Snort mailing list archives
Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?
From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 20 Nov 2004 19:31:57 +0100
* Jason Haar:
> I don't think any product - commercial or otherwise - could detect such things - if they are implemented correctly.
You just look for flows that consist solely of high-entropy packets. Not too hard to implement in low bandwidth environments, but it's a real challenge as soon as the packet rate is non-trivial. You have to mask out a few false positives (FTP transfers of compressed files, for example), but it would catch all sorts of cryptographic tunneling protocols, including OpenVPN.

A good approach in some environments (especially corporate) is to look at flows that exist for extended periods of time, and rule out the good ones. The remaining data can be extremely interesting.
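The check described in the message above, as an added example that is not part of the original post: it flags flows whose sizeable packets are all high-entropy and then rules out known-good flows. The 0.85 cutoff, the 128-byte minimum, the flow keys and the SHA-256 counter-mode stand-in for ciphertext are assumptions made for this sketch.

```python
import hashlib
import math
from collections import Counter

MIN_LEN = 128     # assumed: shorter payloads hold too few bytes to judge
THRESHOLD = 0.85  # assumed normalized-entropy cutoff; tune per network

def normalized_entropy(payload: bytes) -> float:
    """Shannon entropy divided by the maximum reachable at this length."""
    n = len(payload)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(payload).values())
    return h / min(8.0, math.log2(n))

def solely_high_entropy(payloads) -> bool:
    """True if the flow has judgeable packets and every one is high-entropy."""
    judged = [p for p in payloads if len(p) >= MIN_LEN]
    return bool(judged) and all(normalized_entropy(p) >= THRESHOLD for p in judged)

def suspicious_flows(flows, allowlist=frozenset()):
    """Flow keys made solely of high-entropy packets, minus known-good ones."""
    return [key for key, pkts in flows.items()
            if key not in allowlist and solely_high_entropy(pkts)]

def keystream(seed: bytes, n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed sample flows; keys and payloads are made up for this example.
HTTP_HDR = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
            b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
            b"Accept: text/html,application/xhtml+xml\r\nAccept-Language: en\r\n\r\n")
TUNNEL = "10.0.0.5:40001->203.0.113.7:1194/udp"  # every packet looks random
WEB = "10.0.0.6:40002->198.51.100.9:80/tcp"      # plaintext header, random body
FTP = "10.0.0.7:40003->192.0.2.4:20/tcp"         # compressed-file transfer
FLOWS = {
    TUNNEL: [keystream(b"a%d" % i, 512) for i in range(20)],
    WEB: [HTTP_HDR] + [keystream(b"b%d" % i, 1024) for i in range(5)],
    FTP: [keystream(b"c%d" % i, 1024) for i in range(20)],
}
ALLOW = {FTP}  # the known false positive, ruled out by hand

if __name__ == "__main__":
    print(suspicious_flows(FLOWS))         # tunnel plus the FTP false positive
    print(suspicious_flows(FLOWS, ALLOW))  # tunnel only
```

Entropy is normalized by payload length because a packet of n bytes cannot exceed log2(n) bits per byte, so a fixed cutoff near 8 would miss small encrypted packets.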
Current thread:
- Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic? Jason Haar (Nov 19)
- Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic? Florian Weimer (Nov 22)