[Snort-users] Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?
erikba at ...12686...
Fri Nov 19 10:42:48 EST 2004
Without any strong knowledge of the inner workings of OpenVPN, I would
hazard to guess that:
"shared secret" encryption would be difficult to detect; "certificates"
(required for 2.0 multi-servers) may be detectable by an SSL-style startup
sequence (which I know nothing about) unless they were cloaked by an
additional shared secret. Shared-secret encryption has no unencrypted
negotiation or initialization; the two machines just start throwing
encrypted packets at each other.
----- Original Message -----
From: "Jason Haar" <Jason.Haar at ...294...>
To: <openvpn-users at lists.sourceforge.net>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, November 18, 2004 2:30 PM
Subject: [Openvpn-users] Anyone know how to detect OpenVPN traffic?
> [This should put the cat amongst the pigeons ;-)]
> I love OpenVPN - great piece of work. However, with my corporate security
> hat on, I'd like to be able to detect it within our corporate network on
> our Snort servers. We can detect IPSec easily enough, but these NAT'ted
> type technologies are ... rather harder.
> It can run over both TCP and UDP, on arbitrary ports (defaults to 1194),
> supports LZO compression, certificates and shared keys.
> I have tried to sniff the traffic and find some commonality - but without
> much luck so far.
> Are there any "initialization" sequences that are common, that a Snort
> signature(s) could be written for? Has anyone else done it?
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
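As an added illustration of the distinction drawn in this thread (not code from either poster, nor from the OpenVPN or Snort projects): in certificate (TLS) mode the first OpenVPN packet in each direction is a cleartext "hard reset" control message, while static-key packets carry no such header. The opcode values and packet layout come from the OpenVPN wire protocol rather than from this page; the function names and sample packets are constructed for the example.

```python
import struct

# OpenVPN TLS-mode opcodes (high 5 bits of the first byte; low 3 bits are key_id).
HARD_RESET_CLIENT = {1, 7}   # P_CONTROL_HARD_RESET_CLIENT_V1 / _V2
HARD_RESET_SERVER = {2, 8}   # P_CONTROL_HARD_RESET_SERVER_V1 / _V2
SESSION_ID_LEN = 8

def strip_tcp_framing(payload):
    """Over TCP each OpenVPN packet is preceded by a 16-bit big-endian length."""
    if len(payload) < 2:
        return None
    (length,) = struct.unpack("!H", payload[:2])
    body = payload[2:2 + length]
    return body if length and len(body) == length else None

def parse_reset(packet, opcodes):
    """Return the sender's session ID if packet is a hard reset with key_id 0."""
    if packet is None or len(packet) < 1 + SESSION_ID_LEN:
        return None
    opcode, key_id = packet[0] >> 3, packet[0] & 0x07
    if opcode not in opcodes or key_id != 0:
        return None
    return packet[1:1 + SESSION_ID_LEN]

def looks_like_openvpn_tls(first_c2s, first_s2c, tcp=False):
    """Classify a flow from the first payload seen in each direction."""
    if tcp:
        first_c2s, first_s2c = strip_tcp_framing(first_c2s), strip_tcp_framing(first_s2c)
    client_sid = parse_reset(first_c2s, HARD_RESET_CLIENT)
    if client_sid is None or parse_reset(first_s2c, HARD_RESET_SERVER) is None:
        return False
    # The server's reply acknowledges the client's packet and echoes the
    # client's session ID in the clear, which ties the two packets together.
    return client_sid in first_s2c[1 + SESSION_ID_LEN:]

# Constructed sample packets (no tls-auth): opcode, session ID, ACK section, packet ID.
C_SID = bytes.fromhex("1122334455667788")
S_SID = bytes.fromhex("99aabbccddeeff00")
CLIENT_RESET = bytes([7 << 3]) + C_SID + b"\x00" + b"\x00" * 4
SERVER_RESET = bytes([8 << 3]) + S_SID + b"\x01" + b"\x00" * 4 + C_SID + b"\x00" * 4
# Constructed stand-in for static-key mode: opaque bytes, no opcode byte or handshake.
STATIC_KEY_PKT = bytes.fromhex("c3a1f09e5b7d2246e8810c9b4f6a3d57")
```

Matching on the first byte alone would fire on roughly one random payload in a few hundred, which is why the check pairs both directions through the echoed session ID. Static-key flows offer nothing comparable to pair on, consistent with the reply above.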