[Snort-users] Re: detecting tunnels with Snort

Tom Le dottom at ...11827...
Mon Mar 6 19:40:00 EST 2006


This is assuming you could discern the packet size of the encapsulated
traffic...

> Example: a tunnel on udp port 53 SHOULD NOT HAVE A PACKET LARGER THAN
> 254 BYTES, as the dns rfc's on the dns query that is associated with
> that port should mark 'large packet', if query answer is larger than 254



