[Snort-sigs] TOR Browser detection policy rule

R S rene.shuster at bcsemail.org
Mon Dec 11 09:34:42 EST 2017


9000, 9001, 9040 etc., but not 300 ports. There will be lots of traffic
attributed to Tor although it isn't.
Suggest changing the date to international ISO format YYYY-MM-DD.

On Sun, Dec 10, 2017 at 6:17 PM, Lenny Hansson <lenny at netcowboy.dk> wrote:

> To all SNORT users:
>
> TOR Browser detection rule. Feel free to use.
>
> I have tested the rule on 100GB data set no false positives so far. If
> you find any false positives please let me know.
>
> alert tcp $EXTERNAL_NET [9000:9300] -> $HOME_NET 1024: (msg:"NF - POLICY
> - TOR browser starting up - TOR SSL NAT Check Detected - Typical TOR DNS
> name"; flow:from_server,established;
> pcre:"/www\.[a-z0-9]{12,21}\.(com|net)/i";
> reference:url,networkforensic.dk; metadata:10122017;
> classtype:policy-violation; sid:5021501; rev:3;)
>
> It detects every time the TOR Browser is started.
>
> Best Regards
> Lenny Hansson
> ***********************************
> E-mail: security at netcowboy.dk
> Key-ID: D282 E960 7B91 5A04 68DA AB33 4070 9EB8 9137 9877
> ***********************************


-- 
Tech III * AppControl * Endpoint Protection * Server Maintenance
Buncombe County Schools Technology Department Network Group
ComicSans Awareness Campaign <http://comicsanscriminal.com>
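An added example, not from either poster, that runs the quoted rule's pcre against a handful of constructed hostnames and counts the source ports its header covers, to make the false-positive and port-range points above concrete. The hostnames, the helper names and the use of an unanchored search (matching how Snort's pcre option behaves) are assumptions.

```python
import re

# The pcre from the quoted rule (sid:5021501), copied verbatim, with the /i flag.
TOR_DNS_PCRE = r"www\.[a-z0-9]{12,21}\.(com|net)"
TOR_DNS_RE = re.compile(TOR_DNS_PCRE, re.IGNORECASE)

# Source port range from the rule header: [9000:9300]
RULE_SRC_PORTS = "9000:9300"


def port_range_size(spec: str) -> int:
    """Number of source ports a Snort 'lo:hi' port spec covers (hypothetical helper)."""
    lo, hi = (int(p) for p in spec.split(":"))
    return hi - lo + 1


def matches_tor_dns_pattern(hostname: str) -> bool:
    """True if the rule's pcre would fire on this name (unanchored search, like Snort)."""
    return TOR_DNS_RE.search(hostname) is not None


# Constructed sample names: any 12-21 character alphanumeric label under
# .com/.net matches, whether or not it has anything to do with Tor.
SAMPLE_HOSTNAMES = [
    "www.hs7fhq2lkd92xa.com",    # 14-char random label: the kind of name the rule targets
    "www.googleusercontent.com",  # 17-char legitimate label: also matches
    "www.cloudfrontassets.net",   # 16-char legitimate label: also matches
    "www.example.com",            # 7-char label: too short, no match
    "www.abcdefghijkl.org",       # right length, TLD not com/net: no match
]


def classify(hostnames):
    """Map each hostname to whether the rule's pcre matches it."""
    return {h: matches_tor_dns_pattern(h) for h in hostnames}


if __name__ == "__main__":
    print(f"ports covered by [{RULE_SRC_PORTS}]: {port_range_size(RULE_SRC_PORTS)}")
    for name, hit in classify(SAMPLE_HOSTNAMES).items():
        print(f"{'MATCH ' if hit else 'no    '} {name}")
```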