Detecting VPN traffic


Tom N

Mar 30, 2017, 12:31:13 AM
to security-onion
Is it possible to detect VPN traffic, i.e. OpenVPN / PPTP etc.?

Shane Mullins

Mar 30, 2017, 9:42:11 AM
to securit...@googlegroups.com
Should be able to.

Custom rule that fires on IKE/ISAKMP UDP 500 maybe. It has been a while since I have looked at how the VPN connections establish, but it shouldn't be hard to do.

Shane


On Thu, Mar 30, 2017 at 12:31 AM, Tom N <tom.na...@gmail.com> wrote:
Is it possible to detect VPN traffic, i.e. OpenVPN / PPTP etc.?


wubb...@gmail.com

Mar 30, 2017, 10:33:19 AM
to security-onion
Take a look at the tunnel logs in Bro. You can access them via ELSA, and I believe there are some canned queries. If I'm not mistaken, Bro should categorize the tunnel type.

Tom N

Mar 30, 2017, 10:32:07 PM
to security-onion
On Thursday, 30 March 2017 15:31:13 UTC+11, Tom N wrote:
> Is it possible to detect VPN traffic, i.e. OpenVPN / PPTP etc.?

Think I got this, just added some rules to local.rules:

alert esp $HOME_NET any -> $EXTERNAL_NET any (msg:"Ipsec ESP data"; classtype:policy-violation; sid:99900001; rev:1;)
alert l2tp $HOME_NET any -> $EXTERNAL_NET any (msg:"Layer Two Tunneling Protocol Version 3"; classtype:policy-violation; sid:9900003; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 1194 (msg: "OpenVPN!"; classtype:policy-violation; sid:9900004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1723 (msg:"VPN PPTP connection"; classtype:policy-violation; sid:9900005; rev:1;)


Thanks for the help :-)

Erik Hjelmvik

Mar 31, 2017, 3:48:38 AM
to securit...@googlegroups.com
2017-03-31 4:32 GMT+02:00 Tom N <tom.na...@gmail.com>:
alert udp $HOME_NET any -> $EXTERNAL_NET 1194 (msg: "OpenVPN!"; classtype:policy-violation; sid:9900004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1723 (msg:"VPN PPTP connection"; classtype:policy-violation; sid:9900005; rev:1;)


Port-based alerting is generally a bad idea for outgoing sessions, since a user can easily run an external OpenVPN or PPTP service on any UDP port. I'd recommend matching on some characteristic byte sequence in these protocols instead. For example, PPTP sessions typically contain a sequence like this, 2 bytes into the first UDP packet:
00 01 1a 2b 3c 4d 00 01 00 00 01 00 00 00

/erik
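As an added example (not part of the thread), here is a port-independent check for the PPTP control-connection header that Erik's byte sequence comes from: after the 2-byte length, the bytes 00 01 1a 2b 3c 4d 00 01 are the PPTP message type (control), the magic cookie and the Start-Control-Connection-Request type from RFC 2637. The sample payloads and port numbers are constructed for the demonstration.

```python
import struct

# PPTP control-message constants (RFC 2637); the cookie is the 1a 2b 3c 4d in the thread.
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_CONTROL = 1
CONTROL_MESSAGE_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}

def classify_pptp_control(payload: bytes):
    """Return the PPTP control message name if the payload starts with a valid
    PPTP control header, else None. The destination port is deliberately ignored."""
    if len(payload) < 12:
        return None
    # Length | Message Type | Magic Cookie | Control Message Type | Reserved0
    length, msg_type, cookie, ctrl_type, reserved = struct.unpack("!HHIHH", payload[:12])
    if msg_type != PPTP_MSG_CONTROL or cookie != PPTP_MAGIC_COOKIE:
        return None
    if reserved != 0 or length < 12:
        return None
    return CONTROL_MESSAGE_TYPES.get(ctrl_type, f"Unknown control type {ctrl_type}")

def build_sccrq(hostname: bytes = b"constructed-host", vendor: bytes = b"constructed") -> bytes:
    """Constructed Start-Control-Connection-Request (156 bytes), used as sample input."""
    # ctrl type 1, reserved0, protocol version 1.0, reserved1, framing caps,
    # bearer caps, max channels, firmware revision, 64-byte host name, 64-byte vendor
    tail = struct.pack("!HHHHIIHH64s64s", 1, 0, 0x0100, 0, 1, 1, 0, 0, hostname, vendor)
    return struct.pack("!HHI", 8 + len(tail), PPTP_MSG_CONTROL, PPTP_MAGIC_COOKIE) + tail

# Constructed flows: (dst_port, first client payload). HTTP on 1723 is not PPTP,
# while PPTP moved to a non-standard port still is.
CONSTRUCTED_FLOWS = [
    (1723, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    (1723, build_sccrq()),
    (8443, build_sccrq(b"evasive-host")),
]

def detect_pptp(flows):
    """Return [(port, message name)] for flows whose first payload is PPTP control."""
    hits = []
    for port, payload in flows:
        name = classify_pptp_control(payload)
        if name is not None:
            hits.append((port, name))
    return hits

if __name__ == "__main__":
    print(detect_pptp(CONSTRUCTED_FLOWS))
```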