Separate log for DPD speculative service.

dpd-analysis.zeek

module DPDAnalysis;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:  time    &log;
		uid: string  &log;
		orig_p: port &log;
		resp_p: port &log; 
		service:             string &log &optional;
		speculative_service: string &log &optional;
	};

	global log_dpd_analysis: event(rec: Info);
}

redef record connection += {
	speculative_service: set[string] &default=string_set();
};

redef dpd_match_only_beginning = F;
redef dpd_late_match_stop = T;

event zeek_init() &priority=5
	{
	Log::create_stream(DPDAnalysis::LOG, [$columns=Info, $ev=log_dpd_analysis,
		$path="dpd-analysis"]);
	}

event protocol_late_match(c: connection, atype: Analyzer::Tag)
	{
	local analyzer = Analyzer::name(atype);
	add c$speculative_service[analyzer];
	}

event connection_state_remove(c: connection)
	{
	local info = Info(
		$ts = c$start_time,
		$uid = c$uid,
		$orig_p = c$id$orig_p,
		$resp_p = c$id$resp_p);
	local sp_service = "";

	if ( c?$conn && c$conn?$service )
		info$service = c$conn$service;

	for ( s in c$speculative_service )
		sp_service = sp_service == "" ? s : cat(sp_service, ",", s);
	if ( sp_service != "" )
		info$speculative_service = to_lower(sp_service);

	Log::write(DPDAnalysis::LOG, info);
	}