[Snort-openappid] openVPN 443

Costas Kleopa (ckleopa) ckleopa at ...5...
Tue Apr 12 10:54:08 EDT 2016


The pcap you sent to us does not include any SSL exchange information for us to get the hints we need for detecting OpenVPN. Since all the traffic is encrypted in there, there is nothing for us to see if it’s part of OpenVPN, so unfortunately that is something we can’t identify at this point.

If you had any other traffic that would include a proper SSL exchange between the VPN client, there would be a chance we can get something from it, but I would imagine VPN clients already include the SSL keys internally, so those probably won’t even show.

Thanks
Costas

On Apr 12, 2016, at 4:53 AM, valentin.giraud at ...128...<mailto:valentin.giraud at ...128...> wrote:

Hi Costas and thank you for the answer.

I do have a pcap (in attached document) of the traffic I am trying to
detect.
I thought openappid could manage encrypted traffic (and detect openVPN).
To enable SSLPP, I tried to disable: trustservers and
noinspect_encrypted. But it did not work.


On 11.04.2016 19:34, Costas Kleopa (ckleopa) wrote:
Do you have any pcap with this kind of traffic?
If the traffic is encrypted then it may be a challenge to identify the
actual OpenVPN traffic.

On Apr 11, 2016, at 7:11 AM, valentin.giraud at ...128...<mailto:valentin.giraud at ...128...> wrote:

Hi,

I am trying to detect openVPN on the port 443 (it already works with
the port 1194). Is it supposed to be detected by the default rules? Or do I
have to write my own custom rules?

Valentin.

<openVPN443.pcapng>
