Let's say I do this on my network:
match protocol bittorrent
If someone changed their default bittorrent port, for example to port 80, would this circumvent detection?
If I then use "ip nbar port-map bittorrent tcp 80" to change the port monitored for bittorrent, doesn't this negate the purpose of NBAR - ie. to look further into the packet than just the port number in order to recognise traffic?