To add a bit more context: The idea is to implement a plugin interface for low-level analyzers (see https://github.com/zeek/zeek/issues/248) and collect requirements on the list.
Some first thoughts and questions:

- What would be the lowest layer to build upon, or should everything be pluggable down to the packet source?
- What about the concept of connections? For some LL protocols the concept might be counterintuitive.
- The interface should support passing payload to other analyzers. Does it make sense to come up with a generalized DPD mechanism?

Jan