[Bro-Dev] Detecting protocols without full analyzers

Slagell, Adam J slagell at illinois.edu
Mon May 9 09:22:45 PDT 2016


> On May 9, 2016, at 11:20 AM, Robin Sommer <robin at icir.org> wrote:
> 
> Actually I would propose something else: we recently added minimal
> analyzers for IMAP and XMPP that parse just the beginning of a
> session---just enough to confirm the protocol and, in these cases,
> also use of SSL. That's an approach that I think could work more
> generally as well: even if a full analyzer isn't feasible, doing just
> the standard DPD confirmation for a protocol should usually be pretty
> straight-forward.

Is this what Justin did for RDP, because I don’t think that was much effort, was it Justin?

:Adam

------

Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 
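As an added illustration of the confirm-only approach Robin describes (example code written for this page, not Bro's IMAP/XMPP analyzers or anything from the thread): a Python sketch that inspects only the first bytes of each direction of a TCP session, confirms IMAP or XMPP, and records whether the client asked for STARTTLS. The byte patterns follow RFC 3501 and RFC 6120; the sample traffic and the `confirm` function are constructed for this example.

```python
# Added example: a minimal "confirm-only" analyzer in the spirit of the
# IMAP/XMPP analyzers mentioned above. It looks at the first bytes of each
# direction only, decides whether the protocol is confirmed, and notes whether
# the session negotiates TLS via STARTTLS. Not Bro code; constructed here.
import re
from dataclasses import dataclass

@dataclass
class Confirmation:
    protocol: str      # "imap", "xmpp" or "unknown"
    confirmed: bool
    starttls: bool

# IMAP (RFC 3501): server greets with "* OK" / "* PREAUTH" / "* BYE";
# the client then sends tagged commands such as "a001 CAPABILITY".
_IMAP_GREETING = re.compile(rb"^\* (OK|PREAUTH|BYE)\b")
_IMAP_TAGGED = re.compile(rb"^[A-Za-z0-9]+ [A-Za-z]+")
_IMAP_STARTTLS = re.compile(rb"^[A-Za-z0-9]+ STARTTLS\r?\n", re.I | re.M)

# XMPP (RFC 6120): both sides open <stream:stream> with the streams namespace;
# TLS is requested with <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>.
_XMPP_STREAM = re.compile(rb"<stream:stream[^>]*xmlns:stream=['\"]http://etherx\.jabber\.org/streams['\"]")
_XMPP_STARTTLS = re.compile(rb"<starttls[^>]*urn:ietf:params:xml:ns:xmpp-tls")

def confirm(client_first: bytes, server_first: bytes, head: int = 512) -> Confirmation:
    """Classify a session from the first `head` bytes in each direction only.
    Everything after that is deliberately ignored: this confirms, it does not parse."""
    c, s = client_first[:head], server_first[:head]
    # IMAP: the server speaks first, so the client side may still be empty.
    if _IMAP_GREETING.match(s) and (not c or _IMAP_TAGGED.match(c)):
        return Confirmation("imap", True, bool(_IMAP_STARTTLS.search(c)))
    if _XMPP_STREAM.search(c) and _XMPP_STREAM.search(s):
        return Confirmation("xmpp", True, bool(_XMPP_STARTTLS.search(c)))
    return Confirmation("unknown", False, False)

# Constructed sample traffic (not captured data).
IMAP_SERVER = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] Dovecot ready.\r\n"
IMAP_CLIENT = b"a001 CAPABILITY\r\na002 STARTTLS\r\n"
XMPP_CLIENT = (b"<?xml version='1.0'?><stream:stream to='example.com' xmlns='jabber:client' "
               b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
               b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
XMPP_SERVER = (b"<?xml version='1.0'?><stream:stream from='example.com' xmlns='jabber:client' "
               b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
HTTP_CLIENT = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_SERVER = b"HTTP/1.1 200 OK\r\n\r\n"

if __name__ == "__main__":
    for name, c, s in [("imap", IMAP_CLIENT, IMAP_SERVER), ("xmpp", XMPP_CLIENT, XMPP_SERVER),
                       ("http", HTTP_CLIENT, HTTP_SERVER)]:
        print(name, confirm(c, s))
```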