For this feature of fixing the app_proto for torrent traffic which was showing up as “failed”, I’m wondering about the scope.
This seems to only happen for bittorrent dht protocol traffic over UDP, which is on random ports between 1024-65535.
Since this is a new app layer protocol for Suricata, for this ticket do we just want to simply detect this UDP traffic and label the app_proto as ‘bittorrent’/‘bittorrent_dht’ or should other fields e.g. error codes also be extracted and logged from the bittorrent dht protocol? And is it ok to probe for the bittorrent dht protocol on all ports between 1024-65535 by default?
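To make the probing question concrete, here is an added illustration (my own example, not Suricata's parser, which lives in its Rust app-layer code) of what a port-independent DHT probe has to check: a KRPC message is a bencoded dictionary with a transaction id `t` and a type `y` of `q`, `r` or `e`, and an error reply carries a `[code, message]` list under `e`. The sample datagrams are constructed following the BEP 5 message format.

```python
# Constructed example: minimal bencode decoder plus a KRPC/DHT probe that
# would return the app-layer label and the fields worth logging.

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, 'e'-terminated
        items, i = [], i + 1
        while data[i:i + 1] != b"e":                # truncation raises below
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        if colon + 1 + n > len(data):
            raise ValueError("truncated string")
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError("not bencode")

def probe_dht(payload: bytes):
    """Return a dict of extracted fields if payload is a KRPC message, else None."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if end != len(payload) or not isinstance(msg, dict):
        return None                                 # trailing bytes or not a dict
    t, y = msg.get(b"t"), msg.get(b"y")
    if not isinstance(t, bytes) or y not in (b"q", b"r", b"e"):
        return None
    info = {"app_proto": "bittorrent_dht", "type": y.decode()}
    if y == b"q" and isinstance(msg.get(b"q"), bytes):
        info["method"] = msg[b"q"].decode(errors="replace")
    if y == b"e" and isinstance(msg.get(b"e"), list) and len(msg[b"e"]) == 2:
        code, text = msg[b"e"]
        info["error_code"] = code
        info["error"] = text.decode(errors="replace") if isinstance(text, bytes) else None
    return info

# Constructed sample datagrams in BEP 5 format (20-byte node id is a dummy).
PING_QUERY = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
ERROR_REPLY = b"d1:eli201e23:A Generic Error Ocurrede1:t2:aa1:y1:ee"
NOT_DHT = b"\x00\x01\x02\x03garbage"
```

The `end != len(payload)` and `isinstance` checks are what keep a probe that runs on every high UDP port from matching arbitrary traffic that merely starts with `d`.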