Analyzer failure logging: tweaks and test fixes

The main part of this commit is the changes in tests. A lot of the tests
that previously relied on analyzer.log or dpd.log now use the new
analyzer-failed.log.

I verified all the changes and, as far as I can tell, everything
behaves as it should. This includes the external test baselines.

This change also enables logging of file and packet analyzers to
analyzer_failed.log and fixes some small behavior issues.

The analyzer_failed event is no longer raised when the removal of an
analyzer is vetoed.

If an analyzer is no longer active when an analyzer violation is raised,
currently the analyzer_failed event is raised. This can, e.g., happen
when an analyzer error happens at the very end of the connection. This
makes the behavior more similar to what happened in the past, and also
intuitively seems to make sense.

A bug introduced in the failed service logging was fixed.
Johanna Amann 2025-04-10 11:13:33 +01:00
parent 8c814fa88c
commit af77a7a83b
143 changed files with 4523 additions and 4329 deletions

@ -5,7 +5,6 @@
# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: The addRequest/addResponse operation is not implemented, yet we process it.
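Review bot: the new negative check asserts on `analyzer_failed.log`, whereas the commit message calls the new log `analyzer-failed.log`; please make sure the documented name matches the file name the tests assert against, because a `! test -f` check against a name that is never written passes vacuously and would not catch a regression.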

@ -7,6 +7,6 @@
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: btest-diff ldap_search.log
# @TEST-EXEC: ! test -f weird.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: Test LDAP analyzer with SASL encrypted payloads.

@ -6,7 +6,6 @@
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: btest-diff ldap_search.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: This broke after #3826 got merged
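Review bot: the @TEST-DOC line `This broke after #3826 got merged` only references an issue number; state which LDAP behaviour the test guards so the test stays understandable without looking up #3826. The identical doc line is used in the next hunk as well.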

@ -6,7 +6,6 @@
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: btest-diff ldap_search.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: This broke after #3826 got merged

@ -6,6 +6,6 @@
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: btest-diff ldap_search.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.
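Review bot: typo in the @TEST-DOC line: `peak into` should be `peek into`; the same wording appears in the following hunk with the identical doc line.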

@ -6,6 +6,6 @@
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: btest-diff ldap_search.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.

@ -5,7 +5,6 @@
# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: SASL authentication using SRP (Secure Remote Password)

@ -9,7 +9,6 @@
# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: SASL bindRequest with SPNEGO NTLMSSP.

@ -7,8 +7,7 @@
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: LDAP supports StartTLS through extendedRequest 1.3.6.1.4.1.1466.20037

@ -6,8 +6,7 @@
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ldap.log
# @TEST-EXEC: ! test -f dpd.log
# @TEST-EXEC: ! test -f analyzer.log
# @TEST-EXEC: ! test -f analyzer_failed.log
#
# @TEST-DOC: Testing OpenLDAP's ldapwhoami utility with simple authentication.