[Bro] Detecting OpenVPN

Mike Eriksson mike at swedishmike.org
Fri Jun 15 02:43:59 PDT 2018


Michal,

I didn't think about JA3, that could possibly be a good avenue to go down.

OpenVPN can run over TCP as well as UDP, but UDP seems to be most prevalent.

If I look at captures there seem to be some patterns that could possibly
be used to trigger detection. In the attached screenshot[1] you can see
some sample UDP traffic.

With the two RESET messages followed by the ACK and then TLS Client and
Server Hellos there might be a way in?

Cheers, Mike

[1]
[image: image.png]


On Fri, Jun 15, 2018 at 10:27 AM Michał Purzyński <
michalpurzynski1 at gmail.com> wrote:

> Maybe the initial SSL handshake is unique enough to warrant JA3 signature?
>
> The SSL analyzer does not attach there, but maybe that’s because it’s UDP?
>
> Johanna?
>
> On Jun 15, 2018, at 12:47 AM, Mike Eriksson <mike at swedishmike.org> wrote:
>
> All,
>
> Before I set out to re-invent the wheel, yet again, I thought I'd post the
> question to this list first. Is anyone aware of any work that's been done
> to get OpenVPN detection in Bro?
>
> Just getting detection on the handshake/initial connection should be a
> good enough start in my book. Wireshark has OpenVPN protocol support so it
> seems to be doable.
>
> Any feedback/ideas out there?
>
> Thanks in advance, Mike
> --
>
> website: http://swedishmike.org
> twitter: https://twitter.com/swedishmike
> github: http://github.com/swedishmike
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
--
website: http://swedishmike.org
twitter: https://twitter.com/swedishmike
github: http://github.com/swedishmike
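The handshake pattern described above (client and server hard resets, an ACK, then TLS carried inside control packets), as an added example that is not part of the thread and is not Bro/Zeek code: a Python stand-in for the check a Bro analyzer or signature would make. It parses the cleartext OpenVPN/UDP control-channel header and matches the first four packets of a flow. The opcode values are OpenVPN's own (from its ssl.h); the session IDs, packet bytes and the truncated ClientHello are constructed sample input, and the function and variable names are mine.

```python
# Added example (not from the thread): classify a UDP flow as an OpenVPN
# control-channel handshake. Assumes no --tls-auth/--tls-crypt, so the
# control-channel header is in the clear (see the note after the code).
import struct
from typing import Optional

# Opcodes from OpenVPN's ssl.h. The first payload byte is (opcode << 3) | key_id.
P_CONTROL_HARD_RESET_CLIENT_V1 = 1
P_CONTROL_HARD_RESET_SERVER_V1 = 2
P_CONTROL_SOFT_RESET_V1 = 3
P_CONTROL_V1 = 4
P_ACK_V1 = 5
P_DATA_V1 = 6
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
P_DATA_V2 = 9
P_CONTROL_HARD_RESET_CLIENT_V3 = 10  # tls-crypt-v2 only
CONTROL_OPCODES = {1, 2, 3, 4, 5, 7, 8, 10}
HARD_RESET_CLIENT = {1, 7, 10}
HARD_RESET_SERVER = {2, 8}


def parse_control_header(payload: bytes) -> Optional[dict]:
    """Parse an OpenVPN/UDP control-channel header (no tls-auth/tls-crypt).

    Layout: opcode|key_id (1), session_id (8), ack_len (1), ack_len * acked id (4),
    remote_session_id (8, only if ack_len > 0), packet_id (4, absent for P_ACK), body.
    Returns None for data-channel packets or anything that does not fit the layout.
    """
    if len(payload) < 10:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in CONTROL_OPCODES:
        return None
    session_id, ack_len, off = payload[1:9], payload[9], 10
    if ack_len > 8:  # OpenVPN never acks more than 8 ids in one packet
        return None
    acks = []
    for _ in range(ack_len):
        if off + 4 > len(payload):
            return None
        acks.append(struct.unpack(">I", payload[off:off + 4])[0])
        off += 4
    remote_session_id = None
    if ack_len:
        if off + 8 > len(payload):
            return None
        remote_session_id, off = payload[off:off + 8], off + 8
    packet_id = None
    if opcode != P_ACK_V1:
        if off + 4 > len(payload):
            return None
        packet_id, off = struct.unpack(">I", payload[off:off + 4])[0], off + 4
    return {"opcode": opcode, "key_id": key_id, "session_id": session_id,
            "acks": acks, "remote_session_id": remote_session_id,
            "packet_id": packet_id, "body": payload[off:]}


def is_tls_client_hello(body: bytes) -> bool:
    """TLS record type 0x16 (handshake), major version 3, handshake type 1."""
    return len(body) >= 6 and body[0] == 0x16 and body[1] == 0x03 and body[5] == 0x01


def looks_like_openvpn(packets) -> bool:
    """packets: [(direction, udp_payload), ...], direction 'c' (client->server) or 's'.

    Matches the pattern from the capture: client hard reset, server hard reset
    acking it, client ACK of the server reset, then a client P_CONTROL carrying
    a TLS ClientHello, with each side's session ID constant across the exchange.
    """
    if len(packets) < 4:
        return False
    parsed = []
    for direction, payload in packets[:4]:
        hdr = parse_control_header(payload)
        if hdr is None:
            return False
        parsed.append((direction, hdr))
    (d0, c_reset), (d1, s_reset), (d2, ack), (d3, ctl) = parsed
    if (d0, d1, d2, d3) != ("c", "s", "c", "c"):
        return False
    c_sid, s_sid = c_reset["session_id"], s_reset["session_id"]
    return (c_reset["opcode"] in HARD_RESET_CLIENT and c_reset["packet_id"] == 0
            and s_reset["opcode"] in HARD_RESET_SERVER and s_reset["packet_id"] == 0
            and s_reset["remote_session_id"] == c_sid and 0 in s_reset["acks"]
            and ack["opcode"] == P_ACK_V1 and ack["session_id"] == c_sid
            and ack["remote_session_id"] == s_sid and 0 in ack["acks"]
            and ctl["opcode"] == P_CONTROL_V1 and ctl["session_id"] == c_sid
            and is_tls_client_hello(ctl["body"]))


def build_packet(opcode, session_id, acks=(), remote_sid=b"", packet_id=None, body=b""):
    """Build a plain control-channel packet (key_id 0); used only for sample input."""
    out = bytes([opcode << 3]) + session_id + bytes([len(acks)])
    for a in acks:
        out += struct.pack(">I", a)
    if acks:
        out += remote_sid
    if packet_id is not None:
        out += struct.pack(">I", packet_id)
    return out + body


# Constructed sample flow (not a real capture): the four packets named above.
CLIENT_SID = bytes.fromhex("0102030405060708")
SERVER_SID = bytes.fromhex("a1a2a3a4a5a6a7a8")
# Constructed, truncated ClientHello: TLS record 0x16, version 3.1, length 10, msg type 1.
TLS_CLIENT_HELLO = bytes.fromhex("160301000a") + b"\x01\x00\x00\x06\x03\x03" + b"\x00" * 4
SAMPLE_HANDSHAKE = [
    ("c", build_packet(P_CONTROL_HARD_RESET_CLIENT_V2, CLIENT_SID, packet_id=0)),
    ("s", build_packet(P_CONTROL_HARD_RESET_SERVER_V2, SERVER_SID, acks=(0,),
                       remote_sid=CLIENT_SID, packet_id=0)),
    ("c", build_packet(P_ACK_V1, CLIENT_SID, acks=(0,), remote_sid=SERVER_SID)),
    ("c", build_packet(P_CONTROL_V1, CLIENT_SID, packet_id=1, body=TLS_CLIENT_HELLO)),
]
# Constructed negative: same shape, but the client's ACK names the wrong server session.
BAD_HANDSHAKE = SAMPLE_HANDSHAKE[:2] + [
    ("c", build_packet(P_ACK_V1, CLIENT_SID, acks=(0,), remote_sid=bytes(8))),
    SAMPLE_HANDSHAKE[3],
]

if __name__ == "__main__":
    print("sample:", looks_like_openvpn(SAMPLE_HANDSHAKE))  # True
    print("bad:", looks_like_openvpn(BAD_HANDSHAKE))        # False
```

Two caveats a detection would have to carry: with --tls-auth an HMAC plus a packet-id/timestamp sits between the session ID and the ack array, and with --tls-crypt (or tls-crypt-v2, whose client reset uses opcode 10) everything after the session ID is encrypted, so in those modes only the opcode byte and the reset/ACK/control cadence remain as signals and this parser does not apply. Over TCP the same packets are prefixed with a 2-byte length, so the offsets above shift by two.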
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 69914 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180615/a36093cc/attachment-0001.bin 