Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)

Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default.
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-09-16 18:38:26 +0200
committer: GitHub <noreply@github.com> 2024-09-16 18:38:26 +0200
commit: 0ddbda1f829a2d1b27d7e6519900201111702823 (patch)
tree: 58caea96101eeb330a9490b3565ab3d751af0035 /tests/cfgs/openvpn_heuristic_enabled/pcap
parent: 47ea30fdaa4eb33d8150bbb0e7d57f9d92c41821 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng b/tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng
new file mode 120000
index 000000000..4e91a46c1
--- /dev/null
+++ b/tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng
@@ -0,0 +1 @@
+../../default/pcap/openvpn_obfuscated.pcapng
+\ No newline at end of file
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2024-09-16 18:38:26 +0200
committer	GitHub <noreply@github.com>	2024-09-16 18:38:26 +0200
commit	0ddbda1f829a2d1b27d7e6519900201111702823 (patch)
tree	58caea96101eeb330a9490b3565ab3d751af0035 /tests/cfgs/openvpn_heuristic_enabled/pcap
parent	47ea30fdaa4eb33d8150bbb0e7d57f9d92c41821 (diff)