On Sat, 09 Jun 2012 14:08:58 +0200 Peter N. M. Hansteen wrote:
> While string matching in PF is not an option, I vaguely remember snort
> users coming up with patterns to match earlier DNS tomfoolery, so
> there's a chance you may be able to get useful info and possibly even a
> working snort setup to deal with this one.

I've made custom rules scanning for user names with Snort and it was pretty easy. I had few performance concerns though, so if possible, minimising the packet percentage handed to Snort or analysed would obviously be important.