Anyone know how to detect OpenVPN traffic?

[Jason Haar <Jason.Haar () trimble co nz>]

[This should put the cat amongst the pigeons ;-)]

I love OpenVPN - great piece of work. However, with my corporate 
security hat on, I'd like to be able to detect it within our corporate 
network on our Snort servers. We can detect IPSec easily enough, but 
these NAT'ted type technologies are ... rather harder.

It can run over both TCP and UDP, on arbitrary ports (defaults to 1194), 
supports LZO compression, certificates and shared keys.

I have tried to sniff the traffic and find some commonality - but 
without much luck so far.

Is there any "initialization" sequences that are common, that a Snort 
signature(s) could be written for? Has anyone else done it?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users