feat: add openVPN analyzer #114
Merged
Conversation
Thanks! I'll review it this weekend. Could you merge the TCP and UDP logic into the same analyzer? A single analyzer can implement both the TCP and UDP interfaces at once; the existing DNS analyzer is a reference for that.
For the PSK case, I'm considering making the FET analyzer support UDP... that should be able to handle OpenVPN with tls-crypt enabled.
Now the logic has all been merged into

```json
{
  "openvpn": {
    "rx_pkt_cnt": 0,
    "tx_pkt_cnt": 0
  }
}
```
tobyxdd approved these changes on Mar 30, 2024
Thanks! I can confirm this works as expected
haruue approved these changes on Mar 31, 2024
Added an OpenVPN analyzer. I referred to the following:

According to the official documentation, OpenVPN has two modes: pre-shared secret and TLS. In the former, all data can be treated as ciphertext and is hard to fingerprint, but it should be detectable by FETAnalyzer. The OpenVPN analyzer implemented here identifies TLS mode.

PropMap: rx_pkt_cnt and tx_pkt_cnt are the numbers of packets received/sent on this connection that were judged to possibly be OpenVPN, so a block rule can be written like this: the more packets, the lower the false-positive rate. The false-positive probability can be roughly estimated as:

3/32 * 2/32 * (6/32)^(rx_pkt_cnt + tx_pkt_cnt)

Currently at most 256 packets are judged. The rationale is that this roughly brings the false-positive probability to the required level, and under normal network activity the time needed to reach that many packets will not exceed 10s.

Regarding false negatives: TCP has a reliable stream, so in theory there are no false negatives. UDP, however, may have a higher false-negative rate on poor networks: when OpenVPN's P_CONTROL_HARD_RESET_CLIENT_* or P_CONTROL_HARD_RESET_SERVER_* control packets, which are only sent during the OpenVPN handshake, are dropped, a false negative occurs. The code currently does not introduce invalidCount to address this, because that could raise the UDP false-positive rate; it could perhaps be added later if needed (?)
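The opcode-sequence heuristic implied by the probability estimate above, as an added Go example written for this page (it is not the project's analyzer code): the first client packet must carry one of the three P_CONTROL_HARD_RESET_CLIENT_* opcodes, the server's reply one of the two P_CONTROL_HARD_RESET_SERVER_* opcodes, and every later packet one of six steady-state opcodes, with judging capped at 256 packets. The opcode values are from OpenVPN's ssl.h (the opcode is the top 5 bits of the first byte, the low 3 bits the key ID). Which six opcodes count as valid after the handshake, the convention that tx means client-to-server, and the UDP-only framing (no TCP length prefix) are assumptions of this example. It also turns the false-positive formula into a threshold helper for writing a rule, and shows the UDP false-negative case from the description, where the lost hard reset makes the flow look invalid.

```go
package main

import (
	"fmt"
	"math"
)

// OpenVPN opcodes: the top 5 bits of the first byte of every OpenVPN message
// (the low 3 bits carry the key ID). Values are from OpenVPN's ssl.h.
const (
	opControlHardResetClientV1 = 1
	opControlHardResetServerV1 = 2
	opControlSoftResetV1       = 3
	opControlV1                = 4
	opAckV1                    = 5
	opDataV1                   = 6
	opControlHardResetClientV2 = 7
	opControlHardResetServerV2 = 8
	opDataV2                   = 9
	opControlHardResetClientV3 = 10
	opControlWkcV1             = 11
)

// MaxJudgedPackets mirrors the 256-packet cap described in the PR.
const MaxJudgedPackets = 256

// Direction of a packet. Assumption for this example: Tx is client->server, Rx is server->client.
type Direction int

const (
	Tx Direction = iota
	Rx
)

// Packet is one UDP datagram payload plus its direction (constructed input, no TCP length prefix).
type Packet struct {
	Dir     Direction
	Payload []byte
}

// State holds the two counters the analyzer exposes plus the handshake stage.
type State struct {
	RxPktCnt int
	TxPktCnt int
	Invalid  bool // set once a packet cannot be OpenVPN; nothing further is judged
	stage    int  // 0: expect client hard reset, 1: expect server hard reset, 2: steady state
}

func opcode(payload []byte) (int, bool) {
	if len(payload) == 0 {
		return 0, false
	}
	return int(payload[0] >> 3), true
}

func oneOf(op int, set ...int) bool {
	for _, s := range set {
		if op == s {
			return true
		}
	}
	return false
}

// Feed judges one packet. It returns false once the analyzer has stopped judging,
// either because the flow was rejected or because the packet cap was reached.
func (s *State) Feed(p Packet) bool {
	if s.Invalid || s.RxPktCnt+s.TxPktCnt >= MaxJudgedPackets {
		return false
	}
	op, ok := opcode(p.Payload)
	if !ok {
		s.Invalid = true
		return false
	}
	switch s.stage {
	case 0: // 3 of 32 possible opcodes are acceptable here (the 3/32 factor)
		ok = p.Dir == Tx && oneOf(op, opControlHardResetClientV1, opControlHardResetClientV2, opControlHardResetClientV3)
	case 1: // 2 of 32 (the 2/32 factor)
		ok = p.Dir == Rx && oneOf(op, opControlHardResetServerV1, opControlHardResetServerV2)
	default: // 6 of 32 per packet (the 6/32 factor); this set of six is an assumption
		ok = oneOf(op, opControlSoftResetV1, opControlV1, opAckV1, opDataV1, opDataV2, opControlWkcV1)
	}
	if !ok {
		s.Invalid = true
		return false
	}
	if s.stage < 2 {
		s.stage++
	}
	if p.Dir == Tx {
		s.TxPktCnt++
	} else {
		s.RxPktCnt++
	}
	return true
}

// Classify runs Feed over a whole flow and returns the final state.
func Classify(pkts []Packet) State {
	var s State
	for _, p := range pkts {
		if !s.Feed(p) {
			break
		}
	}
	return s
}

// FalsePositiveProb is the estimate from the PR description:
// 3/32 * 2/32 * (6/32)^(rx_pkt_cnt + tx_pkt_cnt).
func FalsePositiveProb(rx, tx int) float64 {
	return 3.0 / 32 * 2.0 / 32 * math.Pow(6.0/32, float64(rx+tx))
}

// PacketsForFalsePositiveBelow returns the smallest rx+tx total at which the
// estimate drops below target; that total is the threshold a block rule would use.
func PacketsForFalsePositiveBelow(target float64) int {
	for n := 0; n <= MaxJudgedPackets; n++ {
		if FalsePositiveProb(n, 0) < target {
			return n
		}
	}
	return MaxJudgedPackets
}

// msg builds a minimal constructed OpenVPN-style first byte followed by one filler byte.
func msg(op int, keyID byte) []byte { return []byte{byte(op)<<3 | keyID&0x07, 0x00} }

func main() {
	// Constructed flow: a V2 handshake followed by control, ack and data traffic.
	flow := []Packet{
		{Tx, msg(opControlHardResetClientV2, 0)},
		{Rx, msg(opControlHardResetServerV2, 0)},
		{Tx, msg(opControlV1, 0)},
		{Rx, msg(opAckV1, 0)},
		{Tx, msg(opDataV2, 1)},
	}
	s := Classify(flow)
	fmt.Printf("rx=%d tx=%d invalid=%v fp~%.2e\n", s.RxPktCnt, s.TxPktCnt, s.Invalid,
		FalsePositiveProb(s.RxPktCnt, s.TxPktCnt))

	// The UDP false-negative case from the PR: the hard resets were lost, so the
	// first packet seen is already P_CONTROL_V1 and the flow is rejected.
	lost := Classify(flow[2:])
	fmt.Printf("after losing the hard resets: invalid=%v\n", lost.Invalid)
	fmt.Printf("packets needed for fp<1e-6: %d\n", PacketsForFalsePositiveBelow(1e-6))
}
```

The threshold helper shows why a rule keyed on rx_pkt_cnt + tx_pkt_cnt tightens quickly: each further packet that passes the opcode check multiplies the estimate by 6/32, so single-digit counts already push it well below one in a million under this model.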