[Bro] Detecting OpenVPN

Mike Eriksson mike at swedishmike.org
Fri Jun 15 02:57:05 PDT 2018


If it can be fixed in 'core' Bro it would be even better than writing my
own detection. I'm sure more people than us would be interested in this?

Cheers, Mike

On Fri, Jun 15, 2018 at 10:47 AM Michał Purzyński <michalpurzynski1 at gmail.com> wrote:

> Just checked that the SSL analyzer does not attach to OpenVPN over TCP (we
> support both protocols).
>
> I’d like to know, why and possibly get that fixed.
>
> OpenVPN should be quite easy to detect at the ssl layer, or we could have
> an OpenVPN protocol maybe.
>
> On Jun 15, 2018, at 2:43 AM, Mike Eriksson <mike at swedishmike.org> wrote:
>
> Michal,
>
> I didn't think about JA3, that could possibly be a good avenue to go down.
>
> OpenVPN can run over TCP as well as UDP, but UDP seems to be most
> prevalent.
>
> If I look at captures there seem to be some patterns that could possibly
> be used to trigger detection. In the attached screenshot[1] you can see
> some sample UDP traffic.
>
> With the two RESET messages followed by the ACK and then TLS Client and
> Server Hellos there might be a way in?
>
> Cheers, Mike
>
> [1]
> <image.png>
>
>
> On Fri, Jun 15, 2018 at 10:27 AM Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>
>> Maybe the initial SSL handshake is unique enough to warrant JA3 signature?
>>
>> The SSL analyzer does not attach there, but maybe that’s because it’s UDP?
>>
>> Johanna?
>>
>> On Jun 15, 2018, at 12:47 AM, Mike Eriksson <mike at swedishmike.org> wrote:
>>
>> All,
>>
>> Before I set out to re-invent the wheel, yet again, I thought I'd post
>> the question to this list first. Is anyone aware of any work that's been
>> done to get OpenVPN detection in Bro?
>>
>> Just getting detection on the handshake/initial connection should be a
>> good enough start in my book. Wireshark has OpenVPN protocol support so it
>> seems to be doable.
>>
>> Any feedback/ideas out there?
>>
>> Thanks in advance, Mike

website: http://swedishmike.org
twitter: https://twitter.com/swedishmike
github: http://github.com/swedishmike
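The UDP handshake pattern Mike points at (two hard-reset messages, an ACK, then the TLS Client and Server Hello) expressed as a flow-level check, written as an added example and not code from the thread, from Bro or from OpenVPN. It assumes OpenVPN's wire-format opcode byte and runs on constructed packets without tls-auth; a Bro implementation would apply the same opcode test to each UDP payload of a connection.

```python
# Added example (not from the thread, Bro, or OpenVPN): a flow-level heuristic for the
# OpenVPN-over-UDP handshake. Opcodes follow OpenVPN's wire format: top five bits of
# the first byte, low three bits = key id. Packets below are constructed, no tls-auth.
OPCODE_SHIFT = 3
P_CONTROL_V1 = 4             # control message carrying TLS handshake bytes
P_ACK_V1 = 5
P_HARD_RESET_CLIENT_V2 = 7   # client's first packet
P_HARD_RESET_SERVER_V2 = 8   # server's reply

def opcode(payload: bytes) -> int:
    """OpenVPN opcode from the first byte of a UDP payload (-1 if empty)."""
    return payload[0] >> OPCODE_SHIFT if payload else -1

def has_tls_hello(payload: bytes, handshake_type: int) -> bool:
    """True if a TLS handshake record (0x16 0x03 ..) whose first message is ClientHello
    (1) or ServerHello (2) follows the OpenVPN header. Scanning rather than parsing
    sidesteps the variable-length ack array and the optional tls-auth HMAC."""
    return any(payload[i] == 0x16 and payload[i + 1] == 0x03 and payload[i + 5] == handshake_type
               for i in range(1, len(payload) - 5))

# Order described in the thread: client HARD_RESET, server HARD_RESET, client ACK,
# then P_CONTROL_V1 with ClientHello (c->s) and P_CONTROL_V1 with ServerHello (s->c).
HANDSHAKE = [("c", P_HARD_RESET_CLIENT_V2, None), ("s", P_HARD_RESET_SERVER_V2, None),
             ("c", P_ACK_V1, None), ("c", P_CONTROL_V1, 1), ("s", P_CONTROL_V1, 2)]

def looks_like_openvpn(packets) -> bool:
    """packets: ordered (direction, udp_payload) pairs, 'c' = client->server.
    Packets not matching the current step (retransmits, data) are skipped."""
    step = 0
    for direction, payload in packets:
        want_dir, want_op, hello = HANDSHAKE[step]
        if direction == want_dir and opcode(payload) == want_op and (
                hello is None or has_tls_hello(payload, hello)):
            step += 1
            if step == len(HANDSHAKE):
                return True
    return False

# Constructed packets: opcode/key-id byte, 8-byte session id, empty ack array (0),
# 4-byte packet id, optional body. Simplified layout, no real keys or session data.
SESSION_ID = b"\x11" * 8
def ctrl(op: int, body: bytes = b"") -> bytes:
    return bytes([op << OPCODE_SHIFT]) + SESSION_ID + b"\x00" + b"\x00\x00\x00\x01" + body
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # TLS record, handshake type 1
SERVER_HELLO = b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00"  # TLS record, handshake type 2
SAMPLE_FLOW = [("c", ctrl(P_HARD_RESET_CLIENT_V2)), ("s", ctrl(P_HARD_RESET_SERVER_V2)),
               ("c", ctrl(P_ACK_V1)), ("c", ctrl(P_CONTROL_V1, CLIENT_HELLO)),
               ("s", ctrl(P_CONTROL_V1, SERVER_HELLO))]
NOT_OPENVPN = [("c", b"\x12\x34\x01\x00\x00\x01"), ("s", b"\x12\x34\x81\x80\x00\x01")]  # DNS-like
```

Real sessions retransmit and interleave ACKs, which the step matcher tolerates by skipping unmatched packets; with tls-auth enabled the HMAC sits before the packet id, which is why the TLS check scans rather than assumes a fixed offset.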