Not really sure anymore. Things change. Phrack.org in issue 49 at http://www.phrack.org/show.php?p=49&a=6 presents LOKI as a concept for any TCP/IP system, but issue 51, written in 97, at http://www.phrack.org/show.php?p=51&a=06 only discusses Loki2 for Linux and Solaris and solicits information from anyone who can make it work on others. One hears rumours.., (something called ACK perhaps?) and there is much ICMP traffic going on these days, perhaps my question should be would TDS detect an exploit or a program opening a tunnel along those concept lines?
Interesting question which's reply i have to leave to the tech guys. I remember there were discussions about tunneling and TDS dealing with it, but if that was like with Loki/Loki2 i'm not sure at the moment. When there come code or changes one can expect TDS alarms. Certainly in the coming TDS-4 programs. Think you will love to try out Port Explorer to run together with TDS, btw, as i saw a very experienced user finding a very hidden problem (exploit?) with it last night acting as a normal legal application. I love to see such things tested in practise on it's value.
