A Comparative Evaluation of Snort and Suricata for Detecting Data Exfiltration Tunnels in Cloud Environments

Abstract

Data exfiltration poses a major cybersecurity challenge because it involves the unauthorized transfer of sensitive information. Intrusion Detection Systems (IDSs) are vital security controls in identifying such attacks; however, their effectiveness in cloud computing environments remains limited, particularly against covert channels such as Internet Control Message Protocol (ICMP) and Domain Name System (DNS) tunneling. This study compares two widely used IDSs, Snort and Suricata, in a controlled cloud computing environment. The assessment focuses on their ability to detect data exfiltration techniques implemented via ICMP and DNS tunneling, using DNSCat2 and Iodine. We evaluate detection performance using standard classification metrics, including Recall, Precision, Accuracy, and F1-Score. Our experiments were conducted on Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances, where IDS instances monitored simulated exfiltration traffic generated by DNSCat2, Iodine, and Metasploit. Network traffic was mirrored via AWS Virtual Private Cloud (VPC) Traffic Mirroring, with the ELK Stack integrated for centralized logging and visual analysis. The findings indicate that Suricata outperformed Snort in detecting DNS-based exfiltration, underscoring the advantages of multi-threaded architectures for managing high-volume cloud traffic. For DNS tunneling, Suricata achieved 100% detection (recall) for both DNSCat2 and Iodine, whereas Snort achieved 85.7% and 66.7%, respectively. Neither IDS detected ICMP tunneling using Metasploit, with both recording 0% recall. It is worth noting that both IDSs failed to detect ICMP tunneling under default configurations, highlighting the limitations of signature-based detection in isolation. These results emphasize the need to combine signature-based and behavior-based analytics, supported by centralized logging frameworks, to strengthen cloud-based intrusion detection and enhance forensic visibility.

1. Introduction

Cloud computing has transformed IT resource management by delivering unprecedented scalability, flexibility, and cost efficiency [1]. These advantages have driven widespread adoption across industries, enabling organizations to optimize operations and focus on innovation. However, this paradigm shift has also introduced significant security challenges, particularly concerning data exfiltration—a critical threat in which unauthorized commodities transfer sensitive information from the cloud infrastructure to external destinations. Data exfiltration compromises the confidentiality and integrity of sensitive information and exposes organizations to significant financial losses and reputational damage.

Data exfiltration can be performed using various techniques, making its detection and prevention particularly challenging [2]. Techniques such as Domain Name System (DNS) tunneling, where data is encoded in DNS queries and responses; HTTP/S transfers, which exploit common, often unmonitored web traffic; and covert channels, which use unconventional methods to transmit data, are among the most prevalent techniques employed by malicious actors. These techniques bypass traditional security measures and require advanced specialized tools to detect and mitigate them effectively.

Several high-profile cyber-espionage incidents have revealed the use of covert tunneling techniques, including DNS and Internet Control Message Protocol (ICMP) tunneling, as a means to bypass traditional security measures [3,4]. For example, the SolarWinds Orion supply chain attack exploited DNS tunneling for command-and-control (C2) communication, allowing attackers to exfiltrate data through seemingly benign DNS queries [5]. These incidents highlight the urgent need to investigate tunneling-based techniques to improve network threat detection and response capabilities.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are essential components of the cloud environment security infrastructure [6]. These systems continuously monitor network traffic for suspicious activity and known threats, providing a crucial layer of defense against data exfiltration attempts. Among the IDS/IPS tools, Snort (Snort 3.0 is used, https://www.snort.org, last accessed on 20 December 2025) and Suricata (Suricata 7.0.13 is used, https://suricata.io/, last accessed on 20 December 2025) are widely recognized for their strong capabilities [2]. Snort, developed by Cisco, is well-known for its robust packet analysis and logging capabilities. On the other hand, Suricata, developed by the Open Information Security Foundation (OISF), provides advanced multithreading and superior performance in dense-traffic environments.

Despite their widespread use, it is essential to conduct a comprehensive evaluation of Snort and Suricata to detect cloud-specific data exfiltration techniques [7]. Understanding their effectiveness, detection capabilities, false-positive rates and resource consumption within a cloud environment is crucial for organizations striving to improve their security frameworks. Although both tools have been extensively studied in traditional network settings, their performance in dynamic cloud infrastructures, where traffic patterns and attack vectors vary significantly, requires further investigation.

This study addresses this gap by setting up a controlled cloud environment in which Snort and Suricata are configured to monitor and analyze various data exfiltration methods. Controlled test cases that generate both baseline and exfiltration traffic will be established to capture and compare detection rates, performance, and incidence of false positives. Beyond detection, effective incident response requires forensic capabilities; therefore, we also evaluate tools to analyze exfiltration incidents by integrating the Elasticsearch, Logstash, and Kibana (ELK) stack for advanced data analysis and visualization. This integration enables real-time monitoring, detailed log analysis, and intuitive dashboards, thus enhancing the ability to identify and respond effectively to potential threats. Furthermore, our research evaluates the effectiveness of cloud forensic tools in identifying, analyzing, and mitigating data exfiltration incidents. The method involves identifying a set of cloud forensic tools for data exfiltration analysis and establishing criteria to evaluate them, including ease of use, data recovery capabilities, support for various cloud platforms and the ability to preserve the integrity of digital evidence. Hands-on testing of each tool is performed using controlled scenarios that simulate data exfiltration incidents. The findings contribute to more effective incident response strategies and improved security practices in cloud environments.

In summary, existing studies have evaluated IDS tools under various network configurations. However, a key distinction remains between traditional on-premise evaluations and cloud-based deployments, where factors such as virtualized networking and traffic mirroring fundamentally affect IDS behavior. This study aims to systematically evaluate and compare the detection capabilities of Snort and Suricata, two widely used open-source IDSs, in identifying sophisticated data exfiltration techniques in cloud environments. Specifically, the research addresses the following research questions (RQs):

RQ₀:

How effectively can Snort and Suricata detect ICMP tunneling, a covert communication method often used to bypass traditional security measures?

RQ₁:

What are the detection rates, accuracy, and performance metrics of Snort and Suricata in identifying DNS tunneling using DNSCat2, a tool designed to encapsulate data within DNS queries and responses?

RQ₂:

How do Snort and Suricata perform in detecting DNS tunneling using Iodine, which exploits the NULL resource record type to create stealthy communication channels?

RQ₃:

What are the strengths and limitations of Snort and Suricata regarding detection rates and false positives/negatives across ICMP tunneling, DNSCat2, and Iodine-based attacks?

By addressing these questions, the study seeks to provide actionable insights into optimizing IDS configurations to enhance cloud security and to highlight areas that require further development to combat evolving cyber threats. The organization of this paper is as follows.

Section 2 provides an overview of the tools and technologies used in the study, including detailed descriptions of Snort, Suricata, and the ELK Stack. It also explains DNS tunneling, its role in data exfiltration, and related concepts. Section 3 reviews existing research on IDS, focusing on Snort and Suricata, as well as other relevant studies on DNS tunneling, ICMP tunneling and cloud security. Section 4 outlines the experimental setup, including cloud architecture, test scenarios, and detection rules implemented to identify data exfiltration techniques. It also describes the tools and configurations to simulate attacks and monitor traffic. We present the results of experiments comparing the performance of Snort and Suricata in detecting ICMP tunneling, DNS tunneling with DNSCat2, and DNS tunneling with iodine in Section 5. The section presents performance metrics, including detection rates and false positives, and discusses the results. Section 6 summarizes the key findings of the study, highlighting the strengths and limitations of Snort and Suricata in cloud environments. The section also provides recommendations to improve detection capabilities and outlines potential areas for future research.

2. Background

The selection of Snort and Suricata as primary IDS for this study was driven by several key factors that make them particularly relevant and suitable for evaluating data exfiltration techniques in cloud environments. Both tools are widely recognized as the leading open-source IDS solutions, with extensive community support, robust feature sets, and proven effectiveness in traditional network security scenarios [8]. Their adoption spans across industries, from small-scale deployments to enterprise-level implementations, making them representative of the broader landscape of network security tools.

2.1. Intrusion Detection Systems (IDS)

2.1.1. Snort

Snort is an open-source Network Intrusion Detection System (NIDS) developed initially in 1999 [9]. Since then, it has become one of the most widely deployed intrusion detection and prevention technologies worldwide. Snort captures and analyzes network traffic in real time, identifies potential threats, and alerts system administrators using a combination of signature-based detection, protocol analysis, and anomaly detection. Snort’s key features include the following:

• Signature-Based Detection: Snort uses predefined rules to detect known threats by matching patterns in network traffic [10]. These rules are continuously updated by the community and Sourcefire (now part of Cisco) to include new threats as they emerge.
• Protocol Analysis: Snort can analyze various network protocols to identify deviations from normal behavior that could indicate an attack [11]. This includes HTTP, FTP, TCP, UDP, and ICMP, among others.
• Anomaly Detection: By establishing a baseline for normal network activity, Snort can identify unusual patterns that can indicate an attack [11].
• Preprocessor Plugins: Snort’s functionality can be extended via preprocessor plugins, which add new detection capabilities and enhancements to existing ones [10]. These preprocessors can reassemble fragmented packets, detect anomalies in HTTP requests, and decode various protocols.
• Performance: Traditionally, Snort has been a single-threaded application, which could limit its performance on multi-core systems. However, the Snort 3 release now includes a multi-threaded architecture, which improves its ability to handle high-throughput environments [11].

Snort is highly configurable, allowing users to customize its rules to suit their specific security needs. It can be deployed in three main modes: (1) Sniffer Mode: In this mode, Snort captures and displays network packets in real-time. (2) Packet Logger Mode, where it logs packets to disk, and (3) NIDS Mode, where it analyzes network traffic and generates alerts based on predefined rules. Given these modes, Snort supports three deployment modes [10]; namely, (1) real-time traffic analysis, where Snort can monitor network traffic in real time and provide immediate alerts for suspicious activities; (2) forensic analysis, where the captured traffic is used to analyze post-event to understand the nature and scope of an incident; and (3) regulatory compliance, where it helps organizations meet various regulatory requirements by providing detailed logging and reporting capabilities.

2.1.2. Suricata

Suricata is an open-source network threat detection engine developed by the Open Information Security Foundation (OISF) in 2009. It is designed to be a robust and high-performance IDS/IPS and network security monitoring (NSM) tool. Suricata leverages modern hardware capabilities, including multi-threading, GPU acceleration, and advanced protocol detection, making it a robust, scalable solution for detecting network-based threats. Suricata’s key features are summarized below:

• Multi-threading: Unlike Snort, which was traditionally single-threaded, Suricata is designed from the ground up to take advantage of multi-core processors. This allows Suricata to handle higher traffic volumes and perform complex analyses more efficiently.
• Protocol Identification and Parsing: Suricata includes advanced protocol identification and parsing capabilities that automatically detect and decode protocols such as HTTP, TLS, FTP, and SMB. This feature enables deep packet inspection and accurate detection of protocol-specific attacks.
• File Extraction: Suricata can extract and store files from network traffic for further analysis. This is particularly useful for investigating malware infections and data exfiltration attempts.
• Integration with External Tools: Suricata integrates seamlessly with other security tools and platforms. It supports output to various formats and systems, including JSON, Elastic Stack, and Splunk, facilitating integration with Security Information and Event Management (SIEM) systems and other analysis tools.
• Rules and Signatures: Suricata supports a rule syntax compatible with Snort, making it easy to transition from Snort to Suricata. Furthermore, it supports advanced rule options and keyword extensions, enabling more granular detection.
• Performance and Scalability: Suricata’s architecture scales horizontally by adding more processing threads, enabling it to handle high-throughput environments. It can leverage modern hardware features, such as CUDA and OpenCL, for GPU acceleration, further enhancing performance.

Suricata can be configured and deployed in various modes, similar to Snort: (1) NIDS Mode: Monitor network traffic and generate alerts based on detection rules. (2) IPS Mode: Acts on detected threats by dropping, rejecting, or modifying packets. And (3) NSM Mode: Collects and logs detailed information about network traffic for analysis. Suricata is highly configurable, with extensive options for tuning performance and detection capabilities. It can be managed and configured using YAML files, which provide a straightforward and flexible way to define settings and rules. Given these modes, Suricata is used in situations such as [10]: (1) Real-time threat detection: Suricata’s multi-threaded design is suitable for environments with high traffic volumes, where it can provide real-time alerts for detected threats. (2) Monitoring of network security: By capturing and analyzing detailed network traffic, Suricata helps organizations gain visibility into their network and detect potential security incidents. And (3) Threat hunting and forensic analysis: Suricata’s ability to extract files and log detailed traffic information makes it a valuable tool for post-incident analysis and threat hunting activities.

2.2. Test Instrumentation: The ELK Stack

To analyze IDS output, the Elasticsearch, Logstash, and Kibana (ELK) stack is used for log processing and visualization. In addition, DNS tunneling is examined since it is a critical exfiltration technique relevant to the study. The ELK Stack, comprising Elasticsearch, Logstash, and Kibana, is a log analysis platform used for IDS monitoring. It is widely used to search, analyze, and visualize huge volumes of log data in real time, making it an essential tool for monitoring and analyzing logs generated by IDS tools such as Snort and Suricata. The key features of the ELK stack are [12]:

• Elasticsearch: Elasticsearch is a distributed, RESTful search and analytics engine. It is designed to handle large-scale data ingestion and retrieval, enabling users to store, search, and analyze big data quickly and in near real-time. Elasticsearch utilizes a schema-free JSON document structure to index data, making it flexible and scalable. Elasticsearch’s key features include [13]:
  • Full-text search capabilities.
  • Near real-time indexing and search.
  • Distributed and horizontally scalable architecture.
  • RESTful API for seamless integration with other tools and platforms.
• Logstash: Logstash is a server-side data processing pipeline that ingests data from various sources, transforms it, and sends it to the desired output. It supports various input sources, including logs, metrics, web applications, data stores, and various AWS services. Logstash uses a rich ecosystem of plugins to parse and transform data, ensuring that it is structured and formatted correctly before indexing to Elasticsearch. Key features include:
  • Centralized data processing with support for custom log formats.
  • Extensible architecture with numerous plugins for the input, filter, and output stages.
  • Ability to parse and transform unstructured data into structured formats.
• Kibana: Kibana is a data visualization and exploration tool that sits on top of Elasticsearch, providing an intuitive web interface for analyzing and visualizing data. It allows users to create and share dynamic dashboards that reflect real-time data changes. Kibana supports a variety of visualizations, including histograms, line graphs, pie charts, and geographic maps. Key features include:
  • Real-time visualization and analysis of data stored in Elasticsearch.
  • User-friendly interface to create and share dashboards.
  • Advanced query and filtering capabilities using the Kibana Query Language (KQL).
  • Support for alerting and reporting based on data insights.

The ELK Stack could be integrated with Filebeat. Filebeat is a lightweight shipper that centralizes log data [14]. Installed on your servers, Filebeat monitors the log files or locations you specify, collects log events, and forwards them to Logstash or Elasticsearch for indexing. When integrated with the ELK Stack, Filebeat simplifies the collection, parsing, and visualization of logs from IDS tools such as Snort and Suricata [15].

Given these modes, the ELK Stack could be used in situations such as [15]: (1) Real-time Monitoring: The ELK Stack enables real-time monitoring of log data, allowing immediate detection and response to security incidents. (2) Threat Analysis and Visualization: Kibana’s visualization capabilities help security teams identify patterns and anomalies in network traffic, aiding in threat analysis and investigation. And (3) Compliance and Reporting: ELK Stack can generate reports for compliance purposes and provide detailed logs of network activities and security events.

2.3. Attack and Tunneling Mechanisms

2.3.1. DNS Tunneling: DNSCat2 and Iodine

Given the increasing sophistication of cyber threats, it is crucial to understand the methods attackers use to bypass conventional security mechanisms. One such method is Domain Name System (DNS) tunneling. DNS tunneling is a technique that encapsulates data within DNS packets [16]. DNS, which is specially designed to translate domain names into IP addresses, is often allowed through firewalls and network security systems because it is essential for normal Internet operations. This makes DNS an attractive vector for attackers to bypass traditional security measures and exfiltrate data or establish covert communication channels. DNS tunneling exploits the DNS protocol by embedding data in DNS queries and responses, creating a covert channel for data exfiltration. In DNS tunneling, an attacker creates a rogue DNS server that communicates with malware on the victim’s machine. The malware encodes data in the DNS query’s subdomain, which is then sent to the rogue DNS server. This server decodes the data and processes them accordingly. Figure 1 provides a visual explanation of the technique. This method is effective because DNS traffic is generally permitted by firewalls and is not subject to the same rigorous scrutiny as other traffic.

Various tools, such as Iodine (https://github.com/yarrick/iodine, last accessed on 18 June 2025) and DNScat2 (https://github.com/iagox86/dnscat2, last accessed on 18 June 2025), facilitate DNS tunneling by encapsulating data within DNS packets. These tools establish an IP-over-DNS tunnel, enabling data transmission over DNS. This technique can be used not only for data exfiltration, but also for establishing C2 channels, making it a versatile tool for attackers [17,18].

2.3.2. ICMP Tunneling

ICMP tunneling is a covert communication technique that encapsulates data within ICMP echo request and reply messages, which are typically permitted through network security controls for diagnostic purposes, and attackers could exploit ICMP for this to exfiltrate data or establish command-and-control channels. Because ICMP traffic is often considered benign by default IDS configurations, ICMP tunneling represents a challenging and relevant threat vector in cloud environments.

3. Related Work

The work in [19] addresses the critical challenge of network security, given persistent risks such as phishing, hacking, spyware, and spoofing that compromise data integrity. It reviews various network threats and evaluates open-source security tools, specifically Acunetix (https://www.acunetix.com, last accessed on 28 July 2025), and IPS, for their effectiveness in mitigating these risks. The key sections of the paper explore security commands, system scan and reconnaissance processes, as well as an analysis of IPS functionality to identify and prevent network vulnerabilities. The findings highlight the limitations of existing tools in fully protecting transmitted data, underscoring the ongoing need for robust network security solutions. The authors of [20] examined the importance of security in cloud computing environments, where the growing reliance on network-based platforms makes data vulnerable to potential attacks. The work emphasizes the role of NIDS in protecting the availability, confidentiality, and integrity of network systems. Their work analyzes various open-source IDS tools, comparing their features, functionality, and performance to help organizations select the most suitable option for their specific needs. The conclusion emphasizes that while open-source IDS tools vary in their strengths and limitations, they offer flexibility for customization, allowing organizations to customize them to their specific security requirements.

The work in [21] investigates the impact of the number of active rules on Suricata’s detection accuracy, focusing on Indicators of Compromise (IoC) rules, such as IPRep, HTTP, DNS, MD5 and JA3 [22]. The analysis evaluates the detection accuracy in five scenarios with varying rule counts, reaching a total of one million rules. This work found a notable decrease in detection accuracy as the number of rules increased, with significant performance drops starting at 100,000 rules in isolated IoC scenarios. In a combined IoC scenario, the detection accuracy decreases as the number of rules per IoC exceeds 10,000, and the performance ultimately degrades to 1 million rules. The study shows that a higher number of activated rules compromises Suricata’s detection accuracy, thereby increasing the risk of cyber attacks by potentially missing known threats. This highlights the need for enhanced defense mechanisms, particularly in cyber threat hunt, to maintain system integrity and detect potential incidents effectively.

The work in [23] investigates the development and effectiveness of a Suricata-based IPS to improve network security against Distributed Denial of Service (DDoS) attacks, specifically SYN Flood and Ping of Death, within a school network. The waterfall model comprises the phases of analysis, design, implementation, testing, and maintenance. The investigation achieved a detection accuracy of 98% for DDoS threats and 95% for SYN Flood and Ping of Death, resulting in an average detection rate of 96.5% and a low false-positive rate of 2.5%. Implementing IPS stabilized network traffic by preventing excessive malicious requests via IPtables firewall capabilities, demonstrating robust, reliable security against common DDoS attacks. This study highlights the efficacy of systematically deploying IPS to protect network integrity in educational institutions.

The authors of [24] emphasize the importance of intrusion detection in securing cloud computing environments, which are highly susceptible to cyber attacks due to their dependence on Internet connectivity. The authors propose an IDS for cloud platforms that integrates signature-based and anomaly-based detection to identify both known and unknown threats. Using a hybrid detection mechanism at the Cloud Hypervisor level that leverages K-Nearest Neighbors (KNN) and Support Vector Machine (SVM) algorithms, the study demonstrates that the SVM-based model achieves higher accuracy than prior models. This approach aims to enhance security and reliability in cloud computing by dynamically detecting deviations from normal activities as potential intrusions. The work in [25] analyzes the effectiveness of two widely used NIDS, Snort and Suricata, in addressing the growing complexity of cyber threats. It examines the architectural foundations, detection features, and performance metrics of each system, concentrating on its strengths and limitations in various network environments. Snort’s extensive rule-based detection and customization make it suitable for settings requiring specific threat detection; however, its lack of multithreading limits its performance in high-traffic scenarios. Suricata, on the other hand, employs multithreading to handle high-throughput traffic and large datasets, which makes it well suited to dynamic environments. It also supports protocol anomaly detection and file inspection. The study highlights the crucial role of continuous improvement in NIDS, including the integration of machine learning and AI to enhance threat prediction and adaptability. Although Snort and Suricata each offer unique benefits, their applicability ultimately depends on organizational needs, network demands, and security strategies.

The work in [26] examines the security challenges posed by the Internet of Things (IoT), in which unprecedented connectivity amplifies vulnerability to cyber threats. Focusing on Snort as an NIDS, the paper analyzes its architecture, rule customization, and effectiveness in securing IoT environments. Key issues in IoT security include resource constraints, varied communication protocols, and the need for tailored defense mechanisms. The experimental results highlight Snort’s efficiency in detecting malicious activity while maintaining low memory and CPU usage, and it outperforms other NIDS tools, such as Wazuh (https://wazuh.com, last accessed on 18 June 2025), and Suricata. The findings underscore the importance of advanced tools such as Snort for addressing IoT-specific threats and emphasize practical strategies, including network segmentation and continuous monitoring, to strengthen network defenses. As IoT ecosystems become increasingly complex, Snort’s proactive threat-detection capabilities provide a robust, resource-efficient solution to enhance network resilience.

The research in [27] addresses the growing threat of botnet-driven cyberattacks, which is exacerbated by advances in AI and the increasing shift of organizations to cloud-based environments. Botnets are intended to disrupt services, steal credentials, or gain unauthorized network access, presenting significant challenges for network security professionals. The study proposes a new model to detect and mitigate botnet traffic in cloud environments by integrating IDS and SIEM systems. The model successfully detected and logged botnet attacks through this setup, enabling the generation of detailed reports to analyze attack characteristics, such as traffic volume and source IP addresses. The conclusion highlights that the model effectively supports network security analysts by providing a comprehensive view of attack data, facilitating proactive threat management. Future enhancements could include the deployment of firewalls and a demilitarized zone (DMZ) to improve filtering and segmentation, respectively, thereby strengthening network defenses. This model demonstrates a viable strategy for identifying and countering botnet attacks, providing network security professionals with a robust set of tools to protect cloud-based infrastructure.

Table 1. Thematic Mapping of Existing Research Work.

Theme	Papers	Key Insights
Performance Comparisons of Snort and Suricata	[10,25,28,29,30,31]	Snort 3.0 demonstrates superior detection rates for DoS/DDoS attacks in multi-core environments and excels in rule-based detection. Still, it consumes more CPU resources and struggles with high-speed traffic and large packets. Suricata, on the other hand, is more accurate, with fewer false positives; it performs better in high-speed traffic scenarios due to its multithreading capabilities and offers advantages over Snort in resource efficiency and handling of modern network demands.
Cloud and IoT Security	[32,33,34,35]	Random forest algorithms achieve high detection accuracy (99.71%) in cloud environments, highlighting the importance of real-time monitoring. At the same time, Suricata outperforms Snort and Bro in detecting malicious packets during DDoS attacks due to its multi-threading capabilities. Combining Snort and Suricata in a layered approach enhances intrusion detection in IoT/WBAN systems, and hybrid methods are proposed to overcome the limitations of traditional IDS techniques in addressing dynamic and scalable threats in cloud environments.
Hybrid approaches and advanced techniques	[36,37]	Snort can detect DDoS attacks but generates false alarms, underscoring the need for improved rule sets. In contrast, a hybrid IDS that integrates Suricata with pfSense demonstrates significant performance improvements, reducing delay, jitter, and CPU utilization while increasing throughput and packet transmission efficiency.
Integration of IDS with Emerging Technologies (e.g., SDN)	[38,39]	Snort outperforms Suricata in SDN environments, achieving higher true-positive rates, demonstrating the viability of integrating traditional IDS with SDN to enhance security. Additionally, fuzzy logic-based IDS systems (FL-SnortIDS and FL-SuricataIDS) surpass traditional systems, with FL-SnortIDS excelling, underscoring the potential of advanced techniques such as fuzzy logic and genetic algorithms for developing future network-aware IDS solutions.

introduces the thematic organization of some related works in IDS for cloud computing environments. To this end, our review of the existing literature highlights gaps in the comprehensive examination of Snort and Suricata in cloud environments. Hence, our article provides a comparative evaluation of Snort and Suricata for detecting data exfiltration tunnels in cloud environments.

4. Research Methodology

As noted earlier, this study aims to evaluate the effectiveness of Suricata and Snort in cloud computing environments. Suricata and Snort were selected because they are widely used in intrusion detection research. In addition, they support customizing the detection rules.

4.1. Methodology Setup

For this purpose, quasi-experiments are conducted to evaluate the effectiveness of these tools using the cloud-based architecture described in the following and depicted in Figure 2.

• Victim Machine: An Amazon Elastic Compute Cloud (AWS EC2) instance configured to simulate a typical user environment; The victim machine participates in bidirectional DNS communication with the attacker instance; traffic in both directions is mirrored to the IDS, with detection focusing on inbound packet characteristics relevant to signature-based tunneling rules.
• Intrusion Detection System (IDS): Another EC2 instance running Suricata and Snort, two open-source IDSs. They are configured with specific rules to detect DNS tunneling based on the signatures and characteristics of tunneling tools, such as DNSCat2 and Iodine. These rules are adapted from the research presented in [40]. Virtual Private Cloud (VPC) traffic mirroring mirrors internet traffic bound for the victim machine and sends it to the IDS machine for real-time analysis.
• Attacker Machine: An additional EC2 instance configured to simulate an attacker’s environment, uses tools such as Iodine and DNScat2 to attempt DNS tunneling attacks on the victim machine; The traffic generated by this machine is mirrored to the IDS.
• Monitoring and Visualization: The Elastic Stack is deployed to collect, store, and visualize network traffic data. Suricata and Snort logs are sent to the ELK stack using Filebeat modules.

It is worth emphasizing that AWS was used as a representative public cloud platform, not because of any dependence on AWS-specific features. The evaluated IDS tools, Snort and Suricata, are infrastructure-agnostic and can be deployed across on-premise, containerized, Kubernetes, and hybrid environments. Therefore, the findings are transferable beyond AWS to other infrastructures with comparable networking and traffic characteristics.

4.2. Detection Rules

The detection rules implemented to identify DNS tunneling attacks were adopted from the research presented in [40]. These rules are specifically designed to identify patterns characteristic of DNS tunneling tools such as Iodine and DNSCat2. The same rules apply to Snort and Suricata. This is because both IDS systems can interpret and apply the same rule syntax, enabling consistent detection across platforms.

4.2.1. Iodine Detection Rules

Iodine is a tool that tunnels IPv4 traffic through DNS using a NULL resource record. The detection rules look for specific patterns in DNS query and response packets that indicate Iodine traffic [40]. As seen in Listing 1, the first part of the rule matches the question section and the Answer Resource Record section of the DNS header. The second part checks for the “yrb” prefix used by Iodine. The final content match identifies the NULL type request. The rule triggers an alert if these patterns are observed twice in 15 s.

Listing 1. Iodine Detection Rules.

4.2.2. DNSCat2 Detection Rules

DNSCat2 is a tool designed to create C2 channels over DNS [40]. As shown in Listing 2, it uses various types of DNS records (e.g., CNAME, MX, TXT) and encrypts the tunnel by default. These rules identify DNSCat2 traffic by detecting the use of specific record types and checking for large data sizes, which are characteristic of DNS tunneling. Although DNSCat2 is challenging to detect when used over encrypted communications, each packet includes a plain text 5-byte header and a 16-bit nonce, and DNS query and reply packets are always greater than 100 bytes. These features are used to create the detection rules. The rules include filters that trigger alerts for multiple occurrences of these patterns within a short time frame.

Listing 2. DNSCat2 Detection Rules.

4.3. Test Scenarios

This part outlines the test scenarios designed to evaluate the effectiveness of Snort and Suricata in detecting various data exfiltration techniques. Three test scenarios were implemented: ICMP tunneling using Metasploit, DNS tunneling using DNSCat2, and DNS tunneling using Iodine.

Table 2. Experimental Scenarios and Tools Used for Tunneling Detection.

Scenario	Objective	Tools Used
ICMP Tunneling	Evaluate detection of ICMP-based data exfiltration.	Metasploit
DNS Tunneling (DNSCat2)	Assess the detection of DNS tunneling using DNSCat2.	DNSCat2
DNS Tunneling (Iodine)	Assess detection of DNS tunneling using Iodine.	Iodine

outlines the test scenarios and the detection tool used in each scenario. Each scenario was carefully set-up and executed in a controlled AWS environment to simulate realistic attack conditions. However, we agree that such scenarios may not fully replicate real-world cloud infrastructures.

The three test scenarios are selected to provide a comprehensive evaluation of Snort and Suricata in detecting data exfiltration techniques relevant to cloud environments. These scenarios represent some of the most common methods that attackers use to circumvent traditional security controls and exfiltrate sensitive data. ICMP tunneling demonstrates how data can be transmitted covertly via protocols typically used for network diagnostics, while DNS tunneling exploits trusted DNS traffic to steal information. The inclusion of DNSCat2 and Iodine ensures comprehensive coverage of different approaches to DNS tunneling, providing valuable insights into the tools’ detection capabilities under varying conditions. Such a focused approach enables an in-depth assessment of Snort and Suricata’s performance in identifying and mitigating data exfiltration threats, ensuring alignment in evaluating their effectiveness in cloud environments. The scenarios are deemed sufficient to draw meaningful conclusions about the tools’ strengths and limitations without introducing unnecessary complexity.

4.3.1. ICMP Tunneling

ICMP tunneling is a technique in which data are encapsulated within ICMP packets, typically used for network diagnostics (e.g., ping). Because ICMP traffic is often permitted through firewalls, attackers exploit this protocol to exfiltrate data or establish covert communication channels without raising suspicion.

The primary goal of this test scenario is to assess the detection capabilities of Snort and Suricata when an ICMP tunnel is utilized to exfiltrate data from a victim instance to an attacker instance. An attacker instance with Metasploit installed and a victim instance configured within an AWS VPC were utilized to set up this scenario. The network was configured to ensure proper routing and monitoring of ICMP traffic. Specifically, traffic mirroring was enabled to direct all ICMP traffic from the victim instance to the IDS instance where Snort and Suricata were running. It is worth noting that traffic mirroring was enabled to replicate all ICMP traffic from the victim instance and redirect it to the IDS instance where Snort and Suricata were running. This ensured that both tools had access to the same traffic for analysis.

The Metasploit icmp_tunnel module establishes a covert communication channel by encapsulating arbitrary data within ICMP echo request and reply packets. This enables an attacker to transfer sensitive information or execute commands remotely, bypassing traditional security measures. The Metasploit icmp_tunnel module was configured and executed to establish an ICMP tunnel between the attacker and the victim. This involved the following steps:

• Launch Metasploit on the attacker instance.
• Configure the icmp_tunnel module.
• Initiate the tunnel connection on the victim instance.
• Transmit data through the established ICMP tunnel.

During execution, Snort and Suricata were actively monitored to detect and log any ICMP tunneling activity. Specific ICMP signatures were enabled in both IDS systems to capture relevant traffic. The results are as follows.

• Detection Rate: The detection capabilities of Snort and Suricata were evaluated based on alerts generated during ICMP tunneling activity.
• False Positives/Negatives: An analysis was performed to identify false positives or negatives in the detection process.

Detecting ICMP tunneling poses significant challenges, as traditional IDS systems, such as Snort and Suricata, lack default rules specifically tailored to detect malicious ICMP traffic. Custom rule development and tuning are often necessary to enhance this technique’s detection capabilities.

4.3.2. DNS Tunneling with DNSCat2

This scenario evaluates the effectiveness of Snort and Suricata in detecting DNS tunneling using the DNSCat2 tool, a specialized utility that exfiltrates data by encapsulating them within DNS queries and responses. DNS tunneling exploits the inherent trust placed in DNS traffic, as DNS queries are typically allowed via firewalls and network security systems. This makes DNS tunneling a popular technique for attackers to bypass traditional security measures, establish covert communication channels, or exfiltrate sensitive information.

DNSCat2 was configured in both the attacker and victim instances within a VPC to mimic a realistic DNS tunneling attack. The attacker instance acted as the DNS server, while the victim instance was configured as the DNS client. A rogue DNS server under the attacker’s control was configured to handle tunneled DNS traffic, ensuring that all DNS queries from the victim instance were routed through it.

The following steps were performed to establish the DNS tunnel:

• Install DNSCat2 in both the attacker and the victim instances.
• Start the DNSCat2 server on the attacker instance and configure it to listen for incoming DNS queries.
• In the victim’s instance, initiate a connection to the DNSCat2 server by sending DNS queries encoded with data.
• Perform data exfiltration by transmitting files or commands through the established DNS tunnel.

Snort and Suricata were configured with DNS-specific detection rules to monitor and analyze DNS traffic for patterns indicative of tunneling activity. These rules were adapted from previous research [40] and designed to identify anomalies, such as unusually large DNS responses, specific record types (e.g., CNAME, MX, TXT) and high-frequency query patterns. Both IDS tools actively monitored the mirrored DNS traffic during the test to detect malicious activity.

Snort and Suricata performance was evaluated in this scenario based on the following metrics:

• Detection Rate: The number of alerts generated during DNS tunneling activity was recorded to measure the tools’ ability to detect DNSCat2-based exfiltration.
• False Positives/Negatives: The logs were analyzed to determine the accuracy of the detection mechanisms, including false positives (legitimate traffic flagged as malicious) or false negatives (malicious traffic not detected).

Detecting DNS tunneling with DNSCat2 poses significant challenges due to its use of encryption and the variability of DNS query patterns. Although encrypted communications make detection more difficult, certain characteristics, such as large DNS response sizes and specific record types, can still be used to identify suspicious activity. The results underscore the importance of fine-tuning and continuously updating the detection rules to adapt to evolving tunneling techniques.

This scenario demonstrates that Snort and Suricata can detect DNS tunneling using DNSCat2, with Suricata outperforming Snort in both detection rate and sensitivity. However, the findings also highlight the need for specialized rule development and continuous tuning to enhance detection capabilities for sophisticated tunneling tools such as DNSCat2. These insights contribute to a better understanding of how to optimize IDS tools to mitigate DNS tunneling threats in cloud environments. More details are presented in Section 5.

4.3.3. DNS Tunneling with Iodine

This test scenario evaluates the detection capabilities of Snort and Suricata when DNS tunneling is performed using Iodine, a tool specifically designed to encapsulate IPv4 traffic within DNS queries and responses. Iodine exploits the type of NULL resource record to create covert communication channels, making it a popular choice for attackers seeking to bypass traditional security measures. Using DNS, a protocol that is inherently trusted and often overlooked by network defenses, Iodine enables data exfiltration and remote access in environments where other protocols may be restricted.

To simulate a realistic DNS tunneling attack using Iodine, both attacker and victim instances were configured within a VPC. The attacker instance was configured as the Iodine server, while the victim instance served as the client. A rogue DNS server under the attacker’s control was configured to handle tunneled DNS traffic, ensuring that all DNS queries from the victim instance were routed through it.

The following steps were performed to establish the DNS tunnel:

• Install Iodine on both the attacker and the victim instances.
• Start the Iodine server on the attacker instance, configuring it to listen for incoming DNS queries.
• In the victim instance, initiate a connection to the Iodine server by sending encrypted DNS queries.
• Perform data exfiltration by transferring files or executing commands through the established DNS tunnel.

Snort and Suricata were configured with DNS-specific detection rules to monitor and analyze DNS traffic for patterns indicative of iodine-based tunneling activity. These rules were adapted from previous research [40] and designed to identify anomalies, such as unusually large DNS responses, specific record types (e.g., NULL) and high-frequency query patterns. Both IDS tools actively monitored the mirrored DNS traffic during the test to detect malicious activity.

Snort and Suricata performance was evaluated in this scenario based on the following metrics:

• Detection Rate: The number of alerts generated during the Iodine DNS tunneling activity was recorded to measure the tool’s ability to detect this technique.
• False Positives/Negatives: Detailed log analysis was performed to evaluate the accuracy of detection mechanisms, including false positives (legitimate traffic flagged as malicious) and false negatives (malicious traffic not detected).

Detecting DNS tunneling with Iodine presents significant challenges due to its reliance on the NULL resource record type and the variability of DNS query patterns. Although the NULL record type is uncommon in legitimate traffic, its presence alone is not always sufficient to conclusively identify malicious activity. In addition, encrypted communications further complicate detection efforts. The results underscore the importance of fine-tuning and continuously updating the detection rules to adapt to evolving tunneling techniques.

This scenario demonstrates that both Snort and Suricata can detect DNS tunneling using Iodine, with Suricata outperforming Snort in terms of detection rate and sensitivity. However, the findings also highlight the need for specialized rule development and continuous tuning to enhance detection capabilities for sophisticated tunneling tools such as Iodine. These insights contribute to a better understanding of how to optimize IDS tools to mitigate DNS tunneling threats in cloud environments. More details are presented in Section 5.

5. Results and Discussion

In this section, we present our evaluation metrics and results and discuss the observations.

5.1. Evaluation Metrics

Performance metrics are calculated based on the detection rates and accuracy of each IDS. We have used the following metrics to evaluate the performance of the IDS tools.

• True Positive (TP): represents the number of correctly identified attacks.
• False Positive (FP): represents the number of legitimate activities incorrectly identified as attacks.
• False Negative (FN): represents the number of attacks that were not identified.
• True Negative (TN): represents the number of legitimate activities correctly identified as non-attacks.

From the aforementioned values, we then calculate the following performance metrics:

• Recall (True Positive Rate (TPR)): Measures the ability to identify actual attacks and is calculated as Equation (1).

  $$Recall={\displaystyle \frac{TP}{TP+FN}}.$$

  (1)
• Precision: Measures the accuracy of positive predictions and is calculated as Equation (2).

  $$Precision={\displaystyle \frac{TP}{TP+FP}}.$$

  (2)
• Accuracy: Measures the model’s overall accuracy and is calculated as in Equation (3):

  $$Accuracy={\displaystyle \frac{TP+TN}{TP+FP+FN+TN}}.$$

  (3)
  Since True Negatives (TN) are not applicable in our scenarios, we simplify accuracy to be calculated as Equation (4)

  $$Accuracy={\displaystyle \frac{TP}{TP+FP+FN}}.$$

  (4)
• F1-Score: The harmonic mean of precision and recall provides a metric that balances both concerns and is calculated as Equation (5):

  $$F1\text{-}Score=2\times {\displaystyle \frac{Precision\times Recall}{Precision+Recall}}$$

  (5)

5.2. Evaluation Results

Table 3. Performance Analysis of IDS Tools Against ICMP and DNS Tunneling (DNSCat2 and Iodine).

Scenario	Tool	Detection Rate (%)	False Positives (%)
ICMP Tunneling	Snort	0	0
	Suricata	0	0
DNS Tunneling (DNSCat2)	Snort	95	0
	Suricata	98	0
DNS Tunneling (Iodine)	Snort	85	5
	Suricata	97	0

summarizes the results of the experiments aimed at evaluating the detection capabilities of the Snort and Suricata IDS systems against various data exfiltration techniques. The test scenarios include ICMP tunneling and DNS tunneling using DNSCat2 and Iodine.

5.2.1. ICMP Tunneling with Metasploit

A critical observation in the ICMP tunneling scenario is that neither Snort nor Suricata can detect ICMP tunneling attempts under default rules and configurations, as shown in

Table 4. Comparison of Snort and Suricata Based on Detection Performance Metrics.

Scenario	IDS Tool	Attempts #	TP	FP	FN	TN	Recall	Precision	Accuracy	F1-Score
ICMP Tunneling	Snort	3	0	0	3	–	0	–	0	0
ICMP Tunneling	Suricata	3	0	0	3	–	0	–	0	0
DNS Tunneling (DNSCat2)	Snort	7	6	0	1	–	0.857	1	0.857	0.923
DNS Tunneling (DNSCat2)	Suricata	7	16	0	0	–	1	1	1	1
DNS Tunneling (Iodine)	Snort	3	2	0	1	–	0.667	1	0.667	0.8
DNS Tunneling (Iodine)	Suricata	3	19	0	0	–	1	1	1	1

. The default rules in Snort and Suricata may not include signatures or patterns to identify anomalies in ICMP payloads, such as unusually large or frequent ICMP packets, which are indicative of tunneling activity. This suggests that further rule configuration and tuning are necessary to enhance detection capabilities for this specific type of tunneling. Both Snort and Suricata include pre-configured rule sets that primarily focus on detecting well-known threats, such as malware, exploits, and common network attacks (e.g., DDoS and port scanning). However, ICMP tunneling is a more sophisticated and less common technique that is not typically included in default rule sets. ICMP traffic (e.g., ping requests) is generally considered benign and essential for network diagnostics and troubleshooting. As a result, many IDS tools do not scrutinize ICMP packets by default, assuming that they are legitimate, unless explicitly configured otherwise. ICMP tunneling often exhibits specific behavioral patterns, such as high-frequency ICMP traffic or substantial packet sizes. However, default IDS configurations rely heavily on signature-based detection rather than behavioral analysis. Without rules tailored to detect these anomalies, ICMP tunneling can go unnoticed.

5.2.2. DNS Tunneling Using DNSCAT2

Given the data in Table 4 and Figure 3, Suricata vastly outperformed Snort in DNS Tunneling (DNSCat2). Snort detected 6 of 7 attempts, producing a Recall (TPR) of 0.857 (85.7%). This indicates that Snort identified most DNSCat2 tunneling attempts, but missed one. Suricata detected all seven attempts, generating 16 alerts (likely multiple alerts per attempt). This resulted in a perfect Recall (TPR) of 1. Without False Positives (FP = 0), Snort achieved a Precision of 1, which means that all alerts generated were accurate. Like Snort, Suricata reported no false positives, achieving a Precision of 1. For Snort, the overall Accuracy was 0.857, indicating its ability to classify most traffic accurately. Suricata’s accuracy was 1, indicating flawless detection. Snort’s F1-Score is 0.923, which suggests a strong balance between Precision and Recall. An F1-score of 1 indicates that Suricata performs at a higher level in detecting DNSCat2 tunneling.

5.2.3. DNS Tunneling Using Iodine

As shown in Figure 4 and Table 4, Suricata outperformed Snort in a large way, achieving better detection for Iodine tunneling. Snort’s lower Recall (66.7%) indicates that its rule sets may need further refinement to detect iodine-based tunneling effectively. Snort detected 2 of 3 attempts, producing a Recall (TPR) of 0.667 (66.7%). This indicates that Snort had greater difficulty detecting iodine-based tunneling than DNSCat2. Suricata detected all three attempts, generating 19 alerts (likely multiple alerts per attempt). This resulted in a perfect Recall (TPR) of 1. Both Snort and Suricata had no False Positives; they maintained a Precision of 1. The overall accuracy of Snort was 0.667, reflecting its lower success rate in identifying Iodine tunneling. Suricata’s accuracy was 1, indicating flawless detection. Snort’s F1 score of 0.8 indicates a reasonable balance between Precision and Recall, but highlights room for improvement. An F1-score of 1 indicates Suricata’s robust performance in detecting Iodine tunneling.

Figure 3. Performance Metrics for Snort and Suricata on DNS Tunneling (DNSCat2).

Figure 3. Performance Metrics for Snort and Suricata on DNS Tunneling (DNSCat2).

Figure 4. Performance Metrics for Snort and Suricata on DNS Tunneling (Iodine).

Figure 4. Performance Metrics for Snort and Suricata on DNS Tunneling (Iodine).

5.3. Discussion

The investigation uncovers several key insights, which are summarized below for clarity and ease of reference.

• Strengths of Suricata

  –

  Suricata demonstrated superior performance in detecting DNS tunneling (both DNSCat2 and Iodine), achieving better performance across all metrics.

  –

  Its ability to generate multiple alerts per attempt suggests thorough detection capabilities, although this may require tuning to reduce redundancy.

• Limitations of Snort

  –

  Although Snort performed reasonably well in detecting DNSCat2 tunneling, it showed variability in detecting Iodine tunneling and completely failed to detect ICMP tunneling.

  –

  The lower Recall for Iodine (66.7%) and zero detection for ICMP tunneling indicate that Snort’s default rules are insufficient for certain tunneling methods.

• ICMP Tunneling Challenges

  –

  Both tools failed to detect ICMP tunneling under the default configuration. This underscores the need for specialized rule development and tuning to address this specific type of covert channel.

• False Positives

  –

  Neither Snort nor Suricata generated any False Positives in the tested scenarios, showcasing their high specificity when configured appropriately.

• Performance Metrics

  –

  Suricata consistently achieved higher Recall, Precision, accuracy and F1-Scores compared to Snort, making it the more reliable choice for detecting DNS tunneling techniques.

  –

  However, the inability of both tools to detect ICMP tunneling highlights a shared limitation that requires further investigation and rule customization.

To summarize the results and relate them to the original RQs, we provide answers to each RQ.

RQ₀:

The default configuration rules in Snort and Suricata did not detect ICMP tunneling. This indicates the need for specialized rules or maybe behavioral analysis to address such a sophisticated threat in the cloud.

RQ₁:

Suricata outperformed Snort in detecting DNS tunneling using DNSCat2, achieving a Recall of 98% compared to Snort’s 95%, demonstrating its superior capability in identifying this covert communication method.

RQ₂:

Suricata also demonstrated better performance in detecting DNS tunneling using Iodine, achieving perfect Recall (100%) compared to Snort’s 66.7%, underscoring its robustness against diverse DNS-based threats.

RQ₃:

The findings reveal Suricata’s strengths in higher detection rates and fewer missed detections, while Snort’s limitations include variability in detecting Iodine tunneling and complete failure with ICMP tunneling. Neither tool generated false positives, demonstrating high specificity when properly configured.

Suricata’s superior performance in DNS tunneling scenarios is attributable to its multithreaded architecture and protocol-aware inspection capabilities. In cloud environments, where traffic is virtualized and mirrored at high volume, Suricata’s ability to parallelize packet processing enables more consistent inspection without packet drops. In contract, Snort’s rule evaluation is more sensitive to throughput constraints, which may explain missed detections observed in DNSCat2 and Iodine scenarios.

6. Conclusions and Future Work

The main contribution of this paper is an empirical, cloud-agnostic evaluation of Snort and Suricata for detecting covert data exfiltration via DNS and ICMP tunneling. This paper aimed to evaluate the effectiveness of Snort and Suricata in detecting a set of covert data exfiltration techniques in a cloud environment, with a focus on ICMP and DNS tunneling scenarios. This comparison showed distinct performance differences between these two IDSs. Suricata consistently outperformed Snort in DNS-based tunneling detection, achieving full Recall in both DNSCat2 and Iodine, whereas Snort’s Recall remained considerably lower at 85.7% and 66.7%, respectively. In contrast, both tools failed to detect ICMP tunneling generated by Metasploit and reported 0% Recall, highlighting the limitations of a default signature-based configuration for addressing sophisticated tunneling mechanisms. The results underscore the need to refine rule sets, develop signature-based methods, and integrate behavior analytics to address shortcomings that a traditional pattern-matching approach cannot resolve. Given the wide variety of rule libraries available, the rapidly changing threat landscape of covert exfiltration techniques, and the lack of standardized testing frameworks for IDS/IPS platforms, more systematic large-scale testing is necessary to establish performance boundaries across diverse operational environments. When properly tuned and integrated into a centralized logging infrastructure such as ELK, both Snort and Suricata can continue to provide valuable capabilities to enhance intrusion detection, improve network visibility, and support digital forensics investigations in cloud environments.

It should be noted that although the experiments were conducted on AWS, the observed detection behavior of Snort and Suricata is not tied to AWS-specific features and is expected to generalize to other cloud environments that employ virtualized networking, traffic mirroring, and comparable workload characteristics.

The future research directions of this article are as follows:

• Custom Rule Development. For ICMP tunneling, additional rules should be developed to detect anomalies, such as considerable ICMP payloads, high-frequency ICMP traffic, or specific byte patterns indicative of tunneling.
• Continuous Tuning. Regular updates to rule sets are necessary to adapt to evolving tunneling techniques and ensure consistent detection performance.
• Integration with Advanced Tools. Combining Snort and Suricata with machine learning-based anomaly detection systems can enhance their ability to detect sophisticated threats, such as ICMP tunneling.
• Further Testing. Future work will focus on large-scale experimental evaluation that involves more tunneling scenarios and repeated trials to enable statistically meaningful analysis, including systematic parameter variation, higher traffic volumes, and the integration of additional tunneling tools and protocols. These enhancements aim to improve the statistical robustness and generalizability of the findings.