reliable off-line protocol detection


> 1124785239.632272 > ftp-sig
> 1124785306.080354 > ftp-sig
> 1124785591.602025 > ftp-sig
> 1124785606.143460 > ftp-sig

WHY? ( =A91992 Annie Lennox)

The FTP backdoor detector isn't precise - it looks for initial 220 or 426
replies, which SMTP servers can generate too. Ideally, the SMTP detector
would trigger first (based on seeing EHLO or HELO). If you have a simple
trace that shows it's failing to do so, go ahead and send it to me and
I'll see what's up.