[Snort-users] Re: detecting tunnels with Snort

Tom Le dottom at ...11827...
Mon Mar 6 19:40:00 EST 2006

This is assuming you could discern the packet size of the encapsulated

> Example:  a tunnel on udp port 53 SHOULD NOT HAVE A PACKET LARGER THAN
> 254 BYTES, as the dns rfc's on the dns query that is associated with
> that port should mark 'large packet', if query answer is larger than 254
