[Snort-users] Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?

Erik Anderson erikba at ...12686...
Fri Nov 19 10:42:48 EST 2004

Without any strong knowledge of the inner workings of OpenVPN, I would 
hazard to guess that:
  "shared secret" encryption would be difficult to detect, "certificates" 
(required for 2.0 multi-servers) may be detectable by an SSL-style startup 
sequence (which I know nothing about) unless they were cloaked by an 
additional shared secret.  Shared-secret encryption has no unencrypted 
negotiation or initialization, the two machines just start throwing 
encrypted packets at each other.

----- Original Message ----- 
From: "Jason Haar" <Jason.Haar at ...294...>
To: <openvpn-users at lists.sourceforge.net>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, November 18, 2004 2:30 PM
Subject: [Openvpn-users] Anyone know how to detect OpenVPN traffic?

> [This should put the cat amongst the pigeons ;-)]
> I love OpenVPN - great piece of work. However, with my corporate security 
> hat on, I'd like to be able to detect it within our corporate network on 
> our Snort servers. We can detect IPSec easily enough, but these NAT'ted 
> type technologies are ... rather harder.
> It can run over both TCP and UDP, on arbitrary ports (defaults to 1194), 
> supports LZO compression, certificates and shared keys.
> I have tried to sniff the traffic and find some commonality - but without 
> much luck so far.
> Is there any "initialization" sequences that are common, that a Snort 
> signature(s) could be written for? Has anyone else done it?
> Thanks!
> -- 
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> -------------------------------------------------------
> This SF.Net email is sponsored by: InterSystems CACHE
> FREE OODBMS DOWNLOAD - A multidimensional database that combines
> robust object and relational technologies, making it a perfect match
> for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

More information about the Snort-users mailing list