[Snort-sigs] TOR Browser detection policy rule

Lenny Hansson lenny at netcowboy.dk
Sun Dec 10 18:17:06 EST 2017


To all SNORT users:

TOR Browser detection rule. Feel free to use.

I have tested the rule on 100GB data set no false positives so far. If
you find any false positives please let me know.

alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: (msg:"NF - POLICY
- TOR browser starting up - TOR SSL NAT Check Detected - Typical TOR DNS
name"; flow:from_server,established;
pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i";
reference:url,networkforensic.dk; metadata:10122017;
classtype:policy-violation; sid:5021501; rev:3;)

It detects every time the TOR Browser is started.

Best Regards
Lenny Hansson
***********************************
E-mail: security at netcowboy.dk
Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877
***********************************


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20171211/f8f79a05/attachment.sig>


More information about the Snort-sigs mailing list