From 0ddbda1f829a2d1b27d7e6519900201111702823 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Mon, 16 Sep 2024 18:38:26 +0200 Subject: Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547) Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default. --- tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng | 1 + 1 file changed, 1 insertion(+) create mode 120000 tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng (limited to 'tests/cfgs/openvpn_heuristic_enabled/pcap') diff --git a/tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng b/tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng new file mode 120000 index 000000000..4e91a46c1 --- /dev/null +++ b/tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng @@ -0,0 +1 @@ +../../default/pcap/openvpn_obfuscated.pcapng \ No newline at end of file -- cgit v1.2.3
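
Review bot: the single added line makes tests/cfgs/openvpn_heuristic_enabled/pcap/openvpn_obfuscated.pcapng a symlink (mode 120000) to ../../default/pcap/openvpn_obfuscated.pcapng, and this view is limited to that directory, so nothing here shows the target capture being present under tests/cfgs/default/pcap. Please confirm the target is added in the same commit, otherwise the link dangles and the heuristic-enabled test has no input. A checkout without symlink support would leave a small text file containing the path instead of a capture, so it is worth checking that the test runner fails clearly in that case instead of silently skipping the file. Since the commit message says the heuristic is disabled by default, a short note in the test configuration explaining that the same capture is deliberately shared between the default and heuristic-enabled runs would make the intended comparison obvious to later readers.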