On Mon, Feb 23, 2015 at 10:49:55PM +0100, Peter Wu wrote:
> On Mon, Feb 23, 2015 at 03:32:48PM +0100, Gianrico wrote:
>
> I propose to make one or more of these changes:
>
> - Call the heuristics dissector only for the first data frame.
I forgot to mention the 1/n-1 splitting which is nowadays commonly done
for SSL dissectors to mitigate BEAST. New-style dissectors could return
"-1" ("I want more data") if they need more than the first byte.
> - Decouple the list of valid protocols from
> transport_proto/addr/server_port->appdata_proto/keyfile
> associations. This allows for multiple valid protocols while linking
> one unique key per transport_proto/address/server_port tuple.
> (Jeff, comments?)
> - Allow a wildcard protocol name in the UAT dialog just to set the key,
> not the protocol ("any", "*" or the empty string?).
> - Select an appdata protocol in this order: STARTTLS hint, heuristics,
> associations, (first available) dissector hint.
>
> Why the suggested protocol selection order?
>
> - STARTTLS hint is quite strong.
> - Good heuristics can do "the right thing" automatically.
> - Associations are entered by the user.
> - For protocols such as SMTP, there is one clear choice which is great.
> For port 443, the best guess is HTTP (which should have been caught
> by the heuristics dissector) but others are possible.
--
Kind regards,
Peter Wu
https://lekensteyn.nl
