I got this list by monitoring the Dynamic Update release emails from Palo Alto Networks.

Remember a “decoder” is effectivly a “base protocol”. You can also detect these within the App-ID database as any application that does not have a “depends on” or “implicily uses”. However, if we take this definition then the following list is wrong. In the list below we list some dependencies.

In their updates, they often list “decoder” udpates in addition to App-ID updates.

• asterisk-iax
• bacnet
• cip-ethernet-ip
• corba
• cotp
• dhcp
• dicom
• dns
• ed137
• ftp
• ftp-data
• functions
• gds-db
• generic
• gtp
• hp-data-protector
• http
• http2
• icmp
• iec-60870-5-104
• igmp
• ike
• imap
• ipsec-esp-udp
• kerberos
• ldap
• llmnr
• lpd
• medical
• mms-ics
• modbus
• msrpc
• mssql-db
• mysql
• netbios-ss
• ntp
• open-vpn
• oracle
• pop3
• postgres
• radius
• rpc
• rtsp
• scada
• sccp
• sctp
• sip
• smb
• smb-8-1
• smtp
• ssh
• ssl
• stun
• teamviewer
• tftp
• vmware
• vnc
• unknown-tcp
• unknown-udp
• unknown-peer-to-peer