable_event_group(Analyzer::Logging::include_disabling)return (Analyzer::Logging::new_value)}, 0)
0.000000 | HookCallFunction Option::set_change_handler(Broker::peer_counts_as_iosource, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Conn::analyzer_inactivity_timeouts, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
0.000000 | HookCallFunction Option::set_change_handler(Conn::default_extract, Config::config_option_changed{ if ( == Config::location) return (Config::new_value)Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerce Config::log)return (Config::new_value)}, -100)
@@ -2133,6 +2143,7 @@
0.000000 | HookCallFunction __init_primary_bifs()
0.000000 | HookCallFunction __init_secondary_bifs()
0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_confirmations)
+0.000000 | HookCallFunction disable_event_group(Analyzer::Logging::include_disabling)
0.000000 | HookCallFunction enable_module_events(Analyzer::Logging)
0.000000 | HookCallFunction getenv(CLUSTER_NODE)
0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
@@ -2144,6 +2155,7 @@
0.000000 | HookCallFunction is_packet_analyzer(AllAnalyzers::ANALYZER_ANALYZER_TCPSTATS)
0.000000 | HookCallFunction lambda_<15261139872714441626>(Analyzer::Logging::include_confirmations, F)
0.000000 | HookCallFunction lambda_<2645182068207650863>(Analyzer::Logging::enable, T)
+0.000000 | HookCallFunction lambda_<3084630089048204467>(Analyzer::Logging::include_disabling, F)
0.000000 | HookCallFunction port_to_count(2123/udp)
0.000000 | HookCallFunction port_to_count(2152/udp)
0.000000 | HookCallFunction port_to_count(3544/udp)
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-default
similarity index 80%
rename from testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations
rename to testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-default
index ef8059b705..db390c9968 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-no-confirmations
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-default
@@ -13,6 +13,4 @@ XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 5399
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
-XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
-XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations
index 87e8855b64..56c4033614 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-confirmations
@@ -15,6 +15,4 @@ XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 5399
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
-XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
-XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-disabling b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-disabling
new file mode 100644
index 0000000000..662d888f7c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.logging/analyzer.log-include-disabling
@@ -0,0 +1,17 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path analyzer
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
+#types time string string string string string addr port addr port string string
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: out_of_bound: DCE_RPC_PDU:frag: -2665 > 31 -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX violation protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers -
+XXXXXXXXXX.XXXXXX disabled protocol DCE_RPC ClEkJM2Vm5giqnMf4h - 10.0.0.55 53994 60.190.189.214 8124 - Disabled after 6 violations
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/scripts/base/frameworks/analyzer/logging.zeek b/testing/btest/scripts/base/frameworks/analyzer/logging.zeek
index 6f8be11f24..7e6be8e6be 100644
--- a/testing/btest/scripts/base/frameworks/analyzer/logging.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/logging.zeek
@@ -1,11 +1,19 @@
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT
-# @TEST-EXEC: mv analyzer.log analyzer.log-no-confirmations
-# @TEST-EXEC: btest-diff analyzer.log-no-confirmations
+# @TEST-EXEC: mv analyzer.log analyzer.log-default
+# @TEST-EXEC: btest-diff analyzer.log-default
# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_confirmations=T
# @TEST-EXEC: mv analyzer.log analyzer.log-include-confirmations
# @TEST-EXEC: btest-diff analyzer.log-include-confirmations
+# @TEST-EXEC: zeek -r ${TRACES}/socks.trace %INPUT Analyzer::Logging::include_disabling=T
+# @TEST-EXEC: mv analyzer.log analyzer.log-include-disabling
+# @TEST-EXEC: btest-diff analyzer.log-include-disabling
+
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/socks
+
+# DCE RPC violations are ignored by default. Consider violations for this
+# test so that the analyzer will be disabled eventually.
+redef DPD::ignore_violations -= { Analyzer::ANALYZER_DCE_RPC };