
| Subject: | Re: [Snort-users] Re: detecting tunnels with Snort |
|---|---|
| Date: | Tue, 7 Mar 2006 21:30:12 -0800 |
> Who cares? My example had nothing to do with packet size for encapsulated traffic.

The OP asked about how to detect different types of tunnels, i.e. encrypted traffic. Your response, i.e.:

> Example: a tunnel on udp port 53 SHOULD NOT HAVE A PACKET LARGER THAN 254 BYTES, as the dns rfc's on the dns query that is associated with that port should mark 'large packet', if query answer is larger than 254

assumes that the packet length is identifiable by Snort. How are you going to be able to distinguish between a DNS request vs. any other protocol encapsulated within an IPSEC tunnel (unless the Snort box is behind the encryption domain, but that does not address the OP's questions)?

> Read the rfc's to get a clue.

Ditto. The max length for hostname for DNS query is 255, not 254 bytes (254 bytes for FQDN, and 1 byte for the encoding dot). And the max length you will see for DNS UDP is 512 bytes (>512-byte answers for UDP should be truncated with the TC bit set). BTW, a little politeness goes a long ways. Even if you're comparing apples to oranges, you don't have to be a prune.

On 3/7/06, Michael Scheidell <scheidell@secnap.net> wrote:

> > -----Original Message-----
> > From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Tom Le
> > Sent: Monday, March 06, 2006 10:40 PM
> > To: Michael Scheidell
> > Cc: Radu Spineanu; snort-users@lists.sourceforge.net
> > Subject: [Snort-users] Re: detecting tunnels with Snort
> >
> > This is assuming you could discern the packet size of the encapsulated traffic...
>
> Who cares? My example had nothing to do with packet size for encapsulated traffic. Read the rfc's to get a clue.
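The size rules argued over in this thread, as an added check that is not code from the thread or from Snort: it takes the UDP payload of a DNS message (assumed to come from a capture tool) and flags a message over 512 octets without the TC bit set, or a question name longer than the 255-octet wire limit, both from RFC 1035; `build_query` only constructs sample input.

```python
import struct

# RFC 1035 limits discussed in the thread: a name is at most 255 octets on
# the wire, and a UDP message is at most 512 octets; a server that needs more
# must set the TC (truncated) bit so the client retries over TCP.
MAX_NAME_OCTETS = 255
MAX_UDP_MESSAGE = 512
TC_BIT = 0x0200

def wire_name_length(msg: bytes, offset: int) -> int:
    """Octets occupied by the name at offset; a compression pointer ends it."""
    length = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        label_len = msg[offset]
        if label_len & 0xC0 == 0xC0:      # pointer (RFC 1035 4.1.4): 2 octets
            return length + 2
        if label_len > 63:
            raise ValueError("label longer than 63 octets")
        length += 1 + label_len           # length octet plus label bytes
        if label_len == 0:                # root label terminates the name
            return length
        offset += 1 + label_len

def dns_size_anomalies(udp_payload: bytes) -> list:
    """Return findings for a UDP DNS message that breaks the size rules."""
    findings = []
    if len(udp_payload) < 12:
        return ["header shorter than 12 octets"]
    _id, flags, qdcount = struct.unpack("!HHH", udp_payload[:6])
    if len(udp_payload) > MAX_UDP_MESSAGE and not flags & TC_BIT:
        findings.append(f"{len(udp_payload)} octets over UDP without TC set")
    offset = 12
    for _ in range(qdcount):              # walk the question section
        try:
            n = wire_name_length(udp_payload, offset)
        except ValueError as e:
            findings.append(f"malformed question name: {e}")
            break
        if n > MAX_NAME_OCTETS:
            findings.append(f"question name is {n} octets (max {MAX_NAME_OCTETS})")
        offset += n + 4                   # skip QTYPE and QCLASS
    return findings

def build_query(name: str, qtype: int = 16, flags: int = 0x0100) -> bytes:
    """Constructed sample input: a one-question query for name (QCLASS IN)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
```

A Snort sensor only sees these sizes for cleartext DNS on port 53; the same message inside an IPSEC tunnel is opaque to it, which is the point made above.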