Robin Sommer
Oh, that would indeed explain it! I'll look into it.
I believe I got a fix: https://github.com/rsmmr/justrx/commit/114f3c08d7c0cf3dfde93c2c36ce6d1e8721b0a2. Running this through Spicy CI and will then merge it there. Thanks, @awelzel!
How about a lighter-weight version of (3): I'd say the main API to align is the managers' `DisableAnalyzer` methods. That's what for protocol analyzers then branches out into the components...
I looked over this high-level: I like the approach with the two new events and passing them records with fields set as available. I'll go over in more detail...
> Okay. I had intended to keep them and even thought of introducing a `file_analyzer_violation(...)` based off the generic events, but seems you're leaning in the other direction. Yeah, that...
Sorry, too late now for 5.1, but yeah, go ahead and rebase on master and then I'll take another look and we can wrap it up.
Quick guess is that Zeek flipped the direction because of 53/udp being a well-known server port. Can you capture one of those connections into a trace?
Just to comment on this: we have seen this, it's great work! We will have to figure out more broadly how to move forward with telemetry, we have a few...
Not quite sure how to proceed here, seems this will need more discussion/work to get it ready. Thinking to move into a discussion for now until somebody can pick it...
Do you think you can still create a pcap? Otherwise I'll go ahead and merge as is.