Re: Re: detecting tunnels with Snort

["Tom Le" <dottom () gmail com>]

> Who cares?  My example had nothing to do with packet size for
> encapsulated traffic.

The OP asked about how to detect different types of tunnels, i.e. encrypted
traffic.

Your response, i.e.:

> Example:  a tunnel on udp port 53 SHOULD NOT HAVE A PACKER LARGER THAN
> 254 BYTES, as the dns rfc's on the dns query that is associated with
> that port should mark 'large packet', if query answer is larger than 254

assumes that the packet length is identifiable by Snort.  How are you going
to be able to distinguish between a DNS request vs. any other protocol
encapsulated within an IPSEC tunnel (unless the Snort box is behind the
encryption domain, but that does not address the OP's questions).

> Read the rfc's to get a clue.

Ditto.  The max length for hostname for DNS query is 255, not 254 bytes,
(254 bytes for FQDN, and 1 byte for the encoding dot).  And the max length
you will see for DNS UDP is 512-bytes (>512-byte answers for UDP should be
truncated with the TC bit set).

BTW- a little politeness goes a long ways.  Even if you're comparing apples
to oranges, you don't have to be a prune.

On 3/7/06, Michael Scheidell <scheidell () secnap net> wrote:

> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net
> > [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Tom Le
> > Sent: Monday, March 06, 2006 10:40 PM
> > To: Michael Scheidell
> > Cc: Radu Spineanu; snort-users () lists sourceforge net
> > Subject: [Snort-users] Re: detecting tunnels with Snort
> >
> >
> > This is assuming you could discern the packet size of the
> > encapsulated traffic...
>
> Who cares?  My example had nothing to do with packet size for
> encapsulated traffic.
> Read the rfc's to get a clue.