From e7ce9bb7cd6e4fb684f9c19b5c9167dcaaeaf6ed Mon Sep 17 00:00:00 2001 From: Toby Date: Mon, 1 Apr 2024 21:20:18 -0700 Subject: [PATCH] update trojan & add openvpn --- docs/docs/analyzers.md | 27 ++++++++++++++++++++++++++- docs/docs/analyzers.zh.md | 27 ++++++++++++++++++++++++++- 2 files changed, 52 insertions(+), 2 deletions(-) diff --git a/docs/docs/analyzers.md b/docs/docs/analyzers.md index 4ac4ab3..a5e913a 100644 --- a/docs/docs/analyzers.md +++ b/docs/docs/analyzers.md @@ -282,7 +282,7 @@ Example for blocking QUIC connections to `quic.rocks`: ```json { "trojan": { - "seq": [680, 4514, 293], + "seq": [682, 4540, 1310, 1031], "yes": true } } @@ -296,6 +296,10 @@ Example for blocking Trojan connections: expr: trojan != nil && trojan.yes ``` +!!! warning + + Trojan detection currently relies on traffic heuristics that are not always accurate, with approximately 0.6% false positives and 10% false negatives. Blocking all suspected Trojan connections, as in this example, can break normal TLS connections. For now, we recommend logging them and manually checking the IP addresses involved. + ## SOCKS SOCKS4: @@ -446,3 +450,24 @@ Example for blocking WireGuard traffic: action: block expr: wireguard?.packet_data?.receiver_index_matched == true ``` + +## OpenVPN + +OpenVPN analyzer can detect both UDP and TCP modes. Note that this won't work if you have `tls-crypt` in your OpenVPN configuration, as the traffic will be fully encrypted with a pre-shared key. + +```json +{ + "openvpn": { + "rx_pkt_cnt": 88, + "tx_pkt_cnt": 23 + } +} +``` + +Example for blocking OpenVPN traffic, if the total packet count is more than 50 (to avoid potential false positives): + +```yaml +- name: Block OpenVPN + action: block + expr: openvpn != nil && openvpn.rx_pkt_cnt + openvpn.tx_pkt_cnt > 50 +``` diff --git a/docs/docs/analyzers.zh.md b/docs/docs/analyzers.zh.md index 8ac317e..b9bdc12 100644 --- a/docs/docs/analyzers.zh.md +++ b/docs/docs/analyzers.zh.md 
@@ -278,7 +278,7 @@ QUIC 解析器的格式与 TLS 一样,但是目前只支持请求 (req) 部分 ```json { "trojan": { - "seq": [680, 4514, 293], + "seq": [682, 4540, 1310, 1031], "yes": true } } @@ -292,6 +292,10 @@ QUIC 解析器的格式与 TLS 一样,但是目前只支持请求 (req) 部分 expr: trojan != nil && trojan.yes ``` +!!! warning + + Trojan 检测目前依赖基于流量特征的启发式算法,并不保证完全准确。有大概 0.6% 的假阳性率和 10% 的假阴性率。像上述规则这样直接屏蔽所有疑似 Trojan 的连接可能导致误伤正常 TLS 连接。目前建议使用日志模式记录下 IP 地址,进行额外的人工审查。 + ## SOCKS SOCKS4: @@ -442,3 +446,24 @@ SOCKS5 带验证: action: block expr: wireguard?.packet_data?.receiver_index_matched == true ``` + +## OpenVPN + +OpenVPN 分析器对于 TCP 和 UDP 模式都可以检测。注意如果你的 OpenVPN 配置包含了 `tls-crypt` 则不能正常工作,因为在这种情况下连接会被一个预共享密钥加密,成为全加密连接。 + +```json +{ + "openvpn": { + "rx_pkt_cnt": 88, + "tx_pkt_cnt": 23 + } +} +``` + +屏蔽 OpenVPN(如果检测到超过 50 个 OpenVPN 包,防止误伤): + +```yaml +- name: Block OpenVPN + action: block + expr: openvpn != nil && openvpn.rx_pkt_cnt + openvpn.tx_pkt_cnt > 50 +```
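Review bot: in the first `analyzers.md` hunk, the `seq` example grows from three entries (`[680, 4514, 293]`) to four (`[682, 4540, 1310, 1031]`), but the prose that describes the `seq` field sits outside the hunk and is not updated. Confirm that description states how many entries the analyzer now emits and what each one represents; otherwise readers cannot tell whether a fourth value is expected or what a rule matching on `trojan.seq` should look at.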
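Review bot: in the second `analyzers.md` hunk, the new warning tells users not to block suspected Trojan connections, yet the example immediately above it is still `action: block` with `expr: trojan != nil && trojan.yes`. Either change that example to `action: log` or add a logging rule next to it so the recommended configuration is the one readers copy. The 0.6% false-positive and 10% false-negative figures also need a source (which dataset and how many flows), since they are the basis for the recommendation. In the new OpenVPN section, "fully encrypted with a pre-shared key" is imprecise: `tls-crypt` encrypts and authenticates the control-channel payload, while the opcode/key-id byte and session ID remain in the clear, so state which part of the packet the analyzer relies on (and note that `tls-crypt-v2` has the same effect on the control channel). For the blocking rule `openvpn.rx_pkt_cnt + openvpn.tx_pkt_cnt > 50`, document that the first 50 packets of the tunnel are allowed through before the rule matches, so readers understand the trade-off the threshold makes rather than treating 50 as a fixed property of the analyzer.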
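Review bot: in the first `analyzers.zh.md` hunk, the `seq` example is updated to the same four values as the English page, but, as in `analyzers.md`, the surrounding description of the `seq` field is not part of the change; keep both languages aligned by updating that description in the same commit, so the two documents do not drift on the number and meaning of the entries.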
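Review bot: in the second `analyzers.zh.md` hunk, the admonition is written as a bare `!!! warning`, which renders with the default English title "Warning" on an otherwise Chinese page; use the admonition's custom-title form, e.g. `!!! warning "警告"`, to keep the page consistently localized. The same two content points as the English hunk apply here: the `action: block` Trojan example directly contradicts the warning that follows it (switch it to a log action or add a log example), and the OpenVPN text describing `tls-crypt` as making the connection "全加密" (fully encrypted) overstates it, since the opcode/key-id byte and session ID stay in cleartext; say which field the analyzer depends on instead.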