[Bro] Detecting OpenVPN
Michał Purzyński
michalpurzynski1 at gmail.com
Fri Jun 15 14:34:26 PDT 2018
Like we said previously, it did not work.
> On Jun 15, 2018, at 2:04 PM, Steve Brant <steve at brant.nu> wrote:
>
> Check out JA3 as a method of identifying clients.
>
> https://github.com/salesforce/ja3
>
> I did a little work on it last year. There are other relevant links here https://www.splunk.com/blog/2017/12/18/configuring-ja3-with-bro-for-splunk.html
>
> Thanks,
> Steve
>> On Jun 15, 2018, 07:48 -0700, Johanna Amann <johanna at icir.org>, wrote:
>> Is OpenVPN just "normal" TLS? (I admittedly just never looked at it).
>>
>> If yes, that would be a bug. Do you randomly have a short pcap that you
>> can share that shows this?
>>
>> Johanna
>>
>> On 15 Jun 2018, at 2:47, Michał Purzyński wrote:
>>
>>> Just checked that the SSL analyzer does not attach to OpenVPN over TCP
>>> (we support both protocols).
>>>
>>> I’d like to know, why and possibly get that fixed.
>>>
>>> OpenVPN should be quite easy to detect at the ssl layer, or we could
>>> have an OpenVPN protocol maybe.
>>>
>>>> On Jun 15, 2018, at 2:43 AM, Mike Eriksson <mike at swedishmike.org>
>>>> wrote:
>>>>
>>>> Michal,
>>>>
>>>> I didn't think about JA3, that could possibly be a good avenue to go
>>>> down.
>>>>
>>>> OpenVPN can run over TCP as well as UDP, but UDP seems to be most
>>>> prevalent.
>>>>
>>>> If I look at captures there seems to be some patterns that could
>>>> possibly be used to trigger detection. In the attached screenshot[1]
>>>> you can see some sample UDP traffic.
>>>>
>>>> With the two RESET messages followed by the ACK and then TLS Client
>>>> and Server Hellos there might be a way in?
>>>>
>>>> Cheers, Mike
>>>>
>>>> [1]
>>>> <image.png>
>>>>
>>>>
>>>>> On Fri, Jun 15, 2018 at 10:27 AM Michał Purzyński
>>>>> <michalpurzynski1 at gmail.com> wrote:
>>>>> Maybe the initial SSL handshake is unique enough to warrant JA3
>>>>> signature?
>>>>>
>>>>> The SSL analyzer does not attach there, but maybe that’s because
>>>>> it’s UDP?
>>>>>
>>>>> Johanna?
>>>>>
>>>>>> On Jun 15, 2018, at 12:47 AM, Mike Eriksson <mike at swedishmike.org>
>>>>>> wrote:
>>>>>>
>>>>>> All,
>>>>>>
>>>>>> Before I set out to re-invent the wheel, yet again, I thought I'd
>>>>>> post the question to this list first. Is anyone aware of any work
>>>>>> that's been done to get OpenVPN detection in Bro?
>>>>>>
>>>>>> Just getting detection on the handshake/initial connection should
>>>>>> be a good enough start in my book. Wireshark has OpenVPN protocol
>>>>>> support, so it seems to be doable.
>>>>>>
>>>>>> Any feedback/ideas out there?
>>>>>>
>>>>>> Thanks in advance, Mike
>>>>>> --
>>>>>>
>>>>>> website: http://swedishmike.org
>>>>>> twitter: https://twitter.com/swedishmike
>>>>>> github: http://github.com/swedishmike
>>>>>
>>>>>> _______________________________________________
>>>>>> Bro mailing list
>>>>>> bro at bro-ids.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
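The handshake pattern Mike describes above (two hard RESETs, then the ACK), as an added example that is not part of this thread or of Bro: a Python sketch that reads the OpenVPN opcode from the first payload byte (opcode values as defined in OpenVPN's ssl.h), strips the 2-byte length prefix OpenVPN adds over TCP, and flags a flow whose first control packets are client hard reset, server hard reset, then client ACK with a consistent client session id. The sample packets and session ids are constructed, not taken from a capture.

```python
"""Constructed example: classify OpenVPN control-channel opcodes and flag the
reset/reset/ack handshake pattern in a flow's first packets."""
import struct

# Opcode values as defined in OpenVPN's ssl.h: the opcode is the top 5 bits
# of the first payload byte and the key id the low 3 bits.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
}
SESSION_ID_LEN = 8
# The sequence Mike observed: client hard reset, server hard reset, ACK.
HANDSHAKE = ("P_CONTROL_HARD_RESET_CLIENT_V2",
             "P_CONTROL_HARD_RESET_SERVER_V2", "P_ACK_V1")

def parse_opcode(payload, tcp=False):
    """Return (opcode name, key_id, session_id), or None if the bytes do not
    look like an OpenVPN control packet. Over TCP each packet carries a
    2-byte big-endian length prefix, which is stripped first."""
    if tcp:
        if len(payload) < 2:
            return None
        (length,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + length]
        if len(payload) != length:  # truncated or mis-framed
            return None
    if len(payload) < 1 + SESSION_ID_LEN:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in OPCODES:
        return None
    return OPCODES[opcode], key_id, payload[1:1 + SESSION_ID_LEN]

def looks_like_openvpn(packets, tcp=False):
    """True when the first three packets follow HANDSHAKE and the client's
    session id is the same in its reset and its ACK (and differs from the
    server's)."""
    parsed = [parse_opcode(p, tcp) for p in packets[:3]]
    if len(parsed) < 3 or any(p is None for p in parsed):
        return False
    names = tuple(p[0] for p in parsed)
    return names == HANDSHAKE and parsed[0][2] == parsed[2][2] != parsed[1][2]

# Constructed sample packets (session ids are made up), not a real capture.
CLIENT_SID, SERVER_SID = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
PKT_CLIENT_RESET = bytes([7 << 3]) + CLIENT_SID + b"\x00" + b"\x00\x00\x00\x00"
PKT_SERVER_RESET = bytes([8 << 3]) + SERVER_SID + b"\x01" + b"\x00\x00\x00\x00" + CLIENT_SID + b"\x00\x00\x00\x00"
PKT_ACK = bytes([5 << 3]) + CLIENT_SID + b"\x01" + b"\x00\x00\x00\x00" + SERVER_SID
```

Over UDP `parse_opcode` is applied to the datagram payload directly; over TCP pass `tcp=True` so the length prefix is consumed before the opcode byte is read.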