Snort mailing list archives

Re: [Openvpn-users] Anyone know how to detect OpenVPN traffic?


From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 20 Nov 2004 19:31:57 +0100

* Jason Haar:

> I don't think any product - commercial or otherwise - could detect such
> things - if they are implemented correctly.

You just look for flows that consist solely of high-entropy packets.
Not too hard to implement in low bandwidth environments, but it's a
real challenge as soon as the packet rate is non-trivial.  You have to
mask out a few false positives (FTP transfers of compressed files, for
example), but it would catch all sorts of cryptographic tunneling
protocols, including OpenVPN.

A good approach in some environments (especially corporate) is to look
at flows that exist for extended periods of time, and rule out the
good ones.  The remaining data can be extremely interesting.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
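The two heuristics in the message above (flag flows whose data-carrying packets are all high-entropy, mask known-good opaque services such as FTP transfers of compressed files, then concentrate on the long-lived flows that remain) put into code. This is an added example, not code from the original message or from Snort or OpenVPN; the sample traffic is constructed, the 7.0 bits/byte threshold and the allowlist of ports expected to carry ciphertext (TLS, SSH, FTP-data) are assumptions, and the SHA-256 counter chain only stands in for real ciphertext.

```python
"""Flow-level entropy heuristics for spotting encrypted tunnels (added example).

Check 1: a flow whose data-carrying packets are *all* high-entropy is "opaque";
         known-good opaque services (TLS, SSH, FTP-data) are masked.
Check 2: among the unexplained opaque flows, long-lived ones are the interesting set.
All traffic below is constructed, not captured.
"""
import hashlib
import math
import zlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class FlowReport:
    key: tuple
    packets: int
    sized_packets: int
    min_entropy: float   # lowest entropy seen among data-carrying packets
    duration: float      # seconds between first and last packet
    verdict: str         # "clear", "opaque", "opaque-expected", "insufficient"


# Assumed allowlist: (proto, port) pairs where ciphertext/compressed data is expected.
EXPECTED_OPAQUE_PORTS = {("tcp", 443), ("tcp", 22), ("tcp", 20)}


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flow_key(p: Packet) -> tuple:
    """Direction-independent key so both halves of a conversation share one flow."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, lo, hi)


def classify_flows(packets, entropy_threshold=7.0, min_payload=64,
                   min_packets=3, allowlist=EXPECTED_OPAQUE_PORTS):
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    reports = []
    for key, pkts in flows.items():
        # Tiny packets (ACKs, keepalives) carry too few bytes for a meaningful estimate.
        sized = [p for p in pkts if len(p.payload) >= min_payload]
        duration = max(p.ts for p in pkts) - min(p.ts for p in pkts)
        ents = [shannon_entropy(p.payload) for p in sized]
        min_ent = min(ents) if ents else 0.0
        if len(sized) < min_packets:
            verdict = "insufficient"
        elif min_ent < entropy_threshold:
            verdict = "clear"           # at least one plaintext-looking packet
        else:
            proto, (_, p1), (_, p2) = key
            expected = {(proto, p1), (proto, p2)} & allowlist
            verdict = "opaque-expected" if expected else "opaque"
        reports.append(FlowReport(key, len(pkts), len(sized), min_ent, duration, verdict))
    return reports


def suspicious(reports, long_lived_s=600.0):
    """Check 2: unexplained opaque flows that also live a long time."""
    return [r for r in reports if r.verdict == "opaque" and r.duration >= long_lived_s]


def _prng_bytes(seed: str, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter chain), for the sample only."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:n])


def sample_traffic():
    """Constructed traffic: a tunnel on an arbitrary UDP port, plaintext HTTP, FTP-data."""
    pkts = []
    for i in range(20):   # (a) tunnel: every packet looks like ciphertext, runs for an hour
        pkts.append(Packet(i * 180.0, "udp", "10.1.1.50", 40001, "203.0.113.7", 12345,
                           _prng_bytes("tunnel", 1200)))
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nAccept: */*\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + b"<p>hello world</p>\n" * 20
    for i in range(3):    # (b) plaintext HTTP, both directions, a few seconds
        pkts.append(Packet(1000.0 + i, "tcp", "10.1.1.50", 50000, "198.51.100.9", 80, req))
        pkts.append(Packet(1000.5 + i, "tcp", "198.51.100.9", 80, "10.1.1.50", 50000, resp))
    # (c) active-mode FTP-data (server port 20) carrying a compressed file: high entropy,
    # but explained by the allowlist rather than by a tunnel.
    blob = zlib.compress(_prng_bytes("file", 4000).hex().encode(), 9)
    for i, off in enumerate(range(0, len(blob), 1000)):
        pkts.append(Packet(2000.0 + i * 0.1, "tcp", "198.51.100.21", 20, "10.1.1.50", 50010,
                           blob[off:off + 1000]))
    return pkts


if __name__ == "__main__":
    reports = classify_flows(sample_traffic())
    for r in reports:
        print(f"{r.key}: {r.verdict} min_entropy={r.min_entropy:.2f} duration={r.duration:.0f}s")
    print("suspicious:", [r.key for r in suspicious(reports)])
```

On the constructed sample only the UDP tunnel survives both checks: HTTP is rejected by the entropy floor, and the FTP transfer is opaque but masked by the allowlist. The per-packet entropy loop is what becomes expensive at high packet rates, which is the scaling problem the message points at; sampling packets per flow rather than scanning every one is the usual compromise.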
