I agree with rcole. If the evasion technique creates an unknown application then you should already have policies in place to deny unknown udp and tcp traffic. While a signature (if possible ) would work in this situation the more encompasing approach would be to block unknown apps as mentioned. If the traffic causes a url category of "unknown" to be generated then you should deal with that situation within yout URL filtering policy. Signatures are great for specific or unique traffic patterns when other methods can't address the problem / situation. Glad you thinking out of the box.
... View more