[Bro] Detecting OpenVPN

Johanna Amann johanna at icir.org
Fri Jun 15 07:45:59 PDT 2018


Is OpenVPN just "normal" TLS? (I admittedly just never looked at it).

If yes, that would be a bug. Do you randomly have a short pcap that you 
can share that shows this?

Johanna

On 15 Jun 2018, at 2:47, Michał Purzyński wrote:

> Just checked that the SSL analyzer does not attach to OpenVPN over TCP 
> (we support both protocols).
>
> I’d like to know, why and possibly get that fixed.
>
> OpenVPN should be quite easy to detect at the ssl layer, or we could 
> have an OpenVPN protocol maybe.
>
>> On Jun 15, 2018, at 2:43 AM, Mike Eriksson <mike at swedishmike.org> 
>> wrote:
>>
>> Michal,
>>
>> I didn't think about JA3, that could possibly be a good avenue to go 
>> down.
>>
>> OpenVPN can run over TCP as well as UDP, but UDP seems to be most 
>> prevalent.
>>
>> If I look at captures there seem to be some patterns that could 
>> possibly be used to trigger detection. In the attached screenshot[1] 
>> you can see some sample UDP traffic.
>>
>> With the two RESET messages followed by the ACK and then TLS Client 
>> and Server Hellos there might be a way in?
>>
>> Cheers, Mike
>>
>> [1]
>> <image.png>
>>
>>
>>> On Fri, Jun 15, 2018 at 10:27 AM Michał Purzyński 
>>> <michalpurzynski1 at gmail.com> wrote:
>>> Maybe the initial SSL handshake is unique enough to warrant JA3 
>>> signature?
>>>
>>> The SSL analyzer does not attach there, but maybe that’s because 
>>> it’s UDP?
>>>
>>> Johanna?
>>>
>>>> On Jun 15, 2018, at 12:47 AM, Mike Eriksson <mike at swedishmike.org> 
>>>> wrote:
>>>>
>>>> All,
>>>>
>>>> Before I set out to re-invent the wheel, yet again, I thought I'd 
>>>> post the question to this list first. Is anyone aware of any work 
>>>> that's been done to get OpenVPN detection in Bro?
>>>>
>>>> Just getting detection on the handshake/initial connection should 
>>>> be a good enough start in my book. Wireshark has OpenVPN protocol 
>>>> support so it seems to be doable.
>>>>
>>>> Any feedback/ideas out there?
>>>>
>>>> Thanks in advance, Mike
>>>> -- 
>>>>
>>>> website: http://swedishmike.org
>>>> twitter: https://twitter.com/swedishmike
>>>> github: http://github.com/swedishmike
>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> -- 
>>
>> website: http://swedishmike.org
>> twitter: https://twitter.com/swedishmike
>> github: http://github.com/swedishmike
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
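As an added example that is not from the thread, here is a Python sketch of the UDP handshake heuristic Mike describes above (client hard reset, server hard reset, ACK, then a control packet carrying the TLS ClientHello), with the datagrams constructed inline. It assumes the opcode numbers from OpenVPN's ssl.h and the plain control-channel layout without a tls-auth HMAC prefix; a real detector would run the same state machine once per UDP flow.

```python
import struct
# Opcode numbers as in OpenVPN's ssl.h: top five bits of byte 0, key id in low three.
HARD_RESET_CLIENT = {1, 7, 10}   # P_CONTROL_HARD_RESET_CLIENT_V1/V2/V3
HARD_RESET_SERVER = {2, 8}       # P_CONTROL_HARD_RESET_SERVER_V1/V2
P_CONTROL_V1, P_ACK_V1 = 4, 5

def parse_control_packet(datagram: bytes):
    """(opcode, key_id, inner payload); assumes no tls-auth HMAC prefix."""
    if len(datagram) < 10:
        raise ValueError("too short for an OpenVPN control packet")
    opcode, key_id = datagram[0] >> 3, datagram[0] & 0x07
    pos = 1 + 8                                   # skip sender's session id
    n_acks = datagram[pos]
    pos += 1 + 4 * n_acks + (8 if n_acks else 0)  # acked ids + remote session id
    if opcode == P_ACK_V1:                        # ACKs carry no packet id/payload
        return opcode, key_id, b""
    pos += 4                                      # this packet's own packet id
    return opcode, key_id, datagram[pos:]

def looks_like_openvpn_handshake(datagrams) -> bool:
    """datagrams: [(direction, bytes)], direction 'c2s' or 's2c'. True once a
    CONTROL packet following reset/reset/ack carries a TLS ClientHello record."""
    stage = 0
    for direction, datagram in datagrams:
        try:
            opcode, _, tls = parse_control_packet(datagram)
        except ValueError:
            return False
        if stage == 0 and direction == "c2s" and opcode in HARD_RESET_CLIENT:
            stage = 1
        elif stage == 1 and direction == "s2c" and opcode in HARD_RESET_SERVER:
            stage = 2
        elif stage == 2 and opcode == P_ACK_V1:
            stage = 3
        elif stage == 3 and opcode == P_CONTROL_V1:
            # TLS record: type 0x16, version 0x03xx, 2-byte length, handshake type 1
            return len(tls) >= 6 and tls[0] == 0x16 and tls[1] == 0x03 and tls[5] == 1
    return False

def build(opcode, session=b"\x11" * 8, acks=(), remote=b"", pkt_id=None, body=b""):
    """Construct a test datagram in the control-channel layout parsed above."""
    out = bytes([opcode << 3]) + session + bytes([len(acks)])
    out += b"".join(struct.pack(">I", a) for a in acks) + (remote if acks else b"")
    if pkt_id is not None:
        out += struct.pack(">I", pkt_id)
    return out + body
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # constructed TLS record
SAMPLE = [("c2s", build(7, pkt_id=0)),                                  # hard reset
          ("s2c", build(8, b"\x22" * 8, [0], b"\x11" * 8, pkt_id=0)),  # hard reset
          ("c2s", build(5, acks=[0], remote=b"\x22" * 8)),               # ack
          ("c2s", build(4, pkt_id=1, body=CLIENT_HELLO))]                # control
```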