zeek
diff --git a/‎script-reference/autogenerated-script-index.rst‎
Lines changed: 6 additions & 2 deletions b/‎script-reference/autogenerated-script-index.rst‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎scripts/base/frameworks/analyzer/dpd.zeek.rst‎
Lines changed: 13 additions & 82 deletions b/‎scripts/base/frameworks/analyzer/dpd.zeek.rst‎
Lines changed: 13 additions & 82 deletions
diff --git a/‎scripts/base/frameworks/analyzer/index.rst‎
Lines changed: 3 additions & 3 deletions b/‎scripts/base/frameworks/analyzer/index.rst‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎scripts/base/frameworks/analyzer/logging.zeek.rst‎
Lines changed: 34 additions & 64 deletions b/‎scripts/base/frameworks/analyzer/logging.zeek.rst‎
Lines changed: 34 additions & 64 deletions
@@ -512,6 +512,9 @@
    builtin-plugins/Zeek_JavaScript/__load__.zeek </scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek>
    zeekygen/__load__.zeek </scripts/zeekygen/__load__.zeek>
    test-all-policy.zeek </scripts/test-all-policy.zeek>
+   policy/frameworks/analyzer/debug-logging.zeek </scripts/policy/frameworks/analyzer/debug-logging.zeek>
+   policy/frameworks/analyzer/detect-protocols.zeek </scripts/policy/frameworks/analyzer/detect-protocols.zeek>
+   policy/frameworks/analyzer/packet-segment-logging.zeek </scripts/policy/frameworks/analyzer/packet-segment-logging.zeek>
    policy/frameworks/cluster/backend/zeromq/__load__.zeek </scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek>
    policy/frameworks/cluster/backend/zeromq/main.zeek </scripts/policy/frameworks/cluster/backend/zeromq/main.zeek>
    policy/frameworks/cluster/experimental.zeek </scripts/policy/frameworks/cluster/experimental.zeek>
@@ -536,8 +539,6 @@
    policy/frameworks/management/supervisor/main.zeek </scripts/policy/frameworks/management/supervisor/main.zeek>
    policy/frameworks/management/supervisor/api.zeek </scripts/policy/frameworks/management/supervisor/api.zeek>
    policy/frameworks/management/supervisor/config.zeek </scripts/policy/frameworks/management/supervisor/config.zeek>
-   policy/frameworks/dpd/detect-protocols.zeek </scripts/policy/frameworks/dpd/detect-protocols.zeek>
-   policy/frameworks/dpd/packet-segment-logging.zeek </scripts/policy/frameworks/dpd/packet-segment-logging.zeek>
    policy/frameworks/intel/do_notice.zeek </scripts/policy/frameworks/intel/do_notice.zeek>
    policy/frameworks/intel/do_expire.zeek </scripts/policy/frameworks/intel/do_expire.zeek>
    policy/frameworks/intel/whitelist.zeek </scripts/policy/frameworks/intel/whitelist.zeek>
@@ -639,10 +640,13 @@
    policy/protocols/ssl/weak-keys.zeek </scripts/policy/protocols/ssl/weak-keys.zeek>
    policy/tuning/json-logs.zeek </scripts/policy/tuning/json-logs.zeek>
    policy/tuning/track-all-assets.zeek </scripts/policy/tuning/track-all-assets.zeek>
+   policy/frameworks/analyzer/deprecated-dpd-log.zeek </scripts/policy/frameworks/analyzer/deprecated-dpd-log.zeek>
+   policy/frameworks/dpd/detect-protocols.zeek </scripts/policy/frameworks/dpd/detect-protocols.zeek>
    policy/frameworks/cluster/backend/zeromq/connect.zeek </scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek>
    policy/frameworks/cluster/nodes-experimental/manager.zeek </scripts/policy/frameworks/cluster/nodes-experimental/manager.zeek>
    policy/frameworks/control/controllee.zeek </scripts/policy/frameworks/control/controllee.zeek>
    policy/frameworks/control/controller.zeek </scripts/policy/frameworks/control/controller.zeek>
+   policy/frameworks/dpd/packet-segment-logging.zeek </scripts/policy/frameworks/dpd/packet-segment-logging.zeek>
    policy/frameworks/management/agent/main.zeek </scripts/policy/frameworks/management/agent/main.zeek>
    policy/frameworks/management/controller/main.zeek </scripts/policy/frameworks/management/controller/main.zeek>
    policy/frameworks/management/node/__load__.zeek </scripts/policy/frameworks/management/node/__load__.zeek>
 
@@ -4,59 +4,47 @@ base/frameworks/analyzer/dpd.zeek
 =================================
 .. zeek:namespace:: DPD
 
-Activates port-independent protocol detection and selectively disables
-analyzers if protocol violations occur.
+Disables analyzers if protocol violations occur, and add service information
+to connection log.
 
 :Namespace: DPD
+:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`
 
 Summary
 ~~~~~~~
 Runtime Options
 ###############
 ============================================================================================================================================================ =========================================================================
-:zeek:id:`DPD::ignore_violations`: :zeek:type:`set` :zeek:attr:`&redef`                                                                                      Analyzers which you don't want to throw
+:zeek:id:`DPD::ignore_violations`: :zeek:type:`set` :zeek:attr:`&redef`                                                                                      Analyzers which you don't want to remove on violations.
 :zeek:id:`DPD::ignore_violations_after`: :zeek:type:`count` :zeek:attr:`&redef`                                                                              Ignore violations which go this many bytes into the connection.
 :zeek:id:`DPD::max_violations`: :zeek:type:`table` :zeek:attr:`&deprecated` = *...* :zeek:attr:`&default` = ``5`` :zeek:attr:`&optional` :zeek:attr:`&redef` Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
 :zeek:id:`DPD::track_removed_services_in_connection`: :zeek:type:`bool` :zeek:attr:`&redef`                                                                  Change behavior of service field in conn.log:
                                                                                                                                                              Failed services are no longer removed.
 ============================================================================================================================================================ =========================================================================
 
-Types
-#####
-=========================================== ======================================================================
-:zeek:type:`DPD::Info`: :zeek:type:`record` The record type defining the columns to log in the DPD logging stream.
-=========================================== ======================================================================
-
 Redefinitions
 #############
 ============================================ ===================================================================================================================
-:zeek:type:`Log::ID`: :zeek:type:`enum`      Add the DPD logging stream identifier.
-                                             
-                                             * :zeek:enum:`DPD::LOG`
 :zeek:type:`connection`: :zeek:type:`record` 
 
                                              :New Fields: :zeek:type:`connection`
 
-                                               dpd: :zeek:type:`DPD::Info` :zeek:attr:`&optional`
-                                             
                                                service_violation: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
                                                  The set of services (analyzers) for which Zeek has observed a
                                                  violation after the same service had previously been confirmed.
+                                             
+                                               failed_analyzers: :zeek:type:`set` [:zeek:type:`string`] :zeek:attr:`&default` = ``{  }`` :zeek:attr:`&optional`
+                                                 The set of prototol analyzers that were removed due to a protocol
+                                                 violation after the same analyzer had previously been confirmed.
 ============================================ ===================================================================================================================
 
-Hooks
-#####
-======================================================== =============================================
-:zeek:id:`DPD::log_policy`: :zeek:type:`Log::PolicyHook` A default logging policy hook for the stream.
-======================================================== =============================================
-
 
 Detailed Interface
 ~~~~~~~~~~~~~~~~~~
 Runtime Options
 ###############
 .. zeek:id:: DPD::ignore_violations
-   :source-code: base/frameworks/analyzer/dpd.zeek 33 33
+   :source-code: base/frameworks/analyzer/dpd.zeek 13 13
 
    :Type: :zeek:type:`set` [:zeek:type:`Analyzer::Tag`]
    :Attributes: :zeek:attr:`&redef`
@@ -74,10 +62,10 @@ Runtime Options
          Analyzer::ANALYZER_NTLM
 
 
-   Analyzers which you don't want to throw
+   Analyzers which you don't want to remove on violations.
 
 .. zeek:id:: DPD::ignore_violations_after
-   :source-code: base/frameworks/analyzer/dpd.zeek 37 37
+   :source-code: base/frameworks/analyzer/dpd.zeek 17 17
 
    :Type: :zeek:type:`count`
    :Attributes: :zeek:attr:`&redef`
@@ -87,7 +75,7 @@ Runtime Options
    Set to 0 to never ignore protocol violations.
 
 .. zeek:id:: DPD::max_violations
-   :source-code: base/frameworks/analyzer/dpd.zeek 30 30
+   :source-code: base/frameworks/analyzer/dpd.zeek 10 10
 
    :Type: :zeek:type:`table` [:zeek:type:`Analyzer::Tag`] of :zeek:type:`count`
    :Attributes: :zeek:attr:`&deprecated` = *"Remove in v8.1: This has become non-functional in Zeek 7.2, see PR #4200"* :zeek:attr:`&default` = ``5`` :zeek:attr:`&optional` :zeek:attr:`&redef`
@@ -96,7 +84,7 @@ Runtime Options
    Deprecated, please see https://github.com/zeek/zeek/pull/4200 for details
 
 .. zeek:id:: DPD::track_removed_services_in_connection
-   :source-code: base/frameworks/analyzer/dpd.zeek 44 44
+   :source-code: base/frameworks/analyzer/dpd.zeek 24 24
 
    :Type: :zeek:type:`bool`
    :Attributes: :zeek:attr:`&redef`
@@ -108,61 +96,4 @@ Runtime Options
    E.g. a http connection with a violation would be logged as
    "http,-http".
 
-Types
-#####
-.. zeek:type:: DPD::Info
-   :source-code: base/frameworks/analyzer/dpd.zeek 14 27
-
-   :Type: :zeek:type:`record`
-
-
-   .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
-
-      Timestamp for when protocol analysis failed.
-
-
-   .. zeek:field:: uid :zeek:type:`string` :zeek:attr:`&log`
-
-      Connection unique ID.
-
-
-   .. zeek:field:: id :zeek:type:`conn_id` :zeek:attr:`&log`
-
-      Connection ID containing the 4-tuple which identifies endpoints.
-
-
-   .. zeek:field:: proto :zeek:type:`transport_proto` :zeek:attr:`&log`
-
-      Transport protocol for the violation.
-
-
-   .. zeek:field:: analyzer :zeek:type:`string` :zeek:attr:`&log`
-
-      The analyzer that generated the violation.
-
-
-   .. zeek:field:: failure_reason :zeek:type:`string` :zeek:attr:`&log`
-
-      The textual reason for the analysis failure.
-
-
-   .. zeek:field:: packet_segment :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
-
-      (present if :doc:`/scripts/policy/frameworks/dpd/packet-segment-logging.zeek` is loaded)
-
-      A chunk of the payload that most likely resulted in the
-      analyzer violation.
-
-
-   The record type defining the columns to log in the DPD logging stream.
-
-Hooks
-#####
-.. zeek:id:: DPD::log_policy
-   :source-code: base/frameworks/analyzer/dpd.zeek 11 11
-
-   :Type: :zeek:type:`Log::PolicyHook`
-
-   A default logging policy hook for the stream.
-
 
@@ -33,10 +33,10 @@ automatically activate a particular analyzer for new connections.
 
 :doc:`/scripts/base/frameworks/analyzer/dpd.zeek`
 
-   Activates port-independent protocol detection and selectively disables
-   analyzers if protocol violations occur.
+   Disables analyzers if protocol violations occur, and add service information
+   to connection log.
 
 :doc:`/scripts/base/frameworks/analyzer/logging.zeek`
 
-   Logging analyzer confirmations and violations into analyzer.log
+   Logging analyzer  violations into analyzer.log
 
@@ -4,24 +4,19 @@ base/frameworks/analyzer/logging.zeek
 =====================================
 .. zeek:namespace:: Analyzer::Logging
 
-Logging analyzer confirmations and violations into analyzer.log
+Logging analyzer  violations into analyzer.log
 
 :Namespace: Analyzer::Logging
-:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`, :doc:`base/frameworks/config </scripts/base/frameworks/config/index>`, :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
+:Imports: :doc:`base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>`, :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
 
 Summary
 ~~~~~~~
 Runtime Options
 ###############
-=========================================================================================== ==================================================================
-:zeek:id:`Analyzer::Logging::enable`: :zeek:type:`bool` :zeek:attr:`&redef`                 Enable logging of analyzer violations and optionally confirmations
-                                                                                            when :zeek:see:`Analyzer::Logging::include_confirmations` is set.
+=========================================================================================== ==============================================================
 :zeek:id:`Analyzer::Logging::failure_data_max_size`: :zeek:type:`count` :zeek:attr:`&redef` If a violation contains information about the data causing it,
                                                                                             include at most this many bytes of it in the log.
-:zeek:id:`Analyzer::Logging::ignore_analyzers`: :zeek:type:`set` :zeek:attr:`&redef`        Set of analyzers for which to not log confirmations or violations.
-:zeek:id:`Analyzer::Logging::include_confirmations`: :zeek:type:`bool` :zeek:attr:`&redef`  Enable analyzer_confirmation.
-:zeek:id:`Analyzer::Logging::include_disabling`: :zeek:type:`bool` :zeek:attr:`&redef`      Enable tracking of analyzers getting disabled.
-=========================================================================================== ==================================================================
+=========================================================================================== ==============================================================
 
 Types
 #####
@@ -37,6 +32,13 @@ Redefinitions
                                         * :zeek:enum:`Analyzer::Logging::LOG`
 ======================================= ===========================================
 
+Events
+######
+============================================================== ===============================================================================
+:zeek:id:`Analyzer::Logging::log_analyzer`: :zeek:type:`event` An event that can be handled to access the :zeek:type:`Analyzer::Logging::Info`
+                                                               record as it is sent on to the logging framework.
+============================================================== ===============================================================================
+
 Hooks
 #####
 ====================================================================== =============================================
@@ -48,18 +50,8 @@ Detailed Interface
 ~~~~~~~~~~~~~~~~~~
 Runtime Options
 ###############
-.. zeek:id:: Analyzer::Logging::enable
-   :source-code: base/frameworks/analyzer/logging.zeek 47 47
-
-   :Type: :zeek:type:`bool`
-   :Attributes: :zeek:attr:`&redef`
-   :Default: ``T``
-
-   Enable logging of analyzer violations and optionally confirmations
-   when :zeek:see:`Analyzer::Logging::include_confirmations` is set.
-
 .. zeek:id:: Analyzer::Logging::failure_data_max_size
-   :source-code: base/frameworks/analyzer/logging.zeek 64 64
+   :source-code: base/frameworks/analyzer/logging.zeek 37 37
 
    :Type: :zeek:type:`count`
    :Attributes: :zeek:attr:`&redef`
@@ -68,57 +60,17 @@ Runtime Options
    If a violation contains information about the data causing it,
    include at most this many bytes of it in the log.
 
-.. zeek:id:: Analyzer::Logging::ignore_analyzers
-   :source-code: base/frameworks/analyzer/logging.zeek 67 67
-
-   :Type: :zeek:type:`set` [:zeek:type:`AllAnalyzers::Tag`]
-   :Attributes: :zeek:attr:`&redef`
-   :Default: ``{}``
-
-   Set of analyzers for which to not log confirmations or violations.
-
-.. zeek:id:: Analyzer::Logging::include_confirmations
-   :source-code: base/frameworks/analyzer/logging.zeek 54 54
-
-   :Type: :zeek:type:`bool`
-   :Attributes: :zeek:attr:`&redef`
-   :Default: ``F``
-
-   Enable analyzer_confirmation. They are usually less interesting
-   outside of development of analyzers or troubleshooting scenarios.
-   Setting this option may also generated multiple log entries per
-   connection, minimally one for each conn.log entry with a populated
-   service field.
-
-.. zeek:id:: Analyzer::Logging::include_disabling
-   :source-code: base/frameworks/analyzer/logging.zeek 60 60
-
-   :Type: :zeek:type:`bool`
-   :Attributes: :zeek:attr:`&redef`
-   :Default: ``F``
-
-   Enable tracking of analyzers getting disabled. This is mostly
-   interesting for troubleshooting of analyzers in DPD scenarios.
-   Setting this option may also generated multiple log entries per
-   connection.
-
 Types
 #####
 .. zeek:type:: Analyzer::Logging::Info
-   :source-code: base/frameworks/analyzer/logging.zeek 18 43
+   :source-code: base/frameworks/analyzer/logging.zeek 13 33
 
    :Type: :zeek:type:`record`
 
 
    .. zeek:field:: ts :zeek:type:`time` :zeek:attr:`&log`
 
-      Timestamp of confirmation or violation.
-
-
-   .. zeek:field:: cause :zeek:type:`string` :zeek:attr:`&log`
-
-      What caused this log entry to be produced. This can
-      currently be "violation" or "confirmation".
+      Timestamp of the violation.
 
 
    .. zeek:field:: analyzer_kind :zeek:type:`string` :zeek:attr:`&log`
@@ -148,7 +100,7 @@ Types
       Connection identifier if available
 
 
-   .. zeek:field:: failure_reason :zeek:type:`string` :zeek:attr:`&log` :zeek:attr:`&optional`
+   .. zeek:field:: failure_reason :zeek:type:`string` :zeek:attr:`&log`
 
       Failure or violation reason, if available.
 
@@ -159,12 +111,30 @@ Types
       to :zeek:see:`Analyzer::Logging::failure_data_max_size`.
 
 
+   .. zeek:field:: packet_segment :zeek:type:`string` :zeek:attr:`&optional` :zeek:attr:`&log`
+
+      (present if :doc:`/scripts/policy/frameworks/analyzer/packet-segment-logging.zeek` is loaded)
+
+      A chunk of the payload that most likely resulted in the
+      analyzer violation.
+
+
    The record type defining the columns to log in the analyzer logging stream.
 
+Events
+######
+.. zeek:id:: Analyzer::Logging::log_analyzer
+   :source-code: base/frameworks/analyzer/logging.zeek 41 41
+
+   :Type: :zeek:type:`event` (rec: :zeek:type:`Analyzer::Logging::Info`)
+
+   An event that can be handled to access the :zeek:type:`Analyzer::Logging::Info`
+   record as it is sent on to the logging framework.
+
 Hooks
 #####
 .. zeek:id:: Analyzer::Logging::log_policy
-   :source-code: base/frameworks/analyzer/logging.zeek 15 15
+   :source-code: policy/frameworks/analyzer/packet-segment-logging.zeek 38 50
 
    :Type: :zeek:type:`Log::PolicyHook`