Snort mailing list archives
Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?
From: "Erik Anderson" <erikba () teamworkgroup com>
Date: Thu, 18 Nov 2004 15:31:24 -0800
Without any strong knowledge of the inner workings of OpenVPN, I would hazard to guess that: "shared secret" encryption would be difficult to detect, "certificates" (required for 2.0 multi-servers) may be detectable by an SSL-style startup sequence (which I know nothing about) unless they were cloaked by an additional shared secret. Shared-secret encryption has no unencrypted negotiation or initialization, the two machines just start throwing encrypted packets at each other.
----- Original Message -----
From: "Jason Haar" <Jason.Haar () trimble co nz>
To: <openvpn-users () lists sourceforge net>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, November 18, 2004 2:30 PM
Subject: [Openvpn-users] Anyone know how to detect OpenVPN traffic?
[This should put the cat amongst the pigeons ;-)]

I love OpenVPN - great piece of work. However, with my corporate security hat on, I'd like to be able to detect it within our corporate network on our Snort servers. We can detect IPSec easily enough, but these NAT'ted type technologies are ... rather harder.

It can run over both TCP and UDP, on arbitrary ports (defaults to 1194), supports LZO compression, certificates and shared keys.

I have tried to sniff the traffic and find some commonality - but without much luck so far.

Are there any "initialization" sequences that are common, that a Snort signature(s) could be written for? Has anyone else done it?

Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE FREE OODBMS DOWNLOAD - A multidimensional database that combines robust object and relational technologies, making it a perfect match for Java, C++, COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Openvpn-users mailing list
Openvpn-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
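Both messages above circle the same question: what in an OpenVPN session is fixed enough to write a signature against. The Python below is a worked example added to this archive page; it is not code from either poster, nor from the OpenVPN or Snort projects. It assumes the OpenVPN 2.x control-channel layout without tls-auth (one opcode byte, an 8-byte session ID, an ACK count, a 4-byte packet ID), which gives the client's first packet a fixed 14-byte shape and the server's reply a fixed 26-byte shape. With tls-auth an HMAC and replay fields follow the session ID, so only the opcode still matches, and static-key mode has no handshake at all, so both of those cases are reported only as "possible". All packet samples are constructed inline, not captured.

```python
"""
Heuristic detection of the start of an OpenVPN session. Added example, not
code from the thread or from the OpenVPN/Snort projects. Assumed 2.x control
channel layout WITHOUT tls-auth:

  byte 0       opcode in the high 5 bits, key_id in the low 3 bits
  bytes 1..8   sender's random 64-bit session ID
  byte 9       count of ACKed packet IDs that follow (4 bytes each)
  8 bytes      peer's session ID (present only when the ACK count is > 0)
  4 bytes      this packet's own packet ID
"""
import struct

P_DATA_V1 = 6                        # static-key (shared secret) mode data
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # first packet of a 2.x TLS-mode client
P_CONTROL_HARD_RESET_SERVER_V2 = 8   # server's reply to it


def opcode(payload: bytes) -> int:
    return payload[0] >> 3


def key_id(payload: bytes) -> int:
    return payload[0] & 0x07


def is_client_hard_reset(payload: bytes) -> bool:
    """1 + 8 + 1 + 4 = 14 bytes: opcode 7 (0x38 with key_id 0), zero ACKs, packet ID 0.
    Snort sketch of the same match (check keyword semantics for your version):
      alert udp any any -> any any (msg:"OpenVPN client hard reset"; dsize:14;
        content:"|38|"; depth:1; content:"|00 00 00 00 00|"; offset:9;
        sid:1000001; rev:1;)
    """
    return (len(payload) == 14
            and opcode(payload) == P_CONTROL_HARD_RESET_CLIENT_V2
            and payload[9] == 0
            and payload[10:14] == b"\x00" * 4)


def is_server_hard_reset(payload: bytes, client_sid: bytes = None) -> bool:
    """1 + 8 + 1 + 4 + 8 + 4 = 26 bytes: opcode 8, one ACK (of packet 0),
    the client's session ID echoed back, own packet ID 0."""
    if len(payload) != 26 or opcode(payload) != P_CONTROL_HARD_RESET_SERVER_V2:
        return False
    if payload[9] != 1 or payload[10:14] != b"\x00" * 4 or payload[22:26] != b"\x00" * 4:
        return False
    return client_sid is None or payload[14:22] == client_sid


def split_tcp_stream(data: bytes) -> list:
    """OpenVPN over TCP prefixes each packet with a 2-byte big-endian length;
    strip the framing so the UDP checks above apply to each record."""
    out, pos = [], 0
    while pos + 2 <= len(data):
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        if pos + n > len(data):
            break                    # truncated record: stop rather than guess
        out.append(data[pos:pos + n])
        pos += n
    return out


def classify_flow(payloads) -> str:
    """Label a flow from its first payloads; only the TLS handshake is a firm match."""
    payloads = [p for p in payloads if p]
    if not payloads:
        return "empty"
    first = payloads[0]
    if is_client_hard_reset(first):
        if len(payloads) > 1 and is_server_hard_reset(payloads[1], first[1:9]):
            return "openvpn-tls-handshake"
        return "openvpn-tls-client-reset"
    if opcode(first) == P_CONTROL_HARD_RESET_CLIENT_V2 and len(first) > 14:
        # Opcode fits but extra bytes follow the session ID, as with tls-auth
        # (HMAC + replay packet ID + timestamp): a weak indication only.
        return "possible-openvpn-tls-auth"
    if len(payloads) >= 8 and all(opcode(p) == P_DATA_V1 and key_id(p) == 0 for p in payloads):
        # Static-key mode has no handshake; every packet merely starts with 0x30,
        # which random data also does once in 256 packets, hence the count threshold.
        return "possible-openvpn-static-key"
    return "unknown"


def build_client_hard_reset(sid: bytes, tls_auth_hmac: bytes = b"") -> bytes:
    """Constructed sample. With tls-auth the HMAC, a 4-byte replay packet ID and
    a 4-byte timestamp are assumed to follow the session ID."""
    head = bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + sid
    if tls_auth_hmac:
        head += tls_auth_hmac + struct.pack(">II", 1, 0x41C00000)
    return head + b"\x00" + struct.pack(">I", 0)


def build_server_hard_reset(server_sid: bytes, client_sid: bytes) -> bytes:
    """Constructed sample of the server's reply to a client hard reset."""
    return (bytes([P_CONTROL_HARD_RESET_SERVER_V2 << 3]) + server_sid
            + b"\x01" + struct.pack(">I", 0) + client_sid + struct.pack(">I", 0))


if __name__ == "__main__":
    c_sid, s_sid = bytes(range(8)), bytes(range(8, 16))
    udp = [build_client_hard_reset(c_sid), build_server_hard_reset(s_sid, c_sid)]
    print(classify_flow(udp))
    print(classify_flow([build_client_hard_reset(c_sid, b"\x11" * 20)]))
    print(classify_flow([b"\x30" + bytes(40)] * 8))
    print(classify_flow(split_tcp_stream(b"".join(struct.pack(">H", len(p)) + p for p in udp))))
```

The firm signature is the one Erik's reasoning predicts: the TLS-mode handshake starts in the clear with fixed-shape control packets, while the shared-secret mode offers nothing beyond a constant first byte. Treat the two "possible" labels as hints for a flow-level correlation rather than alerts on their own, and expect the 14-byte rule to miss any deployment that uses tls-auth.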
Current thread:
- Anyone know how to detect OpenVPN traffic? Jason Haar (Nov 18)
- Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic? Erik Anderson (Nov 19)