I created two Snort IDS rules to detect covert Iodine tunnels. Frequently in corporate environments and Wi-Fi hotspots, DNS is not blocked at the firewall and is allowed to flow to the Internet while other types of traffic are restricted. Iodine lets users take advantage of this fact by tunneling IPv4 traffic over DNS queries. These Snort rules were tested with Iodine version 0.4.2. I’m very interested in getting feedback on how the rules are working (or not) for you, or how I could make them better. You can find the Iodine Snort rules at this location: http://www.securitywire.com/snort_rules/iodine.rules
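As an added example (not the author's Snort rules and not Iodine's code), here is a small Python heuristic that scores DNS query logs for the pattern a DNS tunnel leaves behind: long, high-entropy leading labels under one zone, repeated by the same client. The client addresses, the zone t.example.com and the encoded labels are constructed sample data; the thresholds are assumptions to tune per network.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client IP, queried name). The zone t.example.com and its
# long random labels are hypothetical, modelled on how tunnels encode data in names.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "pa2kv7xq9mz3ls8hwf4tc6yj5bnd1reu0gi.t.example.com"),
    ("10.0.0.7", "qb3lw8yr0na4mt9ixg5ud7zk6cof2sfv1hj.t.example.com"),
    ("10.0.0.7", "rc4mx9zs1ob5nu0jyh6ve8al7dpg3tgw2ik.t.example.com"),
    ("10.0.0.7", "sd5ny0at2pc6ov1kzi7wf9bm8eqh4uhx3jl.t.example.com"),
]

LABEL_LEN_THRESHOLD = 30   # assumed: payload labels are far longer than ordinary hostnames
ENTROPY_THRESHOLD = 3.5    # assumed: bits per character; "www" or "mail" score well below this
MIN_SUSPICIOUS_RATIO = 0.8 # assumed: share of a client's queries to a zone that must look encoded

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for empty input)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_query(qname: str):
    """Return (leading label, parent zone) of a query name."""
    first, _, parent = qname.lower().rstrip(".").partition(".")
    return first, parent

def score_query(qname: str) -> dict:
    """Flag a single query whose leading label looks like encoded payload."""
    label, parent = split_query(qname)
    entropy = shannon_entropy(label)
    return {"parent": parent, "label_len": len(label), "entropy": round(entropy, 2),
            "suspicious": len(label) > LABEL_LEN_THRESHOLD and entropy > ENTROPY_THRESHOLD}

def find_tunnel_candidates(records, min_queries: int = 3):
    """Return (client, zone) pairs where most of a client's queries look encoded."""
    per_zone = defaultdict(list)
    for client, qname in records:
        s = score_query(qname)
        per_zone[(client, s["parent"])].append(s["suspicious"])
    return [key for key, flags in sorted(per_zone.items())
            if len(flags) >= min_queries
            and sum(flags) / len(flags) >= MIN_SUSPICIOUS_RATIO]
```

Run against the sample, `find_tunnel_candidates(SAMPLE_QUERIES)` reports only the client querying the tunnel zone; the ordinary hostnames under example.com are left alone. Feed it real resolver logs and pair it with the record-type and volume checks a Snort rule can express to reduce false positives from CDNs and legitimate long labels.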
Tags: Covert Tunnels, DNS, IDS, Iodine, Snort