First prototype of new analyzer framework.

This is a larger internal change that moves the analyzer
infrastructure to a more flexible model where the available analyzers
don't need to be hardcoded at compile time anymore. While currently
they actually still are, this will in the future enable external
analyzer plugins. For now, it does already add the capability to
dynamically enable/disable analyzers from script-land, replacing the
old Analyzer::Available() methods.

There are three major parts going into this:

    - A new plugin infrastructure in src/plugin. This is independent
      of analyzers and will eventually support plugins for other parts
      of Bro as well (think: readers and writers). The goal is that
      plugins can be alternatively compiled in statically or loadead
      dynamically at runtime from a shared library. While the latter
      isn't there yet, there'll be almost no code change for a plugin
      to make it dynamic later (hopefully :)

    - New analyzer infrastructure in src/analyzer. I've moved a number
      of analyzer-related classes here, including Analyzer and DPM;
      the latter now renamed to Analyzer::Manager. More will move here
      later. Currently, there's only one plugin here, which provides
      *all* existing analyzers. We can modularize this further in the
      future (or not).

    - A new script interface in base/framework/analyzer. I think that
      this will eventually replace the dpm framework, but for now
      that's still there as well, though some parts have moved over.

I've also remove the dpd_config table; ports are now configured via
the analyzer framework. For exmaple, for SSH:

    const ports = { 22/tcp } &redef;

    event bro_init() &priority=5
        {
        ...
        Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
        }

As you can see, the old ANALYZER_SSH constants have more into an enum
in the Analyzer namespace.

This is all hardly tested right now, and not everything works yet.
There's also a lot more cleanup to do (moving more classes around;
removing no longer used functionality; documenting script and C++
interfaces; regression tests). But it seems to generally work with a
small trace at least.

The debug stream "dpm" shows more about the loaded/enabled analyzers.

A new option -N lists loaded plugins and what they provide (including
those compiled in statically; i.e., right now it outputs all the
analyzers).

This is all not cast-in-stone yet, for some things we need to see if
they make sense this way. Feedback welcome.

scripts/base/frameworks/analyzer/__load__.bro

@@ -0,0 +1 @@
+@load ./main

scripts/base/frameworks/analyzer/main.bro

@@ -0,0 +1,119 @@
+
+module Analyzer;
+
+# Analyzer::Tag is defined in types.bif, and automatically extended by plugins
+# as they are loaded.
+
+export {
+	## XXX.
+	global enable_analyzer: function(tag: Analyzer::Tag) : bool;
+
+	## XXX.
+	global disable_analyzer: function(tag: Analyzer::Tag) : bool;
+
+	## XXX.
+	global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool;
+
+	## XXX.
+	global register_for_port: function(tag: Analyzer::Tag, p: port) : bool;
+
+	## XXX.
+	global registered_ports: function(tag: Analyzer::Tag) : set[port];
+
+	## Translate an analyzer type to an ASCII string.
+	##
+	## atype: The analyzer tag.
+	##
+	## Returns: The analyzer *aid* as string.
+	global name: function(atype: Analyzer::Tag) : string;
+
+	## Schedules an analyzer for a future connection from a given IP address and
+	## port. The function ignores the scheduling request if the connection did
+	## not occur within the specified time interval.
+	##
+	## orig: The IP address originating a connection in the future.
+	##
+	## resp: The IP address responding to a connection from *orig*.
+	##
+	## resp_p: The destination port at *resp*.
+	##
+	## analyzer: The analyzer ID.
+	##
+	## tout: The timeout interval after which to ignore the scheduling request.
+	##
+	## Returns: True if succesful.
+	global expect_connection: function(orig: addr, resp: addr, resp_p: port,
+					   analyzer: Analyzer::Tag, tout: interval) : bool;
+
+	## Analyzers to disable at startup.
+	global disabled_analyzers: set[Analyzer::Tag] = {
+		ANALYZER_INTERCONN,
+		ANALYZER_STEPPINGSTONE,
+		ANALYZER_BACKDOOR,
+		ANALYZER_TCPSTATS,
+	}
+
+	&redef;
+}
+
+@load base/analyzer.bif
+
+global ports: table[Analyzer::Tag] of set[port];
+
+event bro_init()
+	{
+	for ( a in disabled_analyzers )
+		disable_analyzer(a);
+	}
+
+function enable_analyzer(tag: Analyzer::Tag) : bool
+	{
+	return __enable_analyzer(tag);
+	}
+
+function disable_analyzer(tag: Analyzer::Tag) : bool
+	{
+	return __disable_analyzer(tag);
+	}
+
+function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
+	{
+	local rc = T;
+	
+	for ( p in ports ) 
+		{
+		if ( ! register_for_port(tag, p) )
+			rc = F;
+		}
+
+	return rc;
+	}
+
+function register_for_port(tag: Analyzer::Tag, p: port) : bool
+	{
+	if ( ! __register_for_port(tag, p) )
+		return F;
+
+	if ( tag !in ports )
+		ports[tag] = set();
+	
+	add ports[tag][p];
+	return T;
+	}
+
+function registered_ports(tag: Analyzer::Tag) : set[port]
+	{
+	return tag in ports ? ports[tag] : set();
+	}
+
+function name(atype: Analyzer::Tag) : string
+	{
+	return __name(atype);
+	}
+
+function expect_connection(orig: addr, resp: addr, resp_p: port,
+			   analyzer: Analyzer::Tag, tout: interval) : bool
+	{
+	return __expect_connection(orig, resp, resp_p, analyzer, tout);
+	}
+

scripts/base/frameworks/dpd/main.bro

@@ -41,33 +41,27 @@ redef record connection += {
 event bro_init() &priority=5
 	{
 	Log::create_stream(DPD::LOG, [$columns=Info]);
-	
-	# Populate the internal DPD analysis variable.
-	for ( a in dpd_config )
-		{
-		for ( p in dpd_config[a]$ports )
-			{
-			if ( p !in dpd_analyzer_ports )
-				dpd_analyzer_ports[p] = set();
-			add dpd_analyzer_ports[p][a];
-			}
-		}
 	}
 
-event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10
+function foo() : string
 	{
-	local analyzer = analyzer_name(atype);
-	
+	return "HTTP";
+	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
+	{
+	local analyzer = Analyzer::name(atype);
+
 	if ( fmt("-%s",analyzer) in c$service )
 		delete c$service[fmt("-%s", analyzer)];
 
 	add c$service[analyzer];
 	}
 
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                          reason: string) &priority=10
 	{
-	local analyzer = analyzer_name(atype);
+	local analyzer = Analyzer::name(atype);
 	# If the service hasn't been confirmed yet, don't generate a log message
 	# for the protocol violation.
 	if ( analyzer !in c$service )
@@ -86,7 +80,7 @@ event protocol_violation(c: connection, atype: count, aid: count,
 	c$dpd = info;
 	}
 
-event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
 	{
 	if ( !c?$dpd || aid in c$dpd$disabled_aids )
 		return;
@@ -100,7 +94,7 @@ event protocol_violation(c: connection, atype: count, aid: count, reason: string
 	add c$dpd$disabled_aids[aid];
 	}
 
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
 				reason: string) &priority=-5
 	{
 	if ( c?$dpd )

scripts/base/frameworks/tunnels/main.bro

@@ -83,19 +83,17 @@ export {
 }
 
 const ayiya_ports = { 5072/udp };
-redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
-
 const teredo_ports = { 3544/udp };
-redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
-
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] };
-
 redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info]);
+
+	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	}
 
 function register_all(ecv: EncapsulatingConnVector)

scripts/base/init-bare.bro

@@ -2846,34 +2846,11 @@ const remote_trace_sync_peers = 0 &redef;
 ## consistency check.
 const remote_check_sync_consistency = F &redef;
 
-## Analyzer tags. The core automatically defines constants
-## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``.
-##
-## .. bro:see:: dpd_config
-##
-## .. todo::We should autodoc these automaticallty generated constants.
-type AnalyzerTag: count;
-
-## Set of ports activating a particular protocol analysis.
-##
-## .. bro:see:: dpd_config
-type dpd_protocol_config: record {
-	ports: set[port] &optional;	##< Set of ports.
-};
-
-## Port configuration for Bro's "dynamic protocol detection". Protocol
-## analyzers can be activated via either well-known ports or content analysis.
-## This table defines the ports.
-##
-## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
-##    dpd_match_only_beginning dpd_ignore_ports
-const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
-
 ## Reassemble the beginning of all TCP connections before doing
 ## signature-matching. Enabling this provides more accurate matching at the
 ## expensive of CPU cycles.
 ##
-## .. bro:see:: dpd_config dpd_buffer_size
+## .. bro:see:: dpd_buffer_size
 ##    dpd_match_only_beginning dpd_ignore_ports
 ##
 ## .. note:: Despite the name, this option affects *all* signature matching, not
@@ -2888,24 +2865,24 @@ const dpd_reassemble_first_packets = T &redef;
 ## activated afterwards. Then only analyzers that can deal with partial
 ## connections will be able to analyze the session.
 ##
-## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning
+## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning
 ##    dpd_ignore_ports
 const dpd_buffer_size = 1024 &redef;
 
 ## If true, stops signature matching if dpd_buffer_size has been reached.
 ##
 ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
-##    dpd_config dpd_ignore_ports
+##    dpd_ignore_ports
 ##
 ## .. note:: Despite the name, this option affects *all* signature matching, not
 ##    only signatures used for dynamic protocol detection.
 const dpd_match_only_beginning = T &redef;
 
 ## If true, don't consider any ports for deciding which protocol analyzer to
-## use. If so, the value of :bro:see:`dpd_config` is ignored.
+## use. 
 ##
 ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
-##    dpd_match_only_beginning dpd_config
+##    dpd_match_only_beginning
 const dpd_ignore_ports = F &redef;
 
 ## Ports which the core considers being likely used by servers. For ports in
@@ -2913,13 +2890,6 @@ const dpd_ignore_ports = F &redef;
 ## connection if it misses the initial handshake.
 const likely_server_ports: set[port] &redef;
 
-## Deprated. Set of all ports for which we know an analyzer, built by
-## :doc:`/scripts/base/frameworks/dpd/main`.
-##
-## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main`
-##    itself we still need it.
-global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
-
 ## Per-incident timer managers are drained after this amount of inactivity.
 const timer_mgr_inactivity_timeout = 1 min &redef;
 
@@ -3028,9 +2998,9 @@ module GLOBAL;
 ## Number of bytes per packet to capture from live interfaces.
 const snaplen = 8192 &redef;
 
-# Load the logging framework here because it uses fairly deep integration with
+# Load these frameworks here because it uses fairly deep integration with
 # BiFs and script-land defined types.
 @load base/frameworks/logging
-
 @load base/frameworks/input
+@load base/frameworks/analyzer
 

scripts/base/init-default.bro

@@ -20,6 +20,7 @@
 # loaded in base/init-bare.bro
 #@load base/frameworks/logging
 @load base/frameworks/notice
+@load base/frameworks/analyzer
 @load base/frameworks/dpd
 @load base/frameworks/signatures
 @load base/frameworks/packet-filter

scripts/base/protocols/conn/inactivity.bro

@@ -6,9 +6,9 @@ module Conn;
 export {
 	## Define inactivity timeouts by the service detected being used over
 	## the connection.
-	const analyzer_inactivity_timeouts: table[AnalyzerTag] of interval = {
+	const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
 		# For interactive services, allow longer periods of inactivity.
-		[[ANALYZER_SSH, ANALYZER_FTP]] = 1 hrs,
+		[[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
 	} &redef;
 	
 	## Define inactivity timeouts based on common protocol ports.
@@ -18,7 +18,7 @@ export {
 	
 }
 	
-event protocol_confirmation(c: connection, atype: count, aid: count)
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
 	{
 	if ( atype in analyzer_inactivity_timeouts )
 		set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]);

scripts/base/protocols/dns/main.bro

@@ -117,19 +117,17 @@ redef capture_filters += {
 	["netbios-ns"] = "udp port 137",
 };
 
-const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
-redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
-
 const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp };
 const dns_tcp_ports = { 53/tcp };
-redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
-redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
 
-redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+redef likely_server_ports += { dns_udp_ports, dns_tcp_ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]);
+
+	Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_TCP_BINPAC, dns_tcp_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_DNS_UDP_BINPAC, dns_udp_ports);
 	}
 
 function new_session(c: connection, trans_id: count): Info

scripts/base/protocols/ftp/main.bro

@@ -96,11 +96,10 @@ redef record connection += {
 };
 
 # Configure DPD
-const ports = { 21/tcp, 2811/tcp } &redef; # 2811/tcp is GridFTP.
 redef capture_filters += { ["ftp"] = "port 21 and port 2811" };
-redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
 
-redef likely_server_ports += { 21/tcp, 2811/tcp };
+const ports = { 21/tcp, 2811/tcp };
+redef likely_server_ports += { ports };
 
 # Establish the variable for tracking expected connections.
 global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
@@ -108,6 +107,7 @@ global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
 event bro_init() &priority=5
 	{
 	Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
 	}
 
 ## A set of commands where the argument can be expected to refer
@@ -228,7 +228,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 			{
 			c$ftp$passive=F;
 			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			Analyzer::expect_connection(id$resp_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins);
 			}
 		else
 			{
@@ -281,7 +281,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 				data$h = id$resp_h;
 			
 			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			Analyzer::expect_connection(id$orig_h, data$h, data$p, Analyzer::ANALYZER_FILE, 5mins);
 			}
 		else
 			{

scripts/base/protocols/http/main.bro

@@ -119,29 +119,26 @@ redef record connection += {
 	http_state:  State &optional;
 };
 
-# Initialize the HTTP logging stream.
-event bro_init() &priority=5
-	{
-	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
-	}
-
 # DPD configuration.
-const ports = {
-	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
-	8000/tcp, 8080/tcp, 8888/tcp,
-};
-redef dpd_config += { 
-	[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
-};
 redef capture_filters +=  {
 	["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
 };
 
-redef likely_server_ports += { 
-	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
+const ports = {
+	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
 	8000/tcp, 8080/tcp, 8888/tcp,
 };
 
+redef likely_server_ports += { ports };
+
+
+# Initialize the HTTP logging stream and ports.
+event bro_init() &priority=5
+	{
+	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
+	}
+
 function code_in_range(c: count, min: count, max: count) : bool
 	{
 	return c >= min && c <= max;

scripts/base/protocols/irc/dcc-send.bro

@@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
 	c$irc$dcc_file_name = argument;
 	c$irc$dcc_file_size = size;
 	local p = count_to_port(dest_port, tcp);
-	expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
+	Analyzer::expect_connection(to_addr("0.0.0.0"), address, p, Analyzer::ANALYZER_FILE, 5 min);
 	dcc_expected_transfers[address, p] = c$irc;
 	}
 

scripts/base/protocols/irc/main.bro

@@ -45,14 +45,13 @@ redef capture_filters += { ["irc-6668"] = "port 6668" };
 redef capture_filters += { ["irc-6669"] = "port 6669" };
 
 # DPD configuration.
-const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
-redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
-
-redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
+const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
+redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
 	}
 	
 function new_session(c: connection): Info

scripts/base/protocols/modbus/main.bro

@@ -31,12 +31,14 @@ redef record connection += {
 
 # Configure DPD and the packet filter.
 redef capture_filters += { ["modbus"] = "tcp port 502" };
-redef dpd_config += { [ANALYZER_MODBUS] = [$ports = set(502/tcp)] };
-redef likely_server_ports += { 502/tcp };
+
+const ports = { 502/tcp };
+redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
 	}
 
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=5

scripts/base/protocols/smtp/main.bro

@@ -74,9 +74,6 @@ export {
 	const mail_path_capture = ALL_HOSTS &redef;
 		
 	global log_smtp: event(rec: Info);
-	
-	## Configure the default ports for SMTP analysis.
-	const ports = { 25/tcp, 587/tcp } &redef;
 }
 
 redef record connection += { 
@@ -86,13 +83,14 @@ redef record connection += {
 
 # Configure DPD
 redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" };
-redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] };
 
-redef likely_server_ports += { 25/tcp, 587/tcp };
+const ports = { 25/tcp, 587/tcp };
+redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
 	}
 	
 function find_address_in_smtp_header(header: string): string

scripts/base/protocols/socks/main.bro

@@ -34,9 +34,13 @@ export {
 	global log_socks: event(rec: Info);
 }
 
+const ports = { 1080/tcp };
+redef likely_server_ports += { ports };
+
 event bro_init() &priority=5
 	{
 	Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
 	}
 
 redef record connection += {
@@ -45,7 +49,6 @@ redef record connection += {
 
 # Configure DPD
 redef capture_filters += { ["socks"] = "tcp port 1080" };
-redef dpd_config += { [ANALYZER_SOCKS] = [$ports = set(1080/tcp)] };
 redef likely_server_ports += { 1080/tcp };
 
 function set_session(c: connection, version: count)

scripts/base/protocols/ssh/main.bro

@@ -76,10 +76,11 @@ export {
 }
 
 # Configure DPD and the packet filter
-redef capture_filters += { ["ssh"] = "tcp port 22" };
-redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] };
 
-redef likely_server_ports += { 22/tcp };
+const ports = { 22/tcp };
+ 
+redef capture_filters += { ["ssh"] = "tcp port 22" };
+redef likely_server_ports += { ports };
 
 redef record connection += {
 	ssh: Info &optional;
@@ -88,6 +89,7 @@ redef record connection += {
 event bro_init() &priority=5
 {
 	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
 }
 
 function set_session(c: connection)

scripts/base/protocols/ssl/main.bro

@@ -94,11 +94,6 @@ redef record Info += {
 		delay_tokens: set[string] &optional;
 };
 
-event bro_init() &priority=5
-	{
-	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
-	}
-
 redef capture_filters += {
 	["ssl"] = "tcp port 443",
 	["nntps"] = "tcp port 563",
@@ -117,16 +112,9 @@ redef capture_filters += {
 const ports = {
 	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
 	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-};
+} &redef;
 
-redef dpd_config += {
-	[[ANALYZER_SSL]] = [$ports = ports]
-};
-
-redef likely_server_ports += {
-	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
-	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-};
+redef likely_server_ports += { ports };
 
 # A queue that buffers log records.
 global log_delay_queue: table[count] of Info;
@@ -135,6 +123,12 @@ global log_delay_queue_head = 0;
 # The bottom queue index that points to the next record to be flushed.
 global log_delay_queue_tail = 0;
 
+event bro_init() &priority=5
+	{
+	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ports);
+	}
+
 function set_session(c: connection)
 	{
 	if ( ! c?$ssl )
@@ -288,14 +282,14 @@ event ssl_established(c: connection) &priority=-5
 	finish(c);
 	}
 
-event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 	{
 	# Check by checking for existence of c$ssl record.
-	if ( c?$ssl && analyzer_name(atype) == "SSL" )
+	if ( c?$ssl && atype == Analyzer::ANALYZER_SSL )
 		c$ssl$analyzer_id = aid;
 	}
 
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                          reason: string) &priority=5
 	{
 	if ( c?$ssl )

scripts/base/protocols/syslog/main.bro

@@ -27,10 +27,9 @@ export {
 }
 
 redef capture_filters += { ["syslog"] = "port 514" };
-const ports = { 514/udp } &redef;
-redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] };
 
-redef likely_server_ports += { 514/udp };
+const ports = { 514/udp };
+redef likely_server_ports += { ports };
 
 redef record connection += {
 	syslog: Info &optional;
@@ -39,6 +38,7 @@ redef record connection += {
 event bro_init() &priority=5
 	{
 	Log::create_stream(Syslog::LOG, [$columns=Info]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG_BINPAC, ports);
 	}
 
 event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5