udp_reply event instead of supposed udp_request event

What Bro really should do is to look at
the packet contents in addition to port numbers in its guessing.

Yes, exactly.

I don't know if
anyone is working on this kind of content-based port selection

I believe some folks at TU Munich are starting to work on this - Robin?

    Vern

Right, a student here is going to tackle this. Our goal is to
provide Bro with the ability to decide dynamically which protocol
analyzer is appropiate (and, if required, to take the decision back)
I believe that this will become very powerful.

Robin

A few folks in our group + Intel have recently done work on traffic
classifiers along those lines, comparing content-based vs. header-only
learners, bayesian nets etc. Fun stuff:

  http://www.cl.cam.ac.uk/users/awm22/publication/

Cheers,
Christian.