[Snort-users] Anyone know how to detect OpenVPN traffic?
Jason.Haar at ...294...
Thu Nov 18 14:31:01 EST 2004
[This should put the cat amongst the pigeons ;-)]
I love OpenVPN - great piece of work. However, with my corporate
security hat on, I'd like to be able to detect it within our corporate
network on our Snort servers. We can detect IPSec easily enough, but
these NAT'ted type technologies are ... rather harder.
It can run over both TCP and UDP, on arbitrary ports (defaults to 1194),
supports LZO compression, certificates and shared keys.
I have tried to sniff the traffic and find some commonality - but
without much luck so far.
Is there any "initialization" sequences that are common, that a Snort
signature(s) could be written for? Has anyone else done it?
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the Snort-users