DPD: log analyzers that have confirmed

This switches the DPD logic to always log analyzers that raised a
protocol confirmation.

The logic is that, once a protocol has been confirmed - and thus there
probably is log output - it does not make sense to later remove it from
the log. It does make sense to somehow flag it as failed - but that
seems like a secondary step.

scripts/base/frameworks/analyzer/dpd.zeek

@@ -79,12 +79,14 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 
 	local c = info$c;
 	local analyzer = Analyzer::name(atype);
-	# If the service hasn't been confirmed yet, don't generate a log message
+	# If the service hasn't been confirmed yet, or already failed,
-	# for the protocol violation.
+	# don't generate a log message for the protocol violation.
-	if ( analyzer !in c$service )
+	if ( analyzer !in c$service || analyzer in c$service_violation )
 		return;
 
-	delete c$service[analyzer];
+	# No longer delete a service once it has been confirmed.
+	# FIXME: track failed analyzers somehow - either by changing how they are logged, or by adding a new column
+	# delete c$service[analyzer];
 	add c$service_violation[analyzer];
 
 	local dpd: Info;

testing/btest/Baseline/core.pppoe-over-qinq/conn.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	ip_proto
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.1	20394	2.2.2.2	443	tcp	-	273.626833	11352	4984	SF	F	F	0	ShADdtaTTtFf	44	25283	42	13001	-	6
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	1.1.1.1	20394	2.2.2.2	443	tcp	ssl	273.626833	11352	4984	SF	F	F	0	ShADdtaTTtFf	44	25283	42	13001	-	6
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	ip_proto
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51354	127.0.0.1	21	tcp	-	9.891089	34	71	SF	T	T	0	ShAdDaFf	13	718	10	599	-	6
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51354	127.0.0.1	21	tcp	ftp	9.891089	34	71	SF	T	T	0	ShAdDaFf	13	718	10	599	-	6
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	ip_proto
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51344	127.0.0.1	21	tcp	-	10.862185	34	74	SF	T	T	0	ShAdDaFf	13	718	10	602	-	6
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51344	127.0.0.1	21	tcp	ftp	10.862185	34	74	SF	T	T	0	ShAdDaFf	13	718	10	602	-	6
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	ip_proto
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	count
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51346	127.0.0.1	21	tcp	-	11.705309	34	68	SF	T	T	0	ShAdDaFf	13	718	10	596	-	6
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	51346	127.0.0.1	21	tcp	ftp	11.705309	34	68	SF	T	T	0	ShAdDaFf	13	718	10	596	-	6
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.modbus.events/conn-first.log

@@ -14,6 +14,6 @@ XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	10.0.0.9	3082	10.0.0.3	502	tcp	modbus	177.0
 XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	10.0.0.57	2585	10.0.0.8	502	tcp	-	76.561880	926	0	SF	T	T	0	ShADafF	8	1254	7	288	-	6
 XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	10.0.0.8	502	10.0.0.57	4446	tcp	-	155.114237	128	0	SF	T	T	0	ShADaFf	16	776	15	608	-	6
 XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	192.168.66.235	2582	166.161.16.230	502	tcp	-	2.905078	0	0	S0	T	F	0	S	2	96	0	0	-	6
-XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	192.168.66.235	2582	166.161.16.230	502	tcp	-	85.560847	1692	1278	S1	T	F	0	ShADad	167	8380	181	8522	-	6
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	192.168.66.235	2582	166.161.16.230	502	tcp	modbus	85.560847	1692	1278	S1	T	F	0	ShADad	167	8380	181	8522	-	6
 XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	10.1.1.234	51411	10.10.5.85	502	tcp	modbus	2100.811351	237936	4121200	S2	T	T	0	ShADdaF	39659	2300216	20100	5166412	-	6
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/conn.cut

@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	service
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	54958	127.0.0.1	5432	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	54958	127.0.0.1	5432	postgresql