Some of the core developers of Bro have been having this discussion internally, and I’d like to bring it to the broader community.
It has been recognized that there are a lot of protocols for which we don’t have full analyzers that some would still like to detect in our conn.logs via simple signatures. A full analyzer is much harder to write and to do well. This creates a barrier to entry. Further, some protocols would not benefit much from deeper analysis because of encryption or other issues. However, it is still desirable to notice that such protocols and applications are used on your network.
I don’t think anyone disagreed that this could be useful, but the question would be how to do it in a maintainable way and where to put it. For example, would this be another field in the conn.log? Would this be turned on in Bro by default, would it be in the policy directory and not base, or would it be a separate plugin people could download if they want.
I’m not going to repeat all the arguments for or against different positions here; I’ll let people do that for themselves. I just want to start the conversation within the broader community.