Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?

From: "Erik Anderson" <erikba () teamworkgroup com>
Date: Thu, 18 Nov 2004 15:31:24 -0800
Without any strong knowledge of the inner workings of OpenVPN, I would hazard to guess that: "shared secret" encryption would be difficult to detect, "certificates" (required for 2.0 multi-servers) may be detectable by an SSL-style startup sequence (which I know nothing about) unless they were cloaked by an additional shared secret. Shared-secret encryption has no unencrypted negotiation or initialization, the two machines just start throwing encrypted packets at each other.
----- Original Message ----- From: "Jason Haar" <Jason.Haar () trimble co nz> 
To: <openvpn-users () lists sourceforge net>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, November 18, 2004 2:30 PM
Subject: [Openvpn-users] Anyone know how to detect OpenVPN traffic?



[This should put the cat amongst the pigeons ;-)]
I love OpenVPN - great piece of work. However, with my corporate security hat on, I'd like to be able to detect it within our corporate network on our Snort servers. We can detect IPSec easily enough, but these NAT'ted type technologies are ... rather harder.
It can run over both TCP and UDP, on arbitrary ports (defaults to 1194), supports LZO compression, certificates and shared keys.
I have tried to sniff the traffic and find some commonality - but without much luck so far.
Is there any "initialization" sequences that are common, that a Snort signature(s) could be written for? Has anyone else done it? 

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Openvpn-users mailing list
Openvpn-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/openvpn-users





-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: