On Tue, Mar 24, 2015 at 16:52 -0500, you wrote:
> This is something I've actually been moving away from. If I have a
> high level of confidence in the DPD signature, I'd rather rely on
> that, since I believe it will be more efficient than to try to attach
> the analyzer to all traffic on that port, and wait for a violation.
> This was based off some informal discussions with Seth, but I'm happy
> to throw it out to bro-dev and see what others think.

I would prefer staying with the well-known ports. I see the argument
for signature-only, but it would be inconsistent with how the other
analyzers work, making it hard to explain to people what's going on.
And I don't expect much of a problem in terms of efficiency for SSH.

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev