[Bro] Detecting OpenVPN

Michał Purzyński michalpurzynski1 at gmail.com
Fri Jun 15 14:34:26 PDT 2018


Like we said previously it did not work. 

> On Jun 15, 2018, at 2:04 PM, Steve Brant <steve at brant.nu> wrote:
> 
> Check out JA3 as a method of identifying clients.
> 
> https://github.com/salesforce/ja3
> 
> I did a little work on it last year. There are other relevant links here https://www.splunk.com/blog/2017/12/18/configuring-ja3-with-bro-for-splunk.html
> 
> Thanks,
> Steve
>> On Jun 15, 2018, 07:48 -0700, Johanna Amann <johanna at icir.org>, wrote:
>> Is OpenVPN just "normal" TLS? (I admittedly just never looked at it).
>> 
>> If yes, that would be a bug. Do you randomly have a short pcap that you
>> can share that shows this?
>> 
>> Johanna
>> 
>> On 15 Jun 2018, at 2:47, Michał Purzyński wrote:
>> 
>>> Just checked that the SSL analyzer does not attach to OpenVPN over TCP
>>> (we support both protocols).
>>> 
>>> I’d like to know why, and possibly get that fixed.
>>> 
>>> OpenVPN should be quite easy to detect at the ssl layer, or we could
>>> have an OpenVPN protocol maybe.
>>> 
>>>> On Jun 15, 2018, at 2:43 AM, Mike Eriksson <mike at swedishmike.org>
>>>> wrote:
>>>> 
>>>> Michal,
>>>> 
>>>> I didn't think about JA3, that could possibly be a good avenue to go
>>>> down.
>>>> 
>>>> OpenVPN can run over TCP as well as UDP, but UDP seems to be most
>>>> prevalent.
>>>> 
>>>> If I look at captures there seem to be some patterns that could
>>>> possibly be used to trigger detection. In the attached screenshot[1]
>>>> you can see some sample UDP traffic.
>>>> 
>>>> With the two RESET messages followed by the ACK and then TLS Client
>>>> and Server Hellos there might be a way in?
>>>> 
>>>> Cheers, Mike
>>>> 
>>>> [1]
>>>> <image.png>
>>>> 
>>>> 
>>>>> On Fri, Jun 15, 2018 at 10:27 AM Michał Purzyński
>>>>> <michalpurzynski1 at gmail.com> wrote:
>>>>> Maybe the initial SSL handshake is unique enough to warrant JA3
>>>>> signature?
>>>>> 
>>>>> The SSL analyzer does not attach there, but maybe that’s because
>>>>> it’s UDP?
>>>>> 
>>>>> Johanna?
>>>>> 
>>>>>> On Jun 15, 2018, at 12:47 AM, Mike Eriksson <mike at swedishmike.org>
>>>>>> wrote:
>>>>>> 
>>>>>> All,
>>>>>> 
>>>>>> Before I set out to re-invent the wheel, yet again, I thought I'd
>>>>>> post the question to this list first. Is anyone aware of any work
>>>>>> that's been done to get OpenVPN detection in Bro?
>>>>>> 
>>>>>> Just getting detection on the handshake/initial connection should
>>>>>> be a good enough start in my book. Wireshark has OpenVPN protocol
>>>>>> support so it seems to be doable.
>>>>>> 
>>>>>> Any feedback/ideas out there?
>>>>>> 
>>>>>> Thanks in advance, Mike
>>>>>> --
>>>>>> 
>>>>>> website: http://swedishmike.org
>>>>>> twitter: https://twitter.com/swedishmike
>>>>>> github: http://github.com/swedishmike
>>>>> 
>>>>>> _______________________________________________
>>>>>> Bro mailing list
>>>>>> bro at bro-ids.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>> --
>>>> 
>>>> website: http://swedishmike.org
>>>> twitter: https://twitter.com/swedishmike
>>>> github: http://github.com/swedishmike
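The handshake pattern Mike describes (client reset, server reset, ACK, then a TLS ClientHello inside a CONTROL packet) can be checked directly on UDP payloads. The following is an added example written for this thread, not code from Bro or from any poster; it assumes the plain OpenVPN UDP framing without tls-auth/tls-crypt, the V2 hard-reset opcodes, and constructed sample packets built by its own `build_packet` helper.

```python
# Constants from the OpenVPN wire format; the 5-bit opcode sits in the high bits of byte 0.
OP_CONTROL_V1, OP_ACK_V1 = 4, 5
OP_HARD_RESET_CLIENT_V2, OP_HARD_RESET_SERVER_V2 = 7, 8
SID_LEN = 8  # session id length

def parse_control(pkt: bytes):
    """Return (opcode, inner_payload) for a control-channel packet without tls-auth,
    or None if it is truncated."""
    if len(pkt) < 1 + SID_LEN + 1:
        return None
    opcode = pkt[0] >> 3
    pos = 1 + SID_LEN                  # opcode/key_id byte + local session id
    n_acks, pos = pkt[pos], pos + 1
    pos += 4 * n_acks                  # acked packet ids
    if n_acks:
        pos += SID_LEN                 # remote session id, present only when acks are sent
    if opcode != OP_ACK_V1:
        pos += 4                       # this message's own packet id
    return (opcode, pkt[pos:]) if pos <= len(pkt) else None

def is_tls_client_hello(data: bytes) -> bool:
    # TLS record type handshake (0x16), major version 3, handshake type ClientHello (1)
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def detect_openvpn_handshake(packets) -> bool:
    """packets: iterable of (direction, udp_payload) with direction 'c2s' or 's2c'.
    True when client reset, server reset, client ack and a CONTROL packet carrying a
    TLS ClientHello appear in that order; unrelated packets in between are skipped."""
    want = [("c2s", OP_HARD_RESET_CLIENT_V2), ("s2c", OP_HARD_RESET_SERVER_V2),
            ("c2s", OP_ACK_V1), ("c2s", OP_CONTROL_V1)]
    step = 0
    for direction, payload in packets:
        parsed = parse_control(payload)
        if parsed is None:
            continue
        opcode, inner = parsed
        if (direction, opcode) == want[step]:
            step += 1
            if step == len(want):
                return is_tls_client_hello(inner)
    return False

def build_packet(opcode: int, acks=(), payload=b"") -> bytes:
    """Constructed sample packet (hypothetical helper): key_id 0, zeroed session ids."""
    pkt = bytes([opcode << 3]) + b"\0" * SID_LEN + bytes([len(acks)])
    pkt += b"".join(a.to_bytes(4, "big") for a in acks)
    if acks:
        pkt += b"\0" * SID_LEN
    if opcode != OP_ACK_V1:
        pkt += (0).to_bytes(4, "big")
    return pkt + payload

CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x40, 0x01]) + b"\0" * 64  # constructed stub
SAMPLE_FLOW = [("c2s", build_packet(OP_HARD_RESET_CLIENT_V2)),
               ("s2c", build_packet(OP_HARD_RESET_SERVER_V2, acks=(0,))),
               ("c2s", build_packet(OP_ACK_V1, acks=(0,))),
               ("c2s", build_packet(OP_CONTROL_V1, payload=CLIENT_HELLO))]
```

Real deployments with tls-auth or tls-crypt carry an HMAC and packet-id block before the ack array, so the offsets above would need adjusting for those modes.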