# detects iodine covert tunnels (over DNS), send feedback on rules to merc [at] securitywire.com
alert udp any any -> any 53 (content:"|01 00 00 01 00 00 00 00 00 01|"; offset: 2; depth: 10; content:"|00 00 29 10 00 00 00 80 00 00 00|";  \
	  msg: "covert iodine tunnel request"; threshold: type limit, track by_src, count 1, seconds 300; sid: 5619500; rev: 1;)
alert udp any 53 -> any any (content: "|84 00 00 01 00 01 00 00 00 00|"; offset: 2; depth: 10; content:"|00 00 0a 00 01|";  \
	  msg: "covert iodine tunnel response"; threshold: type limit, track by_src, count 1, seconds 300; sid: 5619501; rev: 1;)