Identify one method of detecting this network traffic using a method
that is not just specific to this situation, but other ones as
well.
Based on the observed behaviour, this network traffic can be detected by
almost any IDS or firewall. I've decided to use the aforementioned Snort
with the following rules:
# Inbound: IP payload that starts with the bytes 0x02 0x00 and is larger
# than 200 bytes (depth:2 anchors the content match at the payload start).
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Tool incoming traffic"; \
    content:"|0200|"; offset:0; depth:2; dsize:>200; sid:1000001; rev:1;)
# Outbound: same shape, but the payload starts with 0x03 0x00.
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"Tool outgoing traffic"; \
    content:"|0300|"; offset:0; depth:2; dsize:>200; sid:1000002; rev:1;)
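The matching logic behind those two rules (a direction check, a payload-size threshold, and a content match anchored at a byte offset) is small enough to reimplement, which makes it easy to see why an unanchored content match is noisier than the anchored one. The following Python is an added example written for this page, not part of the original write-up or of Snort itself; the $HOME_NET range and the four packets are constructed values, and the rule fields mirror the Snort keywords rather than parse Snort syntax.

```python
"""Toy re-implementation of the two Snort rules above.

Added example; the home network and the packets are constructed, not captured.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

HOME_NET = ip_network("192.168.1.0/24")  # assumed value for $HOME_NET


@dataclass(frozen=True)
class Rule:
    msg: str
    inbound: bool            # True: $EXTERNAL_NET -> $HOME_NET, False: the reverse
    content: bytes           # bytes to look for (Snort content:"|..|")
    offset: int = 0          # where the search window starts (Snort offset)
    depth: Optional[int] = None  # window length from offset; None = to end of payload
    dsize_gt: int = 0        # payload must be larger than this (Snort dsize:>N)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# The two rules from the write-up, with depth:2 so the bytes must be at the start.
RULES = [
    Rule("Tool incoming traffic", inbound=True, content=b"\x02\x00",
         offset=0, depth=2, dsize_gt=200),
    Rule("Tool outgoing traffic", inbound=False, content=b"\x03\x00",
         offset=0, depth=2, dsize_gt=200),
]


def direction_ok(rule: Rule, pkt: Packet) -> bool:
    """Emulate $EXTERNAL_NET -> $HOME_NET (inbound) or $HOME_NET -> $EXTERNAL_NET."""
    src_home = ip_address(pkt.src) in HOME_NET
    dst_home = ip_address(pkt.dst) in HOME_NET
    if rule.inbound:
        return dst_home and not src_home
    return src_home and not dst_home


def content_ok(rule: Rule, pkt: Packet) -> bool:
    """Search for rule.content inside the window defined by offset and depth."""
    end = len(pkt.payload) if rule.depth is None else rule.offset + rule.depth
    window = pkt.payload[rule.offset:end]
    return rule.content in window


def match(rules: List[Rule], pkt: Packet) -> List[str]:
    """Return the msg of every rule the packet triggers, in rule order."""
    return [r.msg for r in rules
            if len(pkt.payload) > r.dsize_gt
            and direction_ok(r, pkt)
            and content_ok(r, pkt)]


# Constructed sample traffic (203.0.113.5 plays the external host).
INBOUND_CMD = Packet("203.0.113.5", "192.168.1.10", b"\x02\x00" + b"A" * 250)
OUTBOUND_REPLY = Packet("192.168.1.10", "203.0.113.5", b"\x03\x00" + b"B" * 300)
SMALL_INBOUND = Packet("203.0.113.5", "192.168.1.10", b"\x02\x00" + b"A" * 10)
# 0x0200 appears 40 bytes in, not at the start: the anchored rule must ignore it.
MIDSTREAM = Packet("203.0.113.5", "192.168.1.10", b"\x00" * 40 + b"\x02\x00" + b"A" * 200)

# An unanchored variant (offset:0 but no depth) to compare against.
UNANCHORED = [Rule("Unanchored incoming", inbound=True, content=b"\x02\x00", dsize_gt=200)]

if __name__ == "__main__":
    for pkt in (INBOUND_CMD, OUTBOUND_REPLY, SMALL_INBOUND, MIDSTREAM):
        print(pkt.src, "->", pkt.dst, len(pkt.payload), "bytes:",
              match(RULES, pkt) or "no alert", "| unanchored:", match(UNANCHORED, pkt))
```

Running the script shows the anchored rules firing only on the first two packets, while the unanchored variant also fires on the MIDSTREAM packet, where the two bytes merely happen to occur somewhere in a large payload. That is the check worth making before deploying a short content signature like |0200| on all IP traffic: without depth (or a protocol-specific narrowing), two-byte patterns recur often enough in ordinary traffic to generate false positives.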