[Snort-users] detecting tunnels with Snort

Michael Scheidell scheidell at ...5171...
Mon Mar 6 14:32:01 EST 2006

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Radu Spineanu
> Sent: Sunday, March 05, 2006 10:12 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] detecting tunnels with Snort
> Hi
> Is it possible to detect different types of tunnels (gre, ipsec, http
> tunnels) that cross a network boundary by using Snort?
Yes, if you write a signature for it.

No, there are no signatures currently for it.

Maybe, as there are a lot of different tunnels, and you would need to
not only write a signature for it, but take into account the 'normal'
traffic on that port.

Example:  a tunnel on UDP port 53 SHOULD NOT HAVE A PACKET LARGER THAN
254 BYTES, as the DNS RFCs on the DNS query that is associated with
that port should mark 'large packet', if query answer is larger than 254

So, you could 'protect' UDP port 53 with a signature that:
A) triggered if you got udp port 53 traffic on an UNKNOWN DNS SERVER,
B) triggered if the packet length is > 254 bytes
(note, tunnel writer could break packets up)

ICMP:  if 'unknown' ICMP types are used, you could trigger on that.
  Or, if ICMP 'return traffic' came from addresses that did not send it.
  If an ICMP timestamp packet came in that didn't have a timestamp, etc.

TCP, well if the encrypted traffic over port 80, 

I guess you would need an application engine, and assign 'normal'
traffic to each open port and write signatures looking for abnormal

(but, you could still encapsulate TUNNEL traffic in between 'valid
looking' HTTP ports on port 80)
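
The UDP port 53 and ICMP checks described in the reply above, written out as detection logic over packet records. This is an added example, not part of the original post and not Snort code. The `Pkt` record, the resolver address, the expected ICMP type set and the sample traffic are constructed assumptions; the size limit is a parameter set to the 254-byte figure used in the post.

```python
from dataclasses import dataclass

KNOWN_DNS = {"192.0.2.53"}   # assumed site resolver (constructed address)
DNS_MAX = 254                # size figure from the post; tune to the site's real DNS traffic
KNOWN_ICMP = {0, 3, 4, 5, 8, 11, 12, 13, 14}   # ICMP types this site expects (assumption)

@dataclass
class Pkt:                   # hypothetical record, e.g. filled in from a capture
    src: str
    dst: str
    proto: str               # "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    size: int = 0            # payload bytes
    icmp_type: int = -1

def detect(packets, known_dns=KNOWN_DNS, dns_max=DNS_MAX):
    """Return (index, reason) alerts for the heuristics listed in the post."""
    alerts, echo_sent = [], set()
    for i, p in enumerate(packets):
        if p.proto == "udp" and 53 in (p.sport, p.dport):
            server = p.dst if p.dport == 53 else p.src
            if server not in known_dns:           # check A: unknown DNS server
                alerts.append((i, "dns-unknown-server"))
            if p.size > dns_max:                  # check B: oversize packet
                alerts.append((i, "dns-oversize"))
        elif p.proto == "icmp":
            if p.icmp_type not in KNOWN_ICMP:     # 'unknown' ICMP type
                alerts.append((i, "icmp-unknown-type"))
            elif p.icmp_type == 8:                # remember who was pinged
                echo_sent.add((p.src, p.dst))
            elif p.icmp_type == 0 and (p.dst, p.src) not in echo_sent:
                alerts.append((i, "icmp-unsolicited-reply"))
    return alerts

# Constructed sample traffic
SAMPLE = [
    Pkt("10.0.0.5", "192.0.2.53", "udp", 40000, 53, 45),    # normal query
    Pkt("10.0.0.5", "203.0.113.9", "udp", 40001, 53, 60),   # unknown server
    Pkt("10.0.0.5", "192.0.2.53", "udp", 40002, 53, 400),   # oversize
    Pkt("10.0.0.5", "198.51.100.1", "icmp", icmp_type=8),   # echo request
    Pkt("198.51.100.1", "10.0.0.5", "icmp", icmp_type=0),   # matching reply
    Pkt("198.51.100.7", "10.0.0.5", "icmp", icmp_type=0),   # reply nobody asked for
    Pkt("10.0.0.5", "198.51.100.1", "icmp", icmp_type=200), # type outside expected set
]

if __name__ == "__main__":
    for idx, reason in detect(SAMPLE):
        print(idx, reason)
```

As the post notes, a tunnel that splits its data into small packets stays under the size check, so the size rule only catches tunnels that do not fragment their payload.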
