Right, a student here is going to tackle this. Our goal is to
provide Bro with the ability to decide dynamically which protocol
analyzer is appropriate (and, if required, to take the decision back).
I believe that this will become very powerful.
A few folks in our group + Intel have recently done work on traffic
classifiers along those lines, comparing content-based vs. header-only
learners, Bayesian nets etc. Fun stuff: