All,
Before I set out to re-invent the wheel, yet again, I thought I’d post the question to this list first. Is anyone aware of any work that’s been done to get OpenVPN detection in Bro?
Just getting detection on the handshake/initial connection should be a good enough start in my book. Wireshark has OpenVPN protocol support, so it seems to be doable.
Any feedback/ideas out there?
Thanks in advance, Mike
Maybe the initial SSL handshake is unique enough to warrant JA3 signature?
The SSL analyzer does not attach there, but maybe that’s because it’s UDP?
Johanna?
Michal,
I didn’t think about JA3, that could possibly be a good avenue to go down.
OpenVPN can run over TCP as well as UDP, but UDP seems to be most prevalent.
If I look at captures there seem to be some patterns that could possibly be used to trigger detection. In the attached screenshot[1] you can see some sample UDP traffic.
With the two RESET messages followed by the ACK and then TLS Client and Server Hello’s there might be a way in?
Cheers, Mike
[1]
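An added illustration (not code from the thread, and not Bro's own analyzer) of the pattern Mike describes: the detector below reads the OpenVPN opcode byte and flags a client hard reset, a server hard reset, an ACK, and then a control packet carrying a TLS handshake record. Opcode values and header layout are taken from OpenVPN's protocol definition; it assumes no tls-auth/tls-crypt wrapping, the sample packets are constructed rather than captured, and it also handles the 2-byte length framing OpenVPN uses over TCP, which goes beyond the UDP screenshot.

```python
# Opcode lives in the top 5 bits of the first byte; the low 3 bits are the key_id.
P_CONTROL_V1 = 4                  # control packet carrying TLS bytes
P_ACK_V1 = 5
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
TLS_HANDSHAKE = 0x16              # TLS record type of a ClientHello/ServerHello

def opcode(packet: bytes) -> int:
    return packet[0] >> 3

def control_payload(packet: bytes) -> bytes:
    """Strip the P_CONTROL header (no tls-auth/tls-crypt assumed) and return the TLS bytes."""
    i = 1 + 8                     # opcode/key_id + local session id
    n_acks = packet[i]; i += 1    # length of the acked packet-id array
    i += 4 * n_acks               # acked packet ids
    if n_acks:
        i += 8                    # remote session id is present only when acks are sent
    i += 4                        # this packet's own packet id
    return packet[i:]

def split_tcp_stream(stream: bytes) -> list:
    """OpenVPN over TCP prefixes every packet with a 2-byte big-endian length."""
    packets = []
    while len(stream) >= 2:
        n = int.from_bytes(stream[:2], "big")
        if len(stream) < 2 + n:
            break                 # incomplete trailing packet, wait for more data
        packets.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return packets

def looks_like_openvpn_handshake(packets) -> bool:
    """Client HARD_RESET, server HARD_RESET, ACK, then a P_CONTROL carrying a TLS handshake record."""
    packets = [p for p in packets if p]
    expected = [P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_SERVER_V2, P_ACK_V1]
    if [opcode(p) for p in packets[:3]] != expected:
        return False
    return any(opcode(p) == P_CONTROL_V1 and control_payload(p)[:1] == bytes([TLS_HANDSHAKE])
               for p in packets[3:])

# Constructed sample exchange (client session id 0x11.., server 0x22..), not captured traffic.
CLIENT_SID, SERVER_SID, PID0 = b"\x11" * 8, b"\x22" * 8, b"\x00\x00\x00\x00"
SAMPLE_UDP = [
    bytes([7 << 3]) + CLIENT_SID + b"\x00" + PID0,                          # client hard reset
    bytes([8 << 3]) + SERVER_SID + b"\x01" + PID0 + CLIENT_SID + PID0,      # server hard reset, acks pid 0
    bytes([5 << 3]) + CLIENT_SID + b"\x01" + PID0 + SERVER_SID,             # client ACK (carries no own pid)
    bytes([4 << 3]) + CLIENT_SID + b"\x00" + b"\x00\x00\x00\x01" + b"\x16\x03\x01\x00\x00",  # TLS record
]
SAMPLE_TCP = b"".join(len(p).to_bytes(2, "big") + p for p in SAMPLE_UDP)
```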
Just checked that the SSL analyzer does not attach to OpenVPN over TCP (we support both protocols).
I’d like to know why and possibly get that fixed.
OpenVPN should be quite easy to detect at the ssl layer, or we could have an OpenVPN protocol maybe.
If it can be fixed in ‘core’ Bro it would be even better than writing my own detection. I’m sure more people than us would be interested in this?
Cheers, Mike
Is OpenVPN just "normal" TLS? (I admittedly just never looked at it).
If yes, that would be a bug. Do you randomly have a short pcap that you can share that shows this?
Johanna
Check out JA3 as a method of identifying clients.
https://github.com/salesforce/ja3
I did a little work on it last year. There are other relevant links here https://www.splunk.com/blog/2017/12/18/configuring-ja3-with-bro-for-splunk.html
Thanks,
Steve
Like we said previously, it did not work.