[Snort-users] Anyone know how to detect OpenVPN traffic?

Jason Haar Jason.Haar at ...294...
Thu Nov 18 14:31:01 EST 2004

[This should put the cat amongst the pigeons ;-)]

I love OpenVPN - great piece of work. However, with my corporate 
security hat on, I'd like to be able to detect it within our corporate 
network on our Snort servers. We can detect IPSec easily enough, but 
these NAT'ted type technologies are ... rather harder.

It can run over both TCP and UDP, on arbitrary ports (defaults to 1194), 
supports LZO compression, certificates and shared keys.

I have tried to sniff the traffic and find some commonality - but 
without much luck so far.

Is there any "initialization" sequences that are common, that a Snort 
signature(s) could be written for? Has anyone else done it?



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list