[Bro-Dev] Detecting protocols without full analyzers

Robin Sommer robin at icir.org
Mon May 9 09:20:02 PDT 2016

On Sun, May 08, 2016 at 16:57 +0000, you wrote:

> I don’t think anyone disagreed that this could be useful, but the
> question would be how to do it in a maintainable way and where to put
> it.

I agree that detecting more protocols would certainly be useful, but I
remain skeptical of the mechanism: the proposal is to detect protocols
by relying only on signatures looking for characteristic byte
sequences; in contrast to the current DPD approach actually attempting
to parse the protocol. I am concerned about reliability with any
signatures-only approach.

Actually I would propose something else: we recently added minimal
analyzers for IMAP and XMPP that parse just the beginning of a
session---just enough to confirm the protocol and, in these cases,
also use of SSL. That's an approach that I think could work more
generally as well: even if a full analyzer isn't feasible, doing just
the standard DPD confirmation for a protocol should usually be pretty


Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

More information about the bro-dev mailing list