test: Add btest verifying max_analyzer_violations functionality

The pcap has been generated roughly based on the example found on wikipedia
with some added garbled response after the STAT command from the client.

testing/btest/Baseline/core.max-analyzer-violations/output

@@ -0,0 +1,15 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+reply, CHhAvVGS1DHFjwGM9, OK, example.com POP3-Server
+request, CHhAvVGS1DHFjwGM9, USER, zeek@zeek.org
+reply, CHhAvVGS1DHFjwGM9, OK, Please enter your password
+request, CHhAvVGS1DHFjwGM9, PASS, zeek
+reply, CHhAvVGS1DHFjwGM9, OK, mailbox locked and ready
+request, CHhAvVGS1DHFjwGM9, STAT, 
+1, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (+)
+2, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (???)
+3, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (..)
+4, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (???)
+5, violation, Analyzer::ANALYZER_POP3, CHhAvVGS1DHFjwGM9, 4, unknown server command (..x)
+reply, CHhAvVGS1DHFjwGM9, OK, 1 236
+request, CHhAvVGS1DHFjwGM9, QUIT, 
+reply, CHhAvVGS1DHFjwGM9, OK, Bye

testing/btest/Baseline/core.max-analyzer-violations/weird.log

@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	pop3_server_command_unknown	-	F	zeek	POP3
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	line_terminated_with_single_CR	-	F	zeek	CONTENTLINE
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	58246	127.0.0.1	110	too_many_analyzer_violations	-	F	zeek	POP3
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/core/max-analyzer-violations.zeek

@@ -0,0 +1,31 @@
+# @TEST-DOC: In the pcap, the server responds with 10 unknown server commands and analyzer_violation_info events are raised for each. Verify that setting max_analyzer_violations creates a weird and suppresses further analyzer violation events.
+
+# @TEST-EXEC: zeek -b -r $TRACES/pop3-unknown-commands.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/pop3
+@load base/frameworks/notice/weird
+
+# It would trigger 10
+redef max_analyzer_violations = 5;
+
+# Do not let DPD logic interfere with this test.
+redef DPD::ignore_violations += { Analyzer::ANALYZER_POP3 };
+
+global c = 0;
+
+event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
+	{
+	print ++c, "violation", atype, info$c$uid, info$aid, info$reason;
+	}
+
+event pop3_request(c: connection, is_orig: bool, command: string, arg: string)
+	{
+	print "request", c$uid, command, arg;
+	}
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string)
+	{
+	print "reply", c$uid, cmd, msg;
+	}