[Snort-users] Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?

Florian Weimer fw at ...12698...
Mon Nov 22 08:40:02 EST 2004

* Jason Haar:

> I don't think any product - commercial or otherwise - could detect such 
> things - if they are implemented correctly.

You just look for flows that consist solely of high-entropy packets.
Not too hard to implement in low bandwidth environments, but it's a
real challenge as soon as the packet rate is non-trivial.  You have to
mask out a few false positives (FTP transfers of compressed files, for
example), but it would catch all sorts of cryptographic tunneling
protocols, including OpenVPN.

A good approach in some environments (especially corporate) is to look
at flows that exist for extended periods of time, and rule out the
good ones.  The remaining data can be extremely interesting.
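The two heuristics Florian describes, worked through as an added example (it is not part of the original thread, nor Snort or OpenVPN code): per-packet Shannon entropy is rolled up per flow, a flow is reported only when every sizeable packet in it is high-entropy and the flow has lasted an extended period, and an allowlist masks the kind of false positive he mentions (an FTP transfer of a compressed archive). The thresholds, the allowlisted ports and the three sample flows are all assumptions constructed for the example, not values from the post.

```python
"""Flow-level heuristic for spotting encrypted tunnels (OpenVPN and the like).

Two filters from the post, combined: a flow is reported only if every
sizeable packet in it is high-entropy (ciphertext looks random) AND the flow
has lasted an extended period, after known-good flows are ruled out.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass

# Assumed tuning values for this example; a real deployment would calibrate them.
ENTROPY_THRESHOLD = 7.0    # bits/byte; plaintext protocols usually sit around 4-6
MIN_PAYLOAD = 64           # short packets (ACKs, keepalives) give noisy entropy estimates
LONG_LIVED_SECONDS = 600   # what counts as an "extended period" here
# Hypothetical allowlist of (port, proto) pairs that legitimately carry random-looking data.
ALLOWLIST = {(20, "tcp"), (443, "tcp")}  # FTP data (compressed archives), HTTPS


@dataclass
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    judged: int = 0        # packets with payload >= MIN_PAYLOAD
    high_entropy: int = 0  # of those, how many reached ENTROPY_THRESHOLD


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flow_key(p: Packet):
    """Bidirectional 5-tuple: endpoints sorted so both directions land in one flow."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (a, b, p.proto)


def build_flows(packets):
    """Aggregate packets into flows, counting how many sizeable packets look random."""
    flows = {}
    for p in packets:
        f = flows.setdefault(flow_key(p), Flow(first=p.ts, last=p.ts))
        f.first, f.last = min(f.first, p.ts), max(f.last, p.ts)
        f.packets += 1
        if len(p.payload) >= MIN_PAYLOAD:
            f.judged += 1
            if shannon_entropy(p.payload) >= ENTROPY_THRESHOLD:
                f.high_entropy += 1
    return flows


def suspicious_flows(flows):
    """Keys of long-lived flows made solely of high-entropy packets, minus the allowlist."""
    hits = []
    for (a, b, proto), f in flows.items():
        if (a[1], proto) in ALLOWLIST or (b[1], proto) in ALLOWLIST:
            continue                                   # rule out the good ones
        if f.last - f.first < LONG_LIVED_SECONDS:
            continue                                   # short flows are not interesting here
        if f.judged == 0 or f.high_entropy != f.judged:
            continue                                   # a readable packet means it is not a tunnel
        hits.append((a, b, proto))
    return hits


def make_sample_packets():
    """Constructed traffic (not a real capture): a tunnel, an HTTP session, an FTP transfer."""
    rng = random.Random(2004)

    def rand(n):  # stands in for ciphertext or compressed data, which look alike to entropy
        return bytes(rng.getrandbits(8) for _ in range(n))

    pkts = []
    # 1. OpenVPN-like UDP/1194 session: 200 encrypted datagrams spread over 20 minutes.
    for i in range(200):
        pkts.append(Packet(i * 6.0, "10.0.0.5", "203.0.113.7", 50000, 1194, "udp", rand(1200)))
    # 2. Long-lived keep-alive HTTP session: readable headers, gzip-compressed bodies.
    req = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nAccept-Encoding: gzip\r\n\r\n"
    hdr = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\nContent-Length: 4200\r\n\r\n"
    for i in range(10):
        t = i * 90.0
        pkts.append(Packet(t, "10.0.0.5", "10.0.0.80", 40000, 80, "tcp", req))
        pkts.append(Packet(t + 0.1, "10.0.0.80", "10.0.0.5", 80, 40000, "tcp", hdr))
        for j in range(3):
            pkts.append(Packet(t + 0.2 + j * 0.01, "10.0.0.80", "10.0.0.5", 80, 40000, "tcp", rand(1400)))
    # 3. FTP data transfer of a compressed archive: random-looking for 17 minutes (the false positive).
    for i in range(100):
        pkts.append(Packet(i * 10.0, "203.0.113.9", "10.0.0.5", 20, 40001, "tcp", rand(1400)))
    return pkts


if __name__ == "__main__":
    flows = build_flows(make_sample_packets())
    for key, f in flows.items():
        print(key, f"duration={f.last - f.first:.0f}s", f"high_entropy={f.high_entropy}/{f.judged}")
    print("suspicious:", suspicious_flows(flows))
```

Run stand-alone, only the UDP/1194 flow is reported: the HTTP session is long-lived but its headers are readable, so it fails the "solely high-entropy" test, and the FTP transfer is just as random-looking as the tunnel and is masked only by the allowlist, which is why that list has to be maintained deliberately. Computing a byte histogram for every packet is the cost Florian points at; at non-trivial packet rates one would sample packets per flow or compute entropy over a fixed window rather than the whole payload.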

