[Bro] Detecting OpenVPN

Steve Brant steve at brant.nu
Fri Jun 15 14:04:59 PDT 2018


Check out JA3 as a method of identifying clients.

https://github.com/salesforce/ja3

I did a little work on it last year. There are other relevant links here https://www.splunk.com/blog/2017/12/18/configuring-ja3-with-bro-for-splunk.html

Thanks,
Steve
On Jun 15, 2018, 07:48 -0700, Johanna Amann <johanna at icir.org>, wrote:
> Is OpenVPN just "normal" TLS? (I admittedly just never looked at it).
>
> If yes, that would be a bug. Do you randomly have a short pcap that you
> can share that shows this?
>
> Johanna
>
> On 15 Jun 2018, at 2:47, Michał Purzyński wrote:
>
> > Just checked that the SSL analyzer does not attach to OpenVPN over TCP
> > (we support both protocols).
> >
> > I’d like to know, why and possibly get that fixed.
> >
> > OpenVPN should be quite easy to detect at the ssl layer, or we could
> > have an OpenVPN protocol maybe.
> >
> > > On Jun 15, 2018, at 2:43 AM, Mike Eriksson <mike at swedishmike.org>
> > > wrote:
> > >
> > > Michal,
> > >
> > > I didn't think about JA3, that could possibly be a good avenue to go
> > > down.
> > >
> > > OpenVPN can run over TCP as well as UDP, but UDP seems to be most
> > > prevalent.
> > >
> > > If I look at captures there seem to be some patterns that could
> > > possibly be used to trigger detection. In the attached screenshot[1]
> > > you can see some sample UDP traffic.
> > >
> > > With the two RESET messages followed by the ACK and then the TLS Client
> > > and Server Hellos there might be a way in?
> > >
> > > Cheers, Mike
> > >
> > > [1]
> > > <image.png>
> > >
> > >
> > > > On Fri, Jun 15, 2018 at 10:27 AM Michał Purzyński
> > > > <michalpurzynski1 at gmail.com> wrote:
> > > > Maybe the initial SSL handshake is unique enough to warrant JA3
> > > > signature?
> > > >
> > > > The SSL analyzer does not attach there, but maybe that’s because
> > > > it’s UDP?
> > > >
> > > > Johanna?
> > > >
> > > > > On Jun 15, 2018, at 12:47 AM, Mike Eriksson <mike at swedishmike.org>
> > > > > wrote:
> > > > >
> > > > > All,
> > > > >
> > > > > Before I set out to re-invent the wheel, yet again, I thought I'd
> > > > > post the question to this list first. Is anyone aware of any work
> > > > > that's been done to get OpenVPN detection in Bro?
> > > > >
> > > > > Just getting detection on the handshake/initial connection should
> > > > > be a good enough start in my book. Wireshark has OpenVPN protocol
> > > > > support so it seems to be doable.
> > > > >
> > > > > Any feedback/ideas out there?
> > > > >
> > > > > Thanks in advance, Mike
> > > > > --
> > > > >
> > > > > website: http://swedishmike.org
> > > > > twitter: https://twitter.com/swedishmike
> > > > > github: http://github.com/swedishmike
> > > >
> > > > > _______________________________________________
> > > > > Bro mailing list
> > > > > bro at bro-ids.org
> > > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
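Added example, not part of the thread and not Bro code: Johanna's question ("is OpenVPN just normal TLS?") is answered by the packet layout. OpenVPN's control channel does carry a TLS handshake, but each TLS fragment sits inside OpenVPN's own reliability-layer envelope (opcode/key_id byte, 8-byte session id, an ack array, optional remote session id, 4-byte packet id), so an analyzer that expects a TLS record header at byte 0 of the datagram never sees one. The Python below parses that envelope, reports where the TLS record actually starts, and implements the reset/reset/ACK/ClientHello sequence Mike describes as a per-flow state machine. It assumes the plain control-channel layout without a tls-auth or tls-crypt wrapper (which changes the header), and all packets in the sample flow are constructed test data, not a capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Opcode is the high 5 bits of the first byte; key_id is the low 3 bits.
P_CONTROL_V1 = 4
P_ACK_V1 = 5
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


@dataclass
class OpenVPNPacket:
    opcode: int
    session_id: bytes
    acked_ids: List[int]                # reliability-layer ACKs carried piggyback
    remote_session_id: Optional[bytes]  # present only when acked_ids is non-empty
    packet_id: Optional[int]            # absent in P_ACK_V1
    payload: bytes                      # control packets: a slice of the TLS stream


def parse_packet(pkt: bytes) -> Optional[OpenVPNPacket]:
    """Parse one control-channel packet (no tls-auth/tls-crypt): opcode<<3|key_id (1)
    | session_id (8) | ack_count (1) | ack ids (4 each) | remote_session_id (8 if
    ack_count > 0) | packet_id (4, not in P_ACK) | payload. None if it does not fit."""
    if len(pkt) < 10:
        return None
    opcode, session_id, off = pkt[0] >> 3, pkt[1:9], 9
    ack_count, off = pkt[off], off + 1
    if len(pkt) < off + 4 * ack_count + (8 if ack_count else 0):
        return None
    acked = [struct.unpack_from(">I", pkt, off + 4 * i)[0] for i in range(ack_count)]
    off += 4 * ack_count
    remote = packet_id = None
    if ack_count:
        remote, off = pkt[off:off + 8], off + 8
    if opcode != P_ACK_V1:
        if len(pkt) < off + 4:
            return None
        packet_id, off = struct.unpack_from(">I", pkt, off)[0], off + 4
    return OpenVPNPacket(opcode, session_id, acked, remote, packet_id, pkt[off:])


def tls_record_offset(pkt: bytes) -> Optional[int]:
    """Offset of the TLS record header inside a P_CONTROL_V1 packet: the point an
    SSL analyzer would have to be handed, rather than byte 0 of the datagram."""
    p = parse_packet(pkt)
    if p is None or p.opcode != P_CONTROL_V1 or len(p.payload) < 5:
        return None
    if p.payload[0] != 0x16 or p.payload[1] != 0x03:  # handshake record, TLS 1.x
        return None
    return len(pkt) - len(p.payload)


class OpenVPNHandshakeDetector:
    """Per-flow state machine for the sequence in the thread: client hard reset, server
    hard reset acking it, then a client control packet carrying the TLS ClientHello
    (a bare P_ACK_V1 in between is tolerated). feed() returns True once complete."""
    def __init__(self):
        self.step, self.client_session = 0, None

    def feed(self, is_orig: bool, pkt: bytes) -> bool:
        p = parse_packet(pkt)
        if p is None:
            return False
        if self.step == 0 and is_orig and p.opcode == P_CONTROL_HARD_RESET_CLIENT_V2 and p.packet_id == 0:
            self.client_session, self.step = p.session_id, 1
        elif (self.step == 1 and not is_orig and p.opcode == P_CONTROL_HARD_RESET_SERVER_V2
              and p.remote_session_id == self.client_session and 0 in p.acked_ids):
            self.step = 2
        elif (self.step == 2 and is_orig and tls_record_offset(pkt) is not None
              and len(p.payload) > 5 and p.payload[5] == 0x01):  # handshake type ClientHello
            self.step = 3
        return self.step == 3


def build_packet(opcode, session_id, acked=(), remote=b"", packet_id=None, payload=b""):
    """Assemble a constructed packet for the sample flow below (test data, not a capture)."""
    out = bytes([opcode << 3]) + session_id + bytes([len(acked)])
    out += b"".join(struct.pack(">I", a) for a in acked) + (remote if acked else b"")
    if packet_id is not None:
        out += struct.pack(">I", packet_id)
    return out + payload


# Constructed sample flow: made-up session ids and a minimal ClientHello record
# (content type 0x16, version 0x0301, length 4, handshake type 0x01).
CLIENT_SID = bytes.fromhex("1122334455667788")
SERVER_SID = bytes.fromhex("99aabbccddeeff00")
CLIENT_HELLO = bytes.fromhex("160301000401000000")
SAMPLE_FLOW = [
    (True, build_packet(P_CONTROL_HARD_RESET_CLIENT_V2, CLIENT_SID, packet_id=0)),
    (False, build_packet(P_CONTROL_HARD_RESET_SERVER_V2, SERVER_SID, [0], CLIENT_SID, 0)),
    (True, build_packet(P_ACK_V1, CLIENT_SID, [0], SERVER_SID)),
    (True, build_packet(P_CONTROL_V1, CLIENT_SID, packet_id=1, payload=CLIENT_HELLO)),
]


def detect_flow(packets) -> bool:
    det = OpenVPNHandshakeDetector()
    return any(det.feed(is_orig, pkt) for is_orig, pkt in packets)
```

For the sample flow, `tls_record_offset` on the fourth packet returns 14: one opcode byte, eight bytes of session id, a one-byte ack count of zero and a four-byte packet id come before the first TLS record, which is exactly the header a generic SSL analyzer trips over. The same parser applies to OpenVPN over TCP once the 2-byte big-endian length prefix in front of each packet is stripped; the TLS fragments then have to be reassembled in packet-id order across control packets before anything like JA3 can be computed from the ClientHello.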