On Sun, May 08, 2016 at 16:57 +0000, you wrote:

> I don’t think anyone disagreed that this could be useful, but the
> question would be how to do it in a maintainable way and where to put
> it.

I agree that detecting more protocols would certainly be useful, but I remain skeptical of the mechanism: the proposal is to detect protocols by relying only on signatures looking for characteristic byte sequences, in contrast to the current DPD approach actually attempting to parse the protocol. I am concerned about reliability with any signatures-only approach.

Actually I would propose something else: we recently added minimal analyzers for IMAP and XMPP that parse just the beginning of a session---just enough to confirm the protocol and, in these cases, also use of SSL. That's an approach that I think could work more generally as well: even if a full analyzer isn't feasible, doing just the standard DPD confirmation for a protocol should usually be pretty straightforward.

Robin

-- 
Robin Sommer * ICSI/LBNL * [email protected] * www.icir.org/robin

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
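As an added, stand-alone illustration of the two approaches contrasted above (this is example code written for this page, not Bro's analyzer code and not from the thread): a signature-only IMAP check beside a minimal "analyzer" that parses just the server greeting and the first client command, and also records whether the session upgraded via STARTTLS. The session transcripts and the greeting/command grammar are constructed and simplified assumptions, not real captures or the full IMAP syntax.

```python
import re

# Constructed sample session openings (not real captures).
# Each entry is (direction, bytes): "s" = server -> client, "c" = client -> server.
IMAP_SESSION = [
    ("s", b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready\r\n"),
    ("c", b"a001 STARTTLS\r\n"),
    ("s", b"a001 OK Begin TLS negotiation now\r\n"),
]
HTTP_SESSION = [
    ("c", b"GET /notes.txt HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("s", b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n* OK done\r\n"),
]

# Signature-only detection: the byte pattern may occur anywhere in server data.
SIGNATURE = re.compile(rb"\* OK")

def signature_detect(session):
    """Fire if the characteristic byte sequence appears anywhere the server sent."""
    server_data = b"".join(p for d, p in session if d == "s")
    return SIGNATURE.search(server_data) is not None

# Minimal analyzer: an untagged greeting at offset 0, then one tagged command.
GREETING = re.compile(
    rb"^\* (OK|PREAUTH|BYE)(?: \[CAPABILITY ([^\]\r\n]*)\])?(?: [^\r\n]*)?\r\n")
COMMAND = re.compile(rb"^([A-Za-z0-9]+) ([A-Za-z]+)(?: [^\r\n]*)?\r\n")

def minimal_imap_analyzer(session):
    """Parse only the opening exchange and stop: the server must speak first with a
    well-formed greeting, and the client's first line must be a tagged command.
    Reports whether the client issued STARTTLS and the server accepted it."""
    result = {"confirmed": False, "starttls": False}
    if not session or session[0][0] != "s" or GREETING.match(session[0][1]) is None:
        return result
    client = [p for d, p in session if d == "c"]
    if not client:
        return result
    cmd = COMMAND.match(client[0])
    if cmd is None:
        return result
    result["confirmed"] = True
    if cmd.group(2).upper() == b"STARTTLS":
        tag = cmd.group(1)
        # The server's tagged OK carrying the same tag marks the TLS upgrade.
        result["starttls"] = any(
            d == "s" and p.startswith(tag + b" OK") for d, p in session[1:])
    return result
```

Run against the two constructed sessions, the signature fires on both (the HTTP body merely contains the bytes), while the minimal parse confirms only the real IMAP session and notes its STARTTLS upgrade.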
