DPD: log analyzers that have confirmed

This switches the DPD logic to always log analyzers that raised a protocol confirmation. The logic is that, once a protocol has been confirmed - and thus there probably is log output - it does not make sense to later remove it from the log. It does make sense to somehow flag it as failed - but that seems like a secondary step.
2025-10-02 06:38:20 +00:00 · 2025-01-30 15:30:59 +00:00 · 2025-01-30 15:30:59 +00:00 · e6ed61c47a
commit e6ed61c47a
parent e411153f0d
7 changed files with 12 additions and 10 deletions
--- a/scripts/base/frameworks/analyzer/dpd.zeek
+++ b/scripts/base/frameworks/analyzer/dpd.zeek
@ -79,12 +79,14 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI

 	local c = info$c;
 	local analyzer = Analyzer::name(atype);
-	# If the service hasn't been confirmed yet, don't generate a log message
-	# for the protocol violation.
-	if ( analyzer !in c$service )
+	# If the service hasn't been confirmed yet, or already failed,
+	# don't generate a log message for the protocol violation.
+	if ( analyzer !in c$service || analyzer in c$service_violation )
 		return;

-	delete c$service[analyzer];
+	# No longer delete a service once it has been confirmed.
+	# FIXME: track failed analyzers somehow - either by changing how they are logged, or by adding a new column
+	# delete c$service[analyzer];
 	add c$service_violation[analyzer];

 	local dpd: Info;